2 * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: resolver.c,v 1.218.2.18.4.77 2008/01/17 23:45:27 tbox Exp $ */
22 #include <isc/print.h>
23 #include <isc/string.h>
25 #include <isc/timer.h>
30 #include <dns/cache.h>
32 #include <dns/dispatch.h>
34 #include <dns/events.h>
35 #include <dns/forward.h>
36 #include <dns/keytable.h>
38 #include <dns/message.h>
39 #include <dns/ncache.h>
40 #include <dns/opcode.h>
43 #include <dns/rcode.h>
44 #include <dns/rdata.h>
45 #include <dns/rdataclass.h>
46 #include <dns/rdatalist.h>
47 #include <dns/rdataset.h>
48 #include <dns/rdatastruct.h>
49 #include <dns/rdatatype.h>
50 #include <dns/resolver.h>
51 #include <dns/result.h>
52 #include <dns/rootns.h>
54 #include <dns/validator.h>
56 #define DNS_RESOLVER_TRACE
57 #ifdef DNS_RESOLVER_TRACE
58 #define RTRACE(m) isc_log_write(dns_lctx, \
59 DNS_LOGCATEGORY_RESOLVER, \
60 DNS_LOGMODULE_RESOLVER, \
62 "res %p: %s", res, (m))
63 #define RRTRACE(r, m) isc_log_write(dns_lctx, \
64 DNS_LOGCATEGORY_RESOLVER, \
65 DNS_LOGMODULE_RESOLVER, \
67 "res %p: %s", (r), (m))
68 #define FCTXTRACE(m) isc_log_write(dns_lctx, \
69 DNS_LOGCATEGORY_RESOLVER, \
70 DNS_LOGMODULE_RESOLVER, \
72 "fctx %p(%s'): %s", fctx, fctx->info, (m))
73 #define FCTXTRACE2(m1, m2) \
74 isc_log_write(dns_lctx, \
75 DNS_LOGCATEGORY_RESOLVER, \
76 DNS_LOGMODULE_RESOLVER, \
78 "fctx %p(%s): %s %s", \
79 fctx, fctx->info, (m1), (m2))
80 #define FTRACE(m) isc_log_write(dns_lctx, \
81 DNS_LOGCATEGORY_RESOLVER, \
82 DNS_LOGMODULE_RESOLVER, \
84 "fetch %p (fctx %p(%s)): %s", \
85 fetch, fetch->private, \
86 fetch->private->info, (m))
87 #define QTRACE(m) isc_log_write(dns_lctx, \
88 DNS_LOGCATEGORY_RESOLVER, \
89 DNS_LOGMODULE_RESOLVER, \
91 "resquery %p (fctx %p(%s)): %s", \
93 query->fctx->info, (m))
103 * Maximum EDNS0 input packet size.
105 #define RECV_BUFFER_SIZE 4096 /* XXXRTH Constant. */
108 * This defines the maximum number of timeouts we will permit before we
109 * disable EDNS0 on the query.
111 #define MAX_EDNS0_TIMEOUTS 3
113 typedef struct fetchctx fetchctx_t;
115 typedef struct query {
116 /* Locked by task event serialization. */
120 dns_dispatchmgr_t * dispatchmgr;
121 dns_dispatch_t * dispatch;
122 dns_adbaddrinfo_t * addrinfo;
123 isc_socket_t * tcpsocket;
126 dns_dispentry_t * dispentry;
127 ISC_LINK(struct query) link;
130 dns_tsigkey_t *tsigkey;
131 unsigned int options;
132 unsigned int attributes;
134 unsigned int connects;
135 unsigned char data[512];
138 #define QUERY_MAGIC ISC_MAGIC('Q', '!', '!', '!')
139 #define VALID_QUERY(query) ISC_MAGIC_VALID(query, QUERY_MAGIC)
141 #define RESQUERY_ATTR_CANCELED 0x02
143 #define RESQUERY_CONNECTING(q) ((q)->connects > 0)
144 #define RESQUERY_CANCELED(q) (((q)->attributes & \
145 RESQUERY_ATTR_CANCELED) != 0)
146 #define RESQUERY_SENDING(q) ((q)->sends > 0)
149 fetchstate_init = 0, /* Start event has not run yet. */
151 fetchstate_done /* FETCHDONE events posted. */
157 dns_resolver_t * res;
159 dns_rdatatype_t type;
160 unsigned int options;
161 unsigned int bucketnum;
163 /* Locked by appropriate bucket lock. */
165 isc_boolean_t want_shutdown;
166 isc_boolean_t cloned;
167 unsigned int references;
168 isc_event_t control_event;
169 ISC_LINK(struct fetchctx) link;
170 ISC_LIST(dns_fetchevent_t) events;
171 /* Locked by task event serialization. */
173 dns_rdataset_t nameservers;
174 unsigned int attributes;
177 isc_interval_t interval;
178 dns_message_t * qmessage;
179 dns_message_t * rmessage;
180 ISC_LIST(resquery_t) queries;
181 dns_adbfindlist_t finds;
182 dns_adbfind_t * find;
183 dns_adbfindlist_t altfinds;
184 dns_adbfind_t * altfind;
185 dns_adbaddrinfolist_t forwaddrs;
186 dns_adbaddrinfolist_t altaddrs;
187 isc_sockaddrlist_t forwarders;
188 dns_fwdpolicy_t fwdpolicy;
189 isc_sockaddrlist_t bad;
190 dns_validator_t *validator;
191 ISC_LIST(dns_validator_t) validators;
196 * The number of events we're waiting for.
198 unsigned int pending;
201 * The number of times we've "restarted" the current
202 * nameserver set. This acts as a failsafe to prevent
203 * us from pounding constantly on a particular set of
204 * servers that, for whatever reason, are not giving
205 * us useful responses, but are responding in such a
206 * way that they are not marked "bad".
208 unsigned int restarts;
211 * The number of timeouts that have occurred since we
212 * last successfully received a response packet. This
213 * is used for EDNS0 black hole detection.
215 unsigned int timeouts;
217 * Look aside state for DS lookups.
220 dns_fetch_t * nsfetch;
221 dns_rdataset_t nsrrset;
224 * Number of queries that reference this context.
226 unsigned int nqueries;
229 #define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
230 #define VALID_FCTX(fctx) ISC_MAGIC_VALID(fctx, FCTX_MAGIC)
232 #define FCTX_ATTR_HAVEANSWER 0x0001
233 #define FCTX_ATTR_GLUING 0x0002
234 #define FCTX_ATTR_ADDRWAIT 0x0004
235 #define FCTX_ATTR_SHUTTINGDOWN 0x0008
236 #define FCTX_ATTR_WANTCACHE 0x0010
237 #define FCTX_ATTR_WANTNCACHE 0x0020
238 #define FCTX_ATTR_NEEDEDNS0 0x0040
239 #define FCTX_ATTR_TRIEDFIND 0x0080
240 #define FCTX_ATTR_TRIEDALT 0x0100
242 #define HAVE_ANSWER(f) (((f)->attributes & FCTX_ATTR_HAVEANSWER) != \
244 #define GLUING(f) (((f)->attributes & FCTX_ATTR_GLUING) != \
246 #define ADDRWAIT(f) (((f)->attributes & FCTX_ATTR_ADDRWAIT) != \
248 #define SHUTTINGDOWN(f) (((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \
250 #define WANTCACHE(f) (((f)->attributes & FCTX_ATTR_WANTCACHE) != 0)
251 #define WANTNCACHE(f) (((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0)
252 #define NEEDEDNS0(f) (((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0)
253 #define TRIEDFIND(f) (((f)->attributes & FCTX_ATTR_TRIEDFIND) != 0)
254 #define TRIEDALT(f) (((f)->attributes & FCTX_ATTR_TRIEDALT) != 0)
257 dns_adbaddrinfo_t * addrinfo;
263 fetchctx_t * private;
266 #define DNS_FETCH_MAGIC ISC_MAGIC('F', 't', 'c', 'h')
267 #define DNS_FETCH_VALID(fetch) ISC_MAGIC_VALID(fetch, DNS_FETCH_MAGIC)
269 typedef struct fctxbucket {
272 ISC_LIST(fetchctx_t) fctxs;
273 isc_boolean_t exiting;
276 typedef struct alternate {
277 isc_boolean_t isaddress;
285 ISC_LINK(struct alternate) link;
288 struct dns_resolver {
294 isc_mutex_t primelock;
295 dns_rdataclass_t rdclass;
296 isc_socketmgr_t * socketmgr;
297 isc_timermgr_t * timermgr;
298 isc_taskmgr_t * taskmgr;
300 isc_boolean_t frozen;
301 unsigned int options;
302 dns_dispatchmgr_t * dispatchmgr;
303 dns_dispatch_t * dispatchv4;
304 dns_dispatch_t * dispatchv6;
305 unsigned int nbuckets;
306 fctxbucket_t * buckets;
307 isc_uint32_t lame_ttl;
308 ISC_LIST(alternate_t) alternates;
309 isc_uint16_t udpsize;
311 isc_rwlock_t alglock;
313 dns_rbt_t * algorithms;
315 isc_rwlock_t mbslock;
317 dns_rbt_t * mustbesecure;
318 /* Locked by lock. */
319 unsigned int references;
320 isc_boolean_t exiting;
321 isc_eventlist_t whenshutdown;
322 unsigned int activebuckets;
323 isc_boolean_t priming;
324 /* Locked by primelock. */
325 dns_fetch_t * primefetch;
326 /* Locked by nlock. */
330 #define RES_MAGIC ISC_MAGIC('R', 'e', 's', '!')
331 #define VALID_RESOLVER(res) ISC_MAGIC_VALID(res, RES_MAGIC)
334 * Private addrinfo flags. These must not conflict with DNS_FETCHOPT_NOEDNS0,
335 * which we also use as an addrinfo flag.
337 #define FCTX_ADDRINFO_MARK 0x0001
338 #define FCTX_ADDRINFO_FORWARDER 0x1000
339 #define UNMARKED(a) (((a)->flags & FCTX_ADDRINFO_MARK) \
341 #define ISFORWARDER(a) (((a)->flags & \
342 FCTX_ADDRINFO_FORWARDER) != 0)
344 #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
346 #define dns_db_transfernode(a,b,c) do { (*c) = (*b); (*b) = NULL; } while (0)
348 static void destroy(dns_resolver_t *res);
349 static void empty_bucket(dns_resolver_t *res);
350 static isc_result_t resquery_send(resquery_t *query);
351 static void resquery_response(isc_task_t *task, isc_event_t *event);
352 static void resquery_connected(isc_task_t *task, isc_event_t *event);
353 static void fctx_try(fetchctx_t *fctx);
354 static isc_boolean_t fctx_destroy(fetchctx_t *fctx);
355 static isc_result_t ncache_adderesult(dns_message_t *message,
356 dns_db_t *cache, dns_dbnode_t *node,
357 dns_rdatatype_t covers,
358 isc_stdtime_t now, dns_ttl_t maxttl,
359 dns_rdataset_t *ardataset,
360 isc_result_t *eresultp);
361 static void validated(isc_task_t *task, isc_event_t *event);
362 static void maybe_destroy(fetchctx_t *fctx);
365 valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
366 dns_rdatatype_t type, dns_rdataset_t *rdataset,
367 dns_rdataset_t *sigrdataset, unsigned int valoptions,
370 dns_validator_t *validator = NULL;
371 dns_valarg_t *valarg;
374 valarg = isc_mem_get(fctx->res->mctx, sizeof(*valarg));
376 return (ISC_R_NOMEMORY);
379 valarg->addrinfo = addrinfo;
381 if (!ISC_LIST_EMPTY(fctx->validators))
382 INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
384 result = dns_validator_create(fctx->res->view, name, type, rdataset,
385 sigrdataset, fctx->rmessage,
386 valoptions, task, validated, valarg,
388 if (result == ISC_R_SUCCESS) {
389 if ((valoptions & DNS_VALIDATOR_DEFER) == 0) {
390 INSIST(fctx->validator == NULL);
391 fctx->validator = validator;
393 ISC_LIST_APPEND(fctx->validators, validator, link);
395 isc_mem_put(fctx->res->mctx, valarg, sizeof(*valarg));
400 fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
402 dns_name_t *domain = &fctx->domain;
403 dns_rdataset_t *rdataset;
404 dns_rdatatype_t type;
406 isc_boolean_t keep_auth = ISC_FALSE;
408 if (message->rcode == dns_rcode_nxdomain)
412 * Look for BIND 8 style delegations.
413 * Also look for answers to ANY queries where the duplicate NS RRset
414 * may have been stripped from the authority section.
416 if (message->counts[DNS_SECTION_ANSWER] != 0 &&
417 (fctx->type == dns_rdatatype_ns ||
418 fctx->type == dns_rdatatype_any)) {
419 result = dns_message_firstname(message, DNS_SECTION_ANSWER);
420 while (result == ISC_R_SUCCESS) {
422 dns_message_currentname(message, DNS_SECTION_ANSWER,
424 for (rdataset = ISC_LIST_HEAD(name->list);
426 rdataset = ISC_LIST_NEXT(rdataset, link)) {
427 type = rdataset->type;
428 if (type != dns_rdatatype_ns)
430 if (dns_name_issubdomain(name, domain))
433 result = dns_message_nextname(message,
438 /* Look for referral. */
439 if (message->counts[DNS_SECTION_AUTHORITY] == 0)
442 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
443 while (result == ISC_R_SUCCESS) {
445 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
446 for (rdataset = ISC_LIST_HEAD(name->list);
448 rdataset = ISC_LIST_NEXT(rdataset, link)) {
449 type = rdataset->type;
450 if (type == dns_rdatatype_soa &&
451 dns_name_equal(name, domain))
452 keep_auth = ISC_TRUE;
453 if (type != dns_rdatatype_ns &&
454 type != dns_rdatatype_soa)
456 if (dns_name_equal(name, domain))
458 if (dns_name_issubdomain(name, domain))
461 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
465 message->rcode = dns_rcode_nxdomain;
466 message->counts[DNS_SECTION_ANSWER] = 0;
468 message->counts[DNS_SECTION_AUTHORITY] = 0;
469 message->counts[DNS_SECTION_ADDITIONAL] = 0;
473 static inline isc_result_t
474 fctx_starttimer(fetchctx_t *fctx) {
476 * Start the lifetime timer for fctx.
478 * This is also used for stopping the idle timer; in that
479 * case we must purge events already posted to ensure that
480 * no further idle events are delivered.
482 return (isc_timer_reset(fctx->timer, isc_timertype_once,
483 &fctx->expires, NULL, ISC_TRUE));
487 fctx_stoptimer(fetchctx_t *fctx) {
491 * We don't return a result if resetting the timer to inactive fails
492 * since there's nothing to be done about it. Resetting to inactive
493 * should never fail anyway, since the code as currently written
494 * cannot fail in that case.
496 result = isc_timer_reset(fctx->timer, isc_timertype_inactive,
497 NULL, NULL, ISC_TRUE);
498 if (result != ISC_R_SUCCESS) {
499 UNEXPECTED_ERROR(__FILE__, __LINE__,
500 "isc_timer_reset(): %s",
501 isc_result_totext(result));
506 static inline isc_result_t
507 fctx_startidletimer(fetchctx_t *fctx) {
509 * Start the idle timer for fctx. The lifetime timer continues
512 return (isc_timer_reset(fctx->timer, isc_timertype_once,
513 &fctx->expires, &fctx->interval,
518 * Stopping the idle timer is equivalent to calling fctx_starttimer(), but
519 * we use fctx_stopidletimer for readability in the code below.
521 #define fctx_stopidletimer fctx_starttimer
525 resquery_destroy(resquery_t **queryp) {
528 REQUIRE(queryp != NULL);
530 REQUIRE(!ISC_LINK_LINKED(query, link));
532 INSIST(query->tcpsocket == NULL);
534 query->fctx->nqueries--;
535 if (SHUTTINGDOWN(query->fctx))
536 maybe_destroy(query->fctx); /* Locks bucket. */
538 isc_mem_put(query->mctx, query, sizeof(*query));
543 fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
544 isc_time_t *finish, isc_boolean_t no_response)
551 dns_adbaddrinfo_t *addrinfo;
556 FCTXTRACE("cancelquery");
558 REQUIRE(!RESQUERY_CANCELED(query));
560 query->attributes |= RESQUERY_ATTR_CANCELED;
563 * Should we update the RTT?
565 if (finish != NULL || no_response) {
566 if (finish != NULL) {
568 * We have both the start and finish times for this
569 * packet, so we can compute a real RTT.
571 rtt = (unsigned int)isc_time_microdiff(finish,
573 factor = DNS_ADB_RTTADJDEFAULT;
576 * We don't have an RTT for this query. Maybe the
577 * packet was lost, or maybe this server is very
578 * slow. We don't know. Increase the RTT.
581 rtt = query->addrinfo->srtt +
582 (200000 * fctx->restarts);
586 * Replace the current RTT with our value.
588 factor = DNS_ADB_RTTADJREPLACE;
590 dns_adb_adjustsrtt(fctx->adb, query->addrinfo, rtt, factor);
594 * Age RTTs of servers not tried.
596 factor = DNS_ADB_RTTADJAGE;
598 for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
600 addrinfo = ISC_LIST_NEXT(addrinfo, publink))
601 if (UNMARKED(addrinfo))
602 dns_adb_adjustsrtt(fctx->adb, addrinfo,
605 if (finish != NULL && TRIEDFIND(fctx))
606 for (find = ISC_LIST_HEAD(fctx->finds);
608 find = ISC_LIST_NEXT(find, publink))
609 for (addrinfo = ISC_LIST_HEAD(find->list);
611 addrinfo = ISC_LIST_NEXT(addrinfo, publink))
612 if (UNMARKED(addrinfo))
613 dns_adb_adjustsrtt(fctx->adb, addrinfo,
616 if (finish != NULL && TRIEDALT(fctx)) {
617 for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
619 addrinfo = ISC_LIST_NEXT(addrinfo, publink))
620 if (UNMARKED(addrinfo))
621 dns_adb_adjustsrtt(fctx->adb, addrinfo,
623 for (find = ISC_LIST_HEAD(fctx->altfinds);
625 find = ISC_LIST_NEXT(find, publink))
626 for (addrinfo = ISC_LIST_HEAD(find->list);
628 addrinfo = ISC_LIST_NEXT(addrinfo, publink))
629 if (UNMARKED(addrinfo))
630 dns_adb_adjustsrtt(fctx->adb, addrinfo,
634 if (query->dispentry != NULL)
635 dns_dispatch_removeresponse(&query->dispentry, deventp);
637 ISC_LIST_UNLINK(fctx->queries, query, link);
639 if (query->tsig != NULL)
640 isc_buffer_free(&query->tsig);
642 if (query->tsigkey != NULL)
643 dns_tsigkey_detach(&query->tsigkey);
646 * Check for any outstanding socket events. If they exist, cancel
647 * them and let the event handlers finish the cleanup. The resolver
648 * only needs to worry about managing the connect and send events;
649 * the dispatcher manages the recv events.
651 if (RESQUERY_CONNECTING(query))
653 * Cancel the connect.
655 isc_socket_cancel(query->tcpsocket, NULL,
656 ISC_SOCKCANCEL_CONNECT);
657 else if (RESQUERY_SENDING(query))
659 * Cancel the pending send.
661 isc_socket_cancel(dns_dispatch_getsocket(query->dispatch),
662 NULL, ISC_SOCKCANCEL_SEND);
664 if (query->dispatch != NULL)
665 dns_dispatch_detach(&query->dispatch);
667 if (! (RESQUERY_CONNECTING(query) || RESQUERY_SENDING(query)))
669 * It's safe to destroy the query now.
671 resquery_destroy(&query);
675 fctx_cancelqueries(fetchctx_t *fctx, isc_boolean_t no_response) {
676 resquery_t *query, *next_query;
678 FCTXTRACE("cancelqueries");
680 for (query = ISC_LIST_HEAD(fctx->queries);
682 query = next_query) {
683 next_query = ISC_LIST_NEXT(query, link);
684 fctx_cancelquery(&query, NULL, NULL, no_response);
689 fctx_cleanupfinds(fetchctx_t *fctx) {
690 dns_adbfind_t *find, *next_find;
692 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
694 for (find = ISC_LIST_HEAD(fctx->finds);
697 next_find = ISC_LIST_NEXT(find, publink);
698 ISC_LIST_UNLINK(fctx->finds, find, publink);
699 dns_adb_destroyfind(&find);
705 fctx_cleanupaltfinds(fetchctx_t *fctx) {
706 dns_adbfind_t *find, *next_find;
708 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
710 for (find = ISC_LIST_HEAD(fctx->altfinds);
713 next_find = ISC_LIST_NEXT(find, publink);
714 ISC_LIST_UNLINK(fctx->altfinds, find, publink);
715 dns_adb_destroyfind(&find);
717 fctx->altfind = NULL;
721 fctx_cleanupforwaddrs(fetchctx_t *fctx) {
722 dns_adbaddrinfo_t *addr, *next_addr;
724 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
726 for (addr = ISC_LIST_HEAD(fctx->forwaddrs);
729 next_addr = ISC_LIST_NEXT(addr, publink);
730 ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink);
731 dns_adb_freeaddrinfo(fctx->adb, &addr);
736 fctx_cleanupaltaddrs(fetchctx_t *fctx) {
737 dns_adbaddrinfo_t *addr, *next_addr;
739 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
741 for (addr = ISC_LIST_HEAD(fctx->altaddrs);
744 next_addr = ISC_LIST_NEXT(addr, publink);
745 ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
746 dns_adb_freeaddrinfo(fctx->adb, &addr);
751 fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response) {
752 FCTXTRACE("stopeverything");
753 fctx_cancelqueries(fctx, no_response);
754 fctx_cleanupfinds(fctx);
755 fctx_cleanupaltfinds(fctx);
756 fctx_cleanupforwaddrs(fctx);
757 fctx_cleanupaltaddrs(fctx);
758 fctx_stoptimer(fctx);
762 fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
763 dns_fetchevent_t *event, *next_event;
767 * Caller must be holding the appropriate bucket lock.
769 REQUIRE(fctx->state == fetchstate_done);
771 FCTXTRACE("sendevents");
773 for (event = ISC_LIST_HEAD(fctx->events);
775 event = next_event) {
776 next_event = ISC_LIST_NEXT(event, ev_link);
777 ISC_LIST_UNLINK(fctx->events, event, ev_link);
778 task = event->ev_sender;
779 event->ev_sender = fctx;
780 if (!HAVE_ANSWER(fctx))
781 event->result = result;
783 INSIST(result != ISC_R_SUCCESS ||
784 dns_rdataset_isassociated(event->rdataset) ||
785 fctx->type == dns_rdatatype_any ||
786 fctx->type == dns_rdatatype_rrsig ||
787 fctx->type == dns_rdatatype_sig);
790 * Negative results must be indicated in event->result.
792 if (dns_rdataset_isassociated(event->rdataset) &&
793 event->rdataset->type == dns_rdatatype_none) {
794 INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
795 event->result == DNS_R_NCACHENXRRSET);
798 isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
803 fctx_done(fetchctx_t *fctx, isc_result_t result) {
805 isc_boolean_t no_response;
811 if (result == ISC_R_SUCCESS)
812 no_response = ISC_TRUE;
814 no_response = ISC_FALSE;
815 fctx_stopeverything(fctx, no_response);
817 LOCK(&res->buckets[fctx->bucketnum].lock);
819 fctx->state = fetchstate_done;
820 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
821 fctx_sendevents(fctx, result);
823 UNLOCK(&res->buckets[fctx->bucketnum].lock);
827 resquery_senddone(isc_task_t *task, isc_event_t *event) {
828 isc_socketevent_t *sevent = (isc_socketevent_t *)event;
829 resquery_t *query = event->ev_arg;
830 isc_boolean_t retry = ISC_FALSE;
834 REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
841 * Currently we don't wait for the senddone event before retrying
842 * a query. This means that if we get really behind, we may end
843 * up doing extra work!
848 INSIST(RESQUERY_SENDING(query));
853 if (RESQUERY_CANCELED(query)) {
854 if (query->sends == 0) {
856 * This query was canceled while the
857 * isc_socket_sendto() was in progress.
859 if (query->tcpsocket != NULL)
860 isc_socket_detach(&query->tcpsocket);
861 resquery_destroy(&query);
864 switch (sevent->result) {
868 case ISC_R_HOSTUNREACH:
869 case ISC_R_NETUNREACH:
871 case ISC_R_ADDRNOTAVAIL:
872 case ISC_R_CONNREFUSED:
875 * No route to remote.
877 fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
882 fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
886 isc_event_free(&event);
890 * Behave as if the idle timer has expired. For TCP
891 * this may not actually reflect the latest timer.
893 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
894 result = fctx_stopidletimer(fctx);
895 if (result != ISC_R_SUCCESS)
896 fctx_done(fctx, result);
902 static inline isc_result_t
903 fctx_addopt(dns_message_t *message, dns_resolver_t *res) {
904 dns_rdataset_t *rdataset;
905 dns_rdatalist_t *rdatalist;
910 result = dns_message_gettemprdatalist(message, &rdatalist);
911 if (result != ISC_R_SUCCESS)
914 result = dns_message_gettemprdata(message, &rdata);
915 if (result != ISC_R_SUCCESS)
918 result = dns_message_gettemprdataset(message, &rdataset);
919 if (result != ISC_R_SUCCESS)
921 dns_rdataset_init(rdataset);
923 rdatalist->type = dns_rdatatype_opt;
924 rdatalist->covers = 0;
927 * Set Maximum UDP buffer size.
929 rdatalist->rdclass = res->udpsize;
932 * Set EXTENDED-RCODE, VERSION, and Z to 0, and the DO bit to 1.
934 rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
941 rdata->rdclass = rdatalist->rdclass;
942 rdata->type = rdatalist->type;
945 ISC_LIST_INIT(rdatalist->rdata);
946 ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
947 RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) == ISC_R_SUCCESS);
949 return (dns_message_setopt(message, rdataset));
953 fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
954 unsigned int seconds;
957 * We retry every 2 seconds the first two times through the address
958 * list, and then we do exponential back-off.
960 if (fctx->restarts < 3)
963 seconds = (2 << (fctx->restarts - 1));
966 * Double the round-trip time and convert to seconds.
971 * Always wait for at least the doubled round-trip time.
977 * But don't ever wait for more than 30 seconds.
982 isc_interval_set(&fctx->interval, seconds, 0);
986 fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
987 unsigned int options)
997 task = res->buckets[fctx->bucketnum].task;
999 fctx_setretryinterval(fctx, addrinfo->srtt);
1000 result = fctx_startidletimer(fctx);
1001 if (result != ISC_R_SUCCESS)
1004 INSIST(ISC_LIST_EMPTY(fctx->validators));
1006 dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
1008 query = isc_mem_get(res->mctx, sizeof(*query));
1009 if (query == NULL) {
1010 result = ISC_R_NOMEMORY;
1011 goto stop_idle_timer;
1013 query->mctx = res->mctx;
1014 query->options = options;
1015 query->attributes = 0;
1017 query->connects = 0;
1019 * Note that the caller MUST guarantee that 'addrinfo' will remain
1020 * valid until this query is canceled.
1022 query->addrinfo = addrinfo;
1023 TIME_NOW(&query->start);
1026 * If this is a TCP query, then we need to make a socket and
1027 * a dispatch for it here. Otherwise we use the resolver's
1030 query->dispatchmgr = res->dispatchmgr;
1031 query->dispatch = NULL;
1032 query->tcpsocket = NULL;
1033 if ((query->options & DNS_FETCHOPT_TCP) != 0) {
1034 isc_sockaddr_t addr;
1037 pf = isc_sockaddr_pf(&addrinfo->sockaddr);
1041 result = dns_dispatch_getlocaladdress(res->dispatchv4,
1045 result = dns_dispatch_getlocaladdress(res->dispatchv6,
1049 result = ISC_R_NOTIMPLEMENTED;
1052 if (result != ISC_R_SUCCESS)
1055 isc_sockaddr_setport(&addr, 0);
1057 result = isc_socket_create(res->socketmgr, pf,
1060 if (result != ISC_R_SUCCESS)
1063 #ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
1064 result = isc_socket_bind(query->tcpsocket, &addr);
1065 if (result != ISC_R_SUCCESS)
1066 goto cleanup_socket;
1070 * A dispatch will be created once the connect succeeds.
1073 switch (isc_sockaddr_pf(&addrinfo->sockaddr)) {
1075 dns_dispatch_attach(res->dispatchv4, &query->dispatch);
1078 dns_dispatch_attach(res->dispatchv6, &query->dispatch);
1081 result = ISC_R_NOTIMPLEMENTED;
1085 * We should always have a valid dispatcher here. If we
1086 * don't support a protocol family, then its dispatcher
1087 * will be NULL, but we shouldn't be finding addresses for
1088 * protocol types we don't support, so the dispatcher
1089 * we found should never be NULL.
1091 INSIST(query->dispatch != NULL);
1094 query->dispentry = NULL;
1097 query->tsigkey = NULL;
1098 ISC_LINK_INIT(query, link);
1099 query->magic = QUERY_MAGIC;
1101 if ((query->options & DNS_FETCHOPT_TCP) != 0) {
1103 * Connect to the remote server.
1105 * XXXRTH Should we attach to the socket?
1107 result = isc_socket_connect(query->tcpsocket,
1108 &addrinfo->sockaddr, task,
1109 resquery_connected, query);
1110 if (result != ISC_R_SUCCESS)
1111 goto cleanup_socket;
1113 QTRACE("connecting via TCP");
1115 result = resquery_send(query);
1116 if (result != ISC_R_SUCCESS)
1117 goto cleanup_dispatch;
1120 ISC_LIST_APPEND(fctx->queries, query, link);
1121 query->fctx->nqueries++;
1123 return (ISC_R_SUCCESS);
1126 isc_socket_detach(&query->tcpsocket);
1129 if (query->dispatch != NULL)
1130 dns_dispatch_detach(&query->dispatch);
1134 isc_mem_put(res->mctx, query, sizeof(*query));
1137 RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS);
1143 resquery_send(resquery_t *query) {
1145 isc_result_t result;
1146 dns_name_t *qname = NULL;
1147 dns_rdataset_t *qrdataset = NULL;
1149 dns_resolver_t *res;
1151 isc_socket_t *socket;
1152 isc_buffer_t tcpbuffer;
1153 isc_sockaddr_t *address;
1154 isc_buffer_t *buffer;
1155 isc_netaddr_t ipaddr;
1156 dns_tsigkey_t *tsigkey = NULL;
1157 dns_peer_t *peer = NULL;
1158 isc_boolean_t useedns;
1159 dns_compress_t cctx;
1160 isc_boolean_t cleanup_cctx = ISC_FALSE;
1161 isc_boolean_t secure_domain;
1167 task = res->buckets[fctx->bucketnum].task;
1170 if ((query->options & DNS_FETCHOPT_TCP) != 0) {
1172 * Reserve space for the TCP message length.
1174 isc_buffer_init(&tcpbuffer, query->data, sizeof(query->data));
1175 isc_buffer_init(&query->buffer, query->data + 2,
1176 sizeof(query->data) - 2);
1177 buffer = &tcpbuffer;
1179 isc_buffer_init(&query->buffer, query->data,
1180 sizeof(query->data));
1181 buffer = &query->buffer;
1184 result = dns_message_gettempname(fctx->qmessage, &qname);
1185 if (result != ISC_R_SUCCESS)
1187 result = dns_message_gettemprdataset(fctx->qmessage, &qrdataset);
1188 if (result != ISC_R_SUCCESS)
1192 * Get a query id from the dispatch.
1194 result = dns_dispatch_addresponse(query->dispatch,
1195 &query->addrinfo->sockaddr,
1201 if (result != ISC_R_SUCCESS)
1204 fctx->qmessage->opcode = dns_opcode_query;
1209 dns_name_init(qname, NULL);
1210 dns_name_clone(&fctx->name, qname);
1211 dns_rdataset_init(qrdataset);
1212 dns_rdataset_makequestion(qrdataset, res->rdclass, fctx->type);
1213 ISC_LIST_APPEND(qname->list, qrdataset, link);
1214 dns_message_addname(fctx->qmessage, qname, DNS_SECTION_QUESTION);
1219 * Set RD if the client has requested that we do a recursive query,
1220 * or if we're sending to a forwarder.
1222 if ((query->options & DNS_FETCHOPT_RECURSIVE) != 0 ||
1223 ISFORWARDER(query->addrinfo))
1224 fctx->qmessage->flags |= DNS_MESSAGEFLAG_RD;
1227 * Set CD if the client says don't validate or the question is
1228 * under a secure entry point.
1230 if ((query->options & DNS_FETCHOPT_NOVALIDATE) == 0) {
1231 result = dns_keytable_issecuredomain(res->view->secroots,
1234 if (result != ISC_R_SUCCESS)
1235 secure_domain = ISC_FALSE;
1236 if (res->view->dlv != NULL)
1237 secure_domain = ISC_TRUE;
1239 fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
1241 fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
1244 * We don't have to set opcode because it defaults to query.
1246 fctx->qmessage->id = query->id;
1249 * Convert the question to wire format.
1251 result = dns_compress_init(&cctx, -1, fctx->res->mctx);
1252 if (result != ISC_R_SUCCESS)
1253 goto cleanup_message;
1254 cleanup_cctx = ISC_TRUE;
1256 result = dns_message_renderbegin(fctx->qmessage, &cctx,
1258 if (result != ISC_R_SUCCESS)
1259 goto cleanup_message;
1261 result = dns_message_rendersection(fctx->qmessage,
1262 DNS_SECTION_QUESTION, 0);
1263 if (result != ISC_R_SUCCESS)
1264 goto cleanup_message;
1267 isc_netaddr_fromsockaddr(&ipaddr, &query->addrinfo->sockaddr);
1268 (void) dns_peerlist_peerbyaddr(fctx->res->view->peers, &ipaddr, &peer);
1271 * The ADB does not know about servers with "edns no". Check this,
1272 * and then inform the ADB for future use.
1274 if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0 &&
1276 dns_peer_getsupportedns(peer, &useedns) == ISC_R_SUCCESS &&
1279 query->options |= DNS_FETCHOPT_NOEDNS0;
1280 dns_adb_changeflags(fctx->adb,
1282 DNS_FETCHOPT_NOEDNS0,
1283 DNS_FETCHOPT_NOEDNS0);
1287 * Use EDNS0, unless the caller doesn't want it, or we know that
1288 * the remote server doesn't like it.
1290 if (fctx->timeouts >= MAX_EDNS0_TIMEOUTS &&
1291 (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
1292 query->options |= DNS_FETCHOPT_NOEDNS0;
1293 FCTXTRACE("too many timeouts, disabling EDNS0");
1296 if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
1297 if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
1298 result = fctx_addopt(fctx->qmessage, res);
1299 if (result != ISC_R_SUCCESS) {
1301 * We couldn't add the OPT, but we'll press on.
1302 * We're not using EDNS0, so set the NOEDNS0
1305 query->options |= DNS_FETCHOPT_NOEDNS0;
1309 * We know this server doesn't like EDNS0, so we
1310 * won't use it. Set the NOEDNS0 bit since we're
1313 query->options |= DNS_FETCHOPT_NOEDNS0;
1318 * If we need EDNS0 to do this query and aren't using it, we lose.
1320 if (NEEDEDNS0(fctx) && (query->options & DNS_FETCHOPT_NOEDNS0) != 0) {
1321 result = DNS_R_SERVFAIL;
1322 goto cleanup_message;
1326 * Clear CD if EDNS is not in use.
1328 if ((query->options & DNS_FETCHOPT_NOEDNS0) != 0)
1329 fctx->qmessage->flags &= ~DNS_MESSAGEFLAG_CD;
1332 * Add TSIG record tailored to the current recipient.
1334 result = dns_view_getpeertsig(fctx->res->view, &ipaddr, &tsigkey);
1335 if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
1336 goto cleanup_message;
1338 if (tsigkey != NULL) {
1339 result = dns_message_settsigkey(fctx->qmessage, tsigkey);
1340 dns_tsigkey_detach(&tsigkey);
1341 if (result != ISC_R_SUCCESS)
1342 goto cleanup_message;
1345 result = dns_message_rendersection(fctx->qmessage,
1346 DNS_SECTION_ADDITIONAL, 0);
1347 if (result != ISC_R_SUCCESS)
1348 goto cleanup_message;
1350 result = dns_message_renderend(fctx->qmessage);
1351 if (result != ISC_R_SUCCESS)
1352 goto cleanup_message;
1354 dns_compress_invalidate(&cctx);
1355 cleanup_cctx = ISC_FALSE;
1357 if (dns_message_gettsigkey(fctx->qmessage) != NULL) {
1358 dns_tsigkey_attach(dns_message_gettsigkey(fctx->qmessage),
1360 result = dns_message_getquerytsig(fctx->qmessage,
1363 if (result != ISC_R_SUCCESS)
1364 goto cleanup_message;
1368 * If using TCP, write the length of the message at the beginning
1371 if ((query->options & DNS_FETCHOPT_TCP) != 0) {
1372 isc_buffer_usedregion(&query->buffer, &r);
1373 isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t)r.length);
1374 isc_buffer_add(&tcpbuffer, r.length);
1378 * We're now done with the query message.
1380 dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
1382 socket = dns_dispatch_getsocket(query->dispatch);
1386 if ((query->options & DNS_FETCHOPT_TCP) == 0)
1387 address = &query->addrinfo->sockaddr;
1388 isc_buffer_usedregion(buffer, &r);
1391 * XXXRTH Make sure we don't send to ourselves! We should probably
1392 * prune out these addresses when we get them from the ADB.
1394 result = isc_socket_sendto(socket, &r, task, resquery_senddone,
1395 query, address, NULL);
1396 if (result != ISC_R_SUCCESS)
1397 goto cleanup_message;
1401 return (ISC_R_SUCCESS);
1405 dns_compress_invalidate(&cctx);
1407 dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
1410 * Stop the dispatcher from listening.
1412 dns_dispatch_removeresponse(&query->dispentry, NULL);
1416 dns_message_puttempname(fctx->qmessage, &qname);
1417 if (qrdataset != NULL)
1418 dns_message_puttemprdataset(fctx->qmessage, &qrdataset);
1424 resquery_connected(isc_task_t *task, isc_event_t *event) {
1425 isc_socketevent_t *sevent = (isc_socketevent_t *)event;
1426 resquery_t *query = event->ev_arg;
1427 isc_boolean_t retry = ISC_FALSE;
1428 isc_result_t result;
1432 REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
1433 REQUIRE(VALID_QUERY(query));
1435 QTRACE("connected");
1442 * Currently we don't wait for the connect event before retrying
1443 * a query. This means that if we get really behind, we may end
1444 * up doing extra work!
1450 if (RESQUERY_CANCELED(query)) {
1452 * This query was canceled while the connect() was in
1455 isc_socket_detach(&query->tcpsocket);
1456 resquery_destroy(&query);
1458 switch (sevent->result) {
1461 * We are connected. Create a dispatcher and
1465 attrs |= DNS_DISPATCHATTR_TCP;
1466 attrs |= DNS_DISPATCHATTR_PRIVATE;
1467 attrs |= DNS_DISPATCHATTR_CONNECTED;
1468 if (isc_sockaddr_pf(&query->addrinfo->sockaddr) ==
1470 attrs |= DNS_DISPATCHATTR_IPV4;
1472 attrs |= DNS_DISPATCHATTR_IPV6;
1473 attrs |= DNS_DISPATCHATTR_MAKEQUERY;
1475 result = dns_dispatch_createtcp(query->dispatchmgr,
1477 query->fctx->res->taskmgr,
1478 4096, 2, 1, 1, 3, attrs,
1482 * Regardless of whether dns_dispatch_create()
1483 * succeeded or not, we don't need our reference
1484 * to the socket anymore.
1486 isc_socket_detach(&query->tcpsocket);
1488 if (result == ISC_R_SUCCESS)
1489 result = resquery_send(query);
1491 if (result != ISC_R_SUCCESS) {
1492 fctx_cancelquery(&query, NULL, NULL,
1494 fctx_done(fctx, result);
1498 case ISC_R_NETUNREACH:
1499 case ISC_R_HOSTUNREACH:
1500 case ISC_R_CONNREFUSED:
1502 case ISC_R_ADDRNOTAVAIL:
1503 case ISC_R_CONNECTIONRESET:
1505 * No route to remote.
1507 isc_socket_detach(&query->tcpsocket);
1508 fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
1513 isc_socket_detach(&query->tcpsocket);
1514 fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
1519 isc_event_free(&event);
1523 * Behave as if the idle timer has expired. For TCP
1524 * connections this may not actually reflect the latest timer.
1526 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
1527 result = fctx_stopidletimer(fctx);
1528 if (result != ISC_R_SUCCESS)
1529 fctx_done(fctx, result);
1536 fctx_finddone(isc_task_t *task, isc_event_t *event) {
1538 dns_adbfind_t *find;
1539 dns_resolver_t *res;
1540 isc_boolean_t want_try = ISC_FALSE;
1541 isc_boolean_t want_done = ISC_FALSE;
1542 isc_boolean_t bucket_empty = ISC_FALSE;
1543 unsigned int bucketnum;
1545 find = event->ev_sender;
1546 fctx = event->ev_arg;
1547 REQUIRE(VALID_FCTX(fctx));
1552 FCTXTRACE("finddone");
1554 INSIST(fctx->pending > 0);
1557 if (ADDRWAIT(fctx)) {
1559 * The fetch is waiting for a name to be found.
1561 INSIST(!SHUTTINGDOWN(fctx));
1562 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
1563 if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES)
1564 want_try = ISC_TRUE;
1565 else if (fctx->pending == 0) {
1567 * We've got nothing else to wait for and don't
1568 * know the answer. There's nothing to do but
1571 want_done = ISC_TRUE;
1573 } else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
1574 fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
1575 bucketnum = fctx->bucketnum;
1576 LOCK(&res->buckets[bucketnum].lock);
1578 * Note that we had to wait until we had the lock before
1579 * looking at fctx->references.
1581 if (fctx->references == 0)
1582 bucket_empty = fctx_destroy(fctx);
1583 UNLOCK(&res->buckets[bucketnum].lock);
1586 isc_event_free(&event);
1587 dns_adb_destroyfind(&find);
1592 fctx_done(fctx, ISC_R_FAILURE);
1593 else if (bucket_empty)
1598 static inline isc_boolean_t
1599 bad_server(fetchctx_t *fctx, isc_sockaddr_t *address) {
1602 for (sa = ISC_LIST_HEAD(fctx->bad);
1604 sa = ISC_LIST_NEXT(sa, link)) {
1605 if (isc_sockaddr_equal(sa, address))
1612 static inline isc_boolean_t
1613 mark_bad(fetchctx_t *fctx) {
1614 dns_adbfind_t *curr;
1615 dns_adbaddrinfo_t *addrinfo;
1616 isc_boolean_t all_bad = ISC_TRUE;
1619 * Mark all known bad servers, so we don't try to talk to them
1624 * Mark any bad nameservers.
1626 for (curr = ISC_LIST_HEAD(fctx->finds);
1628 curr = ISC_LIST_NEXT(curr, publink)) {
1629 for (addrinfo = ISC_LIST_HEAD(curr->list);
1631 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
1632 if (bad_server(fctx, &addrinfo->sockaddr))
1633 addrinfo->flags |= FCTX_ADDRINFO_MARK;
1635 all_bad = ISC_FALSE;
1640 * Mark any bad forwarders.
1642 for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
1644 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
1645 if (bad_server(fctx, &addrinfo->sockaddr))
1646 addrinfo->flags |= FCTX_ADDRINFO_MARK;
1648 all_bad = ISC_FALSE;
1652 * Mark any bad alternates.
1654 for (curr = ISC_LIST_HEAD(fctx->altfinds);
1656 curr = ISC_LIST_NEXT(curr, publink)) {
1657 for (addrinfo = ISC_LIST_HEAD(curr->list);
1659 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
1660 if (bad_server(fctx, &addrinfo->sockaddr))
1661 addrinfo->flags |= FCTX_ADDRINFO_MARK;
1663 all_bad = ISC_FALSE;
1667 for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
1669 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
1670 if (bad_server(fctx, &addrinfo->sockaddr))
1671 addrinfo->flags |= FCTX_ADDRINFO_MARK;
1673 all_bad = ISC_FALSE;
1680 add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason) {
1681 char namebuf[DNS_NAME_FORMATSIZE];
1682 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
1688 const char *sep1, *sep2;
1689 isc_sockaddr_t *address = &addrinfo->sockaddr;
1691 if (bad_server(fctx, address)) {
1693 * We already know this server is bad.
1698 FCTXTRACE("add_bad");
1700 sa = isc_mem_get(fctx->res->mctx, sizeof(*sa));
1704 ISC_LIST_INITANDAPPEND(fctx->bad, sa, link);
1706 if (reason == DNS_R_LAME) /* already logged */
1709 if (reason == DNS_R_UNEXPECTEDRCODE &&
1710 fctx->rmessage->opcode == dns_rcode_servfail &&
1711 ISFORWARDER(addrinfo))
1714 if (reason == DNS_R_UNEXPECTEDRCODE) {
1715 isc_buffer_init(&b, code, sizeof(code) - 1);
1716 dns_rcode_totext(fctx->rmessage->rcode, &b);
1717 code[isc_buffer_usedlength(&b)] = '\0';
1720 } else if (reason == DNS_R_UNEXPECTEDOPCODE) {
1721 isc_buffer_init(&b, code, sizeof(code) - 1);
1722 dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b);
1723 code[isc_buffer_usedlength(&b)] = '\0';
1731 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
1732 dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
1733 dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf));
1734 isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
1735 isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
1736 DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
1737 "%s %s%s%sresolving '%s/%s/%s': %s",
1738 dns_result_totext(reason), sep1, code, sep2,
1739 namebuf, typebuf, classbuf, addrbuf);
1743 sort_adbfind(dns_adbfind_t *find) {
1744 dns_adbaddrinfo_t *best, *curr;
1745 dns_adbaddrinfolist_t sorted;
1748 * Lame N^2 bubble sort.
1751 ISC_LIST_INIT(sorted);
1752 while (!ISC_LIST_EMPTY(find->list)) {
1753 best = ISC_LIST_HEAD(find->list);
1754 curr = ISC_LIST_NEXT(best, publink);
1755 while (curr != NULL) {
1756 if (curr->srtt < best->srtt)
1758 curr = ISC_LIST_NEXT(curr, publink);
1760 ISC_LIST_UNLINK(find->list, best, publink);
1761 ISC_LIST_APPEND(sorted, best, publink);
1763 find->list = sorted;
1767 sort_finds(fetchctx_t *fctx) {
1768 dns_adbfind_t *best, *curr;
1769 dns_adbfindlist_t sorted;
1770 dns_adbaddrinfo_t *addrinfo, *bestaddrinfo;
1773 * Lame N^2 bubble sort.
1776 ISC_LIST_INIT(sorted);
1777 while (!ISC_LIST_EMPTY(fctx->finds)) {
1778 best = ISC_LIST_HEAD(fctx->finds);
1779 bestaddrinfo = ISC_LIST_HEAD(best->list);
1780 INSIST(bestaddrinfo != NULL);
1781 curr = ISC_LIST_NEXT(best, publink);
1782 while (curr != NULL) {
1783 addrinfo = ISC_LIST_HEAD(curr->list);
1784 INSIST(addrinfo != NULL);
1785 if (addrinfo->srtt < bestaddrinfo->srtt) {
1787 bestaddrinfo = addrinfo;
1789 curr = ISC_LIST_NEXT(curr, publink);
1791 ISC_LIST_UNLINK(fctx->finds, best, publink);
1792 ISC_LIST_APPEND(sorted, best, publink);
1794 fctx->finds = sorted;
1796 ISC_LIST_INIT(sorted);
1797 while (!ISC_LIST_EMPTY(fctx->altfinds)) {
1798 best = ISC_LIST_HEAD(fctx->altfinds);
1799 bestaddrinfo = ISC_LIST_HEAD(best->list);
1800 INSIST(bestaddrinfo != NULL);
1801 curr = ISC_LIST_NEXT(best, publink);
1802 while (curr != NULL) {
1803 addrinfo = ISC_LIST_HEAD(curr->list);
1804 INSIST(addrinfo != NULL);
1805 if (addrinfo->srtt < bestaddrinfo->srtt) {
1807 bestaddrinfo = addrinfo;
1809 curr = ISC_LIST_NEXT(curr, publink);
1811 ISC_LIST_UNLINK(fctx->altfinds, best, publink);
1812 ISC_LIST_APPEND(sorted, best, publink);
1814 fctx->altfinds = sorted;
1818 findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
1819 unsigned int options, unsigned int flags, isc_stdtime_t now,
1820 isc_boolean_t *pruned, isc_boolean_t *need_alternate)
1822 dns_adbaddrinfo_t *ai;
1823 dns_adbfind_t *find;
1824 dns_resolver_t *res;
1825 isc_boolean_t unshared;
1826 isc_result_t result;
1829 unshared = ISC_TF((fctx->options | DNS_FETCHOPT_UNSHARED) != 0);
1831 * If this name is a subdomain of the query domain, tell
1832 * the ADB to start looking using zone/hint data. This keeps us
1833 * from getting stuck if the nameserver is beneath the zone cut
1834 * and we don't know its address (e.g. because the A record has
1837 if (dns_name_issubdomain(name, &fctx->domain))
1838 options |= DNS_ADBFIND_STARTATZONE;
1839 options |= DNS_ADBFIND_GLUEOK;
1840 options |= DNS_ADBFIND_HINTOK;
1843 * See what we know about this address.
1846 result = dns_adb_createfind(fctx->adb,
1847 res->buckets[fctx->bucketnum].task,
1848 fctx_finddone, fctx, name,
1849 &fctx->domain, options, now, NULL,
1850 res->view->dstport, &find);
1851 if (result != ISC_R_SUCCESS) {
1852 if (result == DNS_R_ALIAS) {
1854 * XXXRTH Follow the CNAME/DNAME chain?
1856 dns_adb_destroyfind(&find);
1858 } else if (!ISC_LIST_EMPTY(find->list)) {
1860 * We have at least some of the addresses for the
1863 INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0);
1865 if (flags != 0 || port != 0) {
1866 for (ai = ISC_LIST_HEAD(find->list);
1868 ai = ISC_LIST_NEXT(ai, publink)) {
1871 isc_sockaddr_setport(&ai->sockaddr,
1875 if ((flags & FCTX_ADDRINFO_FORWARDER) != 0)
1876 ISC_LIST_APPEND(fctx->altfinds, find, publink);
1878 ISC_LIST_APPEND(fctx->finds, find, publink);
1881 * We don't know any of the addresses for this
1884 if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) {
1886 * We're looking for them and will get an
1887 * event about it later.
1893 if (need_alternate != NULL &&
1894 !*need_alternate && unshared &&
1895 ((res->dispatchv4 == NULL &&
1896 find->result_v6 != DNS_R_NXDOMAIN) ||
1897 (res->dispatchv6 == NULL &&
1898 find->result_v4 != DNS_R_NXDOMAIN)))
1899 *need_alternate = ISC_TRUE;
1902 * If we know there are no addresses for
1903 * the family we are using then try to add
1904 * an alternative server.
1906 if (need_alternate != NULL && !*need_alternate &&
1907 ((res->dispatchv4 == NULL &&
1908 find->result_v6 == DNS_R_NXRRSET) ||
1909 (res->dispatchv6 == NULL &&
1910 find->result_v4 == DNS_R_NXRRSET)))
1911 *need_alternate = ISC_TRUE;
1913 * And ADB isn't going to send us any events
1914 * either. This find loses.
1916 if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0) {
1918 * The ADB pruned lame servers for
1919 * this name. Remember that in case
1920 * we get desperate later on.
1924 dns_adb_destroyfind(&find);
1930 fctx_getaddresses(fetchctx_t *fctx) {
1931 dns_rdata_t rdata = DNS_RDATA_INIT;
1932 isc_result_t result;
1933 dns_resolver_t *res;
1935 unsigned int stdoptions;
1937 dns_adbaddrinfo_t *ai;
1938 isc_boolean_t pruned, all_bad;
1940 isc_boolean_t need_alternate = ISC_FALSE;
1942 FCTXTRACE("getaddresses");
1945 * Don't pound on remote servers. (Failsafe!)
1948 if (fctx->restarts > 10) {
1949 FCTXTRACE("too many restarts");
1950 return (DNS_R_SERVFAIL);
1955 stdoptions = 0; /* Keep compiler happy. */
1961 INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
1962 INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
1965 * If this fctx has forwarders, use them; otherwise use any
1966 * selective forwarders specified in the view; otherwise use the
1967 * resolver's forwarders (if any).
1969 sa = ISC_LIST_HEAD(fctx->forwarders);
1971 dns_forwarders_t *forwarders = NULL;
1972 dns_name_t *name = &fctx->name;
1974 unsigned int labels;
1977 * DS records are found in the parent server.
1978 * Strip label to get the correct forwarder (if any).
1980 if (fctx->type == dns_rdatatype_ds &&
1981 dns_name_countlabels(name) > 1) {
1982 dns_name_init(&suffix, NULL);
1983 labels = dns_name_countlabels(name);
1984 dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
1987 result = dns_fwdtable_find(fctx->res->view->fwdtable, name,
1989 if (result == ISC_R_SUCCESS) {
1990 sa = ISC_LIST_HEAD(forwarders->addrs);
1991 fctx->fwdpolicy = forwarders->fwdpolicy;
1995 while (sa != NULL) {
1997 result = dns_adb_findaddrinfo(fctx->adb,
1998 sa, &ai, 0); /* XXXMLG */
1999 if (result == ISC_R_SUCCESS) {
2000 dns_adbaddrinfo_t *cur;
2001 ai->flags |= FCTX_ADDRINFO_FORWARDER;
2002 cur = ISC_LIST_HEAD(fctx->forwaddrs);
2003 while (cur != NULL && cur->srtt < ai->srtt)
2004 cur = ISC_LIST_NEXT(cur, publink);
2006 ISC_LIST_INSERTBEFORE(fctx->forwaddrs, cur,
2009 ISC_LIST_APPEND(fctx->forwaddrs, ai, publink);
2011 sa = ISC_LIST_NEXT(sa, link);
2015 * If the forwarding policy is "only", we don't need the addresses
2016 * of the nameservers.
2018 if (fctx->fwdpolicy == dns_fwdpolicy_only)
2022 * Normal nameservers.
2025 stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
2026 if (fctx->restarts == 1) {
2028 * To avoid sending out a flood of queries likely to
2029 * result in NXRRSET, we suppress fetches for address
2030 * families we don't have the first time through,
2031 * provided that we have addresses in some family we
2034 * We don't want to set this option all the time, since
2035 * if fctx->restarts > 1, we've clearly been having trouble
2036 * with the addresses we had, so getting more could help.
2038 stdoptions |= DNS_ADBFIND_AVOIDFETCHES;
2040 if (res->dispatchv4 != NULL)
2041 stdoptions |= DNS_ADBFIND_INET;
2042 if (res->dispatchv6 != NULL)
2043 stdoptions |= DNS_ADBFIND_INET6;
2044 isc_stdtime_get(&now);
2047 INSIST(ISC_LIST_EMPTY(fctx->finds));
2048 INSIST(ISC_LIST_EMPTY(fctx->altfinds));
2050 for (result = dns_rdataset_first(&fctx->nameservers);
2051 result == ISC_R_SUCCESS;
2052 result = dns_rdataset_next(&fctx->nameservers))
2054 dns_rdataset_current(&fctx->nameservers, &rdata);
2056 * Extract the name from the NS record.
2058 result = dns_rdata_tostruct(&rdata, &ns, NULL);
2059 if (result != ISC_R_SUCCESS)
2062 findname(fctx, &ns.name, 0, stdoptions, 0, now,
2063 &pruned, &need_alternate);
2064 dns_rdata_reset(&rdata);
2065 dns_rdata_freestruct(&ns);
2067 if (result != ISC_R_NOMORE)
2071 * Do we need to use 6 to 4?
2073 if (need_alternate) {
2076 family = (res->dispatchv6 != NULL) ? AF_INET6 : AF_INET;
2077 for (a = ISC_LIST_HEAD(fctx->res->alternates);
2079 a = ISC_LIST_NEXT(a, link)) {
2080 if (!a->isaddress) {
2081 findname(fctx, &a->_u._n.name, a->_u._n.port,
2082 stdoptions, FCTX_ADDRINFO_FORWARDER,
2083 now, &pruned, NULL);
2086 if (isc_sockaddr_pf(&a->_u.addr) != family)
2089 result = dns_adb_findaddrinfo(fctx->adb, &a->_u.addr,
2091 if (result == ISC_R_SUCCESS) {
2092 dns_adbaddrinfo_t *cur;
2093 ai->flags |= FCTX_ADDRINFO_FORWARDER;
2094 cur = ISC_LIST_HEAD(fctx->altaddrs);
2095 while (cur != NULL && cur->srtt < ai->srtt)
2096 cur = ISC_LIST_NEXT(cur, publink);
2098 ISC_LIST_INSERTBEFORE(fctx->altaddrs,
2101 ISC_LIST_APPEND(fctx->altaddrs, ai,
2109 * Mark all known bad servers.
2111 all_bad = mark_bad(fctx);
2118 * We've got no addresses.
2120 if (fctx->pending > 0) {
2122 * We're fetching the addresses, but don't have any
2123 * yet. Tell the caller to wait for an answer.
2125 result = DNS_R_WAIT;
2126 } else if (pruned) {
2128 * Some addresses were removed by lame pruning.
2129 * Turn pruning off and try again.
2131 FCTXTRACE("restarting with returnlame");
2132 INSIST((stdoptions & DNS_ADBFIND_RETURNLAME) == 0);
2133 stdoptions |= DNS_ADBFIND_RETURNLAME;
2135 fctx_cleanupaltfinds(fctx);
2136 fctx_cleanupfinds(fctx);
2140 * We've lost completely. We don't know any
2141 * addresses, and the ADB has told us it can't get
2144 FCTXTRACE("no addresses");
2145 result = ISC_R_FAILURE;
2149 * We've found some addresses. We might still be looking
2150 * for more addresses.
2153 result = ISC_R_SUCCESS;
2160 possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr)
2163 char buf[ISC_NETADDR_FORMATSIZE];
2165 isc_boolean_t aborted = ISC_FALSE;
2166 isc_boolean_t bogus;
2167 dns_acl_t *blackhole;
2168 isc_netaddr_t ipaddr;
2169 dns_peer_t *peer = NULL;
2170 dns_resolver_t *res;
2171 const char *msg = NULL;
2173 sa = &addr->sockaddr;
2176 isc_netaddr_fromsockaddr(&ipaddr, sa);
2177 blackhole = dns_dispatchmgr_getblackhole(res->dispatchmgr);
2178 (void) dns_peerlist_peerbyaddr(res->view->peers, &ipaddr, &peer);
2180 if (blackhole != NULL) {
2183 if (dns_acl_match(&ipaddr, NULL, blackhole,
2185 &match, NULL) == ISC_R_SUCCESS &&
2191 dns_peer_getbogus(peer, &bogus) == ISC_R_SUCCESS &&
2196 addr->flags |= FCTX_ADDRINFO_MARK;
2197 msg = "ignoring blackholed / bogus server: ";
2198 } else if (isc_sockaddr_ismulticast(sa)) {
2199 addr->flags |= FCTX_ADDRINFO_MARK;
2200 msg = "ignoring multicast address: ";
2201 } else if (isc_sockaddr_isexperimental(sa)) {
2202 addr->flags |= FCTX_ADDRINFO_MARK;
2203 msg = "ignoring experimental address: ";
2204 } else if (sa->type.sa.sa_family != AF_INET6) {
2206 } else if (IN6_IS_ADDR_V4MAPPED(&sa->type.sin6.sin6_addr)) {
2207 addr->flags |= FCTX_ADDRINFO_MARK;
2208 msg = "ignoring IPv6 mapped IPV4 address: ";
2209 } else if (IN6_IS_ADDR_V4COMPAT(&sa->type.sin6.sin6_addr)) {
2210 addr->flags |= FCTX_ADDRINFO_MARK;
2211 msg = "ignoring IPv6 compatibility IPV4 address: ";
2215 if (!isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3)))
2218 isc_netaddr_fromsockaddr(&na, sa);
2219 isc_netaddr_format(&na, buf, sizeof(buf));
2220 FCTXTRACE2(msg, buf);
2223 static inline dns_adbaddrinfo_t *
2224 fctx_nextaddress(fetchctx_t *fctx) {
2225 dns_adbfind_t *find, *start;
2226 dns_adbaddrinfo_t *addrinfo;
2227 dns_adbaddrinfo_t *faddrinfo;
2230 * Return the next untried address, if any.
2234 * Find the first unmarked forwarder (if any).
2236 for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
2238 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2239 if (!UNMARKED(addrinfo))
2241 possibly_mark(fctx, addrinfo);
2242 if (UNMARKED(addrinfo)) {
2243 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2250 * No forwarders. Move to the next find.
2253 fctx->attributes |= FCTX_ATTR_TRIEDFIND;
2257 find = ISC_LIST_HEAD(fctx->finds);
2259 find = ISC_LIST_NEXT(find, publink);
2261 find = ISC_LIST_HEAD(fctx->finds);
2265 * Find the first unmarked addrinfo.
2271 for (addrinfo = ISC_LIST_HEAD(find->list);
2273 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2274 if (!UNMARKED(addrinfo))
2276 possibly_mark(fctx, addrinfo);
2277 if (UNMARKED(addrinfo)) {
2278 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2282 if (addrinfo != NULL)
2284 find = ISC_LIST_NEXT(find, publink);
2286 find = ISC_LIST_HEAD(fctx->finds);
2287 } while (find != start);
2291 if (addrinfo != NULL)
2295 * No nameservers left. Try alternates.
2298 fctx->attributes |= FCTX_ATTR_TRIEDALT;
2300 find = fctx->altfind;
2302 find = ISC_LIST_HEAD(fctx->altfinds);
2304 find = ISC_LIST_NEXT(find, publink);
2306 find = ISC_LIST_HEAD(fctx->altfinds);
2310 * Find the first unmarked addrinfo.
2316 for (addrinfo = ISC_LIST_HEAD(find->list);
2318 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2319 if (!UNMARKED(addrinfo))
2321 possibly_mark(fctx, addrinfo);
2322 if (UNMARKED(addrinfo)) {
2323 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2327 if (addrinfo != NULL)
2329 find = ISC_LIST_NEXT(find, publink);
2331 find = ISC_LIST_HEAD(fctx->altfinds);
2332 } while (find != start);
2335 faddrinfo = addrinfo;
2338 * See if we have a better alternate server by address.
2341 for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
2343 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2344 if (!UNMARKED(addrinfo))
2346 possibly_mark(fctx, addrinfo);
2347 if (UNMARKED(addrinfo) &&
2348 (faddrinfo == NULL ||
2349 addrinfo->srtt < faddrinfo->srtt)) {
2350 if (faddrinfo != NULL)
2351 faddrinfo->flags &= ~FCTX_ADDRINFO_MARK;
2352 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2357 if (addrinfo == NULL) {
2358 addrinfo = faddrinfo;
2359 fctx->altfind = find;
2366 fctx_try(fetchctx_t *fctx) {
2367 isc_result_t result;
2368 dns_adbaddrinfo_t *addrinfo;
2372 REQUIRE(!ADDRWAIT(fctx));
2374 addrinfo = fctx_nextaddress(fctx);
2375 if (addrinfo == NULL) {
2377 * We have no more addresses. Start over.
2379 fctx_cancelqueries(fctx, ISC_TRUE);
2380 fctx_cleanupfinds(fctx);
2381 fctx_cleanupaltfinds(fctx);
2382 fctx_cleanupforwaddrs(fctx);
2383 fctx_cleanupaltaddrs(fctx);
2384 result = fctx_getaddresses(fctx);
2385 if (result == DNS_R_WAIT) {
2387 * Sleep waiting for addresses.
2389 FCTXTRACE("addrwait");
2390 fctx->attributes |= FCTX_ATTR_ADDRWAIT;
2392 } else if (result != ISC_R_SUCCESS) {
2394 * Something bad happened.
2396 fctx_done(fctx, result);
2400 addrinfo = fctx_nextaddress(fctx);
2402 * While we may have addresses from the ADB, they
2403 * might be bad ones. In this case, return SERVFAIL.
2405 if (addrinfo == NULL) {
2406 fctx_done(fctx, DNS_R_SERVFAIL);
2411 result = fctx_query(fctx, addrinfo, fctx->options);
2412 if (result != ISC_R_SUCCESS)
2413 fctx_done(fctx, result);
2416 static isc_boolean_t
2417 fctx_destroy(fetchctx_t *fctx) {
2418 dns_resolver_t *res;
2419 unsigned int bucketnum;
2420 isc_sockaddr_t *sa, *next_sa;
2423 * Caller must be holding the bucket lock.
2426 REQUIRE(VALID_FCTX(fctx));
2427 REQUIRE(fctx->state == fetchstate_done ||
2428 fctx->state == fetchstate_init);
2429 REQUIRE(ISC_LIST_EMPTY(fctx->events));
2430 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
2431 REQUIRE(ISC_LIST_EMPTY(fctx->finds));
2432 REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
2433 REQUIRE(fctx->pending == 0);
2434 REQUIRE(fctx->references == 0);
2435 REQUIRE(ISC_LIST_EMPTY(fctx->validators));
2437 FCTXTRACE("destroy");
2440 bucketnum = fctx->bucketnum;
2442 ISC_LIST_UNLINK(res->buckets[bucketnum].fctxs, fctx, link);
2447 for (sa = ISC_LIST_HEAD(fctx->bad);
2450 next_sa = ISC_LIST_NEXT(sa, link);
2451 ISC_LIST_UNLINK(fctx->bad, sa, link);
2452 isc_mem_put(res->mctx, sa, sizeof(*sa));
2455 isc_timer_detach(&fctx->timer);
2456 dns_message_destroy(&fctx->rmessage);
2457 dns_message_destroy(&fctx->qmessage);
2458 if (dns_name_countlabels(&fctx->domain) > 0)
2459 dns_name_free(&fctx->domain, res->mctx);
2460 if (dns_rdataset_isassociated(&fctx->nameservers))
2461 dns_rdataset_disassociate(&fctx->nameservers);
2462 dns_name_free(&fctx->name, res->mctx);
2463 dns_db_detach(&fctx->cache);
2464 dns_adb_detach(&fctx->adb);
2465 isc_mem_free(res->mctx, fctx->info);
2466 isc_mem_put(res->mctx, fctx, sizeof(*fctx));
2470 UNLOCK(&res->nlock);
2472 if (res->buckets[bucketnum].exiting &&
2473 ISC_LIST_EMPTY(res->buckets[bucketnum].fctxs))
2480 * Fetch event handlers.
2484 fctx_timeout(isc_task_t *task, isc_event_t *event) {
2485 fetchctx_t *fctx = event->ev_arg;
2487 REQUIRE(VALID_FCTX(fctx));
2491 FCTXTRACE("timeout");
2493 if (event->ev_type == ISC_TIMEREVENT_LIFE) {
2494 fctx_done(fctx, ISC_R_TIMEDOUT);
2496 isc_result_t result;
2500 * We could cancel the running queries here, or we could let
2501 * them keep going. Right now we choose the latter...
2503 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
2505 * Our timer has triggered. Reestablish the fctx lifetime
2508 result = fctx_starttimer(fctx);
2509 if (result != ISC_R_SUCCESS)
2510 fctx_done(fctx, result);
2518 isc_event_free(&event);
2522 fctx_shutdown(fetchctx_t *fctx) {
2523 isc_event_t *cevent;
2526 * Start the shutdown process for fctx, if it isn't already underway.
2529 FCTXTRACE("shutdown");
2532 * The caller must be holding the appropriate bucket lock.
2535 if (fctx->want_shutdown)
2538 fctx->want_shutdown = ISC_TRUE;
2541 * Unless we're still initializing (in which case the
2542 * control event is still outstanding), we need to post
2543 * the control event to tell the fetch we want it to
2546 if (fctx->state != fetchstate_init) {
2547 cevent = &fctx->control_event;
2548 isc_task_send(fctx->res->buckets[fctx->bucketnum].task,
2554 fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
2555 fetchctx_t *fctx = event->ev_arg;
2556 isc_boolean_t bucket_empty = ISC_FALSE;
2557 dns_resolver_t *res;
2558 unsigned int bucketnum;
2559 dns_validator_t *validator;
2561 REQUIRE(VALID_FCTX(fctx));
2566 bucketnum = fctx->bucketnum;
2568 FCTXTRACE("doshutdown");
2571 * An fctx that is shutting down is no longer in ADDRWAIT mode.
2573 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
2576 * Cancel all pending validators. Note that this must be done
2577 * without the bucket lock held, since that could cause deadlock.
2579 validator = ISC_LIST_HEAD(fctx->validators);
2580 while (validator != NULL) {
2581 dns_validator_cancel(validator);
2582 validator = ISC_LIST_NEXT(validator, link);
2585 if (fctx->nsfetch != NULL)
2586 dns_resolver_cancelfetch(fctx->nsfetch);
2589 * Shut down anything that is still running on behalf of this
2590 * fetch. To avoid deadlock with the ADB, we must do this
2591 * before we lock the bucket lock.
2593 fctx_stopeverything(fctx, ISC_FALSE);
2595 LOCK(&res->buckets[bucketnum].lock);
2597 fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
2599 INSIST(fctx->state == fetchstate_active ||
2600 fctx->state == fetchstate_done);
2601 INSIST(fctx->want_shutdown);
2603 if (fctx->state != fetchstate_done) {
2604 fctx->state = fetchstate_done;
2605 fctx_sendevents(fctx, ISC_R_CANCELED);
2608 if (fctx->references == 0 && fctx->pending == 0 &&
2609 fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators))
2610 bucket_empty = fctx_destroy(fctx);
2612 UNLOCK(&res->buckets[bucketnum].lock);
2619 fctx_start(isc_task_t *task, isc_event_t *event) {
2620 fetchctx_t *fctx = event->ev_arg;
2621 isc_boolean_t done = ISC_FALSE, bucket_empty = ISC_FALSE;
2622 dns_resolver_t *res;
2623 unsigned int bucketnum;
2625 REQUIRE(VALID_FCTX(fctx));
2630 bucketnum = fctx->bucketnum;
2634 LOCK(&res->buckets[bucketnum].lock);
2636 INSIST(fctx->state == fetchstate_init);
2637 if (fctx->want_shutdown) {
2639 * We haven't started this fctx yet, and we've been requested
2642 fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
2643 fctx->state = fetchstate_done;
2644 fctx_sendevents(fctx, ISC_R_CANCELED);
2646 * Since we haven't started, we INSIST that we have no
2647 * pending ADB finds and no pending validations.
2649 INSIST(fctx->pending == 0);
2650 INSIST(fctx->nqueries == 0);
2651 INSIST(ISC_LIST_EMPTY(fctx->validators));
2652 if (fctx->references == 0) {
2654 * It's now safe to destroy this fctx.
2656 bucket_empty = fctx_destroy(fctx);
2661 * Normal fctx startup.
2663 fctx->state = fetchstate_active;
2665 * Reset the control event for later use in shutting down
2668 ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
2669 DNS_EVENT_FETCHCONTROL, fctx_doshutdown, fctx,
2673 UNLOCK(&res->buckets[bucketnum].lock);
2676 isc_result_t result;
2679 * All is well. Start working on the fetch.
2681 result = fctx_starttimer(fctx);
2682 if (result != ISC_R_SUCCESS)
2683 fctx_done(fctx, result);
2686 } else if (bucket_empty)
2691 * Fetch Creation, Joining, and Cancelation.
2694 static inline isc_result_t
2695 fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_taskaction_t action,
2696 void *arg, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
2700 dns_fetchevent_t *event;
2705 * We store the task we're going to send this event to in the
2706 * sender field. We'll make the fetch the sender when we actually
2710 isc_task_attach(task, &clone);
2711 event = (dns_fetchevent_t *)
2712 isc_event_allocate(fctx->res->mctx, clone,
2713 DNS_EVENT_FETCHDONE,
2714 action, arg, sizeof(*event));
2715 if (event == NULL) {
2716 isc_task_detach(&clone);
2717 return (ISC_R_NOMEMORY);
2719 event->result = DNS_R_SERVFAIL;
2720 event->qtype = fctx->type;
2723 event->rdataset = rdataset;
2724 event->sigrdataset = sigrdataset;
2725 event->fetch = fetch;
2726 dns_fixedname_init(&event->foundname);
2729 * Make sure that we can store the sigrdataset in the
2730 * first event if it is needed by any of the events.
2732 if (event->sigrdataset != NULL)
2733 ISC_LIST_PREPEND(fctx->events, event, ev_link);
2735 ISC_LIST_APPEND(fctx->events, event, ev_link);
2738 fetch->magic = DNS_FETCH_MAGIC;
2739 fetch->private = fctx;
2741 return (ISC_R_SUCCESS);
2745 fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
2746 dns_name_t *domain, dns_rdataset_t *nameservers,
2747 unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp)
2750 isc_result_t result;
2751 isc_result_t iresult;
2752 isc_interval_t interval;
2753 dns_fixedname_t fixed;
2754 unsigned int findoptions = 0;
2755 char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE];
2756 char typebuf[DNS_RDATATYPE_FORMATSIZE];
2760 * Caller must be holding the lock for bucket number 'bucketnum'.
2762 REQUIRE(fctxp != NULL && *fctxp == NULL);
2764 fctx = isc_mem_get(res->mctx, sizeof(*fctx));
2766 return (ISC_R_NOMEMORY);
2767 dns_name_format(name, buf, sizeof(buf));
2768 dns_rdatatype_format(type, typebuf, sizeof(typebuf));
2769 strcat(buf, "/"); /* checked */
2770 strcat(buf, typebuf); /* checked */
2771 fctx->info = isc_mem_strdup(res->mctx, buf);
2772 if (fctx->info == NULL) {
2773 result = ISC_R_NOMEMORY;
2776 FCTXTRACE("create");
2777 dns_name_init(&fctx->name, NULL);
2778 result = dns_name_dup(name, res->mctx, &fctx->name);
2779 if (result != ISC_R_SUCCESS)
2781 dns_name_init(&fctx->domain, NULL);
2782 dns_rdataset_init(&fctx->nameservers);
2785 fctx->options = options;
2787 * Note! We do not attach to the task. We are relying on the
2788 * resolver to ensure that this task doesn't go away while we are
2792 fctx->references = 0;
2793 fctx->bucketnum = bucketnum;
2794 fctx->state = fetchstate_init;
2795 fctx->want_shutdown = ISC_FALSE;
2796 fctx->cloned = ISC_FALSE;
2797 ISC_LIST_INIT(fctx->queries);
2798 ISC_LIST_INIT(fctx->finds);
2799 ISC_LIST_INIT(fctx->altfinds);
2800 ISC_LIST_INIT(fctx->forwaddrs);
2801 ISC_LIST_INIT(fctx->altaddrs);
2802 ISC_LIST_INIT(fctx->forwarders);
2803 fctx->fwdpolicy = dns_fwdpolicy_none;
2804 ISC_LIST_INIT(fctx->bad);
2805 ISC_LIST_INIT(fctx->validators);
2806 fctx->validator = NULL;
2808 fctx->altfind = NULL;
2812 fctx->attributes = 0;
2815 dns_name_init(&fctx->nsname, NULL);
2816 fctx->nsfetch = NULL;
2817 dns_rdataset_init(&fctx->nsrrset);
2819 if (domain == NULL) {
2820 dns_forwarders_t *forwarders = NULL;
2821 unsigned int labels;
2824 * DS records are found in the parent server.
2825 * Strip label to get the correct forwarder (if any).
2827 if (fctx->type == dns_rdatatype_ds &&
2828 dns_name_countlabels(name) > 1) {
2829 dns_name_init(&suffix, NULL);
2830 labels = dns_name_countlabels(name);
2831 dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
2834 dns_fixedname_init(&fixed);
2835 domain = dns_fixedname_name(&fixed);
2836 result = dns_fwdtable_find2(fctx->res->view->fwdtable, name,
2837 domain, &forwarders);
2838 if (result == ISC_R_SUCCESS)
2839 fctx->fwdpolicy = forwarders->fwdpolicy;
2841 if (fctx->fwdpolicy != dns_fwdpolicy_only) {
2843 * The caller didn't supply a query domain and
2844 * nameservers, and we're not in forward-only mode,
2845 * so find the best nameservers to use.
2847 if (dns_rdatatype_atparent(type))
2848 findoptions |= DNS_DBFIND_NOEXACT;
2849 result = dns_view_findzonecut(res->view, name, domain,
2850 0, findoptions, ISC_TRUE,
2853 if (result != ISC_R_SUCCESS)
2855 result = dns_name_dup(domain, res->mctx, &fctx->domain);
2856 if (result != ISC_R_SUCCESS) {
2857 dns_rdataset_disassociate(&fctx->nameservers);
2862 * We're in forward-only mode. Set the query domain.
2864 result = dns_name_dup(domain, res->mctx, &fctx->domain);
2865 if (result != ISC_R_SUCCESS)
2869 result = dns_name_dup(domain, res->mctx, &fctx->domain);
2870 if (result != ISC_R_SUCCESS)
2872 dns_rdataset_clone(nameservers, &fctx->nameservers);
2875 INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain));
2877 fctx->qmessage = NULL;
2878 result = dns_message_create(res->mctx, DNS_MESSAGE_INTENTRENDER,
2881 if (result != ISC_R_SUCCESS)
2882 goto cleanup_domain;
2884 fctx->rmessage = NULL;
2885 result = dns_message_create(res->mctx, DNS_MESSAGE_INTENTPARSE,
2888 if (result != ISC_R_SUCCESS)
2889 goto cleanup_qmessage;
2892 * Compute an expiration time for the entire fetch.
2894 isc_interval_set(&interval, 30, 0); /* XXXRTH constant */
2895 iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
2896 if (iresult != ISC_R_SUCCESS) {
2897 UNEXPECTED_ERROR(__FILE__, __LINE__,
2898 "isc_time_nowplusinterval: %s",
2899 isc_result_totext(iresult));
2900 result = ISC_R_UNEXPECTED;
2901 goto cleanup_rmessage;
2905 * Default retry interval initialization. We set the interval now
2906 * mostly so it won't be uninitialized. It will be set to the
2907 * correct value before a query is issued.
2909 isc_interval_set(&fctx->interval, 2, 0);
2912 * Create an inactive timer. It will be made active when the fetch
2913 * is actually started.
2916 iresult = isc_timer_create(res->timermgr, isc_timertype_inactive,
2918 res->buckets[bucketnum].task, fctx_timeout,
2919 fctx, &fctx->timer);
2920 if (iresult != ISC_R_SUCCESS) {
2921 UNEXPECTED_ERROR(__FILE__, __LINE__,
2922 "isc_timer_create: %s",
2923 isc_result_totext(iresult));
2924 result = ISC_R_UNEXPECTED;
2925 goto cleanup_rmessage;
2929 * Attach to the view's cache and adb.
2932 dns_db_attach(res->view->cachedb, &fctx->cache);
2934 dns_adb_attach(res->view->adb, &fctx->adb);
2936 ISC_LIST_INIT(fctx->events);
2937 ISC_LINK_INIT(fctx, link);
2938 fctx->magic = FCTX_MAGIC;
2940 ISC_LIST_APPEND(res->buckets[bucketnum].fctxs, fctx, link);
2944 UNLOCK(&res->nlock);
2948 return (ISC_R_SUCCESS);
2951 dns_message_destroy(&fctx->rmessage);
2954 dns_message_destroy(&fctx->qmessage);
2957 if (dns_name_countlabels(&fctx->domain) > 0)
2958 dns_name_free(&fctx->domain, res->mctx);
2959 if (dns_rdataset_isassociated(&fctx->nameservers))
2960 dns_rdataset_disassociate(&fctx->nameservers);
2963 dns_name_free(&fctx->name, res->mctx);
2966 isc_mem_free(res->mctx, fctx->info);
2969 isc_mem_put(res->mctx, fctx, sizeof(*fctx));
2977 static inline isc_boolean_t
2978 is_lame(fetchctx_t *fctx) {
2979 dns_message_t *message = fctx->rmessage;
2981 dns_rdataset_t *rdataset;
2982 isc_result_t result;
2984 if (message->rcode != dns_rcode_noerror &&
2985 message->rcode != dns_rcode_nxdomain)
2988 if (message->counts[DNS_SECTION_ANSWER] != 0)
2991 if (message->counts[DNS_SECTION_AUTHORITY] == 0)
2994 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
2995 while (result == ISC_R_SUCCESS) {
2997 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
2998 for (rdataset = ISC_LIST_HEAD(name->list);
3000 rdataset = ISC_LIST_NEXT(rdataset, link)) {
3001 dns_namereln_t namereln;
3003 unsigned int labels;
3004 if (rdataset->type != dns_rdatatype_ns)
3006 namereln = dns_name_fullcompare(name, &fctx->domain,
3008 if (namereln == dns_namereln_equal &&
3009 (message->flags & DNS_MESSAGEFLAG_AA) != 0)
3011 if (namereln == dns_namereln_subdomain)
3015 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
3022 log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
3023 char namebuf[DNS_NAME_FORMATSIZE];
3024 char domainbuf[DNS_NAME_FORMATSIZE];
3025 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
3027 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
3028 dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
3029 isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
3030 isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
3031 DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
3032 "lame server resolving '%s' (in '%s'?): %s",
3033 namebuf, domainbuf, addrbuf);
3036 static inline isc_result_t
3037 same_question(fetchctx_t *fctx) {
3038 isc_result_t result;
3039 dns_message_t *message = fctx->rmessage;
3041 dns_rdataset_t *rdataset;
3044 * Caller must be holding the fctx lock.
3048 * XXXRTH Currently we support only one question.
3050 if (message->counts[DNS_SECTION_QUESTION] != 1)
3051 return (DNS_R_FORMERR);
3053 result = dns_message_firstname(message, DNS_SECTION_QUESTION);
3054 if (result != ISC_R_SUCCESS)
3057 dns_message_currentname(message, DNS_SECTION_QUESTION, &name);
3058 rdataset = ISC_LIST_HEAD(name->list);
3059 INSIST(rdataset != NULL);
3060 INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
3061 if (fctx->type != rdataset->type ||
3062 fctx->res->rdclass != rdataset->rdclass ||
3063 !dns_name_equal(&fctx->name, name))
3064 return (DNS_R_FORMERR);
3066 return (ISC_R_SUCCESS);
3070 clone_results(fetchctx_t *fctx) {
3071 dns_fetchevent_t *event, *hevent;
3072 isc_result_t result;
3073 dns_name_t *name, *hname;
3075 FCTXTRACE("clone_results");
3078 * Set up any other events to have the same data as the first
3081 * Caller must be holding the appropriate lock.
3084 fctx->cloned = ISC_TRUE;
3085 hevent = ISC_LIST_HEAD(fctx->events);
3088 hname = dns_fixedname_name(&hevent->foundname);
3089 for (event = ISC_LIST_NEXT(hevent, ev_link);
3091 event = ISC_LIST_NEXT(event, ev_link)) {
3092 name = dns_fixedname_name(&event->foundname);
3093 result = dns_name_copy(hname, name, NULL);
3094 if (result != ISC_R_SUCCESS)
3095 event->result = result;
3097 event->result = hevent->result;
3098 dns_db_attach(hevent->db, &event->db);
3099 dns_db_attachnode(hevent->db, hevent->node, &event->node);
3100 INSIST(hevent->rdataset != NULL);
3101 INSIST(event->rdataset != NULL);
3102 if (dns_rdataset_isassociated(hevent->rdataset))
3103 dns_rdataset_clone(hevent->rdataset, event->rdataset);
3104 INSIST(! (hevent->sigrdataset == NULL &&
3105 event->sigrdataset != NULL));
3106 if (hevent->sigrdataset != NULL &&
3107 dns_rdataset_isassociated(hevent->sigrdataset) &&
3108 event->sigrdataset != NULL)
3109 dns_rdataset_clone(hevent->sigrdataset,
3110 event->sigrdataset);
3114 #define CACHE(r) (((r)->attributes & DNS_RDATASETATTR_CACHE) != 0)
3115 #define ANSWER(r) (((r)->attributes & DNS_RDATASETATTR_ANSWER) != 0)
3116 #define ANSWERSIG(r) (((r)->attributes & DNS_RDATASETATTR_ANSWERSIG) != 0)
3117 #define EXTERNAL(r) (((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0)
3118 #define CHAINING(r) (((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0)
3119 #define CHASE(r) (((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
3120 #define CHECKNAMES(r) (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
3124 * Destroy '*fctx' if it is ready to be destroyed (i.e., if it has
3125 * no references and is no longer waiting for any events). If this
3126 * was the last fctx in the resolver, destroy the resolver.
3129 * '*fctx' is shutting down.
3132 maybe_destroy(fetchctx_t *fctx) {
3133 unsigned int bucketnum;
3134 isc_boolean_t bucket_empty = ISC_FALSE;
3135 dns_resolver_t *res = fctx->res;
3136 dns_validator_t *validator, *next_validator;
3138 REQUIRE(SHUTTINGDOWN(fctx));
3140 if (fctx->pending != 0 || fctx->nqueries != 0)
3143 for (validator = ISC_LIST_HEAD(fctx->validators);
3144 validator != NULL; validator = next_validator) {
3145 next_validator = ISC_LIST_NEXT(validator, link);
3146 dns_validator_cancel(validator);
3148 * If this is a active validator wait for the cancel
3149 * to complete before calling dns_validator_destroy().
3151 if (validator == fctx->validator)
3153 ISC_LIST_UNLINK(fctx->validators, validator, link);
3154 dns_validator_destroy(&validator);
3157 bucketnum = fctx->bucketnum;
3158 LOCK(&res->buckets[bucketnum].lock);
3159 if (fctx->references == 0 && ISC_LIST_EMPTY(fctx->validators))
3160 bucket_empty = fctx_destroy(fctx);
3161 UNLOCK(&res->buckets[bucketnum].lock);
3168 * The validator has finished.
3171 validated(isc_task_t *task, isc_event_t *event) {
3172 isc_result_t result = ISC_R_SUCCESS;
3173 isc_result_t eresult = ISC_R_SUCCESS;
3176 dns_validatorevent_t *vevent;
3177 dns_fetchevent_t *hevent;
3178 dns_rdataset_t *ardataset = NULL;
3179 dns_rdataset_t *asigrdataset = NULL;
3180 dns_dbnode_t *node = NULL;
3181 isc_boolean_t negative;
3182 isc_boolean_t chaining;
3183 isc_boolean_t sentresponse;
3185 dns_dbnode_t *nsnode = NULL;
3187 dns_rdataset_t *rdataset;
3188 dns_rdataset_t *sigrdataset;
3189 dns_valarg_t *valarg;
3190 dns_adbaddrinfo_t *addrinfo;
3192 UNUSED(task); /* for now */
3194 REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE);
3195 valarg = event->ev_arg;
3196 fctx = valarg->fctx;
3197 addrinfo = valarg->addrinfo;
3198 REQUIRE(VALID_FCTX(fctx));
3199 REQUIRE(!ISC_LIST_EMPTY(fctx->validators));
3201 vevent = (dns_validatorevent_t *)event;
3203 FCTXTRACE("received validation completion event");
3205 ISC_LIST_UNLINK(fctx->validators, vevent->validator, link);
3206 fctx->validator = NULL;
3209 * Destroy the validator early so that we can
3210 * destroy the fctx if necessary.
3212 dns_validator_destroy(&vevent->validator);
3213 isc_mem_put(fctx->res->mctx, valarg, sizeof(*valarg));
3215 negative = ISC_TF(vevent->rdataset == NULL);
3217 sentresponse = ISC_TF((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0);
3220 * If shutting down, ignore the results. Check to see if we're
3221 * done waiting for validator completions and ADB pending events; if
3222 * so, destroy the fctx.
3224 if (SHUTTINGDOWN(fctx) && !sentresponse) {
3225 maybe_destroy(fctx); /* Locks bucket. */
3229 LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
3232 * If chaining, we need to make sure that the right result code is
3233 * returned, and that the rdatasets are bound.
3235 if (vevent->result == ISC_R_SUCCESS &&
3237 vevent->rdataset != NULL &&
3238 CHAINING(vevent->rdataset))
3240 if (vevent->rdataset->type == dns_rdatatype_cname)
3241 eresult = DNS_R_CNAME;
3243 INSIST(vevent->rdataset->type == dns_rdatatype_dname);
3244 eresult = DNS_R_DNAME;
3246 chaining = ISC_TRUE;
3248 chaining = ISC_FALSE;
3251 * Either we're not shutting down, or we are shutting down but want
3252 * to cache the result anyway (if this was a validation started by
3253 * a query with cd set)
3256 hevent = ISC_LIST_HEAD(fctx->events);
3257 if (hevent != NULL) {
3258 if (!negative && !chaining &&
3259 (fctx->type == dns_rdatatype_any ||
3260 fctx->type == dns_rdatatype_rrsig ||
3261 fctx->type == dns_rdatatype_sig)) {
3263 * Don't bind rdatasets; the caller
3264 * will iterate the node.
3267 ardataset = hevent->rdataset;
3268 asigrdataset = hevent->sigrdataset;
3272 if (vevent->result != ISC_R_SUCCESS) {
3273 FCTXTRACE("validation failed");
3274 result = ISC_R_NOTFOUND;
3275 if (vevent->rdataset != NULL)
3276 result = dns_db_findnode(fctx->cache, vevent->name,
3278 if (result == ISC_R_SUCCESS)
3279 (void)dns_db_deleterdataset(fctx->cache, node, NULL,
3281 if (result == ISC_R_SUCCESS && vevent->sigrdataset != NULL)
3282 (void)dns_db_deleterdataset(fctx->cache, node, NULL,
3283 dns_rdatatype_rrsig,
3285 if (result == ISC_R_SUCCESS)
3286 dns_db_detachnode(fctx->cache, &node);
3287 result = vevent->result;
3288 add_bad(fctx, addrinfo, result);
3289 isc_event_free(&event);
3290 UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
3291 INSIST(fctx->validator == NULL);
3292 fctx->validator = ISC_LIST_HEAD(fctx->validators);
3293 if (fctx->validator != NULL) {
3294 dns_validator_send(fctx->validator);
3295 } else if (sentresponse)
3296 fctx_done(fctx, result); /* Locks bucket. */
3298 fctx_try(fctx); /* Locks bucket. */
3302 isc_stdtime_get(&now);
3305 dns_rdatatype_t covers;
3306 FCTXTRACE("nonexistence validation OK");
3308 if (fctx->rmessage->rcode == dns_rcode_nxdomain)
3309 covers = dns_rdatatype_any;
3311 covers = fctx->type;
3313 result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE,
3315 if (result != ISC_R_SUCCESS)
3316 goto noanswer_response;
3319 * If we are asking for a SOA record set the cache time
3320 * to zero to facilitate locating the containing zone of
3323 ttl = fctx->res->view->maxncachettl;
3324 if (fctx->type == dns_rdatatype_soa &&
3325 covers == dns_rdatatype_any)
3328 result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
3330 ardataset, &eresult);
3331 if (result != ISC_R_SUCCESS)
3332 goto noanswer_response;
3333 goto answer_response;
3336 FCTXTRACE("validation OK");
3338 if (vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF] != NULL) {
3340 result = dns_rdataset_addnoqname(vevent->rdataset,
3341 vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF]);
3342 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3343 INSIST(vevent->sigrdataset != NULL);
3344 vevent->sigrdataset->ttl = vevent->rdataset->ttl;
3348 * The data was already cached as pending data.
3349 * Re-cache it as secure and bind the cached
3350 * rdatasets to the first event on the fetch
3353 result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE, &node);
3354 if (result != ISC_R_SUCCESS)
3355 goto noanswer_response;
3357 result = dns_db_addrdataset(fctx->cache, node, NULL, now,
3358 vevent->rdataset, 0, ardataset);
3359 if (result != ISC_R_SUCCESS &&
3360 result != DNS_R_UNCHANGED)
3361 goto noanswer_response;
3362 if (ardataset != NULL && ardataset->type == 0) {
3363 if (NXDOMAIN(ardataset))
3364 eresult = DNS_R_NCACHENXDOMAIN;
3366 eresult = DNS_R_NCACHENXRRSET;
3367 } else if (vevent->sigrdataset != NULL) {
3368 result = dns_db_addrdataset(fctx->cache, node, NULL, now,
3369 vevent->sigrdataset, 0,
3371 if (result != ISC_R_SUCCESS &&
3372 result != DNS_R_UNCHANGED)
3373 goto noanswer_response;
3378 * If we only deferred the destroy because we wanted to cache
3379 * the data, destroy now.
3381 dns_db_detachnode(fctx->cache, &node);
3382 UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
3383 if (SHUTTINGDOWN(fctx))
3384 maybe_destroy(fctx); /* Locks bucket. */
3388 if (!ISC_LIST_EMPTY(fctx->validators)) {
3390 INSIST(fctx->type == dns_rdatatype_any ||
3391 fctx->type == dns_rdatatype_rrsig ||
3392 fctx->type == dns_rdatatype_sig);
3394 * Don't send a response yet - we have
3395 * more rdatasets that still need to
3398 dns_db_detachnode(fctx->cache, &node);
3399 UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
3400 dns_validator_send(ISC_LIST_HEAD(fctx->validators));
3406 * Cache any NS/NSEC records that happened to be validated.
3408 result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
3409 while (result == ISC_R_SUCCESS) {
3411 dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
3413 for (rdataset = ISC_LIST_HEAD(name->list);
3415 rdataset = ISC_LIST_NEXT(rdataset, link)) {
3416 if ((rdataset->type != dns_rdatatype_ns &&
3417 rdataset->type != dns_rdatatype_nsec) ||
3418 rdataset->trust != dns_trust_secure)
3420 for (sigrdataset = ISC_LIST_HEAD(name->list);
3421 sigrdataset != NULL;
3422 sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
3423 if (sigrdataset->type != dns_rdatatype_rrsig ||
3424 sigrdataset->covers != rdataset->type)
3428 if (sigrdataset == NULL ||
3429 sigrdataset->trust != dns_trust_secure)
3431 result = dns_db_findnode(fctx->cache, name, ISC_TRUE,
3433 if (result != ISC_R_SUCCESS)
3436 result = dns_db_addrdataset(fctx->cache, nsnode, NULL,
3437 now, rdataset, 0, NULL);
3438 if (result == ISC_R_SUCCESS)
3439 result = dns_db_addrdataset(fctx->cache, nsnode,
3443 dns_db_detachnode(fctx->cache, &nsnode);
3445 result = dns_message_nextname(fctx->rmessage,
3446 DNS_SECTION_AUTHORITY);
3449 result = ISC_R_SUCCESS;
3452 * Respond with an answer, positive or negative,
3453 * as opposed to an error. 'node' must be non-NULL.
3456 fctx->attributes |= FCTX_ATTR_HAVEANSWER;
3458 if (hevent != NULL) {
3459 hevent->result = eresult;
3460 RUNTIME_CHECK(dns_name_copy(vevent->name,
3461 dns_fixedname_name(&hevent->foundname), NULL)
3463 dns_db_attach(fctx->cache, &hevent->db);
3464 dns_db_transfernode(fctx->cache, &node, &hevent->node);
3465 clone_results(fctx);
3470 dns_db_detachnode(fctx->cache, &node);
3472 UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
3474 fctx_done(fctx, result); /* Locks bucket. */
3477 INSIST(node == NULL);
3478 isc_event_free(&event);
3481 static inline isc_result_t
3482 cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
3485 dns_rdataset_t *rdataset, *sigrdataset;
3486 dns_rdataset_t *addedrdataset, *ardataset, *asigrdataset;
3487 dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL;
3488 dns_dbnode_t *node, **anodep;
3491 dns_resolver_t *res;
3492 isc_boolean_t need_validation, secure_domain, have_answer;
3493 isc_result_t result, eresult;
3494 dns_fetchevent_t *event;
3495 unsigned int options;
3498 unsigned int valoptions = 0;
3501 * The appropriate bucket lock must be held.
3505 need_validation = ISC_FALSE;
3506 secure_domain = ISC_FALSE;
3507 have_answer = ISC_FALSE;
3508 eresult = ISC_R_SUCCESS;
3509 task = res->buckets[fctx->bucketnum].task;
3512 * Is DNSSEC validation required for this name?
3514 result = dns_keytable_issecuredomain(res->view->secroots, name,
3516 if (result != ISC_R_SUCCESS)
3519 if (!secure_domain && res->view->dlv != NULL) {
3520 valoptions = DNS_VALIDATOR_DLV;
3521 secure_domain = ISC_TRUE;
3524 if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
3525 need_validation = ISC_FALSE;
3527 need_validation = secure_domain;
3533 asigrdataset = NULL;
3535 if ((name->attributes & DNS_NAMEATTR_ANSWER) != 0 &&
3537 have_answer = ISC_TRUE;
3538 event = ISC_LIST_HEAD(fctx->events);
3539 if (event != NULL) {
3541 aname = dns_fixedname_name(&event->foundname);
3542 result = dns_name_copy(name, aname, NULL);
3543 if (result != ISC_R_SUCCESS)
3545 anodep = &event->node;
3547 * If this is an ANY, SIG or RRSIG query, we're not
3548 * going to return any rdatasets, unless we encountered
3549 * a CNAME or DNAME as "the answer". In this case,
3550 * we're going to return DNS_R_CNAME or DNS_R_DNAME
3551 * and we must set up the rdatasets.
3553 if ((fctx->type != dns_rdatatype_any &&
3554 fctx->type != dns_rdatatype_rrsig &&
3555 fctx->type != dns_rdatatype_sig) ||
3556 (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
3557 ardataset = event->rdataset;
3558 asigrdataset = event->sigrdataset;
3564 * Find or create the cache node.
3567 result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
3568 if (result != ISC_R_SUCCESS)
3572 * Cache or validate each cacheable rdataset.
3574 fail = ISC_TF((fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL) != 0);
3575 for (rdataset = ISC_LIST_HEAD(name->list);
3577 rdataset = ISC_LIST_NEXT(rdataset, link)) {
3578 if (!CACHE(rdataset))
3580 if (CHECKNAMES(rdataset)) {
3581 char namebuf[DNS_NAME_FORMATSIZE];
3582 char typebuf[DNS_RDATATYPE_FORMATSIZE];
3583 char classbuf[DNS_RDATATYPE_FORMATSIZE];
3585 dns_name_format(name, namebuf, sizeof(namebuf));
3586 dns_rdatatype_format(rdataset->type, typebuf,
3588 dns_rdataclass_format(rdataset->rdclass, classbuf,
3590 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
3591 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
3592 "check-names %s %s/%s/%s",
3593 fail ? "failure" : "warning",
3594 namebuf, typebuf, classbuf);
3596 if (ANSWER(rdataset)) {
3597 dns_db_detachnode(fctx->cache, &node);
3598 return (DNS_R_BADNAME);
3605 * Enforce the configure maximum cache TTL.
3607 if (rdataset->ttl > res->view->maxcachettl)
3608 rdataset->ttl = res->view->maxcachettl;
3611 * If this rrset is in a secure domain, do DNSSEC validation
3612 * for it, unless it is glue.
3614 if (secure_domain && rdataset->trust != dns_trust_glue) {
3616 * RRSIGs are validated as part of validating the
3619 if (rdataset->type == dns_rdatatype_rrsig)
3622 * Find the SIG for this rdataset, if we have it.
3624 for (sigrdataset = ISC_LIST_HEAD(name->list);
3625 sigrdataset != NULL;
3626 sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
3627 if (sigrdataset->type == dns_rdatatype_rrsig &&
3628 sigrdataset->covers == rdataset->type)
3631 if (sigrdataset == NULL) {
3632 if (!ANSWER(rdataset) && need_validation) {
3634 * Ignore non-answer rdatasets that
3635 * are missing signatures.
3642 * Normalize the rdataset and sigrdataset TTLs.
3644 if (sigrdataset != NULL) {
3645 rdataset->ttl = ISC_MIN(rdataset->ttl,
3647 sigrdataset->ttl = rdataset->ttl;
3651 * Cache this rdataset/sigrdataset pair as
3654 rdataset->trust = dns_trust_pending;
3655 if (sigrdataset != NULL)
3656 sigrdataset->trust = dns_trust_pending;
3657 if (!need_validation)
3658 addedrdataset = ardataset;
3660 addedrdataset = NULL;
3661 result = dns_db_addrdataset(fctx->cache, node, NULL,
3664 if (result == DNS_R_UNCHANGED) {
3665 result = ISC_R_SUCCESS;
3666 if (!need_validation &&
3667 ardataset != NULL &&
3668 ardataset->type == 0) {
3670 * The answer in the cache is better
3671 * than the answer we found, and is
3672 * a negative cache entry, so we
3673 * must set eresult appropriately.
3675 if (NXDOMAIN(ardataset))
3676 eresult = DNS_R_NCACHENXDOMAIN;
3678 eresult = DNS_R_NCACHENXRRSET;
3680 * We have a negative response from
3681 * the cache so don't attempt to
3682 * add the RRSIG rrset.
3687 if (result != ISC_R_SUCCESS)
3689 if (sigrdataset != NULL) {
3690 if (!need_validation)
3691 addedrdataset = asigrdataset;
3693 addedrdataset = NULL;
3694 result = dns_db_addrdataset(fctx->cache,
3698 if (result == DNS_R_UNCHANGED)
3699 result = ISC_R_SUCCESS;
3700 if (result != ISC_R_SUCCESS)
3702 } else if (!ANSWER(rdataset))
3705 if (ANSWER(rdataset) && need_validation) {
3706 if (fctx->type != dns_rdatatype_any &&
3707 fctx->type != dns_rdatatype_rrsig &&
3708 fctx->type != dns_rdatatype_sig) {
3710 * This is The Answer. We will
3711 * validate it, but first we cache
3712 * the rest of the response - it may
3713 * contain useful keys.
3715 INSIST(valrdataset == NULL &&
3716 valsigrdataset == NULL);
3717 valrdataset = rdataset;
3718 valsigrdataset = sigrdataset;
3721 * This is one of (potentially)
3722 * multiple answers to an ANY
3723 * or SIG query. To keep things
3724 * simple, we just start the
3725 * validator right away rather
3726 * than caching first and
3727 * having to remember which
3728 * rdatasets needed validation.
3730 result = valcreate(fctx, addrinfo,
3731 name, rdataset->type,
3736 * Defer any further validations.
3737 * This prevents multiple validators
3738 * from manipulating fctx->rmessage
3741 valoptions |= DNS_VALIDATOR_DEFER;
3743 } else if (CHAINING(rdataset)) {
3744 if (rdataset->type == dns_rdatatype_cname)
3745 eresult = DNS_R_CNAME;
3747 INSIST(rdataset->type ==
3748 dns_rdatatype_dname);
3749 eresult = DNS_R_DNAME;
3752 } else if (!EXTERNAL(rdataset)) {
3754 * It's OK to cache this rdataset now.
3756 if (ANSWER(rdataset))
3757 addedrdataset = ardataset;
3758 else if (ANSWERSIG(rdataset))
3759 addedrdataset = asigrdataset;
3761 addedrdataset = NULL;
3762 if (CHAINING(rdataset)) {
3763 if (rdataset->type == dns_rdatatype_cname)
3764 eresult = DNS_R_CNAME;
3766 INSIST(rdataset->type ==
3767 dns_rdatatype_dname);
3768 eresult = DNS_R_DNAME;
3771 if (rdataset->trust == dns_trust_glue &&
3772 (rdataset->type == dns_rdatatype_ns ||
3773 (rdataset->type == dns_rdatatype_rrsig &&
3774 rdataset->covers == dns_rdatatype_ns))) {
3776 * If the trust level is 'dns_trust_glue'
3777 * then we are adding data from a referral
3778 * we got while executing the search algorithm.
3779 * New referral data always takes precedence
3780 * over the existing cache contents.
3782 options = DNS_DBADD_FORCE;
3786 * Now we can add the rdataset.
3788 result = dns_db_addrdataset(fctx->cache,
3793 if (result == DNS_R_UNCHANGED) {
3794 if (ANSWER(rdataset) &&
3795 ardataset != NULL &&
3796 ardataset->type == 0) {
3798 * The answer in the cache is better
3799 * than the answer we found, and is
3800 * a negative cache entry, so we
3801 * must set eresult appropriately.
3803 if (NXDOMAIN(ardataset))
3804 eresult = DNS_R_NCACHENXDOMAIN;
3806 eresult = DNS_R_NCACHENXRRSET;
3808 result = ISC_R_SUCCESS;
3809 } else if (result != ISC_R_SUCCESS)
3814 if (valrdataset != NULL)
3815 result = valcreate(fctx, addrinfo, name, fctx->type,
3816 valrdataset, valsigrdataset, valoptions,
3819 if (result == ISC_R_SUCCESS && have_answer) {
3820 fctx->attributes |= FCTX_ATTR_HAVEANSWER;
3821 if (event != NULL) {
3823 * Negative results must be indicated in event->result.
3825 if (dns_rdataset_isassociated(event->rdataset) &&
3826 event->rdataset->type == dns_rdatatype_none) {
3827 INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
3828 eresult == DNS_R_NCACHENXRRSET);
3830 event->result = eresult;
3831 dns_db_attach(fctx->cache, adbp);
3832 dns_db_transfernode(fctx->cache, &node, anodep);
3833 clone_results(fctx);
3838 dns_db_detachnode(fctx->cache, &node);
3843 static inline isc_result_t
3844 cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
3846 isc_result_t result;
3847 dns_section_t section;
3850 FCTXTRACE("cache_message");
3852 fctx->attributes &= ~FCTX_ATTR_WANTCACHE;
3854 LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
3856 for (section = DNS_SECTION_ANSWER;
3857 section <= DNS_SECTION_ADDITIONAL;
3859 result = dns_message_firstname(fctx->rmessage, section);
3860 while (result == ISC_R_SUCCESS) {
3862 dns_message_currentname(fctx->rmessage, section,
3864 if ((name->attributes & DNS_NAMEATTR_CACHE) != 0) {
3865 result = cache_name(fctx, name, addrinfo, now);
3866 if (result != ISC_R_SUCCESS)
3869 result = dns_message_nextname(fctx->rmessage, section);
3871 if (result != ISC_R_NOMORE)
3874 if (result == ISC_R_NOMORE)
3875 result = ISC_R_SUCCESS;
3877 UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
3883 * Do what dns_ncache_add() does, and then compute an appropriate eresult.
3886 ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
3887 dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
3888 dns_rdataset_t *ardataset,
3889 isc_result_t *eresultp)
3891 isc_result_t result;
3892 dns_rdataset_t rdataset;
3894 if (ardataset == NULL) {
3895 dns_rdataset_init(&rdataset);
3896 ardataset = &rdataset;
3898 result = dns_ncache_add(message, cache, node, covers, now,
3900 if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
3902 * If the cache now contains a negative entry and we
3903 * care about whether it is DNS_R_NCACHENXDOMAIN or
3904 * DNS_R_NCACHENXRRSET then extract it.
3906 if (ardataset->type == 0) {
3908 * The cache data is a negative cache entry.
3910 if (NXDOMAIN(ardataset))
3911 *eresultp = DNS_R_NCACHENXDOMAIN;
3913 *eresultp = DNS_R_NCACHENXRRSET;
3916 * Either we don't care about the nature of the
3917 * cache rdataset (because no fetch is interested
3918 * in the outcome), or the cache rdataset is not
3919 * a negative cache entry. Whichever case it is,
3920 * we can return success.
3922 * XXXRTH There's a CNAME/DNAME problem here.
3924 *eresultp = ISC_R_SUCCESS;
3926 result = ISC_R_SUCCESS;
3928 if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset))
3929 dns_rdataset_disassociate(ardataset);
3934 static inline isc_result_t
3935 ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
3936 dns_rdatatype_t covers, isc_stdtime_t now)
3938 isc_result_t result, eresult;
3940 dns_resolver_t *res;
3942 dns_dbnode_t *node, **anodep;
3943 dns_rdataset_t *ardataset;
3944 isc_boolean_t need_validation, secure_domain;
3946 dns_fetchevent_t *event;
3948 unsigned int valoptions = 0;
3950 FCTXTRACE("ncache_message");
3952 fctx->attributes &= ~FCTX_ATTR_WANTNCACHE;
3955 need_validation = ISC_FALSE;
3956 secure_domain = ISC_FALSE;
3957 eresult = ISC_R_SUCCESS;
3962 * XXXMPA remove when we follow cnames and adjust the setting
3963 * of FCTX_ATTR_WANTNCACHE in noanswer_response().
3965 INSIST(fctx->rmessage->counts[DNS_SECTION_ANSWER] == 0);
3968 * Is DNSSEC validation required for this name?
3970 result = dns_keytable_issecuredomain(res->view->secroots, name,
3972 if (result != ISC_R_SUCCESS)
3975 if (!secure_domain && res->view->dlv != NULL) {
3976 valoptions = DNS_VALIDATOR_DLV;
3977 secure_domain = ISC_TRUE;
3980 if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
3981 need_validation = ISC_FALSE;
3983 need_validation = secure_domain;
3985 if (secure_domain) {
3987 * Mark all rdatasets as pending.
3989 dns_rdataset_t *trdataset;
3992 result = dns_message_firstname(fctx->rmessage,
3993 DNS_SECTION_AUTHORITY);
3994 while (result == ISC_R_SUCCESS) {
3996 dns_message_currentname(fctx->rmessage,
3997 DNS_SECTION_AUTHORITY,
3999 for (trdataset = ISC_LIST_HEAD(tname->list);
4001 trdataset = ISC_LIST_NEXT(trdataset, link))
4002 trdataset->trust = dns_trust_pending;
4003 result = dns_message_nextname(fctx->rmessage,
4004 DNS_SECTION_AUTHORITY);
4006 if (result != ISC_R_NOMORE)
4011 if (need_validation) {
4013 * Do negative response validation.
4015 result = valcreate(fctx, addrinfo, name, fctx->type,
4016 NULL, NULL, valoptions,
4017 res->buckets[fctx->bucketnum].task);
4019 * If validation is necessary, return now. Otherwise continue
4020 * to process the message, letting the validation complete
4021 * in its own good time.
4026 LOCK(&res->buckets[fctx->bucketnum].lock);
4032 if (!HAVE_ANSWER(fctx)) {
4033 event = ISC_LIST_HEAD(fctx->events);
4034 if (event != NULL) {
4036 aname = dns_fixedname_name(&event->foundname);
4037 result = dns_name_copy(name, aname, NULL);
4038 if (result != ISC_R_SUCCESS)
4040 anodep = &event->node;
4041 ardataset = event->rdataset;
4046 result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
4047 if (result != ISC_R_SUCCESS)
4051 * If we are asking for a SOA record set the cache time
4052 * to zero to facilitate locating the containing zone of
4055 ttl = fctx->res->view->maxncachettl;
4056 if (fctx->type == dns_rdatatype_soa &&
4057 covers == dns_rdatatype_any)
4060 result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
4061 covers, now, ttl, ardataset, &eresult);
4062 if (result != ISC_R_SUCCESS)
4065 if (!HAVE_ANSWER(fctx)) {
4066 fctx->attributes |= FCTX_ATTR_HAVEANSWER;
4067 if (event != NULL) {
4068 event->result = eresult;
4069 dns_db_attach(fctx->cache, adbp);
4070 dns_db_transfernode(fctx->cache, &node, anodep);
4071 clone_results(fctx);
4076 UNLOCK(&res->buckets[fctx->bucketnum].lock);
4079 dns_db_detachnode(fctx->cache, &node);
4085 mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
4086 isc_boolean_t external, isc_boolean_t gluing)
4088 name->attributes |= DNS_NAMEATTR_CACHE;
4090 rdataset->trust = dns_trust_glue;
4092 * Glue with 0 TTL causes problems. We force the TTL to
4093 * 1 second to prevent this.
4095 if (rdataset->ttl == 0)
4098 rdataset->trust = dns_trust_additional;
4100 * Avoid infinite loops by only marking new rdatasets.
4102 if (!CACHE(rdataset)) {
4103 name->attributes |= DNS_NAMEATTR_CHASE;
4104 rdataset->attributes |= DNS_RDATASETATTR_CHASE;
4106 rdataset->attributes |= DNS_RDATASETATTR_CACHE;
4108 rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
4112 check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
4113 fetchctx_t *fctx = arg;
4114 isc_result_t result;
4116 dns_rdataset_t *rdataset;
4117 isc_boolean_t external;
4118 dns_rdatatype_t rtype;
4119 isc_boolean_t gluing;
4121 REQUIRE(VALID_FCTX(fctx));
4129 result = dns_message_findname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
4130 addname, dns_rdatatype_any, 0, &name,
4132 if (result == ISC_R_SUCCESS) {
4133 external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
4134 if (type == dns_rdatatype_a) {
4135 for (rdataset = ISC_LIST_HEAD(name->list);
4137 rdataset = ISC_LIST_NEXT(rdataset, link)) {
4138 if (rdataset->type == dns_rdatatype_rrsig)
4139 rtype = rdataset->covers;
4141 rtype = rdataset->type;
4142 if (rtype == dns_rdatatype_a ||
4143 rtype == dns_rdatatype_aaaa)
4144 mark_related(name, rdataset, external,
4148 result = dns_message_findtype(name, type, 0,
4150 if (result == ISC_R_SUCCESS) {
4151 mark_related(name, rdataset, external, gluing);
4153 * Do we have its SIG too?
4156 result = dns_message_findtype(name,
4157 dns_rdatatype_rrsig,
4159 if (result == ISC_R_SUCCESS)
4160 mark_related(name, rdataset, external,
4166 return (ISC_R_SUCCESS);
4170 chase_additional(fetchctx_t *fctx) {
4171 isc_boolean_t rescan;
4172 dns_section_t section = DNS_SECTION_ADDITIONAL;
4173 isc_result_t result;
4178 for (result = dns_message_firstname(fctx->rmessage, section);
4179 result == ISC_R_SUCCESS;
4180 result = dns_message_nextname(fctx->rmessage, section)) {
4181 dns_name_t *name = NULL;
4182 dns_rdataset_t *rdataset;
4183 dns_message_currentname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
4185 if ((name->attributes & DNS_NAMEATTR_CHASE) == 0)
4187 name->attributes &= ~DNS_NAMEATTR_CHASE;
4188 for (rdataset = ISC_LIST_HEAD(name->list);
4190 rdataset = ISC_LIST_NEXT(rdataset, link)) {
4191 if (CHASE(rdataset)) {
4192 rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
4193 (void)dns_rdataset_additionaldata(rdataset,
4204 static inline isc_result_t
4205 cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
4206 isc_result_t result;
4207 dns_rdata_t rdata = DNS_RDATA_INIT;
4208 dns_rdata_cname_t cname;
4210 result = dns_rdataset_first(rdataset);
4211 if (result != ISC_R_SUCCESS)
4213 dns_rdataset_current(rdataset, &rdata);
4214 result = dns_rdata_tostruct(&rdata, &cname, NULL);
4215 if (result != ISC_R_SUCCESS)
4217 dns_name_init(tname, NULL);
4218 dns_name_clone(&cname.cname, tname);
4219 dns_rdata_freestruct(&cname);
4221 return (ISC_R_SUCCESS);
4224 static inline isc_result_t
4225 dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname,
4226 dns_fixedname_t *fixeddname)
4228 isc_result_t result;
4229 dns_rdata_t rdata = DNS_RDATA_INIT;
4230 unsigned int nlabels;
4232 dns_namereln_t namereln;
4233 dns_rdata_dname_t dname;
4234 dns_fixedname_t prefix;
4237 * Get the target name of the DNAME.
4240 result = dns_rdataset_first(rdataset);
4241 if (result != ISC_R_SUCCESS)
4243 dns_rdataset_current(rdataset, &rdata);
4244 result = dns_rdata_tostruct(&rdata, &dname, NULL);
4245 if (result != ISC_R_SUCCESS)
4249 * Get the prefix of qname.
4251 namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
4252 if (namereln != dns_namereln_subdomain) {
4253 dns_rdata_freestruct(&dname);
4254 return (DNS_R_FORMERR);
4256 dns_fixedname_init(&prefix);
4257 dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
4258 dns_fixedname_init(fixeddname);
4259 result = dns_name_concatenate(dns_fixedname_name(&prefix),
4261 dns_fixedname_name(fixeddname), NULL);
4262 dns_rdata_freestruct(&dname);
4267 * Handle a no-answer response (NXDOMAIN, NXRRSET, or referral).
4268 * If bind8_ns_resp is ISC_TRUE, this is a suspected BIND 8
4269 * response to an NS query that should be treated as a referral
4270 * even though the NS records occur in the answer section
4271 * rather than the authority section.
4274 noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
4275 isc_boolean_t bind8_ns_resp)
4277 isc_result_t result;
4278 dns_message_t *message;
4279 dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name;
4280 dns_rdataset_t *rdataset, *ns_rdataset;
4281 isc_boolean_t aa, negative_response;
4282 dns_rdatatype_t type;
4283 dns_section_t section =
4284 bind8_ns_resp ? DNS_SECTION_ANSWER : DNS_SECTION_AUTHORITY;
4286 FCTXTRACE("noanswer_response");
4288 message = fctx->rmessage;
4293 if (oqname == NULL) {
4295 * We have a normal, non-chained negative response or
4298 if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
4302 qname = &fctx->name;
4305 * We're being invoked by answer_response() after it has
4306 * followed a CNAME/DNAME chain.
4311 * If the current qname is not a subdomain of the query
4312 * domain, there's no point in looking at the authority
4313 * section without doing DNSSEC validation.
4315 * Until we do that validation, we'll just return success
4318 if (!dns_name_issubdomain(qname, &fctx->domain))
4319 return (ISC_R_SUCCESS);
4323 * We have to figure out if this is a negative response, or a
4328 * Sometimes we can tell if its a negative response by looking at
4329 * the message header.
4331 negative_response = ISC_FALSE;
4332 if (message->rcode == dns_rcode_nxdomain ||
4333 (message->counts[DNS_SECTION_ANSWER] == 0 &&
4334 message->counts[DNS_SECTION_AUTHORITY] == 0))
4335 negative_response = ISC_TRUE;
4338 * Process the authority section.
4344 result = dns_message_firstname(message, section);
4345 while (result == ISC_R_SUCCESS) {
4347 dns_message_currentname(message, section, &name);
4348 if (dns_name_issubdomain(name, &fctx->domain)) {
4350 * Look for NS/SOA RRsets first.
4352 for (rdataset = ISC_LIST_HEAD(name->list);
4354 rdataset = ISC_LIST_NEXT(rdataset, link)) {
4355 type = rdataset->type;
4356 if (type == dns_rdatatype_rrsig)
4357 type = rdataset->covers;
4358 if (((type == dns_rdatatype_ns ||
4359 type == dns_rdatatype_soa) &&
4360 !dns_name_issubdomain(qname, name)))
4361 return (DNS_R_FORMERR);
4362 if (type == dns_rdatatype_ns) {
4366 * Only one set of NS RRs is allowed.
4368 if (rdataset->type ==
4370 if (ns_name != NULL &&
4372 return (DNS_R_FORMERR);
4374 ns_rdataset = rdataset;
4378 rdataset->attributes |=
4379 DNS_RDATASETATTR_CACHE;
4380 rdataset->trust = dns_trust_glue;
4382 if (type == dns_rdatatype_soa) {
4384 * SOA, or RRSIG SOA.
4386 * Only one SOA is allowed.
4388 if (rdataset->type ==
4389 dns_rdatatype_soa) {
4390 if (soa_name != NULL &&
4392 return (DNS_R_FORMERR);
4396 DNS_NAMEATTR_NCACHE;
4397 rdataset->attributes |=
4398 DNS_RDATASETATTR_NCACHE;
4401 dns_trust_authauthority;
4404 dns_trust_additional;
4408 result = dns_message_nextname(message, section);
4409 if (result == ISC_R_NOMORE)
4411 else if (result != ISC_R_SUCCESS)
4416 * A negative response has a SOA record (Type 2)
4417 * and a optional NS RRset (Type 1) or it has neither
4418 * a SOA or a NS RRset (Type 3, handled above) or
4419 * rcode is NXDOMAIN (handled above) in which case
4420 * the NS RRset is allowed (Type 4).
4422 if (soa_name != NULL)
4423 negative_response = ISC_TRUE;
4425 result = dns_message_firstname(message, section);
4426 while (result == ISC_R_SUCCESS) {
4428 dns_message_currentname(message, section, &name);
4429 if (dns_name_issubdomain(name, &fctx->domain)) {
4430 for (rdataset = ISC_LIST_HEAD(name->list);
4432 rdataset = ISC_LIST_NEXT(rdataset, link)) {
4433 type = rdataset->type;
4434 if (type == dns_rdatatype_rrsig)
4435 type = rdataset->covers;
4436 if (type == dns_rdatatype_nsec) {
4438 * NSEC or RRSIG NSEC.
4440 if (negative_response) {
4442 DNS_NAMEATTR_NCACHE;
4443 rdataset->attributes |=
4444 DNS_RDATASETATTR_NCACHE;
4448 rdataset->attributes |=
4449 DNS_RDATASETATTR_CACHE;
4453 dns_trust_authauthority;
4456 dns_trust_additional;
4458 * No additional data needs to be
4461 } else if (type == dns_rdatatype_ds) {
4465 * These should only be here if
4466 * this is a referral, and there
4467 * should only be one DS.
4469 if (ns_name == NULL)
4470 return (DNS_R_FORMERR);
4471 if (rdataset->type ==
4473 if (ds_name != NULL &&
4475 return (DNS_R_FORMERR);
4480 rdataset->attributes |=
4481 DNS_RDATASETATTR_CACHE;
4484 dns_trust_authauthority;
4487 dns_trust_additional;
4491 result = dns_message_nextname(message, section);
4492 if (result == ISC_R_NOMORE)
4494 else if (result != ISC_R_SUCCESS)
4499 * Trigger lookups for DNS nameservers.
4501 if (negative_response && message->rcode == dns_rcode_noerror &&
4502 fctx->type == dns_rdatatype_ds && soa_name != NULL &&
4503 dns_name_equal(soa_name, qname) &&
4504 !dns_name_equal(qname, dns_rootname))
4505 return (DNS_R_CHASEDSSERVERS);
4508 * Did we find anything?
4510 if (!negative_response && ns_name == NULL) {
4514 if (oqname != NULL) {
4516 * We've already got a partial CNAME/DNAME chain,
4517 * and haven't found else anything useful here, but
4518 * no error has occurred since we have an answer.
4520 return (ISC_R_SUCCESS);
4523 * The responder is insane.
4525 return (DNS_R_FORMERR);
4530 * If we found both NS and SOA, they should be the same name.
4532 if (ns_name != NULL && soa_name != NULL && ns_name != soa_name)
4533 return (DNS_R_FORMERR);
4536 * Do we have a referral? (We only want to follow a referral if
4537 * we're not following a chain.)
4539 if (!negative_response && ns_name != NULL && oqname == NULL) {
4541 * We already know ns_name is a subdomain of fctx->domain.
4542 * If ns_name is equal to fctx->domain, we're not making
4543 * progress. We return DNS_R_FORMERR so that we'll keep
4544 * trying other servers.
4546 if (dns_name_equal(ns_name, &fctx->domain))
4547 return (DNS_R_FORMERR);
4550 * If the referral name is not a parent of the query
4551 * name, consider the responder insane.
4553 if (! dns_name_issubdomain(&fctx->name, ns_name)) {
4554 FCTXTRACE("referral to non-parent");
4555 return (DNS_R_FORMERR);
4559 * Mark any additional data related to this rdataset.
4560 * It's important that we do this before we change the
4563 INSIST(ns_rdataset != NULL);
4564 fctx->attributes |= FCTX_ATTR_GLUING;
4565 (void)dns_rdataset_additionaldata(ns_rdataset, check_related,
4567 fctx->attributes &= ~FCTX_ATTR_GLUING;
4569 * NS rdatasets with 0 TTL cause problems.
4570 * dns_view_findzonecut() will not find them when we
4571 * try to follow the referral, and we'll SERVFAIL
4572 * because the best nameservers are now above QDOMAIN.
4573 * We force the TTL to 1 second to prevent this.
4575 if (ns_rdataset->ttl == 0)
4576 ns_rdataset->ttl = 1;
4578 * Set the current query domain to the referral name.
4580 * XXXRTH We should check if we're in forward-only mode, and
4581 * if so we should bail out.
4583 INSIST(dns_name_countlabels(&fctx->domain) > 0);
4584 dns_name_free(&fctx->domain, fctx->res->mctx);
4585 if (dns_rdataset_isassociated(&fctx->nameservers))
4586 dns_rdataset_disassociate(&fctx->nameservers);
4587 dns_name_init(&fctx->domain, NULL);
4588 result = dns_name_dup(ns_name, fctx->res->mctx, &fctx->domain);
4589 if (result != ISC_R_SUCCESS)
4591 fctx->attributes |= FCTX_ATTR_WANTCACHE;
4592 return (DNS_R_DELEGATION);
4596 * Since we're not doing a referral, we don't want to cache any
4597 * NS RRs we may have found.
4599 if (ns_name != NULL)
4600 ns_name->attributes &= ~DNS_NAMEATTR_CACHE;
4602 if (negative_response && oqname == NULL)
4603 fctx->attributes |= FCTX_ATTR_WANTNCACHE;
4605 return (ISC_R_SUCCESS);
4609 answer_response(fetchctx_t *fctx) {
4610 isc_result_t result;
4611 dns_message_t *message;
4612 dns_name_t *name, *qname, tname;
4613 dns_rdataset_t *rdataset;
4614 isc_boolean_t done, external, chaining, aa, found, want_chaining;
4615 isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
4617 dns_rdatatype_t type;
4618 dns_fixedname_t dname, fqname;
4620 FCTXTRACE("answer_response");
4622 message = fctx->rmessage;
4625 * Examine the answer section, marking those rdatasets which are
4626 * part of the answer and should be cached.
4630 found_cname = ISC_FALSE;
4631 found_type = ISC_FALSE;
4632 chaining = ISC_FALSE;
4633 have_answer = ISC_FALSE;
4634 want_chaining = ISC_FALSE;
4635 if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
4639 qname = &fctx->name;
4641 result = dns_message_firstname(message, DNS_SECTION_ANSWER);
4642 while (!done && result == ISC_R_SUCCESS) {
4644 dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
4645 external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
4646 if (dns_name_equal(name, qname)) {
4647 wanted_chaining = ISC_FALSE;
4648 for (rdataset = ISC_LIST_HEAD(name->list);
4650 rdataset = ISC_LIST_NEXT(rdataset, link)) {
4652 want_chaining = ISC_FALSE;
4654 if (rdataset->type == type && !found_cname) {
4656 * We've found an ordinary answer.
4659 found_type = ISC_TRUE;
4661 aflag = DNS_RDATASETATTR_ANSWER;
4662 } else if (type == dns_rdatatype_any) {
4664 * We've found an answer matching
4665 * an ANY query. There may be
4669 aflag = DNS_RDATASETATTR_ANSWER;
4670 } else if (rdataset->type == dns_rdatatype_rrsig
4671 && rdataset->covers == type
4674 * We've found a signature that
4675 * covers the type we're looking for.
4678 found_type = ISC_TRUE;
4679 aflag = DNS_RDATASETATTR_ANSWERSIG;
4680 } else if (rdataset->type ==
4684 * We're looking for something else,
4685 * but we found a CNAME.
4687 * Getting a CNAME response for some
4688 * query types is an error.
4690 if (type == dns_rdatatype_rrsig ||
4691 type == dns_rdatatype_dnskey ||
4692 type == dns_rdatatype_nsec)
4693 return (DNS_R_FORMERR);
4695 found_cname = ISC_TRUE;
4696 want_chaining = ISC_TRUE;
4697 aflag = DNS_RDATASETATTR_ANSWER;
4698 result = cname_target(rdataset,
4700 if (result != ISC_R_SUCCESS)
4702 } else if (rdataset->type == dns_rdatatype_rrsig
4703 && rdataset->covers ==
4707 * We're looking for something else,
4708 * but we found a SIG CNAME.
4711 found_cname = ISC_TRUE;
4712 aflag = DNS_RDATASETATTR_ANSWERSIG;
4717 * We've found an answer to our
4722 rdataset->attributes |=
4723 DNS_RDATASETATTR_CACHE;
4724 rdataset->trust = dns_trust_answer;
4727 * This data is "the" answer
4728 * to our question only if
4729 * we're not chaining (i.e.
4730 * if we haven't followed
4731 * a CNAME or DNAME).
4735 DNS_RDATASETATTR_ANSWER)
4736 have_answer = ISC_TRUE;
4738 DNS_NAMEATTR_ANSWER;
4739 rdataset->attributes |= aflag;
4742 dns_trust_authanswer;
4743 } else if (external) {
4745 * This data is outside of
4746 * our query domain, and
4747 * may only be cached if it
4748 * comes from a secure zone
4751 rdataset->attributes |=
4752 DNS_RDATASETATTR_EXTERNAL;
4756 * Mark any additional data related
4759 (void)dns_rdataset_additionaldata(
4767 if (want_chaining) {
4768 wanted_chaining = ISC_TRUE;
4770 DNS_NAMEATTR_CHAINING;
4771 rdataset->attributes |=
4772 DNS_RDATASETATTR_CHAINING;
4777 * We could add an "else" clause here and
4778 * log that we're ignoring this rdataset.
4782 * If wanted_chaining is true, we've done
4783 * some chaining as the result of processing
4784 * this node, and thus we need to set
4787 * We don't set chaining inside of the
4788 * rdataset loop because doing that would
4789 * cause us to ignore the signatures of
4792 if (wanted_chaining)
4793 chaining = ISC_TRUE;
4796 * Look for a DNAME (or its SIG). Anything else is
4799 wanted_chaining = ISC_FALSE;
4800 for (rdataset = ISC_LIST_HEAD(name->list);
4802 rdataset = ISC_LIST_NEXT(rdataset, link)) {
4803 isc_boolean_t found_dname = ISC_FALSE;
4806 if (rdataset->type == dns_rdatatype_dname) {
4808 * We're looking for something else,
4809 * but we found a DNAME.
4811 * If we're not chaining, then the
4812 * DNAME should not be external.
4814 if (!chaining && external)
4815 return (DNS_R_FORMERR);
4817 want_chaining = ISC_TRUE;
4818 aflag = DNS_RDATASETATTR_ANSWER;
4819 result = dname_target(rdataset,
4822 if (result == ISC_R_NOSPACE) {
4824 * We can't construct the
4825 * DNAME target. Do not
4828 want_chaining = ISC_FALSE;
4829 } else if (result != ISC_R_SUCCESS)
4832 found_dname = ISC_TRUE;
4833 } else if (rdataset->type == dns_rdatatype_rrsig
4834 && rdataset->covers ==
4835 dns_rdatatype_dname) {
4837 * We've found a signature that
4841 aflag = DNS_RDATASETATTR_ANSWERSIG;
4846 * We've found an answer to our
4851 rdataset->attributes |=
4852 DNS_RDATASETATTR_CACHE;
4853 rdataset->trust = dns_trust_answer;
4856 * This data is "the" answer
4857 * to our question only if
4858 * we're not chaining.
4862 DNS_RDATASETATTR_ANSWER)
4863 have_answer = ISC_TRUE;
4865 DNS_NAMEATTR_ANSWER;
4866 rdataset->attributes |= aflag;
4869 dns_trust_authanswer;
4870 } else if (external) {
4871 rdataset->attributes |=
4872 DNS_RDATASETATTR_EXTERNAL;
4880 * Copy the the dname into the
4883 * Although we check for
4884 * failure of the copy
4885 * operation, in practice it
4886 * should never fail since
4887 * we already know that the
4888 * result fits in a fixedname.
4890 dns_fixedname_init(&fqname);
4891 result = dns_name_copy(
4892 dns_fixedname_name(&dname),
4893 dns_fixedname_name(&fqname),
4895 if (result != ISC_R_SUCCESS)
4897 wanted_chaining = ISC_TRUE;
4899 DNS_NAMEATTR_CHAINING;
4900 rdataset->attributes |=
4901 DNS_RDATASETATTR_CHAINING;
4902 qname = dns_fixedname_name(
4907 if (wanted_chaining)
4908 chaining = ISC_TRUE;
4910 result = dns_message_nextname(message, DNS_SECTION_ANSWER);
4912 if (result == ISC_R_NOMORE)
4913 result = ISC_R_SUCCESS;
4914 if (result != ISC_R_SUCCESS)
4918 * We should have found an answer.
4921 return (DNS_R_FORMERR);
4924 * This response is now potentially cacheable.
4926 fctx->attributes |= FCTX_ATTR_WANTCACHE;
4929 * Did chaining end before we got the final answer?
4933 * Yes. This may be a negative reply, so hand off
4934 * authority section processing to the noanswer code.
4935 * If it isn't a noanswer response, no harm will be
4938 return (noanswer_response(fctx, qname, ISC_FALSE));
4942 * We didn't end with an incomplete chain, so the rcode should be
4945 if (message->rcode != dns_rcode_noerror)
4946 return (DNS_R_FORMERR);
4949 * Examine the authority section (if there is one).
4951 * We expect there to be only one owner name for all the rdatasets
4952 * in this section, and we expect that it is not external.
4955 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
4956 while (!done && result == ISC_R_SUCCESS) {
4958 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
4959 external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
4962 * We expect to find NS or SIG NS rdatasets, and
4965 for (rdataset = ISC_LIST_HEAD(name->list);
4967 rdataset = ISC_LIST_NEXT(rdataset, link)) {
4968 if (rdataset->type == dns_rdatatype_ns ||
4969 (rdataset->type == dns_rdatatype_rrsig &&
4970 rdataset->covers == dns_rdatatype_ns)) {
4973 rdataset->attributes |=
4974 DNS_RDATASETATTR_CACHE;
4975 if (aa && !chaining)
4977 dns_trust_authauthority;
4980 dns_trust_additional;
4983 * Mark any additional data related
4986 (void)dns_rdataset_additionaldata(
4994 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
4996 if (result == ISC_R_NOMORE)
4997 result = ISC_R_SUCCESS;
5003 resume_dslookup(isc_task_t *task, isc_event_t *event) {
5004 dns_fetchevent_t *fevent;
5005 dns_resolver_t *res;
5007 isc_result_t result;
5008 isc_boolean_t bucket_empty = ISC_FALSE;
5009 isc_boolean_t locked = ISC_FALSE;
5010 unsigned int bucketnum;
5011 dns_rdataset_t nameservers;
5012 dns_fixedname_t fixed;
5015 REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
5016 fevent = (dns_fetchevent_t *)event;
5017 fctx = event->ev_arg;
5018 REQUIRE(VALID_FCTX(fctx));
5022 FCTXTRACE("resume_dslookup");
5024 if (fevent->node != NULL)
5025 dns_db_detachnode(fevent->db, &fevent->node);
5026 if (fevent->db != NULL)
5027 dns_db_detach(&fevent->db);
5029 dns_rdataset_init(&nameservers);
5031 bucketnum = fctx->bucketnum;
5032 if (fevent->result == ISC_R_CANCELED) {
5033 dns_resolver_destroyfetch(&fctx->nsfetch);
5034 fctx_done(fctx, ISC_R_CANCELED);
5035 } else if (fevent->result == ISC_R_SUCCESS) {
5037 FCTXTRACE("resuming DS lookup");
5039 dns_resolver_destroyfetch(&fctx->nsfetch);
5040 if (dns_rdataset_isassociated(&fctx->nameservers))
5041 dns_rdataset_disassociate(&fctx->nameservers);
5042 dns_rdataset_clone(fevent->rdataset, &fctx->nameservers);
5043 dns_name_free(&fctx->domain, fctx->res->mctx);
5044 dns_name_init(&fctx->domain, NULL);
5045 result = dns_name_dup(&fctx->nsname, fctx->res->mctx,
5047 if (result != ISC_R_SUCCESS) {
5048 fctx_done(fctx, DNS_R_SERVFAIL);
5057 dns_rdataset_t *nsrdataset = NULL;
5060 * Retrieve state from fctx->nsfetch before we destroy it.
5062 dns_fixedname_init(&fixed);
5063 domain = dns_fixedname_name(&fixed);
5064 dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL);
5065 if (dns_name_equal(&fctx->nsname, domain)) {
5066 fctx_done(fctx, DNS_R_SERVFAIL);
5067 dns_resolver_destroyfetch(&fctx->nsfetch);
5070 if (dns_rdataset_isassociated(
5071 &fctx->nsfetch->private->nameservers)) {
5073 &fctx->nsfetch->private->nameservers,
5075 nsrdataset = &nameservers;
5078 dns_resolver_destroyfetch(&fctx->nsfetch);
5079 n = dns_name_countlabels(&fctx->nsname);
5080 dns_name_getlabelsequence(&fctx->nsname, 1, n - 1,
5083 if (dns_rdataset_isassociated(fevent->rdataset))
5084 dns_rdataset_disassociate(fevent->rdataset);
5085 FCTXTRACE("continuing to look for parent's NS records");
5086 result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
5087 dns_rdatatype_ns, domain,
5088 nsrdataset, NULL, 0, task,
5089 resume_dslookup, fctx,
5090 &fctx->nsrrset, NULL,
5092 if (result != ISC_R_SUCCESS)
5093 fctx_done(fctx, result);
5095 LOCK(&res->buckets[bucketnum].lock);
5102 if (dns_rdataset_isassociated(&nameservers))
5103 dns_rdataset_disassociate(&nameservers);
5104 if (dns_rdataset_isassociated(fevent->rdataset))
5105 dns_rdataset_disassociate(fevent->rdataset);
5106 INSIST(fevent->sigrdataset == NULL);
5107 isc_event_free(&event);
5109 LOCK(&res->buckets[bucketnum].lock);
5111 if (fctx->references == 0)
5112 bucket_empty = fctx_destroy(fctx);
5113 UNLOCK(&res->buckets[bucketnum].lock);
5119 checknamessection(dns_message_t *message, dns_section_t section) {
5120 isc_result_t result;
5122 dns_rdata_t rdata = DNS_RDATA_INIT;
5123 dns_rdataset_t *rdataset;
5125 for (result = dns_message_firstname(message, section);
5126 result == ISC_R_SUCCESS;
5127 result = dns_message_nextname(message, section))
5130 dns_message_currentname(message, section, &name);
5131 for (rdataset = ISC_LIST_HEAD(name->list);
5133 rdataset = ISC_LIST_NEXT(rdataset, link)) {
5134 for (result = dns_rdataset_first(rdataset);
5135 result == ISC_R_SUCCESS;
5136 result = dns_rdataset_next(rdataset)) {
5137 dns_rdataset_current(rdataset, &rdata);
5138 if (!dns_rdata_checkowner(name, rdata.rdclass,
5141 !dns_rdata_checknames(&rdata, name, NULL))
5143 rdataset->attributes |=
5144 DNS_RDATASETATTR_CHECKNAMES;
5146 dns_rdata_reset(&rdata);
5153 checknames(dns_message_t *message) {
5155 checknamessection(message, DNS_SECTION_ANSWER);
5156 checknamessection(message, DNS_SECTION_AUTHORITY);
5157 checknamessection(message, DNS_SECTION_ADDITIONAL);
5161 log_packet(dns_message_t *message, int level, isc_mem_t *mctx) {
5162 isc_buffer_t buffer;
5165 isc_result_t result;
5167 if (! isc_log_wouldlog(dns_lctx, level))
5171 * Note that these are multiline debug messages. We want a newline
5172 * to appear in the log after each message.
5176 buf = isc_mem_get(mctx, len);
5179 isc_buffer_init(&buffer, buf, len);
5180 result = dns_message_totext(message, &dns_master_style_debug,
5182 if (result == ISC_R_NOSPACE) {
5183 isc_mem_put(mctx, buf, len);
5185 } else if (result == ISC_R_SUCCESS)
5186 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
5187 DNS_LOGMODULE_RESOLVER, level,
5188 "received packet:\n%.*s",
5189 (int)isc_buffer_usedlength(&buffer),
5191 } while (result == ISC_R_NOSPACE);
5194 isc_mem_put(mctx, buf, len);
5198 resquery_response(isc_task_t *task, isc_event_t *event) {
5199 isc_result_t result = ISC_R_SUCCESS;
5200 resquery_t *query = event->ev_arg;
5201 dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
5202 isc_boolean_t keep_trying, get_nameservers, resend;
5203 isc_boolean_t truncated;
5204 dns_message_t *message;
5207 dns_fixedname_t foundname;
5209 isc_time_t tnow, *finish;
5210 dns_adbaddrinfo_t *addrinfo;
5211 unsigned int options;
5212 unsigned int findoptions;
5213 isc_result_t broken_server;
5215 REQUIRE(VALID_QUERY(query));
5217 options = query->options;
5218 REQUIRE(VALID_FCTX(fctx));
5219 REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
5223 (void)isc_timer_touch(fctx->timer);
5225 keep_trying = ISC_FALSE;
5226 broken_server = ISC_R_SUCCESS;
5227 get_nameservers = ISC_FALSE;
5229 truncated = ISC_FALSE;
5232 if (fctx->res->exiting) {
5233 result = ISC_R_SHUTTINGDOWN;
5240 * XXXRTH We should really get the current time just once. We
5241 * need a routine to convert from an isc_time_t to an
5246 isc_stdtime_get(&now);
5249 * Did the dispatcher have a problem?
5251 if (devent->result != ISC_R_SUCCESS) {
5252 if (devent->result == ISC_R_EOF &&
5253 (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
5255 * The problem might be that they
5256 * don't understand EDNS0. Turn it
5257 * off and try again.
5259 options |= DNS_FETCHOPT_NOEDNS0;
5262 * Remember that they don't like EDNS0.
5264 dns_adb_changeflags(fctx->adb,
5266 DNS_FETCHOPT_NOEDNS0,
5267 DNS_FETCHOPT_NOEDNS0);
5270 * There's no hope for this query.
5272 keep_trying = ISC_TRUE;
5277 message = fctx->rmessage;
5279 if (query->tsig != NULL) {
5280 result = dns_message_setquerytsig(message, query->tsig);
5281 if (result != ISC_R_SUCCESS)
5285 if (query->tsigkey) {
5286 result = dns_message_settsigkey(message, query->tsigkey);
5287 if (result != ISC_R_SUCCESS)
5291 result = dns_message_parse(message, &devent->buffer, 0);
5292 if (result != ISC_R_SUCCESS) {
5294 case ISC_R_UNEXPECTEDEND:
5295 if (!message->question_ok ||
5296 (message->flags & DNS_MESSAGEFLAG_TC) == 0 ||
5297 (options & DNS_FETCHOPT_TCP) != 0) {
5299 * Either the message ended prematurely,
5300 * and/or wasn't marked as being truncated,
5301 * and/or this is a response to a query we
5302 * sent over TCP. In all of these cases,
5303 * something is wrong with the remote
5304 * server and we don't want to retry using
5307 if ((query->options & DNS_FETCHOPT_NOEDNS0)
5310 * The problem might be that they
5311 * don't understand EDNS0. Turn it
5312 * off and try again.
5314 options |= DNS_FETCHOPT_NOEDNS0;
5317 * Remember that they don't like EDNS0.
5319 dns_adb_changeflags(
5322 DNS_FETCHOPT_NOEDNS0,
5323 DNS_FETCHOPT_NOEDNS0);
5325 broken_server = result;
5326 keep_trying = ISC_TRUE;
5331 * We defer retrying via TCP for a bit so we can
5332 * check out this message further.
5334 truncated = ISC_TRUE;
5337 if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
5339 * The problem might be that they
5340 * don't understand EDNS0. Turn it
5341 * off and try again.
5343 options |= DNS_FETCHOPT_NOEDNS0;
5346 * Remember that they don't like EDNS0.
5348 dns_adb_changeflags(fctx->adb,
5350 DNS_FETCHOPT_NOEDNS0,
5351 DNS_FETCHOPT_NOEDNS0);
5353 broken_server = DNS_R_UNEXPECTEDRCODE;
5354 keep_trying = ISC_TRUE;
5359 * Something bad has happened.
5366 * Log the incoming packet.
5368 log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
5371 * If the message is signed, check the signature. If not, this
5372 * returns success anyway.
5374 result = dns_message_checksig(message, fctx->res->view);
5375 if (result != ISC_R_SUCCESS)
5379 * The dispatcher should ensure we only get responses with QR set.
5381 INSIST((message->flags & DNS_MESSAGEFLAG_QR) != 0);
5383 * INSIST() that the message comes from the place we sent it to,
5384 * since the dispatch code should ensure this.
5386 * INSIST() that the message id is correct (this should also be
5387 * ensured by the dispatch code).
5392 * Deal with truncated responses by retrying using TCP.
5394 if ((message->flags & DNS_MESSAGEFLAG_TC) != 0)
5395 truncated = ISC_TRUE;
5398 if ((options & DNS_FETCHOPT_TCP) != 0) {
5399 broken_server = DNS_R_TRUNCATEDTCP;
5400 keep_trying = ISC_TRUE;
5402 options |= DNS_FETCHOPT_TCP;
5409 * Is it a query response?
5411 if (message->opcode != dns_opcode_query) {
5413 broken_server = DNS_R_UNEXPECTEDOPCODE;
5414 keep_trying = ISC_TRUE;
5419 * Is the remote server broken, or does it dislike us?
5421 if (message->rcode != dns_rcode_noerror &&
5422 message->rcode != dns_rcode_nxdomain) {
5423 if ((message->rcode == dns_rcode_formerr ||
5424 message->rcode == dns_rcode_notimp ||
5425 message->rcode == dns_rcode_servfail) &&
5426 (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
5428 * It's very likely they don't like EDNS0.
5430 * XXXRTH We should check if the question
5431 * we're asking requires EDNS0, and
5432 * if so, we should bail out.
5434 options |= DNS_FETCHOPT_NOEDNS0;
5437 * Remember that they don't like EDNS0.
5439 if (message->rcode != dns_rcode_servfail)
5440 dns_adb_changeflags(fctx->adb, query->addrinfo,
5441 DNS_FETCHOPT_NOEDNS0,
5442 DNS_FETCHOPT_NOEDNS0);
5443 } else if (message->rcode == dns_rcode_formerr) {
5444 if (ISFORWARDER(query->addrinfo)) {
5446 * This forwarder doesn't understand us,
5447 * but other forwarders might. Keep trying.
5449 broken_server = DNS_R_REMOTEFORMERR;
5450 keep_trying = ISC_TRUE;
5453 * The server doesn't understand us. Since
5454 * all servers for a zone need similar
5455 * capabilities, we assume that we will get
5456 * FORMERR from all servers, and thus we
5457 * cannot make any more progress with this
5460 result = DNS_R_FORMERR;
5462 } else if (message->rcode == dns_rcode_yxdomain) {
5464 * DNAME mapping failed because the new name
5465 * was too long. There's no chance of success
5468 result = DNS_R_YXDOMAIN;
5473 broken_server = DNS_R_UNEXPECTEDRCODE;
5474 INSIST(broken_server != ISC_R_SUCCESS);
5475 keep_trying = ISC_TRUE;
5481 * Is the question the same as the one we asked?
5483 result = same_question(fctx);
5484 if (result != ISC_R_SUCCESS) {
5486 if (result == DNS_R_FORMERR)
5487 keep_trying = ISC_TRUE;
5492 * Is the server lame?
5494 if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
5496 log_lame(fctx, query->addrinfo);
5497 result = dns_adb_marklame(fctx->adb, query->addrinfo,
5499 now + fctx->res->lame_ttl);
5500 if (result != ISC_R_SUCCESS)
5501 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
5502 DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
5503 "could not mark server as lame: %s",
5504 isc_result_totext(result));
5505 broken_server = DNS_R_LAME;
5506 keep_trying = ISC_TRUE;
5511 * Enforce delegations only zones like NET and COM.
5513 if (!ISFORWARDER(query->addrinfo) &&
5514 dns_view_isdelegationonly(fctx->res->view, &fctx->domain) &&
5515 !dns_name_equal(&fctx->domain, &fctx->name) &&
5516 fix_mustbedelegationornxdomain(message, fctx)) {
5517 char namebuf[DNS_NAME_FORMATSIZE];
5518 char domainbuf[DNS_NAME_FORMATSIZE];
5519 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
5523 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
5524 dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
5525 dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
5526 dns_rdataclass_format(fctx->res->rdclass, classbuf,
5528 isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
5531 isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
5532 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
5533 "enforced delegation-only for '%s' (%s/%s/%s) "
5535 domainbuf, namebuf, typebuf, classbuf, addrbuf);
5538 if ((fctx->res->options & DNS_RESOLVER_CHECKNAMES) != 0)
5539 checknames(message);
5544 fctx->attributes &= ~(FCTX_ATTR_WANTNCACHE | FCTX_ATTR_WANTCACHE);
5547 * Did we get any answers?
5549 if (message->counts[DNS_SECTION_ANSWER] > 0 &&
5550 (message->rcode == dns_rcode_noerror ||
5551 message->rcode == dns_rcode_nxdomain)) {
5553 * We've got answers. However, if we sent
5554 * a BIND 8 server an NS query, it may have
5555 * incorrectly responded with a non-authoritative
5556 * answer instead of a referral. Since this
5557 * answer lacks the SIGs necessary to do DNSSEC
5558 * validation, we must invoke the following special
5559 * kludge to treat it as a referral.
5561 if (fctx->type == dns_rdatatype_ns &&
5562 (message->flags & DNS_MESSAGEFLAG_AA) == 0 &&
5563 !ISFORWARDER(query->addrinfo))
5565 result = noanswer_response(fctx, NULL, ISC_TRUE);
5566 if (result != DNS_R_DELEGATION) {
5568 * The answer section must have contained
5569 * something other than the NS records
5570 * we asked for. Since AA is not set
5571 * and the server is not a forwarder,
5572 * it is technically lame and it's easier
5573 * to treat it as such than to figure out
5574 * some more elaborate course of action.
5576 broken_server = DNS_R_LAME;
5577 keep_trying = ISC_TRUE;
5580 goto force_referral;
5582 result = answer_response(fctx);
5583 if (result != ISC_R_SUCCESS) {
5584 if (result == DNS_R_FORMERR)
5585 keep_trying = ISC_TRUE;
5588 } else if (message->counts[DNS_SECTION_AUTHORITY] > 0 ||
5589 message->rcode == dns_rcode_noerror ||
5590 message->rcode == dns_rcode_nxdomain) {
5592 * NXDOMAIN, NXRDATASET, or referral.
5594 result = noanswer_response(fctx, NULL, ISC_FALSE);
5595 if (result == DNS_R_CHASEDSSERVERS) {
5596 } else if (result == DNS_R_DELEGATION) {
5599 * We don't have the answer, but we know a better
5602 get_nameservers = ISC_TRUE;
5603 keep_trying = ISC_TRUE;
5605 * We have a new set of name servers, and it
5606 * has not experienced any restarts yet.
5609 result = ISC_R_SUCCESS;
5610 } else if (result != ISC_R_SUCCESS) {
5612 * Something has gone wrong.
5614 if (result == DNS_R_FORMERR)
5615 keep_trying = ISC_TRUE;
5620 * The server is insane.
5623 broken_server = DNS_R_UNEXPECTEDRCODE;
5624 keep_trying = ISC_TRUE;
5629 * Follow additional section data chains.
5631 chase_additional(fctx);
5634 * Cache the cacheable parts of the message. This may also cause
5635 * work to be queued to the DNSSEC validator.
5637 if (WANTCACHE(fctx)) {
5638 result = cache_message(fctx, query->addrinfo, now);
5639 if (result != ISC_R_SUCCESS)
5644 * Ncache the negatively cacheable parts of the message. This may
5645 * also cause work to be queued to the DNSSEC validator.
5647 if (WANTNCACHE(fctx)) {
5648 dns_rdatatype_t covers;
5649 if (message->rcode == dns_rcode_nxdomain)
5650 covers = dns_rdatatype_any;
5652 covers = fctx->type;
5655 * Cache any negative cache entries in the message.
5657 result = ncache_message(fctx, query->addrinfo, covers, now);
5662 * Remember the query's addrinfo, in case we need to mark the
5665 addrinfo = query->addrinfo;
5670 * XXXRTH Don't cancel the query if waiting for validation?
5672 fctx_cancelquery(&query, &devent, finish, ISC_FALSE);
5675 if (result == DNS_R_FORMERR)
5676 broken_server = DNS_R_FORMERR;
5677 if (broken_server != ISC_R_SUCCESS) {
5679 * Add this server to the list of bad servers for
5682 add_bad(fctx, addrinfo, broken_server);
5685 if (get_nameservers) {
5687 dns_fixedname_init(&foundname);
5688 fname = dns_fixedname_name(&foundname);
5689 if (result != ISC_R_SUCCESS) {
5690 fctx_done(fctx, DNS_R_SERVFAIL);
5694 if (dns_rdatatype_atparent(fctx->type))
5695 findoptions |= DNS_DBFIND_NOEXACT;
5696 if ((options & DNS_FETCHOPT_UNSHARED) == 0)
5699 name = &fctx->domain;
5700 result = dns_view_findzonecut(fctx->res->view,
5706 if (result != ISC_R_SUCCESS) {
5707 FCTXTRACE("couldn't find a zonecut");
5708 fctx_done(fctx, DNS_R_SERVFAIL);
5711 if (!dns_name_issubdomain(fname, &fctx->domain)) {
5713 * The best nameservers are now above our
5716 FCTXTRACE("nameservers now above QDOMAIN");
5717 fctx_done(fctx, DNS_R_SERVFAIL);
5720 dns_name_free(&fctx->domain, fctx->res->mctx);
5721 dns_name_init(&fctx->domain, NULL);
5722 result = dns_name_dup(fname, fctx->res->mctx,
5724 if (result != ISC_R_SUCCESS) {
5725 fctx_done(fctx, DNS_R_SERVFAIL);
5728 fctx_cancelqueries(fctx, ISC_TRUE);
5729 fctx_cleanupfinds(fctx);
5730 fctx_cleanupaltfinds(fctx);
5731 fctx_cleanupforwaddrs(fctx);
5732 fctx_cleanupaltaddrs(fctx);
5738 } else if (resend) {
5740 * Resend (probably with changed options).
5742 FCTXTRACE("resend");
5743 result = fctx_query(fctx, addrinfo, options);
5744 if (result != ISC_R_SUCCESS)
5745 fctx_done(fctx, result);
5746 } else if (result == ISC_R_SUCCESS && !HAVE_ANSWER(fctx)) {
5748 * All has gone well so far, but we are waiting for the
5749 * DNSSEC validator to validate the answer.
5751 FCTXTRACE("wait for validator");
5752 fctx_cancelqueries(fctx, ISC_TRUE);
5754 * We must not retransmit while the validator is working;
5755 * it has references to the current rmessage.
5757 result = fctx_stopidletimer(fctx);
5758 if (result != ISC_R_SUCCESS)
5759 fctx_done(fctx, result);
5760 } else if (result == DNS_R_CHASEDSSERVERS) {
5762 add_bad(fctx, addrinfo, result);
5763 fctx_cancelqueries(fctx, ISC_TRUE);
5764 fctx_cleanupfinds(fctx);
5765 fctx_cleanupforwaddrs(fctx);
5767 n = dns_name_countlabels(&fctx->name);
5768 dns_name_getlabelsequence(&fctx->name, 1, n - 1, &fctx->nsname);
5770 FCTXTRACE("suspending DS lookup to find parent's NS records");
5772 result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
5774 NULL, NULL, NULL, 0, task,
5775 resume_dslookup, fctx,
5776 &fctx->nsrrset, NULL,
5778 if (result != ISC_R_SUCCESS)
5779 fctx_done(fctx, result);
5780 LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
5782 UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
5783 result = fctx_stopidletimer(fctx);
5784 if (result != ISC_R_SUCCESS)
5785 fctx_done(fctx, result);
5790 fctx_done(fctx, result);
5796 *** Resolver Methods
5800 destroy(dns_resolver_t *res) {
5804 REQUIRE(res->references == 0);
5805 REQUIRE(!res->priming);
5806 REQUIRE(res->primefetch == NULL);
5810 INSIST(res->nfctx == 0);
5812 DESTROYLOCK(&res->primelock);
5813 DESTROYLOCK(&res->nlock);
5814 DESTROYLOCK(&res->lock);
5815 for (i = 0; i < res->nbuckets; i++) {
5816 INSIST(ISC_LIST_EMPTY(res->buckets[i].fctxs));
5817 isc_task_shutdown(res->buckets[i].task);
5818 isc_task_detach(&res->buckets[i].task);
5819 DESTROYLOCK(&res->buckets[i].lock);
5821 isc_mem_put(res->mctx, res->buckets,
5822 res->nbuckets * sizeof(fctxbucket_t));
5823 if (res->dispatchv4 != NULL)
5824 dns_dispatch_detach(&res->dispatchv4);
5825 if (res->dispatchv6 != NULL)
5826 dns_dispatch_detach(&res->dispatchv6);
5827 while ((a = ISC_LIST_HEAD(res->alternates)) != NULL) {
5828 ISC_LIST_UNLINK(res->alternates, a, link);
5830 dns_name_free(&a->_u._n.name, res->mctx);
5831 isc_mem_put(res->mctx, a, sizeof(*a));
5833 dns_resolver_reset_algorithms(res);
5834 dns_resolver_resetmustbesecure(res);
5836 isc_rwlock_destroy(&res->alglock);
5839 isc_rwlock_destroy(&res->mbslock);
5842 isc_mem_put(res->mctx, res, sizeof(*res));
5846 send_shutdown_events(dns_resolver_t *res) {
5847 isc_event_t *event, *next_event;
5851 * Caller must be holding the resolver lock.
5854 for (event = ISC_LIST_HEAD(res->whenshutdown);
5856 event = next_event) {
5857 next_event = ISC_LIST_NEXT(event, ev_link);
5858 ISC_LIST_UNLINK(res->whenshutdown, event, ev_link);
5859 etask = event->ev_sender;
5860 event->ev_sender = res;
5861 isc_task_sendanddetach(&etask, &event);
5866 empty_bucket(dns_resolver_t *res) {
5867 RTRACE("empty_bucket");
5871 INSIST(res->activebuckets > 0);
5872 res->activebuckets--;
5873 if (res->activebuckets == 0)
5874 send_shutdown_events(res);
5880 dns_resolver_create(dns_view_t *view,
5881 isc_taskmgr_t *taskmgr, unsigned int ntasks,
5882 isc_socketmgr_t *socketmgr,
5883 isc_timermgr_t *timermgr,
5884 unsigned int options,
5885 dns_dispatchmgr_t *dispatchmgr,
5886 dns_dispatch_t *dispatchv4,
5887 dns_dispatch_t *dispatchv6,
5888 dns_resolver_t **resp)
5890 dns_resolver_t *res;
5891 isc_result_t result = ISC_R_SUCCESS;
5892 unsigned int i, buckets_created = 0;
5896 * Create a resolver.
5899 REQUIRE(DNS_VIEW_VALID(view));
5900 REQUIRE(ntasks > 0);
5901 REQUIRE(resp != NULL && *resp == NULL);
5902 REQUIRE(dispatchmgr != NULL);
5903 REQUIRE(dispatchv4 != NULL || dispatchv6 != NULL);
5905 res = isc_mem_get(view->mctx, sizeof(*res));
5907 return (ISC_R_NOMEMORY);
5909 res->mctx = view->mctx;
5910 res->rdclass = view->rdclass;
5911 res->socketmgr = socketmgr;
5912 res->timermgr = timermgr;
5913 res->taskmgr = taskmgr;
5914 res->dispatchmgr = dispatchmgr;
5916 res->options = options;
5918 ISC_LIST_INIT(res->alternates);
5919 res->udpsize = RECV_BUFFER_SIZE;
5920 res->algorithms = NULL;
5921 res->mustbesecure = NULL;
5923 res->nbuckets = ntasks;
5924 res->activebuckets = ntasks;
5925 res->buckets = isc_mem_get(view->mctx,
5926 ntasks * sizeof(fctxbucket_t));
5927 if (res->buckets == NULL) {
5928 result = ISC_R_NOMEMORY;
5931 for (i = 0; i < ntasks; i++) {
5932 result = isc_mutex_init(&res->buckets[i].lock);
5933 if (result != ISC_R_SUCCESS)
5934 goto cleanup_buckets;
5935 res->buckets[i].task = NULL;
5936 result = isc_task_create(taskmgr, 0, &res->buckets[i].task);
5937 if (result != ISC_R_SUCCESS) {
5938 DESTROYLOCK(&res->buckets[i].lock);
5939 goto cleanup_buckets;
5941 snprintf(name, sizeof(name), "res%u", i);
5942 isc_task_setname(res->buckets[i].task, name, res);
5943 ISC_LIST_INIT(res->buckets[i].fctxs);
5944 res->buckets[i].exiting = ISC_FALSE;
5948 res->dispatchv4 = NULL;
5949 if (dispatchv4 != NULL)
5950 dns_dispatch_attach(dispatchv4, &res->dispatchv4);
5951 res->dispatchv6 = NULL;
5952 if (dispatchv6 != NULL)
5953 dns_dispatch_attach(dispatchv6, &res->dispatchv6);
5955 res->references = 1;
5956 res->exiting = ISC_FALSE;
5957 res->frozen = ISC_FALSE;
5958 ISC_LIST_INIT(res->whenshutdown);
5959 res->priming = ISC_FALSE;
5960 res->primefetch = NULL;
5963 result = isc_mutex_init(&res->lock);
5964 if (result != ISC_R_SUCCESS)
5965 goto cleanup_dispatches;
5967 result = isc_mutex_init(&res->nlock);
5968 if (result != ISC_R_SUCCESS)
5971 result = isc_mutex_init(&res->primelock);
5972 if (result != ISC_R_SUCCESS)
5976 result = isc_rwlock_init(&res->alglock, 0, 0);
5977 if (result != ISC_R_SUCCESS)
5978 goto cleanup_primelock;
5981 result = isc_rwlock_init(&res->mbslock, 0, 0);
5982 if (result != ISC_R_SUCCESS)
5983 goto cleanup_alglock;
5986 res->magic = RES_MAGIC;
5990 return (ISC_R_SUCCESS);
5995 isc_rwlock_destroy(&res->alglock);
5998 #if USE_ALGLOCK || USE_MBSLOCK
6000 DESTROYLOCK(&res->primelock);
6004 DESTROYLOCK(&res->nlock);
6007 DESTROYLOCK(&res->lock);
6010 if (res->dispatchv6 != NULL)
6011 dns_dispatch_detach(&res->dispatchv6);
6012 if (res->dispatchv4 != NULL)
6013 dns_dispatch_detach(&res->dispatchv4);
6016 for (i = 0; i < buckets_created; i++) {
6017 DESTROYLOCK(&res->buckets[i].lock);
6018 isc_task_shutdown(res->buckets[i].task);
6019 isc_task_detach(&res->buckets[i].task);
6021 isc_mem_put(view->mctx, res->buckets,
6022 res->nbuckets * sizeof(fctxbucket_t));
6025 isc_mem_put(view->mctx, res, sizeof(*res));
6031 prime_done(isc_task_t *task, isc_event_t *event) {
6032 dns_resolver_t *res;
6033 dns_fetchevent_t *fevent;
6036 REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
6037 fevent = (dns_fetchevent_t *)event;
6038 res = event->ev_arg;
6039 REQUIRE(VALID_RESOLVER(res));
6045 INSIST(res->priming);
6046 res->priming = ISC_FALSE;
6047 LOCK(&res->primelock);
6048 fetch = res->primefetch;
6049 res->primefetch = NULL;
6050 UNLOCK(&res->primelock);
6054 if (fevent->node != NULL)
6055 dns_db_detachnode(fevent->db, &fevent->node);
6056 if (fevent->db != NULL)
6057 dns_db_detach(&fevent->db);
6058 if (dns_rdataset_isassociated(fevent->rdataset))
6059 dns_rdataset_disassociate(fevent->rdataset);
6060 INSIST(fevent->sigrdataset == NULL);
6062 isc_mem_put(res->mctx, fevent->rdataset, sizeof(*fevent->rdataset));
6064 isc_event_free(&event);
6065 dns_resolver_destroyfetch(&fetch);
6069 dns_resolver_prime(dns_resolver_t *res) {
6070 isc_boolean_t want_priming = ISC_FALSE;
6071 dns_rdataset_t *rdataset;
6072 isc_result_t result;
6074 REQUIRE(VALID_RESOLVER(res));
6075 REQUIRE(res->frozen);
6077 RTRACE("dns_resolver_prime");
6081 if (!res->exiting && !res->priming) {
6082 INSIST(res->primefetch == NULL);
6083 res->priming = ISC_TRUE;
6084 want_priming = ISC_TRUE;
6091 * To avoid any possible recursive locking problems, we
6092 * start the priming fetch like any other fetch, and holding
6093 * no resolver locks. No one else will try to start it
6094 * because we're the ones who set res->priming to true.
6095 * Any other callers of dns_resolver_prime() while we're
6096 * running will see that res->priming is already true and
6100 rdataset = isc_mem_get(res->mctx, sizeof(*rdataset));
6101 if (rdataset == NULL) {
6103 INSIST(res->priming);
6104 INSIST(res->primefetch == NULL);
6105 res->priming = ISC_FALSE;
6109 dns_rdataset_init(rdataset);
6110 LOCK(&res->primelock);
6111 result = dns_resolver_createfetch(res, dns_rootname,
6113 NULL, NULL, NULL, 0,
6114 res->buckets[0].task,
6116 res, rdataset, NULL,
6118 UNLOCK(&res->primelock);
6119 if (result != ISC_R_SUCCESS) {
6121 INSIST(res->priming);
6122 res->priming = ISC_FALSE;
6129 dns_resolver_freeze(dns_resolver_t *res) {
6135 REQUIRE(VALID_RESOLVER(res));
6136 REQUIRE(!res->frozen);
6138 res->frozen = ISC_TRUE;
6142 dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp) {
6143 REQUIRE(VALID_RESOLVER(source));
6144 REQUIRE(targetp != NULL && *targetp == NULL);
6146 RRTRACE(source, "attach");
6147 LOCK(&source->lock);
6148 REQUIRE(!source->exiting);
6150 INSIST(source->references > 0);
6151 source->references++;
6152 INSIST(source->references != 0);
6153 UNLOCK(&source->lock);
6159 dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
6160 isc_event_t **eventp)
6165 REQUIRE(VALID_RESOLVER(res));
6166 REQUIRE(eventp != NULL);
6173 if (res->exiting && res->activebuckets == 0) {
6175 * We're already shutdown. Send the event.
6177 event->ev_sender = res;
6178 isc_task_send(task, &event);
6181 isc_task_attach(task, &clone);
6182 event->ev_sender = clone;
6183 ISC_LIST_APPEND(res->whenshutdown, event, ev_link);
6190 dns_resolver_shutdown(dns_resolver_t *res) {
6195 REQUIRE(VALID_RESOLVER(res));
6201 if (!res->exiting) {
6203 res->exiting = ISC_TRUE;
6205 for (i = 0; i < res->nbuckets; i++) {
6206 LOCK(&res->buckets[i].lock);
6207 for (fctx = ISC_LIST_HEAD(res->buckets[i].fctxs);
6209 fctx = ISC_LIST_NEXT(fctx, link))
6210 fctx_shutdown(fctx);
6211 if (res->dispatchv4 != NULL) {
6212 sock = dns_dispatch_getsocket(res->dispatchv4);
6213 isc_socket_cancel(sock, res->buckets[i].task,
6214 ISC_SOCKCANCEL_ALL);
6216 if (res->dispatchv6 != NULL) {
6217 sock = dns_dispatch_getsocket(res->dispatchv6);
6218 isc_socket_cancel(sock, res->buckets[i].task,
6219 ISC_SOCKCANCEL_ALL);
6221 res->buckets[i].exiting = ISC_TRUE;
6222 if (ISC_LIST_EMPTY(res->buckets[i].fctxs)) {
6223 INSIST(res->activebuckets > 0);
6224 res->activebuckets--;
6226 UNLOCK(&res->buckets[i].lock);
6228 if (res->activebuckets == 0)
6229 send_shutdown_events(res);
6236 dns_resolver_detach(dns_resolver_t **resp) {
6237 dns_resolver_t *res;
6238 isc_boolean_t need_destroy = ISC_FALSE;
6240 REQUIRE(resp != NULL);
6242 REQUIRE(VALID_RESOLVER(res));
6248 INSIST(res->references > 0);
6250 if (res->references == 0) {
6251 INSIST(res->exiting && res->activebuckets == 0);
6252 need_destroy = ISC_TRUE;
6263 static inline isc_boolean_t
6264 fctx_match(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
6265 unsigned int options)
6267 if (fctx->type != type || fctx->options != options)
6269 return (dns_name_equal(&fctx->name, name));
6273 log_fetch(dns_name_t *name, dns_rdatatype_t type) {
6274 char namebuf[DNS_NAME_FORMATSIZE];
6275 char typebuf[DNS_RDATATYPE_FORMATSIZE];
6276 int level = ISC_LOG_DEBUG(1);
6278 if (! isc_log_wouldlog(dns_lctx, level))
6281 dns_name_format(name, namebuf, sizeof(namebuf));
6282 dns_rdatatype_format(type, typebuf, sizeof(typebuf));
6284 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
6285 DNS_LOGMODULE_RESOLVER, level,
6286 "createfetch: %s %s", namebuf, typebuf);
6290 dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
6291 dns_rdatatype_t type,
6292 dns_name_t *domain, dns_rdataset_t *nameservers,
6293 dns_forwarders_t *forwarders,
6294 unsigned int options, isc_task_t *task,
6295 isc_taskaction_t action, void *arg,
6296 dns_rdataset_t *rdataset,
6297 dns_rdataset_t *sigrdataset,
6298 dns_fetch_t **fetchp)
6301 fetchctx_t *fctx = NULL;
6302 isc_result_t result;
6303 unsigned int bucketnum;
6304 isc_boolean_t new_fctx = ISC_FALSE;
6309 REQUIRE(VALID_RESOLVER(res));
6310 REQUIRE(res->frozen);
6311 /* XXXRTH Check for meta type */
6312 if (domain != NULL) {
6313 REQUIRE(DNS_RDATASET_VALID(nameservers));
6314 REQUIRE(nameservers->type == dns_rdatatype_ns);
6316 REQUIRE(nameservers == NULL);
6317 REQUIRE(forwarders == NULL);
6318 REQUIRE(!dns_rdataset_isassociated(rdataset));
6319 REQUIRE(sigrdataset == NULL ||
6320 !dns_rdataset_isassociated(sigrdataset));
6321 REQUIRE(fetchp != NULL && *fetchp == NULL);
6323 log_fetch(name, type);
6326 * XXXRTH use a mempool?
6328 fetch = isc_mem_get(res->mctx, sizeof(*fetch));
6330 return (ISC_R_NOMEMORY);
6332 bucketnum = dns_name_hash(name, ISC_FALSE) % res->nbuckets;
6334 LOCK(&res->buckets[bucketnum].lock);
6336 if (res->buckets[bucketnum].exiting) {
6337 result = ISC_R_SHUTTINGDOWN;
6341 if ((options & DNS_FETCHOPT_UNSHARED) == 0) {
6342 for (fctx = ISC_LIST_HEAD(res->buckets[bucketnum].fctxs);
6344 fctx = ISC_LIST_NEXT(fctx, link)) {
6345 if (fctx_match(fctx, name, type, options))
6351 * If we didn't have a fetch, would attach to a done fetch, this
6352 * fetch has already cloned its results, or if the fetch has gone
6353 * "idle" (no one was interested in it), we need to start a new
6354 * fetch instead of joining with the existing one.
6357 fctx->state == fetchstate_done ||
6359 ISC_LIST_EMPTY(fctx->events)) {
6361 result = fctx_create(res, name, type, domain, nameservers,
6362 options, bucketnum, &fctx);
6363 if (result != ISC_R_SUCCESS)
6365 new_fctx = ISC_TRUE;
6368 result = fctx_join(fctx, task, action, arg,
6369 rdataset, sigrdataset, fetch);
6371 if (result == ISC_R_SUCCESS) {
6375 event = &fctx->control_event;
6376 ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
6377 DNS_EVENT_FETCHCONTROL,
6378 fctx_start, fctx, NULL,
6380 isc_task_send(res->buckets[bucketnum].task, &event);
6383 * We don't care about the result of fctx_destroy()
6384 * since we know we're not exiting.
6386 (void)fctx_destroy(fctx);
6391 UNLOCK(&res->buckets[bucketnum].lock);
6393 if (result == ISC_R_SUCCESS) {
6397 isc_mem_put(res->mctx, fetch, sizeof(*fetch));
6403 dns_resolver_cancelfetch(dns_fetch_t *fetch) {
6405 dns_resolver_t *res;
6406 dns_fetchevent_t *event, *next_event;
6409 REQUIRE(DNS_FETCH_VALID(fetch));
6410 fctx = fetch->private;
6411 REQUIRE(VALID_FCTX(fctx));
6414 FTRACE("cancelfetch");
6416 LOCK(&res->buckets[fctx->bucketnum].lock);
6419 * Find the completion event for this fetch (as opposed
6420 * to those for other fetches that have joined the same
6421 * fctx) and send it with result = ISC_R_CANCELED.
6424 if (fctx->state != fetchstate_done) {
6425 for (event = ISC_LIST_HEAD(fctx->events);
6427 event = next_event) {
6428 next_event = ISC_LIST_NEXT(event, ev_link);
6429 if (event->fetch == fetch) {
6430 ISC_LIST_UNLINK(fctx->events, event, ev_link);
6435 if (event != NULL) {
6436 etask = event->ev_sender;
6437 event->ev_sender = fctx;
6438 event->result = ISC_R_CANCELED;
6439 isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
6442 * The fctx continues running even if no fetches remain;
6443 * the answer is still cached.
6446 UNLOCK(&res->buckets[fctx->bucketnum].lock);
6450 dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
6452 dns_resolver_t *res;
6453 dns_fetchevent_t *event, *next_event;
6455 unsigned int bucketnum;
6456 isc_boolean_t bucket_empty = ISC_FALSE;
6458 REQUIRE(fetchp != NULL);
6460 REQUIRE(DNS_FETCH_VALID(fetch));
6461 fctx = fetch->private;
6462 REQUIRE(VALID_FCTX(fctx));
6465 FTRACE("destroyfetch");
6467 bucketnum = fctx->bucketnum;
6468 LOCK(&res->buckets[bucketnum].lock);
6471 * Sanity check: the caller should have gotten its event before
6472 * trying to destroy the fetch.
6475 if (fctx->state != fetchstate_done) {
6476 for (event = ISC_LIST_HEAD(fctx->events);
6478 event = next_event) {
6479 next_event = ISC_LIST_NEXT(event, ev_link);
6480 RUNTIME_CHECK(event->fetch != fetch);
6484 INSIST(fctx->references > 0);
6486 if (fctx->references == 0) {
6488 * No one cares about the result of this fetch anymore.
6490 if (fctx->pending == 0 && fctx->nqueries == 0 &&
6491 ISC_LIST_EMPTY(fctx->validators) &&
6492 SHUTTINGDOWN(fctx)) {
6494 * This fctx is already shutdown; we were just
6495 * waiting for the last reference to go away.
6497 bucket_empty = fctx_destroy(fctx);
6500 * Initiate shutdown.
6502 fctx_shutdown(fctx);
6506 UNLOCK(&res->buckets[bucketnum].lock);
6508 isc_mem_put(res->mctx, fetch, sizeof(*fetch));
6516 dns_resolver_dispatchmgr(dns_resolver_t *resolver) {
6517 REQUIRE(VALID_RESOLVER(resolver));
6518 return (resolver->dispatchmgr);
6522 dns_resolver_dispatchv4(dns_resolver_t *resolver) {
6523 REQUIRE(VALID_RESOLVER(resolver));
6524 return (resolver->dispatchv4);
6528 dns_resolver_dispatchv6(dns_resolver_t *resolver) {
6529 REQUIRE(VALID_RESOLVER(resolver));
6530 return (resolver->dispatchv6);
6534 dns_resolver_socketmgr(dns_resolver_t *resolver) {
6535 REQUIRE(VALID_RESOLVER(resolver));
6536 return (resolver->socketmgr);
6540 dns_resolver_taskmgr(dns_resolver_t *resolver) {
6541 REQUIRE(VALID_RESOLVER(resolver));
6542 return (resolver->taskmgr);
6546 dns_resolver_getlamettl(dns_resolver_t *resolver) {
6547 REQUIRE(VALID_RESOLVER(resolver));
6548 return (resolver->lame_ttl);
6552 dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl) {
6553 REQUIRE(VALID_RESOLVER(resolver));
6554 resolver->lame_ttl = lame_ttl;
6558 dns_resolver_nrunning(dns_resolver_t *resolver) {
6560 LOCK(&resolver->nlock);
6561 n = resolver->nfctx;
6562 UNLOCK(&resolver->nlock);
6567 dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
6568 dns_name_t *name, in_port_t port) {
6570 isc_result_t result;
6572 REQUIRE(VALID_RESOLVER(resolver));
6573 REQUIRE(!resolver->frozen);
6574 REQUIRE((alt == NULL) ^ (name == NULL));
6576 a = isc_mem_get(resolver->mctx, sizeof(*a));
6578 return (ISC_R_NOMEMORY);
6580 a->isaddress = ISC_TRUE;
6583 a->isaddress = ISC_FALSE;
6584 a->_u._n.port = port;
6585 dns_name_init(&a->_u._n.name, NULL);
6586 result = dns_name_dup(name, resolver->mctx, &a->_u._n.name);
6587 if (result != ISC_R_SUCCESS) {
6588 isc_mem_put(resolver->mctx, a, sizeof(*a));
6592 ISC_LINK_INIT(a, link);
6593 ISC_LIST_APPEND(resolver->alternates, a, link);
6595 return (ISC_R_SUCCESS);
6599 dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize) {
6600 REQUIRE(VALID_RESOLVER(resolver));
6601 resolver->udpsize = udpsize;
6605 dns_resolver_getudpsize(dns_resolver_t *resolver) {
6606 REQUIRE(VALID_RESOLVER(resolver));
6607 return (resolver->udpsize);
6611 free_algorithm(void *node, void *arg) {
6612 unsigned char *algorithms = node;
6613 isc_mem_t *mctx = arg;
6615 isc_mem_put(mctx, algorithms, *algorithms);
6619 dns_resolver_reset_algorithms(dns_resolver_t *resolver) {
6621 REQUIRE(VALID_RESOLVER(resolver));
6624 RWLOCK(&resolver->alglock, isc_rwlocktype_write);
6626 if (resolver->algorithms != NULL)
6627 dns_rbt_destroy(&resolver->algorithms);
6629 RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
6634 dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
6637 unsigned int len, mask;
6639 unsigned char *algorithms;
6640 isc_result_t result;
6641 dns_rbtnode_t *node = NULL;
6643 REQUIRE(VALID_RESOLVER(resolver));
6645 return (ISC_R_RANGE);
6648 RWLOCK(&resolver->alglock, isc_rwlocktype_write);
6650 if (resolver->algorithms == NULL) {
6651 result = dns_rbt_create(resolver->mctx, free_algorithm,
6652 resolver->mctx, &resolver->algorithms);
6653 if (result != ISC_R_SUCCESS)
6658 mask = 1 << (alg%8);
6660 result = dns_rbt_addnode(resolver->algorithms, name, &node);
6662 if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
6663 algorithms = node->data;
6664 if (algorithms == NULL || len > *algorithms) {
6665 new = isc_mem_get(resolver->mctx, len);
6667 result = ISC_R_NOMEMORY;
6670 memset(new, 0, len);
6671 if (algorithms != NULL)
6672 memcpy(new, algorithms, *algorithms);
6676 if (algorithms != NULL)
6677 isc_mem_put(resolver->mctx, algorithms,
6680 algorithms[len-1] |= mask;
6682 result = ISC_R_SUCCESS;
6685 RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
6691 dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
6694 unsigned int len, mask;
6695 unsigned char *algorithms;
6697 isc_result_t result;
6698 isc_boolean_t found = ISC_FALSE;
6700 REQUIRE(VALID_RESOLVER(resolver));
6703 RWLOCK(&resolver->alglock, isc_rwlocktype_read);
6705 if (resolver->algorithms == NULL)
6707 result = dns_rbt_findname(resolver->algorithms, name, 0, NULL, &data);
6708 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
6710 mask = 1 << (alg%8);
6712 if (len <= *algorithms && (algorithms[len-1] & mask) != 0)
6717 RWUNLOCK(&resolver->alglock, isc_rwlocktype_read);
6721 return (dst_algorithm_supported(alg));
6725 dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {
6727 REQUIRE(VALID_RESOLVER(resolver));
6730 RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
6732 if (resolver->mustbesecure != NULL)
6733 dns_rbt_destroy(&resolver->mustbesecure);
6735 RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
6739 static isc_boolean_t yes = ISC_TRUE, no = ISC_FALSE;
6742 dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
6743 isc_boolean_t value)
6745 isc_result_t result;
6747 REQUIRE(VALID_RESOLVER(resolver));
6750 RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
6752 if (resolver->mustbesecure == NULL) {
6753 result = dns_rbt_create(resolver->mctx, NULL, NULL,
6754 &resolver->mustbesecure);
6755 if (result != ISC_R_SUCCESS)
6758 result = dns_rbt_addname(resolver->mustbesecure, name,
6759 value ? &yes : &no);
6762 RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
6768 dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name) {
6770 isc_boolean_t value = ISC_FALSE;
6771 isc_result_t result;
6773 REQUIRE(VALID_RESOLVER(resolver));
6776 RWLOCK(&resolver->mbslock, isc_rwlocktype_read);
6778 if (resolver->mustbesecure == NULL)
6780 result = dns_rbt_findname(resolver->mustbesecure, name, 0, NULL, &data);
6781 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
6782 value = *(isc_boolean_t*)data;
6785 RWUNLOCK(&resolver->mbslock, isc_rwlocktype_read);