query.c revision 1.23
1 /* $NetBSD: query.c,v 1.23 2025/01/26 16:25:45 christos Exp $ */ 2 3 /* 4 * Copyright (C) Internet Systems Consortium, Inc. ("ISC") 5 * 6 * SPDX-License-Identifier: MPL-2.0 7 * 8 * This Source Code Form is subject to the terms of the Mozilla Public 9 * License, v. 2.0. If a copy of the MPL was not distributed with this 10 * file, you can obtain one at https://mozilla.org/MPL/2.0/. 11 * 12 * See the COPYRIGHT file distributed with this work for additional 13 * information regarding copyright ownership. 14 */ 15 16 /*! \file */ 17 18 #include <ctype.h> 19 #include <inttypes.h> 20 #include <stdbool.h> 21 #include <stdint.h> 22 #include <string.h> 23 24 #include <isc/async.h> 25 #include <isc/hex.h> 26 #include <isc/mem.h> 27 #include <isc/once.h> 28 #include <isc/random.h> 29 #include <isc/result.h> 30 #include <isc/rwlock.h> 31 #include <isc/serial.h> 32 #include <isc/stats.h> 33 #include <isc/string.h> 34 #include <isc/thread.h> 35 #include <isc/util.h> 36 37 #include <dns/adb.h> 38 #include <dns/badcache.h> 39 #include <dns/byaddr.h> 40 #include <dns/cache.h> 41 #include <dns/db.h> 42 #include <dns/dlz.h> 43 #include <dns/dns64.h> 44 #include <dns/dnsrps.h> 45 #include <dns/dnssec.h> 46 #include <dns/keytable.h> 47 #include <dns/message.h> 48 #include <dns/ncache.h> 49 #include <dns/nsec.h> 50 #include <dns/nsec3.h> 51 #include <dns/order.h> 52 #include <dns/rbt.h> 53 #include <dns/rcode.h> 54 #include <dns/rdata.h> 55 #include <dns/rdataclass.h> 56 #include <dns/rdatalist.h> 57 #include <dns/rdataset.h> 58 #include <dns/rdatasetiter.h> 59 #include <dns/rdatastruct.h> 60 #include <dns/rdatatype.h> 61 #include <dns/resolver.h> 62 #include <dns/result.h> 63 #include <dns/stats.h> 64 #include <dns/tkey.h> 65 #include <dns/types.h> 66 #include <dns/view.h> 67 #include <dns/zone.h> 68 #include <dns/zt.h> 69 70 #include <ns/client.h> 71 #include <ns/hooks.h> 72 #include <ns/interfacemgr.h> 73 #include <ns/log.h> 74 #include <ns/server.h> 75 #include <ns/sortlist.h> 76 #include <ns/stats.h> 77 #include <ns/xfrout.h> 78 79 #include "probes.h" 80 81 #if 0 82 /* 83 * It has been recommended that DNS64 be changed to return excluded 84 * AAAA addresses if DNS64 synthesis does not occur. This minimises 85 * the impact on the lookup results. While most DNS AAAA lookups are 86 * done to send IP packets to a host, not all of them are and filtering 87 * excluded addresses has a negative impact on those uses. 88 */ 89 #define dns64_bis_return_excluded_addresses 1 90 #endif /* if 0 */ 91 92 #define QUERY_ERROR(qctx, r) \ 93 do { \ 94 (qctx)->result = r; \ 95 (qctx)->want_restart = false; \ 96 (qctx)->line = __LINE__; \ 97 } while (0) 98 99 /*% Partial answer? */ 100 #define PARTIALANSWER(c) \ 101 (((c)->query.attributes & NS_QUERYATTR_PARTIALANSWER) != 0) 102 /*% Use Cache? */ 103 #define USECACHE(c) (((c)->query.attributes & NS_QUERYATTR_CACHEOK) != 0) 104 /*% Recursion OK? */ 105 #define RECURSIONOK(c) (((c)->query.attributes & NS_QUERYATTR_RECURSIONOK) != 0) 106 /*% Recursing? */ 107 #define RECURSING(c) (((c)->query.attributes & NS_QUERYATTR_RECURSING) != 0) 108 /*% Want Recursion? */ 109 #define WANTRECURSION(c) \ 110 (((c)->query.attributes & NS_QUERYATTR_WANTRECURSION) != 0) 111 /*% Is TCP? */ 112 #define TCP(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0) 113 114 /*% Want DNSSEC? */ 115 #define WANTDNSSEC(c) (((c)->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0) 116 /*% Want WANTAD? */ 117 #define WANTAD(c) (((c)->attributes & NS_CLIENTATTR_WANTAD) != 0) 118 /*% Client presented a bad COOKIE. */ 119 #define BADCOOKIE(c) (((c)->attributes & NS_CLIENTATTR_BADCOOKIE) != 0) 120 /*% Client presented a valid COOKIE. */ 121 #define HAVECOOKIE(c) (((c)->attributes & NS_CLIENTATTR_HAVECOOKIE) != 0) 122 /*% Client presented a COOKIE. */ 123 #define WANTCOOKIE(c) (((c)->attributes & NS_CLIENTATTR_WANTCOOKIE) != 0) 124 /*% Client presented a CLIENT-SUBNET option. */ 125 #define HAVEECS(c) (((c)->attributes & NS_CLIENTATTR_HAVEECS) != 0) 126 /*% No authority? */ 127 #define NOAUTHORITY(c) (((c)->query.attributes & NS_QUERYATTR_NOAUTHORITY) != 0) 128 /*% No additional? */ 129 #define NOADDITIONAL(c) \ 130 (((c)->query.attributes & NS_QUERYATTR_NOADDITIONAL) != 0) 131 /*% Secure? */ 132 #define SECURE(c) (((c)->query.attributes & NS_QUERYATTR_SECURE) != 0) 133 /*% DNS64 A lookup? */ 134 #define DNS64(c) (((c)->query.attributes & NS_QUERYATTR_DNS64) != 0) 135 136 #define DNS64EXCLUDE(c) \ 137 (((c)->query.attributes & NS_QUERYATTR_DNS64EXCLUDE) != 0) 138 139 #define REDIRECT(c) (((c)->query.attributes & NS_QUERYATTR_REDIRECT) != 0) 140 141 /*% Was the client already sent a response? */ 142 #define QUERY_ANSWERED(q) (((q)->attributes & NS_QUERYATTR_ANSWERED) != 0) 143 144 /*% Does the query allow stale data in the response? */ 145 #define QUERY_STALEOK(q) (((q)->attributes & NS_QUERYATTR_STALEOK) != 0) 146 147 /*% Does the query wants to check for stale RRset due to a timeout? */ 148 #define QUERY_STALETIMEOUT(q) (((q)->dboptions & DNS_DBFIND_STALETIMEOUT) != 0) 149 150 /*% Does the rdataset 'r' have an attached 'No QNAME Proof'? */ 151 #define NOQNAME(r) (((r)->attributes & DNS_RDATASETATTR_NOQNAME) != 0) 152 153 /*% Does the rdataset 'r' contain a stale answer? */ 154 #define STALE(r) (((r)->attributes & DNS_RDATASETATTR_STALE) != 0) 155 156 /*% Does the rdataset 'r' is stale and within stale-refresh-time? */ 157 #define STALE_WINDOW(r) (((r)->attributes & DNS_RDATASETATTR_STALE_WINDOW) != 0) 158 159 #ifdef WANT_QUERYTRACE 160 static void 161 client_trace(ns_client_t *client, int level, const char *message) { 162 if (client != NULL && client->query.qname != NULL) { 163 if (isc_log_wouldlog(ns_lctx, level)) { 164 char qbuf[DNS_NAME_FORMATSIZE]; 165 char tbuf[DNS_RDATATYPE_FORMATSIZE]; 166 dns_name_format(client->query.qname, qbuf, 167 sizeof(qbuf)); 168 dns_rdatatype_format(client->query.qtype, tbuf, 169 sizeof(tbuf)); 170 isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, 171 NS_LOGMODULE_QUERY, level, 172 "query client=%p thread=0x%" PRIxPTR 173 "(%s/%s): %s", 174 client, isc_thread_self(), qbuf, tbuf, 175 message); 176 } 177 } else { 178 isc_log_write(ns_lctx, NS_LOGCATEGORY_CLIENT, 179 NS_LOGMODULE_QUERY, level, 180 "query client=%p thread=0x%" PRIxPTR 181 "(<unknown-query>): %s", 182 client, isc_thread_self(), message); 183 } 184 } 185 #define CTRACE(l, m) client_trace(client, l, m) 186 #define CCTRACE(l, m) client_trace(qctx->client, l, m) 187 #else /* ifdef WANT_QUERYTRACE */ 188 #define CTRACE(l, m) ((void)m) 189 #define CCTRACE(l, m) ((void)m) 190 #endif /* WANT_QUERYTRACE */ 191 192 #define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0) 193 194 #define SFCACHE_CDFLAG 0x1 195 196 /* 197 * SAVE and RESTORE have the same semantics as: 198 * 199 * foo_attach(b, &a); 200 * foo_detach(&b); 201 * 202 * without the locking and magic testing. 203 * 204 * We use the names SAVE and RESTORE to show the operation being performed, 205 * even though the two macros are identical. 206 */ 207 #define SAVE(a, b) \ 208 do { \ 209 INSIST(a == NULL); \ 210 a = b; \ 211 b = NULL; \ 212 } while (0) 213 #define RESTORE(a, b) SAVE(a, b) 214 215 static bool 216 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, 217 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); 218 219 static void 220 query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, 221 dns_dbversion_t *version, ns_client_t *client, 222 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, 223 dns_name_t *fname, bool exact, dns_name_t *found); 224 225 static void 226 log_queryerror(ns_client_t *client, isc_result_t result, int line, int level); 227 228 static void 229 rpz_st_clear(ns_client_t *client); 230 231 static bool 232 rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, 233 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset); 234 235 static void 236 log_noexistnodata(void *val, int level, const char *fmt, ...) 237 ISC_FORMAT_PRINTF(3, 4); 238 239 static isc_result_t 240 query_addanswer(query_ctx_t *qctx); 241 242 static isc_result_t 243 query_prepare_delegation_response(query_ctx_t *qctx); 244 245 static isc_result_t 246 acquire_recursionquota(ns_client_t *client); 247 248 static void 249 release_recursionquota(ns_client_t *client); 250 251 /* 252 * Return the hooktable in use with 'qctx', or if there isn't one 253 * set, return the default hooktable. 254 */ 255 static ns_hooktable_t * 256 get_hooktab(query_ctx_t *qctx) { 257 if (qctx == NULL || qctx->view == NULL || qctx->view->hooktable == NULL) 258 { 259 return ns__hook_table; 260 } 261 262 return qctx->view->hooktable; 263 } 264 265 /* 266 * Call the specified hook function in every configured module that implements 267 * that function. If any hook function returns NS_HOOK_RETURN, we 268 * set 'result' and terminate processing by jumping to the 'cleanup' tag. 269 * 270 * (Note that a hook function may set the 'result' to ISC_R_SUCCESS but 271 * still terminate processing within the calling function. That's why this 272 * is a macro instead of a static function; it needs to be able to use 273 * 'goto cleanup' regardless of the return value.) 274 */ 275 #define CALL_HOOK(_id, _qctx) \ 276 do { \ 277 isc_result_t _res = result; \ 278 ns_hooktable_t *_tab = get_hooktab(_qctx); \ 279 ns_hook_t *_hook; \ 280 _hook = ISC_LIST_HEAD((*_tab)[_id]); \ 281 while (_hook != NULL) { \ 282 ns_hook_action_t _func = _hook->action; \ 283 void *_data = _hook->action_data; \ 284 INSIST(_func != NULL); \ 285 switch (_func(_qctx, _data, &_res)) { \ 286 case NS_HOOK_CONTINUE: \ 287 _hook = ISC_LIST_NEXT(_hook, link); \ 288 break; \ 289 case NS_HOOK_RETURN: \ 290 result = _res; \ 291 goto cleanup; \ 292 default: \ 293 UNREACHABLE(); \ 294 } \ 295 } \ 296 } while (false) 297 298 /* 299 * Call the specified hook function in every configured module that 300 * implements that function. All modules are called; hook function return 301 * codes are ignored. This is intended for use with initialization and 302 * destruction calls which *must* run in every configured module. 303 * 304 * (This could be implemented as a static void function, but is left as a 305 * macro for symmetry with CALL_HOOK above.) 306 */ 307 #define CALL_HOOK_NORETURN(_id, _qctx) \ 308 do { \ 309 isc_result_t _res; \ 310 ns_hooktable_t *_tab = get_hooktab(_qctx); \ 311 ns_hook_t *_hook; \ 312 _hook = ISC_LIST_HEAD((*_tab)[_id]); \ 313 while (_hook != NULL) { \ 314 ns_hook_action_t _func = _hook->action; \ 315 void *_data = _hook->action_data; \ 316 INSIST(_func != NULL); \ 317 _func(_qctx, _data, &_res); \ 318 _hook = ISC_LIST_NEXT(_hook, link); \ 319 } \ 320 } while (false) 321 322 /* 323 * The functions defined below implement the query logic that previously lived 324 * in the single very complex function query_find(). The query_ctx_t structure 325 * defined in <ns/query.h> maintains state from function to function. The call 326 * flow for the general query processing algorithm is described below: 327 * 328 * 1. Set up query context and other resources for a client 329 * query (query_setup()) 330 * 331 * 2. Start the search (ns__query_start()) 332 * 333 * 3. Identify authoritative data sources which may have an answer; 334 * search them (query_lookup()). If an answer is found, go to 7. 335 * 336 * 4. If recursion or cache access are allowed, search the cache 337 * (query_lookup() again, using the cache database) to find a better 338 * answer. If an answer is found, go to 7. 339 * 340 * 5. If recursion is allowed, begin recursion (ns_query_recurse()). 341 * Go to 15 to clean up this phase of the query. When recursion 342 * is complete, processing will resume at 6. 343 * 344 * 6. Resume from recursion; set up query context for resumed processing. 345 * 346 * 7. Determine what sort of answer we've found (query_gotanswer()) 347 * and call other functions accordingly: 348 * - not found (auth or cache), go to 8 349 * - delegation, go to 9 350 * - no such domain (auth), go to 10 351 * - empty answer (auth), go to 11 352 * - negative response (cache), go to 12 353 * - answer found, go to 13 354 * 355 * 8. The answer was not found in the database (query_notfound(). 356 * Set up a referral and go to 9. 357 * 358 * 9. Handle a delegation response (query_delegation()). If we need 359 * to and are allowed to recurse (query_delegation_recurse()), go to 5, 360 * otherwise go to 15 to clean up and return the delegation to the client. 361 * 362 * 10. No such domain (query_nxdomain()). Attempt redirection; if 363 * unsuccessful, add authority section records (query_addsoa(), 364 * query_addauth()), then go to 15 to return NXDOMAIN to client. 365 * 366 * 11. Empty answer (query_nodata()). Add authority section records 367 * (query_addsoa(), query_addauth()) and signatures if authoritative 368 * (query_sign_nodata()) then go to 15 and return 369 * NOERROR/ANCOUNT=0 to client. 370 * 371 * 12. No such domain or empty answer returned from cache (query_ncache()). 372 * Set response code appropriately, go to 11. 373 * 374 * 13. Prepare a response (query_prepresponse()) and then fill it 375 * appropriately (query_respond(), or for type ANY, 376 * query_respond_any()). 377 * 378 * 14. If a restart is needed due to CNAME/DNAME chaining, go to 2. 379 * 380 * 15. Clean up resources. If recursing, stop and wait for the event 381 * handler to be called back (step 6). If an answer is ready, 382 * return it to the client. 383 * 384 * (XXX: This description omits several special cases including 385 * DNS64, RPZ, RRL, and the SERVFAIL cache. It also doesn't discuss 386 * plugins.) 387 */ 388 389 static void 390 query_trace(query_ctx_t *qctx); 391 392 static void 393 qctx_init(ns_client_t *client, dns_fetchresponse_t **respp, 394 dns_rdatatype_t qtype, query_ctx_t *qctx); 395 396 static isc_result_t 397 qctx_prepare_buffers(query_ctx_t *qctx, isc_buffer_t *buffer); 398 399 static void 400 qctx_freedata(query_ctx_t *qctx); 401 402 static void 403 qctx_destroy(query_ctx_t *qctx); 404 405 static void 406 query_setup(ns_client_t *client, dns_rdatatype_t qtype); 407 408 static isc_result_t 409 query_lookup(query_ctx_t *qctx); 410 411 static void 412 fetch_callback(void *arg); 413 414 static void 415 recparam_update(ns_query_recparam_t *param, dns_rdatatype_t qtype, 416 const dns_name_t *qname, const dns_name_t *qdomain); 417 418 static isc_result_t 419 query_resume(query_ctx_t *qctx); 420 421 static isc_result_t 422 query_checkrrl(query_ctx_t *qctx, isc_result_t result); 423 424 static isc_result_t 425 query_checkrpz(query_ctx_t *qctx, isc_result_t result); 426 427 static isc_result_t 428 query_rpzcname(query_ctx_t *qctx, dns_name_t *cname); 429 430 static isc_result_t 431 query_gotanswer(query_ctx_t *qctx, isc_result_t result); 432 433 static void 434 query_addnoqnameproof(query_ctx_t *qctx); 435 436 static isc_result_t 437 query_respond_any(query_ctx_t *qctx); 438 439 static isc_result_t 440 query_respond(query_ctx_t *qctx); 441 442 static isc_result_t 443 query_dns64(query_ctx_t *qctx); 444 445 static void 446 query_filter64(query_ctx_t *qctx); 447 448 static isc_result_t 449 query_notfound(query_ctx_t *qctx); 450 451 static isc_result_t 452 query_zone_delegation(query_ctx_t *qctx); 453 454 static isc_result_t 455 query_delegation(query_ctx_t *qctx); 456 457 static isc_result_t 458 query_delegation_recurse(query_ctx_t *qctx); 459 460 static void 461 query_addds(query_ctx_t *qctx); 462 463 static isc_result_t 464 query_nodata(query_ctx_t *qctx, isc_result_t result); 465 466 static isc_result_t 467 query_sign_nodata(query_ctx_t *qctx); 468 469 static void 470 query_addnxrrsetnsec(query_ctx_t *qctx); 471 472 static isc_result_t 473 query_nxdomain(query_ctx_t *qctx, isc_result_t result); 474 475 static isc_result_t 476 query_redirect(query_ctx_t *qctx, isc_result_t result); 477 478 static isc_result_t 479 query_ncache(query_ctx_t *qctx, isc_result_t result); 480 481 static isc_result_t 482 query_coveringnsec(query_ctx_t *qctx); 483 484 static isc_result_t 485 query_zerottl_refetch(query_ctx_t *qctx); 486 487 static isc_result_t 488 query_cname(query_ctx_t *qctx); 489 490 static isc_result_t 491 query_dname(query_ctx_t *qctx); 492 493 static void 494 query_addcname(query_ctx_t *qctx, dns_trust_t trust, dns_ttl_t ttl); 495 496 static isc_result_t 497 query_prepresponse(query_ctx_t *qctx); 498 499 static isc_result_t 500 query_addsoa(query_ctx_t *qctx, unsigned int override_ttl, 501 dns_section_t section); 502 503 static isc_result_t 504 query_addns(query_ctx_t *qctx); 505 506 static void 507 query_addbestns(query_ctx_t *qctx); 508 509 static void 510 query_addwildcardproof(query_ctx_t *qctx, bool ispositive, bool nodata); 511 512 static void 513 query_addauth(query_ctx_t *qctx); 514 515 static void 516 query_clear_stale(ns_client_t *client); 517 518 /* 519 * Increment query statistics counters. 520 */ 521 static void 522 inc_stats(ns_client_t *client, isc_statscounter_t counter) { 523 dns_zone_t *zone = client->query.authzone; 524 dns_rdatatype_t qtype; 525 dns_rdataset_t *rdataset; 526 isc_stats_t *zonestats; 527 dns_stats_t *querystats = NULL; 528 529 ns_stats_increment(client->manager->sctx->nsstats, counter); 530 531 if (zone == NULL) { 532 return; 533 } 534 535 /* Do regular response type stats */ 536 zonestats = dns_zone_getrequeststats(zone); 537 538 if (zonestats != NULL) { 539 isc_stats_increment(zonestats, counter); 540 } 541 542 /* Do query type statistics 543 * 544 * We only increment per-type if we're using the authoritative 545 * answer counter, preventing double-counting. 546 */ 547 if (counter == ns_statscounter_authans) { 548 querystats = dns_zone_getrcvquerystats(zone); 549 if (querystats != NULL) { 550 rdataset = ISC_LIST_HEAD(client->query.qname->list); 551 if (rdataset != NULL) { 552 qtype = rdataset->type; 553 dns_rdatatypestats_increment(querystats, qtype); 554 } 555 } 556 } 557 } 558 559 #define NS_CLIENT_FLAGS_FORMATSIZE sizeof("+E(255)STDCV") 560 561 static inline void 562 ns_client_log_flags(ns_client_t *client, unsigned int flags, 563 unsigned int extflags, char *buf, size_t len) { 564 isc_buffer_t b; 565 566 isc_buffer_init(&b, buf, len); 567 isc_buffer_putuint8(&b, WANTRECURSION(client) ? '+' : '-'); 568 if (client->ednsversion >= 0) { 569 char ednsbuf[sizeof("E(255)")] = { 0 }; 570 571 snprintf(ednsbuf, sizeof(ednsbuf), "E(%hhu)", 572 (unsigned char)client->ednsversion); 573 isc_buffer_putstr(&b, ednsbuf); 574 } 575 if (client->signer != NULL) { 576 isc_buffer_putuint8(&b, 'S'); 577 } 578 if (TCP(client)) { 579 isc_buffer_putuint8(&b, 'T'); 580 } 581 if ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) { 582 isc_buffer_putuint8(&b, 'D'); 583 } 584 if ((flags & DNS_MESSAGEFLAG_CD) != 0) { 585 isc_buffer_putuint8(&b, 'C'); 586 } 587 if (HAVECOOKIE(client)) { 588 isc_buffer_putuint8(&b, 'V'); 589 } else if (WANTCOOKIE(client)) { 590 isc_buffer_putuint8(&b, 'K'); 591 } 592 isc_buffer_putuint8(&b, 0); 593 } 594 595 #define NS_CLIENT_ECS_FORMATSIZE (DNS_ECS_FORMATSIZE + sizeof(" [ECS ]") - 1) 596 597 static inline void 598 ns_client_log_ecs(ns_client_t *client, char *ecsbuf, size_t len) { 599 strlcpy(ecsbuf, " [ECS ", len); 600 dns_ecs_format(&client->ecs, ecsbuf + 6, len - 6); 601 strlcat(ecsbuf, "]", len); 602 } 603 604 static inline void 605 log_response(ns_client_t *client, dns_rcode_t rcode) { 606 char namebuf[DNS_NAME_FORMATSIZE]; 607 char typebuf[DNS_RDATATYPE_FORMATSIZE]; 608 char classbuf[DNS_RDATACLASS_FORMATSIZE]; 609 char rcodebuf[20]; 610 char onbuf[ISC_NETADDR_FORMATSIZE]; 611 char ecsbuf[NS_CLIENT_ECS_FORMATSIZE] = { 0 }; 612 char flagsbuf[NS_CLIENT_FLAGS_FORMATSIZE] = { 0 }; 613 isc_buffer_t b; 614 int level = ISC_LOG_INFO; 615 616 if (!isc_log_wouldlog(ns_lctx, level)) { 617 return; 618 } 619 620 dns_name_format(client->query.origqname, namebuf, sizeof(namebuf)); 621 dns_rdataclass_format(client->message->rdclass, classbuf, 622 sizeof(classbuf)); 623 dns_rdatatype_format(client->query.qtype, typebuf, sizeof(typebuf)); 624 isc_buffer_init(&b, rcodebuf, sizeof(rcodebuf)); 625 dns_rcode_totext(rcode, &b); 626 isc_buffer_putuint8(&b, 0); 627 isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf)); 628 629 if (HAVEECS(client)) { 630 ns_client_log_ecs(client, ecsbuf, sizeof(ecsbuf)); 631 } 632 633 ns_client_log_flags(client, client->message->flags, client->extflags, 634 flagsbuf, sizeof(flagsbuf)); 635 ns_client_log(client, NS_LOGCATEGORY_RESPONSES, NS_LOGMODULE_QUERY, 636 level, "response: %s %s %s %s %u %u %u %s (%s)%s", 637 namebuf, classbuf, typebuf, rcodebuf, 638 client->message->counts[DNS_SECTION_ANSWER], 639 client->message->counts[DNS_SECTION_AUTHORITY], 640 client->message->counts[DNS_SECTION_ADDITIONAL], flagsbuf, 641 onbuf, ecsbuf); 642 } 643 644 static void 645 query_send(ns_client_t *client) { 646 isc_statscounter_t counter; 647 648 if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0) { 649 inc_stats(client, ns_statscounter_nonauthans); 650 } else { 651 inc_stats(client, ns_statscounter_authans); 652 } 653 654 if (client->message->rcode == dns_rcode_noerror) { 655 dns_section_t answer = DNS_SECTION_ANSWER; 656 if (ISC_LIST_EMPTY(client->message->sections[answer])) { 657 if (client->query.isreferral) { 658 counter = ns_statscounter_referral; 659 } else { 660 counter = ns_statscounter_nxrrset; 661 } 662 } else { 663 counter = ns_statscounter_success; 664 } 665 } else if (client->message->rcode == dns_rcode_nxdomain) { 666 counter = ns_statscounter_nxdomain; 667 } else if (client->message->rcode == dns_rcode_badcookie) { 668 counter = ns_statscounter_badcookie; 669 } else { /* We end up here in case of YXDOMAIN, and maybe others */ 670 counter = ns_statscounter_failure; 671 } 672 673 inc_stats(client, counter); 674 ns_client_send(client); 675 676 if ((client->manager->sctx->options & NS_SERVER_LOGRESPONSES) != 0) { 677 log_response(client, client->message->rcode); 678 } 679 680 isc_nmhandle_detach(&client->reqhandle); 681 } 682 683 static void 684 query_error(ns_client_t *client, isc_result_t result, int line) { 685 int loglevel = ISC_LOG_DEBUG(3); 686 dns_rcode_t rcode; 687 688 rcode = dns_result_torcode(result); 689 switch (rcode) { 690 case dns_rcode_servfail: 691 loglevel = ISC_LOG_DEBUG(1); 692 inc_stats(client, ns_statscounter_servfail); 693 break; 694 case dns_rcode_formerr: 695 inc_stats(client, ns_statscounter_formerr); 696 break; 697 default: 698 inc_stats(client, ns_statscounter_failure); 699 break; 700 } 701 702 if ((client->manager->sctx->options & NS_SERVER_LOGQUERIES) != 0) { 703 loglevel = ISC_LOG_INFO; 704 } 705 706 log_queryerror(client, result, line, loglevel); 707 708 ns_client_error(client, result); 709 710 if (client->query.origqname != NULL && 711 (client->manager->sctx->options & NS_SERVER_LOGRESPONSES) != 0) 712 { 713 log_response(client, rcode); 714 } 715 716 isc_nmhandle_detach(&client->reqhandle); 717 } 718 719 static void 720 query_next(ns_client_t *client, isc_result_t result) { 721 if (result == DNS_R_DUPLICATE) { 722 inc_stats(client, ns_statscounter_duplicate); 723 } else if (result == DNS_R_DROP) { 724 inc_stats(client, ns_statscounter_dropped); 725 } else { 726 inc_stats(client, ns_statscounter_failure); 727 } 728 ns_client_drop(client, result); 729 isc_nmhandle_detach(&client->reqhandle); 730 } 731 732 static void 733 query_freefreeversions(ns_client_t *client, bool everything) { 734 ns_dbversion_t *dbversion, *dbversion_next; 735 unsigned int i; 736 737 for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0; 738 dbversion != NULL; dbversion = dbversion_next, i++) 739 { 740 dbversion_next = ISC_LIST_NEXT(dbversion, link); 741 /* 742 * If we're not freeing everything, we keep the first three 743 * dbversions structures around. 744 */ 745 if (i > 3 || everything) { 746 ISC_LIST_UNLINK(client->query.freeversions, dbversion, 747 link); 748 isc_mem_put(client->manager->mctx, dbversion, 749 sizeof(*dbversion)); 750 } 751 } 752 } 753 754 void 755 ns_query_cancel(ns_client_t *client) { 756 REQUIRE(NS_CLIENT_VALID(client)); 757 758 LOCK(&client->query.fetchlock); 759 for (int i = 0; i < RECTYPE_COUNT; i++) { 760 dns_fetch_t **fetchp = &client->query.recursions[i].fetch; 761 if (*fetchp != NULL) { 762 dns_resolver_cancelfetch(*fetchp); 763 *fetchp = NULL; 764 } 765 } 766 if (client->query.hookactx != NULL) { 767 client->query.hookactx->cancel(client->query.hookactx); 768 client->query.hookactx = NULL; 769 } 770 UNLOCK(&client->query.fetchlock); 771 } 772 773 static void 774 query_reset(ns_client_t *client, bool everything) { 775 isc_buffer_t *dbuf, *dbuf_next; 776 ns_dbversion_t *dbversion, *dbversion_next; 777 778 CTRACE(ISC_LOG_DEBUG(3), "query_reset"); 779 780 /*% 781 * Reset the query state of a client to its default state. 782 */ 783 784 /* 785 * Cancel the fetch if it's running. 786 */ 787 ns_query_cancel(client); 788 789 /* 790 * Cleanup any active versions. 791 */ 792 for (dbversion = ISC_LIST_HEAD(client->query.activeversions); 793 dbversion != NULL; dbversion = dbversion_next) 794 { 795 dbversion_next = ISC_LIST_NEXT(dbversion, link); 796 dns_db_closeversion(dbversion->db, &dbversion->version, false); 797 dns_db_detach(&dbversion->db); 798 ISC_LIST_INITANDAPPEND(client->query.freeversions, dbversion, 799 link); 800 } 801 ISC_LIST_INIT(client->query.activeversions); 802 803 if (client->query.authdb != NULL) { 804 dns_db_detach(&client->query.authdb); 805 } 806 if (client->query.authzone != NULL) { 807 dns_zone_detach(&client->query.authzone); 808 } 809 810 if (client->query.dns64_aaaa != NULL) { 811 ns_client_putrdataset(client, &client->query.dns64_aaaa); 812 } 813 if (client->query.dns64_sigaaaa != NULL) { 814 ns_client_putrdataset(client, &client->query.dns64_sigaaaa); 815 } 816 if (client->query.dns64_aaaaok != NULL) { 817 isc_mem_cput(client->manager->mctx, client->query.dns64_aaaaok, 818 client->query.dns64_aaaaoklen, sizeof(bool)); 819 client->query.dns64_aaaaok = NULL; 820 client->query.dns64_aaaaoklen = 0; 821 } 822 823 ns_client_putrdataset(client, &client->query.redirect.rdataset); 824 ns_client_putrdataset(client, &client->query.redirect.sigrdataset); 825 if (client->query.redirect.db != NULL) { 826 if (client->query.redirect.node != NULL) { 827 dns_db_detachnode(client->query.redirect.db, 828 &client->query.redirect.node); 829 } 830 dns_db_detach(&client->query.redirect.db); 831 } 832 if (client->query.redirect.zone != NULL) { 833 dns_zone_detach(&client->query.redirect.zone); 834 } 835 836 query_freefreeversions(client, everything); 837 838 for (dbuf = ISC_LIST_HEAD(client->query.namebufs); dbuf != NULL; 839 dbuf = dbuf_next) 840 { 841 dbuf_next = ISC_LIST_NEXT(dbuf, link); 842 if (dbuf_next != NULL || everything) { 843 ISC_LIST_UNLINK(client->query.namebufs, dbuf, link); 844 isc_buffer_free(&dbuf); 845 } 846 } 847 848 if (client->query.restarts > 0) { 849 /* 850 * client->query.qname was dynamically allocated. 851 */ 852 dns_message_puttempname(client->message, &client->query.qname); 853 } 854 client->query.qname = NULL; 855 client->query.attributes = (NS_QUERYATTR_RECURSIONOK | 856 NS_QUERYATTR_CACHEOK | NS_QUERYATTR_SECURE); 857 client->query.restarts = 0; 858 client->query.timerset = false; 859 if (client->query.rpz_st != NULL) { 860 rpz_st_clear(client); 861 if (everything) { 862 INSIST(client->query.rpz_st->rpsdb == NULL); 863 isc_mem_put(client->manager->mctx, client->query.rpz_st, 864 sizeof(*client->query.rpz_st)); 865 client->query.rpz_st = NULL; 866 } 867 } 868 client->query.origqname = NULL; 869 client->query.dboptions = 0; 870 client->query.fetchoptions = 0; 871 client->query.gluedb = NULL; 872 client->query.authdbset = false; 873 client->query.isreferral = false; 874 client->query.dns64_options = 0; 875 client->query.dns64_ttl = UINT32_MAX; 876 recparam_update(&client->query.recparam, 0, NULL, NULL); 877 client->query.root_key_sentinel_keyid = 0; 878 client->query.root_key_sentinel_is_ta = false; 879 client->query.root_key_sentinel_not_ta = false; 880 } 881 882 static void 883 query_cleanup(ns_client_t *client) { 884 query_reset(client, false); 885 } 886 887 void 888 ns_query_free(ns_client_t *client) { 889 REQUIRE(NS_CLIENT_VALID(client)); 890 891 query_reset(client, true); 892 } 893 894 void 895 ns_query_init(ns_client_t *client) { 896 REQUIRE(NS_CLIENT_VALID(client)); 897 898 client->query = (ns_query_t){ 0 }; 899 900 ISC_LIST_INIT(client->query.namebufs); 901 ISC_LIST_INIT(client->query.activeversions); 902 ISC_LIST_INIT(client->query.freeversions); 903 /* 904 * This mutex is destroyed when the client is destroyed in 905 * exit_check(). 906 */ 907 isc_mutex_init(&client->query.fetchlock); 908 client->query.redirect.fname = 909 dns_fixedname_initname(&client->query.redirect.fixed); 910 query_reset(client, false); 911 ns_client_newdbversion(client, 3); 912 ns_client_newnamebuf(client); 913 } 914 915 /*% 916 * Check if 'client' is allowed to query the cache of its associated view. 917 * Unless 'options' has the 'nolog' flag set, log the result of cache ACL 918 * evaluation using the appropriate level, along with 'name' and 'qtype'. 919 * 920 * The cache ACL is only evaluated once for each client and then the result is 921 * cached: if NS_QUERYATTR_CACHEACLOKVALID is set in client->query.attributes, 922 * cache ACL evaluation has already been performed. The evaluation result is 923 * also stored in client->query.attributes: if NS_QUERYATTR_CACHEACLOK is set, 924 * the client is allowed cache access. 925 * 926 * Returns: 927 * 928 *\li #ISC_R_SUCCESS 'client' is allowed to access cache 929 *\li #DNS_R_REFUSED 'client' is not allowed to access cache 930 */ 931 static isc_result_t 932 query_checkcacheaccess(ns_client_t *client, const dns_name_t *name, 933 dns_rdatatype_t qtype, dns_getdb_options_t options) { 934 isc_result_t result; 935 936 if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) == 0) { 937 enum refusal_reasons { 938 ALLOW_QUERY_CACHE, 939 ALLOW_QUERY_CACHE_ON 940 }; 941 static const char *acl_desc[] = { 942 "allow-query-cache did not match", 943 "allow-query-cache-on did not match", 944 }; 945 946 /* 947 * The view's cache ACLs have not yet been evaluated. 948 * Do it now. Both allow-query-cache and 949 * allow-query-cache-on must be satisfied. 950 */ 951 char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")]; 952 953 enum refusal_reasons refusal_reason = ALLOW_QUERY_CACHE; 954 result = ns_client_checkaclsilent(client, NULL, 955 client->view->cacheacl, true); 956 if (result == ISC_R_SUCCESS) { 957 refusal_reason = ALLOW_QUERY_CACHE_ON; 958 result = ns_client_checkaclsilent( 959 client, &client->destaddr, 960 client->view->cacheonacl, true); 961 } 962 if (result == ISC_R_SUCCESS) { 963 /* 964 * We were allowed by the "allow-query-cache" ACL. 965 */ 966 client->query.attributes |= NS_QUERYATTR_CACHEACLOK; 967 if (!options.nolog && 968 isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(3))) 969 { 970 ns_client_aclmsg("query (cache)", name, qtype, 971 client->view->rdclass, msg, 972 sizeof(msg)); 973 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 974 NS_LOGMODULE_QUERY, 975 ISC_LOG_DEBUG(3), "%s approved", 976 msg); 977 } 978 } else { 979 /* 980 * We were denied by the "allow-query-cache" ACL. 981 * There is no need to clear NS_QUERYATTR_CACHEACLOK 982 * since it is cleared by query_reset(), before query 983 * processing starts. 984 */ 985 ns_client_extendederror(client, DNS_EDE_PROHIBITED, 986 NULL); 987 988 if (!options.nolog) { 989 ns_client_aclmsg("query (cache)", name, qtype, 990 client->view->rdclass, msg, 991 sizeof(msg)); 992 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 993 NS_LOGMODULE_QUERY, ISC_LOG_INFO, 994 "%s denied (%s)", msg, 995 acl_desc[refusal_reason]); 996 } 997 } 998 999 /* 1000 * Evaluation has been finished; make sure we will just consult 1001 * NS_QUERYATTR_CACHEACLOK for this client from now on. 1002 */ 1003 client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID; 1004 } 1005 1006 return (client->query.attributes & NS_QUERYATTR_CACHEACLOK) != 0 1007 ? ISC_R_SUCCESS 1008 : DNS_R_REFUSED; 1009 } 1010 1011 static isc_result_t 1012 query_validatezonedb(ns_client_t *client, const dns_name_t *name, 1013 dns_rdatatype_t qtype, dns_getdb_options_t options, 1014 dns_zone_t *zone, dns_db_t *db, 1015 dns_dbversion_t **versionp) { 1016 isc_result_t result; 1017 dns_acl_t *queryacl, *queryonacl; 1018 ns_dbversion_t *dbversion; 1019 1020 REQUIRE(zone != NULL); 1021 REQUIRE(db != NULL); 1022 1023 /* 1024 * Mirror zone data is treated as cache data. 1025 */ 1026 if (dns_zone_gettype(zone) == dns_zone_mirror) { 1027 return query_checkcacheaccess(client, name, qtype, options); 1028 } 1029 1030 /* 1031 * This limits our searching to the zone where the first name 1032 * (the query target) was looked for. This prevents following 1033 * CNAMES or DNAMES into other zones and prevents returning 1034 * additional data from other zones. This does not apply if we're 1035 * answering a query where recursion is requested and allowed. 1036 */ 1037 if (client->query.rpz_st == NULL && 1038 !(WANTRECURSION(client) && RECURSIONOK(client)) && 1039 client->query.authdbset && db != client->query.authdb) 1040 { 1041 return DNS_R_REFUSED; 1042 } 1043 1044 /* 1045 * Non recursive query to a static-stub zone is prohibited; its 1046 * zone content is not public data, but a part of local configuration 1047 * and should not be disclosed. 1048 */ 1049 if (dns_zone_gettype(zone) == dns_zone_staticstub && 1050 !RECURSIONOK(client)) 1051 { 1052 return DNS_R_REFUSED; 1053 } 1054 1055 /* 1056 * If the zone has an ACL, we'll check it, otherwise 1057 * we use the view's "allow-query" ACL. Each ACL is only checked 1058 * once per query. 1059 * 1060 * Also, get the database version to use. 1061 */ 1062 1063 /* 1064 * Get the current version of this database. 1065 */ 1066 dbversion = ns_client_findversion(client, db); 1067 if (dbversion == NULL) { 1068 CTRACE(ISC_LOG_ERROR, "unable to get db version"); 1069 return DNS_R_SERVFAIL; 1070 } 1071 1072 if (options.ignoreacl) { 1073 goto approved; 1074 } 1075 if (dbversion->acl_checked) { 1076 if (!dbversion->queryok) { 1077 return DNS_R_REFUSED; 1078 } 1079 goto approved; 1080 } 1081 1082 queryacl = dns_zone_getqueryacl(zone); 1083 if (queryacl == NULL) { 1084 queryacl = client->view->queryacl; 1085 if ((client->query.attributes & NS_QUERYATTR_QUERYOKVALID) != 0) 1086 { 1087 /* 1088 * We've evaluated the view's queryacl already. If 1089 * NS_QUERYATTR_QUERYOK is set, then the client is 1090 * allowed to make queries, otherwise the query should 1091 * be refused. 1092 */ 1093 dbversion->acl_checked = true; 1094 if ((client->query.attributes & NS_QUERYATTR_QUERYOK) == 1095 0) 1096 { 1097 dbversion->queryok = false; 1098 return DNS_R_REFUSED; 1099 } 1100 dbversion->queryok = true; 1101 goto approved; 1102 } 1103 } 1104 1105 result = ns_client_checkaclsilent(client, NULL, queryacl, true); 1106 if (!options.nolog) { 1107 char msg[NS_CLIENT_ACLMSGSIZE("query")]; 1108 if (result == ISC_R_SUCCESS) { 1109 if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(3))) { 1110 ns_client_aclmsg("query", name, qtype, 1111 client->view->rdclass, msg, 1112 sizeof(msg)); 1113 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 1114 NS_LOGMODULE_QUERY, 1115 ISC_LOG_DEBUG(3), "%s approved", 1116 msg); 1117 } 1118 } else { 1119 ns_client_aclmsg("query", name, qtype, 1120 client->view->rdclass, msg, 1121 sizeof(msg)); 1122 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 1123 NS_LOGMODULE_QUERY, ISC_LOG_INFO, 1124 "%s denied", msg); 1125 ns_client_extendederror(client, DNS_EDE_PROHIBITED, 1126 NULL); 1127 } 1128 } 1129 1130 if (queryacl == client->view->queryacl) { 1131 if (result == ISC_R_SUCCESS) { 1132 /* 1133 * We were allowed by the default 1134 * "allow-query" ACL. Remember this so we 1135 * don't have to check again. 1136 */ 1137 client->query.attributes |= NS_QUERYATTR_QUERYOK; 1138 } 1139 /* 1140 * We've now evaluated the view's query ACL, and 1141 * the NS_QUERYATTR_QUERYOK attribute is now valid. 1142 */ 1143 client->query.attributes |= NS_QUERYATTR_QUERYOKVALID; 1144 } 1145 1146 /* If and only if we've gotten this far, check allow-query-on too */ 1147 if (result == ISC_R_SUCCESS) { 1148 queryonacl = dns_zone_getqueryonacl(zone); 1149 if (queryonacl == NULL) { 1150 queryonacl = client->view->queryonacl; 1151 } 1152 1153 result = ns_client_checkaclsilent(client, &client->destaddr, 1154 queryonacl, true); 1155 if (result != ISC_R_SUCCESS) { 1156 ns_client_extendederror(client, DNS_EDE_PROHIBITED, 1157 NULL); 1158 } 1159 if (!options.nolog && result != ISC_R_SUCCESS) { 1160 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 1161 NS_LOGMODULE_QUERY, ISC_LOG_INFO, 1162 "query-on denied"); 1163 } 1164 } 1165 1166 dbversion->acl_checked = true; 1167 if (result != ISC_R_SUCCESS) { 1168 dbversion->queryok = false; 1169 return DNS_R_REFUSED; 1170 } 1171 dbversion->queryok = true; 1172 1173 approved: 1174 /* Transfer ownership, if necessary. */ 1175 SET_IF_NOT_NULL(versionp, dbversion->version); 1176 return ISC_R_SUCCESS; 1177 } 1178 1179 static isc_result_t 1180 query_getzonedb(ns_client_t *client, const dns_name_t *name, 1181 dns_rdatatype_t qtype, dns_getdb_options_t options, 1182 dns_zone_t **zonep, dns_db_t **dbp, 1183 dns_dbversion_t **versionp) { 1184 isc_result_t result; 1185 unsigned int ztoptions; 1186 dns_zone_t *zone = NULL; 1187 dns_db_t *db = NULL; 1188 bool partial = false; 1189 1190 REQUIRE(zonep != NULL && *zonep == NULL); 1191 REQUIRE(dbp != NULL && *dbp == NULL); 1192 1193 /*% 1194 * Find a zone database to answer the query. 1195 */ 1196 ztoptions = DNS_ZTFIND_MIRROR; 1197 if (options.noexact) { 1198 ztoptions |= DNS_ZTFIND_NOEXACT; 1199 } 1200 1201 result = dns_view_findzone(client->view, name, ztoptions, &zone); 1202 1203 if (result == DNS_R_PARTIALMATCH) { 1204 partial = true; 1205 } 1206 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { 1207 result = dns_zone_getdb(zone, &db); 1208 } 1209 1210 if (result != ISC_R_SUCCESS) { 1211 goto fail; 1212 } 1213 1214 result = query_validatezonedb(client, name, qtype, options, zone, db, 1215 versionp); 1216 1217 if (result != ISC_R_SUCCESS) { 1218 goto fail; 1219 } 1220 1221 /* Transfer ownership. */ 1222 *zonep = zone; 1223 *dbp = db; 1224 1225 if (partial && options.partial) { 1226 return DNS_R_PARTIALMATCH; 1227 } 1228 return ISC_R_SUCCESS; 1229 1230 fail: 1231 if (zone != NULL) { 1232 dns_zone_detach(&zone); 1233 } 1234 if (db != NULL) { 1235 dns_db_detach(&db); 1236 } 1237 1238 return result; 1239 } 1240 1241 static void 1242 rpz_log_rewrite(ns_client_t *client, bool disabled, dns_rpz_policy_t policy, 1243 dns_rpz_type_t type, dns_zone_t *p_zone, dns_name_t *p_name, 1244 dns_name_t *cname, dns_rpz_num_t rpz_num) { 1245 char cname_buf[DNS_NAME_FORMATSIZE] = { 0 }; 1246 char p_name_buf[DNS_NAME_FORMATSIZE]; 1247 char qname_buf[DNS_NAME_FORMATSIZE]; 1248 char classbuf[DNS_RDATACLASS_FORMATSIZE]; 1249 char typebuf[DNS_RDATATYPE_FORMATSIZE]; 1250 const char *s1 = cname_buf, *s2 = cname_buf; 1251 dns_rdataset_t *rdataset; 1252 dns_rpz_st_t *st; 1253 isc_stats_t *zonestats; 1254 1255 /* 1256 * Count enabled rewrites in the global counter. 1257 * Count both enabled and disabled rewrites for each zone. 1258 */ 1259 if (!disabled && policy != DNS_RPZ_POLICY_PASSTHRU) { 1260 ns_stats_increment(client->manager->sctx->nsstats, 1261 ns_statscounter_rpz_rewrites); 1262 } 1263 if (p_zone != NULL) { 1264 zonestats = dns_zone_getrequeststats(p_zone); 1265 if (zonestats != NULL) { 1266 isc_stats_increment(zonestats, 1267 ns_statscounter_rpz_rewrites); 1268 } 1269 } 1270 1271 if (!isc_log_wouldlog(ns_lctx, DNS_RPZ_INFO_LEVEL)) { 1272 return; 1273 } 1274 1275 st = client->query.rpz_st; 1276 if ((st->popt.no_log & DNS_RPZ_ZBIT(rpz_num)) != 0) { 1277 return; 1278 } 1279 1280 dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf)); 1281 dns_name_format(p_name, p_name_buf, sizeof(p_name_buf)); 1282 if (cname != NULL) { 1283 s1 = " (CNAME to: "; 1284 dns_name_format(cname, cname_buf, sizeof(cname_buf)); 1285 s2 = ")"; 1286 } 1287 1288 /* 1289 * Log Qclass and Qtype in addition to existing 1290 * fields. 1291 */ 1292 rdataset = ISC_LIST_HEAD(client->query.origqname->list); 1293 INSIST(rdataset != NULL); 1294 dns_rdataclass_format(rdataset->rdclass, classbuf, sizeof(classbuf)); 1295 dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf)); 1296 1297 /* It's possible to have a separate log channel for rpz passthru. */ 1298 isc_logcategory_t *log_cat = (policy == DNS_RPZ_POLICY_PASSTHRU) 1299 ? DNS_LOGCATEGORY_RPZ_PASSTHRU 1300 : DNS_LOGCATEGORY_RPZ; 1301 1302 ns_client_log(client, log_cat, NS_LOGMODULE_QUERY, DNS_RPZ_INFO_LEVEL, 1303 "%srpz %s %s rewrite %s/%s/%s via %s%s%s%s", 1304 disabled ? "disabled " : "", dns_rpz_type2str(type), 1305 dns_rpz_policy2str(policy), qname_buf, typebuf, classbuf, 1306 p_name_buf, s1, cname_buf, s2); 1307 } 1308 1309 static void 1310 rpz_log_fail_helper(ns_client_t *client, int level, dns_name_t *p_name, 1311 dns_rpz_type_t rpz_type1, dns_rpz_type_t rpz_type2, 1312 const char *str, isc_result_t result) { 1313 char qnamebuf[DNS_NAME_FORMATSIZE]; 1314 char p_namebuf[DNS_NAME_FORMATSIZE]; 1315 const char *failed, *via, *slash, *str_blank; 1316 const char *rpztypestr1; 1317 const char *rpztypestr2; 1318 1319 if (!isc_log_wouldlog(ns_lctx, level)) { 1320 return; 1321 } 1322 1323 /* 1324 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed" for problems. 1325 */ 1326 if (level <= DNS_RPZ_DEBUG_LEVEL1) { 1327 failed = " failed: "; 1328 } else { 1329 failed = ": "; 1330 } 1331 1332 rpztypestr1 = dns_rpz_type2str(rpz_type1); 1333 if (rpz_type2 != DNS_RPZ_TYPE_BAD) { 1334 slash = "/"; 1335 rpztypestr2 = dns_rpz_type2str(rpz_type2); 1336 } else { 1337 slash = ""; 1338 rpztypestr2 = ""; 1339 } 1340 1341 str_blank = (*str != ' ' && *str != '\0') ? " " : ""; 1342 1343 dns_name_format(client->query.qname, qnamebuf, sizeof(qnamebuf)); 1344 1345 if (p_name != NULL) { 1346 via = " via "; 1347 dns_name_format(p_name, p_namebuf, sizeof(p_namebuf)); 1348 } else { 1349 via = ""; 1350 p_namebuf[0] = '\0'; 1351 } 1352 1353 ns_client_log(client, NS_LOGCATEGORY_QUERY_ERRORS, NS_LOGMODULE_QUERY, 1354 level, "rpz %s%s%s rewrite %s%s%s%s%s%s%s", rpztypestr1, 1355 slash, rpztypestr2, qnamebuf, via, p_namebuf, str_blank, 1356 str, failed, isc_result_totext(result)); 1357 } 1358 1359 static void 1360 rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name, 1361 dns_rpz_type_t rpz_type, const char *str, isc_result_t result) { 1362 rpz_log_fail_helper(client, level, p_name, rpz_type, DNS_RPZ_TYPE_BAD, 1363 str, result); 1364 } 1365 1366 /* 1367 * Get a policy rewrite zone database. 1368 */ 1369 static isc_result_t 1370 rpz_getdb(ns_client_t *client, dns_name_t *p_name, dns_rpz_type_t rpz_type, 1371 dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp) { 1372 char qnamebuf[DNS_NAME_FORMATSIZE]; 1373 char p_namebuf[DNS_NAME_FORMATSIZE]; 1374 dns_dbversion_t *rpz_version = NULL; 1375 isc_result_t result; 1376 1377 CTRACE(ISC_LOG_DEBUG(3), "rpz_getdb"); 1378 1379 dns_getdb_options_t options = { .ignoreacl = true }; 1380 result = query_getzonedb(client, p_name, dns_rdatatype_any, options, 1381 zonep, dbp, &rpz_version); 1382 if (result == ISC_R_SUCCESS) { 1383 dns_rpz_st_t *st = client->query.rpz_st; 1384 1385 /* 1386 * It isn't meaningful to log this message when 1387 * logging is disabled for some policy zones. 1388 */ 1389 if (st->popt.no_log == 0 && 1390 isc_log_wouldlog(ns_lctx, DNS_RPZ_DEBUG_LEVEL2)) 1391 { 1392 dns_name_format(client->query.qname, qnamebuf, 1393 sizeof(qnamebuf)); 1394 dns_name_format(p_name, p_namebuf, sizeof(p_namebuf)); 1395 ns_client_log(client, DNS_LOGCATEGORY_RPZ, 1396 NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2, 1397 "try rpz %s rewrite %s via %s", 1398 dns_rpz_type2str(rpz_type), qnamebuf, 1399 p_namebuf); 1400 } 1401 *versionp = rpz_version; 1402 return ISC_R_SUCCESS; 1403 } 1404 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, 1405 "query_getzonedb()", result); 1406 return result; 1407 } 1408 1409 /*% 1410 * Find a cache database to answer the query. This may fail with DNS_R_REFUSED 1411 * if the client is not allowed to use the cache. 1412 */ 1413 static isc_result_t 1414 query_getcachedb(ns_client_t *client, const dns_name_t *name, 1415 dns_rdatatype_t qtype, dns_db_t **dbp, 1416 dns_getdb_options_t options) { 1417 isc_result_t result; 1418 dns_db_t *db = NULL; 1419 1420 REQUIRE(dbp != NULL && *dbp == NULL); 1421 1422 if (!USECACHE(client)) { 1423 return DNS_R_REFUSED; 1424 } 1425 1426 dns_db_attach(client->view->cachedb, &db); 1427 1428 result = query_checkcacheaccess(client, name, qtype, options); 1429 if (result != ISC_R_SUCCESS) { 1430 dns_db_detach(&db); 1431 } 1432 1433 /* 1434 * If query_checkcacheaccess() succeeded, transfer ownership of 'db'. 1435 * Otherwise, 'db' will be NULL due to the dns_db_detach() call above. 1436 */ 1437 *dbp = db; 1438 1439 return result; 1440 } 1441 1442 static isc_result_t 1443 query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype, 1444 dns_getdb_options_t options, dns_zone_t **zonep, dns_db_t **dbp, 1445 dns_dbversion_t **versionp, bool *is_zonep) { 1446 isc_result_t result; 1447 isc_result_t tresult; 1448 unsigned int namelabels; 1449 unsigned int zonelabels; 1450 dns_zone_t *zone = NULL; 1451 1452 REQUIRE(zonep != NULL && *zonep == NULL); 1453 1454 /* Calculate how many labels are in name. */ 1455 namelabels = dns_name_countlabels(name); 1456 zonelabels = 0; 1457 1458 /* Try to find name in bind's standard database. */ 1459 result = query_getzonedb(client, name, qtype, options, &zone, dbp, 1460 versionp); 1461 1462 /* See how many labels are in the zone's name. */ 1463 if (result == ISC_R_SUCCESS && zone != NULL) { 1464 zonelabels = dns_name_countlabels(dns_zone_getorigin(zone)); 1465 } 1466 1467 /* 1468 * If # zone labels < # name labels, try to find an even better match 1469 * Only try if DLZ drivers are loaded for this view 1470 */ 1471 if (zonelabels < namelabels && 1472 !ISC_LIST_EMPTY(client->view->dlz_searched)) 1473 { 1474 dns_clientinfomethods_t cm; 1475 dns_clientinfo_t ci; 1476 dns_db_t *tdbp; 1477 1478 dns_clientinfomethods_init(&cm, ns_client_sourceip); 1479 dns_clientinfo_init(&ci, client, NULL); 1480 dns_clientinfo_setecs(&ci, &client->ecs); 1481 1482 tdbp = NULL; 1483 tresult = dns_view_searchdlz(client->view, name, zonelabels, 1484 &cm, &ci, &tdbp); 1485 /* If we successful, we found a better match. */ 1486 if (tresult == ISC_R_SUCCESS) { 1487 ns_dbversion_t *dbversion; 1488 1489 /* 1490 * If the previous search returned a zone, detach it. 1491 */ 1492 if (zone != NULL) { 1493 dns_zone_detach(&zone); 1494 } 1495 1496 /* 1497 * If the previous search returned a database, 1498 * detach it. 1499 */ 1500 if (*dbp != NULL) { 1501 dns_db_detach(dbp); 1502 } 1503 1504 /* 1505 * If the previous search returned a version, clear it. 1506 */ 1507 *versionp = NULL; 1508 1509 dbversion = ns_client_findversion(client, tdbp); 1510 if (dbversion == NULL) { 1511 tresult = ISC_R_NOMEMORY; 1512 } else { 1513 /* 1514 * Be sure to return our database. 1515 */ 1516 *dbp = tdbp; 1517 *versionp = dbversion->version; 1518 } 1519 1520 /* 1521 * We return a null zone, No stats for DLZ zones. 1522 */ 1523 zone = NULL; 1524 result = tresult; 1525 } 1526 } 1527 1528 /* If successful, Transfer ownership of zone. */ 1529 if (result == ISC_R_SUCCESS) { 1530 *zonep = zone; 1531 /* 1532 * If neither attempt above succeeded, return the cache instead 1533 */ 1534 *is_zonep = true; 1535 } else { 1536 if (result == ISC_R_NOTFOUND) { 1537 result = query_getcachedb(client, name, qtype, dbp, 1538 options); 1539 } 1540 *is_zonep = false; 1541 } 1542 return result; 1543 } 1544 1545 static bool 1546 query_isduplicate(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, 1547 dns_name_t **mnamep) { 1548 dns_section_t section; 1549 dns_name_t *mname = NULL; 1550 isc_result_t result; 1551 1552 CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate"); 1553 1554 for (section = DNS_SECTION_ANSWER; section <= DNS_SECTION_ADDITIONAL; 1555 section++) 1556 { 1557 result = dns_message_findname(client->message, section, name, 1558 type, 0, &mname, NULL); 1559 if (result == ISC_R_SUCCESS) { 1560 /* 1561 * We've already got this RRset in the response. 1562 */ 1563 CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate: true: " 1564 "done"); 1565 return true; 1566 } else if (result == DNS_R_NXRRSET) { 1567 /* 1568 * The name exists, but the rdataset does not. 1569 */ 1570 if (section == DNS_SECTION_ADDITIONAL) { 1571 break; 1572 } 1573 } else { 1574 RUNTIME_CHECK(result == DNS_R_NXDOMAIN); 1575 } 1576 mname = NULL; 1577 } 1578 1579 SET_IF_NOT_NULL(mnamep, mname); 1580 1581 CTRACE(ISC_LOG_DEBUG(3), "query_isduplicate: false: done"); 1582 return false; 1583 } 1584 1585 /* 1586 * Look up data for given 'name' and 'type' in given 'version' of 'db' for 1587 * 'client'. Called from query_additionalauth(). 1588 * 1589 * If the lookup is successful: 1590 * 1591 * - store the node containing the result at 'nodep', 1592 * 1593 * - store the owner name of the returned node in 'fname', 1594 * 1595 * - if 'type' is not ANY, dns_db_findext() will put the exact rdataset being 1596 * looked for in 'rdataset' and its signatures (if any) in 'sigrdataset', 1597 * 1598 * - if 'type' is ANY, dns_db_findext() will leave 'rdataset' and 1599 * 'sigrdataset' disassociated and the returned node will be iterated in 1600 * query_additional_cb(). 1601 * 1602 * If the lookup is not successful: 1603 * 1604 * - 'nodep' will not be written to, 1605 * - 'fname' may still be modified as it is passed to dns_db_findext(), 1606 * - 'rdataset' and 'sigrdataset' will remain disassociated. 1607 */ 1608 static isc_result_t 1609 query_additionalauthfind(dns_db_t *db, dns_dbversion_t *version, 1610 const dns_name_t *name, dns_rdatatype_t type, 1611 ns_client_t *client, dns_dbnode_t **nodep, 1612 dns_name_t *fname, dns_rdataset_t *rdataset, 1613 dns_rdataset_t *sigrdataset) { 1614 dns_clientinfomethods_t cm; 1615 dns_dbnode_t *node = NULL; 1616 dns_clientinfo_t ci; 1617 isc_result_t result; 1618 1619 dns_clientinfomethods_init(&cm, ns_client_sourceip); 1620 dns_clientinfo_init(&ci, client, NULL); 1621 1622 /* 1623 * Since we are looking for authoritative data, we do not set 1624 * the GLUEOK flag. Glue will be looked for later, but not 1625 * necessarily in the same database. 1626 */ 1627 result = dns_db_findext(db, name, version, type, 1628 client->query.dboptions, client->now, &node, 1629 fname, &cm, &ci, rdataset, sigrdataset); 1630 if (result != ISC_R_SUCCESS) { 1631 if (dns_rdataset_isassociated(rdataset)) { 1632 dns_rdataset_disassociate(rdataset); 1633 } 1634 1635 if (sigrdataset != NULL && 1636 dns_rdataset_isassociated(sigrdataset)) 1637 { 1638 dns_rdataset_disassociate(sigrdataset); 1639 } 1640 1641 if (node != NULL) { 1642 dns_db_detachnode(db, &node); 1643 } 1644 1645 return result; 1646 } 1647 1648 /* 1649 * Do not return signatures if the zone is not fully signed. 1650 */ 1651 if (sigrdataset != NULL && !dns_db_issecure(db) && 1652 dns_rdataset_isassociated(sigrdataset)) 1653 { 1654 dns_rdataset_disassociate(sigrdataset); 1655 } 1656 1657 *nodep = node; 1658 1659 return ISC_R_SUCCESS; 1660 } 1661 1662 /* 1663 * For query context 'qctx', try finding authoritative additional data for 1664 * given 'name' and 'type'. Called from query_additional_cb(). 1665 * 1666 * If successful: 1667 * 1668 * - store pointers to the database and node which contain the result in 1669 * 'dbp' and 'nodep', respectively, 1670 * 1671 * - store the owner name of the returned node in 'fname', 1672 * 1673 * - potentially bind 'rdataset' and 'sigrdataset', as explained in the 1674 * comment for query_additionalauthfind(). 1675 * 1676 * If unsuccessful: 1677 * 1678 * - 'dbp' and 'nodep' will not be written to, 1679 * - 'fname' may still be modified as it is passed to dns_db_findext(), 1680 * - 'rdataset' and 'sigrdataset' will remain disassociated. 1681 */ 1682 static isc_result_t 1683 query_additionalauth(query_ctx_t *qctx, const dns_name_t *name, 1684 dns_rdatatype_t type, dns_db_t **dbp, dns_dbnode_t **nodep, 1685 dns_name_t *fname, dns_rdataset_t *rdataset, 1686 dns_rdataset_t *sigrdataset) { 1687 ns_client_t *client = qctx->client; 1688 ns_dbversion_t *dbversion = NULL; 1689 dns_dbversion_t *version = NULL; 1690 dns_dbnode_t *node = NULL; 1691 dns_zone_t *zone = NULL; 1692 dns_db_t *db = NULL; 1693 isc_result_t result; 1694 1695 /* 1696 * First, look within the same zone database for authoritative 1697 * additional data. 1698 */ 1699 if (!client->query.authdbset || client->query.authdb == NULL) { 1700 return ISC_R_NOTFOUND; 1701 } 1702 1703 dbversion = ns_client_findversion(client, client->query.authdb); 1704 if (dbversion == NULL) { 1705 return ISC_R_NOTFOUND; 1706 } 1707 1708 dns_db_attach(client->query.authdb, &db); 1709 version = dbversion->version; 1710 1711 CTRACE(ISC_LOG_DEBUG(3), "query_additionalauth: same zone"); 1712 1713 result = query_additionalauthfind(db, version, name, type, client, 1714 &node, fname, rdataset, sigrdataset); 1715 if (result != ISC_R_SUCCESS && 1716 qctx->view->minimalresponses == dns_minimal_no && 1717 RECURSIONOK(client)) 1718 { 1719 /* 1720 * If we aren't doing response minimization and recursion is 1721 * allowed, we can try and see if any other zone matches. 1722 */ 1723 version = NULL; 1724 dns_db_detach(&db); 1725 dns_getdb_options_t options = { .nolog = true }; 1726 result = query_getzonedb(client, name, type, options, &zone, 1727 &db, &version); 1728 if (result != ISC_R_SUCCESS) { 1729 return result; 1730 } 1731 dns_zone_detach(&zone); 1732 1733 CTRACE(ISC_LOG_DEBUG(3), "query_additionalauth: other zone"); 1734 1735 result = query_additionalauthfind(db, version, name, type, 1736 client, &node, fname, 1737 rdataset, sigrdataset); 1738 } 1739 1740 if (result != ISC_R_SUCCESS) { 1741 dns_db_detach(&db); 1742 } else { 1743 *nodep = node; 1744 node = NULL; 1745 1746 *dbp = db; 1747 db = NULL; 1748 } 1749 1750 return result; 1751 } 1752 1753 static isc_result_t 1754 query_additional_cb(void *arg, const dns_name_t *name, dns_rdatatype_t qtype, 1755 dns_rdataset_t *found DNS__DB_FLARG) { 1756 query_ctx_t *qctx = arg; 1757 ns_client_t *client = qctx->client; 1758 isc_result_t result, eresult = ISC_R_SUCCESS; 1759 dns_dbnode_t *node = NULL; 1760 dns_db_t *db = NULL; 1761 dns_name_t *fname = NULL, *mname = NULL; 1762 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; 1763 dns_rdataset_t *trdataset = NULL; 1764 isc_buffer_t *dbuf = NULL; 1765 isc_buffer_t b; 1766 ns_dbversion_t *dbversion = NULL; 1767 dns_dbversion_t *version = NULL; 1768 bool added_something = false, need_addname = false; 1769 dns_rdatatype_t type; 1770 dns_clientinfomethods_t cm; 1771 dns_clientinfo_t ci; 1772 dns_rdatasetadditional_t additionaltype = 1773 dns_rdatasetadditional_fromauth; 1774 1775 REQUIRE(NS_CLIENT_VALID(client)); 1776 REQUIRE(qtype != dns_rdatatype_any); 1777 1778 if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype)) { 1779 return ISC_R_SUCCESS; 1780 } 1781 1782 CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb"); 1783 1784 dns_clientinfomethods_init(&cm, ns_client_sourceip); 1785 dns_clientinfo_init(&ci, client, NULL); 1786 1787 /* 1788 * We treat type A additional section processing as if it 1789 * were "any address type" additional section processing. 1790 * To avoid multiple lookups, we do an 'any' database 1791 * lookup and iterate over the node. 1792 */ 1793 if (qtype == dns_rdatatype_a) { 1794 type = dns_rdatatype_any; 1795 } else { 1796 type = qtype; 1797 } 1798 1799 /* 1800 * Get some resources. 1801 */ 1802 dbuf = ns_client_getnamebuf(client); 1803 fname = ns_client_newname(client, dbuf, &b); 1804 rdataset = ns_client_newrdataset(client); 1805 if (WANTDNSSEC(client)) { 1806 sigrdataset = ns_client_newrdataset(client); 1807 } 1808 1809 /* 1810 * If we want only minimal responses and are here, then it must 1811 * be for glue. 1812 */ 1813 if (qctx->view->minimalresponses == dns_minimal_yes && 1814 client->query.qtype != dns_rdatatype_ns) 1815 { 1816 goto try_glue; 1817 } 1818 1819 /* 1820 * First, look for authoritative additional data. 1821 */ 1822 result = query_additionalauth(qctx, name, type, &db, &node, fname, 1823 rdataset, sigrdataset); 1824 if (result == ISC_R_SUCCESS) { 1825 goto found; 1826 } 1827 1828 /* 1829 * No authoritative data was found. The cache is our next best bet. 1830 */ 1831 if (!qctx->view->recursion) { 1832 goto try_glue; 1833 } 1834 1835 additionaltype = dns_rdatasetadditional_fromcache; 1836 dns_getdb_options_t options = { .nolog = true }; 1837 result = query_getcachedb(client, name, qtype, &db, options); 1838 if (result != ISC_R_SUCCESS) { 1839 /* 1840 * Most likely the client isn't allowed to query the cache. 1841 */ 1842 goto try_glue; 1843 } 1844 /* 1845 * Attempt to validate glue. 1846 */ 1847 if (sigrdataset == NULL) { 1848 sigrdataset = ns_client_newrdataset(client); 1849 } 1850 1851 version = NULL; 1852 result = dns_db_findext(db, name, version, type, 1853 client->query.dboptions | DNS_DBFIND_GLUEOK | 1854 DNS_DBFIND_ADDITIONALOK, 1855 client->now, &node, fname, &cm, &ci, rdataset, 1856 sigrdataset); 1857 1858 dns_cache_updatestats(qctx->view->cache, result); 1859 if (!WANTDNSSEC(client)) { 1860 ns_client_putrdataset(client, &sigrdataset); 1861 } 1862 if (result == ISC_R_SUCCESS) { 1863 goto found; 1864 } 1865 1866 if (dns_rdataset_isassociated(rdataset)) { 1867 dns_rdataset_disassociate(rdataset); 1868 } 1869 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { 1870 dns_rdataset_disassociate(sigrdataset); 1871 } 1872 if (node != NULL) { 1873 dns_db_detachnode(db, &node); 1874 } 1875 dns_db_detach(&db); 1876 1877 try_glue: 1878 /* 1879 * No cached data was found. Glue is our last chance. 1880 * RFC1035 sayeth: 1881 * 1882 * NS records cause both the usual additional section 1883 * processing to locate a type A record, and, when used 1884 * in a referral, a special search of the zone in which 1885 * they reside for glue information. 1886 * 1887 * This is the "special search". Note that we must search 1888 * the zone where the NS record resides, not the zone it 1889 * points to, and that we only do the search in the delegation 1890 * case (identified by client->query.gluedb being set). 1891 */ 1892 1893 if (client->query.gluedb == NULL) { 1894 goto cleanup; 1895 } 1896 1897 /* 1898 * Don't poison caches using the bailiwick protection model. 1899 */ 1900 if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb))) { 1901 goto cleanup; 1902 } 1903 1904 dbversion = ns_client_findversion(client, client->query.gluedb); 1905 if (dbversion == NULL) { 1906 goto cleanup; 1907 } 1908 1909 dns_db_attach(client->query.gluedb, &db); 1910 version = dbversion->version; 1911 additionaltype = dns_rdatasetadditional_fromglue; 1912 result = dns_db_findext(db, name, version, type, 1913 client->query.dboptions | DNS_DBFIND_GLUEOK, 1914 client->now, &node, fname, &cm, &ci, rdataset, 1915 sigrdataset); 1916 if (result != ISC_R_SUCCESS && result != DNS_R_ZONECUT && 1917 result != DNS_R_GLUE) 1918 { 1919 goto cleanup; 1920 } 1921 1922 found: 1923 /* 1924 * We have found a potential additional data rdataset, or 1925 * at least a node to iterate over. 1926 */ 1927 ns_client_keepname(client, fname, dbuf); 1928 1929 /* 1930 * Does the caller want the found rdataset? 1931 */ 1932 if (found != NULL && dns_rdataset_isassociated(rdataset)) { 1933 dns_rdataset_clone(rdataset, found); 1934 } 1935 1936 /* 1937 * If we have an rdataset, add it to the additional data 1938 * section. 1939 */ 1940 mname = NULL; 1941 if (dns_rdataset_isassociated(rdataset) && 1942 !query_isduplicate(client, fname, type, &mname)) 1943 { 1944 if (mname != NULL) { 1945 INSIST(mname != fname); 1946 ns_client_releasename(client, &fname); 1947 fname = mname; 1948 } else { 1949 need_addname = true; 1950 } 1951 ISC_LIST_APPEND(fname->list, rdataset, link); 1952 trdataset = rdataset; 1953 rdataset = NULL; 1954 added_something = true; 1955 /* 1956 * Note: we only add SIGs if we've added the type they cover, 1957 * so we do not need to check if the SIG rdataset is already 1958 * in the response. 1959 */ 1960 if (sigrdataset != NULL && 1961 dns_rdataset_isassociated(sigrdataset)) 1962 { 1963 ISC_LIST_APPEND(fname->list, sigrdataset, link); 1964 sigrdataset = NULL; 1965 } 1966 } 1967 1968 if (qtype == dns_rdatatype_a) { 1969 /* 1970 * We now go looking for A and AAAA records, along with 1971 * their signatures. 1972 * 1973 * XXXRTH This code could be more efficient. 1974 */ 1975 if (rdataset != NULL) { 1976 if (dns_rdataset_isassociated(rdataset)) { 1977 dns_rdataset_disassociate(rdataset); 1978 } 1979 } else { 1980 rdataset = ns_client_newrdataset(client); 1981 } 1982 if (sigrdataset != NULL) { 1983 if (dns_rdataset_isassociated(sigrdataset)) { 1984 dns_rdataset_disassociate(sigrdataset); 1985 } 1986 } else if (WANTDNSSEC(client)) { 1987 sigrdataset = ns_client_newrdataset(client); 1988 } 1989 if (query_isduplicate(client, fname, dns_rdatatype_a, NULL)) { 1990 goto aaaa_lookup; 1991 } 1992 result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 1993 0, client->now, rdataset, 1994 sigrdataset); 1995 if (result == DNS_R_NCACHENXDOMAIN) { 1996 goto addname; 1997 } else if (result == DNS_R_NCACHENXRRSET) { 1998 dns_rdataset_disassociate(rdataset); 1999 if (sigrdataset != NULL && 2000 dns_rdataset_isassociated(sigrdataset)) 2001 { 2002 dns_rdataset_disassociate(sigrdataset); 2003 } 2004 } else if (result == ISC_R_SUCCESS) { 2005 bool invalid = false; 2006 mname = NULL; 2007 if (additionaltype == 2008 dns_rdatasetadditional_fromcache && 2009 (DNS_TRUST_PENDING(rdataset->trust) || 2010 DNS_TRUST_GLUE(rdataset->trust))) 2011 { 2012 /* validate() may change rdataset->trust */ 2013 invalid = !validate(client, db, fname, rdataset, 2014 sigrdataset); 2015 } 2016 if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { 2017 dns_rdataset_disassociate(rdataset); 2018 if (sigrdataset != NULL && 2019 dns_rdataset_isassociated(sigrdataset)) 2020 { 2021 dns_rdataset_disassociate(sigrdataset); 2022 } 2023 } else if (!query_isduplicate(client, fname, 2024 dns_rdatatype_a, &mname)) 2025 { 2026 if (mname != fname) { 2027 if (mname != NULL) { 2028 ns_client_releasename(client, 2029 &fname); 2030 fname = mname; 2031 } else { 2032 need_addname = true; 2033 } 2034 } 2035 ISC_LIST_APPEND(fname->list, rdataset, link); 2036 added_something = true; 2037 if (sigrdataset != NULL && 2038 dns_rdataset_isassociated(sigrdataset)) 2039 { 2040 ISC_LIST_APPEND(fname->list, 2041 sigrdataset, link); 2042 sigrdataset = 2043 ns_client_newrdataset(client); 2044 } 2045 rdataset = ns_client_newrdataset(client); 2046 } else { 2047 dns_rdataset_disassociate(rdataset); 2048 if (sigrdataset != NULL && 2049 dns_rdataset_isassociated(sigrdataset)) 2050 { 2051 dns_rdataset_disassociate(sigrdataset); 2052 } 2053 } 2054 } 2055 aaaa_lookup: 2056 if (query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL)) 2057 { 2058 goto addname; 2059 } 2060 result = dns_db_findrdataset(db, node, version, 2061 dns_rdatatype_aaaa, 0, client->now, 2062 rdataset, sigrdataset); 2063 if (result == DNS_R_NCACHENXDOMAIN) { 2064 goto addname; 2065 } else if (result == DNS_R_NCACHENXRRSET) { 2066 dns_rdataset_disassociate(rdataset); 2067 if (sigrdataset != NULL && 2068 dns_rdataset_isassociated(sigrdataset)) 2069 { 2070 dns_rdataset_disassociate(sigrdataset); 2071 } 2072 } else if (result == ISC_R_SUCCESS) { 2073 bool invalid = false; 2074 mname = NULL; 2075 2076 if (additionaltype == 2077 dns_rdatasetadditional_fromcache && 2078 (DNS_TRUST_PENDING(rdataset->trust) || 2079 DNS_TRUST_GLUE(rdataset->trust))) 2080 { 2081 /* validate() may change rdataset->trust */ 2082 invalid = !validate(client, db, fname, rdataset, 2083 sigrdataset); 2084 } 2085 2086 if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { 2087 dns_rdataset_disassociate(rdataset); 2088 if (sigrdataset != NULL && 2089 dns_rdataset_isassociated(sigrdataset)) 2090 { 2091 dns_rdataset_disassociate(sigrdataset); 2092 } 2093 } else if (!query_isduplicate(client, fname, 2094 dns_rdatatype_aaaa, 2095 &mname)) 2096 { 2097 if (mname != fname) { 2098 if (mname != NULL) { 2099 ns_client_releasename(client, 2100 &fname); 2101 fname = mname; 2102 } else { 2103 need_addname = true; 2104 } 2105 } 2106 ISC_LIST_APPEND(fname->list, rdataset, link); 2107 added_something = true; 2108 if (sigrdataset != NULL && 2109 dns_rdataset_isassociated(sigrdataset)) 2110 { 2111 ISC_LIST_APPEND(fname->list, 2112 sigrdataset, link); 2113 sigrdataset = NULL; 2114 } 2115 rdataset = NULL; 2116 } 2117 } 2118 } 2119 2120 addname: 2121 CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb: addname"); 2122 /* 2123 * If we haven't added anything, then we're done. 2124 */ 2125 if (!added_something) { 2126 goto cleanup; 2127 } 2128 2129 /* 2130 * We may have added our rdatasets to an existing name, if so, then 2131 * need_addname will be false. Whether we used an existing name 2132 * or a new one, we must set fname to NULL to prevent cleanup. 2133 */ 2134 if (need_addname) { 2135 dns_message_addname(client->message, fname, 2136 DNS_SECTION_ADDITIONAL); 2137 } 2138 2139 /* 2140 * In some cases, a record that has been added as additional 2141 * data may *also* trigger the addition of additional data. 2142 * This cannot go more than 'max-restarts' levels deep. 2143 */ 2144 if (trdataset != NULL && dns_rdatatype_followadditional(type)) { 2145 if (client->additionaldepth++ < client->view->max_restarts) { 2146 eresult = dns_rdataset_additionaldata( 2147 trdataset, fname, query_additional_cb, qctx); 2148 } 2149 client->additionaldepth--; 2150 } 2151 2152 /* 2153 * Don't release fname. 2154 */ 2155 fname = NULL; 2156 2157 cleanup: 2158 CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb: cleanup"); 2159 ns_client_putrdataset(client, &rdataset); 2160 if (sigrdataset != NULL) { 2161 ns_client_putrdataset(client, &sigrdataset); 2162 } 2163 if (fname != NULL) { 2164 ns_client_releasename(client, &fname); 2165 } 2166 if (node != NULL) { 2167 dns_db_detachnode(db, &node); 2168 } 2169 if (db != NULL) { 2170 dns_db_detach(&db); 2171 } 2172 2173 CTRACE(ISC_LOG_DEBUG(3), "query_additional_cb: done"); 2174 return eresult; 2175 } 2176 2177 /* 2178 * Add 'rdataset' to 'name'. 2179 */ 2180 static void 2181 query_addtoname(dns_name_t *name, dns_rdataset_t *rdataset) { 2182 ISC_LIST_APPEND(name->list, rdataset, link); 2183 } 2184 2185 /* 2186 * Set the ordering for 'rdataset'. 2187 */ 2188 static void 2189 query_setorder(query_ctx_t *qctx, dns_name_t *name, dns_rdataset_t *rdataset) { 2190 ns_client_t *client = qctx->client; 2191 dns_order_t *order = client->view->order; 2192 2193 CTRACE(ISC_LOG_DEBUG(3), "query_setorder"); 2194 2195 UNUSED(client); 2196 2197 if (order != NULL) { 2198 rdataset->attributes |= dns_order_find( 2199 order, name, rdataset->type, rdataset->rdclass); 2200 } 2201 rdataset->attributes |= DNS_RDATASETATTR_LOADORDER; 2202 } 2203 2204 /* 2205 * Handle glue and fetch any other needed additional data for 'rdataset'. 2206 */ 2207 static void 2208 query_additional(query_ctx_t *qctx, dns_name_t *name, 2209 dns_rdataset_t *rdataset) { 2210 ns_client_t *client = qctx->client; 2211 isc_result_t result; 2212 2213 CTRACE(ISC_LOG_DEBUG(3), "query_additional"); 2214 2215 if (NOADDITIONAL(client)) { 2216 return; 2217 } 2218 2219 /* 2220 * Try to process glue directly. 2221 */ 2222 if (rdataset->type == dns_rdatatype_ns && 2223 client->query.gluedb != NULL && dns_db_iszone(client->query.gluedb)) 2224 { 2225 ns_dbversion_t *dbversion = NULL; 2226 2227 dbversion = ns_client_findversion(client, client->query.gluedb); 2228 if (dbversion == NULL) { 2229 goto regular; 2230 } 2231 2232 result = dns_db_addglue(qctx->db, dbversion->version, rdataset, 2233 client->message); 2234 if (result == ISC_R_SUCCESS) { 2235 return; 2236 } 2237 } 2238 2239 regular: 2240 /* 2241 * Add other additional data if needed. 2242 * We don't care if dns_rdataset_additionaldata() fails. 2243 */ 2244 (void)dns_rdataset_additionaldata(rdataset, name, query_additional_cb, 2245 qctx); 2246 CTRACE(ISC_LOG_DEBUG(3), "query_additional: done"); 2247 } 2248 2249 static void 2250 query_addrrset(query_ctx_t *qctx, dns_name_t **namep, 2251 dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp, 2252 isc_buffer_t *dbuf, dns_section_t section) { 2253 isc_result_t result; 2254 ns_client_t *client = qctx->client; 2255 dns_name_t *name = *namep, *mname = NULL; 2256 dns_rdataset_t *rdataset = *rdatasetp, *mrdataset = NULL; 2257 dns_rdataset_t *sigrdataset = NULL; 2258 2259 CTRACE(ISC_LOG_DEBUG(3), "query_addrrset"); 2260 2261 REQUIRE(name != NULL); 2262 2263 if (sigrdatasetp != NULL) { 2264 sigrdataset = *sigrdatasetp; 2265 } 2266 2267 /*% 2268 * To the current response for 'client', add the answer RRset 2269 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with 2270 * owner name '*namep', to section 'section', unless they are 2271 * already there. Also add any pertinent additional data. 2272 * 2273 * If 'dbuf' is not NULL, then '*namep' is the name whose data is 2274 * stored in 'dbuf'. In this case, query_addrrset() guarantees that 2275 * when it returns the name will either have been kept or released. 2276 */ 2277 result = dns_message_findname(client->message, section, name, 2278 rdataset->type, rdataset->covers, &mname, 2279 &mrdataset); 2280 if (result == ISC_R_SUCCESS) { 2281 /* 2282 * We've already got an RRset of the given name and type. 2283 */ 2284 CTRACE(ISC_LOG_DEBUG(3), "query_addrrset: dns_message_findname " 2285 "succeeded: done"); 2286 if (dbuf != NULL) { 2287 ns_client_releasename(client, namep); 2288 } 2289 if ((rdataset->attributes & DNS_RDATASETATTR_REQUIRED) != 0) { 2290 mrdataset->attributes |= DNS_RDATASETATTR_REQUIRED; 2291 } 2292 if ((rdataset->attributes & DNS_RDATASETATTR_STALE_ADDED) != 0) 2293 { 2294 mrdataset->attributes |= DNS_RDATASETATTR_STALE_ADDED; 2295 } 2296 return; 2297 } else if (result == DNS_R_NXDOMAIN) { 2298 /* 2299 * The name doesn't exist. 2300 */ 2301 if (dbuf != NULL) { 2302 ns_client_keepname(client, name, dbuf); 2303 } 2304 dns_message_addname(client->message, name, section); 2305 *namep = NULL; 2306 mname = name; 2307 } else { 2308 RUNTIME_CHECK(result == DNS_R_NXRRSET); 2309 if (dbuf != NULL) { 2310 ns_client_releasename(client, namep); 2311 } 2312 } 2313 2314 if (rdataset->trust != dns_trust_secure && 2315 (section == DNS_SECTION_ANSWER || section == DNS_SECTION_AUTHORITY)) 2316 { 2317 client->query.attributes &= ~NS_QUERYATTR_SECURE; 2318 } 2319 2320 /* 2321 * Update message name, set rdataset order, and do additional 2322 * section processing if needed. 2323 */ 2324 query_addtoname(mname, rdataset); 2325 query_setorder(qctx, mname, rdataset); 2326 query_additional(qctx, mname, rdataset); 2327 2328 /* 2329 * Note: we only add SIGs if we've added the type they cover, so 2330 * we do not need to check if the SIG rdataset is already in the 2331 * response. 2332 */ 2333 *rdatasetp = NULL; 2334 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) { 2335 /* 2336 * We have a signature. Add it to the response. 2337 */ 2338 ISC_LIST_APPEND(mname->list, sigrdataset, link); 2339 *sigrdatasetp = NULL; 2340 } 2341 2342 CTRACE(ISC_LOG_DEBUG(3), "query_addrrset: done"); 2343 } 2344 2345 /* 2346 * Mark the RRsets as secure. Update the cache (db) to reflect the 2347 * change in trust level. 2348 */ 2349 static void 2350 mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name, 2351 dns_rdata_rrsig_t *rrsig, dns_rdataset_t *rdataset, 2352 dns_rdataset_t *sigrdataset) { 2353 isc_result_t result; 2354 dns_dbnode_t *node = NULL; 2355 dns_clientinfomethods_t cm; 2356 dns_clientinfo_t ci; 2357 isc_stdtime_t now; 2358 2359 rdataset->trust = dns_trust_secure; 2360 sigrdataset->trust = dns_trust_secure; 2361 dns_clientinfomethods_init(&cm, ns_client_sourceip); 2362 dns_clientinfo_init(&ci, client, NULL); 2363 2364 /* 2365 * Save the updated secure state. Ignore failures. 2366 */ 2367 result = dns_db_findnodeext(db, name, true, &cm, &ci, &node); 2368 if (result != ISC_R_SUCCESS) { 2369 return; 2370 } 2371 2372 now = isc_stdtime_now(); 2373 dns_rdataset_trimttl(rdataset, sigrdataset, rrsig, now, 2374 client->view->acceptexpired); 2375 2376 (void)dns_db_addrdataset(db, node, NULL, client->now, rdataset, 0, 2377 NULL); 2378 (void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset, 0, 2379 NULL); 2380 dns_db_detachnode(db, &node); 2381 } 2382 2383 /* 2384 * Find the secure key that corresponds to rrsig. 2385 * Note: 'keyrdataset' maintains state between successive calls, 2386 * there may be multiple keys with the same keyid. 2387 * Return false if we have exhausted all the possible keys. 2388 */ 2389 static bool 2390 get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig, 2391 dns_rdataset_t *keyrdataset, dst_key_t **keyp) { 2392 isc_result_t result; 2393 dns_dbnode_t *node = NULL; 2394 bool secure = false; 2395 dns_clientinfomethods_t cm; 2396 dns_clientinfo_t ci; 2397 2398 dns_clientinfomethods_init(&cm, ns_client_sourceip); 2399 dns_clientinfo_init(&ci, client, NULL); 2400 2401 if (!dns_rdataset_isassociated(keyrdataset)) { 2402 result = dns_db_findnodeext(db, &rrsig->signer, false, &cm, &ci, 2403 &node); 2404 if (result != ISC_R_SUCCESS) { 2405 return false; 2406 } 2407 2408 result = dns_db_findrdataset(db, node, NULL, 2409 dns_rdatatype_dnskey, 0, 2410 client->now, keyrdataset, NULL); 2411 dns_db_detachnode(db, &node); 2412 if (result != ISC_R_SUCCESS) { 2413 return false; 2414 } 2415 2416 if (keyrdataset->trust != dns_trust_secure) { 2417 return false; 2418 } 2419 2420 result = dns_rdataset_first(keyrdataset); 2421 } else { 2422 result = dns_rdataset_next(keyrdataset); 2423 } 2424 2425 for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(keyrdataset)) 2426 { 2427 dns_rdata_t rdata = DNS_RDATA_INIT; 2428 isc_buffer_t b; 2429 2430 dns_rdataset_current(keyrdataset, &rdata); 2431 isc_buffer_init(&b, rdata.data, rdata.length); 2432 isc_buffer_add(&b, rdata.length); 2433 result = dst_key_fromdns(&rrsig->signer, rdata.rdclass, &b, 2434 client->manager->mctx, keyp); 2435 if (result != ISC_R_SUCCESS) { 2436 continue; 2437 } 2438 if (rrsig->algorithm == (dns_secalg_t)dst_key_alg(*keyp) && 2439 rrsig->keyid == (dns_keytag_t)dst_key_id(*keyp) && 2440 dst_key_iszonekey(*keyp)) 2441 { 2442 secure = true; 2443 break; 2444 } 2445 dst_key_free(keyp); 2446 } 2447 return secure; 2448 } 2449 2450 static bool 2451 verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset, 2452 dns_rdata_t *rdata, ns_client_t *client) { 2453 isc_result_t result; 2454 dns_fixedname_t fixed; 2455 bool ignore = false; 2456 2457 dns_fixedname_init(&fixed); 2458 2459 again: 2460 result = dns_dnssec_verify(name, rdataset, key, ignore, 2461 client->view->maxbits, client->manager->mctx, 2462 rdata, NULL); 2463 if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) { 2464 ignore = true; 2465 goto again; 2466 } 2467 if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD) { 2468 return true; 2469 } 2470 return false; 2471 } 2472 2473 /* 2474 * Validate the rdataset if possible with available records. 2475 */ 2476 static bool 2477 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name, 2478 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { 2479 isc_result_t result; 2480 dns_rdata_t rdata = DNS_RDATA_INIT; 2481 dns_rdata_rrsig_t rrsig; 2482 dst_key_t *key = NULL; 2483 dns_rdataset_t keyrdataset; 2484 2485 if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset)) { 2486 return false; 2487 } 2488 2489 for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS; 2490 result = dns_rdataset_next(sigrdataset)) 2491 { 2492 dns_rdata_reset(&rdata); 2493 dns_rdataset_current(sigrdataset, &rdata); 2494 result = dns_rdata_tostruct(&rdata, &rrsig, NULL); 2495 RUNTIME_CHECK(result == ISC_R_SUCCESS); 2496 if (!dns_resolver_algorithm_supported(client->view->resolver, 2497 name, rrsig.algorithm)) 2498 { 2499 continue; 2500 } 2501 if (!dns_name_issubdomain(name, &rrsig.signer)) { 2502 continue; 2503 } 2504 dns_rdataset_init(&keyrdataset); 2505 do { 2506 if (!get_key(client, db, &rrsig, &keyrdataset, &key)) { 2507 break; 2508 } 2509 if (verify(key, name, rdataset, &rdata, client)) { 2510 dst_key_free(&key); 2511 dns_rdataset_disassociate(&keyrdataset); 2512 mark_secure(client, db, name, &rrsig, rdataset, 2513 sigrdataset); 2514 return true; 2515 } 2516 dst_key_free(&key); 2517 } while (1); 2518 if (dns_rdataset_isassociated(&keyrdataset)) { 2519 dns_rdataset_disassociate(&keyrdataset); 2520 } 2521 } 2522 return false; 2523 } 2524 2525 static void 2526 fixrdataset(ns_client_t *client, dns_rdataset_t **rdataset) { 2527 if (*rdataset == NULL) { 2528 *rdataset = ns_client_newrdataset(client); 2529 } else if (dns_rdataset_isassociated(*rdataset)) { 2530 dns_rdataset_disassociate(*rdataset); 2531 } 2532 } 2533 2534 static void 2535 fixfname(ns_client_t *client, dns_name_t **fname, isc_buffer_t **dbuf, 2536 isc_buffer_t *nbuf) { 2537 if (*fname == NULL) { 2538 *dbuf = ns_client_getnamebuf(client); 2539 *fname = ns_client_newname(client, *dbuf, nbuf); 2540 } 2541 } 2542 2543 static void 2544 free_fresp(ns_client_t *client, dns_fetchresponse_t **frespp) { 2545 dns_fetchresponse_t *fresp = *frespp; 2546 2547 CTRACE(ISC_LOG_DEBUG(3), "free_fresp"); 2548 2549 if (fresp->fetch != NULL) { 2550 dns_resolver_destroyfetch(&fresp->fetch); 2551 } 2552 if (fresp->node != NULL) { 2553 dns_db_detachnode(fresp->db, &fresp->node); 2554 } 2555 if (fresp->db != NULL) { 2556 dns_db_detach(&fresp->db); 2557 } 2558 if (fresp->rdataset != NULL) { 2559 ns_client_putrdataset(client, &fresp->rdataset); 2560 } 2561 if (fresp->sigrdataset != NULL) { 2562 ns_client_putrdataset(client, &fresp->sigrdataset); 2563 } 2564 2565 *frespp = NULL; 2566 isc_mem_putanddetach(&fresp->mctx, fresp, sizeof(*fresp)); 2567 } 2568 2569 static isc_result_t 2570 recursionquotatype_attach(ns_client_t *client, bool soft_limit) { 2571 isc_statscounter_t recurscount; 2572 isc_result_t result; 2573 2574 result = isc_quota_acquire(&client->manager->sctx->recursionquota); 2575 switch (result) { 2576 case ISC_R_SUCCESS: 2577 break; 2578 case ISC_R_SOFTQUOTA: 2579 if (soft_limit) { 2580 /* 2581 * Exceeding soft quota was allowed, so continue as if 2582 * 'result' was ISC_R_SUCCESS while retaining the 2583 * original result code. 2584 */ 2585 break; 2586 } 2587 2588 isc_quota_release(&client->manager->sctx->recursionquota); 2589 FALLTHROUGH; 2590 default: 2591 return result; 2592 } 2593 2594 recurscount = ns_stats_increment(client->manager->sctx->nsstats, 2595 ns_statscounter_recursclients); 2596 2597 ns_stats_update_if_greater(client->manager->sctx->nsstats, 2598 ns_statscounter_recurshighwater, 2599 recurscount + 1); 2600 2601 return result; 2602 } 2603 2604 static isc_result_t 2605 recursionquotatype_attach_hard(ns_client_t *client) { 2606 return recursionquotatype_attach(client, false); 2607 } 2608 2609 static isc_result_t 2610 recursionquotatype_attach_soft(ns_client_t *client) { 2611 return recursionquotatype_attach(client, true); 2612 } 2613 2614 static void 2615 recursionquotatype_detach(ns_client_t *client) { 2616 isc_quota_release(&client->manager->sctx->recursionquota); 2617 ns_stats_decrement(client->manager->sctx->nsstats, 2618 ns_statscounter_recursclients); 2619 } 2620 2621 static void 2622 stale_refresh_aftermath(ns_client_t *client, isc_result_t result) { 2623 dns_db_t *db = NULL; 2624 unsigned int dboptions; 2625 isc_buffer_t buffer; 2626 query_ctx_t qctx; 2627 dns_clientinfomethods_t cm; 2628 dns_clientinfo_t ci; 2629 char namebuf[DNS_NAME_FORMATSIZE]; 2630 char typebuf[DNS_RDATATYPE_FORMATSIZE]; 2631 2632 /* 2633 * If refreshing a stale RRset failed, we need to set the 2634 * stale-refresh-time window, so that on future requests for this 2635 * RRset the stale entry may be used immediately. 2636 */ 2637 switch (result) { 2638 case ISC_R_SUCCESS: 2639 case DNS_R_GLUE: 2640 case DNS_R_ZONECUT: 2641 case ISC_R_NOTFOUND: 2642 case DNS_R_DELEGATION: 2643 case DNS_R_EMPTYNAME: 2644 case DNS_R_NXRRSET: 2645 case DNS_R_EMPTYWILD: 2646 case DNS_R_NXDOMAIN: 2647 case DNS_R_COVERINGNSEC: 2648 case DNS_R_NCACHENXDOMAIN: 2649 case DNS_R_NCACHENXRRSET: 2650 case DNS_R_CNAME: 2651 case DNS_R_DNAME: 2652 break; 2653 default: 2654 dns_name_format(client->query.qname, namebuf, sizeof(namebuf)); 2655 dns_rdatatype_format(client->query.qtype, typebuf, 2656 sizeof(typebuf)); 2657 ns_client_log(client, NS_LOGCATEGORY_SERVE_STALE, 2658 NS_LOGMODULE_QUERY, ISC_LOG_NOTICE, 2659 "%s/%s stale refresh failed: timed out", namebuf, 2660 typebuf); 2661 2662 /* 2663 * Set up a short lived query context, solely to set the 2664 * last refresh failure time on the RRset in the cache 2665 * database, starting the stale-refresh-time window for it. 2666 * This is a condensed form of query_lookup(). 2667 */ 2668 client->now = isc_stdtime_now(); 2669 client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK; 2670 qctx_init(client, NULL, 0, &qctx); 2671 2672 dns_clientinfomethods_init(&cm, ns_client_sourceip); 2673 dns_clientinfo_init(&ci, qctx.client, NULL); 2674 if (HAVEECS(qctx.client)) { 2675 dns_clientinfo_setecs(&ci, &qctx.client->ecs); 2676 } 2677 2678 result = qctx_prepare_buffers(&qctx, &buffer); 2679 if (result != ISC_R_SUCCESS) { 2680 goto cleanup; 2681 } 2682 2683 dboptions = qctx.client->query.dboptions; 2684 dboptions |= DNS_DBFIND_STALEOK; 2685 dboptions |= DNS_DBFIND_STALESTART; 2686 2687 dns_db_attach(qctx.client->view->cachedb, &db); 2688 (void)dns_db_findext(db, qctx.client->query.qname, NULL, 2689 qctx.client->query.qtype, dboptions, 2690 qctx.client->now, &qctx.node, qctx.fname, 2691 &cm, &ci, qctx.rdataset, qctx.sigrdataset); 2692 if (qctx.node != NULL) { 2693 dns_db_detachnode(db, &qctx.node); 2694 } 2695 dns_db_detach(&db); 2696 2697 cleanup: 2698 qctx_freedata(&qctx); 2699 qctx_destroy(&qctx); 2700 } 2701 } 2702 2703 static void 2704 cleanup_after_fetch(dns_fetchresponse_t *resp, const char *ctracestr, 2705 ns_query_rectype_t recursion_type) { 2706 ns_client_t *client = resp->arg; 2707 isc_nmhandle_t **handlep = NULL; 2708 dns_fetch_t **fetchp = NULL; 2709 isc_result_t result; 2710 2711 REQUIRE(NS_CLIENT_VALID(client)); 2712 2713 CTRACE(ISC_LOG_DEBUG(3), ctracestr); 2714 2715 handlep = &client->query.recursions[recursion_type].handle; 2716 fetchp = &client->query.recursions[recursion_type].fetch; 2717 result = resp->result; 2718 2719 LOCK(&client->query.fetchlock); 2720 if (*fetchp != NULL) { 2721 INSIST(resp->fetch == *fetchp); 2722 *fetchp = NULL; 2723 } 2724 UNLOCK(&client->query.fetchlock); 2725 2726 /* Some type of recursions require a bit of aftermath. */ 2727 if (recursion_type == RECTYPE_STALE_REFRESH) { 2728 stale_refresh_aftermath(client, result); 2729 } 2730 2731 recursionquotatype_detach(client); 2732 free_fresp(client, &resp); 2733 isc_nmhandle_detach(handlep); 2734 } 2735 2736 static void 2737 prefetch_done(void *arg) { 2738 cleanup_after_fetch(arg, "prefetch_done", RECTYPE_PREFETCH); 2739 } 2740 2741 static void 2742 rpzfetch_done(void *arg) { 2743 cleanup_after_fetch(arg, "rpzfetch_done", RECTYPE_RPZ); 2744 } 2745 2746 static void 2747 stale_refresh_done(void *arg) { 2748 cleanup_after_fetch(arg, "stale_refresh_done", RECTYPE_STALE_REFRESH); 2749 } 2750 2751 /* 2752 * Try initiating a fetch for the given 'qname' and 'qtype' (using the slot in 2753 * the 'recursions' array indicated by 'recursion_type') that will be 2754 * associated with 'client'. If the recursive clients quota (or even soft 2755 * quota) is reached or some other error occurs, just return without starting 2756 * the fetch. If a fetch is successfully created, its results will be cached 2757 * upon successful completion, but no further actions will be taken afterwards. 2758 */ 2759 static void 2760 fetch_and_forget(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t qtype, 2761 ns_query_rectype_t recursion_type) { 2762 dns_rdataset_t *tmprdataset; 2763 isc_sockaddr_t *peeraddr; 2764 unsigned int options; 2765 isc_job_cb cb; 2766 isc_nmhandle_t **handlep; 2767 dns_fetch_t **fetchp; 2768 isc_result_t result; 2769 2770 result = recursionquotatype_attach_hard(client); 2771 if (result != ISC_R_SUCCESS) { 2772 return; 2773 } 2774 2775 tmprdataset = ns_client_newrdataset(client); 2776 2777 if (!TCP(client)) { 2778 peeraddr = &client->peeraddr; 2779 } else { 2780 peeraddr = NULL; 2781 } 2782 2783 switch (recursion_type) { 2784 case RECTYPE_PREFETCH: 2785 options = client->query.fetchoptions | DNS_FETCHOPT_PREFETCH; 2786 cb = prefetch_done; 2787 break; 2788 case RECTYPE_RPZ: 2789 options = client->query.fetchoptions; 2790 cb = rpzfetch_done; 2791 break; 2792 case RECTYPE_STALE_REFRESH: 2793 options = client->query.fetchoptions; 2794 cb = stale_refresh_done; 2795 break; 2796 default: 2797 UNREACHABLE(); 2798 } 2799 2800 handlep = &client->query.recursions[recursion_type].handle; 2801 fetchp = &client->query.recursions[recursion_type].fetch; 2802 2803 isc_nmhandle_attach(client->handle, handlep); 2804 result = dns_resolver_createfetch( 2805 client->view->resolver, qname, qtype, NULL, NULL, NULL, 2806 peeraddr, client->message->id, options, 0, NULL, 2807 client->manager->loop, cb, client, tmprdataset, NULL, fetchp); 2808 if (result != ISC_R_SUCCESS) { 2809 ns_client_putrdataset(client, &tmprdataset); 2810 isc_nmhandle_detach(handlep); 2811 recursionquotatype_detach(client); 2812 } 2813 } 2814 2815 static void 2816 query_prefetch(ns_client_t *client, dns_name_t *qname, 2817 dns_rdataset_t *rdataset) { 2818 CTRACE(ISC_LOG_DEBUG(3), "query_prefetch"); 2819 2820 if (FETCH_RECTYPE_PREFETCH(client) != NULL || 2821 client->view->prefetch_trigger == 0U || 2822 rdataset->ttl > client->view->prefetch_trigger || 2823 (rdataset->attributes & DNS_RDATASETATTR_PREFETCH) == 0) 2824 { 2825 return; 2826 } 2827 2828 fetch_and_forget(client, qname, rdataset->type, RECTYPE_PREFETCH); 2829 2830 dns_rdataset_clearprefetch(rdataset); 2831 ns_stats_increment(client->manager->sctx->nsstats, 2832 ns_statscounter_prefetch); 2833 } 2834 2835 static void 2836 query_stale_refresh(ns_client_t *client) { 2837 dns_name_t *qname; 2838 2839 CTRACE(ISC_LOG_DEBUG(3), "query_stale_refresh"); 2840 2841 if (FETCH_RECTYPE_STALE_REFRESH(client) != NULL) { 2842 return; 2843 } 2844 2845 client->query.dboptions &= ~(DNS_DBFIND_STALETIMEOUT | 2846 DNS_DBFIND_STALEOK | 2847 DNS_DBFIND_STALEENABLED); 2848 2849 if (client->query.origqname != NULL) { 2850 qname = client->query.origqname; 2851 } else { 2852 qname = client->query.qname; 2853 } 2854 2855 fetch_and_forget(client, qname, client->query.qtype, 2856 RECTYPE_STALE_REFRESH); 2857 } 2858 2859 static void 2860 rpz_clean(dns_zone_t **zonep, dns_db_t **dbp, dns_dbnode_t **nodep, 2861 dns_rdataset_t **rdatasetp) { 2862 if (nodep != NULL && *nodep != NULL) { 2863 REQUIRE(dbp != NULL && *dbp != NULL); 2864 dns_db_detachnode(*dbp, nodep); 2865 } 2866 if (dbp != NULL && *dbp != NULL) { 2867 dns_db_detach(dbp); 2868 } 2869 if (zonep != NULL && *zonep != NULL) { 2870 dns_zone_detach(zonep); 2871 } 2872 if (rdatasetp != NULL && *rdatasetp != NULL && 2873 dns_rdataset_isassociated(*rdatasetp)) 2874 { 2875 dns_rdataset_disassociate(*rdatasetp); 2876 } 2877 } 2878 2879 static void 2880 rpz_match_clear(dns_rpz_st_t *st) { 2881 rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset); 2882 st->m.version = NULL; 2883 } 2884 2885 static isc_result_t 2886 rpz_ready(ns_client_t *client, dns_rdataset_t **rdatasetp) { 2887 REQUIRE(rdatasetp != NULL); 2888 2889 CTRACE(ISC_LOG_DEBUG(3), "rpz_ready"); 2890 2891 if (*rdatasetp == NULL) { 2892 *rdatasetp = ns_client_newrdataset(client); 2893 } else if (dns_rdataset_isassociated(*rdatasetp)) { 2894 dns_rdataset_disassociate(*rdatasetp); 2895 } 2896 return ISC_R_SUCCESS; 2897 } 2898 2899 static void 2900 rpz_st_clear(ns_client_t *client) { 2901 dns_rpz_st_t *st = client->query.rpz_st; 2902 2903 CTRACE(ISC_LOG_DEBUG(3), "rpz_st_clear"); 2904 2905 if (st->m.rdataset != NULL) { 2906 ns_client_putrdataset(client, &st->m.rdataset); 2907 } 2908 rpz_match_clear(st); 2909 2910 rpz_clean(NULL, &st->r.db, NULL, NULL); 2911 if (st->r.ns_rdataset != NULL) { 2912 ns_client_putrdataset(client, &st->r.ns_rdataset); 2913 } 2914 if (st->r.r_rdataset != NULL) { 2915 ns_client_putrdataset(client, &st->r.r_rdataset); 2916 } 2917 2918 rpz_clean(&st->q.zone, &st->q.db, &st->q.node, NULL); 2919 if (st->q.rdataset != NULL) { 2920 ns_client_putrdataset(client, &st->q.rdataset); 2921 } 2922 if (st->q.sigrdataset != NULL) { 2923 ns_client_putrdataset(client, &st->q.sigrdataset); 2924 } 2925 st->state = 0; 2926 st->m.type = DNS_RPZ_TYPE_BAD; 2927 st->m.policy = DNS_RPZ_POLICY_MISS; 2928 if (st->rpsdb != NULL) { 2929 dns_db_detach(&st->rpsdb); 2930 } 2931 } 2932 2933 static dns_rpz_zbits_t 2934 rpz_get_zbits(ns_client_t *client, dns_rdatatype_t ip_type, 2935 dns_rpz_type_t rpz_type) { 2936 dns_rpz_st_t *st; 2937 dns_rpz_zbits_t zbits = 0; 2938 2939 REQUIRE(client != NULL); 2940 REQUIRE(client->query.rpz_st != NULL); 2941 2942 st = client->query.rpz_st; 2943 2944 #ifdef USE_DNSRPS 2945 if (st->popt.dnsrps_enabled) { 2946 if (st->rpsdb == NULL || 2947 librpz->have_trig(dns_dnsrps_type2trig(rpz_type), 2948 ip_type == dns_rdatatype_aaaa, 2949 ((dns_rpsdb_t *)st->rpsdb)->rsp)) 2950 { 2951 return DNS_RPZ_ALL_ZBITS; 2952 } 2953 return 0; 2954 } 2955 #endif /* ifdef USE_DNSRPS */ 2956 2957 switch (rpz_type) { 2958 case DNS_RPZ_TYPE_CLIENT_IP: 2959 zbits = st->have.client_ip; 2960 break; 2961 case DNS_RPZ_TYPE_QNAME: 2962 zbits = st->have.qname; 2963 break; 2964 case DNS_RPZ_TYPE_IP: 2965 if (ip_type == dns_rdatatype_a) { 2966 zbits = st->have.ipv4; 2967 } else if (ip_type == dns_rdatatype_aaaa) { 2968 zbits = st->have.ipv6; 2969 } else { 2970 zbits = st->have.ip; 2971 } 2972 break; 2973 case DNS_RPZ_TYPE_NSDNAME: 2974 zbits = st->have.nsdname; 2975 break; 2976 case DNS_RPZ_TYPE_NSIP: 2977 if (ip_type == dns_rdatatype_a) { 2978 zbits = st->have.nsipv4; 2979 } else if (ip_type == dns_rdatatype_aaaa) { 2980 zbits = st->have.nsipv6; 2981 } else { 2982 zbits = st->have.nsip; 2983 } 2984 break; 2985 default: 2986 UNREACHABLE(); 2987 } 2988 2989 /* 2990 * Choose 2991 * the earliest configured policy zone (rpz->num) 2992 * QNAME over IP over NSDNAME over NSIP (rpz_type) 2993 * the smallest name, 2994 * the longest IP address prefix, 2995 * the lexically smallest address. 2996 */ 2997 if (st->m.policy != DNS_RPZ_POLICY_MISS) { 2998 if (st->m.type >= rpz_type) { 2999 zbits &= DNS_RPZ_ZMASK(st->m.rpz->num); 3000 } else { 3001 zbits &= DNS_RPZ_ZMASK(st->m.rpz->num) >> 1; 3002 } 3003 } 3004 3005 /* 3006 * If the client wants recursion, allow only compatible policies. 3007 */ 3008 if (!RECURSIONOK(client)) { 3009 zbits &= st->popt.no_rd_ok; 3010 } 3011 3012 return zbits; 3013 } 3014 3015 static void 3016 query_rpzfetch(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t type) { 3017 CTRACE(ISC_LOG_DEBUG(3), "query_rpzfetch"); 3018 3019 if (FETCH_RECTYPE_RPZ(client) != NULL) { 3020 return; 3021 } 3022 3023 fetch_and_forget(client, qname, type, RECTYPE_RPZ); 3024 } 3025 3026 /* 3027 * Get an NS, A, or AAAA rrset related to the response for the client 3028 * to check the contents of that rrset for hits by eligible policy zones. 3029 */ 3030 static isc_result_t 3031 rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, 3032 unsigned int options, dns_rpz_type_t rpz_type, dns_db_t **dbp, 3033 dns_dbversion_t *version, dns_rdataset_t **rdatasetp, 3034 bool resuming) { 3035 dns_rpz_st_t *st; 3036 bool is_zone; 3037 dns_dbnode_t *node; 3038 dns_fixedname_t fixed; 3039 dns_name_t *found; 3040 isc_result_t result; 3041 dns_clientinfomethods_t cm; 3042 dns_clientinfo_t ci; 3043 3044 CTRACE(ISC_LOG_DEBUG(3), "rpz_rrset_find"); 3045 3046 st = client->query.rpz_st; 3047 if ((st->state & DNS_RPZ_RECURSING) != 0) { 3048 INSIST(st->r.r_type == type); 3049 INSIST(dns_name_equal(name, st->r_name)); 3050 INSIST(*rdatasetp == NULL || 3051 !dns_rdataset_isassociated(*rdatasetp)); 3052 st->state &= ~DNS_RPZ_RECURSING; 3053 RESTORE(*dbp, st->r.db); 3054 if (*rdatasetp != NULL) { 3055 ns_client_putrdataset(client, rdatasetp); 3056 } 3057 RESTORE(*rdatasetp, st->r.r_rdataset); 3058 result = st->r.r_result; 3059 if (result == DNS_R_DELEGATION) { 3060 CTRACE(ISC_LOG_ERROR, "RPZ recursing"); 3061 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, 3062 rpz_type, "rpz_rrset_find(1)", result); 3063 st->m.policy = DNS_RPZ_POLICY_ERROR; 3064 result = DNS_R_SERVFAIL; 3065 } 3066 return result; 3067 } 3068 3069 result = rpz_ready(client, rdatasetp); 3070 if (result != ISC_R_SUCCESS) { 3071 st->m.policy = DNS_RPZ_POLICY_ERROR; 3072 return result; 3073 } 3074 if (*dbp != NULL) { 3075 is_zone = false; 3076 } else { 3077 dns_zone_t *zone; 3078 3079 version = NULL; 3080 zone = NULL; 3081 result = query_getdb(client, name, type, 3082 (dns_getdb_options_t){ 0 }, &zone, dbp, 3083 &version, &is_zone); 3084 if (result != ISC_R_SUCCESS) { 3085 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, 3086 rpz_type, "rpz_rrset_find(2)", result); 3087 st->m.policy = DNS_RPZ_POLICY_ERROR; 3088 if (zone != NULL) { 3089 dns_zone_detach(&zone); 3090 } 3091 return result; 3092 } 3093 if (zone != NULL) { 3094 dns_zone_detach(&zone); 3095 } 3096 } 3097 3098 node = NULL; 3099 found = dns_fixedname_initname(&fixed); 3100 dns_clientinfomethods_init(&cm, ns_client_sourceip); 3101 dns_clientinfo_init(&ci, client, NULL); 3102 result = dns_db_findext(*dbp, name, version, type, options, client->now, 3103 &node, found, &cm, &ci, *rdatasetp, NULL); 3104 if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) { 3105 /* 3106 * Try the cache if we're authoritative for an 3107 * ancestor but not the domain itself. 3108 */ 3109 rpz_clean(NULL, dbp, &node, rdatasetp); 3110 version = NULL; 3111 dns_db_attach(client->view->cachedb, dbp); 3112 result = dns_db_findext(*dbp, name, version, type, 0, 3113 client->now, &node, found, &cm, &ci, 3114 *rdatasetp, NULL); 3115 } 3116 rpz_clean(NULL, dbp, &node, NULL); 3117 if (result == DNS_R_DELEGATION) { 3118 rpz_clean(NULL, NULL, NULL, rdatasetp); 3119 /* 3120 * Recurse for NS rrset or A or AAAA rrset for an NS. 3121 * Do not recurse for addresses for the query name. 3122 */ 3123 if (rpz_type == DNS_RPZ_TYPE_IP) { 3124 result = DNS_R_NXRRSET; 3125 } else if (!client->view->rpzs->p.nsip_wait_recurse || 3126 (!client->view->rpzs->p.nsdname_wait_recurse && 3127 rpz_type == DNS_RPZ_TYPE_NSDNAME)) 3128 { 3129 query_rpzfetch(client, name, type); 3130 result = DNS_R_NXRRSET; 3131 } else { 3132 dns_name_copy(name, st->r_name); 3133 result = ns_query_recurse(client, type, st->r_name, 3134 NULL, NULL, resuming); 3135 if (result == ISC_R_SUCCESS) { 3136 st->state |= DNS_RPZ_RECURSING; 3137 result = DNS_R_DELEGATION; 3138 } 3139 } 3140 } 3141 return result; 3142 } 3143 3144 /* 3145 * Compute a policy owner name, p_name, in a policy zone given the needed 3146 * policy type and the trigger name. 3147 */ 3148 static isc_result_t 3149 rpz_get_p_name(ns_client_t *client, dns_name_t *p_name, dns_rpz_zone_t *rpz, 3150 dns_rpz_type_t rpz_type, dns_name_t *trig_name) { 3151 dns_offsets_t prefix_offsets; 3152 dns_name_t prefix, *suffix; 3153 unsigned int first, labels; 3154 isc_result_t result; 3155 3156 CTRACE(ISC_LOG_DEBUG(3), "rpz_get_p_name"); 3157 3158 /* 3159 * The policy owner name consists of a suffix depending on the type 3160 * and policy zone and a prefix that is the longest possible string 3161 * from the trigger name that keesp the resulting policy owner name 3162 * from being too long. 3163 */ 3164 switch (rpz_type) { 3165 case DNS_RPZ_TYPE_CLIENT_IP: 3166 suffix = &rpz->client_ip; 3167 break; 3168 case DNS_RPZ_TYPE_QNAME: 3169 suffix = &rpz->origin; 3170 break; 3171 case DNS_RPZ_TYPE_IP: 3172 suffix = &rpz->ip; 3173 break; 3174 case DNS_RPZ_TYPE_NSDNAME: 3175 suffix = &rpz->nsdname; 3176 break; 3177 case DNS_RPZ_TYPE_NSIP: 3178 suffix = &rpz->nsip; 3179 break; 3180 default: 3181 UNREACHABLE(); 3182 } 3183 3184 /* 3185 * Start with relative version of the full trigger name, 3186 * and trim enough allow the addition of the suffix. 3187 */ 3188 dns_name_init(&prefix, prefix_offsets); 3189 labels = dns_name_countlabels(trig_name); 3190 first = 0; 3191 for (;;) { 3192 dns_name_getlabelsequence(trig_name, first, labels - first - 1, 3193 &prefix); 3194 result = dns_name_concatenate(&prefix, suffix, p_name, NULL); 3195 if (result == ISC_R_SUCCESS) { 3196 break; 3197 } 3198 INSIST(result == DNS_R_NAMETOOLONG); 3199 /* 3200 * Trim the trigger name until the combination is not too long. 3201 */ 3202 if (labels - first < 2) { 3203 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, suffix, 3204 rpz_type, "concatenate()", result); 3205 return ISC_R_FAILURE; 3206 } 3207 /* 3208 * Complain once about trimming the trigger name. 3209 */ 3210 if (first == 0) { 3211 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, suffix, 3212 rpz_type, "concatenate()", result); 3213 } 3214 ++first; 3215 } 3216 return ISC_R_SUCCESS; 3217 } 3218 3219 /* 3220 * Look in policy zone rpz for a policy of rpz_type by p_name. 3221 * The self-name (usually the client qname or an NS name) is compared with 3222 * the target of a CNAME policy for the old style passthru encoding. 3223 * If found, the policy is recorded in *zonep, *dbp, *versionp, *nodep, 3224 * *rdatasetp, and *policyp. 3225 * The target DNS type, qtype, chooses the best rdataset for *rdatasetp. 3226 * The caller must decide if the found policy is most suitable, including 3227 * better than a previously found policy. 3228 * If it is best, the caller records it in client->query.rpz_st->m. 3229 */ 3230 static isc_result_t 3231 rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, 3232 dns_name_t *p_name, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, 3233 dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, 3234 dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, 3235 dns_rpz_policy_t *policyp) { 3236 dns_fixedname_t foundf; 3237 dns_name_t *found; 3238 isc_result_t result; 3239 dns_clientinfomethods_t cm; 3240 dns_clientinfo_t ci; 3241 bool found_a = false; 3242 3243 REQUIRE(nodep != NULL); 3244 3245 CTRACE(ISC_LOG_DEBUG(3), "rpz_find_p"); 3246 3247 dns_clientinfomethods_init(&cm, ns_client_sourceip); 3248 dns_clientinfo_init(&ci, client, NULL); 3249 3250 /* 3251 * Try to find either a CNAME or the type of record demanded by the 3252 * request from the policy zone. 3253 */ 3254 rpz_clean(zonep, dbp, nodep, rdatasetp); 3255 result = rpz_ready(client, rdatasetp); 3256 if (result != ISC_R_SUCCESS) { 3257 CTRACE(ISC_LOG_ERROR, "rpz_ready() failed"); 3258 return DNS_R_SERVFAIL; 3259 } 3260 *versionp = NULL; 3261 result = rpz_getdb(client, p_name, rpz_type, zonep, dbp, versionp); 3262 if (result != ISC_R_SUCCESS) { 3263 return DNS_R_NXDOMAIN; 3264 } 3265 found = dns_fixedname_initname(&foundf); 3266 3267 result = dns_db_findext(*dbp, p_name, *versionp, dns_rdatatype_any, 0, 3268 client->now, nodep, found, &cm, &ci, *rdatasetp, 3269 NULL); 3270 /* 3271 * Choose the best rdataset if we found something. 3272 */ 3273 if (result == ISC_R_SUCCESS) { 3274 dns_rdatasetiter_t *rdsiter; 3275 3276 rdsiter = NULL; 3277 result = dns_db_allrdatasets(*dbp, *nodep, *versionp, 0, 0, 3278 &rdsiter); 3279 if (result != ISC_R_SUCCESS) { 3280 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, 3281 rpz_type, "allrdatasets()", result); 3282 CTRACE(ISC_LOG_ERROR, 3283 "rpz_find_p: allrdatasets failed"); 3284 return DNS_R_SERVFAIL; 3285 } 3286 if (qtype == dns_rdatatype_aaaa && 3287 !ISC_LIST_EMPTY(client->view->dns64)) 3288 { 3289 for (result = dns_rdatasetiter_first(rdsiter); 3290 result == ISC_R_SUCCESS; 3291 result = dns_rdatasetiter_next(rdsiter)) 3292 { 3293 dns_rdatasetiter_current(rdsiter, *rdatasetp); 3294 if ((*rdatasetp)->type == dns_rdatatype_a) { 3295 found_a = true; 3296 } 3297 dns_rdataset_disassociate(*rdatasetp); 3298 } 3299 } 3300 for (result = dns_rdatasetiter_first(rdsiter); 3301 result == ISC_R_SUCCESS; 3302 result = dns_rdatasetiter_next(rdsiter)) 3303 { 3304 dns_rdatasetiter_current(rdsiter, *rdatasetp); 3305 if ((*rdatasetp)->type == dns_rdatatype_cname || 3306 (*rdatasetp)->type == qtype) 3307 { 3308 break; 3309 } 3310 dns_rdataset_disassociate(*rdatasetp); 3311 } 3312 dns_rdatasetiter_destroy(&rdsiter); 3313 if (result != ISC_R_SUCCESS) { 3314 if (result != ISC_R_NOMORE) { 3315 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, 3316 p_name, rpz_type, "rdatasetiter", 3317 result); 3318 CTRACE(ISC_LOG_ERROR, "rpz_find_p: " 3319 "rdatasetiter failed"); 3320 return DNS_R_SERVFAIL; 3321 } 3322 /* 3323 * Ask again to get the right DNS_R_DNAME/NXRRSET/... 3324 * result if there is neither a CNAME nor target type. 3325 */ 3326 if (dns_rdataset_isassociated(*rdatasetp)) { 3327 dns_rdataset_disassociate(*rdatasetp); 3328 } 3329 dns_db_detachnode(*dbp, nodep); 3330 3331 if (qtype == dns_rdatatype_rrsig || 3332 qtype == dns_rdatatype_sig) 3333 { 3334 result = DNS_R_NXRRSET; 3335 } else { 3336 result = dns_db_findext(*dbp, p_name, *versionp, 3337 qtype, 0, client->now, 3338 nodep, found, &cm, &ci, 3339 *rdatasetp, NULL); 3340 } 3341 } 3342 } 3343 switch (result) { 3344 case ISC_R_SUCCESS: 3345 if ((*rdatasetp)->type != dns_rdatatype_cname) { 3346 *policyp = DNS_RPZ_POLICY_RECORD; 3347 } else { 3348 *policyp = dns_rpz_decode_cname(rpz, *rdatasetp, 3349 self_name); 3350 if ((*policyp == DNS_RPZ_POLICY_RECORD || 3351 *policyp == DNS_RPZ_POLICY_WILDCNAME) && 3352 qtype != dns_rdatatype_cname && 3353 qtype != dns_rdatatype_any) 3354 { 3355 return DNS_R_CNAME; 3356 } 3357 } 3358 return ISC_R_SUCCESS; 3359 case DNS_R_NXRRSET: 3360 if (found_a) { 3361 *policyp = DNS_RPZ_POLICY_DNS64; 3362 } else { 3363 *policyp = DNS_RPZ_POLICY_NODATA; 3364 } 3365 return result; 3366 case DNS_R_DNAME: 3367 /* 3368 * DNAME policy RRs have very few if any uses that are not 3369 * better served with simple wildcards. Making them work would 3370 * require complications to get the number of labels matched 3371 * in the name or the found name to the main DNS_R_DNAME case 3372 * in query_dname(). The domain also does not appear in the 3373 * summary database at the right level, so this happens only 3374 * with a single policy zone when we have no summary database. 3375 * Treat it as a miss. 3376 */ 3377 case DNS_R_NXDOMAIN: 3378 case DNS_R_EMPTYNAME: 3379 return DNS_R_NXDOMAIN; 3380 default: 3381 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "", 3382 result); 3383 CTRACE(ISC_LOG_ERROR, "rpz_find_p: unexpected result"); 3384 return DNS_R_SERVFAIL; 3385 } 3386 } 3387 3388 static void 3389 rpz_save_p(dns_rpz_st_t *st, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, 3390 dns_rpz_policy_t policy, dns_name_t *p_name, dns_rpz_prefix_t prefix, 3391 isc_result_t result, dns_zone_t **zonep, dns_db_t **dbp, 3392 dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, 3393 dns_dbversion_t *version) { 3394 dns_rdataset_t *trdataset = NULL; 3395 3396 rpz_match_clear(st); 3397 st->m.rpz = rpz; 3398 st->m.type = rpz_type; 3399 st->m.policy = policy; 3400 dns_name_copy(p_name, st->p_name); 3401 st->m.prefix = prefix; 3402 st->m.result = result; 3403 SAVE(st->m.zone, *zonep); 3404 SAVE(st->m.db, *dbp); 3405 SAVE(st->m.node, *nodep); 3406 if (*rdatasetp != NULL && dns_rdataset_isassociated(*rdatasetp)) { 3407 /* 3408 * Save the replacement rdataset from the policy 3409 * and make the previous replacement rdataset scratch. 3410 */ 3411 SAVE(trdataset, st->m.rdataset); 3412 SAVE(st->m.rdataset, *rdatasetp); 3413 SAVE(*rdatasetp, trdataset); 3414 st->m.ttl = ISC_MIN(st->m.rdataset->ttl, rpz->max_policy_ttl); 3415 } else { 3416 st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT, rpz->max_policy_ttl); 3417 } 3418 SAVE(st->m.version, version); 3419 } 3420 3421 #ifdef USE_DNSRPS 3422 /* 3423 * Check the results of a RPZ service interface lookup. 3424 * Stop after an error (<0) or not a hit on a disabled zone (0). 3425 * Continue after a hit on a disabled zone (>0). 3426 */ 3427 static int 3428 dnsrps_ck(librpz_emsg_t *emsg, ns_client_t *client, dns_rpsdb_t *rpsdb, 3429 bool recursed) { 3430 isc_region_t region; 3431 librpz_domain_buf_t pname_buf; 3432 3433 CTRACE(ISC_LOG_DEBUG(3), "dnsrps_ck"); 3434 3435 if (!librpz->rsp_result(emsg, &rpsdb->result, recursed, rpsdb->rsp)) { 3436 return -1; 3437 } 3438 3439 /* 3440 * Forget the state from before the IP address or domain check 3441 * if the lookup hit nothing. 3442 */ 3443 if (rpsdb->result.policy == LIBRPZ_POLICY_UNDEFINED || 3444 rpsdb->result.hit_id != rpsdb->hit_id || 3445 rpsdb->result.policy != LIBRPZ_POLICY_DISABLED) 3446 { 3447 if (!librpz->rsp_pop_discard(emsg, rpsdb->rsp)) { 3448 return -1; 3449 } 3450 return 0; 3451 } 3452 3453 /* 3454 * Log a hit on a disabled zone. 3455 * Forget the zone to not try it again, and restore the pre-hit state. 3456 */ 3457 if (!librpz->rsp_domain(emsg, &pname_buf, rpsdb->rsp)) { 3458 return -1; 3459 } 3460 region.base = pname_buf.d; 3461 region.length = pname_buf.size; 3462 dns_name_fromregion(client->query.rpz_st->p_name, ®ion); 3463 rpz_log_rewrite(client, true, dns_dnsrps_2policy(rpsdb->result.zpolicy), 3464 dns_dnsrps_trig2type(rpsdb->result.trig), NULL, 3465 client->query.rpz_st->p_name, NULL, 3466 rpsdb->result.cznum); 3467 3468 if (!librpz->rsp_forget_zone(emsg, rpsdb->result.cznum, rpsdb->rsp) || 3469 !librpz->rsp_pop(emsg, &rpsdb->result, rpsdb->rsp)) 3470 { 3471 return -1; 3472 } 3473 return 1; 3474 } 3475 3476 /* 3477 * Ready the shim database and rdataset for a DNSRPS hit. 3478 */ 3479 static bool 3480 dnsrps_set_p(librpz_emsg_t *emsg, ns_client_t *client, dns_rpz_st_t *st, 3481 dns_rdatatype_t qtype, dns_rdataset_t **p_rdatasetp, 3482 bool recursed) { 3483 dns_rpsdb_t *rpsdb = NULL; 3484 librpz_domain_buf_t pname_buf; 3485 isc_region_t region; 3486 dns_zone_t *p_zone = NULL; 3487 dns_db_t *p_db = NULL; 3488 dns_dbnode_t *p_node = NULL; 3489 dns_rpz_policy_t policy; 3490 dns_rdatatype_t foundtype, searchtype; 3491 isc_result_t result; 3492 3493 CTRACE(ISC_LOG_DEBUG(3), "dnsrps_set_p"); 3494 3495 rpsdb = (dns_rpsdb_t *)st->rpsdb; 3496 3497 if (!librpz->rsp_result(emsg, &rpsdb->result, recursed, rpsdb->rsp)) { 3498 return false; 3499 } 3500 3501 if (rpsdb->result.policy == LIBRPZ_POLICY_UNDEFINED) { 3502 return true; 3503 } 3504 3505 /* 3506 * Give the fake or shim DNSRPS database its new origin. 3507 */ 3508 if (!librpz->rsp_soa(emsg, NULL, NULL, &rpsdb->origin_buf, 3509 &rpsdb->result, rpsdb->rsp)) 3510 { 3511 return false; 3512 } 3513 region.base = rpsdb->origin_buf.d; 3514 region.length = rpsdb->origin_buf.size; 3515 dns_name_fromregion(&rpsdb->common.origin, ®ion); 3516 3517 if (!librpz->rsp_domain(emsg, &pname_buf, rpsdb->rsp)) { 3518 return false; 3519 } 3520 region.base = pname_buf.d; 3521 region.length = pname_buf.size; 3522 dns_name_fromregion(st->p_name, ®ion); 3523 3524 result = rpz_ready(client, p_rdatasetp); 3525 if (result != ISC_R_SUCCESS) { 3526 return false; 3527 } 3528 dns_db_attach(st->rpsdb, &p_db); 3529 policy = dns_dnsrps_2policy(rpsdb->result.policy); 3530 if (policy != DNS_RPZ_POLICY_RECORD) { 3531 result = ISC_R_SUCCESS; 3532 } else if (qtype == dns_rdatatype_rrsig) { 3533 /* 3534 * dns_find_db() refuses to look for and fail to 3535 * find dns_rdatatype_rrsig. 3536 */ 3537 result = DNS_R_NXRRSET; 3538 policy = DNS_RPZ_POLICY_NODATA; 3539 } else { 3540 dns_fixedname_t foundf; 3541 dns_name_t *found = NULL; 3542 3543 /* 3544 * Get the next (and so first) RR from the policy node. 3545 * If it is a CNAME, then look for it regardless of the 3546 * query type. 3547 */ 3548 if (!librpz->rsp_rr(emsg, &foundtype, NULL, NULL, NULL, 3549 &rpsdb->result, rpsdb->qname->ndata, 3550 rpsdb->qname->length, rpsdb->rsp)) 3551 { 3552 return false; 3553 } 3554 3555 if (foundtype == dns_rdatatype_cname) { 3556 searchtype = dns_rdatatype_cname; 3557 } else { 3558 searchtype = qtype; 3559 } 3560 /* 3561 * Get the DNSPRS imitation rdataset. 3562 */ 3563 found = dns_fixedname_initname(&foundf); 3564 result = dns_db_find(p_db, st->p_name, NULL, searchtype, 0, 0, 3565 &p_node, found, *p_rdatasetp, NULL); 3566 3567 if (result == ISC_R_SUCCESS) { 3568 if (searchtype == dns_rdatatype_cname && 3569 qtype != dns_rdatatype_cname) 3570 { 3571 result = DNS_R_CNAME; 3572 } 3573 } else if (result == DNS_R_NXRRSET) { 3574 policy = DNS_RPZ_POLICY_NODATA; 3575 } else { 3576 snprintf(emsg->c, sizeof(emsg->c), "dns_db_find(): %s", 3577 isc_result_totext(result)); 3578 return false; 3579 } 3580 } 3581 3582 rpz_save_p(st, client->view->rpzs->zones[rpsdb->result.cznum], 3583 dns_dnsrps_trig2type(rpsdb->result.trig), policy, st->p_name, 3584 0, result, &p_zone, &p_db, &p_node, p_rdatasetp, NULL); 3585 3586 rpz_clean(NULL, NULL, NULL, p_rdatasetp); 3587 3588 return true; 3589 } 3590 3591 static isc_result_t 3592 dnsrps_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr, 3593 dns_rpz_type_t rpz_type, dns_rdataset_t **p_rdatasetp) { 3594 dns_rpz_st_t *st; 3595 dns_rpsdb_t *rpsdb; 3596 librpz_trig_t trig = LIBRPZ_TRIG_CLIENT_IP; 3597 bool recursed = false; 3598 int res; 3599 librpz_emsg_t emsg; 3600 isc_result_t result; 3601 3602 CTRACE(ISC_LOG_DEBUG(3), "dnsrps_rewrite_ip"); 3603 3604 st = client->query.rpz_st; 3605 rpsdb = (dns_rpsdb_t *)st->rpsdb; 3606 3607 result = rpz_ready(client, p_rdatasetp); 3608 if (result != ISC_R_SUCCESS) { 3609 st->m.policy = DNS_RPZ_POLICY_ERROR; 3610 return result; 3611 } 3612 3613 switch (rpz_type) { 3614 case DNS_RPZ_TYPE_CLIENT_IP: 3615 trig = LIBRPZ_TRIG_CLIENT_IP; 3616 recursed = false; 3617 break; 3618 case DNS_RPZ_TYPE_IP: 3619 trig = LIBRPZ_TRIG_IP; 3620 recursed = true; 3621 break; 3622 case DNS_RPZ_TYPE_NSIP: 3623 trig = LIBRPZ_TRIG_NSIP; 3624 recursed = true; 3625 break; 3626 default: 3627 UNREACHABLE(); 3628 } 3629 3630 do { 3631 if (!librpz->rsp_push(&emsg, rpsdb->rsp) || 3632 !librpz->ck_ip(&emsg, 3633 netaddr->family == AF_INET 3634 ? (const void *)&netaddr->type.in 3635 : (const void *)&netaddr->type.in6, 3636 netaddr->family, trig, ++rpsdb->hit_id, 3637 recursed, rpsdb->rsp) || 3638 (res = dnsrps_ck(&emsg, client, rpsdb, recursed)) < 0) 3639 { 3640 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL, 3641 rpz_type, emsg.c, DNS_R_SERVFAIL); 3642 st->m.policy = DNS_RPZ_POLICY_ERROR; 3643 return DNS_R_SERVFAIL; 3644 } 3645 } while (res != 0); 3646 return ISC_R_SUCCESS; 3647 } 3648 3649 static isc_result_t 3650 dnsrps_rewrite_name(ns_client_t *client, dns_name_t *trig_name, bool recursed, 3651 dns_rpz_type_t rpz_type, dns_rdataset_t **p_rdatasetp) { 3652 dns_rpz_st_t *st; 3653 dns_rpsdb_t *rpsdb; 3654 librpz_trig_t trig = LIBRPZ_TRIG_CLIENT_IP; 3655 isc_region_t r; 3656 int res; 3657 librpz_emsg_t emsg; 3658 isc_result_t result; 3659 3660 CTRACE(ISC_LOG_DEBUG(3), "dnsrps_rewrite_name"); 3661 3662 st = client->query.rpz_st; 3663 rpsdb = (dns_rpsdb_t *)st->rpsdb; 3664 3665 result = rpz_ready(client, p_rdatasetp); 3666 if (result != ISC_R_SUCCESS) { 3667 st->m.policy = DNS_RPZ_POLICY_ERROR; 3668 return result; 3669 } 3670 3671 switch (rpz_type) { 3672 case DNS_RPZ_TYPE_QNAME: 3673 trig = LIBRPZ_TRIG_QNAME; 3674 break; 3675 case DNS_RPZ_TYPE_NSDNAME: 3676 trig = LIBRPZ_TRIG_NSDNAME; 3677 break; 3678 default: 3679 UNREACHABLE(); 3680 } 3681 3682 dns_name_toregion(trig_name, &r); 3683 do { 3684 if (!librpz->rsp_push(&emsg, rpsdb->rsp) || 3685 !librpz->ck_domain(&emsg, r.base, r.length, trig, 3686 ++rpsdb->hit_id, recursed, rpsdb->rsp) || 3687 (res = dnsrps_ck(&emsg, client, rpsdb, recursed)) < 0) 3688 { 3689 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL, 3690 rpz_type, emsg.c, DNS_R_SERVFAIL); 3691 st->m.policy = DNS_RPZ_POLICY_ERROR; 3692 return DNS_R_SERVFAIL; 3693 } 3694 } while (res != 0); 3695 return ISC_R_SUCCESS; 3696 } 3697 #endif /* USE_DNSRPS */ 3698 3699 /* 3700 * Check this address in every eligible policy zone. 3701 */ 3702 static isc_result_t 3703 rpz_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr, 3704 dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, 3705 dns_rpz_zbits_t zbits, dns_rdataset_t **p_rdatasetp) { 3706 dns_rpz_zones_t *rpzs; 3707 dns_rpz_st_t *st; 3708 dns_rpz_zone_t *rpz; 3709 dns_rpz_prefix_t prefix; 3710 dns_rpz_num_t rpz_num; 3711 dns_fixedname_t ip_namef, p_namef; 3712 dns_name_t *ip_name, *p_name; 3713 dns_zone_t *p_zone; 3714 dns_db_t *p_db; 3715 dns_dbversion_t *p_version; 3716 dns_dbnode_t *p_node; 3717 dns_rpz_policy_t policy; 3718 isc_result_t result; 3719 3720 CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip"); 3721 3722 rpzs = client->view->rpzs; 3723 st = client->query.rpz_st; 3724 #ifdef USE_DNSRPS 3725 if (st->popt.dnsrps_enabled) { 3726 return dnsrps_rewrite_ip(client, netaddr, rpz_type, 3727 p_rdatasetp); 3728 } 3729 #endif /* ifdef USE_DNSRPS */ 3730 3731 ip_name = dns_fixedname_initname(&ip_namef); 3732 3733 p_zone = NULL; 3734 p_db = NULL; 3735 p_node = NULL; 3736 3737 while (zbits != 0) { 3738 rpz_num = dns_rpz_find_ip(rpzs, rpz_type, zbits, netaddr, 3739 ip_name, &prefix); 3740 if (rpz_num == DNS_RPZ_INVALID_NUM) { 3741 break; 3742 } 3743 zbits &= (DNS_RPZ_ZMASK(rpz_num) >> 1); 3744 3745 /* 3746 * Do not try applying policy zones that cannot replace a 3747 * previously found policy zone. 3748 * Stop looking if the next best choice cannot 3749 * replace what we already have. 3750 */ 3751 rpz = rpzs->zones[rpz_num]; 3752 if (st->m.policy != DNS_RPZ_POLICY_MISS) { 3753 if (st->m.rpz->num < rpz->num) { 3754 break; 3755 } 3756 if (st->m.rpz->num == rpz->num && 3757 (st->m.type < rpz_type || st->m.prefix > prefix)) 3758 { 3759 break; 3760 } 3761 } 3762 3763 /* 3764 * Get the policy for a prefix at least as long 3765 * as the prefix of the entry we had before. 3766 */ 3767 p_name = dns_fixedname_initname(&p_namef); 3768 result = rpz_get_p_name(client, p_name, rpz, rpz_type, ip_name); 3769 if (result != ISC_R_SUCCESS) { 3770 continue; 3771 } 3772 result = rpz_find_p(client, ip_name, qtype, p_name, rpz, 3773 rpz_type, &p_zone, &p_db, &p_version, 3774 &p_node, p_rdatasetp, &policy); 3775 switch (result) { 3776 case DNS_R_NXDOMAIN: 3777 /* 3778 * Continue after a policy record that is missing 3779 * contrary to the summary data. The summary 3780 * data can out of date during races with and among 3781 * policy zone updates. 3782 */ 3783 CTRACE(ISC_LOG_ERROR, "rpz_rewrite_ip: mismatched " 3784 "summary data; " 3785 "continuing"); 3786 continue; 3787 case DNS_R_SERVFAIL: 3788 rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); 3789 st->m.policy = DNS_RPZ_POLICY_ERROR; 3790 return DNS_R_SERVFAIL; 3791 default: 3792 /* 3793 * Forget this policy if it is not preferable 3794 * to the previously found policy. 3795 * If this policy is not good, then stop looking 3796 * because none of the later policy zones would work. 3797 * 3798 * With more than one applicable policy, prefer 3799 * the earliest configured policy, 3800 * client-IP over QNAME over IP over NSDNAME over NSIP, 3801 * the longest prefix 3802 * the lexically smallest address. 3803 * dns_rpz_find_ip() ensures st->m.rpz->num >= rpz->num. 3804 * We can compare new and current p_name because 3805 * both are of the same type and in the same zone. 3806 * The tests above eliminate other reasons to 3807 * reject this policy. If this policy can't work, 3808 * then neither can later zones. 3809 */ 3810 if (st->m.policy != DNS_RPZ_POLICY_MISS && 3811 rpz->num == st->m.rpz->num && 3812 (st->m.type == rpz_type && st->m.prefix == prefix && 3813 0 > dns_name_rdatacompare(st->p_name, p_name))) 3814 { 3815 break; 3816 } 3817 3818 /* 3819 * Stop checking after saving an enabled hit in this 3820 * policy zone. The radix tree in the policy zone 3821 * ensures that we found the longest match. 3822 */ 3823 if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { 3824 CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip: " 3825 "rpz_save_p"); 3826 rpz_save_p(st, rpz, rpz_type, policy, p_name, 3827 prefix, result, &p_zone, &p_db, 3828 &p_node, p_rdatasetp, p_version); 3829 break; 3830 } 3831 3832 /* 3833 * Log DNS_RPZ_POLICY_DISABLED zones 3834 * and try the next eligible policy zone. 3835 */ 3836 rpz_log_rewrite(client, true, policy, rpz_type, p_zone, 3837 p_name, NULL, rpz_num); 3838 } 3839 } 3840 3841 rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); 3842 return ISC_R_SUCCESS; 3843 } 3844 3845 /* 3846 * Check the IP addresses in the A or AAAA rrsets for name against 3847 * all eligible rpz_type (IP or NSIP) response policy rewrite rules. 3848 */ 3849 static isc_result_t 3850 rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name, 3851 dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, 3852 dns_rdatatype_t ip_type, dns_db_t **ip_dbp, 3853 dns_dbversion_t *ip_version, dns_rdataset_t **ip_rdatasetp, 3854 dns_rdataset_t **p_rdatasetp, bool resuming) { 3855 dns_rpz_zbits_t zbits; 3856 isc_netaddr_t netaddr; 3857 struct in_addr ina; 3858 struct in6_addr in6a; 3859 isc_result_t result; 3860 unsigned int options = client->query.dboptions | DNS_DBFIND_GLUEOK; 3861 bool done = false; 3862 3863 CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset"); 3864 3865 do { 3866 zbits = rpz_get_zbits(client, ip_type, rpz_type); 3867 if (zbits == 0) { 3868 return ISC_R_SUCCESS; 3869 } 3870 3871 /* 3872 * Get the A or AAAA rdataset. 3873 */ 3874 result = rpz_rrset_find(client, name, ip_type, options, 3875 rpz_type, ip_dbp, ip_version, 3876 ip_rdatasetp, resuming); 3877 switch (result) { 3878 case ISC_R_SUCCESS: 3879 case DNS_R_GLUE: 3880 case DNS_R_ZONECUT: 3881 break; 3882 case DNS_R_EMPTYNAME: 3883 case DNS_R_EMPTYWILD: 3884 case DNS_R_NXDOMAIN: 3885 case DNS_R_NCACHENXDOMAIN: 3886 case DNS_R_NXRRSET: 3887 case DNS_R_NCACHENXRRSET: 3888 case ISC_R_NOTFOUND: 3889 return ISC_R_SUCCESS; 3890 case DNS_R_DELEGATION: 3891 case DNS_R_DUPLICATE: 3892 case DNS_R_DROP: 3893 return result; 3894 case DNS_R_CNAME: 3895 case DNS_R_DNAME: 3896 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name, 3897 rpz_type, "NS address rewrite rrset", 3898 result); 3899 return ISC_R_SUCCESS; 3900 default: 3901 if (client->query.rpz_st->m.policy != 3902 DNS_RPZ_POLICY_ERROR) 3903 { 3904 client->query.rpz_st->m.policy = 3905 DNS_RPZ_POLICY_ERROR; 3906 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, 3907 rpz_type, 3908 "NS address rewrite rrset", 3909 result); 3910 } 3911 CTRACE(ISC_LOG_ERROR, 3912 "rpz_rewrite_ip_rrset: unexpected " 3913 "result"); 3914 return DNS_R_SERVFAIL; 3915 } 3916 3917 /* 3918 * If we are processing glue setup for the next loop 3919 * otherwise we are done. 3920 */ 3921 if (result == DNS_R_GLUE) { 3922 options = client->query.dboptions; 3923 } else { 3924 options = client->query.dboptions | DNS_DBFIND_GLUEOK; 3925 done = true; 3926 } 3927 3928 /* 3929 * Check all of the IP addresses in the rdataset. 3930 */ 3931 for (result = dns_rdataset_first(*ip_rdatasetp); 3932 result == ISC_R_SUCCESS; 3933 result = dns_rdataset_next(*ip_rdatasetp)) 3934 { 3935 dns_rdata_t rdata = DNS_RDATA_INIT; 3936 dns_rdataset_current(*ip_rdatasetp, &rdata); 3937 switch (rdata.type) { 3938 case dns_rdatatype_a: 3939 INSIST(rdata.length == 4); 3940 memmove(&ina.s_addr, rdata.data, 4); 3941 isc_netaddr_fromin(&netaddr, &ina); 3942 break; 3943 case dns_rdatatype_aaaa: 3944 INSIST(rdata.length == 16); 3945 memmove(in6a.s6_addr, rdata.data, 16); 3946 isc_netaddr_fromin6(&netaddr, &in6a); 3947 break; 3948 default: 3949 continue; 3950 } 3951 3952 result = rpz_rewrite_ip(client, &netaddr, qtype, 3953 rpz_type, zbits, p_rdatasetp); 3954 if (result != ISC_R_SUCCESS) { 3955 return result; 3956 } 3957 } 3958 } while (!done && 3959 client->query.rpz_st->m.policy == DNS_RPZ_POLICY_MISS); 3960 3961 return ISC_R_SUCCESS; 3962 } 3963 3964 /* 3965 * Look for IP addresses in A and AAAA rdatasets 3966 * that trigger all eligible IP or NSIP policy rules. 3967 */ 3968 static isc_result_t 3969 rpz_rewrite_ip_rrsets(ns_client_t *client, dns_name_t *name, 3970 dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, 3971 dns_rdataset_t **ip_rdatasetp, bool resuming) { 3972 dns_rpz_st_t *st; 3973 dns_dbversion_t *ip_version; 3974 dns_db_t *ip_db; 3975 dns_rdataset_t *p_rdataset; 3976 isc_result_t result; 3977 3978 CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrsets"); 3979 3980 st = client->query.rpz_st; 3981 ip_version = NULL; 3982 ip_db = NULL; 3983 p_rdataset = NULL; 3984 if ((st->state & DNS_RPZ_DONE_IPv4) == 0 && 3985 (qtype == dns_rdatatype_a || qtype == dns_rdatatype_any || 3986 rpz_type == DNS_RPZ_TYPE_NSIP)) 3987 { 3988 /* 3989 * Rewrite based on an IPv4 address that will appear 3990 * in the ANSWER section or if we are checking IP addresses. 3991 */ 3992 result = rpz_rewrite_ip_rrset( 3993 client, name, qtype, rpz_type, dns_rdatatype_a, &ip_db, 3994 ip_version, ip_rdatasetp, &p_rdataset, resuming); 3995 if (result == ISC_R_SUCCESS) { 3996 st->state |= DNS_RPZ_DONE_IPv4; 3997 } 3998 } else { 3999 result = ISC_R_SUCCESS; 4000 } 4001 if (result == ISC_R_SUCCESS && 4002 (qtype == dns_rdatatype_aaaa || qtype == dns_rdatatype_any || 4003 rpz_type == DNS_RPZ_TYPE_NSIP)) 4004 { 4005 /* 4006 * Rewrite based on IPv6 addresses that will appear 4007 * in the ANSWER section or if we are checking IP addresses. 4008 */ 4009 result = rpz_rewrite_ip_rrset(client, name, qtype, rpz_type, 4010 dns_rdatatype_aaaa, &ip_db, 4011 ip_version, ip_rdatasetp, 4012 &p_rdataset, resuming); 4013 } 4014 if (ip_db != NULL) { 4015 dns_db_detach(&ip_db); 4016 } 4017 ns_client_putrdataset(client, &p_rdataset); 4018 return result; 4019 } 4020 4021 /* 4022 * Try to rewrite a request for a qtype rdataset based on the trigger name 4023 * trig_name and rpz_type (DNS_RPZ_TYPE_QNAME or DNS_RPZ_TYPE_NSDNAME). 4024 * Record the results including the replacement rdataset if any 4025 * in client->query.rpz_st. 4026 * *rdatasetp is a scratch rdataset. 4027 */ 4028 static isc_result_t 4029 rpz_rewrite_name(ns_client_t *client, dns_name_t *trig_name, 4030 dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, 4031 dns_rpz_zbits_t allowed_zbits, bool recursed, 4032 dns_rdataset_t **rdatasetp) { 4033 dns_rpz_zones_t *rpzs; 4034 dns_rpz_zone_t *rpz; 4035 dns_rpz_st_t *st; 4036 dns_fixedname_t p_namef; 4037 dns_name_t *p_name; 4038 dns_rpz_zbits_t zbits; 4039 dns_rpz_num_t rpz_num; 4040 dns_zone_t *p_zone; 4041 dns_db_t *p_db; 4042 dns_dbversion_t *p_version; 4043 dns_dbnode_t *p_node; 4044 dns_rpz_policy_t policy; 4045 isc_result_t result; 4046 4047 #ifndef USE_DNSRPS 4048 UNUSED(recursed); 4049 #endif /* ifndef USE_DNSRPS */ 4050 4051 CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_name"); 4052 4053 rpzs = client->view->rpzs; 4054 st = client->query.rpz_st; 4055 4056 #ifdef USE_DNSRPS 4057 if (st->popt.dnsrps_enabled) { 4058 return dnsrps_rewrite_name(client, trig_name, recursed, 4059 rpz_type, rdatasetp); 4060 } 4061 #endif /* ifdef USE_DNSRPS */ 4062 4063 zbits = rpz_get_zbits(client, qtype, rpz_type); 4064 zbits &= allowed_zbits; 4065 if (zbits == 0) { 4066 return ISC_R_SUCCESS; 4067 } 4068 4069 /* 4070 * Use the summary database to find the bit mask of policy zones 4071 * with policies for this trigger name. We do this even if there 4072 * is only one eligible policy zone so that wildcard triggers 4073 * are matched correctly, and not into their parent. 4074 */ 4075 zbits = dns_rpz_find_name(rpzs, rpz_type, zbits, trig_name); 4076 if (zbits == 0) { 4077 return ISC_R_SUCCESS; 4078 } 4079 4080 p_name = dns_fixedname_initname(&p_namef); 4081 4082 p_zone = NULL; 4083 p_db = NULL; 4084 p_node = NULL; 4085 4086 /* 4087 * Check the trigger name in every policy zone that the summary data 4088 * says has a hit for the trigger name. 4089 * Most of the time there are no eligible zones and the summary data 4090 * keeps us from getting this far. 4091 * We check the most eligible zone first and so usually check only 4092 * one policy zone. 4093 */ 4094 for (rpz_num = 0; zbits != 0; ++rpz_num, zbits >>= 1) { 4095 if ((zbits & 1) == 0) { 4096 continue; 4097 } 4098 4099 /* 4100 * Do not check policy zones that cannot replace a previously 4101 * found policy. 4102 */ 4103 rpz = rpzs->zones[rpz_num]; 4104 if (st->m.policy != DNS_RPZ_POLICY_MISS) { 4105 if (st->m.rpz->num < rpz->num) { 4106 break; 4107 } 4108 if (st->m.rpz->num == rpz->num && st->m.type < rpz_type) 4109 { 4110 break; 4111 } 4112 } 4113 4114 /* 4115 * Get the next policy zone's record for this trigger name. 4116 */ 4117 result = rpz_get_p_name(client, p_name, rpz, rpz_type, 4118 trig_name); 4119 if (result != ISC_R_SUCCESS) { 4120 continue; 4121 } 4122 result = rpz_find_p(client, trig_name, qtype, p_name, rpz, 4123 rpz_type, &p_zone, &p_db, &p_version, 4124 &p_node, rdatasetp, &policy); 4125 switch (result) { 4126 case DNS_R_NXDOMAIN: 4127 /* 4128 * Continue after a missing policy record 4129 * contrary to the summary data. The summary 4130 * data can out of date during races with and among 4131 * policy zone updates. 4132 */ 4133 CTRACE(ISC_LOG_ERROR, "rpz_rewrite_name: mismatched " 4134 "summary data; " 4135 "continuing"); 4136 continue; 4137 case DNS_R_SERVFAIL: 4138 rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); 4139 st->m.policy = DNS_RPZ_POLICY_ERROR; 4140 return DNS_R_SERVFAIL; 4141 default: 4142 /* 4143 * With more than one applicable policy, prefer 4144 * the earliest configured policy, 4145 * client-IP over QNAME over IP over NSDNAME over NSIP, 4146 * and the smallest name. 4147 * We known st->m.rpz->num >= rpz->num and either 4148 * st->m.rpz->num > rpz->num or st->m.type >= rpz_type 4149 */ 4150 if (st->m.policy != DNS_RPZ_POLICY_MISS && 4151 rpz->num == st->m.rpz->num && 4152 (st->m.type < rpz_type || 4153 (st->m.type == rpz_type && 4154 0 >= dns_name_compare(p_name, st->p_name)))) 4155 { 4156 continue; 4157 } 4158 4159 if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { 4160 CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_name: " 4161 "rpz_save_p"); 4162 rpz_save_p(st, rpz, rpz_type, policy, p_name, 0, 4163 result, &p_zone, &p_db, &p_node, 4164 rdatasetp, p_version); 4165 /* 4166 * After a hit, higher numbered policy zones 4167 * are irrelevant 4168 */ 4169 rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); 4170 return ISC_R_SUCCESS; 4171 } 4172 /* 4173 * Log DNS_RPZ_POLICY_DISABLED zones 4174 * and try the next eligible policy zone. 4175 */ 4176 rpz_log_rewrite(client, true, policy, rpz_type, p_zone, 4177 p_name, NULL, rpz_num); 4178 break; 4179 } 4180 } 4181 4182 rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); 4183 return ISC_R_SUCCESS; 4184 } 4185 4186 static void 4187 rpz_rewrite_ns_skip(ns_client_t *client, dns_name_t *nsname, 4188 isc_result_t result, int level, const char *str) { 4189 dns_rpz_st_t *st; 4190 4191 CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ns_skip"); 4192 4193 st = client->query.rpz_st; 4194 4195 if (str != NULL) { 4196 rpz_log_fail_helper(client, level, nsname, DNS_RPZ_TYPE_NSIP, 4197 DNS_RPZ_TYPE_NSDNAME, str, result); 4198 } 4199 if (st->r.ns_rdataset != NULL && 4200 dns_rdataset_isassociated(st->r.ns_rdataset)) 4201 { 4202 dns_rdataset_disassociate(st->r.ns_rdataset); 4203 } 4204 4205 st->r.label--; 4206 } 4207 4208 /* 4209 * RPZ query result types 4210 */ 4211 typedef enum { 4212 qresult_type_done = 0, 4213 qresult_type_restart = 1, 4214 qresult_type_recurse = 2 4215 } qresult_type_t; 4216 4217 /* 4218 * Look for response policy zone QNAME, NSIP, and NSDNAME rewriting. 4219 */ 4220 static isc_result_t 4221 rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult, 4222 bool resuming, dns_rdataset_t *ordataset, dns_rdataset_t *osigset) { 4223 dns_rpz_zones_t *rpzs; 4224 dns_rpz_st_t *st; 4225 dns_rdataset_t *rdataset; 4226 dns_fixedname_t nsnamef; 4227 dns_name_t *nsname; 4228 qresult_type_t qresult_type; 4229 dns_rpz_zbits_t zbits; 4230 isc_result_t result = ISC_R_SUCCESS; 4231 dns_rpz_have_t have; 4232 dns_rpz_popt_t popt; 4233 int rpz_ver; 4234 unsigned int options; 4235 #ifdef USE_DNSRPS 4236 librpz_emsg_t emsg; 4237 #endif /* ifdef USE_DNSRPS */ 4238 4239 CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite"); 4240 4241 rpzs = client->view->rpzs; 4242 st = client->query.rpz_st; 4243 4244 if (rpzs == NULL) { 4245 return ISC_R_NOTFOUND; 4246 } 4247 if (st != NULL && (st->state & DNS_RPZ_REWRITTEN) != 0) { 4248 return DNS_R_DISALLOWED; 4249 } 4250 if (RECURSING(client)) { 4251 return DNS_R_DISALLOWED; 4252 } 4253 4254 RWLOCK(&rpzs->search_lock, isc_rwlocktype_read); 4255 if ((rpzs->p.num_zones == 0 && !rpzs->p.dnsrps_enabled) || 4256 (!RECURSIONOK(client) && rpzs->p.no_rd_ok == 0) || 4257 !rpz_ck_dnssec(client, qresult, ordataset, osigset)) 4258 { 4259 RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read); 4260 return DNS_R_DISALLOWED; 4261 } 4262 have = rpzs->have; 4263 popt = rpzs->p; 4264 rpz_ver = rpzs->rpz_ver; 4265 RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read); 4266 4267 #ifndef USE_DNSRPS 4268 INSIST(!popt.dnsrps_enabled); 4269 #endif /* ifndef USE_DNSRPS */ 4270 4271 if (st == NULL) { 4272 st = isc_mem_get(client->manager->mctx, sizeof(*st)); 4273 st->state = 0; 4274 st->rpsdb = NULL; 4275 } 4276 if (st->state == 0) { 4277 st->state |= DNS_RPZ_ACTIVE; 4278 memset(&st->m, 0, sizeof(st->m)); 4279 st->m.type = DNS_RPZ_TYPE_BAD; 4280 st->m.policy = DNS_RPZ_POLICY_MISS; 4281 st->m.ttl = ~0; 4282 memset(&st->r, 0, sizeof(st->r)); 4283 memset(&st->q, 0, sizeof(st->q)); 4284 st->p_name = dns_fixedname_initname(&st->_p_namef); 4285 st->r_name = dns_fixedname_initname(&st->_r_namef); 4286 st->fname = dns_fixedname_initname(&st->_fnamef); 4287 st->have = have; 4288 st->popt = popt; 4289 st->rpz_ver = rpz_ver; 4290 client->query.rpz_st = st; 4291 #ifdef USE_DNSRPS 4292 if (popt.dnsrps_enabled) { 4293 if (st->rpsdb != NULL) { 4294 dns_db_detach(&st->rpsdb); 4295 } 4296 CTRACE(ISC_LOG_DEBUG(3), "dns_dnsrps_rewrite_init"); 4297 result = dns_dnsrps_rewrite_init( 4298 &emsg, st, rpzs, client->query.qname, 4299 client->manager->mctx, RECURSIONOK(client)); 4300 if (result != ISC_R_SUCCESS) { 4301 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL, 4302 DNS_RPZ_TYPE_QNAME, emsg.c, 4303 result); 4304 st->m.policy = DNS_RPZ_POLICY_ERROR; 4305 return ISC_R_SUCCESS; 4306 } 4307 } 4308 #endif /* ifdef USE_DNSRPS */ 4309 } 4310 4311 /* 4312 * There is nothing to rewrite if the main query failed. 4313 */ 4314 switch (qresult) { 4315 case ISC_R_SUCCESS: 4316 case DNS_R_GLUE: 4317 case DNS_R_ZONECUT: 4318 qresult_type = qresult_type_done; 4319 break; 4320 case DNS_R_EMPTYNAME: 4321 case DNS_R_NXRRSET: 4322 case DNS_R_NXDOMAIN: 4323 case DNS_R_EMPTYWILD: 4324 case DNS_R_NCACHENXDOMAIN: 4325 case DNS_R_NCACHENXRRSET: 4326 case DNS_R_COVERINGNSEC: 4327 case DNS_R_CNAME: 4328 case DNS_R_DNAME: 4329 qresult_type = qresult_type_restart; 4330 break; 4331 case DNS_R_DELEGATION: 4332 case ISC_R_NOTFOUND: 4333 /* 4334 * If recursion is on, do only tentative rewriting. 4335 * If recursion is off, this the normal and only time we 4336 * can rewrite. 4337 */ 4338 if (RECURSIONOK(client)) { 4339 qresult_type = qresult_type_recurse; 4340 } else { 4341 qresult_type = qresult_type_restart; 4342 } 4343 break; 4344 case ISC_R_FAILURE: 4345 case ISC_R_TIMEDOUT: 4346 case ISC_R_CANCELED: 4347 case DNS_R_BROKENCHAIN: 4348 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, NULL, 4349 DNS_RPZ_TYPE_QNAME, 4350 "stop on qresult in rpz_rewrite()", qresult); 4351 return ISC_R_SUCCESS; 4352 default: 4353 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, NULL, 4354 DNS_RPZ_TYPE_QNAME, 4355 "stop on unrecognized qresult in rpz_rewrite()", 4356 qresult); 4357 return ISC_R_SUCCESS; 4358 } 4359 4360 rdataset = NULL; 4361 4362 if ((st->state & (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME)) != 4363 (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME)) 4364 { 4365 isc_netaddr_t netaddr; 4366 dns_rpz_zbits_t allowed; 4367 4368 if (!st->popt.dnsrps_enabled && 4369 qresult_type == qresult_type_recurse) 4370 { 4371 /* 4372 * This request needs recursion that has not been done. 4373 * Get bits for the policy zones that do not need 4374 * to wait for the results of recursion. 4375 */ 4376 allowed = st->have.qname_skip_recurse; 4377 if (allowed == 0) { 4378 return ISC_R_SUCCESS; 4379 } 4380 } else { 4381 allowed = DNS_RPZ_ALL_ZBITS; 4382 } 4383 4384 /* 4385 * Check once for triggers for the client IP address. 4386 */ 4387 if ((st->state & DNS_RPZ_DONE_CLIENT_IP) == 0) { 4388 zbits = rpz_get_zbits(client, dns_rdatatype_none, 4389 DNS_RPZ_TYPE_CLIENT_IP); 4390 zbits &= allowed; 4391 if (zbits != 0) { 4392 isc_netaddr_fromsockaddr(&netaddr, 4393 &client->peeraddr); 4394 result = rpz_rewrite_ip(client, &netaddr, qtype, 4395 DNS_RPZ_TYPE_CLIENT_IP, 4396 zbits, &rdataset); 4397 if (result != ISC_R_SUCCESS) { 4398 goto cleanup; 4399 } 4400 } 4401 } 4402 4403 /* 4404 * Check triggers for the query name if this is the first time 4405 * for the current qname. 4406 * There is a first time for each name in a CNAME chain 4407 */ 4408 if ((st->state & DNS_RPZ_DONE_QNAME) == 0) { 4409 bool norec = (qresult_type != qresult_type_recurse); 4410 result = rpz_rewrite_name(client, client->query.qname, 4411 qtype, DNS_RPZ_TYPE_QNAME, 4412 allowed, norec, &rdataset); 4413 if (result != ISC_R_SUCCESS) { 4414 goto cleanup; 4415 } 4416 4417 /* 4418 * Check IPv4 addresses in A RRs next. 4419 * Reset to the start of the NS names. 4420 */ 4421 st->r.label = dns_name_countlabels(client->query.qname); 4422 st->state &= ~(DNS_RPZ_DONE_QNAME_IP | 4423 DNS_RPZ_DONE_IPv4); 4424 } 4425 4426 /* 4427 * Quit if this was an attempt to find a qname or 4428 * client-IP trigger before recursion. 4429 * We will be back if no pre-recursion triggers hit. 4430 * For example, consider 2 policy zones, both with qname and 4431 * IP address triggers. If the qname misses the 1st zone, 4432 * then we cannot know whether a hit for the qname in the 4433 * 2nd zone matters until after recursing to get the A RRs and 4434 * testing them in the first zone. 4435 * Do not bother saving the work from this attempt, 4436 * because recursion is so slow. 4437 */ 4438 if (qresult_type == qresult_type_recurse) { 4439 goto cleanup; 4440 } 4441 4442 /* 4443 * DNS_RPZ_DONE_QNAME but not DNS_RPZ_DONE_CLIENT_IP 4444 * is reset at the end of dealing with each CNAME. 4445 */ 4446 st->state |= (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME); 4447 } 4448 4449 /* 4450 * Check known IP addresses for the query name if the database lookup 4451 * resulted in some addresses (qresult_type == qresult_type_done) 4452 * and if we have not already checked them. 4453 * Any recursion required for the query has already happened. 4454 * Do not check addresses that will not be in the ANSWER section. 4455 */ 4456 if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 && 4457 qresult_type == qresult_type_done && 4458 rpz_get_zbits(client, qtype, DNS_RPZ_TYPE_IP) != 0) 4459 { 4460 result = rpz_rewrite_ip_rrsets(client, client->query.qname, 4461 qtype, DNS_RPZ_TYPE_IP, 4462 &rdataset, resuming); 4463 if (result != ISC_R_SUCCESS) { 4464 goto cleanup; 4465 } 4466 /* 4467 * We are finished checking the IP addresses for the qname. 4468 * Start with IPv4 if we will check NS IP addresses. 4469 */ 4470 st->state |= DNS_RPZ_DONE_QNAME_IP; 4471 st->state &= ~DNS_RPZ_DONE_IPv4; 4472 } 4473 4474 /* 4475 * Stop looking for rules if there are none of the other kinds 4476 * that could override what we already have. 4477 */ 4478 if (rpz_get_zbits(client, dns_rdatatype_any, DNS_RPZ_TYPE_NSDNAME) == 4479 0 && 4480 rpz_get_zbits(client, dns_rdatatype_any, DNS_RPZ_TYPE_NSIP) == 0) 4481 { 4482 result = ISC_R_SUCCESS; 4483 goto cleanup; 4484 } 4485 4486 dns_fixedname_init(&nsnamef); 4487 dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef)); 4488 options = client->query.dboptions | DNS_DBFIND_GLUEOK; 4489 while (st->r.label > st->popt.min_ns_labels) { 4490 bool was_glue = false; 4491 /* 4492 * Get NS rrset for each domain in the current qname. 4493 */ 4494 if (st->r.label == dns_name_countlabels(client->query.qname)) { 4495 nsname = client->query.qname; 4496 } else { 4497 nsname = dns_fixedname_name(&nsnamef); 4498 dns_name_split(client->query.qname, st->r.label, NULL, 4499 nsname); 4500 } 4501 if (st->r.ns_rdataset == NULL || 4502 !dns_rdataset_isassociated(st->r.ns_rdataset)) 4503 { 4504 dns_db_t *db = NULL; 4505 result = rpz_rrset_find(client, nsname, 4506 dns_rdatatype_ns, options, 4507 DNS_RPZ_TYPE_NSDNAME, &db, NULL, 4508 &st->r.ns_rdataset, resuming); 4509 if (db != NULL) { 4510 dns_db_detach(&db); 4511 } 4512 if (st->m.policy == DNS_RPZ_POLICY_ERROR) { 4513 goto cleanup; 4514 } 4515 switch (result) { 4516 case DNS_R_GLUE: 4517 was_glue = true; 4518 FALLTHROUGH; 4519 case ISC_R_SUCCESS: 4520 result = dns_rdataset_first(st->r.ns_rdataset); 4521 if (result != ISC_R_SUCCESS) { 4522 goto cleanup; 4523 } 4524 st->state &= ~(DNS_RPZ_DONE_NSDNAME | 4525 DNS_RPZ_DONE_IPv4); 4526 break; 4527 case DNS_R_DELEGATION: 4528 case DNS_R_DUPLICATE: 4529 case DNS_R_DROP: 4530 goto cleanup; 4531 case DNS_R_EMPTYNAME: 4532 case DNS_R_NXRRSET: 4533 case DNS_R_EMPTYWILD: 4534 case DNS_R_NXDOMAIN: 4535 case DNS_R_NCACHENXDOMAIN: 4536 case DNS_R_NCACHENXRRSET: 4537 case ISC_R_NOTFOUND: 4538 case DNS_R_CNAME: 4539 case DNS_R_DNAME: 4540 rpz_rewrite_ns_skip(client, nsname, result, 0, 4541 NULL); 4542 continue; 4543 case ISC_R_TIMEDOUT: 4544 case DNS_R_BROKENCHAIN: 4545 case ISC_R_FAILURE: 4546 rpz_rewrite_ns_skip(client, nsname, result, 4547 DNS_RPZ_DEBUG_LEVEL3, 4548 " NS rpz_rrset_find()"); 4549 continue; 4550 default: 4551 rpz_rewrite_ns_skip(client, nsname, result, 4552 DNS_RPZ_INFO_LEVEL, 4553 " unrecognized NS" 4554 " rpz_rrset_find()"); 4555 continue; 4556 } 4557 } 4558 4559 /* 4560 * Check all NS names. 4561 */ 4562 do { 4563 dns_rdata_ns_t ns; 4564 dns_rdata_t nsrdata = DNS_RDATA_INIT; 4565 4566 dns_rdataset_current(st->r.ns_rdataset, &nsrdata); 4567 result = dns_rdata_tostruct(&nsrdata, &ns, NULL); 4568 RUNTIME_CHECK(result == ISC_R_SUCCESS); 4569 dns_rdata_reset(&nsrdata); 4570 4571 /* 4572 * Do nothing about "NS ." 4573 */ 4574 if (dns_name_equal(&ns.name, dns_rootname)) { 4575 dns_rdata_freestruct(&ns); 4576 result = dns_rdataset_next(st->r.ns_rdataset); 4577 continue; 4578 } 4579 /* 4580 * Check this NS name if we did not handle it 4581 * during a previous recursion. 4582 */ 4583 if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0) { 4584 result = rpz_rewrite_name( 4585 client, &ns.name, qtype, 4586 DNS_RPZ_TYPE_NSDNAME, DNS_RPZ_ALL_ZBITS, 4587 true, &rdataset); 4588 if (result != ISC_R_SUCCESS) { 4589 dns_rdata_freestruct(&ns); 4590 goto cleanup; 4591 } 4592 st->state |= DNS_RPZ_DONE_NSDNAME; 4593 } 4594 /* 4595 * Check all IP addresses for this NS name. 4596 */ 4597 result = rpz_rewrite_ip_rrsets(client, &ns.name, qtype, 4598 DNS_RPZ_TYPE_NSIP, 4599 &rdataset, resuming); 4600 dns_rdata_freestruct(&ns); 4601 if (result != ISC_R_SUCCESS) { 4602 goto cleanup; 4603 } 4604 st->state &= ~(DNS_RPZ_DONE_NSDNAME | 4605 DNS_RPZ_DONE_IPv4); 4606 result = dns_rdataset_next(st->r.ns_rdataset); 4607 } while (result == ISC_R_SUCCESS); 4608 dns_rdataset_disassociate(st->r.ns_rdataset); 4609 4610 /* 4611 * If we just checked a glue NS RRset retry without allowing 4612 * glue responses, otherwise setup for the next name. 4613 */ 4614 if (was_glue) { 4615 options = client->query.dboptions; 4616 } else { 4617 options = client->query.dboptions | DNS_DBFIND_GLUEOK; 4618 st->r.label--; 4619 } 4620 4621 if (rpz_get_zbits(client, dns_rdatatype_any, 4622 DNS_RPZ_TYPE_NSDNAME) == 0 && 4623 rpz_get_zbits(client, dns_rdatatype_any, 4624 DNS_RPZ_TYPE_NSIP) == 0) 4625 { 4626 break; 4627 } 4628 } 4629 4630 /* 4631 * Use the best hit, if any. 4632 */ 4633 result = ISC_R_SUCCESS; 4634 4635 cleanup: 4636 #ifdef USE_DNSRPS 4637 if (st->popt.dnsrps_enabled && st->m.policy != DNS_RPZ_POLICY_ERROR && 4638 !dnsrps_set_p(&emsg, client, st, qtype, &rdataset, 4639 (qresult_type != qresult_type_recurse))) 4640 { 4641 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, NULL, 4642 DNS_RPZ_TYPE_BAD, emsg.c, DNS_R_SERVFAIL); 4643 st->m.policy = DNS_RPZ_POLICY_ERROR; 4644 } 4645 #endif /* ifdef USE_DNSRPS */ 4646 if (st->m.policy != DNS_RPZ_POLICY_MISS && 4647 st->m.policy != DNS_RPZ_POLICY_ERROR && 4648 st->m.rpz->policy != DNS_RPZ_POLICY_GIVEN) 4649 { 4650 st->m.policy = st->m.rpz->policy; 4651 } 4652 if (st->m.policy == DNS_RPZ_POLICY_MISS || 4653 st->m.policy == DNS_RPZ_POLICY_PASSTHRU || 4654 st->m.policy == DNS_RPZ_POLICY_ERROR) 4655 { 4656 if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU && 4657 result != DNS_R_DELEGATION) 4658 { 4659 rpz_log_rewrite(client, false, st->m.policy, st->m.type, 4660 st->m.zone, st->p_name, NULL, 4661 st->m.rpz->num); 4662 } 4663 rpz_match_clear(st); 4664 } 4665 if (st->m.policy == DNS_RPZ_POLICY_ERROR) { 4666 CTRACE(ISC_LOG_ERROR, "SERVFAIL due to RPZ policy"); 4667 st->m.type = DNS_RPZ_TYPE_BAD; 4668 result = DNS_R_SERVFAIL; 4669 } 4670 ns_client_putrdataset(client, &rdataset); 4671 if ((st->state & DNS_RPZ_RECURSING) == 0) { 4672 rpz_clean(NULL, &st->r.db, NULL, &st->r.ns_rdataset); 4673 } 4674 4675 return result; 4676 } 4677 4678 /* 4679 * See if response policy zone rewriting is allowed by a lack of interest 4680 * by the client in DNSSEC or a lack of signatures. 4681 */ 4682 static bool 4683 rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, 4684 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { 4685 dns_fixedname_t fixed; 4686 dns_name_t *found; 4687 dns_rdataset_t trdataset; 4688 dns_rdatatype_t type; 4689 isc_result_t result; 4690 4691 CTRACE(ISC_LOG_DEBUG(3), "rpz_ck_dnssec"); 4692 4693 if (client->view->rpzs->p.break_dnssec || !WANTDNSSEC(client)) { 4694 return true; 4695 } 4696 4697 /* 4698 * We do not know if there are signatures if we have not recursed 4699 * for them. 4700 */ 4701 if (qresult == DNS_R_DELEGATION || qresult == ISC_R_NOTFOUND) { 4702 return false; 4703 } 4704 4705 if (sigrdataset == NULL) { 4706 return true; 4707 } 4708 if (dns_rdataset_isassociated(sigrdataset)) { 4709 return false; 4710 } 4711 4712 /* 4713 * We are happy to rewrite nothing. 4714 */ 4715 if (rdataset == NULL || !dns_rdataset_isassociated(rdataset)) { 4716 return true; 4717 } 4718 /* 4719 * Do not rewrite if there is any sign of signatures. 4720 */ 4721 if (rdataset->type == dns_rdatatype_nsec || 4722 rdataset->type == dns_rdatatype_nsec3 || 4723 rdataset->type == dns_rdatatype_rrsig) 4724 { 4725 return false; 4726 } 4727 4728 /* 4729 * Look for a signature in a negative cache rdataset. 4730 */ 4731 if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) == 0) { 4732 return true; 4733 } 4734 found = dns_fixedname_initname(&fixed); 4735 dns_rdataset_init(&trdataset); 4736 for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; 4737 result = dns_rdataset_next(rdataset)) 4738 { 4739 dns_ncache_current(rdataset, found, &trdataset); 4740 type = trdataset.type; 4741 dns_rdataset_disassociate(&trdataset); 4742 if (type == dns_rdatatype_nsec || type == dns_rdatatype_nsec3 || 4743 type == dns_rdatatype_rrsig) 4744 { 4745 return false; 4746 } 4747 } 4748 return true; 4749 } 4750 4751 /* 4752 * Extract a network address from the RDATA of an A or AAAA 4753 * record. 4754 * 4755 * Returns: 4756 * ISC_R_SUCCESS 4757 * ISC_R_NOTIMPLEMENTED The rdata is not a known address type. 4758 */ 4759 static isc_result_t 4760 rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) { 4761 struct in_addr ina; 4762 struct in6_addr in6a; 4763 4764 switch (rdata->type) { 4765 case dns_rdatatype_a: 4766 INSIST(rdata->length == 4); 4767 memmove(&ina.s_addr, rdata->data, 4); 4768 isc_netaddr_fromin(netaddr, &ina); 4769 return ISC_R_SUCCESS; 4770 case dns_rdatatype_aaaa: 4771 INSIST(rdata->length == 16); 4772 memmove(in6a.s6_addr, rdata->data, 16); 4773 isc_netaddr_fromin6(netaddr, &in6a); 4774 return ISC_R_SUCCESS; 4775 default: 4776 return ISC_R_NOTIMPLEMENTED; 4777 } 4778 } 4779 4780 static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 }; 4781 static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 }; 4782 static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 }; 4783 4784 static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA"; 4785 4786 static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA"; 4787 static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA"; 4788 static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA"; 4789 static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA"; 4790 static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA"; 4791 static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA"; 4792 static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA"; 4793 static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA"; 4794 static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA"; 4795 static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA"; 4796 static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA"; 4797 static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA"; 4798 static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA"; 4799 static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA"; 4800 static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA"; 4801 static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA"; 4802 4803 static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA"; 4804 4805 static dns_name_t rfc1918names[] = { 4806 DNS_NAME_INITABSOLUTE(inaddr10, inaddr10_offsets), 4807 DNS_NAME_INITABSOLUTE(inaddr16172, inaddr172_offsets), 4808 DNS_NAME_INITABSOLUTE(inaddr17172, inaddr172_offsets), 4809 DNS_NAME_INITABSOLUTE(inaddr18172, inaddr172_offsets), 4810 DNS_NAME_INITABSOLUTE(inaddr19172, inaddr172_offsets), 4811 DNS_NAME_INITABSOLUTE(inaddr20172, inaddr172_offsets), 4812 DNS_NAME_INITABSOLUTE(inaddr21172, inaddr172_offsets), 4813 DNS_NAME_INITABSOLUTE(inaddr22172, inaddr172_offsets), 4814 DNS_NAME_INITABSOLUTE(inaddr23172, inaddr172_offsets), 4815 DNS_NAME_INITABSOLUTE(inaddr24172, inaddr172_offsets), 4816 DNS_NAME_INITABSOLUTE(inaddr25172, inaddr172_offsets), 4817 DNS_NAME_INITABSOLUTE(inaddr26172, inaddr172_offsets), 4818 DNS_NAME_INITABSOLUTE(inaddr27172, inaddr172_offsets), 4819 DNS_NAME_INITABSOLUTE(inaddr28172, inaddr172_offsets), 4820 DNS_NAME_INITABSOLUTE(inaddr29172, inaddr172_offsets), 4821 DNS_NAME_INITABSOLUTE(inaddr30172, inaddr172_offsets), 4822 DNS_NAME_INITABSOLUTE(inaddr31172, inaddr172_offsets), 4823 DNS_NAME_INITABSOLUTE(inaddr168192, inaddr192_offsets) 4824 }; 4825 4826 static unsigned char prisoner_data[] = "\010prisoner\004iana\003org"; 4827 static unsigned char hostmaster_data[] = "\012hostmaster\014root-" 4828 "servers\003org"; 4829 4830 static unsigned char prisoner_offsets[] = { 0, 9, 14, 18 }; 4831 static unsigned char hostmaster_offsets[] = { 0, 11, 24, 28 }; 4832 4833 static dns_name_t const prisoner = DNS_NAME_INITABSOLUTE(prisoner_data, 4834 prisoner_offsets); 4835 static dns_name_t const hostmaster = DNS_NAME_INITABSOLUTE(hostmaster_data, 4836 hostmaster_offsets); 4837 4838 static void 4839 warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) { 4840 unsigned int i; 4841 dns_rdata_t rdata = DNS_RDATA_INIT; 4842 dns_rdata_soa_t soa; 4843 dns_rdataset_t found; 4844 isc_result_t result; 4845 4846 for (i = 0; i < (sizeof(rfc1918names) / sizeof(*rfc1918names)); i++) { 4847 if (dns_name_issubdomain(fname, &rfc1918names[i])) { 4848 dns_rdataset_init(&found); 4849 result = dns_ncache_getrdataset( 4850 rdataset, &rfc1918names[i], dns_rdatatype_soa, 4851 &found); 4852 if (result != ISC_R_SUCCESS) { 4853 return; 4854 } 4855 4856 result = dns_rdataset_first(&found); 4857 RUNTIME_CHECK(result == ISC_R_SUCCESS); 4858 dns_rdataset_current(&found, &rdata); 4859 result = dns_rdata_tostruct(&rdata, &soa, NULL); 4860 RUNTIME_CHECK(result == ISC_R_SUCCESS); 4861 if (dns_name_equal(&soa.origin, &prisoner) && 4862 dns_name_equal(&soa.contact, &hostmaster)) 4863 { 4864 char buf[DNS_NAME_FORMATSIZE]; 4865 dns_name_format(fname, buf, sizeof(buf)); 4866 ns_client_log(client, DNS_LOGCATEGORY_SECURITY, 4867 NS_LOGMODULE_QUERY, 4868 ISC_LOG_WARNING, 4869 "RFC 1918 response from " 4870 "Internet for %s", 4871 buf); 4872 } 4873 dns_rdataset_disassociate(&found); 4874 return; 4875 } 4876 } 4877 } 4878 4879 static void 4880 query_findclosestnsec3(dns_name_t *qname, dns_db_t *db, 4881 dns_dbversion_t *version, ns_client_t *client, 4882 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, 4883 dns_name_t *fname, bool exact, dns_name_t *found) { 4884 unsigned char salt[256]; 4885 size_t salt_length; 4886 uint16_t iterations; 4887 isc_result_t result; 4888 unsigned int dboptions; 4889 dns_fixedname_t fixed; 4890 dns_hash_t hash; 4891 dns_name_t name; 4892 unsigned int skip = 0, labels; 4893 dns_rdata_nsec3_t nsec3; 4894 dns_rdata_t rdata = DNS_RDATA_INIT; 4895 bool optout; 4896 dns_clientinfomethods_t cm; 4897 dns_clientinfo_t ci; 4898 4899 salt_length = sizeof(salt); 4900 result = dns_db_getnsec3parameters(db, version, &hash, NULL, 4901 &iterations, salt, &salt_length); 4902 if (result != ISC_R_SUCCESS) { 4903 return; 4904 } 4905 4906 dns_name_init(&name, NULL); 4907 dns_name_clone(qname, &name); 4908 labels = dns_name_countlabels(&name); 4909 dns_clientinfomethods_init(&cm, ns_client_sourceip); 4910 dns_clientinfo_init(&ci, client, NULL); 4911 4912 /* 4913 * Map unknown algorithm to known value. 4914 */ 4915 if (hash == DNS_NSEC3_UNKNOWNALG) { 4916 hash = 1; 4917 } 4918 4919 again: 4920 dns_fixedname_init(&fixed); 4921 result = dns_nsec3_hashname(&fixed, NULL, NULL, &name, 4922 dns_db_origin(db), hash, iterations, salt, 4923 salt_length); 4924 if (result != ISC_R_SUCCESS) { 4925 return; 4926 } 4927 4928 dboptions = client->query.dboptions | DNS_DBFIND_FORCENSEC3; 4929 result = dns_db_findext(db, dns_fixedname_name(&fixed), version, 4930 dns_rdatatype_nsec3, dboptions, client->now, 4931 NULL, fname, &cm, &ci, rdataset, sigrdataset); 4932 4933 if (result == DNS_R_NXDOMAIN) { 4934 if (!dns_rdataset_isassociated(rdataset)) { 4935 return; 4936 } 4937 result = dns_rdataset_first(rdataset); 4938 INSIST(result == ISC_R_SUCCESS); 4939 dns_rdataset_current(rdataset, &rdata); 4940 result = dns_rdata_tostruct(&rdata, &nsec3, NULL); 4941 RUNTIME_CHECK(result == ISC_R_SUCCESS); 4942 dns_rdata_reset(&rdata); 4943 optout = ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); 4944 if (found != NULL && optout && 4945 dns_name_issubdomain(&name, dns_db_origin(db))) 4946 { 4947 dns_rdataset_disassociate(rdataset); 4948 if (dns_rdataset_isassociated(sigrdataset)) { 4949 dns_rdataset_disassociate(sigrdataset); 4950 } 4951 skip++; 4952 dns_name_getlabelsequence(qname, skip, labels - skip, 4953 &name); 4954 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, 4955 NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), 4956 "looking for closest provable encloser"); 4957 goto again; 4958 } 4959 if (exact) { 4960 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, 4961 NS_LOGMODULE_QUERY, ISC_LOG_WARNING, 4962 "expected a exact match NSEC3, got " 4963 "a covering record"); 4964 } 4965 } else if (result != ISC_R_SUCCESS) { 4966 return; 4967 } else if (!exact) { 4968 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, 4969 NS_LOGMODULE_QUERY, ISC_LOG_WARNING, 4970 "expected covering NSEC3, got an exact match"); 4971 } 4972 if (found == qname) { 4973 if (skip != 0U) { 4974 dns_name_getlabelsequence(qname, skip, labels - skip, 4975 found); 4976 } 4977 } else if (found != NULL) { 4978 dns_name_copy(&name, found); 4979 } 4980 return; 4981 } 4982 4983 static uint32_t 4984 dns64_ttl(dns_db_t *db, dns_dbversion_t *version) { 4985 dns_dbnode_t *node = NULL; 4986 dns_rdata_soa_t soa; 4987 dns_rdata_t rdata = DNS_RDATA_INIT; 4988 dns_rdataset_t rdataset; 4989 isc_result_t result; 4990 uint32_t ttl = UINT32_MAX; 4991 4992 dns_rdataset_init(&rdataset); 4993 4994 result = dns_db_getoriginnode(db, &node); 4995 if (result != ISC_R_SUCCESS) { 4996 goto cleanup; 4997 } 4998 4999 result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa, 0, 0, 5000 &rdataset, NULL); 5001 if (result != ISC_R_SUCCESS) { 5002 goto cleanup; 5003 } 5004 result = dns_rdataset_first(&rdataset); 5005 if (result != ISC_R_SUCCESS) { 5006 goto cleanup; 5007 } 5008 5009 dns_rdataset_current(&rdataset, &rdata); 5010 result = dns_rdata_tostruct(&rdata, &soa, NULL); 5011 RUNTIME_CHECK(result == ISC_R_SUCCESS); 5012 ttl = ISC_MIN(rdataset.ttl, soa.minimum); 5013 5014 cleanup: 5015 if (dns_rdataset_isassociated(&rdataset)) { 5016 dns_rdataset_disassociate(&rdataset); 5017 } 5018 if (node != NULL) { 5019 dns_db_detachnode(db, &node); 5020 } 5021 return ttl; 5022 } 5023 5024 static bool 5025 dns64_aaaaok(ns_client_t *client, dns_rdataset_t *rdataset, 5026 dns_rdataset_t *sigrdataset) { 5027 isc_netaddr_t netaddr; 5028 dns_aclenv_t *env = client->manager->aclenv; 5029 dns_dns64_t *dns64 = ISC_LIST_HEAD(client->view->dns64); 5030 unsigned int flags = 0; 5031 unsigned int i, count; 5032 bool *aaaaok; 5033 5034 INSIST(client->query.dns64_aaaaok == NULL); 5035 INSIST(client->query.dns64_aaaaoklen == 0); 5036 INSIST(client->query.dns64_aaaa == NULL); 5037 INSIST(client->query.dns64_sigaaaa == NULL); 5038 5039 if (dns64 == NULL) { 5040 return true; 5041 } 5042 5043 if (RECURSIONOK(client)) { 5044 flags |= DNS_DNS64_RECURSIVE; 5045 } 5046 5047 if (WANTDNSSEC(client) && sigrdataset != NULL && 5048 dns_rdataset_isassociated(sigrdataset)) 5049 { 5050 flags |= DNS_DNS64_DNSSEC; 5051 } 5052 5053 count = dns_rdataset_count(rdataset); 5054 aaaaok = isc_mem_cget(client->manager->mctx, count, sizeof(bool)); 5055 5056 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); 5057 if (dns_dns64_aaaaok(dns64, &netaddr, client->signer, env, flags, 5058 rdataset, aaaaok, count)) 5059 { 5060 for (i = 0; i < count; i++) { 5061 if (aaaaok != NULL && !aaaaok[i]) { 5062 SAVE(client->query.dns64_aaaaok, aaaaok); 5063 client->query.dns64_aaaaoklen = count; 5064 break; 5065 } 5066 } 5067 if (aaaaok != NULL) { 5068 isc_mem_cput(client->manager->mctx, aaaaok, count, 5069 sizeof(bool)); 5070 } 5071 return true; 5072 } 5073 if (aaaaok != NULL) { 5074 isc_mem_cput(client->manager->mctx, aaaaok, count, 5075 sizeof(bool)); 5076 } 5077 return false; 5078 } 5079 5080 /* 5081 * Look for the name and type in the redirection zone. If found update 5082 * the arguments as appropriate. Return true if a update was 5083 * performed. 5084 * 5085 * Only perform the update if the client is in the allow query acl and 5086 * returning the update would not cause a DNSSEC validation failure. 5087 */ 5088 static isc_result_t 5089 redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, 5090 dns_dbnode_t **nodep, dns_db_t **dbp, dns_dbversion_t **versionp, 5091 dns_rdatatype_t qtype) { 5092 dns_db_t *db = NULL; 5093 dns_dbnode_t *node = NULL; 5094 dns_fixedname_t fixed; 5095 dns_name_t *found; 5096 dns_rdataset_t trdataset; 5097 isc_result_t result; 5098 dns_rdatatype_t type; 5099 dns_clientinfomethods_t cm; 5100 dns_clientinfo_t ci; 5101 ns_dbversion_t *dbversion; 5102 5103 CTRACE(ISC_LOG_DEBUG(3), "redirect"); 5104 5105 if (client->view->redirect == NULL) { 5106 return ISC_R_NOTFOUND; 5107 } 5108 5109 found = dns_fixedname_initname(&fixed); 5110 dns_rdataset_init(&trdataset); 5111 5112 dns_clientinfomethods_init(&cm, ns_client_sourceip); 5113 dns_clientinfo_init(&ci, client, NULL); 5114 dns_clientinfo_setecs(&ci, &client->ecs); 5115 5116 if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp)) 5117 { 5118 return ISC_R_NOTFOUND; 5119 } 5120 5121 if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) { 5122 if (rdataset->trust == dns_trust_secure) { 5123 return ISC_R_NOTFOUND; 5124 } 5125 if (rdataset->trust == dns_trust_ultimate && 5126 (rdataset->type == dns_rdatatype_nsec || 5127 rdataset->type == dns_rdatatype_nsec3)) 5128 { 5129 return ISC_R_NOTFOUND; 5130 } 5131 if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) { 5132 for (result = dns_rdataset_first(rdataset); 5133 result == ISC_R_SUCCESS; 5134 result = dns_rdataset_next(rdataset)) 5135 { 5136 dns_ncache_current(rdataset, found, &trdataset); 5137 type = trdataset.type; 5138 dns_rdataset_disassociate(&trdataset); 5139 if (type == dns_rdatatype_nsec || 5140 type == dns_rdatatype_nsec3 || 5141 type == dns_rdatatype_rrsig) 5142 { 5143 return ISC_R_NOTFOUND; 5144 } 5145 } 5146 } 5147 } 5148 5149 result = ns_client_checkaclsilent( 5150 client, NULL, dns_zone_getqueryacl(client->view->redirect), 5151 true); 5152 if (result != ISC_R_SUCCESS) { 5153 return ISC_R_NOTFOUND; 5154 } 5155 5156 result = dns_zone_getdb(client->view->redirect, &db); 5157 if (result != ISC_R_SUCCESS) { 5158 return ISC_R_NOTFOUND; 5159 } 5160 5161 dbversion = ns_client_findversion(client, db); 5162 if (dbversion == NULL) { 5163 dns_db_detach(&db); 5164 return ISC_R_NOTFOUND; 5165 } 5166 5167 /* 5168 * Lookup the requested data in the redirect zone. 5169 */ 5170 result = dns_db_findext(db, client->query.qname, dbversion->version, 5171 qtype, DNS_DBFIND_NOZONECUT, client->now, &node, 5172 found, &cm, &ci, &trdataset, NULL); 5173 if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) { 5174 if (dns_rdataset_isassociated(rdataset)) { 5175 dns_rdataset_disassociate(rdataset); 5176 } 5177 if (dns_rdataset_isassociated(&trdataset)) { 5178 dns_rdataset_disassociate(&trdataset); 5179 } 5180 goto nxrrset; 5181 } else if (result != ISC_R_SUCCESS) { 5182 if (dns_rdataset_isassociated(&trdataset)) { 5183 dns_rdataset_disassociate(&trdataset); 5184 } 5185 if (node != NULL) { 5186 dns_db_detachnode(db, &node); 5187 } 5188 dns_db_detach(&db); 5189 return ISC_R_NOTFOUND; 5190 } 5191 5192 CTRACE(ISC_LOG_DEBUG(3), "redirect: found data: done"); 5193 dns_name_copy(found, name); 5194 if (dns_rdataset_isassociated(rdataset)) { 5195 dns_rdataset_disassociate(rdataset); 5196 } 5197 if (dns_rdataset_isassociated(&trdataset)) { 5198 dns_rdataset_clone(&trdataset, rdataset); 5199 dns_rdataset_disassociate(&trdataset); 5200 } 5201 nxrrset: 5202 if (*nodep != NULL) { 5203 dns_db_detachnode(*dbp, nodep); 5204 } 5205 dns_db_detach(dbp); 5206 dns_db_attachnode(db, node, nodep); 5207 dns_db_attach(db, dbp); 5208 dns_db_detachnode(db, &node); 5209 dns_db_detach(&db); 5210 *versionp = dbversion->version; 5211 5212 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | 5213 NS_QUERYATTR_NOADDITIONAL); 5214 5215 return result; 5216 } 5217 5218 static isc_result_t 5219 redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset, 5220 dns_dbnode_t **nodep, dns_db_t **dbp, dns_dbversion_t **versionp, 5221 dns_rdatatype_t qtype, bool *is_zonep) { 5222 dns_db_t *db = NULL; 5223 dns_dbnode_t *node = NULL; 5224 dns_fixedname_t fixed; 5225 dns_fixedname_t fixedredirect; 5226 dns_name_t *found, *redirectname; 5227 dns_rdataset_t trdataset; 5228 isc_result_t result; 5229 dns_rdatatype_t type; 5230 dns_clientinfomethods_t cm; 5231 dns_clientinfo_t ci; 5232 dns_dbversion_t *version = NULL; 5233 dns_zone_t *zone = NULL; 5234 bool is_zone; 5235 unsigned int labels; 5236 5237 CTRACE(ISC_LOG_DEBUG(3), "redirect2"); 5238 5239 if (client->view->redirectzone == NULL) { 5240 return ISC_R_NOTFOUND; 5241 } 5242 5243 if (dns_name_issubdomain(name, client->view->redirectzone)) { 5244 return ISC_R_NOTFOUND; 5245 } 5246 5247 found = dns_fixedname_initname(&fixed); 5248 dns_rdataset_init(&trdataset); 5249 5250 dns_clientinfomethods_init(&cm, ns_client_sourceip); 5251 dns_clientinfo_init(&ci, client, NULL); 5252 dns_clientinfo_setecs(&ci, &client->ecs); 5253 5254 if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp)) 5255 { 5256 return ISC_R_NOTFOUND; 5257 } 5258 5259 if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) { 5260 if (rdataset->trust == dns_trust_secure) { 5261 return ISC_R_NOTFOUND; 5262 } 5263 if (rdataset->trust == dns_trust_ultimate && 5264 (rdataset->type == dns_rdatatype_nsec || 5265 rdataset->type == dns_rdatatype_nsec3)) 5266 { 5267 return ISC_R_NOTFOUND; 5268 } 5269 if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) { 5270 for (result = dns_rdataset_first(rdataset); 5271 result == ISC_R_SUCCESS; 5272 result = dns_rdataset_next(rdataset)) 5273 { 5274 dns_ncache_current(rdataset, found, &trdataset); 5275 type = trdataset.type; 5276 dns_rdataset_disassociate(&trdataset); 5277 if (type == dns_rdatatype_nsec || 5278 type == dns_rdatatype_nsec3 || 5279 type == dns_rdatatype_rrsig) 5280 { 5281 return ISC_R_NOTFOUND; 5282 } 5283 } 5284 } 5285 } 5286 5287 redirectname = dns_fixedname_initname(&fixedredirect); 5288 labels = dns_name_countlabels(client->query.qname); 5289 if (labels > 1U) { 5290 dns_name_t prefix; 5291 5292 dns_name_init(&prefix, NULL); 5293 dns_name_getlabelsequence(client->query.qname, 0, labels - 1, 5294 &prefix); 5295 result = dns_name_concatenate(&prefix, 5296 client->view->redirectzone, 5297 redirectname, NULL); 5298 if (result != ISC_R_SUCCESS) { 5299 return ISC_R_NOTFOUND; 5300 } 5301 } else { 5302 dns_name_copy(redirectname, client->view->redirectzone); 5303 } 5304 5305 result = query_getdb(client, redirectname, qtype, 5306 (dns_getdb_options_t){ 0 }, &zone, &db, &version, 5307 &is_zone); 5308 if (result != ISC_R_SUCCESS) { 5309 return ISC_R_NOTFOUND; 5310 } 5311 if (zone != NULL) { 5312 dns_zone_detach(&zone); 5313 } 5314 5315 /* 5316 * Lookup the requested data in the redirect zone. 5317 */ 5318 result = dns_db_findext(db, redirectname, version, qtype, 0, 5319 client->now, &node, found, &cm, &ci, &trdataset, 5320 NULL); 5321 if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) { 5322 if (dns_rdataset_isassociated(rdataset)) { 5323 dns_rdataset_disassociate(rdataset); 5324 } 5325 if (dns_rdataset_isassociated(&trdataset)) { 5326 dns_rdataset_disassociate(&trdataset); 5327 } 5328 goto nxrrset; 5329 } else if (result == ISC_R_NOTFOUND || result == DNS_R_DELEGATION) { 5330 /* 5331 * Cleanup. 5332 */ 5333 if (dns_rdataset_isassociated(&trdataset)) { 5334 dns_rdataset_disassociate(&trdataset); 5335 } 5336 if (node != NULL) { 5337 dns_db_detachnode(db, &node); 5338 } 5339 dns_db_detach(&db); 5340 /* 5341 * Don't loop forever if the lookup failed last time. 5342 */ 5343 if (!REDIRECT(client)) { 5344 result = ns_query_recurse(client, qtype, redirectname, 5345 NULL, NULL, true); 5346 if (result == ISC_R_SUCCESS) { 5347 client->query.attributes |= 5348 NS_QUERYATTR_RECURSING; 5349 client->query.attributes |= 5350 NS_QUERYATTR_REDIRECT; 5351 return DNS_R_CONTINUE; 5352 } 5353 } 5354 return ISC_R_NOTFOUND; 5355 } else if (result != ISC_R_SUCCESS) { 5356 if (dns_rdataset_isassociated(&trdataset)) { 5357 dns_rdataset_disassociate(&trdataset); 5358 } 5359 if (node != NULL) { 5360 dns_db_detachnode(db, &node); 5361 } 5362 dns_db_detach(&db); 5363 return ISC_R_NOTFOUND; 5364 } 5365 5366 CTRACE(ISC_LOG_DEBUG(3), "redirect2: found data: done"); 5367 /* 5368 * Adjust the found name to not include the redirectzone suffix. 5369 */ 5370 dns_name_split(found, dns_name_countlabels(client->view->redirectzone), 5371 found, NULL); 5372 /* 5373 * Make the name absolute. 5374 */ 5375 result = dns_name_concatenate(found, dns_rootname, found, NULL); 5376 RUNTIME_CHECK(result == ISC_R_SUCCESS); 5377 5378 dns_name_copy(found, name); 5379 if (dns_rdataset_isassociated(rdataset)) { 5380 dns_rdataset_disassociate(rdataset); 5381 } 5382 if (dns_rdataset_isassociated(&trdataset)) { 5383 dns_rdataset_clone(&trdataset, rdataset); 5384 dns_rdataset_disassociate(&trdataset); 5385 } 5386 nxrrset: 5387 if (*nodep != NULL) { 5388 dns_db_detachnode(*dbp, nodep); 5389 } 5390 dns_db_detach(dbp); 5391 dns_db_attachnode(db, node, nodep); 5392 dns_db_attach(db, dbp); 5393 dns_db_detachnode(db, &node); 5394 dns_db_detach(&db); 5395 *is_zonep = is_zone; 5396 *versionp = version; 5397 5398 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | 5399 NS_QUERYATTR_NOADDITIONAL); 5400 5401 return result; 5402 } 5403 5404 /*% 5405 * Initialize query context 'qctx'. Run by query_setup() when 5406 * first handling a client query, and by query_resume() when 5407 * returning from recursion. 5408 * 5409 * Whenever this function is called, qctx_destroy() must be called 5410 * when leaving the scope or freeing the qctx. 5411 */ 5412 static void 5413 qctx_init(ns_client_t *client, dns_fetchresponse_t **frespp, 5414 dns_rdatatype_t qtype, query_ctx_t *qctx) { 5415 REQUIRE(qctx != NULL); 5416 REQUIRE(client != NULL); 5417 5418 memset(qctx, 0, sizeof(*qctx)); 5419 5420 /* Set this first so CCTRACE will work */ 5421 qctx->client = client; 5422 5423 dns_view_attach(client->view, &qctx->view); 5424 5425 CCTRACE(ISC_LOG_DEBUG(3), "qctx_init"); 5426 5427 if (frespp != NULL) { 5428 qctx->fresp = *frespp; 5429 *frespp = NULL; 5430 } else { 5431 qctx->fresp = NULL; 5432 } 5433 qctx->qtype = qctx->type = qtype; 5434 qctx->result = ISC_R_SUCCESS; 5435 qctx->findcoveringnsec = qctx->view->synthfromdnssec; 5436 5437 /* 5438 * If it's an RRSIG or SIG query, we'll iterate the node. 5439 */ 5440 if (qctx->qtype == dns_rdatatype_rrsig || 5441 qctx->qtype == dns_rdatatype_sig) 5442 { 5443 qctx->type = dns_rdatatype_any; 5444 } 5445 5446 CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx); 5447 } 5448 5449 /*% 5450 * Clean up and disassociate the rdataset and node pointers in qctx. 5451 */ 5452 static void 5453 qctx_clean(query_ctx_t *qctx) { 5454 if (qctx->rdataset != NULL && dns_rdataset_isassociated(qctx->rdataset)) 5455 { 5456 dns_rdataset_disassociate(qctx->rdataset); 5457 } 5458 if (qctx->sigrdataset != NULL && 5459 dns_rdataset_isassociated(qctx->sigrdataset)) 5460 { 5461 dns_rdataset_disassociate(qctx->sigrdataset); 5462 } 5463 if (qctx->db != NULL && qctx->node != NULL) { 5464 dns_db_detachnode(qctx->db, &qctx->node); 5465 } 5466 } 5467 5468 /*% 5469 * Free any allocated memory associated with qctx. 5470 */ 5471 static void 5472 qctx_freedata(query_ctx_t *qctx) { 5473 if (qctx->rdataset != NULL) { 5474 ns_client_putrdataset(qctx->client, &qctx->rdataset); 5475 } 5476 5477 if (qctx->sigrdataset != NULL) { 5478 ns_client_putrdataset(qctx->client, &qctx->sigrdataset); 5479 } 5480 5481 if (qctx->fname != NULL) { 5482 ns_client_releasename(qctx->client, &qctx->fname); 5483 } 5484 5485 if (qctx->db != NULL) { 5486 INSIST(qctx->node == NULL); 5487 dns_db_detach(&qctx->db); 5488 } 5489 5490 if (qctx->zone != NULL) { 5491 dns_zone_detach(&qctx->zone); 5492 } 5493 5494 if (qctx->zdb != NULL) { 5495 ns_client_putrdataset(qctx->client, &qctx->zsigrdataset); 5496 ns_client_putrdataset(qctx->client, &qctx->zrdataset); 5497 ns_client_releasename(qctx->client, &qctx->zfname); 5498 dns_db_detachnode(qctx->zdb, &qctx->znode); 5499 dns_db_detach(&qctx->zdb); 5500 qctx->zversion = NULL; 5501 } 5502 5503 if (qctx->fresp != NULL) { 5504 free_fresp(qctx->client, &qctx->fresp); 5505 } 5506 } 5507 5508 static void 5509 qctx_destroy(query_ctx_t *qctx) { 5510 CALL_HOOK_NORETURN(NS_QUERY_QCTX_DESTROYED, qctx); 5511 5512 dns_view_detach(&qctx->view); 5513 } 5514 5515 /* 5516 * Call SAVE but set 'a' to NULL first so as not to assert. 5517 */ 5518 #define INITANDSAVE(a, b) \ 5519 do { \ 5520 a = NULL; \ 5521 SAVE(a, b); \ 5522 } while (0) 5523 5524 /* 5525 * "save" qctx data from 'src' to 'tgt'. 5526 * It essentially moves ownership of the data from src to tgt, so the former 5527 * becomes unusable except for final cleanup (such as by qctx_destroy). 5528 * Note: this function doesn't attach to the client's handle. It's the caller's 5529 * responsibility to do it if it's necessary. 5530 */ 5531 static void 5532 qctx_save(query_ctx_t *src, query_ctx_t *tgt) { 5533 /* First copy all fields in a straightforward way */ 5534 *tgt = *src; 5535 5536 /* Then "move" pointers (except client and view) */ 5537 INITANDSAVE(tgt->dbuf, src->dbuf); 5538 INITANDSAVE(tgt->fname, src->fname); 5539 INITANDSAVE(tgt->tname, src->tname); 5540 INITANDSAVE(tgt->rdataset, src->rdataset); 5541 INITANDSAVE(tgt->sigrdataset, src->sigrdataset); 5542 INITANDSAVE(tgt->noqname, src->noqname); 5543 INITANDSAVE(tgt->fresp, src->fresp); 5544 INITANDSAVE(tgt->db, src->db); 5545 INITANDSAVE(tgt->version, src->version); 5546 INITANDSAVE(tgt->node, src->node); 5547 INITANDSAVE(tgt->zdb, src->zdb); 5548 INITANDSAVE(tgt->znode, src->znode); 5549 INITANDSAVE(tgt->zfname, src->zfname); 5550 INITANDSAVE(tgt->zversion, src->zversion); 5551 INITANDSAVE(tgt->zrdataset, src->zrdataset); 5552 INITANDSAVE(tgt->zsigrdataset, src->zsigrdataset); 5553 INITANDSAVE(tgt->rpz_st, src->rpz_st); 5554 INITANDSAVE(tgt->zone, src->zone); 5555 5556 /* View has to stay in 'src' for qctx_destroy. */ 5557 tgt->view = NULL; 5558 dns_view_attach(src->view, &tgt->view); 5559 } 5560 5561 /*% 5562 * Log detailed information about the query immediately after 5563 * the client request or a return from recursion. 5564 */ 5565 static void 5566 query_trace(query_ctx_t *qctx) { 5567 #ifdef WANT_QUERYTRACE 5568 char mbuf[2 * DNS_NAME_FORMATSIZE]; 5569 char qbuf[DNS_NAME_FORMATSIZE]; 5570 5571 if (qctx->client->query.origqname != NULL) { 5572 dns_name_format(qctx->client->query.origqname, qbuf, 5573 sizeof(qbuf)); 5574 } else { 5575 snprintf(qbuf, sizeof(qbuf), "<unset>"); 5576 } 5577 5578 snprintf(mbuf, sizeof(mbuf) - 1, 5579 "client attr:0x%x, query attr:0x%X, restarts:%u, " 5580 "origqname:%s, timer:%d, authdb:%d, referral:%d", 5581 qctx->client->attributes, qctx->client->query.attributes, 5582 qctx->client->query.restarts, qbuf, 5583 (int)qctx->client->query.timerset, 5584 (int)qctx->client->query.authdbset, 5585 (int)qctx->client->query.isreferral); 5586 CCTRACE(ISC_LOG_DEBUG(3), mbuf); 5587 #else /* ifdef WANT_QUERYTRACE */ 5588 UNUSED(qctx); 5589 #endif /* ifdef WANT_QUERYTRACE */ 5590 } 5591 5592 /* 5593 * Set up query processing for the current query of 'client'. 5594 * Calls qctx_init() to initialize a query context, checks 5595 * the SERVFAIL cache, then hands off processing to ns__query_start(). 5596 * 5597 * This is called only from ns_query_start(), to begin a query 5598 * for the first time. Restarting an existing query (for 5599 * instance, to handle CNAME lookups), is done by calling 5600 * ns__query_start() again with the same query context. Resuming from 5601 * recursion is handled by query_resume(). 5602 */ 5603 static void 5604 query_setup(ns_client_t *client, dns_rdatatype_t qtype) { 5605 isc_result_t result = ISC_R_UNSET; 5606 query_ctx_t qctx; 5607 5608 qctx_init(client, NULL, qtype, &qctx); 5609 query_trace(&qctx); 5610 5611 CALL_HOOK(NS_QUERY_SETUP, &qctx); 5612 5613 /* 5614 * Check SERVFAIL cache 5615 */ 5616 result = ns__query_sfcache(&qctx); 5617 if (result != ISC_R_COMPLETE) { 5618 goto cleanup; 5619 } 5620 5621 (void)ns__query_start(&qctx); 5622 5623 cleanup: 5624 qctx_destroy(&qctx); 5625 } 5626 5627 static bool 5628 get_root_key_sentinel_id(query_ctx_t *qctx, const char *ndata) { 5629 unsigned int v = 0; 5630 int i; 5631 5632 for (i = 0; i < 5; i++) { 5633 if (!isdigit((unsigned char)ndata[i])) { 5634 return false; 5635 } 5636 v *= 10; 5637 v += ndata[i] - '0'; 5638 } 5639 if (v > 65535U) { 5640 return false; 5641 } 5642 qctx->client->query.root_key_sentinel_keyid = v; 5643 return true; 5644 } 5645 5646 /*% 5647 * Find out if the query is for a root key sentinel and if so, record the type 5648 * of root key sentinel query and the key id that is being checked for. 5649 * 5650 * The code is assuming a zero padded decimal field of width 5. 5651 */ 5652 static void 5653 root_key_sentinel_detect(query_ctx_t *qctx) { 5654 const char *ndata = (const char *)qctx->client->query.qname->ndata; 5655 5656 if (qctx->client->query.qname->length > 30 && ndata[0] == 29 && 5657 strncasecmp(ndata + 1, "root-key-sentinel-is-ta-", 24) == 0) 5658 { 5659 if (!get_root_key_sentinel_id(qctx, ndata + 25)) { 5660 return; 5661 } 5662 qctx->client->query.root_key_sentinel_is_ta = true; 5663 /* 5664 * Simplify processing by disabling aggressive 5665 * negative caching. 5666 */ 5667 qctx->findcoveringnsec = false; 5668 ns_client_log(qctx->client, NS_LOGCATEGORY_TAT, 5669 NS_LOGMODULE_QUERY, ISC_LOG_INFO, 5670 "root-key-sentinel-is-ta query label found"); 5671 } else if (qctx->client->query.qname->length > 31 && ndata[0] == 30 && 5672 strncasecmp(ndata + 1, "root-key-sentinel-not-ta-", 25) == 0) 5673 { 5674 if (!get_root_key_sentinel_id(qctx, ndata + 26)) { 5675 return; 5676 } 5677 qctx->client->query.root_key_sentinel_not_ta = true; 5678 /* 5679 * Simplify processing by disabling aggressive 5680 * negative caching. 5681 */ 5682 qctx->findcoveringnsec = false; 5683 ns_client_log(qctx->client, NS_LOGCATEGORY_TAT, 5684 NS_LOGMODULE_QUERY, ISC_LOG_INFO, 5685 "root-key-sentinel-not-ta query label found"); 5686 } 5687 } 5688 5689 /*% 5690 * Starting point for a client query or a chaining query. 5691 * 5692 * Called first by query_setup(), and then again as often as needed to 5693 * follow a CNAME chain. Determines which authoritative database to 5694 * search, then hands off processing to query_lookup(). 5695 */ 5696 isc_result_t 5697 ns__query_start(query_ctx_t *qctx) { 5698 isc_result_t result = ISC_R_UNSET; 5699 CCTRACE(ISC_LOG_DEBUG(3), "ns__query_start"); 5700 qctx->want_restart = false; 5701 qctx->authoritative = false; 5702 qctx->version = NULL; 5703 qctx->zversion = NULL; 5704 qctx->need_wildcardproof = false; 5705 qctx->rpz = false; 5706 5707 CALL_HOOK(NS_QUERY_START_BEGIN, qctx); 5708 5709 /* 5710 * If we require a server cookie or the presented server 5711 * cookie was bad then send back BADCOOKIE before we have 5712 * done too much work. 5713 */ 5714 if (!TCP(qctx->client) && 5715 (BADCOOKIE(qctx->client) || 5716 (qctx->view->requireservercookie && WANTCOOKIE(qctx->client) && 5717 !HAVECOOKIE(qctx->client)))) 5718 { 5719 qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA; 5720 qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD; 5721 qctx->client->message->rcode = dns_rcode_badcookie; 5722 return ns_query_done(qctx); 5723 } 5724 5725 if (qctx->view->checknames && 5726 !dns_rdata_checkowner(qctx->client->query.qname, 5727 qctx->client->message->rdclass, qctx->qtype, 5728 false)) 5729 { 5730 char namebuf[DNS_NAME_FORMATSIZE]; 5731 char typebuf[DNS_RDATATYPE_FORMATSIZE]; 5732 char classbuf[DNS_RDATACLASS_FORMATSIZE]; 5733 5734 dns_name_format(qctx->client->query.qname, namebuf, 5735 sizeof(namebuf)); 5736 dns_rdatatype_format(qctx->qtype, typebuf, sizeof(typebuf)); 5737 dns_rdataclass_format(qctx->client->message->rdclass, classbuf, 5738 sizeof(classbuf)); 5739 ns_client_log(qctx->client, DNS_LOGCATEGORY_SECURITY, 5740 NS_LOGMODULE_QUERY, ISC_LOG_ERROR, 5741 "check-names failure %s/%s/%s", namebuf, typebuf, 5742 classbuf); 5743 QUERY_ERROR(qctx, DNS_R_REFUSED); 5744 return ns_query_done(qctx); 5745 } 5746 5747 /* 5748 * Setup for root key sentinel processing. 5749 */ 5750 if (qctx->view->root_key_sentinel && 5751 qctx->client->query.restarts == 0 && 5752 (qctx->qtype == dns_rdatatype_a || 5753 qctx->qtype == dns_rdatatype_aaaa) && 5754 (qctx->client->message->flags & DNS_MESSAGEFLAG_CD) == 0) 5755 { 5756 root_key_sentinel_detect(qctx); 5757 } 5758 5759 /* 5760 * First we must find the right database. Reset the options but preserve 5761 * the 'nolog' flag. 5762 */ 5763 qctx->options = (dns_getdb_options_t){ .nolog = qctx->options.nolog }; 5764 if (dns_rdatatype_atparent(qctx->qtype) && 5765 !dns_name_equal(qctx->client->query.qname, dns_rootname)) 5766 { 5767 /* 5768 * If authoritative data for this QTYPE is supposed to live in 5769 * the parent zone, do not look for an exact match for QNAME, 5770 * but rather for its containing zone (unless the QNAME is 5771 * root). 5772 */ 5773 qctx->options.noexact = true; 5774 } 5775 5776 result = query_getdb(qctx->client, qctx->client->query.qname, 5777 qctx->qtype, qctx->options, &qctx->zone, &qctx->db, 5778 &qctx->version, &qctx->is_zone); 5779 if ((result != ISC_R_SUCCESS || !qctx->is_zone) && 5780 qctx->qtype == dns_rdatatype_ds && !RECURSIONOK(qctx->client) && 5781 qctx->options.noexact) 5782 { 5783 /* 5784 * This is a non-recursive QTYPE=DS query with QNAME whose 5785 * parent we are not authoritative for. Check whether we are 5786 * authoritative for QNAME, because if so, we need to send a 5787 * "no data" response as required by RFC 4035, section 3.1.4.1. 5788 */ 5789 dns_db_t *tdb = NULL; 5790 dns_zone_t *tzone = NULL; 5791 dns_dbversion_t *tversion = NULL; 5792 isc_result_t tresult; 5793 5794 dns_getdb_options_t options = { .partial = true }; 5795 tresult = query_getzonedb( 5796 qctx->client, qctx->client->query.qname, qctx->qtype, 5797 options, &tzone, &tdb, &tversion); 5798 if (tresult == ISC_R_SUCCESS) { 5799 /* 5800 * We are authoritative for QNAME. Attach the relevant 5801 * zone to query context, set result to ISC_R_SUCCESS. 5802 */ 5803 qctx->options.noexact = false; 5804 ns_client_putrdataset(qctx->client, &qctx->rdataset); 5805 if (qctx->db != NULL) { 5806 dns_db_detach(&qctx->db); 5807 } 5808 if (qctx->zone != NULL) { 5809 dns_zone_detach(&qctx->zone); 5810 } 5811 qctx->version = NULL; 5812 RESTORE(qctx->version, tversion); 5813 RESTORE(qctx->db, tdb); 5814 RESTORE(qctx->zone, tzone); 5815 qctx->is_zone = true; 5816 result = ISC_R_SUCCESS; 5817 } else { 5818 /* 5819 * We are not authoritative for QNAME. Clean up and 5820 * leave result as it was. 5821 */ 5822 if (tdb != NULL) { 5823 dns_db_detach(&tdb); 5824 } 5825 if (tzone != NULL) { 5826 dns_zone_detach(&tzone); 5827 } 5828 } 5829 } 5830 /* 5831 * If we did not find a database from which we can answer the query, 5832 * respond with either REFUSED or SERVFAIL, depending on what the 5833 * result of query_getdb() was. 5834 */ 5835 if (result != ISC_R_SUCCESS) { 5836 if (result == DNS_R_REFUSED) { 5837 if (WANTRECURSION(qctx->client)) { 5838 inc_stats(qctx->client, 5839 ns_statscounter_recurserej); 5840 } else { 5841 inc_stats(qctx->client, 5842 ns_statscounter_authrej); 5843 } 5844 if (!PARTIALANSWER(qctx->client)) { 5845 QUERY_ERROR(qctx, DNS_R_REFUSED); 5846 } 5847 } else { 5848 CCTRACE(ISC_LOG_ERROR, "ns__query_start: query_getdb " 5849 "failed"); 5850 QUERY_ERROR(qctx, result); 5851 } 5852 return ns_query_done(qctx); 5853 } 5854 5855 /* 5856 * We found a database from which we can answer the query. Update 5857 * relevant query context flags if the answer is to be prepared using 5858 * authoritative data. 5859 */ 5860 qctx->is_staticstub_zone = false; 5861 if (qctx->is_zone) { 5862 qctx->authoritative = true; 5863 if (qctx->zone != NULL) { 5864 if (dns_zone_gettype(qctx->zone) == dns_zone_mirror) { 5865 qctx->authoritative = false; 5866 } 5867 if (dns_zone_gettype(qctx->zone) == dns_zone_staticstub) 5868 { 5869 qctx->is_staticstub_zone = true; 5870 } 5871 } 5872 } 5873 5874 /* 5875 * Attach to the database which will be used to prepare the answer. 5876 * Update query statistics. 5877 */ 5878 if (qctx->fresp == NULL && qctx->client->query.restarts == 0) { 5879 if (qctx->is_zone) { 5880 if (qctx->zone != NULL) { 5881 /* 5882 * if is_zone = true, zone = NULL then this is 5883 * a DLZ zone. Don't attempt to attach zone. 5884 */ 5885 dns_zone_attach(qctx->zone, 5886 &qctx->client->query.authzone); 5887 } 5888 dns_db_attach(qctx->db, &qctx->client->query.authdb); 5889 } 5890 qctx->client->query.authdbset = true; 5891 5892 /* Track TCP vs UDP stats per zone */ 5893 if (TCP(qctx->client)) { 5894 inc_stats(qctx->client, ns_statscounter_tcp); 5895 } else { 5896 inc_stats(qctx->client, ns_statscounter_udp); 5897 } 5898 } 5899 5900 if (!qctx->is_zone && qctx->view->staleanswerclienttimeout == 0 && 5901 dns_view_staleanswerenabled(qctx->view)) 5902 { 5903 /* 5904 * If stale answers are enabled and 5905 * stale-answer-client-timeout is zero, then we can promptly 5906 * answer with a stale RRset if one is available in cache. 5907 */ 5908 qctx->options.stalefirst = true; 5909 } 5910 5911 result = query_lookup(qctx); 5912 5913 /* 5914 * Clear "look-also-for-stale-data" flag. 5915 * If a fetch is created to resolve this query, then, 5916 * when it completes, this option is not expected to be set. 5917 */ 5918 qctx->options.stalefirst = false; 5919 5920 cleanup: 5921 return result; 5922 } 5923 5924 static void 5925 async_restart(void *arg) { 5926 query_ctx_t *qctx = arg; 5927 ns_client_t *client = qctx->client; 5928 isc_nmhandle_t *handle = client->restarthandle; 5929 5930 client->restarthandle = NULL; 5931 5932 ns__query_start(qctx); 5933 5934 qctx_clean(qctx); 5935 qctx_freedata(qctx); 5936 qctx_destroy(qctx); 5937 isc_mem_put(client->manager->mctx, qctx, sizeof(*qctx)); 5938 isc_nmhandle_detach(&handle); 5939 } 5940 5941 /* 5942 * Allocate buffers in 'qctx' used to store query results. 5943 * 5944 * 'buffer' must be a pointer to an object whose lifetime 5945 * doesn't expire while 'qctx' is in use. 5946 */ 5947 static isc_result_t 5948 qctx_prepare_buffers(query_ctx_t *qctx, isc_buffer_t *buffer) { 5949 REQUIRE(qctx != NULL); 5950 REQUIRE(qctx->client != NULL); 5951 REQUIRE(buffer != NULL); 5952 5953 qctx->dbuf = ns_client_getnamebuf(qctx->client); 5954 qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, buffer); 5955 qctx->rdataset = ns_client_newrdataset(qctx->client); 5956 5957 if ((WANTDNSSEC(qctx->client) || qctx->findcoveringnsec) && 5958 (!qctx->is_zone || dns_db_issecure(qctx->db))) 5959 { 5960 qctx->sigrdataset = ns_client_newrdataset(qctx->client); 5961 } 5962 5963 return ISC_R_SUCCESS; 5964 } 5965 5966 /*% 5967 * Depending on the db lookup result, we can respond to the 5968 * client this stale answer. 5969 */ 5970 static bool 5971 stale_client_answer(isc_result_t result) { 5972 switch (result) { 5973 case ISC_R_SUCCESS: 5974 case DNS_R_EMPTYNAME: 5975 case DNS_R_NXRRSET: 5976 case DNS_R_NCACHENXRRSET: 5977 case DNS_R_CNAME: 5978 case DNS_R_DNAME: 5979 return true; 5980 default: 5981 return false; 5982 } 5983 5984 UNREACHABLE(); 5985 } 5986 5987 /*% 5988 * Perform a local database lookup, in either an authoritative or 5989 * cache database. If unable to answer, call ns_query_done(); otherwise 5990 * hand off processing to query_gotanswer(). 5991 */ 5992 static isc_result_t 5993 query_lookup(query_ctx_t *qctx) { 5994 isc_buffer_t buffer; 5995 isc_result_t result = ISC_R_UNSET; 5996 dns_clientinfomethods_t cm; 5997 dns_clientinfo_t ci; 5998 dns_name_t *rpzqname = NULL; 5999 char namebuf[DNS_NAME_FORMATSIZE]; 6000 char typebuf[DNS_RDATATYPE_FORMATSIZE]; 6001 unsigned int dboptions; 6002 dns_ttl_t stale_refresh = 0; 6003 bool dbfind_stale = false; 6004 bool stale_timeout = false; 6005 bool answer_found = false; 6006 bool stale_found = false; 6007 bool stale_refresh_window = false; 6008 uint16_t ede = 0; 6009 6010 CCTRACE(ISC_LOG_DEBUG(3), "query_lookup"); 6011 6012 CALL_HOOK(NS_QUERY_LOOKUP_BEGIN, qctx); 6013 6014 dns_clientinfomethods_init(&cm, ns_client_sourceip); 6015 dns_clientinfo_init(&ci, qctx->client, NULL); 6016 if (HAVEECS(qctx->client)) { 6017 dns_clientinfo_setecs(&ci, &qctx->client->ecs); 6018 } 6019 6020 /* 6021 * We'll need some resources... 6022 */ 6023 result = qctx_prepare_buffers(qctx, &buffer); 6024 if (result != ISC_R_SUCCESS) { 6025 QUERY_ERROR(qctx, result); 6026 return ns_query_done(qctx); 6027 } 6028 6029 /* 6030 * Now look for an answer in the database. 6031 */ 6032 if (qctx->dns64 && qctx->rpz) { 6033 rpzqname = qctx->client->query.rpz_st->p_name; 6034 } else { 6035 rpzqname = qctx->client->query.qname; 6036 } 6037 6038 if (qctx->options.stalefirst) { 6039 /* 6040 * If the 'stalefirst' flag is set, it means that a stale 6041 * RRset may be returned as part of this lookup. An attempt 6042 * to refresh the RRset will still take place if an 6043 * active RRset is not available. 6044 */ 6045 qctx->client->query.dboptions |= DNS_DBFIND_STALETIMEOUT; 6046 } 6047 6048 dboptions = qctx->client->query.dboptions; 6049 if (!qctx->is_zone && qctx->findcoveringnsec && 6050 (qctx->type != dns_rdatatype_null || !dns_name_istat(rpzqname))) 6051 { 6052 dboptions |= DNS_DBFIND_COVERINGNSEC; 6053 } 6054 6055 (void)dns_db_getservestalerefresh(qctx->client->view->cachedb, 6056 &stale_refresh); 6057 if (stale_refresh > 0 && 6058 dns_view_staleanswerenabled(qctx->client->view)) 6059 { 6060 dboptions |= DNS_DBFIND_STALEENABLED; 6061 } 6062 6063 result = dns_db_findext(qctx->db, rpzqname, qctx->version, qctx->type, 6064 dboptions, qctx->client->now, &qctx->node, 6065 qctx->fname, &cm, &ci, qctx->rdataset, 6066 qctx->sigrdataset); 6067 6068 /* 6069 * Fixup fname and sigrdataset. 6070 */ 6071 if (qctx->dns64 && qctx->rpz) { 6072 dns_name_copy(qctx->client->query.qname, qctx->fname); 6073 if (qctx->sigrdataset != NULL && 6074 dns_rdataset_isassociated(qctx->sigrdataset)) 6075 { 6076 dns_rdataset_disassociate(qctx->sigrdataset); 6077 } 6078 } 6079 6080 if (!qctx->is_zone) { 6081 dns_cache_updatestats(qctx->view->cache, result); 6082 } 6083 6084 /* 6085 * If DNS_DBFIND_STALEOK is set this means we are dealing with a 6086 * lookup following a failed lookup and it is okay to serve a stale 6087 * answer. This will (re)start the 'stale-refresh-time' window in 6088 * rbtdb, tracking the last time the RRset lookup failed. 6089 */ 6090 dbfind_stale = ((dboptions & DNS_DBFIND_STALEOK) != 0); 6091 6092 /* 6093 * If DNS_DBFIND_STALEENABLED is set, this may be a normal lookup, but 6094 * we are allowed to immediately respond with a stale answer if the 6095 * request is within the 'stale-refresh-time' window. 6096 */ 6097 stale_refresh_window = (STALE_WINDOW(qctx->rdataset) && 6098 (dboptions & DNS_DBFIND_STALEENABLED) != 0); 6099 6100 /* 6101 * If DNS_DBFIND_STALETIMEOUT is set, a stale answer is requested. 6102 * This can happen if 'stale-answer-client-timeout' is enabled. 6103 * 6104 * If a stale answer is found, send it to the client, and try to refresh 6105 * the RRset. 6106 */ 6107 stale_timeout = ((dboptions & DNS_DBFIND_STALETIMEOUT) != 0); 6108 6109 if (dns_rdataset_isassociated(qctx->rdataset) && 6110 dns_rdataset_count(qctx->rdataset) > 0 && !STALE(qctx->rdataset)) 6111 { 6112 /* Found non-stale usable rdataset. */ 6113 answer_found = true; 6114 } 6115 6116 if (dbfind_stale || stale_refresh_window || stale_timeout) { 6117 dns_name_format(qctx->client->query.qname, namebuf, 6118 sizeof(namebuf)); 6119 dns_rdatatype_format(qctx->qtype, typebuf, sizeof(typebuf)); 6120 6121 inc_stats(qctx->client, ns_statscounter_trystale); 6122 6123 if (dns_rdataset_isassociated(qctx->rdataset) && 6124 dns_rdataset_count(qctx->rdataset) > 0 && 6125 STALE(qctx->rdataset)) 6126 { 6127 stale_found = true; 6128 if (result == DNS_R_NCACHENXDOMAIN || 6129 result == DNS_R_NXDOMAIN) 6130 { 6131 ede = DNS_EDE_STALENXANSWER; 6132 } else { 6133 ede = DNS_EDE_STALEANSWER; 6134 } 6135 qctx->rdataset->ttl = qctx->view->staleanswerttl; 6136 inc_stats(qctx->client, ns_statscounter_usedstale); 6137 } else { 6138 stale_found = false; 6139 } 6140 } 6141 6142 if (dbfind_stale) { 6143 isc_log_write(ns_lctx, NS_LOGCATEGORY_SERVE_STALE, 6144 NS_LOGMODULE_QUERY, ISC_LOG_INFO, 6145 "%s %s resolver failure, stale answer %s (%s)", 6146 namebuf, typebuf, 6147 stale_found ? "used" : "unavailable", 6148 isc_result_totext(result)); 6149 if (stale_found) { 6150 ns_client_extendederror(qctx->client, ede, 6151 "resolver failure"); 6152 } else if (!answer_found) { 6153 /* 6154 * Resolver failure, no stale data, nothing more we 6155 * can do, return SERVFAIL. 6156 */ 6157 QUERY_ERROR(qctx, DNS_R_SERVFAIL); 6158 return ns_query_done(qctx); 6159 } 6160 } else if (stale_refresh_window) { 6161 /* 6162 * A recent lookup failed, so during this time window we are 6163 * allowed to return stale data immediately. 6164 */ 6165 isc_log_write(ns_lctx, NS_LOGCATEGORY_SERVE_STALE, 6166 NS_LOGMODULE_QUERY, ISC_LOG_INFO, 6167 "%s %s query within stale refresh time, stale " 6168 "answer %s (%s)", 6169 namebuf, typebuf, 6170 stale_found ? "used" : "unavailable", 6171 isc_result_totext(result)); 6172 6173 if (stale_found) { 6174 ns_client_extendederror( 6175 qctx->client, ede, 6176 "query within stale refresh time window"); 6177 } else if (!answer_found) { 6178 /* 6179 * During the stale refresh window explicitly do not try 6180 * to refresh the data, because a recent lookup failed. 6181 */ 6182 QUERY_ERROR(qctx, DNS_R_SERVFAIL); 6183 return ns_query_done(qctx); 6184 } 6185 } else if (stale_timeout) { 6186 if (qctx->options.stalefirst) { 6187 if (!stale_found && !answer_found) { 6188 /* 6189 * We have nothing useful in cache to return 6190 * immediately. 6191 */ 6192 qctx_clean(qctx); 6193 qctx_freedata(qctx); 6194 dns_db_attach(qctx->client->view->cachedb, 6195 &qctx->db); 6196 qctx->client->query.dboptions &= 6197 ~DNS_DBFIND_STALETIMEOUT; 6198 qctx->options.stalefirst = false; 6199 if (FETCH_RECTYPE_NORMAL(qctx->client) != NULL) 6200 { 6201 dns_resolver_destroyfetch( 6202 &FETCH_RECTYPE_NORMAL( 6203 qctx->client)); 6204 } 6205 return query_lookup(qctx); 6206 } else if (stale_client_answer(result)) { 6207 /* 6208 * Immediately return the stale answer, start a 6209 * resolver fetch to refresh the data in cache. 6210 */ 6211 isc_log_write( 6212 ns_lctx, NS_LOGCATEGORY_SERVE_STALE, 6213 NS_LOGMODULE_QUERY, ISC_LOG_INFO, 6214 "%s %s stale answer used, an attempt " 6215 "to refresh the RRset will still be " 6216 "made", 6217 namebuf, typebuf); 6218 qctx->refresh_rrset = STALE(qctx->rdataset); 6219 if (stale_found) { 6220 ns_client_extendederror( 6221 qctx->client, ede, 6222 "stale data prioritized over " 6223 "lookup"); 6224 } 6225 } 6226 } else { 6227 UNREACHABLE(); 6228 } 6229 } 6230 6231 if (stale_timeout && (answer_found || stale_found)) { 6232 /* 6233 * Mark RRsets that we are adding to the client message on a 6234 * lookup during 'stale-answer-client-timeout', so we can 6235 * clean it up if needed when we resume from recursion. 6236 */ 6237 qctx->client->query.attributes |= NS_QUERYATTR_STALEOK; 6238 qctx->rdataset->attributes |= DNS_RDATASETATTR_STALE_ADDED; 6239 } 6240 6241 result = query_gotanswer(qctx, result); 6242 6243 cleanup: 6244 return result; 6245 } 6246 6247 /* 6248 * Clear all rdatasets from the message that are in the given section and 6249 * that have the 'attr' attribute set. 6250 */ 6251 static void 6252 message_clearrdataset(dns_message_t *msg, unsigned int attr) { 6253 unsigned int i; 6254 dns_name_t *name, *next_name; 6255 dns_rdataset_t *rds, *next_rds; 6256 6257 /* 6258 * Clean up name lists by calling the rdataset disassociate function. 6259 */ 6260 for (i = DNS_SECTION_ANSWER; i < DNS_SECTION_MAX; i++) { 6261 name = ISC_LIST_HEAD(msg->sections[i]); 6262 while (name != NULL) { 6263 next_name = ISC_LIST_NEXT(name, link); 6264 6265 rds = ISC_LIST_HEAD(name->list); 6266 while (rds != NULL) { 6267 next_rds = ISC_LIST_NEXT(rds, link); 6268 if ((rds->attributes & attr) != attr) { 6269 rds = next_rds; 6270 continue; 6271 } 6272 ISC_LIST_UNLINK(name->list, rds, link); 6273 INSIST(dns_rdataset_isassociated(rds)); 6274 dns_rdataset_disassociate(rds); 6275 isc_mempool_put(msg->rdspool, rds); 6276 rds = next_rds; 6277 } 6278 6279 if (ISC_LIST_EMPTY(name->list)) { 6280 ISC_LIST_UNLINK(msg->sections[i], name, link); 6281 if (dns_name_dynamic(name)) { 6282 dns_name_free(name, msg->mctx); 6283 } 6284 isc_mempool_put(msg->namepool, name); 6285 } 6286 6287 name = next_name; 6288 } 6289 } 6290 } 6291 6292 /* 6293 * Clear any rdatasets from the client's message that were added on a lookup 6294 * due to a client timeout. 6295 */ 6296 static void 6297 query_clear_stale(ns_client_t *client) { 6298 message_clearrdataset(client->message, DNS_RDATASETATTR_STALE_ADDED); 6299 } 6300 6301 /* 6302 * Event handler to resume processing a query after recursion, or when a 6303 * client timeout is triggered. If the query has timed out or been cancelled 6304 * or the system is shutting down, clean up and exit. If a client timeout is 6305 * triggered, see if we can respond with a stale answer from cache. Otherwise, 6306 * call query_resume() to continue the ongoing work. 6307 */ 6308 static void 6309 fetch_callback(void *arg) { 6310 dns_fetchresponse_t *resp = (dns_fetchresponse_t *)arg; 6311 ns_client_t *client = resp->arg; 6312 dns_fetch_t *fetch = NULL; 6313 bool fetch_canceled = false; 6314 isc_logcategory_t *logcategory = NS_LOGCATEGORY_QUERY_ERRORS; 6315 isc_result_t result; 6316 int errorloglevel; 6317 query_ctx_t qctx; 6318 6319 REQUIRE(NS_CLIENT_VALID(client)); 6320 REQUIRE(RECURSING(client)); 6321 6322 CTRACE(ISC_LOG_DEBUG(3), "fetch_callback"); 6323 6324 /* 6325 * We are resuming from recursion. Reset any attributes, options 6326 * that a lookup due to stale-answer-client-timeout may have set. 6327 */ 6328 if (client->view->cachedb != NULL && client->view->recursion) { 6329 client->query.attributes |= NS_QUERYATTR_RECURSIONOK; 6330 } 6331 client->query.dboptions &= ~DNS_DBFIND_STALETIMEOUT; 6332 6333 LOCK(&client->query.fetchlock); 6334 INSIST(FETCH_RECTYPE_NORMAL(client) == resp->fetch || 6335 FETCH_RECTYPE_NORMAL(client) == NULL); 6336 if (FETCH_RECTYPE_NORMAL(client) != NULL) { 6337 /* 6338 * This is the fetch we've been waiting for. 6339 */ 6340 INSIST(FETCH_RECTYPE_NORMAL(client) == resp->fetch); 6341 FETCH_RECTYPE_NORMAL(client) = NULL; 6342 6343 /* 6344 * Update client->now. 6345 */ 6346 client->now = isc_stdtime_now(); 6347 } else { 6348 /* 6349 * This is a fetch completion event for a canceled fetch. 6350 * Clean up and don't resume the find. 6351 */ 6352 fetch_canceled = true; 6353 } 6354 UNLOCK(&client->query.fetchlock); 6355 6356 SAVE(fetch, resp->fetch); 6357 6358 /* 6359 * We're done recursing, detach from quota and unlink from 6360 * the manager's recursing-clients list. 6361 */ 6362 release_recursionquota(client); 6363 6364 isc_nmhandle_detach(&HANDLE_RECTYPE_NORMAL(client)); 6365 6366 client->query.attributes &= ~NS_QUERYATTR_RECURSING; 6367 client->state = NS_CLIENTSTATE_WORKING; 6368 6369 /* 6370 * Initialize a new qctx and use it to either resume from 6371 * recursion or clean up after cancelation. Transfer 6372 * ownership of resp to the new qctx in the process. 6373 */ 6374 qctx_init(client, &resp, 0, &qctx); 6375 6376 if (fetch_canceled) { 6377 /* 6378 * We've timed out or are shutting down. We can now 6379 * free the event and other resources held by qctx, but 6380 * don't call qctx_destroy() yet: it might destroy the 6381 * client, which we still need for a moment. 6382 */ 6383 qctx_freedata(&qctx); 6384 6385 /* 6386 * Return an error to the client. 6387 */ 6388 CTRACE(ISC_LOG_ERROR, "fetch cancelled"); 6389 query_error(client, DNS_R_SERVFAIL, __LINE__); 6390 6391 /* 6392 * Free any persistent plugin data that was allocated to 6393 * service the client, then detach the client object. 6394 */ 6395 qctx.detach_client = true; 6396 qctx_destroy(&qctx); 6397 } else { 6398 /* 6399 * Resume the find process. 6400 */ 6401 query_trace(&qctx); 6402 6403 result = query_resume(&qctx); 6404 if (result != ISC_R_SUCCESS) { 6405 if (result == DNS_R_SERVFAIL) { 6406 errorloglevel = ISC_LOG_DEBUG(2); 6407 } else { 6408 errorloglevel = ISC_LOG_DEBUG(4); 6409 } 6410 if (isc_log_wouldlog(ns_lctx, errorloglevel)) { 6411 dns_resolver_logfetch(fetch, ns_lctx, 6412 logcategory, 6413 NS_LOGMODULE_QUERY, 6414 errorloglevel, false); 6415 } 6416 } 6417 6418 qctx_destroy(&qctx); 6419 } 6420 6421 dns_resolver_destroyfetch(&fetch); 6422 } 6423 6424 /*% 6425 * Check whether the recursion parameters in 'param' match the current query's 6426 * recursion parameters provided in 'qtype', 'qname', and 'qdomain'. 6427 */ 6428 static bool 6429 recparam_match(const ns_query_recparam_t *param, dns_rdatatype_t qtype, 6430 const dns_name_t *qname, const dns_name_t *qdomain) { 6431 REQUIRE(param != NULL); 6432 6433 return param->qtype == qtype && param->qname != NULL && qname != NULL && 6434 param->qdomain != NULL && qdomain != NULL && 6435 dns_name_equal(param->qname, qname) && 6436 dns_name_equal(param->qdomain, qdomain); 6437 } 6438 6439 /*% 6440 * Update 'param' with current query's recursion parameters provided in 6441 * 'qtype', 'qname', and 'qdomain'. 6442 */ 6443 static void 6444 recparam_update(ns_query_recparam_t *param, dns_rdatatype_t qtype, 6445 const dns_name_t *qname, const dns_name_t *qdomain) { 6446 REQUIRE(param != NULL); 6447 6448 param->qtype = qtype; 6449 6450 if (qname == NULL) { 6451 param->qname = NULL; 6452 } else { 6453 param->qname = dns_fixedname_initname(¶m->fqname); 6454 dns_name_copy(qname, param->qname); 6455 } 6456 6457 if (qdomain == NULL) { 6458 param->qdomain = NULL; 6459 } else { 6460 param->qdomain = dns_fixedname_initname(¶m->fqdomain); 6461 dns_name_copy(qdomain, param->qdomain); 6462 } 6463 } 6464 6465 static void 6466 recursionquota_log(ns_client_t *client, atomic_uint_fast32_t *last_log_time, 6467 const char *format, isc_quota_t *quota) { 6468 isc_stdtime_t now = isc_stdtime_now(); 6469 if (now == atomic_load_relaxed(last_log_time)) { 6470 return; 6471 } 6472 6473 atomic_store_relaxed(last_log_time, now); 6474 ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, 6475 ISC_LOG_WARNING, format, isc_quota_getused(quota), 6476 isc_quota_getsoft(quota), isc_quota_getmax(quota)); 6477 } 6478 6479 static atomic_uint_fast32_t last_soft, last_hard; 6480 6481 /*% 6482 * Acquire recursion quota before making the current client "recursing". 6483 */ 6484 static isc_result_t 6485 acquire_recursionquota(ns_client_t *client) { 6486 isc_result_t result; 6487 6488 result = recursionquotatype_attach_soft(client); 6489 switch (result) { 6490 case ISC_R_SOFTQUOTA: 6491 recursionquota_log(client, &last_soft, 6492 "recursive-clients soft limit exceeded " 6493 "(%u/%u/%u), aborting oldest query", 6494 &client->manager->sctx->recursionquota); 6495 ns_client_killoldestquery(client); 6496 FALLTHROUGH; 6497 case ISC_R_SUCCESS: 6498 break; 6499 case ISC_R_QUOTA: 6500 recursionquota_log(client, &last_hard, 6501 "no more recursive clients (%u/%u/%u)", 6502 &client->manager->sctx->recursionquota); 6503 ns_client_killoldestquery(client); 6504 return result; 6505 default: 6506 UNREACHABLE(); 6507 } 6508 6509 dns_message_clonebuffer(client->message); 6510 ns_client_recursing(client); 6511 6512 return ISC_R_SUCCESS; 6513 } 6514 6515 /*% 6516 * Release recursion quota and remove the client from the "recursing" list. 6517 */ 6518 static void 6519 release_recursionquota(ns_client_t *client) { 6520 recursionquotatype_detach(client); 6521 6522 LOCK(&client->manager->reclock); 6523 if (ISC_LINK_LINKED(client, rlink)) { 6524 ISC_LIST_UNLINK(client->manager->recursing, client, rlink); 6525 } 6526 UNLOCK(&client->manager->reclock); 6527 } 6528 6529 isc_result_t 6530 ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, 6531 dns_name_t *qdomain, dns_rdataset_t *nameservers, 6532 bool resuming) { 6533 isc_result_t result; 6534 dns_rdataset_t *rdataset, *sigrdataset; 6535 isc_sockaddr_t *peeraddr = NULL; 6536 6537 CTRACE(ISC_LOG_DEBUG(3), "ns_query_recurse"); 6538 6539 /* 6540 * Check recursion parameters from the previous query to see if they 6541 * match. If not, update recursion parameters and proceed. 6542 */ 6543 if (recparam_match(&client->query.recparam, qtype, qname, qdomain)) { 6544 ns_client_log(client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY, 6545 ISC_LOG_INFO, "recursion loop detected"); 6546 return ISC_R_FAILURE; 6547 } 6548 6549 recparam_update(&client->query.recparam, qtype, qname, qdomain); 6550 6551 if (!resuming) { 6552 inc_stats(client, ns_statscounter_recursion); 6553 } 6554 6555 result = acquire_recursionquota(client); 6556 if (result != ISC_R_SUCCESS) { 6557 return result; 6558 } 6559 6560 /* 6561 * Invoke the resolver. 6562 */ 6563 REQUIRE(nameservers == NULL || nameservers->type == dns_rdatatype_ns); 6564 REQUIRE(FETCH_RECTYPE_NORMAL(client) == NULL); 6565 6566 rdataset = ns_client_newrdataset(client); 6567 6568 if (WANTDNSSEC(client)) { 6569 sigrdataset = ns_client_newrdataset(client); 6570 } else { 6571 sigrdataset = NULL; 6572 } 6573 6574 if (!client->query.timerset) { 6575 ns_client_settimeout(client, 60); 6576 } 6577 6578 if (!TCP(client)) { 6579 peeraddr = &client->peeraddr; 6580 } 6581 6582 isc_nmhandle_attach(client->handle, &HANDLE_RECTYPE_NORMAL(client)); 6583 result = dns_resolver_createfetch( 6584 client->view->resolver, qname, qtype, qdomain, nameservers, 6585 NULL, peeraddr, client->message->id, client->query.fetchoptions, 6586 0, NULL, client->manager->loop, fetch_callback, client, 6587 rdataset, sigrdataset, &FETCH_RECTYPE_NORMAL(client)); 6588 if (result != ISC_R_SUCCESS) { 6589 release_recursionquota(client); 6590 6591 ns_client_putrdataset(client, &rdataset); 6592 if (sigrdataset != NULL) { 6593 ns_client_putrdataset(client, &sigrdataset); 6594 } 6595 6596 isc_nmhandle_detach(&HANDLE_RECTYPE_NORMAL(client)); 6597 } 6598 6599 /* 6600 * We're now waiting for a fetch event. A client which is 6601 * shutting down will not be destroyed until all the events 6602 * have been received. 6603 */ 6604 6605 return result; 6606 } 6607 6608 /*% 6609 * Restores the query context after resuming from recursion, and 6610 * continues the query processing if needed. 6611 */ 6612 static isc_result_t 6613 query_resume(query_ctx_t *qctx) { 6614 isc_result_t result = ISC_R_UNSET; 6615 dns_name_t *tname; 6616 isc_buffer_t b; 6617 #ifdef WANT_QUERYTRACE 6618 char mbuf[4 * DNS_NAME_FORMATSIZE]; 6619 char qbuf[DNS_NAME_FORMATSIZE]; 6620 char tbuf[DNS_RDATATYPE_FORMATSIZE]; 6621 #endif /* ifdef WANT_QUERYTRACE */ 6622 6623 CCTRACE(ISC_LOG_DEBUG(3), "query_resume"); 6624 6625 CALL_HOOK(NS_QUERY_RESUME_BEGIN, qctx); 6626 6627 qctx->want_restart = false; 6628 6629 qctx->rpz_st = qctx->client->query.rpz_st; 6630 if (qctx->rpz_st != NULL && 6631 (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0) 6632 { 6633 CCTRACE(ISC_LOG_DEBUG(3), "resume from RPZ recursion"); 6634 #ifdef WANT_QUERYTRACE 6635 { 6636 char pbuf[DNS_NAME_FORMATSIZE] = "<unset>"; 6637 char fbuf[DNS_NAME_FORMATSIZE] = "<unset>"; 6638 if (qctx->rpz_st->r_name != NULL) { 6639 dns_name_format(qctx->rpz_st->r_name, qbuf, 6640 sizeof(qbuf)); 6641 } else { 6642 snprintf(qbuf, sizeof(qbuf), "<unset>"); 6643 } 6644 if (qctx->rpz_st->p_name != NULL) { 6645 dns_name_format(qctx->rpz_st->p_name, pbuf, 6646 sizeof(pbuf)); 6647 } 6648 if (qctx->rpz_st->fname != NULL) { 6649 dns_name_format(qctx->rpz_st->fname, fbuf, 6650 sizeof(fbuf)); 6651 } 6652 6653 snprintf(mbuf, sizeof(mbuf) - 1, 6654 "rpz rname:%s, pname:%s, qctx->fname:%s", qbuf, 6655 pbuf, fbuf); 6656 CCTRACE(ISC_LOG_DEBUG(3), mbuf); 6657 } 6658 #endif /* ifdef WANT_QUERYTRACE */ 6659 6660 qctx->is_zone = qctx->rpz_st->q.is_zone; 6661 qctx->authoritative = qctx->rpz_st->q.authoritative; 6662 RESTORE(qctx->zone, qctx->rpz_st->q.zone); 6663 RESTORE(qctx->node, qctx->rpz_st->q.node); 6664 RESTORE(qctx->db, qctx->rpz_st->q.db); 6665 RESTORE(qctx->rdataset, qctx->rpz_st->q.rdataset); 6666 RESTORE(qctx->sigrdataset, qctx->rpz_st->q.sigrdataset); 6667 qctx->qtype = qctx->rpz_st->q.qtype; 6668 6669 if (qctx->fresp->node != NULL) { 6670 dns_db_detachnode(qctx->fresp->db, &qctx->fresp->node); 6671 } 6672 SAVE(qctx->rpz_st->r.db, qctx->fresp->db); 6673 qctx->rpz_st->r.r_type = qctx->fresp->qtype; 6674 SAVE(qctx->rpz_st->r.r_rdataset, qctx->fresp->rdataset); 6675 ns_client_putrdataset(qctx->client, &qctx->fresp->sigrdataset); 6676 } else if (REDIRECT(qctx->client)) { 6677 /* 6678 * Restore saved state. 6679 */ 6680 CCTRACE(ISC_LOG_DEBUG(3), "resume from redirect recursion"); 6681 #ifdef WANT_QUERYTRACE 6682 dns_name_format(qctx->client->query.redirect.fname, qbuf, 6683 sizeof(qbuf)); 6684 dns_rdatatype_format(qctx->client->query.redirect.qtype, tbuf, 6685 sizeof(tbuf)); 6686 snprintf(mbuf, sizeof(mbuf) - 1, 6687 "redirect qctx->fname:%s, qtype:%s, auth:%d", qbuf, 6688 tbuf, qctx->client->query.redirect.authoritative); 6689 CCTRACE(ISC_LOG_DEBUG(3), mbuf); 6690 #endif /* ifdef WANT_QUERYTRACE */ 6691 qctx->qtype = qctx->client->query.redirect.qtype; 6692 INSIST(qctx->client->query.redirect.rdataset != NULL); 6693 RESTORE(qctx->rdataset, qctx->client->query.redirect.rdataset); 6694 RESTORE(qctx->sigrdataset, 6695 qctx->client->query.redirect.sigrdataset); 6696 RESTORE(qctx->db, qctx->client->query.redirect.db); 6697 RESTORE(qctx->node, qctx->client->query.redirect.node); 6698 RESTORE(qctx->zone, qctx->client->query.redirect.zone); 6699 qctx->authoritative = 6700 qctx->client->query.redirect.authoritative; 6701 6702 /* 6703 * Free resources used while recursing. 6704 */ 6705 ns_client_putrdataset(qctx->client, &qctx->fresp->rdataset); 6706 ns_client_putrdataset(qctx->client, &qctx->fresp->sigrdataset); 6707 if (qctx->fresp->node != NULL) { 6708 dns_db_detachnode(qctx->fresp->db, &qctx->fresp->node); 6709 } 6710 if (qctx->fresp->db != NULL) { 6711 dns_db_detach(&qctx->fresp->db); 6712 } 6713 } else { 6714 CCTRACE(ISC_LOG_DEBUG(3), "resume from normal recursion"); 6715 qctx->authoritative = false; 6716 6717 qctx->qtype = qctx->fresp->qtype; 6718 SAVE(qctx->db, qctx->fresp->db); 6719 SAVE(qctx->node, qctx->fresp->node); 6720 SAVE(qctx->rdataset, qctx->fresp->rdataset); 6721 SAVE(qctx->sigrdataset, qctx->fresp->sigrdataset); 6722 } 6723 INSIST(qctx->rdataset != NULL); 6724 6725 if (qctx->qtype == dns_rdatatype_rrsig || 6726 qctx->qtype == dns_rdatatype_sig) 6727 { 6728 qctx->type = dns_rdatatype_any; 6729 } else { 6730 qctx->type = qctx->qtype; 6731 } 6732 6733 CALL_HOOK(NS_QUERY_RESUME_RESTORED, qctx); 6734 6735 if (DNS64(qctx->client)) { 6736 qctx->client->query.attributes &= ~NS_QUERYATTR_DNS64; 6737 qctx->dns64 = true; 6738 } 6739 6740 if (DNS64EXCLUDE(qctx->client)) { 6741 qctx->client->query.attributes &= ~NS_QUERYATTR_DNS64EXCLUDE; 6742 qctx->dns64_exclude = true; 6743 } 6744 6745 if (qctx->rpz_st != NULL && 6746 (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0) 6747 { 6748 /* 6749 * Has response policy changed out from under us? 6750 */ 6751 if (qctx->rpz_st->rpz_ver != qctx->view->rpzs->rpz_ver) { 6752 ns_client_log(qctx->client, NS_LOGCATEGORY_CLIENT, 6753 NS_LOGMODULE_QUERY, DNS_RPZ_INFO_LEVEL, 6754 "query_resume: RPZ settings " 6755 "out of date " 6756 "(rpz_ver %d, expected %d)", 6757 qctx->view->rpzs->rpz_ver, 6758 qctx->rpz_st->rpz_ver); 6759 QUERY_ERROR(qctx, DNS_R_SERVFAIL); 6760 return ns_query_done(qctx); 6761 } 6762 } 6763 6764 /* 6765 * We'll need some resources... 6766 */ 6767 qctx->dbuf = ns_client_getnamebuf(qctx->client); 6768 qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b); 6769 6770 if (qctx->rpz_st != NULL && 6771 (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0) 6772 { 6773 tname = qctx->rpz_st->fname; 6774 } else if (REDIRECT(qctx->client)) { 6775 tname = qctx->client->query.redirect.fname; 6776 } else { 6777 tname = qctx->fresp->foundname; 6778 } 6779 6780 dns_name_copy(tname, qctx->fname); 6781 6782 if (qctx->rpz_st != NULL && 6783 (qctx->rpz_st->state & DNS_RPZ_RECURSING) != 0) 6784 { 6785 qctx->rpz_st->r.r_result = qctx->fresp->result; 6786 result = qctx->rpz_st->q.result; 6787 free_fresp(qctx->client, &qctx->fresp); 6788 } else if (REDIRECT(qctx->client)) { 6789 result = qctx->client->query.redirect.result; 6790 } else { 6791 result = qctx->fresp->result; 6792 } 6793 6794 qctx->resuming = true; 6795 6796 return query_gotanswer(qctx, result); 6797 6798 cleanup: 6799 return result; 6800 } 6801 6802 static void 6803 query_hookresume(void *arg) { 6804 ns_hook_resume_t *rev = (ns_hook_resume_t *)arg; 6805 ns_hookasync_t *hctx = NULL; 6806 ns_client_t *client = rev->arg; 6807 query_ctx_t *qctx = rev->saved_qctx; 6808 bool canceled; 6809 6810 CTRACE(ISC_LOG_DEBUG(3), "query_hookresume"); 6811 6812 REQUIRE(NS_CLIENT_VALID(client)); 6813 6814 LOCK(&client->query.fetchlock); 6815 if (client->query.hookactx != NULL) { 6816 INSIST(rev->ctx == client->query.hookactx); 6817 client->query.hookactx = NULL; 6818 canceled = false; 6819 client->now = isc_stdtime_now(); 6820 } else { 6821 canceled = true; 6822 } 6823 UNLOCK(&client->query.fetchlock); 6824 SAVE(hctx, rev->ctx); 6825 6826 release_recursionquota(client); 6827 6828 /* 6829 * The fetch handle should be detached before resuming query processing 6830 * below, since that may trigger another recursion or asynchronous hook 6831 * event. 6832 */ 6833 isc_nmhandle_detach(&HANDLE_RECTYPE_HOOK(client)); 6834 6835 client->state = NS_CLIENTSTATE_WORKING; 6836 6837 if (canceled) { 6838 /* 6839 * Note: unlike fetch_callback, this function doesn't bother 6840 * to check the 'shutdown' condition, as that doesn't seem to 6841 * happen in the latest implementation. 6842 */ 6843 query_error(client, DNS_R_SERVFAIL, __LINE__); 6844 6845 /* 6846 * There's no other place to free/release any data maintained 6847 * in qctx. We need to do it here to prevent leak. 6848 */ 6849 qctx_clean(qctx); 6850 qctx_freedata(qctx); 6851 6852 /* 6853 * As we're almost done with this client, make sure any internal 6854 * resource for hooks will be released (if necessary) via the 6855 * QCTX_DESTROYED hook. 6856 */ 6857 qctx->detach_client = true; 6858 } else { 6859 switch (rev->hookpoint) { 6860 case NS_QUERY_SETUP: 6861 query_setup(client, qctx->qtype); 6862 break; 6863 case NS_QUERY_START_BEGIN: 6864 (void)ns__query_start(qctx); 6865 break; 6866 case NS_QUERY_LOOKUP_BEGIN: 6867 (void)query_lookup(qctx); 6868 break; 6869 case NS_QUERY_RESUME_BEGIN: 6870 case NS_QUERY_RESUME_RESTORED: 6871 (void)query_resume(qctx); 6872 break; 6873 case NS_QUERY_GOT_ANSWER_BEGIN: 6874 (void)query_gotanswer(qctx, rev->origresult); 6875 break; 6876 case NS_QUERY_RESPOND_ANY_BEGIN: 6877 (void)query_respond_any(qctx); 6878 break; 6879 case NS_QUERY_ADDANSWER_BEGIN: 6880 (void)query_addanswer(qctx); 6881 break; 6882 case NS_QUERY_NOTFOUND_BEGIN: 6883 (void)query_notfound(qctx); 6884 break; 6885 case NS_QUERY_PREP_DELEGATION_BEGIN: 6886 (void)query_prepare_delegation_response(qctx); 6887 break; 6888 case NS_QUERY_ZONE_DELEGATION_BEGIN: 6889 (void)query_zone_delegation(qctx); 6890 break; 6891 case NS_QUERY_DELEGATION_BEGIN: 6892 (void)query_delegation(qctx); 6893 break; 6894 case NS_QUERY_DELEGATION_RECURSE_BEGIN: 6895 (void)query_delegation_recurse(qctx); 6896 break; 6897 case NS_QUERY_NODATA_BEGIN: 6898 (void)query_nodata(qctx, rev->origresult); 6899 break; 6900 case NS_QUERY_NXDOMAIN_BEGIN: 6901 (void)query_nxdomain(qctx, rev->origresult); 6902 break; 6903 case NS_QUERY_NCACHE_BEGIN: 6904 (void)query_ncache(qctx, rev->origresult); 6905 break; 6906 case NS_QUERY_CNAME_BEGIN: 6907 (void)query_cname(qctx); 6908 break; 6909 case NS_QUERY_DNAME_BEGIN: 6910 (void)query_dname(qctx); 6911 break; 6912 case NS_QUERY_RESPOND_BEGIN: 6913 (void)query_respond(qctx); 6914 break; 6915 case NS_QUERY_PREP_RESPONSE_BEGIN: 6916 (void)query_prepresponse(qctx); 6917 break; 6918 case NS_QUERY_DONE_BEGIN: 6919 case NS_QUERY_DONE_SEND: 6920 (void)ns_query_done(qctx); 6921 break; 6922 6923 /* Not all hookpoints can use recursion. Catch violations */ 6924 case NS_QUERY_RESPOND_ANY_FOUND: /* due to side effect */ 6925 case NS_QUERY_NOTFOUND_RECURSE: /* in recursion */ 6926 case NS_QUERY_ZEROTTL_RECURSE: /* in recursion */ 6927 default: /* catch-all just in case */ 6928 INSIST(false); 6929 } 6930 } 6931 6932 isc_mem_put(hctx->mctx, rev, sizeof(*rev)); 6933 hctx->destroy(&hctx); 6934 qctx_destroy(qctx); 6935 isc_mem_put(client->manager->mctx, qctx, sizeof(*qctx)); 6936 } 6937 6938 isc_result_t 6939 ns_query_hookasync(query_ctx_t *qctx, ns_query_starthookasync_t runasync, 6940 void *arg) { 6941 isc_result_t result; 6942 ns_client_t *client = qctx->client; 6943 query_ctx_t *saved_qctx = NULL; 6944 6945 CTRACE(ISC_LOG_DEBUG(3), "ns_query_hookasync"); 6946 6947 REQUIRE(NS_CLIENT_VALID(client)); 6948 REQUIRE(client->query.hookactx == NULL); 6949 REQUIRE(FETCH_RECTYPE_NORMAL(client) == NULL); 6950 6951 result = acquire_recursionquota(client); 6952 if (result != ISC_R_SUCCESS) { 6953 goto cleanup; 6954 } 6955 6956 saved_qctx = isc_mem_get(client->manager->mctx, sizeof(*saved_qctx)); 6957 qctx_save(qctx, saved_qctx); 6958 result = runasync(saved_qctx, client->manager->mctx, arg, 6959 client->manager->loop, query_hookresume, client, 6960 &client->query.hookactx); 6961 if (result != ISC_R_SUCCESS) { 6962 goto cleanup_and_detach_from_quota; 6963 } 6964 6965 /* 6966 * Typically the runasync() function will trigger recursion, but 6967 * there is no need to set NS_QUERYATTR_RECURSING. The calling hook 6968 * is expected to return NS_HOOK_RETURN, and the RECURSING 6969 * attribute won't be checked anywhere. 6970 * 6971 * Hook-based asynchronous processing cannot coincide with normal 6972 * recursion. Unlike in ns_query_recurse(), we attach to the handle 6973 * only if 'runasync' succeeds. It should be safe since we're either in 6974 * the client task or pausing it. 6975 */ 6976 isc_nmhandle_attach(client->handle, &HANDLE_RECTYPE_HOOK(client)); 6977 return ISC_R_SUCCESS; 6978 6979 cleanup_and_detach_from_quota: 6980 release_recursionquota(client); 6981 cleanup: 6982 /* 6983 * If we fail, send SERVFAIL now. It may be better to let the caller 6984 * decide what to do on failure of this function, but hooks don't have 6985 * access to query_error(). 6986 */ 6987 query_error(client, DNS_R_SERVFAIL, __LINE__); 6988 6989 /* 6990 * Free all resource related to the query and set detach_client, 6991 * similar to the cancel case of query_hookresume; the callers will 6992 * simply return on failure of this function, so there's no other 6993 * place for this to prevent leak. 6994 */ 6995 if (saved_qctx != NULL) { 6996 qctx_clean(saved_qctx); 6997 qctx_freedata(saved_qctx); 6998 qctx_destroy(saved_qctx); 6999 isc_mem_put(client->manager->mctx, saved_qctx, 7000 sizeof(*saved_qctx)); 7001 } 7002 qctx->detach_client = true; 7003 return result; 7004 } 7005 7006 /*% 7007 * If the query is recursive, check the SERVFAIL cache to see whether 7008 * identical queries have failed recently. If we find a match, and it was 7009 * from a query with CD=1, *or* if the current query has CD=0, then we just 7010 * return SERVFAIL again. This prevents a validation failure from eliciting a 7011 * SERVFAIL response to a CD=1 query. 7012 */ 7013 isc_result_t 7014 ns__query_sfcache(query_ctx_t *qctx) { 7015 isc_result_t failcache; 7016 uint32_t flags; 7017 7018 /* 7019 * The SERVFAIL cache doesn't apply to authoritative queries. 7020 */ 7021 if (!RECURSIONOK(qctx->client)) { 7022 return ISC_R_COMPLETE; 7023 } 7024 7025 flags = 0; 7026 #ifdef ENABLE_AFL 7027 if (qctx->client->manager->sctx->fuzztype == isc_fuzz_resolver) { 7028 failcache = ISC_R_NOTFOUND; 7029 } else 7030 #endif /* ifdef ENABLE_AFL */ 7031 { 7032 failcache = dns_badcache_find( 7033 qctx->view->failcache, qctx->client->query.qname, 7034 qctx->qtype, &flags, 7035 isc_time_seconds(&qctx->client->tnow)); 7036 } 7037 7038 if (failcache != ISC_R_SUCCESS) { 7039 return ISC_R_COMPLETE; 7040 } 7041 7042 if (((flags & NS_FAILCACHE_CD) != 0) || 7043 ((qctx->client->message->flags & DNS_MESSAGEFLAG_CD) == 0)) 7044 { 7045 if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) { 7046 char namebuf[DNS_NAME_FORMATSIZE]; 7047 char typebuf[DNS_RDATATYPE_FORMATSIZE]; 7048 7049 dns_name_format(qctx->client->query.qname, namebuf, 7050 sizeof(namebuf)); 7051 dns_rdatatype_format(qctx->qtype, typebuf, 7052 sizeof(typebuf)); 7053 ns_client_log(qctx->client, NS_LOGCATEGORY_CLIENT, 7054 NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(1), 7055 "servfail cache hit %s/%s (%s)", namebuf, 7056 typebuf, 7057 ((flags & NS_FAILCACHE_CD) != 0) ? "CD=1" 7058 : "CD=" 7059 "0"); 7060 } 7061 7062 qctx->client->attributes |= NS_CLIENTATTR_NOSETFC; 7063 QUERY_ERROR(qctx, DNS_R_SERVFAIL); 7064 return ns_query_done(qctx); 7065 } 7066 7067 return ISC_R_COMPLETE; 7068 } 7069 7070 static void 7071 query_trace_rrldrop(query_ctx_t *qctx, 7072 dns_rrl_result_t rrl_result ISC_ATTR_UNUSED) { 7073 if (!LIBNS_RRL_DROP_ENABLED()) { 7074 return; 7075 } 7076 7077 char peerbuf[ISC_SOCKADDR_FORMATSIZE]; 7078 isc_netaddr_t peer; 7079 isc_netaddr_fromsockaddr(&peer, &qctx->client->peeraddr); 7080 isc_netaddr_format(&peer, peerbuf, sizeof(peerbuf)); 7081 7082 char qnamebuf[DNS_NAME_FORMATSIZE]; 7083 char fnamebuf[DNS_NAME_FORMATSIZE]; 7084 dns_name_format(qctx->client->query.qname, qnamebuf, sizeof(qnamebuf)); 7085 dns_name_format(qctx->fname, fnamebuf, sizeof(fnamebuf)); 7086 LIBNS_RRL_DROP(peerbuf, qnamebuf, fnamebuf, rrl_result); 7087 } 7088 7089 /*% 7090 * Handle response rate limiting (RRL). 7091 */ 7092 static isc_result_t 7093 query_checkrrl(query_ctx_t *qctx, isc_result_t result) { 7094 /* 7095 * Rate limit these responses to this client. 7096 * Do not delay counting and handling obvious referrals, 7097 * since those won't come here again. 7098 * Delay handling delegations for which we are certain to recurse and 7099 * return here (DNS_R_DELEGATION, not a child of one of our 7100 * own zones, and recursion enabled) 7101 * Don't mess with responses rewritten by RPZ 7102 * Count each response at most once. 7103 */ 7104 7105 /* 7106 * XXXMPA the rrl system tests fails sometimes and RRL_CHECKED 7107 * is set when we are called the second time preventing the 7108 * response being dropped. 7109 */ 7110 ns_client_log( 7111 qctx->client, DNS_LOGCATEGORY_RRL, NS_LOGMODULE_QUERY, 7112 ISC_LOG_DEBUG(99), 7113 "rrl=%p, HAVECOOKIE=%u, result=%s, " 7114 "fname=%p(%u), is_zone=%u, RECURSIONOK=%u, " 7115 "query.rpz_st=%p(%u), RRL_CHECKED=%u", 7116 qctx->client->view->rrl, HAVECOOKIE(qctx->client), 7117 isc_result_toid(result), qctx->fname, 7118 qctx->fname != NULL ? dns_name_isabsolute(qctx->fname) : 0, 7119 qctx->is_zone, RECURSIONOK(qctx->client), 7120 qctx->client->query.rpz_st, 7121 qctx->client->query.rpz_st != NULL 7122 ? ((qctx->client->query.rpz_st->state & 7123 DNS_RPZ_REWRITTEN) != 0) 7124 : 0, 7125 (qctx->client->query.attributes & NS_QUERYATTR_RRL_CHECKED) != 7126 0); 7127 7128 if (qctx->view->rrl != NULL && !HAVECOOKIE(qctx->client) && 7129 ((qctx->fname != NULL && dns_name_isabsolute(qctx->fname)) || 7130 (result == ISC_R_NOTFOUND && !RECURSIONOK(qctx->client))) && 7131 !(result == DNS_R_DELEGATION && !qctx->is_zone && 7132 RECURSIONOK(qctx->client)) && 7133 (qctx->client->query.rpz_st == NULL || 7134 (qctx->client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) && 7135 (qctx->client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) 7136 { 7137 dns_rdataset_t nc_rdataset; 7138 bool wouldlog; 7139 dns_fixedname_t fixed; 7140 const dns_name_t *constname; 7141 char log_buf[DNS_RRL_LOG_BUF_LEN]; 7142 isc_result_t nc_result, resp_result; 7143 dns_rrl_result_t rrl_result; 7144 7145 qctx->client->query.attributes |= NS_QUERYATTR_RRL_CHECKED; 7146 7147 wouldlog = isc_log_wouldlog(ns_lctx, DNS_RRL_LOG_DROP); 7148 constname = qctx->fname; 7149 if (result == DNS_R_NXDOMAIN) { 7150 /* 7151 * Use the database origin name to rate limit NXDOMAIN 7152 */ 7153 if (qctx->db != NULL) { 7154 constname = dns_db_origin(qctx->db); 7155 } 7156 resp_result = result; 7157 } else if (result == DNS_R_NCACHENXDOMAIN && 7158 qctx->rdataset != NULL && 7159 dns_rdataset_isassociated(qctx->rdataset) && 7160 (qctx->rdataset->attributes & 7161 DNS_RDATASETATTR_NEGATIVE) != 0) 7162 { 7163 /* 7164 * Try to use owner name in the negative cache SOA. 7165 */ 7166 dns_fixedname_init(&fixed); 7167 dns_rdataset_init(&nc_rdataset); 7168 for (nc_result = dns_rdataset_first(qctx->rdataset); 7169 nc_result == ISC_R_SUCCESS; 7170 nc_result = dns_rdataset_next(qctx->rdataset)) 7171 { 7172 dns_ncache_current(qctx->rdataset, 7173 dns_fixedname_name(&fixed), 7174 &nc_rdataset); 7175 if (nc_rdataset.type == dns_rdatatype_soa) { 7176 dns_rdataset_disassociate(&nc_rdataset); 7177 constname = dns_fixedname_name(&fixed); 7178 break; 7179 } 7180 dns_rdataset_disassociate(&nc_rdataset); 7181 } 7182 resp_result = DNS_R_NXDOMAIN; 7183 } else if (result == DNS_R_NXRRSET || result == DNS_R_EMPTYNAME) 7184 { 7185 resp_result = DNS_R_NXRRSET; 7186 } else if (result == DNS_R_DELEGATION) { 7187 resp_result = result; 7188 } else if (result == ISC_R_NOTFOUND) { 7189 /* 7190 * Handle referral to ".", including when recursion 7191 * is off or not requested and the hints have not 7192 * been loaded. 7193 */ 7194 constname = dns_rootname; 7195 resp_result = DNS_R_DELEGATION; 7196 } else { 7197 resp_result = ISC_R_SUCCESS; 7198 } 7199 7200 rrl_result = dns_rrl( 7201 qctx->view, qctx->zone, &qctx->client->peeraddr, 7202 TCP(qctx->client), qctx->client->message->rdclass, 7203 qctx->qtype, constname, resp_result, qctx->client->now, 7204 wouldlog, log_buf, sizeof(log_buf)); 7205 if (rrl_result != DNS_RRL_RESULT_OK) { 7206 /* 7207 * Log dropped or slipped responses in the query 7208 * category so that requests are not silently lost. 7209 * Starts of rate-limited bursts are logged in 7210 * DNS_LOGCATEGORY_RRL. 7211 * 7212 * Dropped responses are counted with dropped queries 7213 * in QryDropped while slipped responses are counted 7214 * with other truncated responses in RespTruncated. 7215 */ 7216 if (wouldlog) { 7217 ns_client_log(qctx->client, DNS_LOGCATEGORY_RRL, 7218 NS_LOGMODULE_QUERY, 7219 DNS_RRL_LOG_DROP, "%s", log_buf); 7220 } 7221 7222 /* 7223 * If tracing is enabled, format some extra information 7224 * to pass along. 7225 */ 7226 query_trace_rrldrop(qctx, rrl_result); 7227 7228 if (!qctx->view->rrl->log_only) { 7229 if (rrl_result == DNS_RRL_RESULT_DROP) { 7230 /* 7231 * These will also be counted in 7232 * ns_statscounter_dropped 7233 */ 7234 inc_stats(qctx->client, 7235 ns_statscounter_ratedropped); 7236 QUERY_ERROR(qctx, DNS_R_DROP); 7237 } else { 7238 /* 7239 * These will also be counted in 7240 * ns_statscounter_truncatedresp 7241 */ 7242 inc_stats(qctx->client, 7243 ns_statscounter_rateslipped); 7244 if (WANTCOOKIE(qctx->client)) { 7245 qctx->client->message->flags &= 7246 ~DNS_MESSAGEFLAG_AA; 7247 qctx->client->message->flags &= 7248 ~DNS_MESSAGEFLAG_AD; 7249 qctx->client->message->rcode = 7250 dns_rcode_badcookie; 7251 } else { 7252 qctx->client->message->flags |= 7253 DNS_MESSAGEFLAG_TC; 7254 if (resp_result == 7255 DNS_R_NXDOMAIN) 7256 { 7257 qctx->client->message 7258 ->rcode = 7259 dns_rcode_nxdomain; 7260 } 7261 } 7262 } 7263 return DNS_R_DROP; 7264 } 7265 } 7266 } 7267 7268 return ISC_R_SUCCESS; 7269 } 7270 7271 /*% 7272 * Do any RPZ rewriting that may be needed for this query. 7273 */ 7274 static isc_result_t 7275 query_checkrpz(query_ctx_t *qctx, isc_result_t result) { 7276 isc_result_t rresult; 7277 7278 CCTRACE(ISC_LOG_DEBUG(3), "query_checkrpz"); 7279 7280 rresult = rpz_rewrite(qctx->client, qctx->qtype, result, qctx->resuming, 7281 qctx->rdataset, qctx->sigrdataset); 7282 qctx->rpz_st = qctx->client->query.rpz_st; 7283 switch (rresult) { 7284 case ISC_R_SUCCESS: 7285 break; 7286 case ISC_R_NOTFOUND: 7287 case DNS_R_DISALLOWED: 7288 return result; 7289 case DNS_R_DELEGATION: 7290 /* 7291 * recursing for NS names or addresses, 7292 * so save the main query state 7293 */ 7294 INSIST(!RECURSING(qctx->client)); 7295 qctx->rpz_st->q.qtype = qctx->qtype; 7296 qctx->rpz_st->q.is_zone = qctx->is_zone; 7297 qctx->rpz_st->q.authoritative = qctx->authoritative; 7298 SAVE(qctx->rpz_st->q.zone, qctx->zone); 7299 SAVE(qctx->rpz_st->q.db, qctx->db); 7300 SAVE(qctx->rpz_st->q.node, qctx->node); 7301 SAVE(qctx->rpz_st->q.rdataset, qctx->rdataset); 7302 SAVE(qctx->rpz_st->q.sigrdataset, qctx->sigrdataset); 7303 dns_name_copy(qctx->fname, qctx->rpz_st->fname); 7304 qctx->rpz_st->q.result = result; 7305 qctx->client->query.attributes |= NS_QUERYATTR_RECURSING; 7306 return ISC_R_COMPLETE; 7307 default: 7308 QUERY_ERROR(qctx, rresult); 7309 return ISC_R_COMPLETE; 7310 } 7311 7312 if (qctx->rpz_st->m.policy != DNS_RPZ_POLICY_MISS) { 7313 qctx->rpz_st->state |= DNS_RPZ_REWRITTEN; 7314 } 7315 7316 if (qctx->rpz_st->m.policy != DNS_RPZ_POLICY_MISS && 7317 qctx->rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU && 7318 (qctx->rpz_st->m.policy != DNS_RPZ_POLICY_TCP_ONLY || 7319 !TCP(qctx->client)) && 7320 qctx->rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) 7321 { 7322 /* 7323 * We got a hit and are going to answer with our 7324 * fiction. Ensure that we answer with the name 7325 * we looked up even if we were stopped short 7326 * in recursion or for a deferral. 7327 */ 7328 dns_name_copy(qctx->client->query.qname, qctx->fname); 7329 rpz_clean(&qctx->zone, &qctx->db, &qctx->node, NULL); 7330 if (qctx->rpz_st->m.rdataset != NULL) { 7331 ns_client_putrdataset(qctx->client, &qctx->rdataset); 7332 RESTORE(qctx->rdataset, qctx->rpz_st->m.rdataset); 7333 } else { 7334 qctx_clean(qctx); 7335 } 7336 qctx->version = NULL; 7337 7338 RESTORE(qctx->node, qctx->rpz_st->m.node); 7339 RESTORE(qctx->db, qctx->rpz_st->m.db); 7340 RESTORE(qctx->version, qctx->rpz_st->m.version); 7341 RESTORE(qctx->zone, qctx->rpz_st->m.zone); 7342 7343 /* 7344 * Add SOA record to additional section 7345 */ 7346 if (qctx->rpz_st->m.rpz->addsoa) { 7347 rresult = query_addsoa(qctx, UINT32_MAX, 7348 DNS_SECTION_ADDITIONAL); 7349 if (rresult != ISC_R_SUCCESS) { 7350 QUERY_ERROR(qctx, result); 7351 return ISC_R_COMPLETE; 7352 } 7353 } 7354 7355 switch (qctx->rpz_st->m.policy) { 7356 case DNS_RPZ_POLICY_TCP_ONLY: 7357 qctx->client->message->flags |= DNS_MESSAGEFLAG_TC; 7358 if (result == DNS_R_NXDOMAIN || 7359 result == DNS_R_NCACHENXDOMAIN) 7360 { 7361 qctx->client->message->rcode = 7362 dns_rcode_nxdomain; 7363 } 7364 rpz_log_rewrite(qctx->client, false, 7365 qctx->rpz_st->m.policy, 7366 qctx->rpz_st->m.type, qctx->zone, 7367 qctx->rpz_st->p_name, NULL, 7368 qctx->rpz_st->m.rpz->num); 7369 return ISC_R_COMPLETE; 7370 case DNS_RPZ_POLICY_DROP: 7371 QUERY_ERROR(qctx, DNS_R_DROP); 7372 rpz_log_rewrite(qctx->client, false, 7373 qctx->rpz_st->m.policy, 7374 qctx->rpz_st->m.type, qctx->zone, 7375 qctx->rpz_st->p_name, NULL, 7376 qctx->rpz_st->m.rpz->num); 7377 return ISC_R_COMPLETE; 7378 case DNS_RPZ_POLICY_NXDOMAIN: 7379 result = DNS_R_NXDOMAIN; 7380 qctx->nxrewrite = true; 7381 qctx->rpz = true; 7382 break; 7383 case DNS_RPZ_POLICY_NODATA: 7384 qctx->nxrewrite = true; 7385 FALLTHROUGH; 7386 case DNS_RPZ_POLICY_DNS64: 7387 result = DNS_R_NXRRSET; 7388 qctx->rpz = true; 7389 break; 7390 case DNS_RPZ_POLICY_RECORD: 7391 result = qctx->rpz_st->m.result; 7392 if (qctx->qtype == dns_rdatatype_any && 7393 result != DNS_R_CNAME) 7394 { 7395 /* 7396 * We will add all of the rdatasets of 7397 * the node by iterating later, 7398 * and set the TTL then. 7399 */ 7400 if (dns_rdataset_isassociated(qctx->rdataset)) { 7401 dns_rdataset_disassociate( 7402 qctx->rdataset); 7403 } 7404 } else { 7405 /* 7406 * We will add this rdataset. 7407 */ 7408 qctx->rdataset->ttl = 7409 ISC_MIN(qctx->rdataset->ttl, 7410 qctx->rpz_st->m.ttl); 7411 } 7412 qctx->rpz = true; 7413 break; 7414 case DNS_RPZ_POLICY_WILDCNAME: { 7415 dns_rdata_t rdata = DNS_RDATA_INIT; 7416 dns_rdata_cname_t cname; 7417 result = dns_rdataset_first(qctx->rdataset); 7418 RUNTIME_CHECK(result == ISC_R_SUCCESS); 7419 dns_rdataset_current(qctx->rdataset, &rdata); 7420 result = dns_rdata_tostruct(&rdata, &cname, NULL); 7421 RUNTIME_CHECK(result == ISC_R_SUCCESS); 7422 dns_rdata_reset(&rdata); 7423 result = query_rpzcname(qctx, &cname.cname); 7424 if (result != ISC_R_SUCCESS) { 7425 return ISC_R_COMPLETE; 7426 } 7427 qctx->fname = NULL; 7428 qctx->want_restart = true; 7429 return ISC_R_COMPLETE; 7430 } 7431 case DNS_RPZ_POLICY_CNAME: 7432 /* 7433 * Add overriding CNAME from a named.conf 7434 * response-policy statement 7435 */ 7436 result = query_rpzcname(qctx, 7437 &qctx->rpz_st->m.rpz->cname); 7438 if (result != ISC_R_SUCCESS) { 7439 return ISC_R_COMPLETE; 7440 } 7441 qctx->fname = NULL; 7442 qctx->want_restart = true; 7443 return ISC_R_COMPLETE; 7444 default: 7445 UNREACHABLE(); 7446 } 7447 7448 if (qctx->rpz_st->m.rpz->ede != 0 && 7449 qctx->rpz_st->m.rpz->ede != UINT16_MAX) 7450 { 7451 ns_client_extendederror(qctx->client, 7452 qctx->rpz_st->m.rpz->ede, NULL); 7453 } 7454 7455 /* 7456 * Turn off DNSSEC because the results of a 7457 * response policy zone cannot verify. 7458 */ 7459 qctx->client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | 7460 NS_CLIENTATTR_WANTAD); 7461 qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AD; 7462 ns_client_putrdataset(qctx->client, &qctx->sigrdataset); 7463 qctx->rpz_st->q.is_zone = qctx->is_zone; 7464 qctx->is_zone = true; 7465 rpz_log_rewrite(qctx->client, false, qctx->rpz_st->m.policy, 7466 qctx->rpz_st->m.type, qctx->zone, 7467 qctx->rpz_st->p_name, NULL, 7468 qctx->rpz_st->m.rpz->num); 7469 } 7470 7471 return result; 7472 } 7473 7474 /*% 7475 * Add a CNAME to a query response, including translating foo.evil.com and 7476 * *.evil.com CNAME *.example.com 7477 * to 7478 * foo.evil.com CNAME foo.evil.com.example.com 7479 */ 7480 static isc_result_t 7481 query_rpzcname(query_ctx_t *qctx, dns_name_t *cname) { 7482 ns_client_t *client; 7483 dns_fixedname_t prefix, suffix; 7484 unsigned int labels; 7485 isc_result_t result; 7486 7487 REQUIRE(qctx != NULL && qctx->client != NULL); 7488 7489 client = qctx->client; 7490 7491 CTRACE(ISC_LOG_DEBUG(3), "query_rpzcname"); 7492 7493 labels = dns_name_countlabels(cname); 7494 if (labels > 2 && dns_name_iswildcard(cname)) { 7495 dns_fixedname_init(&prefix); 7496 dns_name_split(client->query.qname, 1, 7497 dns_fixedname_name(&prefix), NULL); 7498 dns_fixedname_init(&suffix); 7499 dns_name_split(cname, labels - 1, NULL, 7500 dns_fixedname_name(&suffix)); 7501 result = dns_name_concatenate(dns_fixedname_name(&prefix), 7502 dns_fixedname_name(&suffix), 7503 qctx->fname, NULL); 7504 if (result == DNS_R_NAMETOOLONG) { 7505 client->message->rcode = dns_rcode_yxdomain; 7506 } else if (result != ISC_R_SUCCESS) { 7507 return result; 7508 } 7509 } else { 7510 dns_name_copy(cname, qctx->fname); 7511 } 7512 7513 ns_client_keepname(client, qctx->fname, qctx->dbuf); 7514 query_addcname(qctx, dns_trust_authanswer, qctx->rpz_st->m.ttl); 7515 7516 rpz_log_rewrite(client, false, qctx->rpz_st->m.policy, 7517 qctx->rpz_st->m.type, qctx->rpz_st->m.zone, 7518 qctx->rpz_st->p_name, qctx->fname, 7519 qctx->rpz_st->m.rpz->num); 7520 7521 ns_client_qnamereplace(client, qctx->fname); 7522 7523 /* 7524 * Turn off DNSSEC because the results of a 7525 * response policy zone cannot verify. 7526 */ 7527 client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC | 7528 NS_CLIENTATTR_WANTAD); 7529 7530 return ISC_R_SUCCESS; 7531 } 7532 7533 /*% 7534 * Check the configured trust anchors for a root zone trust anchor 7535 * with a key id that matches qctx->client->query.root_key_sentinel_keyid. 7536 * 7537 * Return true when found, otherwise return false. 7538 */ 7539 static bool 7540 has_ta(query_ctx_t *qctx) { 7541 dns_keytable_t *keytable = NULL; 7542 dns_keynode_t *keynode = NULL; 7543 dns_rdataset_t dsset; 7544 dns_keytag_t sentinel = qctx->client->query.root_key_sentinel_keyid; 7545 isc_result_t result; 7546 7547 result = dns_view_getsecroots(qctx->view, &keytable); 7548 if (result != ISC_R_SUCCESS) { 7549 return false; 7550 } 7551 7552 result = dns_keytable_find(keytable, dns_rootname, &keynode); 7553 if (result != ISC_R_SUCCESS) { 7554 if (keynode != NULL) { 7555 dns_keynode_detach(&keynode); 7556 } 7557 dns_keytable_detach(&keytable); 7558 return false; 7559 } 7560 7561 dns_rdataset_init(&dsset); 7562 if (dns_keynode_dsset(keynode, &dsset)) { 7563 for (result = dns_rdataset_first(&dsset); 7564 result == ISC_R_SUCCESS; 7565 result = dns_rdataset_next(&dsset)) 7566 { 7567 dns_rdata_t rdata = DNS_RDATA_INIT; 7568 dns_rdata_ds_t ds; 7569 7570 dns_rdata_reset(&rdata); 7571 dns_rdataset_current(&dsset, &rdata); 7572 result = dns_rdata_tostruct(&rdata, &ds, NULL); 7573 RUNTIME_CHECK(result == ISC_R_SUCCESS); 7574 if (ds.key_tag == sentinel) { 7575 dns_keynode_detach(&keynode); 7576 dns_keytable_detach(&keytable); 7577 dns_rdataset_disassociate(&dsset); 7578 return true; 7579 } 7580 } 7581 dns_rdataset_disassociate(&dsset); 7582 } 7583 7584 if (keynode != NULL) { 7585 dns_keynode_detach(&keynode); 7586 } 7587 7588 dns_keytable_detach(&keytable); 7589 7590 return false; 7591 } 7592 7593 /*% 7594 * Check if a root key sentinel SERVFAIL should be returned. 7595 */ 7596 static bool 7597 root_key_sentinel_return_servfail(query_ctx_t *qctx, isc_result_t result) { 7598 /* 7599 * Are we looking at a "root-key-sentinel" query? 7600 */ 7601 if (!qctx->client->query.root_key_sentinel_is_ta && 7602 !qctx->client->query.root_key_sentinel_not_ta) 7603 { 7604 return false; 7605 } 7606 7607 /* 7608 * We only care about the query if 'result' indicates we have a cached 7609 * answer. 7610 */ 7611 switch (result) { 7612 case ISC_R_SUCCESS: 7613 case DNS_R_CNAME: 7614 case DNS_R_DNAME: 7615 case DNS_R_NCACHENXDOMAIN: 7616 case DNS_R_NCACHENXRRSET: 7617 break; 7618 default: 7619 return false; 7620 } 7621 7622 /* 7623 * Do we meet the specified conditions to return SERVFAIL? 7624 */ 7625 if (!qctx->is_zone && qctx->rdataset->trust == dns_trust_secure && 7626 ((qctx->client->query.root_key_sentinel_is_ta && !has_ta(qctx)) || 7627 (qctx->client->query.root_key_sentinel_not_ta && has_ta(qctx)))) 7628 { 7629 return true; 7630 } 7631 7632 /* 7633 * As special processing may only be triggered by the original QNAME, 7634 * disable it after following a CNAME/DNAME. 7635 */ 7636 qctx->client->query.root_key_sentinel_is_ta = false; 7637 qctx->client->query.root_key_sentinel_not_ta = false; 7638 7639 return false; 7640 } 7641 7642 /*% 7643 * If serving stale answers is allowed, set up 'qctx' to look for one and 7644 * return true; otherwise, return false. 7645 */ 7646 static bool 7647 query_usestale(query_ctx_t *qctx, isc_result_t result) { 7648 if ((qctx->client->query.dboptions & DNS_DBFIND_STALEOK) != 0) { 7649 /* 7650 * Query was already using stale, if that didn't work the 7651 * last time, it won't work this time either. 7652 */ 7653 return false; 7654 } 7655 7656 if (result == DNS_R_DUPLICATE || result == DNS_R_DROP) { 7657 /* 7658 * Don't enable serve-stale if the result signals a duplicate 7659 * query or query that is being dropped. 7660 */ 7661 return false; 7662 } 7663 7664 qctx_clean(qctx); 7665 qctx_freedata(qctx); 7666 7667 if (dns_view_staleanswerenabled(qctx->client->view)) { 7668 isc_result_t ret; 7669 ret = query_getdb(qctx->client, qctx->client->query.qname, 7670 qctx->client->query.qtype, qctx->options, 7671 &qctx->zone, &qctx->db, &qctx->version, 7672 &qctx->is_zone); 7673 if (ret != ISC_R_SUCCESS) { 7674 /* 7675 * Failed to get the database, unexpected, but let us 7676 * at least abandon serve-stale. 7677 */ 7678 return false; 7679 } 7680 7681 qctx->client->query.dboptions |= DNS_DBFIND_STALEOK; 7682 if (FETCH_RECTYPE_NORMAL(qctx->client) != NULL) { 7683 dns_resolver_destroyfetch( 7684 &FETCH_RECTYPE_NORMAL(qctx->client)); 7685 } 7686 7687 /* 7688 * Start the stale-refresh-time window in case there was a 7689 * resolver query timeout. 7690 */ 7691 if (qctx->resuming && result == ISC_R_TIMEDOUT) { 7692 qctx->client->query.dboptions |= DNS_DBFIND_STALESTART; 7693 } 7694 return true; 7695 } 7696 7697 return false; 7698 } 7699 7700 /*% 7701 * Continue after doing a database lookup or returning from 7702 * recursion, and call out to the next function depending on the 7703 * result from the search. 7704 */ 7705 static isc_result_t 7706 query_gotanswer(query_ctx_t *qctx, isc_result_t result) { 7707 char errmsg[256]; 7708 7709 CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer"); 7710 7711 CALL_HOOK(NS_QUERY_GOT_ANSWER_BEGIN, qctx); 7712 7713 if (query_checkrrl(qctx, result) != ISC_R_SUCCESS) { 7714 return ns_query_done(qctx); 7715 } 7716 7717 if (!dns_name_equal(qctx->client->query.qname, dns_rootname)) { 7718 result = query_checkrpz(qctx, result); 7719 if (result == ISC_R_NOTFOUND) { 7720 /* 7721 * RPZ not configured for this view. 7722 */ 7723 goto root_key_sentinel; 7724 } 7725 if (RECURSING(qctx->client) && result == DNS_R_DISALLOWED) { 7726 /* 7727 * We are recursing, and thus RPZ processing is not 7728 * allowed at the moment. This could happen on a 7729 * "stale-answer-client-timeout" lookup. In this case, 7730 * bail out and wait for recursion to complete, as we 7731 * we can't perform the RPZ rewrite rules. 7732 */ 7733 return result; 7734 } 7735 if (result == ISC_R_COMPLETE) { 7736 return ns_query_done(qctx); 7737 } 7738 } 7739 7740 root_key_sentinel: 7741 /* 7742 * If required, handle special "root-key-sentinel-is-ta-<keyid>" and 7743 * "root-key-sentinel-not-ta-<keyid>" labels by returning SERVFAIL. 7744 */ 7745 if (root_key_sentinel_return_servfail(qctx, result)) { 7746 /* 7747 * Don't record this response in the SERVFAIL cache. 7748 */ 7749 qctx->client->attributes |= NS_CLIENTATTR_NOSETFC; 7750 QUERY_ERROR(qctx, DNS_R_SERVFAIL); 7751 return ns_query_done(qctx); 7752 } 7753 7754 switch (result) { 7755 case ISC_R_SUCCESS: 7756 return query_prepresponse(qctx); 7757 7758 case DNS_R_GLUE: 7759 case DNS_R_ZONECUT: 7760 INSIST(qctx->is_zone); 7761 qctx->authoritative = false; 7762 return query_prepresponse(qctx); 7763 7764 case ISC_R_NOTFOUND: 7765 return query_notfound(qctx); 7766 7767 case DNS_R_DELEGATION: 7768 return query_delegation(qctx); 7769 7770 case DNS_R_EMPTYNAME: 7771 case DNS_R_NXRRSET: 7772 return query_nodata(qctx, result); 7773 7774 case DNS_R_EMPTYWILD: 7775 case DNS_R_NXDOMAIN: 7776 return query_nxdomain(qctx, result); 7777 7778 case DNS_R_COVERINGNSEC: 7779 return query_coveringnsec(qctx); 7780 7781 case DNS_R_NCACHENXDOMAIN: 7782 result = query_redirect(qctx, result); 7783 if (result != ISC_R_COMPLETE) { 7784 return result; 7785 } 7786 return query_ncache(qctx, DNS_R_NCACHENXDOMAIN); 7787 7788 case DNS_R_NCACHENXRRSET: 7789 return query_ncache(qctx, DNS_R_NCACHENXRRSET); 7790 7791 case DNS_R_CNAME: 7792 return query_cname(qctx); 7793 7794 case DNS_R_DNAME: 7795 return query_dname(qctx); 7796 7797 default: 7798 /* 7799 * Something has gone wrong. 7800 */ 7801 snprintf(errmsg, sizeof(errmsg) - 1, 7802 "query_gotanswer: unexpected error: %s", 7803 isc_result_totext(result)); 7804 CCTRACE(ISC_LOG_ERROR, errmsg); 7805 if (query_usestale(qctx, result)) { 7806 /* 7807 * If serve-stale is enabled, query_usestale() already 7808 * set up 'qctx' for looking up a stale response. 7809 */ 7810 return query_lookup(qctx); 7811 } 7812 7813 /* 7814 * Regardless of the triggering result, we definitely 7815 * want to return SERVFAIL from here. 7816 */ 7817 qctx->client->rcode_override = dns_rcode_servfail; 7818 7819 QUERY_ERROR(qctx, result); 7820 return ns_query_done(qctx); 7821 } 7822 7823 cleanup: 7824 return result; 7825 } 7826 7827 static void 7828 query_addnoqnameproof(query_ctx_t *qctx) { 7829 ns_client_t *client = qctx->client; 7830 isc_buffer_t *dbuf, b; 7831 dns_name_t *fname = NULL; 7832 dns_rdataset_t *neg = NULL, *negsig = NULL; 7833 isc_result_t result = ISC_R_NOMEMORY; 7834 7835 CTRACE(ISC_LOG_DEBUG(3), "query_addnoqnameproof"); 7836 7837 if (qctx->noqname == NULL) { 7838 return; 7839 } 7840 7841 dbuf = ns_client_getnamebuf(client); 7842 fname = ns_client_newname(client, dbuf, &b); 7843 neg = ns_client_newrdataset(client); 7844 negsig = ns_client_newrdataset(client); 7845 7846 result = dns_rdataset_getnoqname(qctx->noqname, fname, neg, negsig); 7847 RUNTIME_CHECK(result == ISC_R_SUCCESS); 7848 7849 query_addrrset(qctx, &fname, &neg, &negsig, dbuf, 7850 DNS_SECTION_AUTHORITY); 7851 7852 if ((qctx->noqname->attributes & DNS_RDATASETATTR_CLOSEST) == 0) { 7853 goto cleanup; 7854 } 7855 7856 if (fname == NULL) { 7857 dbuf = ns_client_getnamebuf(client); 7858 fname = ns_client_newname(client, dbuf, &b); 7859 } 7860 7861 if (neg == NULL) { 7862 neg = ns_client_newrdataset(client); 7863 } else if (dns_rdataset_isassociated(neg)) { 7864 dns_rdataset_disassociate(neg); 7865 } 7866 7867 if (negsig == NULL) { 7868 negsig = ns_client_newrdataset(client); 7869 } else if (dns_rdataset_isassociated(negsig)) { 7870 dns_rdataset_disassociate(negsig); 7871 } 7872 7873 result = dns_rdataset_getclosest(qctx->noqname, fname, neg, negsig); 7874 RUNTIME_CHECK(result == ISC_R_SUCCESS); 7875 7876 query_addrrset(qctx, &fname, &neg, &negsig, dbuf, 7877 DNS_SECTION_AUTHORITY); 7878 7879 cleanup: 7880 if (neg != NULL) { 7881 ns_client_putrdataset(client, &neg); 7882 } 7883 if (negsig != NULL) { 7884 ns_client_putrdataset(client, &negsig); 7885 } 7886 if (fname != NULL) { 7887 ns_client_releasename(client, &fname); 7888 } 7889 } 7890 7891 /*% 7892 * Build the response for a query for type ANY. 7893 */ 7894 static isc_result_t 7895 query_respond_any(query_ctx_t *qctx) { 7896 bool found = false, hidden = false; 7897 dns_rdatasetiter_t *rdsiter = NULL; 7898 isc_result_t result = ISC_R_UNSET; 7899 dns_rdatatype_t onetype = 0; /* type to use for minimal-any */ 7900 isc_buffer_t b; 7901 7902 CCTRACE(ISC_LOG_DEBUG(3), "query_respond_any"); 7903 7904 CALL_HOOK(NS_QUERY_RESPOND_ANY_BEGIN, qctx); 7905 7906 result = dns_db_allrdatasets(qctx->db, qctx->node, qctx->version, 0, 0, 7907 &rdsiter); 7908 if (result != ISC_R_SUCCESS) { 7909 CCTRACE(ISC_LOG_ERROR, "query_respond_any: allrdatasets " 7910 "failed"); 7911 QUERY_ERROR(qctx, result); 7912 return ns_query_done(qctx); 7913 } 7914 7915 /* 7916 * Calling query_addrrset() with a non-NULL dbuf is going 7917 * to either keep or release the name. We don't want it to 7918 * release fname, since we may have to call query_addrrset() 7919 * more than once. That means we have to call ns_client_keepname() 7920 * now, and pass a NULL dbuf to query_addrrset(). 7921 * 7922 * If we do a query_addrrset() below, we must set qctx->fname to 7923 * NULL before leaving this block, otherwise we might try to 7924 * cleanup qctx->fname even though we're using it! 7925 */ 7926 ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); 7927 qctx->tname = qctx->fname; 7928 7929 result = dns_rdatasetiter_first(rdsiter); 7930 while (result == ISC_R_SUCCESS) { 7931 dns_rdatasetiter_current(rdsiter, qctx->rdataset); 7932 7933 /* 7934 * We found an NS RRset; no need to add one later. 7935 */ 7936 if (qctx->qtype == dns_rdatatype_any && 7937 qctx->rdataset->type == dns_rdatatype_ns) 7938 { 7939 qctx->answer_has_ns = true; 7940 } 7941 7942 /* 7943 * Note: if we're in this function, then qctx->type 7944 * is guaranteed to be ANY, but qctx->qtype (i.e. the 7945 * original type requested) might have been RRSIG or 7946 * SIG; we need to check for that. 7947 */ 7948 if (qctx->is_zone && qctx->qtype == dns_rdatatype_any && 7949 !dns_db_issecure(qctx->db) && 7950 dns_rdatatype_isdnssec(qctx->rdataset->type)) 7951 { 7952 /* 7953 * The zone may be transitioning from insecure 7954 * to secure. Hide DNSSEC records from ANY queries. 7955 */ 7956 dns_rdataset_disassociate(qctx->rdataset); 7957 hidden = true; 7958 } else if (qctx->view->minimal_any && !TCP(qctx->client) && 7959 !WANTDNSSEC(qctx->client) && 7960 qctx->qtype == dns_rdatatype_any && 7961 (qctx->rdataset->type == dns_rdatatype_sig || 7962 qctx->rdataset->type == dns_rdatatype_rrsig)) 7963 { 7964 CCTRACE(ISC_LOG_DEBUG(5), "query_respond_any: " 7965 "minimal-any skip signature"); 7966 dns_rdataset_disassociate(qctx->rdataset); 7967 } else if (qctx->view->minimal_any && !TCP(qctx->client) && 7968 onetype != 0 && qctx->rdataset->type != onetype && 7969 qctx->rdataset->covers != onetype) 7970 { 7971 CCTRACE(ISC_LOG_DEBUG(5), "query_respond_any: " 7972 "minimal-any skip rdataset"); 7973 dns_rdataset_disassociate(qctx->rdataset); 7974 } else if ((qctx->qtype == dns_rdatatype_any || 7975 qctx->rdataset->type == qctx->qtype) && 7976 qctx->rdataset->type != 0) 7977 { 7978 if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client)) 7979 { 7980 qctx->noqname = qctx->rdataset; 7981 } else { 7982 qctx->noqname = NULL; 7983 } 7984 7985 qctx->rpz_st = qctx->client->query.rpz_st; 7986 if (qctx->rpz_st != NULL) { 7987 qctx->rdataset->ttl = 7988 ISC_MIN(qctx->rdataset->ttl, 7989 qctx->rpz_st->m.ttl); 7990 } 7991 7992 if (!qctx->is_zone && RECURSIONOK(qctx->client)) { 7993 dns_name_t *name; 7994 name = (qctx->fname != NULL) ? qctx->fname 7995 : qctx->tname; 7996 query_prefetch(qctx->client, name, 7997 qctx->rdataset); 7998 } 7999 8000 /* 8001 * Remember the first RRtype we find so we 8002 * can skip others with minimal-any. 8003 */ 8004 if (qctx->rdataset->type == dns_rdatatype_sig || 8005 qctx->rdataset->type == dns_rdatatype_rrsig) 8006 { 8007 onetype = qctx->rdataset->covers; 8008 } else { 8009 onetype = qctx->rdataset->type; 8010 } 8011 8012 query_addrrset(qctx, 8013 (qctx->fname != NULL) ? &qctx->fname 8014 : &qctx->tname, 8015 &qctx->rdataset, NULL, NULL, 8016 DNS_SECTION_ANSWER); 8017 8018 query_addnoqnameproof(qctx); 8019 8020 found = true; 8021 INSIST(qctx->tname != NULL); 8022 8023 /* 8024 * rdataset is non-NULL only in certain 8025 * pathological cases involving DNAMEs. 8026 */ 8027 if (qctx->rdataset != NULL) { 8028 ns_client_putrdataset(qctx->client, 8029 &qctx->rdataset); 8030 } 8031 8032 qctx->rdataset = ns_client_newrdataset(qctx->client); 8033 } else { 8034 /* 8035 * We're not interested in this rdataset. 8036 */ 8037 dns_rdataset_disassociate(qctx->rdataset); 8038 } 8039 8040 result = dns_rdatasetiter_next(rdsiter); 8041 } 8042 8043 dns_rdatasetiter_destroy(&rdsiter); 8044 8045 if (result != ISC_R_NOMORE) { 8046 CCTRACE(ISC_LOG_ERROR, "query_respond_any: rdataset iterator " 8047 "failed"); 8048 QUERY_ERROR(qctx, DNS_R_SERVFAIL); 8049 return ns_query_done(qctx); 8050 } 8051 8052 if (found) { 8053 /* 8054 * Call hook if any answers were found. 8055 * Do this before releasing qctx->fname, in case 8056 * the hook function needs it. 8057 */ 8058 CALL_HOOK(NS_QUERY_RESPOND_ANY_FOUND, qctx); 8059 } 8060 8061 if (qctx->fname != NULL) { 8062 dns_message_puttempname(qctx->client->message, &qctx->fname); 8063 } 8064 8065 if (found) { 8066 /* 8067 * At least one matching rdataset was found 8068 */ 8069 query_addauth(qctx); 8070 } else if (qctx->qtype == dns_rdatatype_rrsig || 8071 qctx->qtype == dns_rdatatype_sig) 8072 { 8073 /* 8074 * No matching rdatasets were found, but we got 8075 * here on a search for RRSIG/SIG, so that's okay. 8076 */ 8077 if (!qctx->is_zone) { 8078 qctx->authoritative = false; 8079 qctx->client->attributes &= ~NS_CLIENTATTR_RA; 8080 query_addauth(qctx); 8081 return ns_query_done(qctx); 8082 } 8083 8084 if (qctx->qtype == dns_rdatatype_rrsig && 8085 dns_db_issecure(qctx->db)) 8086 { 8087 char namebuf[DNS_NAME_FORMATSIZE]; 8088 dns_name_format(qctx->client->query.qname, namebuf, 8089 sizeof(namebuf)); 8090 ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC, 8091 NS_LOGMODULE_QUERY, ISC_LOG_WARNING, 8092 "missing signature for %s", namebuf); 8093 } 8094 8095 qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b); 8096 return query_sign_nodata(qctx); 8097 } else if (!hidden) { 8098 /* 8099 * No matching rdatasets were found and nothing was 8100 * deliberately hidden: something must have gone wrong. 8101 */ 8102 QUERY_ERROR(qctx, DNS_R_SERVFAIL); 8103 } 8104 8105 return ns_query_done(qctx); 8106 8107 cleanup: 8108 return result; 8109 } 8110 8111 /* 8112 * Set the expire time, if requested, when answering from a secondary, 8113 * mirror, or primary zone. 8114 */ 8115 static void 8116 query_getexpire(query_ctx_t *qctx) { 8117 dns_zone_t *raw = NULL, *mayberaw; 8118 8119 CCTRACE(ISC_LOG_DEBUG(3), "query_getexpire"); 8120 8121 if (qctx->zone == NULL || !qctx->is_zone || 8122 qctx->qtype != dns_rdatatype_soa || 8123 qctx->client->query.restarts != 0 || 8124 (qctx->client->attributes & NS_CLIENTATTR_WANTEXPIRE) == 0) 8125 { 8126 return; 8127 } 8128 8129 dns_zone_getraw(qctx->zone, &raw); 8130 mayberaw = (raw != NULL) ? raw : qctx->zone; 8131 8132 if (dns_zone_gettype(mayberaw) == dns_zone_secondary || 8133 dns_zone_gettype(mayberaw) == dns_zone_mirror) 8134 { 8135 isc_time_t expiretime; 8136 uint32_t secs; 8137 dns_zone_getexpiretime(qctx->zone, &expiretime); 8138 secs = isc_time_seconds(&expiretime); 8139 if (secs >= qctx->client->now && qctx->result == ISC_R_SUCCESS) 8140 { 8141 qctx->client->attributes |= NS_CLIENTATTR_HAVEEXPIRE; 8142 qctx->client->expire = secs - qctx->client->now; 8143 } 8144 } else if (dns_zone_gettype(mayberaw) == dns_zone_primary) { 8145 isc_result_t result; 8146 dns_rdata_t rdata = DNS_RDATA_INIT; 8147 dns_rdata_soa_t soa; 8148 8149 result = dns_rdataset_first(qctx->rdataset); 8150 RUNTIME_CHECK(result == ISC_R_SUCCESS); 8151 8152 dns_rdataset_current(qctx->rdataset, &rdata); 8153 result = dns_rdata_tostruct(&rdata, &soa, NULL); 8154 RUNTIME_CHECK(result == ISC_R_SUCCESS); 8155 8156 qctx->client->expire = soa.expire; 8157 qctx->client->attributes |= NS_CLIENTATTR_HAVEEXPIRE; 8158 } 8159 8160 if (raw != NULL) { 8161 dns_zone_detach(&raw); 8162 } 8163 } 8164 8165 /*% 8166 * Fill the ANSWER section of a positive response. 8167 */ 8168 static isc_result_t 8169 query_addanswer(query_ctx_t *qctx) { 8170 dns_rdataset_t **sigrdatasetp = NULL; 8171 isc_result_t result = ISC_R_UNSET; 8172 8173 CCTRACE(ISC_LOG_DEBUG(3), "query_addanswer"); 8174 8175 CALL_HOOK(NS_QUERY_ADDANSWER_BEGIN, qctx); 8176 8177 /* 8178 * On normal lookups, clear any rdatasets that were added on a 8179 * lookup due to stale-answer-client-timeout. Do not clear if we 8180 * are going to refresh the RRset, because the stale contents are 8181 * prioritized. 8182 */ 8183 if (QUERY_STALEOK(&qctx->client->query) && 8184 !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset) 8185 { 8186 CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale"); 8187 query_clear_stale(qctx->client); 8188 /* 8189 * We can clear the attribute to prevent redundant clearing 8190 * in subsequent lookups. 8191 */ 8192 qctx->client->query.attributes &= ~NS_QUERYATTR_STALEOK; 8193 } 8194 8195 if (qctx->dns64) { 8196 result = query_dns64(qctx); 8197 qctx->noqname = NULL; 8198 dns_rdataset_disassociate(qctx->rdataset); 8199 dns_message_puttemprdataset(qctx->client->message, 8200 &qctx->rdataset); 8201 if (result == ISC_R_NOMORE) { 8202 #ifndef dns64_bis_return_excluded_addresses 8203 if (qctx->dns64_exclude) { 8204 if (!qctx->is_zone) { 8205 return ns_query_done(qctx); 8206 } 8207 /* 8208 * Add a fake SOA record. 8209 */ 8210 (void)query_addsoa(qctx, 600, 8211 DNS_SECTION_AUTHORITY); 8212 return ns_query_done(qctx); 8213 } 8214 #endif /* ifndef dns64_bis_return_excluded_addresses */ 8215 if (qctx->is_zone) { 8216 return query_nodata(qctx, DNS_R_NXDOMAIN); 8217 } else { 8218 return query_ncache(qctx, DNS_R_NXDOMAIN); 8219 } 8220 } else if (result != ISC_R_SUCCESS) { 8221 qctx->result = result; 8222 return ns_query_done(qctx); 8223 } 8224 } else if (qctx->client->query.dns64_aaaaok != NULL) { 8225 query_filter64(qctx); 8226 ns_client_putrdataset(qctx->client, &qctx->rdataset); 8227 } else { 8228 if (!qctx->is_zone && RECURSIONOK(qctx->client) && 8229 !QUERY_STALETIMEOUT(&qctx->client->query)) 8230 { 8231 query_prefetch(qctx->client, qctx->fname, 8232 qctx->rdataset); 8233 } 8234 if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) { 8235 sigrdatasetp = &qctx->sigrdataset; 8236 } 8237 query_addrrset(qctx, &qctx->fname, &qctx->rdataset, 8238 sigrdatasetp, qctx->dbuf, DNS_SECTION_ANSWER); 8239 } 8240 8241 return ISC_R_COMPLETE; 8242 8243 cleanup: 8244 return result; 8245 } 8246 8247 /*% 8248 * Build a response for a "normal" query, for a type other than ANY, 8249 * for which we have an answer (either positive or negative). 8250 */ 8251 static isc_result_t 8252 query_respond(query_ctx_t *qctx) { 8253 isc_result_t result = ISC_R_UNSET; 8254 8255 CCTRACE(ISC_LOG_DEBUG(3), "query_respond"); 8256 8257 /* 8258 * Check to see if the AAAA RRset has non-excluded addresses 8259 * in it. If not look for a A RRset. 8260 */ 8261 INSIST(qctx->client->query.dns64_aaaaok == NULL); 8262 8263 if (qctx->qtype == dns_rdatatype_aaaa && !qctx->dns64_exclude && 8264 !ISC_LIST_EMPTY(qctx->view->dns64) && 8265 qctx->client->message->rdclass == dns_rdataclass_in && 8266 !dns64_aaaaok(qctx->client, qctx->rdataset, qctx->sigrdataset)) 8267 { 8268 /* 8269 * Look to see if there are A records for this name. 8270 */ 8271 qctx->client->query.dns64_ttl = qctx->rdataset->ttl; 8272 SAVE(qctx->client->query.dns64_aaaa, qctx->rdataset); 8273 SAVE(qctx->client->query.dns64_sigaaaa, qctx->sigrdataset); 8274 ns_client_releasename(qctx->client, &qctx->fname); 8275 dns_db_detachnode(qctx->db, &qctx->node); 8276 qctx->type = qctx->qtype = dns_rdatatype_a; 8277 qctx->dns64_exclude = qctx->dns64 = true; 8278 8279 return query_lookup(qctx); 8280 } 8281 8282 /* 8283 * XXX: This hook is meant to be at the top of this function, 8284 * but is postponed until after DNS64 in order to avoid an 8285 * assertion if the hook causes recursion. (When DNS64 also 8286 * becomes a plugin, it will be necessary to find some 8287 * other way to prevent that assertion, since the order in 8288 * which plugins are configured can't be enforced.) 8289 */ 8290 CALL_HOOK(NS_QUERY_RESPOND_BEGIN, qctx); 8291 8292 if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client)) { 8293 qctx->noqname = qctx->rdataset; 8294 } else { 8295 qctx->noqname = NULL; 8296 } 8297 8298 /* 8299 * Special case NS handling 8300 */ 8301 if (qctx->is_zone && qctx->qtype == dns_rdatatype_ns) { 8302 /* 8303 * We've already got an NS, no need to add one in 8304 * the authority section 8305 */ 8306 if (dns_name_equal(qctx->client->query.qname, 8307 dns_db_origin(qctx->db))) 8308 { 8309 qctx->answer_has_ns = true; 8310 } 8311 8312 /* 8313 * Always add glue for root priming queries, regardless 8314 * of "minimal-responses" setting. 8315 */ 8316 if (dns_name_equal(qctx->client->query.qname, dns_rootname)) { 8317 qctx->client->query.attributes &= 8318 ~NS_QUERYATTR_NOADDITIONAL; 8319 dns_db_attach(qctx->db, &qctx->client->query.gluedb); 8320 } 8321 } 8322 8323 /* 8324 * Set expire time 8325 */ 8326 query_getexpire(qctx); 8327 8328 result = query_addanswer(qctx); 8329 if (result != ISC_R_COMPLETE) { 8330 return result; 8331 } 8332 8333 query_addnoqnameproof(qctx); 8334 8335 /* 8336 * 'qctx->rdataset' will only be non-NULL here if the ANSWER section of 8337 * the message to be sent to the client already contains an RRset with 8338 * the same owner name and the same type as 'qctx->rdataset'. This 8339 * should never happen, with one exception: when chasing DNAME records, 8340 * one of the DNAME records placed in the ANSWER section may turn out 8341 * to be the final answer to the client's query, but we have no way of 8342 * knowing that until now. In such a case, 'qctx->rdataset' will be 8343 * freed later, so we do not need to free it here. 8344 */ 8345 INSIST(qctx->rdataset == NULL || qctx->qtype == dns_rdatatype_dname); 8346 8347 query_addauth(qctx); 8348 8349 return ns_query_done(qctx); 8350 8351 cleanup: 8352 return result; 8353 } 8354 8355 static isc_result_t 8356 query_dns64(query_ctx_t *qctx) { 8357 ns_client_t *client = qctx->client; 8358 dns_aclenv_t *env = client->manager->aclenv; 8359 dns_name_t *name, *mname; 8360 dns_rdata_t *dns64_rdata; 8361 dns_rdata_t rdata = DNS_RDATA_INIT; 8362 dns_rdatalist_t *dns64_rdatalist; 8363 dns_rdataset_t *dns64_rdataset; 8364 dns_rdataset_t *mrdataset; 8365 isc_buffer_t *buffer; 8366 isc_region_t r; 8367 isc_result_t result; 8368 dns_view_t *view = client->view; 8369 isc_netaddr_t netaddr; 8370 dns_dns64_t *dns64; 8371 unsigned int flags = 0; 8372 const dns_section_t section = DNS_SECTION_ANSWER; 8373 8374 /*% 8375 * To the current response for 'qctx->client', add the answer RRset 8376 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with 8377 * owner name '*namep', to the answer section, unless they are 8378 * already there. Also add any pertinent additional data. 8379 * 8380 * If 'qctx->dbuf' is not NULL, then 'qctx->fname' is the name 8381 * whose data is stored 'qctx->dbuf'. In this case, 8382 * query_addrrset() guarantees that when it returns the name 8383 * will either have been kept or released. 8384 */ 8385 CTRACE(ISC_LOG_DEBUG(3), "query_dns64"); 8386 8387 qctx->qtype = qctx->type = dns_rdatatype_aaaa; 8388 8389 name = qctx->fname; 8390 mname = NULL; 8391 mrdataset = NULL; 8392 buffer = NULL; 8393 dns64_rdata = NULL; 8394 dns64_rdataset = NULL; 8395 dns64_rdatalist = NULL; 8396 result = dns_message_findname( 8397 client->message, section, name, dns_rdatatype_aaaa, 8398 qctx->rdataset->covers, &mname, &mrdataset); 8399 if (result == ISC_R_SUCCESS) { 8400 /* 8401 * We've already got an RRset of the given name and type. 8402 * There's nothing else to do; 8403 */ 8404 CTRACE(ISC_LOG_DEBUG(3), "query_dns64: dns_message_findname " 8405 "succeeded: done"); 8406 if (qctx->dbuf != NULL) { 8407 ns_client_releasename(client, &qctx->fname); 8408 } 8409 return ISC_R_SUCCESS; 8410 } else if (result == DNS_R_NXDOMAIN) { 8411 /* 8412 * The name doesn't exist. 8413 */ 8414 if (qctx->dbuf != NULL) { 8415 ns_client_keepname(client, name, qctx->dbuf); 8416 } 8417 dns_message_addname(client->message, name, section); 8418 qctx->fname = NULL; 8419 mname = name; 8420 } else { 8421 RUNTIME_CHECK(result == DNS_R_NXRRSET); 8422 if (qctx->dbuf != NULL) { 8423 ns_client_releasename(client, &qctx->fname); 8424 } 8425 } 8426 8427 if (qctx->rdataset->trust != dns_trust_secure) { 8428 client->query.attributes &= ~NS_QUERYATTR_SECURE; 8429 } 8430 8431 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); 8432 8433 isc_buffer_allocate(client->manager->mctx, &buffer, 8434 view->dns64cnt * 16 * 8435 dns_rdataset_count(qctx->rdataset)); 8436 dns_message_gettemprdataset(client->message, &dns64_rdataset); 8437 dns_message_gettemprdatalist(client->message, &dns64_rdatalist); 8438 8439 dns_rdatalist_init(dns64_rdatalist); 8440 dns64_rdatalist->rdclass = dns_rdataclass_in; 8441 dns64_rdatalist->type = dns_rdatatype_aaaa; 8442 if (client->query.dns64_ttl != UINT32_MAX) { 8443 dns64_rdatalist->ttl = ISC_MIN(qctx->rdataset->ttl, 8444 client->query.dns64_ttl); 8445 } else { 8446 dns64_rdatalist->ttl = ISC_MIN(qctx->rdataset->ttl, 600); 8447 } 8448 8449 if (RECURSIONOK(client)) { 8450 flags |= DNS_DNS64_RECURSIVE; 8451 } 8452 8453 /* 8454 * We use the signatures from the A lookup to set DNS_DNS64_DNSSEC 8455 * as this provides a easy way to see if the answer was signed. 8456 */ 8457 if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL && 8458 dns_rdataset_isassociated(qctx->sigrdataset)) 8459 { 8460 flags |= DNS_DNS64_DNSSEC; 8461 } 8462 8463 for (result = dns_rdataset_first(qctx->rdataset); 8464 result == ISC_R_SUCCESS; 8465 result = dns_rdataset_next(qctx->rdataset)) 8466 { 8467 for (dns64 = ISC_LIST_HEAD(client->view->dns64); dns64 != NULL; 8468 dns64 = dns_dns64_next(dns64)) 8469 { 8470 dns_rdataset_current(qctx->rdataset, &rdata); 8471 isc_buffer_availableregion(buffer, &r); 8472 INSIST(r.length >= 16); 8473 result = dns_dns64_aaaafroma(dns64, &netaddr, 8474 client->signer, env, flags, 8475 rdata.data, r.base); 8476 if (result != ISC_R_SUCCESS) { 8477 dns_rdata_reset(&rdata); 8478 continue; 8479 } 8480 isc_buffer_add(buffer, 16); 8481 isc_buffer_remainingregion(buffer, &r); 8482 isc_buffer_forward(buffer, 16); 8483 dns_message_gettemprdata(client->message, &dns64_rdata); 8484 dns_rdata_init(dns64_rdata); 8485 dns_rdata_fromregion(dns64_rdata, dns_rdataclass_in, 8486 dns_rdatatype_aaaa, &r); 8487 ISC_LIST_APPEND(dns64_rdatalist->rdata, dns64_rdata, 8488 link); 8489 dns64_rdata = NULL; 8490 dns_rdata_reset(&rdata); 8491 } 8492 } 8493 if (result != ISC_R_NOMORE) { 8494 goto cleanup; 8495 } 8496 8497 if (ISC_LIST_EMPTY(dns64_rdatalist->rdata)) { 8498 goto cleanup; 8499 } 8500 8501 dns_rdatalist_tordataset(dns64_rdatalist, dns64_rdataset); 8502 dns_rdataset_setownercase(dns64_rdataset, mname); 8503 client->query.attributes |= NS_QUERYATTR_NOADDITIONAL; 8504 dns64_rdataset->trust = qctx->rdataset->trust; 8505 8506 query_addtoname(mname, dns64_rdataset); 8507 query_setorder(qctx, mname, dns64_rdataset); 8508 8509 dns64_rdataset = NULL; 8510 dns64_rdatalist = NULL; 8511 dns_message_takebuffer(client->message, &buffer); 8512 inc_stats(client, ns_statscounter_dns64); 8513 result = ISC_R_SUCCESS; 8514 8515 cleanup: 8516 if (buffer != NULL) { 8517 isc_buffer_free(&buffer); 8518 } 8519 8520 if (dns64_rdataset != NULL) { 8521 dns_message_puttemprdataset(client->message, &dns64_rdataset); 8522 } 8523 8524 if (dns64_rdatalist != NULL) { 8525 for (dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata); 8526 dns64_rdata != NULL; 8527 dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata)) 8528 { 8529 ISC_LIST_UNLINK(dns64_rdatalist->rdata, dns64_rdata, 8530 link); 8531 dns_message_puttemprdata(client->message, &dns64_rdata); 8532 } 8533 dns_message_puttemprdatalist(client->message, &dns64_rdatalist); 8534 } 8535 8536 CTRACE(ISC_LOG_DEBUG(3), "query_dns64: done"); 8537 return result; 8538 } 8539 8540 static void 8541 query_filter64(query_ctx_t *qctx) { 8542 ns_client_t *client = qctx->client; 8543 dns_name_t *name, *mname; 8544 dns_rdata_t *myrdata; 8545 dns_rdata_t rdata = DNS_RDATA_INIT; 8546 dns_rdatalist_t *myrdatalist; 8547 dns_rdataset_t *myrdataset; 8548 isc_buffer_t *buffer; 8549 isc_region_t r; 8550 isc_result_t result; 8551 unsigned int i; 8552 const dns_section_t section = DNS_SECTION_ANSWER; 8553 8554 CTRACE(ISC_LOG_DEBUG(3), "query_filter64"); 8555 8556 INSIST(client->query.dns64_aaaaok != NULL); 8557 INSIST(client->query.dns64_aaaaoklen == 8558 dns_rdataset_count(qctx->rdataset)); 8559 8560 name = qctx->fname; 8561 mname = NULL; 8562 buffer = NULL; 8563 myrdata = NULL; 8564 myrdataset = NULL; 8565 myrdatalist = NULL; 8566 result = dns_message_findname( 8567 client->message, section, name, dns_rdatatype_aaaa, 8568 qctx->rdataset->covers, &mname, &myrdataset); 8569 if (result == ISC_R_SUCCESS) { 8570 /* 8571 * We've already got an RRset of the given name and type. 8572 * There's nothing else to do; 8573 */ 8574 CTRACE(ISC_LOG_DEBUG(3), "query_filter64: dns_message_findname " 8575 "succeeded: done"); 8576 if (qctx->dbuf != NULL) { 8577 ns_client_releasename(client, &qctx->fname); 8578 } 8579 return; 8580 } else if (result == DNS_R_NXDOMAIN) { 8581 mname = name; 8582 qctx->fname = NULL; 8583 } else { 8584 RUNTIME_CHECK(result == DNS_R_NXRRSET); 8585 if (qctx->dbuf != NULL) { 8586 ns_client_releasename(client, &qctx->fname); 8587 } 8588 qctx->dbuf = NULL; 8589 } 8590 8591 if (qctx->rdataset->trust != dns_trust_secure) { 8592 client->query.attributes &= ~NS_QUERYATTR_SECURE; 8593 } 8594 8595 isc_buffer_allocate(client->manager->mctx, &buffer, 8596 16 * dns_rdataset_count(qctx->rdataset)); 8597 dns_message_gettemprdataset(client->message, &myrdataset); 8598 dns_message_gettemprdatalist(client->message, &myrdatalist); 8599 8600 dns_rdatalist_init(myrdatalist); 8601 myrdatalist->rdclass = dns_rdataclass_in; 8602 myrdatalist->type = dns_rdatatype_aaaa; 8603 myrdatalist->ttl = qctx->rdataset->ttl; 8604 8605 i = 0; 8606 for (result = dns_rdataset_first(qctx->rdataset); 8607 result == ISC_R_SUCCESS; 8608 result = dns_rdataset_next(qctx->rdataset)) 8609 { 8610 if (!client->query.dns64_aaaaok[i++]) { 8611 continue; 8612 } 8613 dns_rdataset_current(qctx->rdataset, &rdata); 8614 INSIST(rdata.length == 16); 8615 isc_buffer_putmem(buffer, rdata.data, rdata.length); 8616 isc_buffer_remainingregion(buffer, &r); 8617 isc_buffer_forward(buffer, rdata.length); 8618 dns_message_gettemprdata(client->message, &myrdata); 8619 dns_rdata_init(myrdata); 8620 dns_rdata_fromregion(myrdata, dns_rdataclass_in, 8621 dns_rdatatype_aaaa, &r); 8622 ISC_LIST_APPEND(myrdatalist->rdata, myrdata, link); 8623 myrdata = NULL; 8624 dns_rdata_reset(&rdata); 8625 } 8626 if (result != ISC_R_NOMORE) { 8627 goto cleanup; 8628 } 8629 8630 dns_rdatalist_tordataset(myrdatalist, myrdataset); 8631 dns_rdataset_setownercase(myrdataset, name); 8632 client->query.attributes |= NS_QUERYATTR_NOADDITIONAL; 8633 if (mname == name) { 8634 if (qctx->dbuf != NULL) { 8635 ns_client_keepname(client, name, qctx->dbuf); 8636 } 8637 dns_message_addname(client->message, name, section); 8638 qctx->dbuf = NULL; 8639 } 8640 myrdataset->trust = qctx->rdataset->trust; 8641 8642 query_addtoname(mname, myrdataset); 8643 query_setorder(qctx, mname, myrdataset); 8644 8645 myrdataset = NULL; 8646 myrdatalist = NULL; 8647 dns_message_takebuffer(client->message, &buffer); 8648 8649 cleanup: 8650 if (buffer != NULL) { 8651 isc_buffer_free(&buffer); 8652 } 8653 8654 if (myrdataset != NULL) { 8655 dns_message_puttemprdataset(client->message, &myrdataset); 8656 } 8657 8658 if (myrdatalist != NULL) { 8659 for (myrdata = ISC_LIST_HEAD(myrdatalist->rdata); 8660 myrdata != NULL; 8661 myrdata = ISC_LIST_HEAD(myrdatalist->rdata)) 8662 { 8663 ISC_LIST_UNLINK(myrdatalist->rdata, myrdata, link); 8664 dns_message_puttemprdata(client->message, &myrdata); 8665 } 8666 dns_message_puttemprdatalist(client->message, &myrdatalist); 8667 } 8668 8669 if (qctx->dbuf != NULL) { 8670 ns_client_releasename(client, &name); 8671 } 8672 8673 CTRACE(ISC_LOG_DEBUG(3), "query_filter64: done"); 8674 } 8675 8676 /*% 8677 * Handle the case of a name not being found in a database lookup. 8678 * Called from query_gotanswer(). Passes off processing to 8679 * query_delegation() for a root referral if appropriate. 8680 */ 8681 static isc_result_t 8682 query_notfound(query_ctx_t *qctx) { 8683 isc_result_t result = ISC_R_UNSET; 8684 8685 CCTRACE(ISC_LOG_DEBUG(3), "query_notfound"); 8686 8687 CALL_HOOK(NS_QUERY_NOTFOUND_BEGIN, qctx); 8688 8689 INSIST(!qctx->is_zone); 8690 8691 if (qctx->db != NULL) { 8692 dns_db_detach(&qctx->db); 8693 } 8694 8695 /* 8696 * If the cache doesn't even have the root NS, 8697 * try to get that from the hints DB. 8698 */ 8699 if (qctx->view->hints != NULL) { 8700 dns_clientinfomethods_t cm; 8701 dns_clientinfo_t ci; 8702 8703 dns_clientinfomethods_init(&cm, ns_client_sourceip); 8704 dns_clientinfo_init(&ci, qctx->client, NULL); 8705 8706 dns_db_attach(qctx->view->hints, &qctx->db); 8707 result = dns_db_findext(qctx->db, dns_rootname, NULL, 8708 dns_rdatatype_ns, 0, qctx->client->now, 8709 &qctx->node, qctx->fname, &cm, &ci, 8710 qctx->rdataset, qctx->sigrdataset); 8711 } else { 8712 /* We have no hints. */ 8713 result = ISC_R_FAILURE; 8714 } 8715 if (result != ISC_R_SUCCESS) { 8716 /* 8717 * Nonsensical root hints may require cleanup. 8718 */ 8719 qctx_clean(qctx); 8720 8721 /* 8722 * We don't have any root server hints, but 8723 * we may have working forwarders, so try to 8724 * recurse anyway. 8725 */ 8726 if (RECURSIONOK(qctx->client)) { 8727 INSIST(!REDIRECT(qctx->client)); 8728 result = ns_query_recurse(qctx->client, qctx->qtype, 8729 qctx->client->query.qname, 8730 NULL, NULL, qctx->resuming); 8731 if (result == ISC_R_SUCCESS) { 8732 CALL_HOOK(NS_QUERY_NOTFOUND_RECURSE, qctx); 8733 qctx->client->query.attributes |= 8734 NS_QUERYATTR_RECURSING; 8735 8736 if (qctx->dns64) { 8737 qctx->client->query.attributes |= 8738 NS_QUERYATTR_DNS64; 8739 } 8740 if (qctx->dns64_exclude) { 8741 qctx->client->query.attributes |= 8742 NS_QUERYATTR_DNS64EXCLUDE; 8743 } 8744 } else if (query_usestale(qctx, result)) { 8745 /* 8746 * If serve-stale is enabled, query_usestale() 8747 * already set up 'qctx' for looking up a 8748 * stale response. 8749 */ 8750 return query_lookup(qctx); 8751 } else { 8752 QUERY_ERROR(qctx, result); 8753 } 8754 return ns_query_done(qctx); 8755 } else { 8756 /* Unable to give root server referral. */ 8757 CCTRACE(ISC_LOG_ERROR, "unable to give root server " 8758 "referral"); 8759 QUERY_ERROR(qctx, result); 8760 return ns_query_done(qctx); 8761 } 8762 } 8763 8764 return query_delegation(qctx); 8765 8766 cleanup: 8767 return result; 8768 } 8769 8770 /*% 8771 * We have a delegation but recursion is not allowed, so return the delegation 8772 * to the client. 8773 */ 8774 static isc_result_t 8775 query_prepare_delegation_response(query_ctx_t *qctx) { 8776 isc_result_t result = ISC_R_UNSET; 8777 dns_rdataset_t **sigrdatasetp = NULL; 8778 bool detach = false; 8779 8780 CALL_HOOK(NS_QUERY_PREP_DELEGATION_BEGIN, qctx); 8781 8782 /* 8783 * qctx->fname could be released in query_addrrset(), so save a copy of 8784 * it here in case we need it. 8785 */ 8786 dns_fixedname_init(&qctx->dsname); 8787 dns_name_copy(qctx->fname, dns_fixedname_name(&qctx->dsname)); 8788 8789 /* 8790 * This is the best answer. 8791 */ 8792 qctx->client->query.isreferral = true; 8793 8794 if (!dns_db_iscache(qctx->db) && qctx->client->query.gluedb == NULL) { 8795 dns_db_attach(qctx->db, &qctx->client->query.gluedb); 8796 detach = true; 8797 } 8798 8799 /* 8800 * We must ensure NOADDITIONAL is off, because the generation of 8801 * additional data is required in delegations. 8802 */ 8803 qctx->client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL; 8804 if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) { 8805 sigrdatasetp = &qctx->sigrdataset; 8806 } 8807 query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp, 8808 qctx->dbuf, DNS_SECTION_AUTHORITY); 8809 if (detach) { 8810 dns_db_detach(&qctx->client->query.gluedb); 8811 } 8812 8813 /* 8814 * Add DS/NSEC(3) record(s) if needed. 8815 */ 8816 query_addds(qctx); 8817 8818 return ns_query_done(qctx); 8819 8820 cleanup: 8821 return result; 8822 } 8823 8824 /*% 8825 * Handle a delegation response from an authoritative lookup. This 8826 * may trigger additional lookups, e.g. from the cache database to 8827 * see if we have a better answer; if that is not allowed, return the 8828 * delegation to the client and call ns_query_done(). 8829 */ 8830 static isc_result_t 8831 query_zone_delegation(query_ctx_t *qctx) { 8832 isc_result_t result = ISC_R_UNSET; 8833 8834 CALL_HOOK(NS_QUERY_ZONE_DELEGATION_BEGIN, qctx); 8835 8836 /* 8837 * If the query type is DS, look to see if we are 8838 * authoritative for the child zone 8839 */ 8840 if (!RECURSIONOK(qctx->client) && 8841 (qctx->options.noexact && qctx->qtype == dns_rdatatype_ds)) 8842 { 8843 dns_db_t *tdb = NULL; 8844 dns_zone_t *tzone = NULL; 8845 dns_dbversion_t *tversion = NULL; 8846 dns_getdb_options_t options = { .partial = true }; 8847 result = query_getzonedb(qctx->client, 8848 qctx->client->query.qname, qctx->qtype, 8849 options, &tzone, &tdb, &tversion); 8850 if (result != ISC_R_SUCCESS) { 8851 if (tdb != NULL) { 8852 dns_db_detach(&tdb); 8853 } 8854 if (tzone != NULL) { 8855 dns_zone_detach(&tzone); 8856 } 8857 } else { 8858 qctx->options.noexact = false; 8859 ns_client_putrdataset(qctx->client, &qctx->rdataset); 8860 if (qctx->sigrdataset != NULL) { 8861 ns_client_putrdataset(qctx->client, 8862 &qctx->sigrdataset); 8863 } 8864 if (qctx->fname != NULL) { 8865 ns_client_releasename(qctx->client, 8866 &qctx->fname); 8867 } 8868 if (qctx->node != NULL) { 8869 dns_db_detachnode(qctx->db, &qctx->node); 8870 } 8871 if (qctx->db != NULL) { 8872 dns_db_detach(&qctx->db); 8873 } 8874 if (qctx->zone != NULL) { 8875 dns_zone_detach(&qctx->zone); 8876 } 8877 qctx->version = NULL; 8878 RESTORE(qctx->version, tversion); 8879 RESTORE(qctx->db, tdb); 8880 RESTORE(qctx->zone, tzone); 8881 qctx->authoritative = true; 8882 8883 return query_lookup(qctx); 8884 } 8885 } 8886 8887 if (USECACHE(qctx->client) && 8888 (RECURSIONOK(qctx->client) || 8889 (qctx->zone != NULL && 8890 dns_zone_gettype(qctx->zone) == dns_zone_mirror))) 8891 { 8892 /* 8893 * We might have a better answer or delegation in the 8894 * cache. We'll remember the current values of fname, 8895 * rdataset, and sigrdataset. We'll then go looking for 8896 * QNAME in the cache. If we find something better, we'll 8897 * use it instead. If not, then query_lookup() calls 8898 * query_notfound() which calls query_delegation(), and 8899 * we'll restore these values there. 8900 */ 8901 ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); 8902 SAVE(qctx->zdb, qctx->db); 8903 SAVE(qctx->znode, qctx->node); 8904 SAVE(qctx->zfname, qctx->fname); 8905 SAVE(qctx->zversion, qctx->version); 8906 SAVE(qctx->zrdataset, qctx->rdataset); 8907 SAVE(qctx->zsigrdataset, qctx->sigrdataset); 8908 dns_db_attach(qctx->view->cachedb, &qctx->db); 8909 qctx->is_zone = false; 8910 8911 return query_lookup(qctx); 8912 } 8913 8914 return query_prepare_delegation_response(qctx); 8915 8916 cleanup: 8917 return result; 8918 } 8919 8920 /*% 8921 * Handle delegation responses, including root referrals. 8922 * 8923 * If the delegation was returned from authoritative data, 8924 * call query_zone_delgation(). Otherwise, we can start 8925 * recursion if allowed; or else return the delegation to the 8926 * client and call ns_query_done(). 8927 */ 8928 static isc_result_t 8929 query_delegation(query_ctx_t *qctx) { 8930 isc_result_t result = ISC_R_UNSET; 8931 8932 CCTRACE(ISC_LOG_DEBUG(3), "query_delegation"); 8933 8934 CALL_HOOK(NS_QUERY_DELEGATION_BEGIN, qctx); 8935 8936 qctx->authoritative = false; 8937 8938 if (qctx->is_zone) { 8939 return query_zone_delegation(qctx); 8940 } 8941 8942 if (qctx->zfname != NULL && 8943 (!dns_name_issubdomain(qctx->fname, qctx->zfname) || 8944 (qctx->is_staticstub_zone && 8945 dns_name_equal(qctx->fname, qctx->zfname)))) 8946 { 8947 /* 8948 * In the following cases use "authoritative" 8949 * data instead of the cache delegation: 8950 * 1. We've already got a delegation from 8951 * authoritative data, and it is better 8952 * than what we found in the cache. 8953 * (See the comment above.) 8954 * 2. The query name matches the origin name 8955 * of a static-stub zone. This needs to be 8956 * considered for the case where the NS of 8957 * the static-stub zone and the cached NS 8958 * are different. We still need to contact 8959 * the nameservers configured in the 8960 * static-stub zone. 8961 */ 8962 ns_client_releasename(qctx->client, &qctx->fname); 8963 8964 /* 8965 * We've already done ns_client_keepname() on 8966 * qctx->zfname, so we must set dbuf to NULL to 8967 * prevent query_addrrset() from trying to 8968 * call ns_client_keepname() again. 8969 */ 8970 qctx->dbuf = NULL; 8971 ns_client_putrdataset(qctx->client, &qctx->rdataset); 8972 if (qctx->sigrdataset != NULL) { 8973 ns_client_putrdataset(qctx->client, &qctx->sigrdataset); 8974 } 8975 qctx->version = NULL; 8976 8977 dns_db_detachnode(qctx->db, &qctx->node); 8978 dns_db_detach(&qctx->db); 8979 RESTORE(qctx->db, qctx->zdb); 8980 RESTORE(qctx->node, qctx->znode); 8981 RESTORE(qctx->fname, qctx->zfname); 8982 RESTORE(qctx->version, qctx->zversion); 8983 RESTORE(qctx->rdataset, qctx->zrdataset); 8984 RESTORE(qctx->sigrdataset, qctx->zsigrdataset); 8985 } 8986 8987 result = query_delegation_recurse(qctx); 8988 if (result != ISC_R_COMPLETE) { 8989 return result; 8990 } 8991 8992 return query_prepare_delegation_response(qctx); 8993 8994 cleanup: 8995 return result; 8996 } 8997 8998 /*% 8999 * Handle recursive queries that are triggered as part of the 9000 * delegation process. 9001 */ 9002 static isc_result_t 9003 query_delegation_recurse(query_ctx_t *qctx) { 9004 isc_result_t result = ISC_R_UNSET; 9005 dns_name_t *qname = qctx->client->query.qname; 9006 9007 CCTRACE(ISC_LOG_DEBUG(3), "query_delegation_recurse"); 9008 9009 if (!RECURSIONOK(qctx->client)) { 9010 return ISC_R_COMPLETE; 9011 } 9012 9013 CALL_HOOK(NS_QUERY_DELEGATION_RECURSE_BEGIN, qctx); 9014 9015 /* 9016 * We have a delegation and recursion is allowed, 9017 * so we call ns_query_recurse() to follow it. 9018 * This phase of the query processing is done; 9019 * we'll resume via fetch_callback() and 9020 * query_resume() when the recursion is complete. 9021 */ 9022 9023 INSIST(!REDIRECT(qctx->client)); 9024 9025 if (dns_rdatatype_atparent(qctx->type)) { 9026 /* 9027 * Parent is authoritative for this RDATA type (i.e. DS). 9028 */ 9029 result = ns_query_recurse(qctx->client, qctx->qtype, qname, 9030 NULL, NULL, qctx->resuming); 9031 } else if (qctx->dns64) { 9032 /* 9033 * Look up an A record so we can synthesize DNS64. 9034 */ 9035 result = ns_query_recurse(qctx->client, dns_rdatatype_a, qname, 9036 NULL, NULL, qctx->resuming); 9037 } else { 9038 /* 9039 * Any other recursion. 9040 */ 9041 result = ns_query_recurse(qctx->client, qctx->qtype, qname, 9042 qctx->fname, qctx->rdataset, 9043 qctx->resuming); 9044 } 9045 9046 if (result == ISC_R_SUCCESS) { 9047 qctx->client->query.attributes |= NS_QUERYATTR_RECURSING; 9048 if (qctx->dns64) { 9049 qctx->client->query.attributes |= NS_QUERYATTR_DNS64; 9050 } 9051 if (qctx->dns64_exclude) { 9052 qctx->client->query.attributes |= 9053 NS_QUERYATTR_DNS64EXCLUDE; 9054 } 9055 } else if (query_usestale(qctx, result)) { 9056 /* 9057 * If serve-stale is enabled, query_usestale() already set up 9058 * 'qctx' for looking up a stale response. 9059 */ 9060 return query_lookup(qctx); 9061 } else { 9062 QUERY_ERROR(qctx, result); 9063 } 9064 9065 return ns_query_done(qctx); 9066 9067 cleanup: 9068 return result; 9069 } 9070 9071 /*% 9072 * Add DS/NSEC(3) record(s) if needed. 9073 */ 9074 static void 9075 query_addds(query_ctx_t *qctx) { 9076 ns_client_t *client = qctx->client; 9077 dns_fixedname_t fixed; 9078 dns_name_t *fname = NULL; 9079 dns_name_t *rname = NULL; 9080 dns_name_t *name; 9081 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; 9082 isc_buffer_t *dbuf, b; 9083 isc_result_t result; 9084 unsigned int count; 9085 9086 CTRACE(ISC_LOG_DEBUG(3), "query_addds"); 9087 9088 /* 9089 * DS not needed. 9090 */ 9091 if (!WANTDNSSEC(client)) { 9092 return; 9093 } 9094 9095 /* 9096 * We'll need some resources... 9097 */ 9098 rdataset = ns_client_newrdataset(client); 9099 sigrdataset = ns_client_newrdataset(client); 9100 9101 /* 9102 * Look for the DS record, which may or may not be present. 9103 */ 9104 result = dns_db_findrdataset(qctx->db, qctx->node, qctx->version, 9105 dns_rdatatype_ds, 0, client->now, rdataset, 9106 sigrdataset); 9107 /* 9108 * If we didn't find it, look for an NSEC. 9109 */ 9110 if (result == ISC_R_NOTFOUND) { 9111 result = dns_db_findrdataset( 9112 qctx->db, qctx->node, qctx->version, dns_rdatatype_nsec, 9113 0, client->now, rdataset, sigrdataset); 9114 } 9115 if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) { 9116 goto addnsec3; 9117 } 9118 if (!dns_rdataset_isassociated(rdataset) || 9119 !dns_rdataset_isassociated(sigrdataset)) 9120 { 9121 goto addnsec3; 9122 } 9123 9124 /* 9125 * We've already added the NS record, so if the name's not there, 9126 * we have other problems. 9127 */ 9128 result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY); 9129 if (result != ISC_R_SUCCESS) { 9130 goto cleanup; 9131 } 9132 9133 /* 9134 * Find the delegation in the response message - it is not necessarily 9135 * the first name in the AUTHORITY section when wildcard processing is 9136 * involved. 9137 */ 9138 while (result == ISC_R_SUCCESS) { 9139 rname = NULL; 9140 dns_message_currentname(client->message, DNS_SECTION_AUTHORITY, 9141 &rname); 9142 result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL); 9143 if (result == ISC_R_SUCCESS) { 9144 break; 9145 } 9146 result = dns_message_nextname(client->message, 9147 DNS_SECTION_AUTHORITY); 9148 } 9149 9150 if (result != ISC_R_SUCCESS) { 9151 goto cleanup; 9152 } 9153 9154 /* 9155 * Add the relevant RRset (DS or NSEC) to the delegation. 9156 */ 9157 query_addrrset(qctx, &rname, &rdataset, &sigrdataset, NULL, 9158 DNS_SECTION_AUTHORITY); 9159 goto cleanup; 9160 9161 addnsec3: 9162 if (!dns_db_iszone(qctx->db)) { 9163 goto cleanup; 9164 } 9165 /* 9166 * Add the NSEC3 which proves the DS does not exist. 9167 */ 9168 dbuf = ns_client_getnamebuf(client); 9169 fname = ns_client_newname(client, dbuf, &b); 9170 dns_fixedname_init(&fixed); 9171 if (dns_rdataset_isassociated(rdataset)) { 9172 dns_rdataset_disassociate(rdataset); 9173 } 9174 if (dns_rdataset_isassociated(sigrdataset)) { 9175 dns_rdataset_disassociate(sigrdataset); 9176 } 9177 name = dns_fixedname_name(&qctx->dsname); 9178 query_findclosestnsec3(name, qctx->db, qctx->version, client, rdataset, 9179 sigrdataset, fname, true, 9180 dns_fixedname_name(&fixed)); 9181 if (!dns_rdataset_isassociated(rdataset)) { 9182 goto cleanup; 9183 } 9184 query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, 9185 DNS_SECTION_AUTHORITY); 9186 /* 9187 * Did we find the closest provable encloser instead? 9188 * If so add the nearest to the closest provable encloser. 9189 */ 9190 if (!dns_name_equal(name, dns_fixedname_name(&fixed))) { 9191 count = dns_name_countlabels(dns_fixedname_name(&fixed)) + 1; 9192 dns_name_getlabelsequence(name, 9193 dns_name_countlabels(name) - count, 9194 count, dns_fixedname_name(&fixed)); 9195 fixfname(client, &fname, &dbuf, &b); 9196 fixrdataset(client, &rdataset); 9197 fixrdataset(client, &sigrdataset); 9198 if (fname == NULL || rdataset == NULL || sigrdataset == NULL) { 9199 goto cleanup; 9200 } 9201 query_findclosestnsec3(dns_fixedname_name(&fixed), qctx->db, 9202 qctx->version, client, rdataset, 9203 sigrdataset, fname, false, NULL); 9204 if (!dns_rdataset_isassociated(rdataset)) { 9205 goto cleanup; 9206 } 9207 query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, 9208 DNS_SECTION_AUTHORITY); 9209 } 9210 9211 cleanup: 9212 if (rdataset != NULL) { 9213 ns_client_putrdataset(client, &rdataset); 9214 } 9215 if (sigrdataset != NULL) { 9216 ns_client_putrdataset(client, &sigrdataset); 9217 } 9218 if (fname != NULL) { 9219 ns_client_releasename(client, &fname); 9220 } 9221 } 9222 9223 /*% 9224 * Handle authoritative NOERROR/NODATA responses. 9225 */ 9226 static isc_result_t 9227 query_nodata(query_ctx_t *qctx, isc_result_t res) { 9228 isc_result_t result = res; 9229 9230 CCTRACE(ISC_LOG_DEBUG(3), "query_nodata"); 9231 9232 CALL_HOOK(NS_QUERY_NODATA_BEGIN, qctx); 9233 9234 #ifdef dns64_bis_return_excluded_addresses 9235 if (qctx->dns64) 9236 #else /* ifdef dns64_bis_return_excluded_addresses */ 9237 if (qctx->dns64 && !qctx->dns64_exclude) 9238 #endif /* ifdef dns64_bis_return_excluded_addresses */ 9239 { 9240 isc_buffer_t b; 9241 /* 9242 * Restore the answers from the previous AAAA lookup. 9243 */ 9244 if (qctx->rdataset != NULL) { 9245 ns_client_putrdataset(qctx->client, &qctx->rdataset); 9246 } 9247 if (qctx->sigrdataset != NULL) { 9248 ns_client_putrdataset(qctx->client, &qctx->sigrdataset); 9249 } 9250 RESTORE(qctx->rdataset, qctx->client->query.dns64_aaaa); 9251 RESTORE(qctx->sigrdataset, qctx->client->query.dns64_sigaaaa); 9252 if (qctx->fname == NULL) { 9253 qctx->dbuf = ns_client_getnamebuf(qctx->client); 9254 qctx->fname = ns_client_newname(qctx->client, 9255 qctx->dbuf, &b); 9256 } 9257 dns_name_copy(qctx->client->query.qname, qctx->fname); 9258 qctx->dns64 = false; 9259 #ifdef dns64_bis_return_excluded_addresses 9260 /* 9261 * Resume the diverted processing of the AAAA response? 9262 */ 9263 if (qctx->dns64_exclude) { 9264 return query_prepresponse(qctx); 9265 } 9266 #endif /* ifdef dns64_bis_return_excluded_addresses */ 9267 } else if ((result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) && 9268 !ISC_LIST_EMPTY(qctx->view->dns64) && !qctx->nxrewrite && 9269 qctx->client->message->rdclass == dns_rdataclass_in && 9270 qctx->qtype == dns_rdatatype_aaaa) 9271 { 9272 /* 9273 * Look to see if there are A records for this name. 9274 */ 9275 switch (result) { 9276 case DNS_R_NCACHENXRRSET: 9277 /* 9278 * This is from the negative cache; if the ttl is 9279 * zero, we need to work out whether we have just 9280 * decremented to zero or there was no negative 9281 * cache ttl in the answer. 9282 */ 9283 if (qctx->rdataset->ttl != 0) { 9284 qctx->client->query.dns64_ttl = 9285 qctx->rdataset->ttl; 9286 break; 9287 } 9288 if (dns_rdataset_first(qctx->rdataset) == ISC_R_SUCCESS) 9289 { 9290 qctx->client->query.dns64_ttl = 0; 9291 } 9292 break; 9293 case DNS_R_NXRRSET: 9294 qctx->client->query.dns64_ttl = 9295 dns64_ttl(qctx->db, qctx->version); 9296 break; 9297 default: 9298 UNREACHABLE(); 9299 } 9300 9301 SAVE(qctx->client->query.dns64_aaaa, qctx->rdataset); 9302 SAVE(qctx->client->query.dns64_sigaaaa, qctx->sigrdataset); 9303 ns_client_releasename(qctx->client, &qctx->fname); 9304 dns_db_detachnode(qctx->db, &qctx->node); 9305 qctx->type = qctx->qtype = dns_rdatatype_a; 9306 qctx->dns64 = true; 9307 return query_lookup(qctx); 9308 } 9309 9310 if (qctx->is_zone) { 9311 return query_sign_nodata(qctx); 9312 } else { 9313 /* 9314 * We don't call query_addrrset() because we don't need any 9315 * of its extra features (and things would probably break!). 9316 */ 9317 if (dns_rdataset_isassociated(qctx->rdataset)) { 9318 ns_client_keepname(qctx->client, qctx->fname, 9319 qctx->dbuf); 9320 dns_message_addname(qctx->client->message, qctx->fname, 9321 DNS_SECTION_AUTHORITY); 9322 ISC_LIST_APPEND(qctx->fname->list, qctx->rdataset, 9323 link); 9324 qctx->fname = NULL; 9325 qctx->rdataset = NULL; 9326 } 9327 } 9328 9329 return ns_query_done(qctx); 9330 9331 cleanup: 9332 return result; 9333 } 9334 9335 /*% 9336 * Add RRSIGs for NOERROR/NODATA responses when answering authoritatively. 9337 */ 9338 isc_result_t 9339 query_sign_nodata(query_ctx_t *qctx) { 9340 isc_result_t result; 9341 9342 CCTRACE(ISC_LOG_DEBUG(3), "query_sign_nodata"); 9343 9344 /* 9345 * Look for a NSEC3 record if we don't have a NSEC record. 9346 */ 9347 if (qctx->redirected) { 9348 return ns_query_done(qctx); 9349 } 9350 if (!dns_rdataset_isassociated(qctx->rdataset) && 9351 WANTDNSSEC(qctx->client)) 9352 { 9353 if (!qctx->fname->attributes.wildcard) { 9354 dns_name_t *found; 9355 dns_name_t *qname; 9356 dns_fixedname_t fixed; 9357 isc_buffer_t b; 9358 9359 found = dns_fixedname_initname(&fixed); 9360 qname = qctx->client->query.qname; 9361 9362 query_findclosestnsec3(qname, qctx->db, qctx->version, 9363 qctx->client, qctx->rdataset, 9364 qctx->sigrdataset, qctx->fname, 9365 true, found); 9366 /* 9367 * Did we find the closest provable encloser 9368 * instead? If so add the nearest to the 9369 * closest provable encloser. 9370 */ 9371 if (dns_rdataset_isassociated(qctx->rdataset) && 9372 !dns_name_equal(qname, found) && 9373 (((qctx->client->manager->sctx->options & 9374 NS_SERVER_NONEAREST) == 0) || 9375 qctx->qtype == dns_rdatatype_ds)) 9376 { 9377 unsigned int count; 9378 unsigned int skip; 9379 9380 /* 9381 * Add the closest provable encloser. 9382 */ 9383 query_addrrset(qctx, &qctx->fname, 9384 &qctx->rdataset, 9385 &qctx->sigrdataset, qctx->dbuf, 9386 DNS_SECTION_AUTHORITY); 9387 9388 count = dns_name_countlabels(found) + 1; 9389 skip = dns_name_countlabels(qname) - count; 9390 dns_name_getlabelsequence(qname, skip, count, 9391 found); 9392 9393 fixfname(qctx->client, &qctx->fname, 9394 &qctx->dbuf, &b); 9395 fixrdataset(qctx->client, &qctx->rdataset); 9396 fixrdataset(qctx->client, &qctx->sigrdataset); 9397 if (qctx->fname == NULL || 9398 qctx->rdataset == NULL || 9399 qctx->sigrdataset == NULL) 9400 { 9401 CCTRACE(ISC_LOG_ERROR, "query_sign_" 9402 "nodata: " 9403 "failure " 9404 "getting " 9405 "closest " 9406 "encloser"); 9407 QUERY_ERROR(qctx, ISC_R_NOMEMORY); 9408 return ns_query_done(qctx); 9409 } 9410 /* 9411 * 'nearest' doesn't exist so 9412 * 'exist' is set to false. 9413 */ 9414 query_findclosestnsec3( 9415 found, qctx->db, qctx->version, 9416 qctx->client, qctx->rdataset, 9417 qctx->sigrdataset, qctx->fname, false, 9418 NULL); 9419 } 9420 } else { 9421 ns_client_releasename(qctx->client, &qctx->fname); 9422 query_addwildcardproof(qctx, false, true); 9423 } 9424 } 9425 if (dns_rdataset_isassociated(qctx->rdataset)) { 9426 /* 9427 * If we've got a NSEC record, we need to save the 9428 * name now because we're going call query_addsoa() 9429 * below, and it needs to use the name buffer. 9430 */ 9431 ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); 9432 } else if (qctx->fname != NULL) { 9433 /* 9434 * We're not going to use fname, and need to release 9435 * our hold on the name buffer so query_addsoa() 9436 * may use it. 9437 */ 9438 ns_client_releasename(qctx->client, &qctx->fname); 9439 } 9440 9441 /* 9442 * The RPZ SOA has already been added to the additional section 9443 * if this was an RPZ rewrite, but if it wasn't, add it now. 9444 */ 9445 if (!qctx->nxrewrite) { 9446 result = query_addsoa(qctx, UINT32_MAX, DNS_SECTION_AUTHORITY); 9447 if (result != ISC_R_SUCCESS) { 9448 QUERY_ERROR(qctx, result); 9449 return ns_query_done(qctx); 9450 } 9451 } 9452 9453 /* 9454 * Add NSEC record if we found one. 9455 */ 9456 if (WANTDNSSEC(qctx->client) && 9457 dns_rdataset_isassociated(qctx->rdataset)) 9458 { 9459 query_addnxrrsetnsec(qctx); 9460 } 9461 9462 return ns_query_done(qctx); 9463 } 9464 9465 static void 9466 query_addnxrrsetnsec(query_ctx_t *qctx) { 9467 ns_client_t *client = qctx->client; 9468 dns_rdata_t sigrdata; 9469 dns_rdata_rrsig_t sig; 9470 unsigned int labels; 9471 isc_buffer_t *dbuf, b; 9472 dns_name_t *fname; 9473 isc_result_t result; 9474 9475 INSIST(qctx->fname != NULL); 9476 9477 if (!qctx->fname->attributes.wildcard) { 9478 query_addrrset(qctx, &qctx->fname, &qctx->rdataset, 9479 &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); 9480 return; 9481 } 9482 9483 if (qctx->sigrdataset == NULL || 9484 !dns_rdataset_isassociated(qctx->sigrdataset)) 9485 { 9486 return; 9487 } 9488 9489 if (dns_rdataset_first(qctx->sigrdataset) != ISC_R_SUCCESS) { 9490 return; 9491 } 9492 9493 dns_rdata_init(&sigrdata); 9494 dns_rdataset_current(qctx->sigrdataset, &sigrdata); 9495 result = dns_rdata_tostruct(&sigrdata, &sig, NULL); 9496 RUNTIME_CHECK(result == ISC_R_SUCCESS); 9497 9498 labels = dns_name_countlabels(qctx->fname); 9499 if ((unsigned int)sig.labels + 1 >= labels) { 9500 return; 9501 } 9502 9503 query_addwildcardproof(qctx, true, false); 9504 9505 /* 9506 * We'll need some resources... 9507 */ 9508 dbuf = ns_client_getnamebuf(client); 9509 fname = ns_client_newname(client, dbuf, &b); 9510 9511 dns_name_split(qctx->fname, sig.labels + 1, NULL, fname); 9512 /* This will succeed, since we've stripped labels. */ 9513 RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname, 9514 NULL) == ISC_R_SUCCESS); 9515 query_addrrset(qctx, &fname, &qctx->rdataset, &qctx->sigrdataset, dbuf, 9516 DNS_SECTION_AUTHORITY); 9517 } 9518 9519 /*% 9520 * Handle NXDOMAIN and empty wildcard responses. 9521 */ 9522 static isc_result_t 9523 query_nxdomain(query_ctx_t *qctx, isc_result_t result) { 9524 dns_section_t section; 9525 uint32_t ttl; 9526 bool empty_wild = (result == DNS_R_EMPTYWILD); 9527 9528 CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain"); 9529 9530 CALL_HOOK(NS_QUERY_NXDOMAIN_BEGIN, qctx); 9531 9532 INSIST(qctx->is_zone || REDIRECT(qctx->client)); 9533 9534 if (!empty_wild) { 9535 result = query_redirect(qctx, result); 9536 if (result != ISC_R_COMPLETE) { 9537 return result; 9538 } 9539 } 9540 9541 if (dns_rdataset_isassociated(qctx->rdataset)) { 9542 /* 9543 * If we've got a NSEC record, we need to save the 9544 * name now because we're going call query_addsoa() 9545 * below, and it needs to use the name buffer. 9546 */ 9547 ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); 9548 } else if (qctx->fname != NULL) { 9549 /* 9550 * We're not going to use fname, and need to release 9551 * our hold on the name buffer so query_addsoa() 9552 * may use it. 9553 */ 9554 ns_client_releasename(qctx->client, &qctx->fname); 9555 } 9556 9557 /* 9558 * Add SOA to the additional section if generated by a 9559 * RPZ rewrite. 9560 * 9561 * If the query was for a SOA record force the 9562 * ttl to zero so that it is possible for clients to find 9563 * the containing zone of an arbitrary name with a stub 9564 * resolver and not have it cached. 9565 */ 9566 section = qctx->nxrewrite ? DNS_SECTION_ADDITIONAL 9567 : DNS_SECTION_AUTHORITY; 9568 ttl = UINT32_MAX; 9569 if (!qctx->nxrewrite && qctx->qtype == dns_rdatatype_soa && 9570 qctx->zone != NULL && dns_zone_getzeronosoattl(qctx->zone)) 9571 { 9572 ttl = 0; 9573 } 9574 if (!qctx->nxrewrite || 9575 (qctx->rpz_st != NULL && qctx->rpz_st->m.rpz->addsoa)) 9576 { 9577 result = query_addsoa(qctx, ttl, section); 9578 if (result != ISC_R_SUCCESS) { 9579 QUERY_ERROR(qctx, result); 9580 return ns_query_done(qctx); 9581 } 9582 } 9583 9584 if (WANTDNSSEC(qctx->client)) { 9585 /* 9586 * Add NSEC record if we found one. 9587 */ 9588 if (dns_rdataset_isassociated(qctx->rdataset)) { 9589 query_addrrset(qctx, &qctx->fname, &qctx->rdataset, 9590 &qctx->sigrdataset, NULL, 9591 DNS_SECTION_AUTHORITY); 9592 } 9593 query_addwildcardproof(qctx, false, false); 9594 } 9595 9596 /* 9597 * Set message rcode. 9598 */ 9599 if (empty_wild) { 9600 qctx->client->message->rcode = dns_rcode_noerror; 9601 } else { 9602 qctx->client->message->rcode = dns_rcode_nxdomain; 9603 } 9604 9605 return ns_query_done(qctx); 9606 9607 cleanup: 9608 return result; 9609 } 9610 9611 /* 9612 * Handle both types of NXDOMAIN redirection, calling redirect() 9613 * (which implements type redirect zones) and redirect2() (which 9614 * implements recursive nxdomain-redirect lookups). 9615 * 9616 * Any result code other than ISC_R_COMPLETE means redirection was 9617 * successful and the result code should be returned up the call stack. 9618 * 9619 * ISC_R_COMPLETE means we reached the end of this function without 9620 * redirecting, so query processing should continue past it. 9621 */ 9622 static isc_result_t 9623 query_redirect(query_ctx_t *qctx, isc_result_t saved_result) { 9624 isc_result_t result; 9625 9626 CCTRACE(ISC_LOG_DEBUG(3), "query_redirect"); 9627 9628 result = redirect(qctx->client, qctx->fname, qctx->rdataset, 9629 &qctx->node, &qctx->db, &qctx->version, qctx->type); 9630 switch (result) { 9631 case ISC_R_SUCCESS: 9632 inc_stats(qctx->client, ns_statscounter_nxdomainredirect); 9633 return query_prepresponse(qctx); 9634 case DNS_R_NXRRSET: 9635 qctx->redirected = true; 9636 qctx->is_zone = true; 9637 return query_nodata(qctx, DNS_R_NXRRSET); 9638 case DNS_R_NCACHENXRRSET: 9639 qctx->redirected = true; 9640 qctx->is_zone = false; 9641 return query_ncache(qctx, DNS_R_NCACHENXRRSET); 9642 default: 9643 break; 9644 } 9645 9646 result = redirect2(qctx->client, qctx->fname, qctx->rdataset, 9647 &qctx->node, &qctx->db, &qctx->version, qctx->type, 9648 &qctx->is_zone); 9649 switch (result) { 9650 case ISC_R_SUCCESS: 9651 inc_stats(qctx->client, ns_statscounter_nxdomainredirect); 9652 return query_prepresponse(qctx); 9653 case DNS_R_CONTINUE: 9654 inc_stats(qctx->client, 9655 ns_statscounter_nxdomainredirect_rlookup); 9656 SAVE(qctx->client->query.redirect.db, qctx->db); 9657 SAVE(qctx->client->query.redirect.node, qctx->node); 9658 SAVE(qctx->client->query.redirect.zone, qctx->zone); 9659 qctx->client->query.redirect.qtype = qctx->qtype; 9660 INSIST(qctx->rdataset != NULL); 9661 SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset); 9662 SAVE(qctx->client->query.redirect.sigrdataset, 9663 qctx->sigrdataset); 9664 qctx->client->query.redirect.result = saved_result; 9665 dns_name_copy(qctx->fname, qctx->client->query.redirect.fname); 9666 qctx->client->query.redirect.authoritative = 9667 qctx->authoritative; 9668 qctx->client->query.redirect.is_zone = qctx->is_zone; 9669 return ns_query_done(qctx); 9670 case DNS_R_NXRRSET: 9671 qctx->redirected = true; 9672 qctx->is_zone = true; 9673 return query_nodata(qctx, DNS_R_NXRRSET); 9674 case DNS_R_NCACHENXRRSET: 9675 qctx->redirected = true; 9676 qctx->is_zone = false; 9677 return query_ncache(qctx, DNS_R_NCACHENXRRSET); 9678 default: 9679 break; 9680 } 9681 9682 return ISC_R_COMPLETE; 9683 } 9684 9685 /*% 9686 * Logging function to be passed to dns_nsec_noexistnodata. 9687 */ 9688 static void 9689 log_noexistnodata(void *val, int level, const char *fmt, ...) { 9690 query_ctx_t *qctx = val; 9691 va_list ap; 9692 9693 va_start(ap, fmt); 9694 ns_client_logv(qctx->client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY, 9695 level, fmt, ap); 9696 va_end(ap); 9697 } 9698 9699 static dns_ttl_t 9700 query_synthttl(dns_rdataset_t *soardataset, dns_rdataset_t *sigsoardataset, 9701 dns_rdataset_t *p1rdataset, dns_rdataset_t *sigp1rdataset, 9702 dns_rdataset_t *p2rdataset, dns_rdataset_t *sigp2rdataset) { 9703 dns_rdata_soa_t soa; 9704 dns_rdata_t rdata = DNS_RDATA_INIT; 9705 dns_ttl_t ttl; 9706 isc_result_t result; 9707 9708 REQUIRE(soardataset != NULL); 9709 REQUIRE(sigsoardataset != NULL); 9710 REQUIRE(p1rdataset != NULL); 9711 REQUIRE(sigp1rdataset != NULL); 9712 9713 result = dns_rdataset_first(soardataset); 9714 RUNTIME_CHECK(result == ISC_R_SUCCESS); 9715 dns_rdataset_current(soardataset, &rdata); 9716 result = dns_rdata_tostruct(&rdata, &soa, NULL); 9717 RUNTIME_CHECK(result == ISC_R_SUCCESS); 9718 9719 ttl = ISC_MIN(soa.minimum, soardataset->ttl); 9720 ttl = ISC_MIN(ttl, sigsoardataset->ttl); 9721 ttl = ISC_MIN(ttl, p1rdataset->ttl); 9722 ttl = ISC_MIN(ttl, sigp1rdataset->ttl); 9723 if (p2rdataset != NULL) { 9724 ttl = ISC_MIN(ttl, p2rdataset->ttl); 9725 } 9726 if (sigp2rdataset != NULL) { 9727 ttl = ISC_MIN(ttl, sigp2rdataset->ttl); 9728 } 9729 9730 return ttl; 9731 } 9732 9733 /* 9734 * Synthesize a NODATA response from the SOA and covering NSEC in cache. 9735 */ 9736 static isc_result_t 9737 query_synthnodata(query_ctx_t *qctx, const dns_name_t *signer, 9738 dns_rdataset_t **soardatasetp, 9739 dns_rdataset_t **sigsoardatasetp) { 9740 dns_name_t *name = NULL; 9741 dns_ttl_t ttl; 9742 isc_buffer_t *dbuf, b; 9743 9744 /* 9745 * Determine the correct TTL to use for the SOA and RRSIG 9746 */ 9747 ttl = query_synthttl(*soardatasetp, *sigsoardatasetp, qctx->rdataset, 9748 qctx->sigrdataset, NULL, NULL); 9749 (*soardatasetp)->ttl = (*sigsoardatasetp)->ttl = ttl; 9750 9751 /* 9752 * We want the SOA record to be first, so save the 9753 * NODATA proof's name now or else discard it. 9754 */ 9755 if (WANTDNSSEC(qctx->client)) { 9756 ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); 9757 } else { 9758 ns_client_releasename(qctx->client, &qctx->fname); 9759 } 9760 9761 dbuf = ns_client_getnamebuf(qctx->client); 9762 name = ns_client_newname(qctx->client, dbuf, &b); 9763 dns_name_copy(signer, name); 9764 9765 /* 9766 * Add SOA record. Omit the RRSIG if DNSSEC was not requested. 9767 */ 9768 if (!WANTDNSSEC(qctx->client)) { 9769 sigsoardatasetp = NULL; 9770 } 9771 query_addrrset(qctx, &name, soardatasetp, sigsoardatasetp, dbuf, 9772 DNS_SECTION_AUTHORITY); 9773 9774 if (WANTDNSSEC(qctx->client)) { 9775 /* 9776 * Add NODATA proof. 9777 */ 9778 query_addrrset(qctx, &qctx->fname, &qctx->rdataset, 9779 &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); 9780 } 9781 9782 inc_stats(qctx->client, ns_statscounter_nodatasynth); 9783 9784 if (name != NULL) { 9785 ns_client_releasename(qctx->client, &name); 9786 } 9787 return ISC_R_SUCCESS; 9788 } 9789 9790 /* 9791 * Synthesize a wildcard answer using the contents of 'rdataset'. 9792 * qctx contains the NODATA proof. 9793 */ 9794 static isc_result_t 9795 query_synthwildcard(query_ctx_t *qctx, dns_rdataset_t *rdataset, 9796 dns_rdataset_t *sigrdataset) { 9797 dns_name_t *name = NULL; 9798 isc_buffer_t *dbuf, b; 9799 dns_rdataset_t *cloneset = NULL, *clonesigset = NULL; 9800 dns_rdataset_t **sigrdatasetp; 9801 9802 CCTRACE(ISC_LOG_DEBUG(3), "query_synthwildcard"); 9803 9804 /* 9805 * We want the answer to be first, so save the 9806 * NOQNAME proof's name now or else discard it. 9807 */ 9808 if (WANTDNSSEC(qctx->client)) { 9809 ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); 9810 } else { 9811 ns_client_releasename(qctx->client, &qctx->fname); 9812 } 9813 9814 dbuf = ns_client_getnamebuf(qctx->client); 9815 name = ns_client_newname(qctx->client, dbuf, &b); 9816 dns_name_copy(qctx->client->query.qname, name); 9817 9818 cloneset = ns_client_newrdataset(qctx->client); 9819 dns_rdataset_clone(rdataset, cloneset); 9820 9821 /* 9822 * Add answer RRset. Omit the RRSIG if DNSSEC was not requested. 9823 */ 9824 if (WANTDNSSEC(qctx->client)) { 9825 clonesigset = ns_client_newrdataset(qctx->client); 9826 dns_rdataset_clone(sigrdataset, clonesigset); 9827 sigrdatasetp = &clonesigset; 9828 } else { 9829 sigrdatasetp = NULL; 9830 } 9831 9832 query_addrrset(qctx, &name, &cloneset, sigrdatasetp, dbuf, 9833 DNS_SECTION_ANSWER); 9834 9835 if (WANTDNSSEC(qctx->client)) { 9836 /* 9837 * Add NOQNAME proof. 9838 */ 9839 query_addrrset(qctx, &qctx->fname, &qctx->rdataset, 9840 &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); 9841 } 9842 9843 inc_stats(qctx->client, ns_statscounter_wildcardsynth); 9844 9845 if (name != NULL) { 9846 ns_client_releasename(qctx->client, &name); 9847 } 9848 if (cloneset != NULL) { 9849 ns_client_putrdataset(qctx->client, &cloneset); 9850 } 9851 if (clonesigset != NULL) { 9852 ns_client_putrdataset(qctx->client, &clonesigset); 9853 } 9854 return ISC_R_SUCCESS; 9855 } 9856 9857 /* 9858 * Add a synthesized CNAME record from the wildard RRset (rdataset) 9859 * and NODATA proof by calling query_synthwildcard then setup to 9860 * follow the CNAME. 9861 */ 9862 static isc_result_t 9863 query_synthcnamewildcard(query_ctx_t *qctx, dns_rdataset_t *rdataset, 9864 dns_rdataset_t *sigrdataset) { 9865 isc_result_t result; 9866 dns_name_t *tname = NULL; 9867 dns_rdata_t rdata = DNS_RDATA_INIT; 9868 dns_rdata_cname_t cname; 9869 9870 result = query_synthwildcard(qctx, rdataset, sigrdataset); 9871 if (result != ISC_R_SUCCESS) { 9872 return result; 9873 } 9874 9875 qctx->client->query.attributes |= NS_QUERYATTR_PARTIALANSWER; 9876 9877 /* 9878 * Reset qname to be the target name of the CNAME and restart 9879 * the query. 9880 */ 9881 dns_message_gettempname(qctx->client->message, &tname); 9882 9883 result = dns_rdataset_first(rdataset); 9884 if (result != ISC_R_SUCCESS) { 9885 dns_message_puttempname(qctx->client->message, &tname); 9886 return result; 9887 } 9888 9889 dns_rdataset_current(rdataset, &rdata); 9890 result = dns_rdata_tostruct(&rdata, &cname, NULL); 9891 RUNTIME_CHECK(result == ISC_R_SUCCESS); 9892 dns_rdata_reset(&rdata); 9893 9894 if (dns_name_equal(qctx->client->query.qname, &cname.cname)) { 9895 dns_message_puttempname(qctx->client->message, &tname); 9896 dns_rdata_freestruct(&cname); 9897 return ISC_R_SUCCESS; 9898 } 9899 9900 dns_name_copy(&cname.cname, tname); 9901 9902 dns_rdata_freestruct(&cname); 9903 ns_client_qnamereplace(qctx->client, tname); 9904 qctx->want_restart = true; 9905 if (!WANTRECURSION(qctx->client)) { 9906 qctx->options.nolog = true; 9907 } 9908 9909 return result; 9910 } 9911 9912 /* 9913 * Synthesize a NXDOMAIN or NODATA response from qctx (which contains the 9914 * NOQNAME proof), nowild + nowildrdataset + signowildrdataset (which 9915 * contains the NOWILDCARD proof or NODATA at wildcard) and 9916 * signer + soardatasetp + sigsoardatasetp which contain the 9917 * SOA record + RRSIG for the negative answer. 9918 */ 9919 static isc_result_t 9920 query_synthnxdomainnodata(query_ctx_t *qctx, bool nodata, dns_name_t *nowild, 9921 dns_rdataset_t *nowildrdataset, 9922 dns_rdataset_t *signowildrdataset, dns_name_t *signer, 9923 dns_rdataset_t **soardatasetp, 9924 dns_rdataset_t **sigsoardatasetp) { 9925 dns_name_t *name = NULL; 9926 dns_ttl_t ttl; 9927 isc_buffer_t *dbuf, b; 9928 dns_rdataset_t *cloneset = NULL, *clonesigset = NULL; 9929 9930 CCTRACE(ISC_LOG_DEBUG(3), "query_synthnxdomain"); 9931 9932 /* 9933 * Determine the correct TTL to use for the SOA and RRSIG 9934 */ 9935 ttl = query_synthttl(*soardatasetp, *sigsoardatasetp, qctx->rdataset, 9936 qctx->sigrdataset, nowildrdataset, 9937 signowildrdataset); 9938 (*soardatasetp)->ttl = (*sigsoardatasetp)->ttl = ttl; 9939 9940 /* 9941 * We want the SOA record to be first, so save the 9942 * NOQNAME proof's name now or else discard it. 9943 */ 9944 if (WANTDNSSEC(qctx->client)) { 9945 ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); 9946 } else { 9947 ns_client_releasename(qctx->client, &qctx->fname); 9948 } 9949 9950 dbuf = ns_client_getnamebuf(qctx->client); 9951 name = ns_client_newname(qctx->client, dbuf, &b); 9952 dns_name_copy(signer, name); 9953 9954 /* 9955 * Add SOA record. Omit the RRSIG if DNSSEC was not requested. 9956 */ 9957 if (!WANTDNSSEC(qctx->client)) { 9958 sigsoardatasetp = NULL; 9959 } 9960 query_addrrset(qctx, &name, soardatasetp, sigsoardatasetp, dbuf, 9961 DNS_SECTION_AUTHORITY); 9962 9963 if (WANTDNSSEC(qctx->client)) { 9964 /* 9965 * Add NOQNAME proof. 9966 */ 9967 query_addrrset(qctx, &qctx->fname, &qctx->rdataset, 9968 &qctx->sigrdataset, NULL, DNS_SECTION_AUTHORITY); 9969 9970 dbuf = ns_client_getnamebuf(qctx->client); 9971 name = ns_client_newname(qctx->client, dbuf, &b); 9972 dns_name_copy(nowild, name); 9973 9974 cloneset = ns_client_newrdataset(qctx->client); 9975 clonesigset = ns_client_newrdataset(qctx->client); 9976 9977 dns_rdataset_clone(nowildrdataset, cloneset); 9978 dns_rdataset_clone(signowildrdataset, clonesigset); 9979 9980 /* 9981 * Add NOWILDCARD proof. 9982 */ 9983 query_addrrset(qctx, &name, &cloneset, &clonesigset, dbuf, 9984 DNS_SECTION_AUTHORITY); 9985 } 9986 9987 if (nodata) { 9988 inc_stats(qctx->client, ns_statscounter_nodatasynth); 9989 } else { 9990 qctx->client->message->rcode = dns_rcode_nxdomain; 9991 inc_stats(qctx->client, ns_statscounter_nxdomainsynth); 9992 } 9993 9994 if (name != NULL) { 9995 ns_client_releasename(qctx->client, &name); 9996 } 9997 if (cloneset != NULL) { 9998 ns_client_putrdataset(qctx->client, &cloneset); 9999 } 10000 if (clonesigset != NULL) { 10001 ns_client_putrdataset(qctx->client, &clonesigset); 10002 } 10003 return ISC_R_SUCCESS; 10004 } 10005 10006 /* 10007 * Check that all signer names in sigrdataset match the expected signer. 10008 */ 10009 static isc_result_t 10010 checksignames(dns_name_t *signer, dns_rdataset_t *sigrdataset) { 10011 isc_result_t result; 10012 10013 for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS; 10014 result = dns_rdataset_next(sigrdataset)) 10015 { 10016 dns_rdata_t rdata = DNS_RDATA_INIT; 10017 dns_rdata_rrsig_t rrsig; 10018 10019 dns_rdataset_current(sigrdataset, &rdata); 10020 result = dns_rdata_tostruct(&rdata, &rrsig, NULL); 10021 RUNTIME_CHECK(result == ISC_R_SUCCESS); 10022 if (dns_name_countlabels(signer) == 0) { 10023 dns_name_copy(&rrsig.signer, signer); 10024 } else if (!dns_name_equal(signer, &rrsig.signer)) { 10025 return ISC_R_FAILURE; 10026 } 10027 } 10028 10029 return ISC_R_SUCCESS; 10030 } 10031 10032 /*% 10033 * Handle covering NSEC responses. 10034 * 10035 * Verify the NSEC record is appropriate for the QNAME; if not, 10036 * redo the initial query without DNS_DBFIND_COVERINGNSEC. 10037 * 10038 * If the covering NSEC proves that the name exists but not the type, 10039 * synthesize a NODATA response. 10040 * 10041 * If the name doesn't exist, compute the wildcard record and check whether 10042 * the wildcard name exists or not. If we can't determine this, redo the 10043 * initial query without DNS_DBFIND_COVERINGNSEC. 10044 * 10045 * If the wildcard name does not exist, compute the SOA name and look that 10046 * up. If the SOA record does not exist, redo the initial query without 10047 * DNS_DBFIND_COVERINGNSEC. If the SOA record exists, synthesize an 10048 * NXDOMAIN response from the found records. 10049 * 10050 * If the wildcard name does exist, perform a lookup for the requested 10051 * type at the wildcard name. 10052 */ 10053 static isc_result_t 10054 query_coveringnsec(query_ctx_t *qctx) { 10055 dns_db_t *db = NULL; 10056 dns_clientinfo_t ci; 10057 dns_clientinfomethods_t cm; 10058 dns_dbnode_t *node = NULL; 10059 dns_fixedname_t fixed; 10060 dns_fixedname_t fnamespace; 10061 dns_fixedname_t fnowild; 10062 dns_fixedname_t fsigner; 10063 dns_fixedname_t fwild; 10064 dns_name_t *fname = NULL; 10065 dns_name_t *namespace = NULL; 10066 dns_name_t *nowild = NULL; 10067 dns_name_t *signer = NULL; 10068 dns_name_t *wild = NULL; 10069 dns_name_t qname; 10070 dns_rdataset_t *soardataset = NULL, *sigsoardataset = NULL; 10071 dns_rdataset_t rdataset, sigrdataset; 10072 bool done = false; 10073 bool exists = true, data = true; 10074 bool redirected = false; 10075 isc_result_t result = ISC_R_SUCCESS; 10076 unsigned int dboptions = qctx->client->query.dboptions; 10077 unsigned int labels; 10078 10079 CCTRACE(ISC_LOG_DEBUG(3), "query_coveringnsec"); 10080 10081 dns_name_init(&qname, NULL); 10082 dns_rdataset_init(&rdataset); 10083 dns_rdataset_init(&sigrdataset); 10084 namespace = dns_fixedname_initname(&fnamespace); 10085 10086 /* 10087 * Check that the NSEC record is from the correct namespace. 10088 * For records that belong to the parent zone (i.e. DS), 10089 * remove a label to find the correct namespace. 10090 */ 10091 dns_name_clone(qctx->client->query.qname, &qname); 10092 labels = dns_name_countlabels(&qname); 10093 if (dns_rdatatype_atparent(qctx->qtype) && labels > 1) { 10094 dns_name_getlabelsequence(&qname, 1, labels - 1, &qname); 10095 } 10096 dns_view_sfd_find(qctx->view, &qname, namespace); 10097 if (!dns_name_issubdomain(qctx->fname, namespace)) { 10098 goto cleanup; 10099 } 10100 10101 /* 10102 * If we have no signer name, stop immediately. 10103 */ 10104 if (!dns_rdataset_isassociated(qctx->sigrdataset)) { 10105 goto cleanup; 10106 } 10107 10108 wild = dns_fixedname_initname(&fwild); 10109 fname = dns_fixedname_initname(&fixed); 10110 signer = dns_fixedname_initname(&fsigner); 10111 nowild = dns_fixedname_initname(&fnowild); 10112 10113 dns_clientinfomethods_init(&cm, ns_client_sourceip); 10114 dns_clientinfo_init(&ci, qctx->client, NULL); 10115 10116 /* 10117 * All signer names must be the same to accept. 10118 */ 10119 result = checksignames(signer, qctx->sigrdataset); 10120 if (result != ISC_R_SUCCESS) { 10121 result = ISC_R_SUCCESS; 10122 goto cleanup; 10123 } 10124 10125 /* 10126 * If NSEC or RRSIG are missing from the type map 10127 * reject the NSEC RRset. 10128 */ 10129 if (!dns_nsec_requiredtypespresent(qctx->rdataset)) { 10130 goto cleanup; 10131 } 10132 10133 /* 10134 * Check that we have the correct NOQNAME NSEC record. 10135 */ 10136 result = dns_nsec_noexistnodata(qctx->qtype, qctx->client->query.qname, 10137 qctx->fname, qctx->rdataset, &exists, 10138 &data, wild, log_noexistnodata, qctx); 10139 10140 if (result != ISC_R_SUCCESS || (exists && data)) { 10141 goto cleanup; 10142 } 10143 10144 if (exists) { 10145 if (qctx->type == dns_rdatatype_any) { /* XXX not yet */ 10146 goto cleanup; 10147 } 10148 if (!ISC_LIST_EMPTY(qctx->view->dns64) && 10149 (qctx->type == dns_rdatatype_a || 10150 qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */ 10151 { 10152 goto cleanup; 10153 } 10154 if (!qctx->resuming && !STALE(qctx->rdataset) && 10155 qctx->rdataset->ttl == 0 && RECURSIONOK(qctx->client)) 10156 { 10157 goto cleanup; 10158 } 10159 10160 soardataset = ns_client_newrdataset(qctx->client); 10161 sigsoardataset = ns_client_newrdataset(qctx->client); 10162 10163 /* 10164 * Look for SOA record to construct NODATA response. 10165 */ 10166 dns_db_attach(qctx->db, &db); 10167 result = dns_db_findext(db, signer, qctx->version, 10168 dns_rdatatype_soa, dboptions, 10169 qctx->client->now, &node, fname, &cm, 10170 &ci, soardataset, sigsoardataset); 10171 10172 if (result != ISC_R_SUCCESS) { 10173 goto cleanup; 10174 } 10175 (void)query_synthnodata(qctx, signer, &soardataset, 10176 &sigsoardataset); 10177 done = true; 10178 goto cleanup; 10179 } 10180 10181 /* 10182 * Look up the no-wildcard proof. 10183 */ 10184 dns_db_attach(qctx->db, &db); 10185 result = dns_db_findext(db, wild, qctx->version, qctx->type, 10186 dboptions | DNS_DBFIND_COVERINGNSEC, 10187 qctx->client->now, &node, nowild, &cm, &ci, 10188 &rdataset, &sigrdataset); 10189 10190 if (rdataset.trust != dns_trust_secure || 10191 sigrdataset.trust != dns_trust_secure) 10192 { 10193 goto cleanup; 10194 } 10195 10196 /* 10197 * Zero TTL handling of wildcard record. 10198 * 10199 * We don't yet have code to handle synthesis and type ANY or dns64 10200 * processing so we abort the synthesis here if there would be a 10201 * interaction. 10202 */ 10203 switch (result) { 10204 case ISC_R_SUCCESS: 10205 if (qctx->type == dns_rdatatype_any) { /* XXX not yet */ 10206 goto cleanup; 10207 } 10208 if (!ISC_LIST_EMPTY(qctx->view->dns64) && 10209 (qctx->type == dns_rdatatype_a || 10210 qctx->type == dns_rdatatype_aaaa)) /* XXX not yet */ 10211 { 10212 goto cleanup; 10213 } 10214 FALLTHROUGH; 10215 case DNS_R_CNAME: 10216 if (!qctx->resuming && !STALE(&rdataset) && rdataset.ttl == 0 && 10217 RECURSIONOK(qctx->client)) 10218 { 10219 goto cleanup; 10220 } 10221 default: 10222 break; 10223 } 10224 10225 switch (result) { 10226 case DNS_R_COVERINGNSEC: 10227 /* 10228 * Check that the covering NSEC record is from the right 10229 * namespace. 10230 */ 10231 if (!dns_name_issubdomain(nowild, namespace)) { 10232 goto cleanup; 10233 } 10234 result = dns_nsec_noexistnodata(qctx->qtype, wild, nowild, 10235 &rdataset, &exists, &data, NULL, 10236 log_noexistnodata, qctx); 10237 if (result != ISC_R_SUCCESS || (exists && data)) { 10238 goto cleanup; 10239 } 10240 break; 10241 case ISC_R_SUCCESS: /* wild card match */ 10242 (void)query_synthwildcard(qctx, &rdataset, &sigrdataset); 10243 done = true; 10244 goto cleanup; 10245 case DNS_R_CNAME: /* wild card cname */ 10246 (void)query_synthcnamewildcard(qctx, &rdataset, &sigrdataset); 10247 done = true; 10248 goto cleanup; 10249 case DNS_R_NCACHENXRRSET: /* wild card nodata */ 10250 case DNS_R_NCACHENXDOMAIN: /* direct nxdomain */ 10251 default: 10252 goto cleanup; 10253 } 10254 10255 /* 10256 * We now have the proof that we have an NXDOMAIN. Apply 10257 * NXDOMAIN redirection if configured. 10258 */ 10259 result = query_redirect(qctx, DNS_R_COVERINGNSEC); 10260 if (result != ISC_R_COMPLETE) { 10261 redirected = true; 10262 goto cleanup; 10263 } 10264 10265 /* 10266 * Must be signed to accept. 10267 */ 10268 if (!dns_rdataset_isassociated(&sigrdataset)) { 10269 goto cleanup; 10270 } 10271 10272 /* 10273 * Check signer signer names again. 10274 */ 10275 result = checksignames(signer, &sigrdataset); 10276 if (result != ISC_R_SUCCESS) { 10277 result = ISC_R_SUCCESS; 10278 goto cleanup; 10279 } 10280 10281 if (node != NULL) { 10282 dns_db_detachnode(db, &node); 10283 } 10284 10285 soardataset = ns_client_newrdataset(qctx->client); 10286 sigsoardataset = ns_client_newrdataset(qctx->client); 10287 10288 /* 10289 * Look for SOA record to construct NXDOMAIN response. 10290 */ 10291 result = dns_db_findext(db, signer, qctx->version, dns_rdatatype_soa, 10292 dboptions, qctx->client->now, &node, fname, &cm, 10293 &ci, soardataset, sigsoardataset); 10294 10295 if (result != ISC_R_SUCCESS) { 10296 goto cleanup; 10297 } 10298 (void)query_synthnxdomainnodata(qctx, exists, nowild, &rdataset, 10299 &sigrdataset, signer, &soardataset, 10300 &sigsoardataset); 10301 done = true; 10302 10303 cleanup: 10304 if (dns_rdataset_isassociated(&rdataset)) { 10305 dns_rdataset_disassociate(&rdataset); 10306 } 10307 if (dns_rdataset_isassociated(&sigrdataset)) { 10308 dns_rdataset_disassociate(&sigrdataset); 10309 } 10310 if (soardataset != NULL) { 10311 ns_client_putrdataset(qctx->client, &soardataset); 10312 } 10313 if (sigsoardataset != NULL) { 10314 ns_client_putrdataset(qctx->client, &sigsoardataset); 10315 } 10316 if (db != NULL) { 10317 if (node != NULL) { 10318 dns_db_detachnode(db, &node); 10319 } 10320 dns_db_detach(&db); 10321 } 10322 10323 if (redirected) { 10324 return result; 10325 } 10326 10327 if (!done) { 10328 /* 10329 * No covering NSEC was found; proceed with recursion. 10330 */ 10331 qctx->findcoveringnsec = false; 10332 if (qctx->fname != NULL) { 10333 ns_client_releasename(qctx->client, &qctx->fname); 10334 } 10335 if (qctx->node != NULL) { 10336 dns_db_detachnode(qctx->db, &qctx->node); 10337 } 10338 ns_client_putrdataset(qctx->client, &qctx->rdataset); 10339 if (qctx->sigrdataset != NULL) { 10340 ns_client_putrdataset(qctx->client, &qctx->sigrdataset); 10341 } 10342 return query_lookup(qctx); 10343 } 10344 10345 return ns_query_done(qctx); 10346 } 10347 10348 /*% 10349 * Handle negative cache responses, DNS_R_NCACHENXRRSET or 10350 * DNS_R_NCACHENXDOMAIN. (Note: may also be called with result 10351 * set to DNS_R_NXDOMAIN when handling DNS64 lookups.) 10352 */ 10353 static isc_result_t 10354 query_ncache(query_ctx_t *qctx, isc_result_t result) { 10355 INSIST(!qctx->is_zone); 10356 INSIST(result == DNS_R_NCACHENXDOMAIN || 10357 result == DNS_R_NCACHENXRRSET || result == DNS_R_NXDOMAIN); 10358 10359 CCTRACE(ISC_LOG_DEBUG(3), "query_ncache"); 10360 10361 CALL_HOOK(NS_QUERY_NCACHE_BEGIN, qctx); 10362 10363 qctx->authoritative = false; 10364 10365 if (result == DNS_R_NCACHENXDOMAIN) { 10366 /* 10367 * Set message rcode. (This is not done when 10368 * result == DNS_R_NXDOMAIN because that means we're 10369 * being called after a DNS64 lookup and don't want 10370 * to update the rcode now.) 10371 */ 10372 qctx->client->message->rcode = dns_rcode_nxdomain; 10373 10374 /* Look for RFC 1918 leakage from Internet. */ 10375 if (qctx->qtype == dns_rdatatype_ptr && 10376 qctx->client->message->rdclass == dns_rdataclass_in && 10377 dns_name_countlabels(qctx->fname) == 7) 10378 { 10379 warn_rfc1918(qctx->client, qctx->fname, qctx->rdataset); 10380 } 10381 } 10382 10383 return query_nodata(qctx, result); 10384 10385 cleanup: 10386 return result; 10387 } 10388 10389 /* 10390 * If we have a zero ttl from the cache, refetch. 10391 */ 10392 static isc_result_t 10393 query_zerottl_refetch(query_ctx_t *qctx) { 10394 isc_result_t result; 10395 10396 CCTRACE(ISC_LOG_DEBUG(3), "query_zerottl_refetch"); 10397 10398 if (qctx->is_zone || qctx->resuming || STALE(qctx->rdataset) || 10399 qctx->rdataset->ttl != 0 || !RECURSIONOK(qctx->client)) 10400 { 10401 return ISC_R_COMPLETE; 10402 } 10403 10404 qctx_clean(qctx); 10405 10406 INSIST(!REDIRECT(qctx->client)); 10407 10408 result = ns_query_recurse(qctx->client, qctx->qtype, 10409 qctx->client->query.qname, NULL, NULL, 10410 qctx->resuming); 10411 if (result == ISC_R_SUCCESS) { 10412 CALL_HOOK(NS_QUERY_ZEROTTL_RECURSE, qctx); 10413 qctx->client->query.attributes |= NS_QUERYATTR_RECURSING; 10414 10415 if (qctx->dns64) { 10416 qctx->client->query.attributes |= NS_QUERYATTR_DNS64; 10417 } 10418 if (qctx->dns64_exclude) { 10419 qctx->client->query.attributes |= 10420 NS_QUERYATTR_DNS64EXCLUDE; 10421 } 10422 } else { 10423 /* 10424 * There was a zero ttl from the cache, don't fallback to 10425 * serve-stale lookup. 10426 */ 10427 QUERY_ERROR(qctx, result); 10428 } 10429 10430 return ns_query_done(qctx); 10431 10432 cleanup: 10433 return result; 10434 } 10435 10436 /* 10437 * Handle CNAME responses. 10438 */ 10439 static isc_result_t 10440 query_cname(query_ctx_t *qctx) { 10441 isc_result_t result = ISC_R_UNSET; 10442 dns_name_t *tname = NULL; 10443 dns_rdataset_t *trdataset = NULL; 10444 dns_rdataset_t **sigrdatasetp = NULL; 10445 dns_rdata_t rdata = DNS_RDATA_INIT; 10446 dns_rdata_cname_t cname; 10447 10448 CCTRACE(ISC_LOG_DEBUG(3), "query_cname"); 10449 10450 CALL_HOOK(NS_QUERY_CNAME_BEGIN, qctx); 10451 10452 result = query_zerottl_refetch(qctx); 10453 if (result != ISC_R_COMPLETE) { 10454 goto cleanup; 10455 } 10456 10457 /* 10458 * Keep a copy of the rdataset. We have to do this because 10459 * query_addrrset may clear 'rdataset' (to prevent the 10460 * cleanup code from cleaning it up). 10461 */ 10462 trdataset = qctx->rdataset; 10463 10464 /* 10465 * Add the CNAME to the answer section. 10466 */ 10467 if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) { 10468 sigrdatasetp = &qctx->sigrdataset; 10469 } 10470 10471 if (WANTDNSSEC(qctx->client) && qctx->fname->attributes.wildcard) { 10472 dns_fixedname_init(&qctx->wildcardname); 10473 dns_name_copy(qctx->fname, 10474 dns_fixedname_name(&qctx->wildcardname)); 10475 qctx->need_wildcardproof = true; 10476 } 10477 10478 if (NOQNAME(qctx->rdataset) && WANTDNSSEC(qctx->client)) { 10479 qctx->noqname = qctx->rdataset; 10480 } else { 10481 qctx->noqname = NULL; 10482 } 10483 10484 if (!qctx->is_zone && RECURSIONOK(qctx->client)) { 10485 query_prefetch(qctx->client, qctx->fname, qctx->rdataset); 10486 } 10487 10488 query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp, 10489 qctx->dbuf, DNS_SECTION_ANSWER); 10490 10491 query_addnoqnameproof(qctx); 10492 10493 /* 10494 * We set the PARTIALANSWER attribute so that if anything goes 10495 * wrong later on, we'll return what we've got so far. 10496 */ 10497 qctx->client->query.attributes |= NS_QUERYATTR_PARTIALANSWER; 10498 10499 /* 10500 * Reset qname to be the target name of the CNAME and restart 10501 * the query. 10502 */ 10503 dns_message_gettempname(qctx->client->message, &tname); 10504 10505 result = dns_rdataset_first(trdataset); 10506 if (result != ISC_R_SUCCESS) { 10507 dns_message_puttempname(qctx->client->message, &tname); 10508 (void)ns_query_done(qctx); 10509 goto cleanup; 10510 } 10511 10512 dns_rdataset_current(trdataset, &rdata); 10513 result = dns_rdata_tostruct(&rdata, &cname, NULL); 10514 RUNTIME_CHECK(result == ISC_R_SUCCESS); 10515 dns_rdata_reset(&rdata); 10516 10517 dns_name_copy(&cname.cname, tname); 10518 10519 dns_rdata_freestruct(&cname); 10520 ns_client_qnamereplace(qctx->client, tname); 10521 qctx->want_restart = true; 10522 if (!WANTRECURSION(qctx->client)) { 10523 qctx->options.nolog = true; 10524 } 10525 10526 query_addauth(qctx); 10527 10528 return ns_query_done(qctx); 10529 10530 cleanup: 10531 return result; 10532 } 10533 10534 /* 10535 * Handle DNAME responses. 10536 */ 10537 static isc_result_t 10538 query_dname(query_ctx_t *qctx) { 10539 dns_name_t *tname, *prefix; 10540 dns_rdata_t rdata = DNS_RDATA_INIT; 10541 dns_rdata_dname_t dname; 10542 dns_fixedname_t fixed; 10543 dns_rdataset_t *trdataset; 10544 dns_rdataset_t **sigrdatasetp = NULL; 10545 dns_namereln_t namereln; 10546 isc_buffer_t b; 10547 int order; 10548 isc_result_t result = ISC_R_UNSET; 10549 unsigned int nlabels; 10550 10551 CCTRACE(ISC_LOG_DEBUG(3), "query_dname"); 10552 10553 CALL_HOOK(NS_QUERY_DNAME_BEGIN, qctx); 10554 10555 /* 10556 * Compare the current qname to the found name. We need 10557 * to know how many labels and bits are in common because 10558 * we're going to have to split qname later on. 10559 */ 10560 namereln = dns_name_fullcompare(qctx->client->query.qname, qctx->fname, 10561 &order, &nlabels); 10562 INSIST(namereln == dns_namereln_subdomain); 10563 10564 /* 10565 * Keep a copy of the rdataset. We have to do this because 10566 * query_addrrset may clear 'rdataset' (to prevent the 10567 * cleanup code from cleaning it up). 10568 */ 10569 trdataset = qctx->rdataset; 10570 10571 /* 10572 * Add the DNAME to the answer section. 10573 */ 10574 if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) { 10575 sigrdatasetp = &qctx->sigrdataset; 10576 } 10577 10578 if (WANTDNSSEC(qctx->client) && qctx->fname->attributes.wildcard) { 10579 dns_fixedname_init(&qctx->wildcardname); 10580 dns_name_copy(qctx->fname, 10581 dns_fixedname_name(&qctx->wildcardname)); 10582 qctx->need_wildcardproof = true; 10583 } 10584 10585 if (!qctx->is_zone && RECURSIONOK(qctx->client)) { 10586 query_prefetch(qctx->client, qctx->fname, qctx->rdataset); 10587 } 10588 query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp, 10589 qctx->dbuf, DNS_SECTION_ANSWER); 10590 10591 /* 10592 * We set the PARTIALANSWER attribute so that if anything goes 10593 * wrong later on, we'll return what we've got so far. 10594 */ 10595 qctx->client->query.attributes |= NS_QUERYATTR_PARTIALANSWER; 10596 10597 /* 10598 * Get the target name of the DNAME. 10599 */ 10600 tname = NULL; 10601 dns_message_gettempname(qctx->client->message, &tname); 10602 10603 result = dns_rdataset_first(trdataset); 10604 if (result != ISC_R_SUCCESS) { 10605 dns_message_puttempname(qctx->client->message, &tname); 10606 (void)ns_query_done(qctx); 10607 goto cleanup; 10608 } 10609 10610 dns_rdataset_current(trdataset, &rdata); 10611 result = dns_rdata_tostruct(&rdata, &dname, NULL); 10612 RUNTIME_CHECK(result == ISC_R_SUCCESS); 10613 dns_rdata_reset(&rdata); 10614 10615 dns_name_copy(&dname.dname, tname); 10616 dns_rdata_freestruct(&dname); 10617 10618 /* 10619 * Construct the new qname consisting of 10620 * <found name prefix>.<dname target> 10621 */ 10622 prefix = dns_fixedname_initname(&fixed); 10623 dns_name_split(qctx->client->query.qname, nlabels, prefix, NULL); 10624 INSIST(qctx->fname == NULL); 10625 qctx->dbuf = ns_client_getnamebuf(qctx->client); 10626 qctx->fname = ns_client_newname(qctx->client, qctx->dbuf, &b); 10627 result = dns_name_concatenate(prefix, tname, qctx->fname, NULL); 10628 dns_message_puttempname(qctx->client->message, &tname); 10629 10630 /* 10631 * RFC2672, section 4.1, subsection 3c says 10632 * we should return YXDOMAIN if the constructed 10633 * name would be too long. 10634 */ 10635 if (result == DNS_R_NAMETOOLONG) { 10636 qctx->client->message->rcode = dns_rcode_yxdomain; 10637 } 10638 if (result != ISC_R_SUCCESS) { 10639 (void)ns_query_done(qctx); 10640 goto cleanup; 10641 } 10642 10643 ns_client_keepname(qctx->client, qctx->fname, qctx->dbuf); 10644 10645 /* 10646 * Synthesize a CNAME consisting of 10647 * <old qname> <dname ttl> CNAME <new qname> 10648 * with <dname trust value> 10649 * 10650 * Synthesize a CNAME so old old clients that don't understand 10651 * DNAME can chain. 10652 * 10653 * We do not try to synthesize a signature because we hope 10654 * that security aware servers will understand DNAME. Also, 10655 * even if we had an online key, making a signature 10656 * on-the-fly is costly, and not really legitimate anyway 10657 * since the synthesized CNAME is NOT in the zone. 10658 */ 10659 query_addcname(qctx, trdataset->trust, trdataset->ttl); 10660 10661 /* 10662 * If the original query was not for a CNAME or ANY then follow the 10663 * CNAME. 10664 */ 10665 if (qctx->qtype != dns_rdatatype_cname && 10666 qctx->qtype != dns_rdatatype_any) 10667 { 10668 /* 10669 * Switch to the new qname and restart. 10670 */ 10671 ns_client_qnamereplace(qctx->client, qctx->fname); 10672 qctx->fname = NULL; 10673 qctx->want_restart = true; 10674 if (!WANTRECURSION(qctx->client)) { 10675 qctx->options.nolog = true; 10676 } 10677 } 10678 10679 query_addauth(qctx); 10680 10681 return ns_query_done(qctx); 10682 10683 cleanup: 10684 return result; 10685 } 10686 10687 /*% 10688 * Add CNAME to response. 10689 */ 10690 static void 10691 query_addcname(query_ctx_t *qctx, dns_trust_t trust, dns_ttl_t ttl) { 10692 ns_client_t *client = qctx->client; 10693 dns_rdataset_t *rdataset = NULL; 10694 dns_rdatalist_t *rdatalist = NULL; 10695 dns_rdata_t *rdata = NULL; 10696 isc_region_t r; 10697 dns_name_t *aname = NULL; 10698 10699 dns_message_gettempname(client->message, &aname); 10700 10701 dns_name_copy(client->query.qname, aname); 10702 10703 dns_message_gettemprdatalist(client->message, &rdatalist); 10704 10705 dns_message_gettemprdata(client->message, &rdata); 10706 10707 dns_message_gettemprdataset(client->message, &rdataset); 10708 10709 rdatalist->type = dns_rdatatype_cname; 10710 rdatalist->rdclass = client->message->rdclass; 10711 rdatalist->ttl = ttl; 10712 10713 dns_name_toregion(qctx->fname, &r); 10714 rdata->data = r.base; 10715 rdata->length = r.length; 10716 rdata->rdclass = client->message->rdclass; 10717 rdata->type = dns_rdatatype_cname; 10718 10719 ISC_LIST_APPEND(rdatalist->rdata, rdata, link); 10720 dns_rdatalist_tordataset(rdatalist, rdataset); 10721 rdataset->trust = trust; 10722 dns_rdataset_setownercase(rdataset, aname); 10723 10724 query_addrrset(qctx, &aname, &rdataset, NULL, NULL, DNS_SECTION_ANSWER); 10725 if (rdataset != NULL) { 10726 if (dns_rdataset_isassociated(rdataset)) { 10727 dns_rdataset_disassociate(rdataset); 10728 } 10729 dns_message_puttemprdataset(client->message, &rdataset); 10730 } 10731 if (aname != NULL) { 10732 dns_message_puttempname(client->message, &aname); 10733 } 10734 } 10735 10736 /*% 10737 * Prepare to respond: determine whether a wildcard proof is needed, 10738 * then hand off to query_respond() or (for type ANY queries) 10739 * query_respond_any(). 10740 */ 10741 static isc_result_t 10742 query_prepresponse(query_ctx_t *qctx) { 10743 isc_result_t result = ISC_R_UNSET; 10744 10745 CCTRACE(ISC_LOG_DEBUG(3), "query_prepresponse"); 10746 10747 CALL_HOOK(NS_QUERY_PREP_RESPONSE_BEGIN, qctx); 10748 10749 if (WANTDNSSEC(qctx->client) && qctx->fname->attributes.wildcard) { 10750 dns_fixedname_init(&qctx->wildcardname); 10751 dns_name_copy(qctx->fname, 10752 dns_fixedname_name(&qctx->wildcardname)); 10753 qctx->need_wildcardproof = true; 10754 } 10755 10756 if (qctx->type == dns_rdatatype_any) { 10757 return query_respond_any(qctx); 10758 } 10759 10760 result = query_zerottl_refetch(qctx); 10761 if (result != ISC_R_COMPLETE) { 10762 goto cleanup; 10763 } 10764 10765 return query_respond(qctx); 10766 10767 cleanup: 10768 return result; 10769 } 10770 10771 /*% 10772 * Add SOA to the authority section when sending negative responses 10773 * (or to the additional section if sending negative responses triggered 10774 * by RPZ rewriting.) 10775 */ 10776 static isc_result_t 10777 query_addsoa(query_ctx_t *qctx, unsigned int override_ttl, 10778 dns_section_t section) { 10779 ns_client_t *client = qctx->client; 10780 dns_name_t *name = NULL; 10781 dns_dbnode_t *node = NULL; 10782 isc_result_t result, eresult = ISC_R_SUCCESS; 10783 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; 10784 dns_rdataset_t **sigrdatasetp = NULL; 10785 dns_clientinfomethods_t cm; 10786 dns_clientinfo_t ci; 10787 10788 CTRACE(ISC_LOG_DEBUG(3), "query_addsoa"); 10789 10790 dns_clientinfomethods_init(&cm, ns_client_sourceip); 10791 dns_clientinfo_init(&ci, client, NULL); 10792 10793 /* 10794 * Don't add the SOA record for test which set "-T nosoa". 10795 */ 10796 if (((client->manager->sctx->options & NS_SERVER_NOSOA) != 0) && 10797 (!WANTDNSSEC(client) || !dns_rdataset_isassociated(qctx->rdataset))) 10798 { 10799 return ISC_R_SUCCESS; 10800 } 10801 10802 /* 10803 * Get resources and make 'name' be the database origin. 10804 */ 10805 dns_message_gettempname(client->message, &name); 10806 10807 /* 10808 * We'll be releasing 'name' before returning, so it's safe to 10809 * use clone instead of copying here. 10810 */ 10811 dns_name_clone(dns_db_origin(qctx->db), name); 10812 10813 rdataset = ns_client_newrdataset(client); 10814 if (WANTDNSSEC(client) && dns_db_issecure(qctx->db)) { 10815 sigrdataset = ns_client_newrdataset(client); 10816 } 10817 10818 /* 10819 * Find the SOA. 10820 */ 10821 result = dns_db_getoriginnode(qctx->db, &node); 10822 if (result == ISC_R_SUCCESS) { 10823 result = dns_db_findrdataset(qctx->db, node, qctx->version, 10824 dns_rdatatype_soa, 0, client->now, 10825 rdataset, sigrdataset); 10826 } else { 10827 dns_fixedname_t foundname; 10828 dns_name_t *fname; 10829 10830 fname = dns_fixedname_initname(&foundname); 10831 10832 result = dns_db_findext(qctx->db, name, qctx->version, 10833 dns_rdatatype_soa, 10834 client->query.dboptions, 0, &node, 10835 fname, &cm, &ci, rdataset, sigrdataset); 10836 } 10837 if (result != ISC_R_SUCCESS) { 10838 /* 10839 * This is bad. We tried to get the SOA RR at the zone top 10840 * and it didn't work! 10841 */ 10842 CTRACE(ISC_LOG_ERROR, "unable to find SOA RR at zone apex"); 10843 eresult = DNS_R_SERVFAIL; 10844 } else { 10845 /* 10846 * Extract the SOA MINIMUM. 10847 */ 10848 dns_rdata_soa_t soa; 10849 dns_rdata_t rdata = DNS_RDATA_INIT; 10850 result = dns_rdataset_first(rdataset); 10851 RUNTIME_CHECK(result == ISC_R_SUCCESS); 10852 dns_rdataset_current(rdataset, &rdata); 10853 result = dns_rdata_tostruct(&rdata, &soa, NULL); 10854 RUNTIME_CHECK(result == ISC_R_SUCCESS); 10855 10856 if (override_ttl != UINT32_MAX && override_ttl < rdataset->ttl) 10857 { 10858 rdataset->ttl = override_ttl; 10859 if (sigrdataset != NULL) { 10860 sigrdataset->ttl = override_ttl; 10861 } 10862 } 10863 10864 /* 10865 * Add the SOA and its SIG to the response, with the 10866 * TTLs adjusted per RFC2308 section 3. 10867 */ 10868 if (rdataset->ttl > soa.minimum) { 10869 rdataset->ttl = soa.minimum; 10870 } 10871 if (sigrdataset != NULL && sigrdataset->ttl > soa.minimum) { 10872 sigrdataset->ttl = soa.minimum; 10873 } 10874 10875 if (sigrdataset != NULL) { 10876 sigrdatasetp = &sigrdataset; 10877 } else { 10878 sigrdatasetp = NULL; 10879 } 10880 10881 if (section == DNS_SECTION_ADDITIONAL) { 10882 rdataset->attributes |= DNS_RDATASETATTR_REQUIRED; 10883 } 10884 query_addrrset(qctx, &name, &rdataset, sigrdatasetp, NULL, 10885 section); 10886 } 10887 10888 ns_client_putrdataset(client, &rdataset); 10889 if (sigrdataset != NULL) { 10890 ns_client_putrdataset(client, &sigrdataset); 10891 } 10892 if (name != NULL) { 10893 ns_client_releasename(client, &name); 10894 } 10895 if (node != NULL) { 10896 dns_db_detachnode(qctx->db, &node); 10897 } 10898 10899 return eresult; 10900 } 10901 10902 /*% 10903 * Add NS to authority section (used when the zone apex is already known). 10904 */ 10905 static isc_result_t 10906 query_addns(query_ctx_t *qctx) { 10907 ns_client_t *client = qctx->client; 10908 isc_result_t result, eresult; 10909 dns_name_t *name = NULL, *fname; 10910 dns_dbnode_t *node = NULL; 10911 dns_fixedname_t foundname; 10912 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; 10913 dns_rdataset_t **sigrdatasetp = NULL; 10914 dns_clientinfomethods_t cm; 10915 dns_clientinfo_t ci; 10916 10917 CTRACE(ISC_LOG_DEBUG(3), "query_addns"); 10918 10919 /* 10920 * Initialization. 10921 */ 10922 eresult = ISC_R_SUCCESS; 10923 fname = dns_fixedname_initname(&foundname); 10924 10925 dns_clientinfomethods_init(&cm, ns_client_sourceip); 10926 dns_clientinfo_init(&ci, client, NULL); 10927 10928 /* 10929 * Get resources and make 'name' be the database origin. 10930 */ 10931 dns_message_gettempname(client->message, &name); 10932 dns_name_clone(dns_db_origin(qctx->db), name); 10933 rdataset = ns_client_newrdataset(client); 10934 10935 if (WANTDNSSEC(client) && dns_db_issecure(qctx->db)) { 10936 sigrdataset = ns_client_newrdataset(client); 10937 } 10938 10939 /* 10940 * Find the NS rdataset. 10941 */ 10942 result = dns_db_getoriginnode(qctx->db, &node); 10943 if (result == ISC_R_SUCCESS) { 10944 result = dns_db_findrdataset(qctx->db, node, qctx->version, 10945 dns_rdatatype_ns, 0, client->now, 10946 rdataset, sigrdataset); 10947 } else { 10948 CTRACE(ISC_LOG_DEBUG(3), "query_addns: calling dns_db_find"); 10949 result = dns_db_findext(qctx->db, name, NULL, dns_rdatatype_ns, 10950 client->query.dboptions, 0, &node, 10951 fname, &cm, &ci, rdataset, sigrdataset); 10952 CTRACE(ISC_LOG_DEBUG(3), "query_addns: dns_db_find complete"); 10953 } 10954 if (result != ISC_R_SUCCESS) { 10955 CTRACE(ISC_LOG_ERROR, "query_addns: " 10956 "dns_db_findrdataset or dns_db_find " 10957 "failed"); 10958 /* 10959 * This is bad. We tried to get the NS rdataset at the zone 10960 * top and it didn't work! 10961 */ 10962 eresult = DNS_R_SERVFAIL; 10963 } else { 10964 if (sigrdataset != NULL) { 10965 sigrdatasetp = &sigrdataset; 10966 } 10967 query_addrrset(qctx, &name, &rdataset, sigrdatasetp, NULL, 10968 DNS_SECTION_AUTHORITY); 10969 } 10970 10971 CTRACE(ISC_LOG_DEBUG(3), "query_addns: cleanup"); 10972 ns_client_putrdataset(client, &rdataset); 10973 if (sigrdataset != NULL) { 10974 ns_client_putrdataset(client, &sigrdataset); 10975 } 10976 if (name != NULL) { 10977 ns_client_releasename(client, &name); 10978 } 10979 if (node != NULL) { 10980 dns_db_detachnode(qctx->db, &node); 10981 } 10982 10983 CTRACE(ISC_LOG_DEBUG(3), "query_addns: done"); 10984 return eresult; 10985 } 10986 10987 /*% 10988 * Find the zone cut and add the best NS rrset to the authority section. 10989 */ 10990 static void 10991 query_addbestns(query_ctx_t *qctx) { 10992 ns_client_t *client = qctx->client; 10993 dns_db_t *db = NULL, *zdb = NULL; 10994 dns_dbnode_t *node = NULL; 10995 dns_name_t *fname = NULL, *zfname = NULL; 10996 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; 10997 dns_rdataset_t *zrdataset = NULL, *zsigrdataset = NULL; 10998 bool is_zone = false, use_zone = false; 10999 isc_buffer_t *dbuf = NULL; 11000 isc_result_t result; 11001 dns_dbversion_t *version = NULL; 11002 dns_zone_t *zone = NULL; 11003 isc_buffer_t b; 11004 dns_clientinfomethods_t cm; 11005 dns_clientinfo_t ci; 11006 dns_name_t qname; 11007 11008 CTRACE(ISC_LOG_DEBUG(3), "query_addbestns"); 11009 11010 dns_clientinfomethods_init(&cm, ns_client_sourceip); 11011 dns_clientinfo_init(&ci, client, NULL); 11012 11013 dns_name_init(&qname, NULL); 11014 dns_name_clone(client->query.qname, &qname); 11015 11016 /* 11017 * Find the right database. 11018 */ 11019 do { 11020 result = query_getdb(client, &qname, dns_rdatatype_ns, 11021 (dns_getdb_options_t){ 0 }, &zone, &db, 11022 &version, &is_zone); 11023 if (result != ISC_R_SUCCESS) { 11024 goto cleanup; 11025 } 11026 11027 /* 11028 * If this is a static stub zone look for a parent zone. 11029 */ 11030 if (zone != NULL && 11031 dns_zone_gettype(zone) == dns_zone_staticstub) 11032 { 11033 unsigned int labels = dns_name_countlabels(&qname); 11034 dns_db_detach(&db); 11035 dns_zone_detach(&zone); 11036 version = NULL; 11037 if (labels != 1) { 11038 dns_name_split(&qname, labels - 1, NULL, 11039 &qname); 11040 continue; 11041 } 11042 if (!USECACHE(client)) { 11043 goto cleanup; 11044 } 11045 dns_db_attach(client->view->cachedb, &db); 11046 is_zone = false; 11047 } 11048 break; 11049 } while (true); 11050 11051 db_find: 11052 /* 11053 * We'll need some resources... 11054 */ 11055 dbuf = ns_client_getnamebuf(client); 11056 fname = ns_client_newname(client, dbuf, &b); 11057 rdataset = ns_client_newrdataset(client); 11058 11059 /* 11060 * Get the RRSIGs if the client requested them or if we may 11061 * need to validate answers from the cache. 11062 */ 11063 if (WANTDNSSEC(client) || !is_zone) { 11064 sigrdataset = ns_client_newrdataset(client); 11065 } 11066 11067 /* 11068 * Now look for the zonecut. 11069 */ 11070 if (is_zone) { 11071 result = dns_db_findext( 11072 db, client->query.qname, version, dns_rdatatype_ns, 11073 client->query.dboptions, client->now, &node, fname, &cm, 11074 &ci, rdataset, sigrdataset); 11075 if (result != DNS_R_DELEGATION) { 11076 goto cleanup; 11077 } 11078 if (USECACHE(client)) { 11079 ns_client_keepname(client, fname, dbuf); 11080 dns_db_detachnode(db, &node); 11081 SAVE(zdb, db); 11082 SAVE(zfname, fname); 11083 SAVE(zrdataset, rdataset); 11084 SAVE(zsigrdataset, sigrdataset); 11085 version = NULL; 11086 dns_db_attach(client->view->cachedb, &db); 11087 is_zone = false; 11088 goto db_find; 11089 } 11090 } else { 11091 result = dns_db_findzonecut( 11092 db, client->query.qname, client->query.dboptions, 11093 client->now, &node, fname, NULL, rdataset, sigrdataset); 11094 if (result == ISC_R_SUCCESS) { 11095 if (zfname != NULL && 11096 !dns_name_issubdomain(fname, zfname)) 11097 { 11098 /* 11099 * We found a zonecut in the cache, but our 11100 * zone delegation is better. 11101 */ 11102 use_zone = true; 11103 } 11104 } else if (result == ISC_R_NOTFOUND && zfname != NULL) { 11105 /* 11106 * We didn't find anything in the cache, but we 11107 * have a zone delegation, so use it. 11108 */ 11109 use_zone = true; 11110 } else { 11111 goto cleanup; 11112 } 11113 } 11114 11115 if (use_zone) { 11116 ns_client_releasename(client, &fname); 11117 /* 11118 * We've already done ns_client_keepname() on 11119 * zfname, so we must set dbuf to NULL to 11120 * prevent query_addrrset() from trying to 11121 * call ns_client_keepname() again. 11122 */ 11123 dbuf = NULL; 11124 ns_client_putrdataset(client, &rdataset); 11125 if (sigrdataset != NULL) { 11126 ns_client_putrdataset(client, &sigrdataset); 11127 } 11128 11129 if (node != NULL) { 11130 dns_db_detachnode(db, &node); 11131 } 11132 dns_db_detach(&db); 11133 11134 RESTORE(db, zdb); 11135 RESTORE(fname, zfname); 11136 RESTORE(rdataset, zrdataset); 11137 RESTORE(sigrdataset, zsigrdataset); 11138 } 11139 11140 /* 11141 * Attempt to validate RRsets that are pending or that are glue. 11142 */ 11143 if ((DNS_TRUST_PENDING(rdataset->trust) || 11144 (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust))) && 11145 !validate(client, db, fname, rdataset, sigrdataset) && 11146 !PENDINGOK(client->query.dboptions)) 11147 { 11148 goto cleanup; 11149 } 11150 11151 if ((DNS_TRUST_GLUE(rdataset->trust) || 11152 (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) && 11153 !validate(client, db, fname, rdataset, sigrdataset) && 11154 SECURE(client) && WANTDNSSEC(client)) 11155 { 11156 goto cleanup; 11157 } 11158 11159 /* 11160 * If the answer is secure only add NS records if they are secure 11161 * when the client may be looking for AD in the response. 11162 */ 11163 if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) && 11164 ((rdataset->trust != dns_trust_secure) || 11165 (sigrdataset != NULL && sigrdataset->trust != dns_trust_secure))) 11166 { 11167 goto cleanup; 11168 } 11169 11170 /* 11171 * If the client doesn't want DNSSEC we can discard the sigrdataset 11172 * now. 11173 */ 11174 if (!WANTDNSSEC(client)) { 11175 ns_client_putrdataset(client, &sigrdataset); 11176 } 11177 11178 query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, 11179 DNS_SECTION_AUTHORITY); 11180 11181 cleanup: 11182 if (rdataset != NULL) { 11183 ns_client_putrdataset(client, &rdataset); 11184 } 11185 if (sigrdataset != NULL) { 11186 ns_client_putrdataset(client, &sigrdataset); 11187 } 11188 if (fname != NULL) { 11189 ns_client_releasename(client, &fname); 11190 } 11191 if (node != NULL) { 11192 dns_db_detachnode(db, &node); 11193 } 11194 if (db != NULL) { 11195 dns_db_detach(&db); 11196 } 11197 if (zone != NULL) { 11198 dns_zone_detach(&zone); 11199 } 11200 if (zdb != NULL) { 11201 ns_client_putrdataset(client, &zrdataset); 11202 if (zsigrdataset != NULL) { 11203 ns_client_putrdataset(client, &zsigrdataset); 11204 } 11205 if (zfname != NULL) { 11206 ns_client_releasename(client, &zfname); 11207 } 11208 dns_db_detach(&zdb); 11209 } 11210 } 11211 11212 static void 11213 query_addwildcardproof(query_ctx_t *qctx, bool ispositive, bool nodata) { 11214 ns_client_t *client = qctx->client; 11215 isc_buffer_t *dbuf, b; 11216 dns_name_t *name; 11217 dns_name_t *fname = NULL; 11218 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; 11219 dns_fixedname_t wfixed; 11220 dns_name_t *wname; 11221 dns_dbnode_t *node = NULL; 11222 unsigned int options; 11223 unsigned int olabels, nlabels, labels; 11224 isc_result_t result; 11225 dns_rdata_t rdata = DNS_RDATA_INIT; 11226 dns_rdata_nsec_t nsec; 11227 bool have_wname; 11228 int order; 11229 dns_fixedname_t cfixed; 11230 dns_name_t *cname; 11231 dns_clientinfomethods_t cm; 11232 dns_clientinfo_t ci; 11233 11234 CTRACE(ISC_LOG_DEBUG(3), "query_addwildcardproof"); 11235 11236 dns_clientinfomethods_init(&cm, ns_client_sourceip); 11237 dns_clientinfo_init(&ci, client, NULL); 11238 11239 /* 11240 * If a name has been specifically flagged as needing 11241 * a wildcard proof then it will have been copied to 11242 * qctx->wildcardname. Otherwise we just use the client 11243 * QNAME. 11244 */ 11245 if (qctx->need_wildcardproof) { 11246 name = dns_fixedname_name(&qctx->wildcardname); 11247 } else { 11248 name = client->query.qname; 11249 } 11250 11251 /* 11252 * Get the NOQNAME proof then if !ispositive 11253 * get the NOWILDCARD proof. 11254 * 11255 * DNS_DBFIND_NOWILD finds the NSEC records that covers the 11256 * name ignoring any wildcard. From the owner and next names 11257 * of this record you can compute which wildcard (if it exists) 11258 * will match by finding the longest common suffix of the 11259 * owner name and next names with the qname and prefixing that 11260 * with the wildcard label. 11261 * 11262 * e.g. 11263 * Given: 11264 * example SOA 11265 * example NSEC b.example 11266 * b.example A 11267 * b.example NSEC a.d.example 11268 * a.d.example A 11269 * a.d.example NSEC g.f.example 11270 * g.f.example A 11271 * g.f.example NSEC z.i.example 11272 * z.i.example A 11273 * z.i.example NSEC example 11274 * 11275 * QNAME: 11276 * a.example -> example NSEC b.example 11277 * owner common example 11278 * next common example 11279 * wild *.example 11280 * d.b.example -> b.example NSEC a.d.example 11281 * owner common b.example 11282 * next common example 11283 * wild *.b.example 11284 * a.f.example -> a.d.example NSEC g.f.example 11285 * owner common example 11286 * next common f.example 11287 * wild *.f.example 11288 * j.example -> z.i.example NSEC example 11289 * owner common example 11290 * next common example 11291 * wild *.example 11292 */ 11293 options = client->query.dboptions | DNS_DBFIND_NOWILD; 11294 wname = dns_fixedname_initname(&wfixed); 11295 again: 11296 have_wname = false; 11297 /* 11298 * We'll need some resources... 11299 */ 11300 dbuf = ns_client_getnamebuf(client); 11301 fname = ns_client_newname(client, dbuf, &b); 11302 rdataset = ns_client_newrdataset(client); 11303 sigrdataset = ns_client_newrdataset(client); 11304 11305 result = dns_db_findext(qctx->db, name, qctx->version, 11306 dns_rdatatype_nsec, options, 0, &node, fname, 11307 &cm, &ci, rdataset, sigrdataset); 11308 if (node != NULL) { 11309 dns_db_detachnode(qctx->db, &node); 11310 } 11311 11312 if (!dns_rdataset_isassociated(rdataset)) { 11313 /* 11314 * No NSEC proof available, return NSEC3 proofs instead. 11315 */ 11316 cname = dns_fixedname_initname(&cfixed); 11317 11318 /* 11319 * Find the closest encloser using a binary search. 11320 * maxlabels: suffix length of NXDOMAIN result 11321 * minlabels: suffix length of non NXDOMAIN result 11322 */ 11323 unsigned int maxlabels = dns_name_countlabels(name); 11324 unsigned int minlabels = dns_name_countlabels(fname); 11325 bool search = result == DNS_R_NXDOMAIN; 11326 dns_name_copy(name, cname); 11327 while (search) { 11328 labels = (maxlabels + minlabels) / 2; 11329 dns_name_split(name, labels, NULL, cname); 11330 if (labels == minlabels) { 11331 break; 11332 } 11333 result = dns_db_findext(qctx->db, cname, qctx->version, 11334 dns_rdatatype_nsec, options, 0, 11335 NULL, fname, &cm, &ci, NULL, 11336 NULL); 11337 if (result == DNS_R_NXDOMAIN) { 11338 maxlabels = labels; 11339 } else { 11340 minlabels = labels; 11341 } 11342 } 11343 11344 /* 11345 * Add closest (provable) encloser NSEC3. 11346 */ 11347 query_findclosestnsec3(cname, qctx->db, qctx->version, client, 11348 rdataset, sigrdataset, fname, true, 11349 cname); 11350 if (!dns_rdataset_isassociated(rdataset)) { 11351 goto cleanup; 11352 } 11353 if (!ispositive) { 11354 query_addrrset(qctx, &fname, &rdataset, &sigrdataset, 11355 dbuf, DNS_SECTION_AUTHORITY); 11356 } 11357 11358 /* 11359 * Replace resources which were consumed by query_addrrset. 11360 */ 11361 if (fname == NULL) { 11362 dbuf = ns_client_getnamebuf(client); 11363 fname = ns_client_newname(client, dbuf, &b); 11364 } 11365 11366 if (rdataset == NULL) { 11367 rdataset = ns_client_newrdataset(client); 11368 } else if (dns_rdataset_isassociated(rdataset)) { 11369 dns_rdataset_disassociate(rdataset); 11370 } 11371 11372 if (sigrdataset == NULL) { 11373 sigrdataset = ns_client_newrdataset(client); 11374 } else if (dns_rdataset_isassociated(sigrdataset)) { 11375 dns_rdataset_disassociate(sigrdataset); 11376 } 11377 11378 /* 11379 * Add no qname proof. 11380 */ 11381 labels = dns_name_countlabels(cname) + 1; 11382 if (dns_name_countlabels(name) == labels) { 11383 dns_name_copy(name, wname); 11384 } else { 11385 dns_name_split(name, labels, NULL, wname); 11386 } 11387 11388 query_findclosestnsec3(wname, qctx->db, qctx->version, client, 11389 rdataset, sigrdataset, fname, false, 11390 NULL); 11391 if (!dns_rdataset_isassociated(rdataset)) { 11392 goto cleanup; 11393 } 11394 query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, 11395 DNS_SECTION_AUTHORITY); 11396 11397 if (ispositive) { 11398 goto cleanup; 11399 } 11400 11401 /* 11402 * Replace resources which were consumed by query_addrrset. 11403 */ 11404 if (fname == NULL) { 11405 dbuf = ns_client_getnamebuf(client); 11406 fname = ns_client_newname(client, dbuf, &b); 11407 } 11408 11409 if (rdataset == NULL) { 11410 rdataset = ns_client_newrdataset(client); 11411 } else if (dns_rdataset_isassociated(rdataset)) { 11412 dns_rdataset_disassociate(rdataset); 11413 } 11414 11415 if (sigrdataset == NULL) { 11416 sigrdataset = ns_client_newrdataset(client); 11417 } else if (dns_rdataset_isassociated(sigrdataset)) { 11418 dns_rdataset_disassociate(sigrdataset); 11419 } 11420 11421 /* 11422 * Add the no wildcard proof. 11423 */ 11424 result = dns_name_concatenate(dns_wildcardname, cname, wname, 11425 NULL); 11426 if (result != ISC_R_SUCCESS) { 11427 goto cleanup; 11428 } 11429 11430 query_findclosestnsec3(wname, qctx->db, qctx->version, client, 11431 rdataset, sigrdataset, fname, nodata, 11432 NULL); 11433 if (!dns_rdataset_isassociated(rdataset)) { 11434 goto cleanup; 11435 } 11436 query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, 11437 DNS_SECTION_AUTHORITY); 11438 11439 goto cleanup; 11440 } else if (result == DNS_R_NXDOMAIN) { 11441 if (!ispositive) { 11442 result = dns_rdataset_first(rdataset); 11443 } 11444 if (result == ISC_R_SUCCESS) { 11445 dns_rdataset_current(rdataset, &rdata); 11446 result = dns_rdata_tostruct(&rdata, &nsec, NULL); 11447 RUNTIME_CHECK(result == ISC_R_SUCCESS); 11448 (void)dns_name_fullcompare(name, fname, &order, 11449 &olabels); 11450 (void)dns_name_fullcompare(name, &nsec.next, &order, 11451 &nlabels); 11452 /* 11453 * Check for a pathological condition created when 11454 * serving some malformed signed zones and bail out. 11455 */ 11456 if (dns_name_countlabels(name) == nlabels) { 11457 goto cleanup; 11458 } 11459 11460 if (olabels > nlabels) { 11461 dns_name_split(name, olabels, NULL, wname); 11462 } else { 11463 dns_name_split(name, nlabels, NULL, wname); 11464 } 11465 result = dns_name_concatenate(dns_wildcardname, wname, 11466 wname, NULL); 11467 if (result == ISC_R_SUCCESS) { 11468 have_wname = true; 11469 } 11470 dns_rdata_freestruct(&nsec); 11471 } 11472 query_addrrset(qctx, &fname, &rdataset, &sigrdataset, dbuf, 11473 DNS_SECTION_AUTHORITY); 11474 } 11475 if (rdataset != NULL) { 11476 ns_client_putrdataset(client, &rdataset); 11477 } 11478 if (sigrdataset != NULL) { 11479 ns_client_putrdataset(client, &sigrdataset); 11480 } 11481 if (fname != NULL) { 11482 ns_client_releasename(client, &fname); 11483 } 11484 if (have_wname) { 11485 ispositive = true; /* prevent loop */ 11486 if (!dns_name_equal(name, wname)) { 11487 name = wname; 11488 goto again; 11489 } 11490 } 11491 cleanup: 11492 if (rdataset != NULL) { 11493 ns_client_putrdataset(client, &rdataset); 11494 } 11495 if (sigrdataset != NULL) { 11496 ns_client_putrdataset(client, &sigrdataset); 11497 } 11498 if (fname != NULL) { 11499 ns_client_releasename(client, &fname); 11500 } 11501 } 11502 11503 /*% 11504 * Add NS records, and NSEC/NSEC3 wildcard proof records if needed, 11505 * to the authority section. 11506 */ 11507 static void 11508 query_addauth(query_ctx_t *qctx) { 11509 CCTRACE(ISC_LOG_DEBUG(3), "query_addauth"); 11510 /* 11511 * Add NS records to the authority section (if we haven't already 11512 * added them to the answer section). 11513 */ 11514 if (!qctx->want_restart && !NOAUTHORITY(qctx->client)) { 11515 if (qctx->is_zone) { 11516 if (!qctx->answer_has_ns) { 11517 (void)query_addns(qctx); 11518 } 11519 } else if (!qctx->answer_has_ns && 11520 qctx->qtype != dns_rdatatype_ns) 11521 { 11522 if (qctx->fname != NULL) { 11523 ns_client_releasename(qctx->client, 11524 &qctx->fname); 11525 } 11526 query_addbestns(qctx); 11527 } 11528 } 11529 11530 /* 11531 * Add NSEC records to the authority section if they're needed for 11532 * DNSSEC wildcard proofs. 11533 */ 11534 if (qctx->need_wildcardproof && dns_db_issecure(qctx->db)) { 11535 query_addwildcardproof(qctx, true, false); 11536 } 11537 } 11538 11539 /* 11540 * Find the sort order of 'rdata' in the topology-like 11541 * ACL forming the second element in a 2-element top-level 11542 * sortlist statement. 11543 */ 11544 static int 11545 query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) { 11546 isc_netaddr_t netaddr; 11547 11548 if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS) { 11549 return INT_MAX; 11550 } 11551 return ns_sortlist_addrorder2(&netaddr, arg); 11552 } 11553 11554 /* 11555 * Find the sort order of 'rdata' in the matching element 11556 * of a 1-element top-level sortlist statement. 11557 */ 11558 static int 11559 query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) { 11560 isc_netaddr_t netaddr; 11561 11562 if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS) { 11563 return INT_MAX; 11564 } 11565 return ns_sortlist_addrorder1(&netaddr, arg); 11566 } 11567 11568 /* 11569 * Find the sortlist statement that applies to 'client' and set up 11570 * the sortlist info in in client->message appropriately. 11571 */ 11572 static void 11573 query_setup_sortlist(query_ctx_t *qctx) { 11574 isc_netaddr_t netaddr; 11575 ns_client_t *client = qctx->client; 11576 dns_aclenv_t *env = client->manager->aclenv; 11577 dns_acl_t *acl = NULL; 11578 dns_aclelement_t *elt = NULL; 11579 void *order_arg = NULL; 11580 11581 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); 11582 switch (ns_sortlist_setup(client->view->sortlist, env, &netaddr, 11583 &order_arg)) 11584 { 11585 case NS_SORTLISTTYPE_1ELEMENT: 11586 elt = order_arg; 11587 dns_message_setsortorder(client->message, 11588 query_sortlist_order_1element, env, 11589 NULL, elt); 11590 break; 11591 case NS_SORTLISTTYPE_2ELEMENT: 11592 acl = order_arg; 11593 dns_message_setsortorder(client->message, 11594 query_sortlist_order_2element, env, 11595 acl, NULL); 11596 dns_acl_detach(&acl); 11597 break; 11598 case NS_SORTLISTTYPE_NONE: 11599 break; 11600 default: 11601 UNREACHABLE(); 11602 } 11603 } 11604 11605 /* 11606 * When sending a referral, if the answer to the question is 11607 * in the glue, sort it to the start of the additional section. 11608 */ 11609 static void 11610 query_glueanswer(query_ctx_t *qctx) { 11611 const dns_namelist_t *secs = qctx->client->message->sections; 11612 const dns_section_t section = DNS_SECTION_ADDITIONAL; 11613 dns_name_t *name; 11614 dns_message_t *msg; 11615 dns_rdataset_t *rdataset = NULL; 11616 11617 if (!ISC_LIST_EMPTY(secs[DNS_SECTION_ANSWER]) || 11618 qctx->client->message->rcode != dns_rcode_noerror || 11619 (qctx->qtype != dns_rdatatype_a && 11620 qctx->qtype != dns_rdatatype_aaaa)) 11621 { 11622 return; 11623 } 11624 11625 msg = qctx->client->message; 11626 for (name = ISC_LIST_HEAD(msg->sections[section]); name != NULL; 11627 name = ISC_LIST_NEXT(name, link)) 11628 { 11629 if (dns_name_equal(name, qctx->client->query.qname)) { 11630 for (rdataset = ISC_LIST_HEAD(name->list); 11631 rdataset != NULL; 11632 rdataset = ISC_LIST_NEXT(rdataset, link)) 11633 { 11634 if (rdataset->type == qctx->qtype) { 11635 break; 11636 } 11637 } 11638 break; 11639 } 11640 } 11641 if (rdataset != NULL) { 11642 ISC_LIST_UNLINK(msg->sections[section], name, link); 11643 ISC_LIST_PREPEND(msg->sections[section], name, link); 11644 ISC_LIST_UNLINK(name->list, rdataset, link); 11645 ISC_LIST_PREPEND(name->list, rdataset, link); 11646 rdataset->attributes |= DNS_RDATASETATTR_REQUIRED; 11647 } 11648 } 11649 11650 isc_result_t 11651 ns_query_done(query_ctx_t *qctx) { 11652 isc_result_t result = ISC_R_UNSET; 11653 const dns_namelist_t *secs = qctx->client->message->sections; 11654 bool partial_result_with_servfail = false; 11655 11656 CCTRACE(ISC_LOG_DEBUG(3), "ns_query_done"); 11657 11658 CALL_HOOK(NS_QUERY_DONE_BEGIN, qctx); 11659 11660 /* 11661 * General cleanup. 11662 */ 11663 qctx->rpz_st = qctx->client->query.rpz_st; 11664 if (qctx->rpz_st != NULL && 11665 (qctx->rpz_st->state & DNS_RPZ_RECURSING) == 0) 11666 { 11667 rpz_match_clear(qctx->rpz_st); 11668 qctx->rpz_st->state &= ~DNS_RPZ_DONE_QNAME; 11669 } 11670 11671 qctx_clean(qctx); 11672 qctx_freedata(qctx); 11673 11674 if (qctx->client->query.gluedb != NULL) { 11675 dns_db_detach(&qctx->client->query.gluedb); 11676 } 11677 11678 /* 11679 * Clear the AA bit if we're not authoritative. 11680 */ 11681 if (qctx->client->query.restarts == 0 && !qctx->authoritative) { 11682 qctx->client->message->flags &= ~DNS_MESSAGEFLAG_AA; 11683 } 11684 11685 /* 11686 * Do we need to restart the query (e.g. for CNAME chaining)? 11687 */ 11688 if (qctx->want_restart) { 11689 if (qctx->client->query.restarts < 11690 qctx->client->view->max_restarts) 11691 { 11692 query_ctx_t *saved_qctx = NULL; 11693 qctx->client->query.restarts++; 11694 saved_qctx = isc_mem_get(qctx->client->manager->mctx, 11695 sizeof(*saved_qctx)); 11696 qctx_save(qctx, saved_qctx); 11697 isc_nmhandle_attach(qctx->client->handle, 11698 &qctx->client->restarthandle); 11699 isc_async_run(qctx->client->manager->loop, 11700 async_restart, saved_qctx); 11701 return DNS_R_CONTINUE; 11702 } else { 11703 /* 11704 * This is e.g. a long CNAME chain which we cut short. 11705 */ 11706 qctx->client->query.attributes |= 11707 NS_QUERYATTR_PARTIALANSWER; 11708 qctx->client->message->rcode = dns_rcode_servfail; 11709 qctx->result = DNS_R_SERVFAIL; 11710 11711 /* 11712 * Send the answer back with a SERVFAIL result even 11713 * if recursion was requested. 11714 */ 11715 partial_result_with_servfail = true; 11716 11717 ns_client_extendederror(qctx->client, 0, 11718 "max. restarts reached"); 11719 ns_client_log(qctx->client, NS_LOGCATEGORY_CLIENT, 11720 NS_LOGMODULE_QUERY, ISC_LOG_INFO, 11721 "query iterations limit reached"); 11722 } 11723 } 11724 11725 if (qctx->result != ISC_R_SUCCESS && 11726 (!PARTIALANSWER(qctx->client) || 11727 (WANTRECURSION(qctx->client) && !partial_result_with_servfail) || 11728 qctx->result == DNS_R_DROP)) 11729 { 11730 if (qctx->result == DNS_R_DUPLICATE || 11731 qctx->result == DNS_R_DROP) 11732 { 11733 /* 11734 * This was a duplicate query that we are 11735 * recursing on or the result of rate limiting. 11736 * Don't send a response now for a duplicate query, 11737 * because the original will still cause a response. 11738 */ 11739 query_next(qctx->client, qctx->result); 11740 } else { 11741 /* 11742 * If we don't have any answer to give the client, 11743 * or if the client requested recursion and thus wanted 11744 * the complete answer, send an error response. 11745 */ 11746 INSIST(qctx->line >= 0); 11747 query_error(qctx->client, qctx->result, qctx->line); 11748 } 11749 11750 qctx->detach_client = true; 11751 return qctx->result; 11752 } 11753 11754 /* 11755 * If we're recursing then just return; the query will 11756 * resume when recursion ends. 11757 */ 11758 if (RECURSING(qctx->client) && 11759 (!QUERY_STALETIMEOUT(&qctx->client->query) || 11760 qctx->options.stalefirst)) 11761 { 11762 return qctx->result; 11763 } 11764 11765 /* 11766 * We are done. Set up sortlist data for the message 11767 * rendering code, sort the answer to the front of the 11768 * additional section if necessary, make a final tweak 11769 * to the AA bit if the auth-nxdomain config option 11770 * says so, then render and send the response. 11771 */ 11772 query_setup_sortlist(qctx); 11773 query_glueanswer(qctx); 11774 11775 if (qctx->client->message->rcode == dns_rcode_nxdomain && 11776 qctx->view->auth_nxdomain) 11777 { 11778 qctx->client->message->flags |= DNS_MESSAGEFLAG_AA; 11779 } 11780 11781 /* 11782 * If the response is somehow unexpected for the client and this 11783 * is a result of recursion, return an error to the caller 11784 * to indicate it may need to be logged. 11785 */ 11786 if (qctx->resuming && 11787 (ISC_LIST_EMPTY(secs[DNS_SECTION_ANSWER]) || 11788 qctx->client->message->rcode != dns_rcode_noerror)) 11789 { 11790 qctx->result = ISC_R_FAILURE; 11791 } 11792 11793 CALL_HOOK(NS_QUERY_DONE_SEND, qctx); 11794 11795 query_send(qctx->client); 11796 11797 if (qctx->refresh_rrset) { 11798 /* 11799 * If we reached this point then it means that we have found a 11800 * stale RRset entry in cache and BIND is configured to allow 11801 * queries to be answered with stale data if no active RRset 11802 * is available, i.e. "stale-anwer-client-timeout 0". But, we 11803 * still need to refresh the RRset. To prevent adding duplicate 11804 * RRsets, clear the RRsets from the message before doing the 11805 * refresh. 11806 */ 11807 message_clearrdataset(qctx->client->message, 0); 11808 query_stale_refresh(qctx->client); 11809 } 11810 11811 qctx->detach_client = true; 11812 11813 return qctx->result; 11814 11815 cleanup: 11816 return result; 11817 } 11818 11819 static void 11820 log_tat(ns_client_t *client) { 11821 char namebuf[DNS_NAME_FORMATSIZE]; 11822 char clientbuf[ISC_NETADDR_FORMATSIZE]; 11823 char classbuf[DNS_RDATACLASS_FORMATSIZE]; 11824 isc_netaddr_t netaddr; 11825 char *tags = NULL; 11826 size_t taglen = 0; 11827 11828 if (!isc_log_wouldlog(ns_lctx, ISC_LOG_INFO)) { 11829 return; 11830 } 11831 11832 if ((client->query.qtype != dns_rdatatype_null || 11833 !dns_name_istat(client->query.qname)) && 11834 (client->keytag == NULL || 11835 client->query.qtype != dns_rdatatype_dnskey)) 11836 { 11837 return; 11838 } 11839 11840 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr); 11841 dns_name_format(client->query.qname, namebuf, sizeof(namebuf)); 11842 isc_netaddr_format(&netaddr, clientbuf, sizeof(clientbuf)); 11843 dns_rdataclass_format(client->view->rdclass, classbuf, 11844 sizeof(classbuf)); 11845 11846 if (client->query.qtype == dns_rdatatype_dnskey) { 11847 uint16_t keytags = client->keytag_len / 2; 11848 size_t len = taglen = sizeof("65000") * keytags + 1; 11849 char *cp = tags = isc_mem_get(client->manager->mctx, taglen); 11850 int i = 0; 11851 11852 INSIST(client->keytag != NULL); 11853 if (tags != NULL) { 11854 while (keytags-- > 0U) { 11855 int n; 11856 uint16_t keytag; 11857 keytag = (client->keytag[i * 2] << 8) | 11858 client->keytag[i * 2 + 1]; 11859 n = snprintf(cp, len, " %u", keytag); 11860 if (n > 0 && (size_t)n <= len) { 11861 cp += n; 11862 len -= n; 11863 i++; 11864 } else { 11865 break; 11866 } 11867 } 11868 } 11869 } 11870 11871 isc_log_write(ns_lctx, NS_LOGCATEGORY_TAT, NS_LOGMODULE_QUERY, 11872 ISC_LOG_INFO, "trust-anchor-telemetry '%s/%s' from %s%s", 11873 namebuf, classbuf, clientbuf, tags != NULL ? tags : ""); 11874 if (tags != NULL) { 11875 isc_mem_put(client->manager->mctx, tags, taglen); 11876 } 11877 } 11878 11879 static void 11880 log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) { 11881 char namebuf[DNS_NAME_FORMATSIZE]; 11882 char typebuf[DNS_RDATATYPE_FORMATSIZE]; 11883 char classbuf[DNS_RDATACLASS_FORMATSIZE]; 11884 char onbuf[ISC_NETADDR_FORMATSIZE]; 11885 char ecsbuf[NS_CLIENT_ECS_FORMATSIZE] = { 0 }; 11886 char flagsbuf[NS_CLIENT_FLAGS_FORMATSIZE] = { 0 }; 11887 dns_rdataset_t *rdataset; 11888 int level = ISC_LOG_INFO; 11889 11890 if (!isc_log_wouldlog(ns_lctx, level)) { 11891 return; 11892 } 11893 11894 rdataset = ISC_LIST_HEAD(client->query.qname->list); 11895 INSIST(rdataset != NULL); 11896 dns_name_format(client->query.qname, namebuf, sizeof(namebuf)); 11897 dns_rdataclass_format(rdataset->rdclass, classbuf, sizeof(classbuf)); 11898 dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf)); 11899 isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf)); 11900 11901 if (HAVEECS(client)) { 11902 ns_client_log_ecs(client, ecsbuf, sizeof(ecsbuf)); 11903 } 11904 ns_client_log_flags(client, flags, extflags, flagsbuf, 11905 sizeof(flagsbuf)); 11906 11907 ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY, level, 11908 "query: %s %s %s %s (%s)%s", namebuf, classbuf, typebuf, 11909 flagsbuf, onbuf, ecsbuf); 11910 } 11911 11912 static void 11913 log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) { 11914 char namebuf[DNS_NAME_FORMATSIZE]; 11915 char typebuf[DNS_RDATATYPE_FORMATSIZE]; 11916 char classbuf[DNS_RDATACLASS_FORMATSIZE]; 11917 const char *namep, *typep, *classp, *sep1, *sep2; 11918 dns_rdataset_t *rdataset; 11919 11920 if (!isc_log_wouldlog(ns_lctx, level)) { 11921 return; 11922 } 11923 11924 namep = typep = classp = sep1 = sep2 = ""; 11925 11926 /* 11927 * Query errors can happen for various reasons. In some cases we cannot 11928 * even assume the query contains a valid question section, so we should 11929 * expect exceptional cases. 11930 */ 11931 if (client->query.origqname != NULL) { 11932 dns_name_format(client->query.origqname, namebuf, 11933 sizeof(namebuf)); 11934 namep = namebuf; 11935 sep1 = " for "; 11936 11937 rdataset = ISC_LIST_HEAD(client->query.origqname->list); 11938 if (rdataset != NULL) { 11939 dns_rdataclass_format(rdataset->rdclass, classbuf, 11940 sizeof(classbuf)); 11941 classp = classbuf; 11942 dns_rdatatype_format(rdataset->type, typebuf, 11943 sizeof(typebuf)); 11944 typep = typebuf; 11945 sep2 = "/"; 11946 } 11947 } 11948 11949 ns_client_log(client, NS_LOGCATEGORY_QUERY_ERRORS, NS_LOGMODULE_QUERY, 11950 level, "query failed (%s)%s%s%s%s%s%s at %s:%d", 11951 isc_result_totext(result), sep1, namep, sep2, classp, 11952 sep2, typep, __FILE__, line); 11953 } 11954 11955 void 11956 ns_query_start(ns_client_t *client, isc_nmhandle_t *handle) { 11957 isc_result_t result; 11958 dns_message_t *message; 11959 dns_rdataset_t *rdataset; 11960 dns_rdatatype_t qtype; 11961 unsigned int saved_extflags; 11962 unsigned int saved_flags; 11963 11964 REQUIRE(NS_CLIENT_VALID(client)); 11965 11966 /* 11967 * Attach to the request handle 11968 */ 11969 isc_nmhandle_attach(handle, &client->reqhandle); 11970 11971 message = client->message; 11972 saved_extflags = client->extflags; 11973 saved_flags = client->message->flags; 11974 11975 CTRACE(ISC_LOG_DEBUG(3), "ns_query_start"); 11976 11977 /* 11978 * Ensure that appropriate cleanups occur. 11979 */ 11980 client->cleanup = query_cleanup; 11981 11982 if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) { 11983 client->query.attributes |= NS_QUERYATTR_WANTRECURSION; 11984 } 11985 11986 if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0) { 11987 client->attributes |= NS_CLIENTATTR_WANTDNSSEC; 11988 } 11989 11990 switch (client->view->minimalresponses) { 11991 case dns_minimal_no: 11992 break; 11993 case dns_minimal_yes: 11994 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | 11995 NS_QUERYATTR_NOADDITIONAL); 11996 break; 11997 case dns_minimal_noauth: 11998 client->query.attributes |= NS_QUERYATTR_NOAUTHORITY; 11999 break; 12000 case dns_minimal_noauthrec: 12001 if ((message->flags & DNS_MESSAGEFLAG_RD) != 0) { 12002 client->query.attributes |= NS_QUERYATTR_NOAUTHORITY; 12003 } 12004 break; 12005 } 12006 12007 if (client->view->cachedb == NULL || !client->view->recursion) { 12008 /* 12009 * We don't have a cache. Turn off cache support and 12010 * recursion. 12011 */ 12012 client->query.attributes &= ~(NS_QUERYATTR_RECURSIONOK | 12013 NS_QUERYATTR_CACHEOK); 12014 client->attributes |= NS_CLIENTATTR_NOSETFC; 12015 } else if ((client->attributes & NS_CLIENTATTR_RA) == 0 || 12016 (message->flags & DNS_MESSAGEFLAG_RD) == 0) 12017 { 12018 /* 12019 * If the client isn't allowed to recurse (due to 12020 * "recursion no", the allow-recursion ACL, or the 12021 * lack of a resolver in this view), or if it 12022 * doesn't want recursion, turn recursion off. 12023 */ 12024 client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK; 12025 client->attributes |= NS_CLIENTATTR_NOSETFC; 12026 } 12027 12028 /* 12029 * Check for multiple question queries, since edns1 is dead. 12030 */ 12031 if (message->counts[DNS_SECTION_QUESTION] > 1) { 12032 query_error(client, DNS_R_FORMERR, __LINE__); 12033 return; 12034 } 12035 12036 /* 12037 * Get the question name. 12038 */ 12039 result = dns_message_firstname(message, DNS_SECTION_QUESTION); 12040 if (result != ISC_R_SUCCESS) { 12041 query_error(client, result, __LINE__); 12042 return; 12043 } 12044 dns_message_currentname(message, DNS_SECTION_QUESTION, 12045 &client->query.qname); 12046 client->query.origqname = client->query.qname; 12047 result = dns_message_nextname(message, DNS_SECTION_QUESTION); 12048 if (result != ISC_R_NOMORE) { 12049 if (result == ISC_R_SUCCESS) { 12050 /* 12051 * There's more than one QNAME in the question 12052 * section. 12053 */ 12054 query_error(client, DNS_R_FORMERR, __LINE__); 12055 } else { 12056 query_error(client, result, __LINE__); 12057 } 12058 return; 12059 } 12060 12061 if ((client->manager->sctx->options & NS_SERVER_LOGQUERIES) != 0) { 12062 log_query(client, saved_flags, saved_extflags); 12063 } 12064 12065 /* 12066 * Check for meta-queries like IXFR and AXFR. 12067 */ 12068 rdataset = ISC_LIST_HEAD(client->query.qname->list); 12069 INSIST(rdataset != NULL); 12070 client->query.qtype = qtype = rdataset->type; 12071 dns_rdatatypestats_increment(client->manager->sctx->rcvquerystats, 12072 qtype); 12073 12074 log_tat(client); 12075 12076 if (dns_rdatatype_ismeta(qtype)) { 12077 switch (qtype) { 12078 case dns_rdatatype_any: 12079 break; /* Let the query logic handle it. */ 12080 case dns_rdatatype_ixfr: 12081 case dns_rdatatype_axfr: 12082 if (isc_nm_is_http_handle(handle)) { 12083 /* 12084 * We cannot use DoH for zone transfers. 12085 * According to RFC 8484 a DoH request contains 12086 * exactly one DNS message (see Section 6: 12087 * Definition of the "application/dns-message" 12088 * Media Type). 12089 * 12090 * This makes DoH unsuitable for zone transfers 12091 * as often (and usually!) these need more than 12092 * one DNS message, especially for larger zones. 12093 * As zone transfers over DoH are not (yet) 12094 * standardised, nor discussed in RFC 8484, 12095 * the best thing we can do is to return "not 12096 * implemented". 12097 */ 12098 query_error(client, DNS_R_NOTIMP, __LINE__); 12099 return; 12100 } 12101 if (isc_nm_socket_type(handle) == 12102 isc_nm_streamdnssocket) 12103 { 12104 /* 12105 * Currently this code is here for DoT, which 12106 * has more complex requirements for zone 12107 * transfers compared to other stream 12108 * protocols. See RFC 9103 for details. 12109 */ 12110 switch (isc_nm_xfr_checkperm(handle)) { 12111 case ISC_R_SUCCESS: 12112 break; 12113 case ISC_R_DOTALPNERROR: 12114 query_error(client, DNS_R_NOALPN, 12115 __LINE__); 12116 return; 12117 default: 12118 query_error(client, DNS_R_REFUSED, 12119 __LINE__); 12120 return; 12121 } 12122 } 12123 ns_xfr_start(client, rdataset->type); 12124 return; 12125 case dns_rdatatype_maila: 12126 case dns_rdatatype_mailb: 12127 query_error(client, DNS_R_NOTIMP, __LINE__); 12128 return; 12129 case dns_rdatatype_tkey: 12130 result = dns_tkey_processquery( 12131 client->message, client->manager->sctx->tkeyctx, 12132 client->view->dynamickeys); 12133 if (result == ISC_R_SUCCESS) { 12134 query_send(client); 12135 } else { 12136 query_error(client, result, __LINE__); 12137 } 12138 return; 12139 default: /* TSIG, etc. */ 12140 query_error(client, DNS_R_FORMERR, __LINE__); 12141 return; 12142 } 12143 } 12144 12145 /* 12146 * Turn on minimal response for (C)DNSKEY and (C)DS queries. 12147 */ 12148 if (dns_rdatatype_iskeymaterial(qtype) || qtype == dns_rdatatype_ds) { 12149 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | 12150 NS_QUERYATTR_NOADDITIONAL); 12151 } else if (qtype == dns_rdatatype_ns) { 12152 /* 12153 * Always turn on additional records for NS queries. 12154 */ 12155 client->query.attributes &= ~(NS_QUERYATTR_NOAUTHORITY | 12156 NS_QUERYATTR_NOADDITIONAL); 12157 } 12158 12159 /* 12160 * Maybe turn on minimal responses for ANY queries. 12161 */ 12162 if (qtype == dns_rdatatype_any && client->view->minimal_any && 12163 !TCP(client)) 12164 { 12165 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | 12166 NS_QUERYATTR_NOADDITIONAL); 12167 } 12168 12169 /* 12170 * Turn on minimal responses for EDNS/UDP bufsize 512 queries. 12171 */ 12172 if (client->ednsversion >= 0 && client->udpsize <= 512U && !TCP(client)) 12173 { 12174 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY | 12175 NS_QUERYATTR_NOADDITIONAL); 12176 } 12177 12178 /* 12179 * If the client has requested that DNSSEC checking be disabled, 12180 * allow lookups to return pending data and instruct the resolver 12181 * to return data before validation has completed. 12182 * 12183 * We don't need to set DNS_DBFIND_PENDINGOK when validation is 12184 * disabled as there will be no pending data. 12185 */ 12186 if ((message->flags & DNS_MESSAGEFLAG_CD) != 0 || 12187 qtype == dns_rdatatype_rrsig) 12188 { 12189 client->query.dboptions |= DNS_DBFIND_PENDINGOK; 12190 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE; 12191 } else if (!client->view->enablevalidation) { 12192 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE; 12193 } 12194 12195 if (client->view->qminimization) { 12196 client->query.fetchoptions |= DNS_FETCHOPT_QMINIMIZE | 12197 DNS_FETCHOPT_QMIN_SKIP_IP6A; 12198 if (client->view->qmin_strict) { 12199 client->query.fetchoptions |= DNS_FETCHOPT_QMIN_STRICT; 12200 } 12201 } 12202 12203 /* 12204 * Allow glue NS records to be added to the authority section 12205 * if the answer is secure. 12206 */ 12207 if ((message->flags & DNS_MESSAGEFLAG_CD) != 0) { 12208 client->query.attributes &= ~NS_QUERYATTR_SECURE; 12209 } 12210 12211 /* 12212 * Set NS_CLIENTATTR_WANTAD if the client has set AD in the query. 12213 * This allows AD to be returned on queries without DO set. 12214 */ 12215 if ((message->flags & DNS_MESSAGEFLAG_AD) != 0) { 12216 client->attributes |= NS_CLIENTATTR_WANTAD; 12217 } 12218 12219 /* 12220 * This is an ordinary query. 12221 */ 12222 result = dns_message_reply(message, true); 12223 if (result != ISC_R_SUCCESS) { 12224 query_next(client, result); 12225 return; 12226 } 12227 12228 /* 12229 * Assume authoritative response until it is known to be 12230 * otherwise. 12231 * 12232 * If "-T noaa" has been set on the command line don't set 12233 * AA on authoritative answers. 12234 */ 12235 if ((client->manager->sctx->options & NS_SERVER_NOAA) == 0) { 12236 message->flags |= DNS_MESSAGEFLAG_AA; 12237 } 12238 12239 /* 12240 * Set AD. We must clear it if we add non-validated data to a 12241 * response. 12242 */ 12243 if (WANTDNSSEC(client) || WANTAD(client)) { 12244 message->flags |= DNS_MESSAGEFLAG_AD; 12245 } 12246 12247 query_setup(client, qtype); 12248 } 12249
Indexes created Wed Mar 04 05:31:52 UTC 2026