2 * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: query.c,v 1.353.8.11.4.1 2011-11-16 09:32:08 marka Exp $ */
28 #include <isc/stats.h>
32 #include <dns/byaddr.h>
35 #include <dns/dns64.h>
36 #include <dns/dnssec.h>
37 #include <dns/events.h>
38 #include <dns/message.h>
39 #include <dns/ncache.h>
40 #include <dns/nsec3.h>
41 #include <dns/order.h>
42 #include <dns/rdata.h>
43 #include <dns/rdataclass.h>
44 #include <dns/rdatalist.h>
45 #include <dns/rdataset.h>
46 #include <dns/rdatasetiter.h>
47 #include <dns/rdatastruct.h>
48 #include <dns/rdatatype.h>
49 #include <dns/resolver.h>
50 #include <dns/result.h>
51 #include <dns/stats.h>
57 #include <named/client.h>
58 #include <named/globals.h>
59 #include <named/log.h>
60 #include <named/server.h>
61 #include <named/sortlist.h>
62 #include <named/xfrout.h>
66 * It has been recommended that DNS64 be changed to return excluded
67 * AAAA addresses if DNS64 synthesis does not occur. This minimises
68 * the impact on the lookup results. While most DNS AAAA lookups are
69 * done to send IP packets to a host, not all of them are and filtering
70 * excluded addresses has a negative impact on those uses.
72 #define dns64_bis_return_excluded_addresses 1
75 /*% Partial answer? */
76 #define PARTIALANSWER(c) (((c)->query.attributes & \
77 NS_QUERYATTR_PARTIALANSWER) != 0)
79 #define USECACHE(c) (((c)->query.attributes & \
80 NS_QUERYATTR_CACHEOK) != 0)
82 #define RECURSIONOK(c) (((c)->query.attributes & \
83 NS_QUERYATTR_RECURSIONOK) != 0)
85 #define RECURSING(c) (((c)->query.attributes & \
86 NS_QUERYATTR_RECURSING) != 0)
88 #define CACHEGLUEOK(c) (((c)->query.attributes & \
89 NS_QUERYATTR_CACHEGLUEOK) != 0)
90 /*% Want Recursion? */
91 #define WANTRECURSION(c) (((c)->query.attributes & \
92 NS_QUERYATTR_WANTRECURSION) != 0)
94 #define WANTDNSSEC(c) (((c)->attributes & \
95 NS_CLIENTATTR_WANTDNSSEC) != 0)
97 #define NOAUTHORITY(c) (((c)->query.attributes & \
98 NS_QUERYATTR_NOAUTHORITY) != 0)
100 #define NOADDITIONAL(c) (((c)->query.attributes & \
101 NS_QUERYATTR_NOADDITIONAL) != 0)
103 #define SECURE(c) (((c)->query.attributes & \
104 NS_QUERYATTR_SECURE) != 0)
105 /*% DNS64 A lookup? */
106 #define DNS64(c) (((c)->query.attributes & \
107 NS_QUERYATTR_DNS64) != 0)
109 #define DNS64EXCLUDE(c) (((c)->query.attributes & \
110 NS_QUERYATTR_DNS64EXCLUDE) != 0)
112 /*% No QNAME Proof? */
113 #define NOQNAME(r) (((r)->attributes & \
114 DNS_RDATASETATTR_NOQNAME) != 0)
117 #define CTRACE(m) isc_log_write(ns_g_lctx, \
118 NS_LOGCATEGORY_CLIENT, \
119 NS_LOGMODULE_QUERY, \
121 "client %p: %s", client, (m))
122 #define QTRACE(m) isc_log_write(ns_g_lctx, \
123 NS_LOGCATEGORY_GENERAL, \
124 NS_LOGMODULE_QUERY, \
126 "query %p: %s", query, (m))
128 #define CTRACE(m) ((void)m)
129 #define QTRACE(m) ((void)m)
132 #define DNS_GETDB_NOEXACT 0x01U
133 #define DNS_GETDB_NOLOG 0x02U
134 #define DNS_GETDB_PARTIAL 0x04U
135 #define DNS_GETDB_IGNOREACL 0x08U
137 #define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0)
139 typedef struct client_additionalctx {
141 dns_rdataset_t *rdataset;
142 } client_additionalctx_t;
145 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
148 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
149 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
152 query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
153 dns_dbversion_t *version, ns_client_t *client,
154 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
155 dns_name_t *fname, isc_boolean_t exact,
159 log_queryerror(ns_client_t *client, isc_result_t result, int line, int level);
162 rpz_st_clear(ns_client_t *client);
165 * Increment query statistics counters.
168 inc_stats(ns_client_t *client, isc_statscounter_t counter) {
169 dns_zone_t *zone = client->query.authzone;
171 isc_stats_increment(ns_g_server->nsstats, counter);
174 isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
175 if (zonestats != NULL)
176 isc_stats_increment(zonestats, counter);
181 query_send(ns_client_t *client) {
182 isc_statscounter_t counter;
183 if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0)
184 inc_stats(client, dns_nsstatscounter_nonauthans);
186 inc_stats(client, dns_nsstatscounter_authans);
187 if (client->message->rcode == dns_rcode_noerror) {
188 if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER])) {
189 if (client->query.isreferral) {
190 counter = dns_nsstatscounter_referral;
192 counter = dns_nsstatscounter_nxrrset;
195 counter = dns_nsstatscounter_success;
197 } else if (client->message->rcode == dns_rcode_nxdomain) {
198 counter = dns_nsstatscounter_nxdomain;
200 /* We end up here in case of YXDOMAIN, and maybe others */
201 counter = dns_nsstatscounter_failure;
203 inc_stats(client, counter);
204 ns_client_send(client);
208 query_error(ns_client_t *client, isc_result_t result, int line) {
209 int loglevel = ISC_LOG_DEBUG(3);
213 loglevel = ISC_LOG_DEBUG(1);
214 inc_stats(client, dns_nsstatscounter_servfail);
217 inc_stats(client, dns_nsstatscounter_formerr);
220 inc_stats(client, dns_nsstatscounter_failure);
224 log_queryerror(client, result, line, loglevel);
226 ns_client_error(client, result);
230 query_next(ns_client_t *client, isc_result_t result) {
231 if (result == DNS_R_DUPLICATE)
232 inc_stats(client, dns_nsstatscounter_duplicate);
233 else if (result == DNS_R_DROP)
234 inc_stats(client, dns_nsstatscounter_dropped);
236 inc_stats(client, dns_nsstatscounter_failure);
237 ns_client_next(client, result);
241 query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
242 ns_dbversion_t *dbversion, *dbversion_next;
245 for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
247 dbversion = dbversion_next, i++)
249 dbversion_next = ISC_LIST_NEXT(dbversion, link);
251 * If we're not freeing everything, we keep the first three
252 * dbversions structures around.
254 if (i > 3 || everything) {
255 ISC_LIST_UNLINK(client->query.freeversions, dbversion,
257 isc_mem_put(client->mctx, dbversion,
264 ns_query_cancel(ns_client_t *client) {
265 LOCK(&client->query.fetchlock);
266 if (client->query.fetch != NULL) {
267 dns_resolver_cancelfetch(client->query.fetch);
269 client->query.fetch = NULL;
271 UNLOCK(&client->query.fetchlock);
275 query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
276 dns_rdataset_t *rdataset = *rdatasetp;
278 CTRACE("query_putrdataset");
279 if (rdataset != NULL) {
280 if (dns_rdataset_isassociated(rdataset))
281 dns_rdataset_disassociate(rdataset);
282 dns_message_puttemprdataset(client->message, rdatasetp);
284 CTRACE("query_putrdataset: done");
288 query_reset(ns_client_t *client, isc_boolean_t everything) {
289 isc_buffer_t *dbuf, *dbuf_next;
290 ns_dbversion_t *dbversion, *dbversion_next;
293 * Reset the query state of a client to its default state.
297 * Cancel the fetch if it's running.
299 ns_query_cancel(client);
302 * Cleanup any active versions.
304 for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
306 dbversion = dbversion_next) {
307 dbversion_next = ISC_LIST_NEXT(dbversion, link);
308 dns_db_closeversion(dbversion->db, &dbversion->version,
310 dns_db_detach(&dbversion->db);
311 ISC_LIST_INITANDAPPEND(client->query.freeversions,
314 ISC_LIST_INIT(client->query.activeversions);
316 if (client->query.authdb != NULL)
317 dns_db_detach(&client->query.authdb);
318 if (client->query.authzone != NULL)
319 dns_zone_detach(&client->query.authzone);
321 if (client->query.dns64_aaaa != NULL)
322 query_putrdataset(client, &client->query.dns64_aaaa);
323 if (client->query.dns64_sigaaaa != NULL)
324 query_putrdataset(client, &client->query.dns64_sigaaaa);
325 if (client->query.dns64_aaaaok != NULL) {
326 isc_mem_put(client->mctx, client->query.dns64_aaaaok,
327 client->query.dns64_aaaaoklen *
328 sizeof(isc_boolean_t));
329 client->query.dns64_aaaaok = NULL;
330 client->query.dns64_aaaaoklen = 0;
333 query_freefreeversions(client, everything);
335 for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
338 dbuf_next = ISC_LIST_NEXT(dbuf, link);
339 if (dbuf_next != NULL || everything) {
340 ISC_LIST_UNLINK(client->query.namebufs, dbuf, link);
341 isc_buffer_free(&dbuf);
345 if (client->query.restarts > 0) {
347 * client->query.qname was dynamically allocated.
349 dns_message_puttempname(client->message,
350 &client->query.qname);
352 client->query.qname = NULL;
353 client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
354 NS_QUERYATTR_CACHEOK |
355 NS_QUERYATTR_SECURE);
356 client->query.restarts = 0;
357 client->query.timerset = ISC_FALSE;
358 if (client->query.rpz_st != NULL) {
359 rpz_st_clear(client);
361 isc_mem_put(client->mctx, client->query.rpz_st,
362 sizeof(*client->query.rpz_st));
363 client->query.rpz_st = NULL;
366 client->query.origqname = NULL;
367 client->query.dboptions = 0;
368 client->query.fetchoptions = 0;
369 client->query.gluedb = NULL;
370 client->query.authdbset = ISC_FALSE;
371 client->query.isreferral = ISC_FALSE;
372 client->query.dns64_options = 0;
373 client->query.dns64_ttl = ISC_UINT32_MAX;
377 query_next_callback(ns_client_t *client) {
378 query_reset(client, ISC_FALSE);
382 ns_query_free(ns_client_t *client) {
383 query_reset(client, ISC_TRUE);
386 static inline isc_result_t
387 query_newnamebuf(ns_client_t *client) {
391 CTRACE("query_newnamebuf");
393 * Allocate a name buffer.
397 result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
398 if (result != ISC_R_SUCCESS) {
399 CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
402 ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
404 CTRACE("query_newnamebuf: done");
405 return (ISC_R_SUCCESS);
408 static inline isc_buffer_t *
409 query_getnamebuf(ns_client_t *client) {
414 CTRACE("query_getnamebuf");
416 * Return a name buffer with space for a maximal name, allocating
417 * a new one if necessary.
420 if (ISC_LIST_EMPTY(client->query.namebufs)) {
421 result = query_newnamebuf(client);
422 if (result != ISC_R_SUCCESS) {
423 CTRACE("query_getnamebuf: query_newnamebuf failed: done");
428 dbuf = ISC_LIST_TAIL(client->query.namebufs);
429 INSIST(dbuf != NULL);
430 isc_buffer_availableregion(dbuf, &r);
431 if (r.length < 255) {
432 result = query_newnamebuf(client);
433 if (result != ISC_R_SUCCESS) {
434 CTRACE("query_getnamebuf: query_newnamebuf failed: done");
438 dbuf = ISC_LIST_TAIL(client->query.namebufs);
439 isc_buffer_availableregion(dbuf, &r);
440 INSIST(r.length >= 255);
442 CTRACE("query_getnamebuf: done");
447 query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
450 CTRACE("query_keepname");
452 * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
453 * adjusted to take account of that. We do the adjustment.
456 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0);
458 dns_name_toregion(name, &r);
459 isc_buffer_add(dbuf, r.length);
460 dns_name_setbuffer(name, NULL);
461 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
465 query_releasename(ns_client_t *client, dns_name_t **namep) {
466 dns_name_t *name = *namep;
469 * 'name' is no longer needed. Return it to our pool of temporary
470 * names. If it is using a name buffer, relinquish its exclusive
471 * rights on the buffer.
474 CTRACE("query_releasename");
475 if (dns_name_hasbuffer(name)) {
476 INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
478 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
480 dns_message_puttempname(client->message, namep);
481 CTRACE("query_releasename: done");
484 static inline dns_name_t *
485 query_newname(ns_client_t *client, isc_buffer_t *dbuf,
492 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
494 CTRACE("query_newname");
496 result = dns_message_gettempname(client->message, &name);
497 if (result != ISC_R_SUCCESS) {
498 CTRACE("query_newname: dns_message_gettempname failed: done");
501 isc_buffer_availableregion(dbuf, &r);
502 isc_buffer_init(nbuf, r.base, r.length);
503 dns_name_init(name, NULL);
504 dns_name_setbuffer(name, nbuf);
505 client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
507 CTRACE("query_newname: done");
511 static inline dns_rdataset_t *
512 query_newrdataset(ns_client_t *client) {
513 dns_rdataset_t *rdataset;
516 CTRACE("query_newrdataset");
518 result = dns_message_gettemprdataset(client->message, &rdataset);
519 if (result != ISC_R_SUCCESS) {
520 CTRACE("query_newrdataset: "
521 "dns_message_gettemprdataset failed: done");
524 dns_rdataset_init(rdataset);
526 CTRACE("query_newrdataset: done");
530 static inline isc_result_t
531 query_newdbversion(ns_client_t *client, unsigned int n) {
533 ns_dbversion_t *dbversion;
535 for (i = 0; i < n; i++) {
536 dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
537 if (dbversion != NULL) {
538 dbversion->db = NULL;
539 dbversion->version = NULL;
540 ISC_LIST_INITANDAPPEND(client->query.freeversions,
544 * We only return ISC_R_NOMEMORY if we couldn't
548 return (ISC_R_NOMEMORY);
550 return (ISC_R_SUCCESS);
554 return (ISC_R_SUCCESS);
557 static inline ns_dbversion_t *
558 query_getdbversion(ns_client_t *client) {
560 ns_dbversion_t *dbversion;
562 if (ISC_LIST_EMPTY(client->query.freeversions)) {
563 result = query_newdbversion(client, 1);
564 if (result != ISC_R_SUCCESS)
567 dbversion = ISC_LIST_HEAD(client->query.freeversions);
568 INSIST(dbversion != NULL);
569 ISC_LIST_UNLINK(client->query.freeversions, dbversion, link);
575 ns_query_init(ns_client_t *client) {
578 ISC_LIST_INIT(client->query.namebufs);
579 ISC_LIST_INIT(client->query.activeversions);
580 ISC_LIST_INIT(client->query.freeversions);
581 client->query.restarts = 0;
582 client->query.timerset = ISC_FALSE;
583 client->query.rpz_st = NULL;
584 client->query.qname = NULL;
585 result = isc_mutex_init(&client->query.fetchlock);
586 if (result != ISC_R_SUCCESS)
588 client->query.fetch = NULL;
589 client->query.authdb = NULL;
590 client->query.authzone = NULL;
591 client->query.authdbset = ISC_FALSE;
592 client->query.isreferral = ISC_FALSE;
593 client->query.dns64_aaaa = NULL;
594 client->query.dns64_sigaaaa = NULL;
595 client->query.dns64_aaaaok = NULL;
596 client->query.dns64_aaaaoklen = 0;
597 query_reset(client, ISC_FALSE);
598 result = query_newdbversion(client, 3);
599 if (result != ISC_R_SUCCESS) {
600 DESTROYLOCK(&client->query.fetchlock);
603 result = query_newnamebuf(client);
604 if (result != ISC_R_SUCCESS)
605 query_freefreeversions(client, ISC_TRUE);
610 static inline ns_dbversion_t *
611 query_findversion(ns_client_t *client, dns_db_t *db)
613 ns_dbversion_t *dbversion;
616 * We may already have done a query related to this
617 * database. If so, we must be sure to make subsequent
618 * queries from the same version.
620 for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
622 dbversion = ISC_LIST_NEXT(dbversion, link)) {
623 if (dbversion->db == db)
627 if (dbversion == NULL) {
629 * This is a new zone for this query. Add it to
632 dbversion = query_getdbversion(client);
633 if (dbversion == NULL)
635 dns_db_attach(db, &dbversion->db);
636 dns_db_currentversion(db, &dbversion->version);
637 dbversion->acl_checked = ISC_FALSE;
638 dbversion->queryok = ISC_FALSE;
639 ISC_LIST_APPEND(client->query.activeversions,
646 static inline isc_result_t
647 query_validatezonedb(ns_client_t *client, dns_name_t *name,
648 dns_rdatatype_t qtype, unsigned int options,
649 dns_zone_t *zone, dns_db_t *db,
650 dns_dbversion_t **versionp)
654 ns_dbversion_t *dbversion;
656 REQUIRE(zone != NULL);
660 * This limits our searching to the zone where the first name
661 * (the query target) was looked for. This prevents following
662 * CNAMES or DNAMES into other zones and prevents returning
663 * additional data from other zones.
665 if (!client->view->additionalfromauth &&
666 client->query.authdbset &&
667 db != client->query.authdb)
668 return (DNS_R_REFUSED);
671 * Non recursive query to a static-stub zone is prohibited; its
672 * zone content is not public data, but a part of local configuration
673 * and should not be disclosed.
675 if (dns_zone_gettype(zone) == dns_zone_staticstub &&
676 !RECURSIONOK(client)) {
677 return (DNS_R_REFUSED);
681 * If the zone has an ACL, we'll check it, otherwise
682 * we use the view's "allow-query" ACL. Each ACL is only checked
685 * Also, get the database version to use.
689 * Get the current version of this database.
691 dbversion = query_findversion(client, db);
692 if (dbversion == NULL)
693 return (DNS_R_SERVFAIL);
695 if ((options & DNS_GETDB_IGNOREACL) != 0)
697 if (dbversion->acl_checked) {
698 if (!dbversion->queryok)
699 return (DNS_R_REFUSED);
703 queryacl = dns_zone_getqueryacl(zone);
704 if (queryacl == NULL) {
705 queryacl = client->view->queryacl;
706 if ((client->query.attributes &
707 NS_QUERYATTR_QUERYOKVALID) != 0) {
709 * We've evaluated the view's queryacl already. If
710 * NS_QUERYATTR_QUERYOK is set, then the client is
711 * allowed to make queries, otherwise the query should
714 dbversion->acl_checked = ISC_TRUE;
715 if ((client->query.attributes &
716 NS_QUERYATTR_QUERYOK) == 0) {
717 dbversion->queryok = ISC_FALSE;
718 return (DNS_R_REFUSED);
720 dbversion->queryok = ISC_TRUE;
725 result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
726 if ((options & DNS_GETDB_NOLOG) == 0) {
727 char msg[NS_CLIENT_ACLMSGSIZE("query")];
728 if (result == ISC_R_SUCCESS) {
729 if (isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(3))) {
730 ns_client_aclmsg("query", name, qtype,
731 client->view->rdclass,
733 ns_client_log(client,
734 DNS_LOGCATEGORY_SECURITY,
740 ns_client_aclmsg("query", name, qtype,
741 client->view->rdclass,
743 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
744 NS_LOGMODULE_QUERY, ISC_LOG_INFO,
749 if (queryacl == client->view->queryacl) {
750 if (result == ISC_R_SUCCESS) {
752 * We were allowed by the default
753 * "allow-query" ACL. Remember this so we
754 * don't have to check again.
756 client->query.attributes |= NS_QUERYATTR_QUERYOK;
759 * We've now evaluated the view's query ACL, and
760 * the NS_QUERYATTR_QUERYOK attribute is now valid.
762 client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
765 dbversion->acl_checked = ISC_TRUE;
766 if (result != ISC_R_SUCCESS) {
767 dbversion->queryok = ISC_FALSE;
768 return (DNS_R_REFUSED);
770 dbversion->queryok = ISC_TRUE;
773 /* Transfer ownership, if necessary. */
774 if (versionp != NULL)
775 *versionp = dbversion->version;
776 return (ISC_R_SUCCESS);
779 static inline isc_result_t
780 query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
781 unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
782 dns_dbversion_t **versionp)
785 unsigned int ztoptions;
786 dns_zone_t *zone = NULL;
788 isc_boolean_t partial = ISC_FALSE;
790 REQUIRE(zonep != NULL && *zonep == NULL);
791 REQUIRE(dbp != NULL && *dbp == NULL);
794 * Find a zone database to answer the query.
796 ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
797 DNS_ZTFIND_NOEXACT : 0;
799 result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
801 if (result == DNS_R_PARTIALMATCH)
803 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
804 result = dns_zone_getdb(zone, &db);
806 if (result != ISC_R_SUCCESS)
809 result = query_validatezonedb(client, name, qtype, options, zone, db,
812 if (result != ISC_R_SUCCESS)
815 /* Transfer ownership. */
819 if (partial && (options & DNS_GETDB_PARTIAL) != 0)
820 return (DNS_R_PARTIALMATCH);
821 return (ISC_R_SUCCESS);
825 dns_zone_detach(&zone);
833 rpz_log(ns_client_t *client) {
834 char namebuf1[DNS_NAME_FORMATSIZE];
835 char namebuf2[DNS_NAME_FORMATSIZE];
839 if (!ns_g_server->log_queries ||
840 !isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
843 st = client->query.rpz_st;
844 dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
845 dns_name_format(st->qname, namebuf2, sizeof(namebuf2));
847 switch (st->m.policy) {
848 case DNS_RPZ_POLICY_NO_OP:
849 pat ="response policy %s rewrite %s NO-OP using %s";
851 case DNS_RPZ_POLICY_NXDOMAIN:
852 pat = "response policy %s rewrite %s to NXDOMAIN using %s";
854 case DNS_RPZ_POLICY_NODATA:
855 pat = "response policy %s rewrite %s to NODATA using %s";
857 case DNS_RPZ_POLICY_RECORD:
858 case DNS_RPZ_POLICY_CNAME:
859 pat = "response policy %s rewrite %s using %s";
864 ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
865 DNS_RPZ_INFO_LEVEL, pat, dns_rpz_type2str(st->m.type),
870 rpz_fail_log(ns_client_t *client, int level, dns_rpz_type_t rpz_type,
871 dns_name_t *name, const char *str, isc_result_t result)
873 char namebuf1[DNS_NAME_FORMATSIZE];
874 char namebuf2[DNS_NAME_FORMATSIZE];
876 if (!ns_g_server->log_queries || !isc_log_wouldlog(ns_g_lctx, level))
879 dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
880 dns_name_format(name, namebuf2, sizeof(namebuf2));
881 ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
882 NS_LOGMODULE_QUERY, level,
883 "response policy %s rewrite %s via %s %sfailed: %s",
884 dns_rpz_type2str(rpz_type),
885 namebuf1, namebuf2, str, isc_result_totext(result));
889 * Get a policy rewrite zone database.
892 rpz_getdb(ns_client_t *client, dns_rpz_type_t rpz_type,
893 dns_name_t *rpz_qname, dns_zone_t **zonep,
894 dns_db_t **dbp, dns_dbversion_t **versionp)
896 char namebuf1[DNS_NAME_FORMATSIZE];
897 char namebuf2[DNS_NAME_FORMATSIZE];
898 dns_dbversion_t *rpz_version = NULL;
901 result = query_getzonedb(client, rpz_qname, dns_rdatatype_any,
902 DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version);
903 if (result == ISC_R_SUCCESS) {
904 if (ns_g_server->log_queries &&
905 isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) {
906 dns_name_format(client->query.qname, namebuf1,
908 dns_name_format(rpz_qname, namebuf2, sizeof(namebuf2));
909 ns_client_log(client, NS_LOGCATEGORY_QUERIES,
910 NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2,
911 "try rpz %s rewrite %s via %s",
912 dns_rpz_type2str(rpz_type),
915 *versionp = rpz_version;
916 return (ISC_R_SUCCESS);
918 rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL, rpz_type, rpz_qname,
919 "query_getzonedb() ", result);
923 static inline isc_result_t
924 query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
925 dns_db_t **dbp, unsigned int options)
928 isc_boolean_t check_acl;
931 REQUIRE(dbp != NULL && *dbp == NULL);
934 * Find a cache database to answer the query.
935 * This may fail with DNS_R_REFUSED if the client
936 * is not allowed to use the cache.
939 if (!USECACHE(client))
940 return (DNS_R_REFUSED);
941 dns_db_attach(client->view->cachedb, &db);
943 if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) != 0) {
945 * We've evaluated the view's cacheacl already. If
946 * NS_QUERYATTR_CACHEACLOK is set, then the client is
947 * allowed to make queries, otherwise the query should
950 check_acl = ISC_FALSE;
951 if ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) == 0)
955 * We haven't evaluated the view's queryacl yet.
957 check_acl = ISC_TRUE;
961 isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
962 char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
964 result = ns_client_checkaclsilent(client, NULL,
965 client->view->cacheacl,
967 if (result == ISC_R_SUCCESS) {
969 * We were allowed by the "allow-query-cache" ACL.
970 * Remember this so we don't have to check again.
972 client->query.attributes |=
973 NS_QUERYATTR_CACHEACLOK;
974 if (log && isc_log_wouldlog(ns_g_lctx,
977 ns_client_aclmsg("query (cache)", name, qtype,
978 client->view->rdclass,
980 ns_client_log(client,
981 DNS_LOGCATEGORY_SECURITY,
987 ns_client_aclmsg("query (cache)", name, qtype,
988 client->view->rdclass, msg,
990 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
991 NS_LOGMODULE_QUERY, ISC_LOG_INFO,
995 * We've now evaluated the view's query ACL, and
996 * the NS_QUERYATTR_CACHEACLOKVALID attribute is now valid.
998 client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID;
1000 if (result != ISC_R_SUCCESS)
1006 /* Transfer ownership. */
1009 return (ISC_R_SUCCESS);
1012 result = DNS_R_REFUSED;
1021 static inline isc_result_t
1022 query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
1023 unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
1024 dns_dbversion_t **versionp, isc_boolean_t *is_zonep)
1026 isc_result_t result;
1028 isc_result_t tresult;
1029 unsigned int namelabels;
1030 unsigned int zonelabels;
1031 dns_zone_t *zone = NULL;
1034 REQUIRE(zonep != NULL && *zonep == NULL);
1038 /* Calculate how many labels are in name. */
1039 namelabels = dns_name_countlabels(name);
1042 /* Try to find name in bind's standard database. */
1043 result = query_getzonedb(client, name, qtype, options, &zone,
1046 /* See how many labels are in the zone's name. */
1047 if (result == ISC_R_SUCCESS && zone != NULL)
1048 zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
1050 * If # zone labels < # name labels, try to find an even better match
1051 * Only try if a DLZ driver is loaded for this view
1053 if (zonelabels < namelabels && client->view->dlzdatabase != NULL) {
1054 tresult = dns_dlzfindzone(client->view, name,
1056 /* If we successful, we found a better match. */
1057 if (tresult == ISC_R_SUCCESS) {
1059 * If the previous search returned a zone, detach it.
1062 dns_zone_detach(&zone);
1065 * If the previous search returned a database,
1072 * If the previous search returned a version, clear it.
1077 * Get our database version.
1079 dns_db_currentversion(tdbp, versionp);
1082 * Be sure to return our database.
1087 * We return a null zone, No stats for DLZ zones.
1094 /* If successful, Transfer ownership of zone. */
1095 if (result == ISC_R_SUCCESS) {
1098 * If neither attempt above succeeded, return the cache instead
1100 *is_zonep = ISC_TRUE;
1101 } else if (result == ISC_R_NOTFOUND) {
1102 result = query_getcachedb(client, name, qtype, dbp, options);
1103 *is_zonep = ISC_FALSE;
1108 static inline isc_boolean_t
1109 query_isduplicate(ns_client_t *client, dns_name_t *name,
1110 dns_rdatatype_t type, dns_name_t **mnamep)
1112 dns_section_t section;
1113 dns_name_t *mname = NULL;
1114 isc_result_t result;
1116 CTRACE("query_isduplicate");
1118 for (section = DNS_SECTION_ANSWER;
1119 section <= DNS_SECTION_ADDITIONAL;
1121 result = dns_message_findname(client->message, section,
1122 name, type, 0, &mname, NULL);
1123 if (result == ISC_R_SUCCESS) {
1125 * We've already got this RRset in the response.
1127 CTRACE("query_isduplicate: true: done");
1129 } else if (result == DNS_R_NXRRSET) {
1131 * The name exists, but the rdataset does not.
1133 if (section == DNS_SECTION_ADDITIONAL)
1136 RUNTIME_CHECK(result == DNS_R_NXDOMAIN);
1142 CTRACE("query_isduplicate: false: done");
1147 query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
1148 ns_client_t *client = arg;
1149 isc_result_t result, eresult;
1152 dns_name_t *fname, *mname;
1153 dns_rdataset_t *rdataset, *sigrdataset, *trdataset;
1156 dns_dbversion_t *version;
1157 isc_boolean_t added_something, need_addname;
1159 dns_rdatatype_t type;
1161 REQUIRE(NS_CLIENT_VALID(client));
1162 REQUIRE(qtype != dns_rdatatype_any);
1164 if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
1165 return (ISC_R_SUCCESS);
1167 CTRACE("query_addadditional");
1172 eresult = ISC_R_SUCCESS;
1180 added_something = ISC_FALSE;
1181 need_addname = ISC_FALSE;
1185 * We treat type A additional section processing as if it
1186 * were "any address type" additional section processing.
1187 * To avoid multiple lookups, we do an 'any' database
1188 * lookup and iterate over the node.
1190 if (qtype == dns_rdatatype_a)
1191 type = dns_rdatatype_any;
1196 * Get some resources.
1198 dbuf = query_getnamebuf(client);
1201 fname = query_newname(client, dbuf, &b);
1202 rdataset = query_newrdataset(client);
1203 if (fname == NULL || rdataset == NULL)
1205 if (WANTDNSSEC(client)) {
1206 sigrdataset = query_newrdataset(client);
1207 if (sigrdataset == NULL)
1212 * Look for a zone database that might contain authoritative
1215 result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
1216 &zone, &db, &version);
1217 if (result != ISC_R_SUCCESS)
1220 CTRACE("query_addadditional: db_find");
1223 * Since we are looking for authoritative data, we do not set
1224 * the GLUEOK flag. Glue will be looked for later, but not
1225 * necessarily in the same database.
1228 result = dns_db_find(db, name, version, type, client->query.dboptions,
1229 client->now, &node, fname, rdataset,
1231 if (result == ISC_R_SUCCESS) {
1232 if (sigrdataset != NULL && !dns_db_issecure(db) &&
1233 dns_rdataset_isassociated(sigrdataset))
1234 dns_rdataset_disassociate(sigrdataset);
1238 if (dns_rdataset_isassociated(rdataset))
1239 dns_rdataset_disassociate(rdataset);
1240 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
1241 dns_rdataset_disassociate(sigrdataset);
1243 dns_db_detachnode(db, &node);
1248 * No authoritative data was found. The cache is our next best bet.
1252 result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
1253 if (result != ISC_R_SUCCESS)
1255 * Most likely the client isn't allowed to query the cache.
1259 * Attempt to validate glue.
1261 if (sigrdataset == NULL) {
1262 sigrdataset = query_newrdataset(client);
1263 if (sigrdataset == NULL)
1266 result = dns_db_find(db, name, version, type,
1267 client->query.dboptions |
1268 DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK,
1269 client->now, &node, fname, rdataset,
1271 if (result == DNS_R_GLUE &&
1272 validate(client, db, fname, rdataset, sigrdataset))
1273 result = ISC_R_SUCCESS;
1274 if (!WANTDNSSEC(client))
1275 query_putrdataset(client, &sigrdataset);
1276 if (result == ISC_R_SUCCESS)
1279 if (dns_rdataset_isassociated(rdataset))
1280 dns_rdataset_disassociate(rdataset);
1281 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
1282 dns_rdataset_disassociate(sigrdataset);
1284 dns_db_detachnode(db, &node);
1289 * No cached data was found. Glue is our last chance.
1292 * NS records cause both the usual additional section
1293 * processing to locate a type A record, and, when used
1294 * in a referral, a special search of the zone in which
1295 * they reside for glue information.
1297 * This is the "special search". Note that we must search
1298 * the zone where the NS record resides, not the zone it
1299 * points to, and that we only do the search in the delegation
1300 * case (identified by client->query.gluedb being set).
1303 if (client->query.gluedb == NULL)
1307 * Don't poison caches using the bailiwick protection model.
1309 if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
1312 dns_db_attach(client->query.gluedb, &db);
1313 result = dns_db_find(db, name, version, type,
1314 client->query.dboptions | DNS_DBFIND_GLUEOK,
1315 client->now, &node, fname, rdataset,
1317 if (!(result == ISC_R_SUCCESS ||
1318 result == DNS_R_ZONECUT ||
1319 result == DNS_R_GLUE))
1324 * We have found a potential additional data rdataset, or
1325 * at least a node to iterate over.
1327 query_keepname(client, fname, dbuf);
1330 * If we have an rdataset, add it to the additional data
1334 if (dns_rdataset_isassociated(rdataset) &&
1335 !query_isduplicate(client, fname, type, &mname)) {
1336 if (mname != NULL) {
1337 INSIST(mname != fname);
1338 query_releasename(client, &fname);
1341 need_addname = ISC_TRUE;
1342 ISC_LIST_APPEND(fname->list, rdataset, link);
1343 trdataset = rdataset;
1345 added_something = ISC_TRUE;
1347 * Note: we only add SIGs if we've added the type they cover,
1348 * so we do not need to check if the SIG rdataset is already
1351 if (sigrdataset != NULL &&
1352 dns_rdataset_isassociated(sigrdataset))
1354 ISC_LIST_APPEND(fname->list, sigrdataset, link);
1359 if (qtype == dns_rdatatype_a) {
1361 * We now go looking for A and AAAA records, along with
1364 * XXXRTH This code could be more efficient.
1366 if (rdataset != NULL) {
1367 if (dns_rdataset_isassociated(rdataset))
1368 dns_rdataset_disassociate(rdataset);
1370 rdataset = query_newrdataset(client);
1371 if (rdataset == NULL)
1374 if (sigrdataset != NULL) {
1375 if (dns_rdataset_isassociated(sigrdataset))
1376 dns_rdataset_disassociate(sigrdataset);
1377 } else if (WANTDNSSEC(client)) {
1378 sigrdataset = query_newrdataset(client);
1379 if (sigrdataset == NULL)
1382 result = dns_db_findrdataset(db, node, version,
1384 client->now, rdataset,
1386 if (result == DNS_R_NCACHENXDOMAIN)
1388 if (result == DNS_R_NCACHENXRRSET) {
1389 dns_rdataset_disassociate(rdataset);
1390 if (sigrdataset != NULL &&
1391 dns_rdataset_isassociated(sigrdataset))
1392 dns_rdataset_disassociate(sigrdataset);
1394 if (result == ISC_R_SUCCESS) {
1396 if (!query_isduplicate(client, fname,
1397 dns_rdatatype_a, &mname)) {
1398 if (mname != fname) {
1399 if (mname != NULL) {
1400 query_releasename(client, &fname);
1403 need_addname = ISC_TRUE;
1405 ISC_LIST_APPEND(fname->list, rdataset, link);
1406 added_something = ISC_TRUE;
1407 if (sigrdataset != NULL &&
1408 dns_rdataset_isassociated(sigrdataset))
1410 ISC_LIST_APPEND(fname->list,
1413 query_newrdataset(client);
1415 rdataset = query_newrdataset(client);
1416 if (rdataset == NULL)
1418 if (WANTDNSSEC(client) && sigrdataset == NULL)
1421 dns_rdataset_disassociate(rdataset);
1422 if (sigrdataset != NULL &&
1423 dns_rdataset_isassociated(sigrdataset))
1424 dns_rdataset_disassociate(sigrdataset);
1427 result = dns_db_findrdataset(db, node, version,
1428 dns_rdatatype_aaaa, 0,
1429 client->now, rdataset,
1431 if (result == DNS_R_NCACHENXDOMAIN)
1433 if (result == DNS_R_NCACHENXRRSET) {
1434 dns_rdataset_disassociate(rdataset);
1435 if (sigrdataset != NULL &&
1436 dns_rdataset_isassociated(sigrdataset))
1437 dns_rdataset_disassociate(sigrdataset);
1439 if (result == ISC_R_SUCCESS) {
1441 if (!query_isduplicate(client, fname,
1442 dns_rdatatype_aaaa, &mname)) {
1443 if (mname != fname) {
1444 if (mname != NULL) {
1445 query_releasename(client, &fname);
1448 need_addname = ISC_TRUE;
1450 ISC_LIST_APPEND(fname->list, rdataset, link);
1451 added_something = ISC_TRUE;
1452 if (sigrdataset != NULL &&
1453 dns_rdataset_isassociated(sigrdataset))
1455 ISC_LIST_APPEND(fname->list,
1465 CTRACE("query_addadditional: addname");
1467 * If we haven't added anything, then we're done.
1469 if (!added_something)
1473 * We may have added our rdatasets to an existing name, if so, then
1474 * need_addname will be ISC_FALSE. Whether we used an existing name
1475 * or a new one, we must set fname to NULL to prevent cleanup.
1478 dns_message_addname(client->message, fname,
1479 DNS_SECTION_ADDITIONAL);
1483 * In a few cases, we want to add additional data for additional
1484 * data. It's simpler to just deal with special cases here than
1485 * to try to create a general purpose mechanism and allow the
1486 * rdata implementations to do it themselves.
1488 * This involves recursion, but the depth is limited. The
1489 * most complex case is adding a SRV rdataset, which involves
1490 * recursing to add address records, which in turn can cause
1491 * recursion to add KEYs.
1493 if (type == dns_rdatatype_srv && trdataset != NULL) {
1495 * If we're adding SRV records to the additional data
1496 * section, it's helpful if we add the SRV additional data
1499 eresult = dns_rdataset_additionaldata(trdataset,
1500 query_addadditional,
1505 CTRACE("query_addadditional: cleanup");
1506 query_putrdataset(client, &rdataset);
1507 if (sigrdataset != NULL)
1508 query_putrdataset(client, &sigrdataset);
1510 query_releasename(client, &fname);
1512 dns_db_detachnode(db, &node);
1516 dns_zone_detach(&zone);
1518 CTRACE("query_addadditional: done");
1523 query_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base,
1524 dns_rdatasetadditional_t additionaltype,
1525 dns_rdatatype_t type, dns_zone_t **zonep, dns_db_t **dbp,
1526 dns_dbversion_t **versionp, dns_dbnode_t **nodep,
1529 dns_rdataset_t *rdataset;
1531 while ((rdataset = ISC_LIST_HEAD(fname->list)) != NULL) {
1532 ISC_LIST_UNLINK(fname->list, rdataset, link);
1533 query_putrdataset(client, &rdataset);
1535 if (*versionp != NULL)
1536 dns_db_closeversion(*dbp, versionp, ISC_FALSE);
1538 dns_db_detachnode(*dbp, nodep);
1542 dns_zone_detach(zonep);
1543 (void)dns_rdataset_putadditional(client->view->acache, rdataset_base,
1544 additionaltype, type);
1547 static inline isc_result_t
1548 query_iscachevalid(dns_zone_t *zone, dns_db_t *db, dns_db_t *db0,
1549 dns_dbversion_t *version)
1551 isc_result_t result = ISC_R_SUCCESS;
1552 dns_dbversion_t *version_current = NULL;
1553 dns_db_t *db_current = db0;
1555 if (db_current == NULL) {
1556 result = dns_zone_getdb(zone, &db_current);
1557 if (result != ISC_R_SUCCESS)
1560 dns_db_currentversion(db_current, &version_current);
1561 if (db_current != db || version_current != version) {
1562 result = ISC_R_FAILURE;
1567 dns_db_closeversion(db_current, &version_current, ISC_FALSE);
1568 if (db0 == NULL && db_current != NULL)
1569 dns_db_detach(&db_current);
1575 query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
1576 client_additionalctx_t *additionalctx = arg;
1577 dns_rdataset_t *rdataset_base;
1578 ns_client_t *client;
1579 isc_result_t result, eresult;
1580 dns_dbnode_t *node, *cnode;
1582 dns_name_t *fname, *mname0, cfname;
1583 dns_rdataset_t *rdataset, *sigrdataset;
1584 dns_rdataset_t *crdataset, *crdataset_next;
1587 dns_dbversion_t *version, *cversion;
1588 isc_boolean_t added_something, need_addname, needadditionalcache;
1589 isc_boolean_t need_sigrrset;
1591 dns_rdatatype_t type;
1592 dns_rdatasetadditional_t additionaltype;
1594 if (qtype != dns_rdatatype_a) {
1596 * This function is optimized for "address" types. For other
1597 * types, use a generic routine.
1598 * XXX: ideally, this function should be generic enough.
1600 return (query_addadditional(additionalctx->client,
1607 rdataset_base = additionalctx->rdataset;
1608 client = additionalctx->client;
1609 REQUIRE(NS_CLIENT_VALID(client));
1610 eresult = ISC_R_SUCCESS;
1620 added_something = ISC_FALSE;
1621 need_addname = ISC_FALSE;
1623 needadditionalcache = ISC_FALSE;
1624 POST(needadditionalcache);
1625 additionaltype = dns_rdatasetadditional_fromauth;
1626 dns_name_init(&cfname, NULL);
1628 CTRACE("query_addadditional2");
1631 * We treat type A additional section processing as if it
1632 * were "any address type" additional section processing.
1633 * To avoid multiple lookups, we do an 'any' database
1634 * lookup and iterate over the node.
1635 * XXXJT: this approach can cause a suboptimal result when the cache
1636 * DB only has partial address types and the glue DB has remaining
1639 type = dns_rdatatype_any;
1642 * Get some resources.
1644 dbuf = query_getnamebuf(client);
1647 fname = query_newname(client, dbuf, &b);
1650 dns_name_setbuffer(&cfname, &b); /* share the buffer */
1652 /* Check additional cache */
1653 result = dns_rdataset_getadditional(rdataset_base, additionaltype,
1654 type, client->view->acache, &zone,
1655 &cdb, &cversion, &cnode, &cfname,
1656 client->message, client->now);
1657 if (result != ISC_R_SUCCESS)
1660 CTRACE("query_addadditional2: auth zone not found");
1664 /* Is the cached DB up-to-date? */
1665 result = query_iscachevalid(zone, cdb, NULL, cversion);
1666 if (result != ISC_R_SUCCESS) {
1667 CTRACE("query_addadditional2: old auth additional cache");
1668 query_discardcache(client, rdataset_base, additionaltype,
1669 type, &zone, &cdb, &cversion, &cnode,
1674 if (cnode == NULL) {
1676 * We have a negative cache. We don't have to check the zone
1677 * ACL, since the result (not using this zone) would be same
1678 * regardless of the result.
1680 CTRACE("query_addadditional2: negative auth additional cache");
1681 dns_db_closeversion(cdb, &cversion, ISC_FALSE);
1682 dns_db_detach(&cdb);
1683 dns_zone_detach(&zone);
1687 result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG,
1689 if (result != ISC_R_SUCCESS) {
1690 query_discardcache(client, rdataset_base, additionaltype,
1691 type, &zone, &cdb, &cversion, &cnode,
1696 /* We've got an active cache. */
1697 CTRACE("query_addadditional2: auth additional cache");
1698 dns_db_closeversion(cdb, &cversion, ISC_FALSE);
1701 dns_name_clone(&cfname, fname);
1702 query_keepname(client, fname, dbuf);
1706 * Look for a zone database that might contain authoritative
1710 result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
1711 &zone, &db, &version);
1712 if (result != ISC_R_SUCCESS) {
1713 /* Cache the negative result */
1714 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
1715 type, client->view->acache,
1716 NULL, NULL, NULL, NULL,
1721 CTRACE("query_addadditional2: db_find");
1724 * Since we are looking for authoritative data, we do not set
1725 * the GLUEOK flag. Glue will be looked for later, but not
1726 * necessarily in the same database.
1729 result = dns_db_find(db, name, version, type, client->query.dboptions,
1730 client->now, &node, fname, NULL, NULL);
1731 if (result == ISC_R_SUCCESS)
1734 /* Cache the negative result */
1735 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
1736 type, client->view->acache, zone, db,
1737 version, NULL, fname);
1740 dns_db_detachnode(db, &node);
1745 * No authoritative data was found. The cache is our next best bet.
1749 additionaltype = dns_rdatasetadditional_fromcache;
1750 result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
1751 if (result != ISC_R_SUCCESS)
1753 * Most likely the client isn't allowed to query the cache.
1757 result = dns_db_find(db, name, version, type,
1758 client->query.dboptions |
1759 DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK,
1760 client->now, &node, fname, NULL, NULL);
1761 if (result == ISC_R_SUCCESS)
1765 dns_db_detachnode(db, &node);
1770 * No cached data was found. Glue is our last chance.
1773 * NS records cause both the usual additional section
1774 * processing to locate a type A record, and, when used
1775 * in a referral, a special search of the zone in which
1776 * they reside for glue information.
1778 * This is the "special search". Note that we must search
1779 * the zone where the NS record resides, not the zone it
1780 * points to, and that we only do the search in the delegation
1781 * case (identified by client->query.gluedb being set).
1783 if (client->query.gluedb == NULL)
1787 * Don't poison caches using the bailiwick protection model.
1789 if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
1792 /* Check additional cache */
1793 additionaltype = dns_rdatasetadditional_fromglue;
1794 result = dns_rdataset_getadditional(rdataset_base, additionaltype,
1795 type, client->view->acache, NULL,
1796 &cdb, &cversion, &cnode, &cfname,
1797 client->message, client->now);
1798 if (result != ISC_R_SUCCESS)
1801 result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
1802 if (result != ISC_R_SUCCESS) {
1803 CTRACE("query_addadditional2: old glue additional cache");
1804 query_discardcache(client, rdataset_base, additionaltype,
1805 type, &zone, &cdb, &cversion, &cnode,
1810 if (cnode == NULL) {
1811 /* We have a negative cache. */
1812 CTRACE("query_addadditional2: negative glue additional cache");
1813 dns_db_closeversion(cdb, &cversion, ISC_FALSE);
1814 dns_db_detach(&cdb);
1819 CTRACE("query_addadditional2: glue additional cache");
1820 dns_db_closeversion(cdb, &cversion, ISC_FALSE);
1823 dns_name_clone(&cfname, fname);
1824 query_keepname(client, fname, dbuf);
1828 dns_db_attach(client->query.gluedb, &db);
1829 result = dns_db_find(db, name, version, type,
1830 client->query.dboptions | DNS_DBFIND_GLUEOK,
1831 client->now, &node, fname, NULL, NULL);
1832 if (!(result == ISC_R_SUCCESS ||
1833 result == DNS_R_ZONECUT ||
1834 result == DNS_R_GLUE)) {
1835 /* cache the negative result */
1836 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
1837 type, client->view->acache,
1838 NULL, db, version, NULL,
1845 * We have found a DB node to iterate over from a DB.
1846 * We are going to look for address RRsets (i.e., A and AAAA) in the DB
1847 * node we've just found. We'll then store the complete information
1848 * in the additional data cache.
1850 dns_name_clone(fname, &cfname);
1851 query_keepname(client, fname, dbuf);
1852 needadditionalcache = ISC_TRUE;
1854 rdataset = query_newrdataset(client);
1855 if (rdataset == NULL)
1858 sigrdataset = query_newrdataset(client);
1859 if (sigrdataset == NULL)
1863 * Find A RRset with sig RRset. Even if we don't find a sig RRset
1864 * for a client using DNSSEC, we'll continue the process to make a
1865 * complete list to be cached. However, we need to cancel the
1866 * caching when something unexpected happens, in order to avoid
1867 * caching incomplete information.
1869 result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0,
1870 client->now, rdataset, sigrdataset);
1872 * If we can't promote glue/pending from the cache to secure
1875 if (result == ISC_R_SUCCESS &&
1876 additionaltype == dns_rdatasetadditional_fromcache &&
1877 (DNS_TRUST_PENDING(rdataset->trust) ||
1878 DNS_TRUST_GLUE(rdataset->trust)) &&
1879 !validate(client, db, fname, rdataset, sigrdataset)) {
1880 dns_rdataset_disassociate(rdataset);
1881 if (dns_rdataset_isassociated(sigrdataset))
1882 dns_rdataset_disassociate(sigrdataset);
1883 result = ISC_R_NOTFOUND;
1885 if (result == DNS_R_NCACHENXDOMAIN)
1887 if (result == DNS_R_NCACHENXRRSET) {
1888 dns_rdataset_disassociate(rdataset);
1889 if (dns_rdataset_isassociated(sigrdataset))
1890 dns_rdataset_disassociate(sigrdataset);
1892 if (result == ISC_R_SUCCESS) {
1893 /* Remember the result as a cache */
1894 ISC_LIST_APPEND(cfname.list, rdataset, link);
1895 if (dns_rdataset_isassociated(sigrdataset)) {
1896 ISC_LIST_APPEND(cfname.list, sigrdataset, link);
1897 sigrdataset = query_newrdataset(client);
1899 rdataset = query_newrdataset(client);
1900 if (sigrdataset == NULL || rdataset == NULL) {
1901 /* do not cache incomplete information */
1906 /* Find AAAA RRset with sig RRset */
1907 result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa,
1908 0, client->now, rdataset, sigrdataset);
1910 * If we can't promote glue/pending from the cache to secure
1913 if (result == ISC_R_SUCCESS &&
1914 additionaltype == dns_rdatasetadditional_fromcache &&
1915 (DNS_TRUST_PENDING(rdataset->trust) ||
1916 DNS_TRUST_GLUE(rdataset->trust)) &&
1917 !validate(client, db, fname, rdataset, sigrdataset)) {
1918 dns_rdataset_disassociate(rdataset);
1919 if (dns_rdataset_isassociated(sigrdataset))
1920 dns_rdataset_disassociate(sigrdataset);
1921 result = ISC_R_NOTFOUND;
1923 if (result == ISC_R_SUCCESS) {
1924 ISC_LIST_APPEND(cfname.list, rdataset, link);
1926 if (dns_rdataset_isassociated(sigrdataset)) {
1927 ISC_LIST_APPEND(cfname.list, sigrdataset, link);
1934 * Set the new result in the cache if required. We do not support
1935 * caching additional data from a cache DB.
1937 if (needadditionalcache == ISC_TRUE &&
1938 (additionaltype == dns_rdatasetadditional_fromauth ||
1939 additionaltype == dns_rdatasetadditional_fromglue)) {
1940 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
1941 type, client->view->acache,
1942 zone, db, version, node,
1947 need_sigrrset = ISC_FALSE;
1949 for (crdataset = ISC_LIST_HEAD(cfname.list);
1951 crdataset = crdataset_next) {
1954 crdataset_next = ISC_LIST_NEXT(crdataset, link);
1957 if (crdataset->type == dns_rdatatype_a ||
1958 crdataset->type == dns_rdatatype_aaaa) {
1959 if (!query_isduplicate(client, fname, crdataset->type,
1961 if (mname != fname) {
1962 if (mname != NULL) {
1964 * A different type of this name is
1965 * already stored in the additional
1966 * section. We'll reuse the name.
1967 * Note that this should happen at most
1968 * once. Otherwise, fname->link could
1971 INSIST(mname0 == NULL);
1973 query_releasename(client, &fname);
1977 need_addname = ISC_TRUE;
1979 ISC_LIST_UNLINK(cfname.list, crdataset, link);
1980 ISC_LIST_APPEND(fname->list, crdataset, link);
1981 added_something = ISC_TRUE;
1982 need_sigrrset = ISC_TRUE;
1984 need_sigrrset = ISC_FALSE;
1985 } else if (crdataset->type == dns_rdatatype_rrsig &&
1986 need_sigrrset && WANTDNSSEC(client)) {
1987 ISC_LIST_UNLINK(cfname.list, crdataset, link);
1988 ISC_LIST_APPEND(fname->list, crdataset, link);
1989 added_something = ISC_TRUE; /* just in case */
1990 need_sigrrset = ISC_FALSE;
1994 CTRACE("query_addadditional2: addname");
1997 * If we haven't added anything, then we're done.
1999 if (!added_something)
2003 * We may have added our rdatasets to an existing name, if so, then
2004 * need_addname will be ISC_FALSE. Whether we used an existing name
2005 * or a new one, we must set fname to NULL to prevent cleanup.
2008 dns_message_addname(client->message, fname,
2009 DNS_SECTION_ADDITIONAL);
2013 CTRACE("query_addadditional2: cleanup");
2015 if (rdataset != NULL)
2016 query_putrdataset(client, &rdataset);
2017 if (sigrdataset != NULL)
2018 query_putrdataset(client, &sigrdataset);
2019 while ((crdataset = ISC_LIST_HEAD(cfname.list)) != NULL) {
2020 ISC_LIST_UNLINK(cfname.list, crdataset, link);
2021 query_putrdataset(client, &crdataset);
2024 query_releasename(client, &fname);
2026 dns_db_detachnode(db, &node);
2030 dns_zone_detach(&zone);
2032 CTRACE("query_addadditional2: done");
2037 query_addrdataset(ns_client_t *client, dns_name_t *fname,
2038 dns_rdataset_t *rdataset)
2040 client_additionalctx_t additionalctx;
2043 * Add 'rdataset' and any pertinent additional data to
2044 * 'fname', a name in the response message for 'client'.
2047 CTRACE("query_addrdataset");
2049 ISC_LIST_APPEND(fname->list, rdataset, link);
2051 if (client->view->order != NULL)
2052 rdataset->attributes |= dns_order_find(client->view->order,
2053 fname, rdataset->type,
2055 rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
2057 if (NOADDITIONAL(client))
2061 * Add additional data.
2063 * We don't care if dns_rdataset_additionaldata() fails.
2065 additionalctx.client = client;
2066 additionalctx.rdataset = rdataset;
2067 (void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
2069 CTRACE("query_addrdataset: done");
2073 query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset,
2074 dns_rdataset_t *sigrdataset, isc_buffer_t *dbuf,
2075 dns_section_t section)
2077 dns_name_t *name, *mname;
2078 dns_rdata_t *dns64_rdata;
2079 dns_rdata_t rdata = DNS_RDATA_INIT;
2080 dns_rdatalist_t *dns64_rdatalist;
2081 dns_rdataset_t *dns64_rdataset;
2082 dns_rdataset_t *mrdataset;
2083 isc_buffer_t *buffer;
2085 isc_result_t result;
2086 dns_view_t *view = client->view;
2087 isc_netaddr_t netaddr;
2089 unsigned int flags = 0;
2092 * To the current response for 'client', add the answer RRset
2093 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
2094 * owner name '*namep', to section 'section', unless they are
2095 * already there. Also add any pertinent additional data.
2097 * If 'dbuf' is not NULL, then '*namep' is the name whose data is
2098 * stored in 'dbuf'. In this case, query_addrrset() guarantees that
2099 * when it returns the name will either have been kept or released.
2101 CTRACE("query_dns64");
2107 dns64_rdataset = NULL;
2108 dns64_rdatalist = NULL;
2109 result = dns_message_findname(client->message, section,
2110 name, dns_rdatatype_aaaa,
2112 &mname, &mrdataset);
2113 if (result == ISC_R_SUCCESS) {
2115 * We've already got an RRset of the given name and type.
2116 * There's nothing else to do;
2118 CTRACE("query_dns64: dns_message_findname succeeded: done");
2120 query_releasename(client, namep);
2121 return (ISC_R_SUCCESS);
2122 } else if (result == DNS_R_NXDOMAIN) {
2124 * The name doesn't exist.
2127 query_keepname(client, name, dbuf);
2128 dns_message_addname(client->message, name, section);
2132 RUNTIME_CHECK(result == DNS_R_NXRRSET);
2134 query_releasename(client, namep);
2137 if (rdataset->trust != dns_trust_secure &&
2138 (section == DNS_SECTION_ANSWER ||
2139 section == DNS_SECTION_AUTHORITY))
2140 client->query.attributes &= ~NS_QUERYATTR_SECURE;
2142 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
2144 result = isc_buffer_allocate(client->mctx, &buffer, view->dns64cnt *
2145 16 * dns_rdataset_count(rdataset));
2146 if (result != ISC_R_SUCCESS)
2148 result = dns_message_gettemprdataset(client->message, &dns64_rdataset);
2149 if (result != ISC_R_SUCCESS)
2151 result = dns_message_gettemprdatalist(client->message,
2153 if (result != ISC_R_SUCCESS)
2156 dns_rdataset_init(dns64_rdataset);
2157 dns_rdatalist_init(dns64_rdatalist);
2158 dns64_rdatalist->rdclass = dns_rdataclass_in;
2159 dns64_rdatalist->type = dns_rdatatype_aaaa;
2160 if (client->query.dns64_ttl != ISC_UINT32_MAX)
2161 dns64_rdatalist->ttl = ISC_MIN(rdataset->ttl,
2162 client->query.dns64_ttl);
2164 dns64_rdatalist->ttl = ISC_MIN(rdataset->ttl, 600);
2166 if (RECURSIONOK(client))
2167 flags |= DNS_DNS64_RECURSIVE;
2170 * We use the signatures from the A lookup to set DNS_DNS64_DNSSEC
2171 * as this provides a easy way to see if the answer was signed.
2173 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
2174 flags |= DNS_DNS64_DNSSEC;
2176 for (result = dns_rdataset_first(rdataset);
2177 result == ISC_R_SUCCESS;
2178 result = dns_rdataset_next(rdataset)) {
2179 for (dns64 = ISC_LIST_HEAD(client->view->dns64);
2180 dns64 != NULL; dns64 = dns_dns64_next(dns64)) {
2182 dns_rdataset_current(rdataset, &rdata);
2183 isc__buffer_availableregion(buffer, &r);
2184 INSIST(r.length >= 16);
2185 result = dns_dns64_aaaafroma(dns64, &netaddr,
2187 &ns_g_server->aclenv,
2188 flags, rdata.data, r.base);
2189 if (result != ISC_R_SUCCESS) {
2190 dns_rdata_reset(&rdata);
2193 isc_buffer_add(buffer, 16);
2194 isc_buffer_remainingregion(buffer, &r);
2195 isc_buffer_forward(buffer, 16);
2196 result = dns_message_gettemprdata(client->message,
2198 if (result != ISC_R_SUCCESS)
2200 dns_rdata_init(dns64_rdata);
2201 dns_rdata_fromregion(dns64_rdata, dns_rdataclass_in,
2202 dns_rdatatype_aaaa, &r);
2203 ISC_LIST_APPEND(dns64_rdatalist->rdata, dns64_rdata,
2206 dns_rdata_reset(&rdata);
2209 if (result != ISC_R_NOMORE)
2212 if (ISC_LIST_EMPTY(dns64_rdatalist->rdata))
2215 result = dns_rdatalist_tordataset(dns64_rdatalist, dns64_rdataset);
2216 if (result != ISC_R_SUCCESS)
2218 client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
2219 dns64_rdataset->trust = rdataset->trust;
2220 query_addrdataset(client, mname, dns64_rdataset);
2221 dns64_rdataset = NULL;
2222 dns64_rdatalist = NULL;
2223 dns_message_takebuffer(client->message, &buffer);
2224 result = ISC_R_SUCCESS;
2228 isc_buffer_free(&buffer);
2230 if (dns64_rdata != NULL)
2231 dns_message_puttemprdata(client->message, &dns64_rdata);
2233 if (dns64_rdataset != NULL)
2234 dns_message_puttemprdataset(client->message, &dns64_rdataset);
2236 if (dns64_rdatalist != NULL) {
2237 for (dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata);
2238 dns64_rdata != NULL;
2239 dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata))
2241 ISC_LIST_UNLINK(dns64_rdatalist->rdata,
2243 dns_message_puttemprdata(client->message, &dns64_rdata);
2245 dns_message_puttemprdatalist(client->message, &dns64_rdatalist);
2248 CTRACE("query_dns64: done");
2253 query_filter64(ns_client_t *client, dns_name_t **namep,
2254 dns_rdataset_t *rdataset, isc_buffer_t *dbuf,
2255 dns_section_t section)
2257 dns_name_t *name, *mname;
2258 dns_rdata_t *myrdata;
2259 dns_rdata_t rdata = DNS_RDATA_INIT;
2260 dns_rdatalist_t *myrdatalist;
2261 dns_rdataset_t *myrdataset;
2262 isc_buffer_t *buffer;
2264 isc_result_t result;
2267 CTRACE("query_filter64");
2269 INSIST(client->query.dns64_aaaaok != NULL);
2270 INSIST(client->query.dns64_aaaaoklen == dns_rdataset_count(rdataset));
2278 result = dns_message_findname(client->message, section,
2279 name, dns_rdatatype_aaaa,
2281 &mname, &myrdataset);
2282 if (result == ISC_R_SUCCESS) {
2284 * We've already got an RRset of the given name and type.
2285 * There's nothing else to do;
2287 CTRACE("query_filter64: dns_message_findname succeeded: done");
2289 query_releasename(client, namep);
2291 } else if (result == DNS_R_NXDOMAIN) {
2295 RUNTIME_CHECK(result == DNS_R_NXRRSET);
2297 query_releasename(client, namep);
2301 if (rdataset->trust != dns_trust_secure &&
2302 (section == DNS_SECTION_ANSWER ||
2303 section == DNS_SECTION_AUTHORITY))
2304 client->query.attributes &= ~NS_QUERYATTR_SECURE;
2306 result = isc_buffer_allocate(client->mctx, &buffer,
2307 16 * dns_rdataset_count(rdataset));
2308 if (result != ISC_R_SUCCESS)
2310 result = dns_message_gettemprdataset(client->message, &myrdataset);
2311 if (result != ISC_R_SUCCESS)
2313 result = dns_message_gettemprdatalist(client->message, &myrdatalist);
2314 if (result != ISC_R_SUCCESS)
2317 dns_rdataset_init(myrdataset);
2318 dns_rdatalist_init(myrdatalist);
2319 myrdatalist->rdclass = dns_rdataclass_in;
2320 myrdatalist->type = dns_rdatatype_aaaa;
2321 myrdatalist->ttl = rdataset->ttl;
2324 for (result = dns_rdataset_first(rdataset);
2325 result == ISC_R_SUCCESS;
2326 result = dns_rdataset_next(rdataset)) {
2327 if (!client->query.dns64_aaaaok[i++])
2329 dns_rdataset_current(rdataset, &rdata);
2330 INSIST(rdata.length == 16);
2331 isc_buffer_putmem(buffer, rdata.data, rdata.length);
2332 isc_buffer_remainingregion(buffer, &r);
2333 isc_buffer_forward(buffer, rdata.length);
2334 result = dns_message_gettemprdata(client->message, &myrdata);
2335 if (result != ISC_R_SUCCESS)
2337 dns_rdata_init(myrdata);
2338 dns_rdata_fromregion(myrdata, dns_rdataclass_in,
2339 dns_rdatatype_aaaa, &r);
2340 ISC_LIST_APPEND(myrdatalist->rdata, myrdata, link);
2342 dns_rdata_reset(&rdata);
2344 if (result != ISC_R_NOMORE)
2347 result = dns_rdatalist_tordataset(myrdatalist, myrdataset);
2348 if (result != ISC_R_SUCCESS)
2350 client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
2351 if (mname == name) {
2353 query_keepname(client, name, dbuf);
2354 dns_message_addname(client->message, name, section);
2357 myrdataset->trust = rdataset->trust;
2358 query_addrdataset(client, mname, myrdataset);
2361 dns_message_takebuffer(client->message, &buffer);
2365 isc_buffer_free(&buffer);
2367 if (myrdata != NULL)
2368 dns_message_puttemprdata(client->message, &myrdata);
2370 if (myrdataset != NULL)
2371 dns_message_puttemprdataset(client->message, &myrdataset);
2373 if (myrdatalist != NULL) {
2374 for (myrdata = ISC_LIST_HEAD(myrdatalist->rdata);
2376 myrdata = ISC_LIST_HEAD(myrdatalist->rdata))
2378 ISC_LIST_UNLINK(myrdatalist->rdata, myrdata, link);
2379 dns_message_puttemprdata(client->message, &myrdata);
2381 dns_message_puttemprdatalist(client->message, &myrdatalist);
2384 query_releasename(client, &name);
2386 CTRACE("query_filter64: done");
2390 query_addrrset(ns_client_t *client, dns_name_t **namep,
2391 dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
2392 isc_buffer_t *dbuf, dns_section_t section)
2394 dns_name_t *name, *mname;
2395 dns_rdataset_t *rdataset, *mrdataset, *sigrdataset;
2396 isc_result_t result;
2399 * To the current response for 'client', add the answer RRset
2400 * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
2401 * owner name '*namep', to section 'section', unless they are
2402 * already there. Also add any pertinent additional data.
2404 * If 'dbuf' is not NULL, then '*namep' is the name whose data is
2405 * stored in 'dbuf'. In this case, query_addrrset() guarantees that
2406 * when it returns the name will either have been kept or released.
2408 CTRACE("query_addrrset");
2410 rdataset = *rdatasetp;
2411 if (sigrdatasetp != NULL)
2412 sigrdataset = *sigrdatasetp;
2417 result = dns_message_findname(client->message, section,
2418 name, rdataset->type, rdataset->covers,
2419 &mname, &mrdataset);
2420 if (result == ISC_R_SUCCESS) {
2422 * We've already got an RRset of the given name and type.
2423 * There's nothing else to do;
2425 CTRACE("query_addrrset: dns_message_findname succeeded: done");
2427 query_releasename(client, namep);
2429 } else if (result == DNS_R_NXDOMAIN) {
2431 * The name doesn't exist.
2434 query_keepname(client, name, dbuf);
2435 dns_message_addname(client->message, name, section);
2439 RUNTIME_CHECK(result == DNS_R_NXRRSET);
2441 query_releasename(client, namep);
2444 if (rdataset->trust != dns_trust_secure &&
2445 (section == DNS_SECTION_ANSWER ||
2446 section == DNS_SECTION_AUTHORITY))
2447 client->query.attributes &= ~NS_QUERYATTR_SECURE;
2449 * Note: we only add SIGs if we've added the type they cover, so
2450 * we do not need to check if the SIG rdataset is already in the
2453 query_addrdataset(client, mname, rdataset);
2455 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
2457 * We have a signature. Add it to the response.
2459 ISC_LIST_APPEND(mname->list, sigrdataset, link);
2460 *sigrdatasetp = NULL;
2462 CTRACE("query_addrrset: done");
2465 static inline isc_result_t
2466 query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
2467 unsigned int override_ttl, isc_boolean_t isassociated)
2471 isc_result_t result, eresult;
2472 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2473 dns_rdataset_t **sigrdatasetp = NULL;
2475 CTRACE("query_addsoa");
2479 eresult = ISC_R_SUCCESS;
2485 * Don't add the SOA record for test which set "-T nosoa".
2487 if (ns_g_nosoa && (!WANTDNSSEC(client) || !isassociated))
2488 return (ISC_R_SUCCESS);
2491 * Get resources and make 'name' be the database origin.
2493 result = dns_message_gettempname(client->message, &name);
2494 if (result != ISC_R_SUCCESS)
2496 dns_name_init(name, NULL);
2497 dns_name_clone(dns_db_origin(db), name);
2498 rdataset = query_newrdataset(client);
2499 if (rdataset == NULL) {
2500 eresult = DNS_R_SERVFAIL;
2503 if (WANTDNSSEC(client) && dns_db_issecure(db)) {
2504 sigrdataset = query_newrdataset(client);
2505 if (sigrdataset == NULL) {
2506 eresult = DNS_R_SERVFAIL;
2514 result = dns_db_getoriginnode(db, &node);
2515 if (result == ISC_R_SUCCESS) {
2516 result = dns_db_findrdataset(db, node, version,
2518 0, client->now, rdataset,
2521 dns_fixedname_t foundname;
2524 dns_fixedname_init(&foundname);
2525 fname = dns_fixedname_name(&foundname);
2527 result = dns_db_find(db, name, version, dns_rdatatype_soa,
2528 client->query.dboptions, 0, &node,
2529 fname, rdataset, sigrdataset);
2531 if (result != ISC_R_SUCCESS) {
2533 * This is bad. We tried to get the SOA RR at the zone top
2534 * and it didn't work!
2536 eresult = DNS_R_SERVFAIL;
2539 * Extract the SOA MINIMUM.
2541 dns_rdata_soa_t soa;
2542 dns_rdata_t rdata = DNS_RDATA_INIT;
2543 result = dns_rdataset_first(rdataset);
2544 RUNTIME_CHECK(result == ISC_R_SUCCESS);
2545 dns_rdataset_current(rdataset, &rdata);
2546 result = dns_rdata_tostruct(&rdata, &soa, NULL);
2547 if (result != ISC_R_SUCCESS)
2550 if (override_ttl != ISC_UINT32_MAX &&
2551 override_ttl < rdataset->ttl) {
2552 rdataset->ttl = override_ttl;
2553 if (sigrdataset != NULL)
2554 sigrdataset->ttl = override_ttl;
2558 * Add the SOA and its SIG to the response, with the
2559 * TTLs adjusted per RFC2308 section 3.
2561 if (rdataset->ttl > soa.minimum)
2562 rdataset->ttl = soa.minimum;
2563 if (sigrdataset != NULL && sigrdataset->ttl > soa.minimum)
2564 sigrdataset->ttl = soa.minimum;
2566 if (sigrdataset != NULL)
2567 sigrdatasetp = &sigrdataset;
2569 sigrdatasetp = NULL;
2570 query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
2571 DNS_SECTION_AUTHORITY);
2575 query_putrdataset(client, &rdataset);
2576 if (sigrdataset != NULL)
2577 query_putrdataset(client, &sigrdataset);
2579 query_releasename(client, &name);
2581 dns_db_detachnode(db, &node);
2586 static inline isc_result_t
2587 query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
2588 dns_name_t *name, *fname;
2590 isc_result_t result, eresult;
2591 dns_fixedname_t foundname;
2592 dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
2593 dns_rdataset_t **sigrdatasetp = NULL;
2595 CTRACE("query_addns");
2599 eresult = ISC_R_SUCCESS;
2603 dns_fixedname_init(&foundname);
2604 fname = dns_fixedname_name(&foundname);
2607 * Get resources and make 'name' be the database origin.
2609 result = dns_message_gettempname(client->message, &name);
2610 if (result != ISC_R_SUCCESS) {
2611 CTRACE("query_addns: dns_message_gettempname failed: done");
2614 dns_name_init(name, NULL);
2615 dns_name_clone(dns_db_origin(db), name);
2616 rdataset = query_newrdataset(client);
2617 if (rdataset == NULL) {
2618 CTRACE("query_addns: query_newrdataset failed");
2619 eresult = DNS_R_SERVFAIL;
2622 if (WANTDNSSEC(client) && dns_db_issecure(db)) {
2623 sigrdataset = query_newrdataset(client);
2624 if (sigrdataset == NULL) {
2625 CTRACE("query_addns: query_newrdataset failed");
2626 eresult = DNS_R_SERVFAIL;
2632 * Find the NS rdataset.
2634 result = dns_db_getoriginnode(db, &node);
2635 if (result == ISC_R_SUCCESS) {
2636 result = dns_db_findrdataset(db, node, version,
2638 0, client->now, rdataset,
2641 CTRACE("query_addns: calling dns_db_find");
2642 result = dns_db_find(db, name, NULL, dns_rdatatype_ns,
2643 client->query.dboptions, 0, &node,
2644 fname, rdataset, sigrdataset);
2645 CTRACE("query_addns: dns_db_find complete");
2647 if (result != ISC_R_SUCCESS) {
2648 CTRACE("query_addns: "
2649 "dns_db_findrdataset or dns_db_find failed");
2651 * This is bad. We tried to get the NS rdataset at the zone
2652 * top and it didn't work!
2654 eresult = DNS_R_SERVFAIL;
2656 if (sigrdataset != NULL)
2657 sigrdatasetp = &sigrdataset;
2659 sigrdatasetp = NULL;
2660 query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
2661 DNS_SECTION_AUTHORITY);
2665 CTRACE("query_addns: cleanup");
2666 query_putrdataset(client, &rdataset);
2667 if (sigrdataset != NULL)
2668 query_putrdataset(client, &sigrdataset);
2670 query_releasename(client, &name);
2672 dns_db_detachnode(db, &node);
2674 CTRACE("query_addns: done");
2679 query_add_cname(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
2680 dns_trust_t trust, dns_ttl_t ttl)
2682 dns_rdataset_t *rdataset;
2683 dns_rdatalist_t *rdatalist;
2687 isc_result_t result;
2690 * We assume the name data referred to by tname won't go away.
2694 result = dns_message_gettempname(client->message, &aname);
2695 if (result != ISC_R_SUCCESS)
2697 result = dns_name_dup(qname, client->mctx, aname);
2698 if (result != ISC_R_SUCCESS) {
2699 dns_message_puttempname(client->message, &aname);
2704 result = dns_message_gettemprdatalist(client->message, &rdatalist);
2705 if (result != ISC_R_SUCCESS) {
2706 dns_message_puttempname(client->message, &aname);
2710 result = dns_message_gettemprdata(client->message, &rdata);
2711 if (result != ISC_R_SUCCESS) {
2712 dns_message_puttempname(client->message, &aname);
2713 dns_message_puttemprdatalist(client->message, &rdatalist);
2717 result = dns_message_gettemprdataset(client->message, &rdataset);
2718 if (result != ISC_R_SUCCESS) {
2719 dns_message_puttempname(client->message, &aname);
2720 dns_message_puttemprdatalist(client->message, &rdatalist);
2721 dns_message_puttemprdata(client->message, &rdata);
2724 dns_rdataset_init(rdataset);
2725 rdatalist->type = dns_rdatatype_cname;
2726 rdatalist->covers = 0;
2727 rdatalist->rdclass = client->message->rdclass;
2728 rdatalist->ttl = ttl;
2730 dns_name_toregion(tname, &r);
2731 rdata->data = r.base;
2732 rdata->length = r.length;
2733 rdata->rdclass = client->message->rdclass;
2734 rdata->type = dns_rdatatype_cname;
2736 ISC_LIST_INIT(rdatalist->rdata);
2737 ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
2738 RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
2740 rdataset->trust = trust;
2742 query_addrrset(client, &aname, &rdataset, NULL, NULL,
2743 DNS_SECTION_ANSWER);
2744 if (rdataset != NULL) {
2745 if (dns_rdataset_isassociated(rdataset))
2746 dns_rdataset_disassociate(rdataset);
2747 dns_message_puttemprdataset(client->message, &rdataset);
2750 dns_message_puttempname(client->message, &aname);
2752 return (ISC_R_SUCCESS);
2756 * Mark the RRsets as secure. Update the cache (db) to reflect the
2757 * change in trust level.
2760 mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
2761 isc_uint32_t ttl, dns_rdataset_t *rdataset,
2762 dns_rdataset_t *sigrdataset)
2764 isc_result_t result;
2765 dns_dbnode_t *node = NULL;
2767 rdataset->trust = dns_trust_secure;
2768 sigrdataset->trust = dns_trust_secure;
2771 * Save the updated secure state. Ignore failures.
2773 result = dns_db_findnode(db, name, ISC_TRUE, &node);
2774 if (result != ISC_R_SUCCESS)
2777 * Bound the validated ttls then minimise.
2779 if (sigrdataset->ttl > ttl)
2780 sigrdataset->ttl = ttl;
2781 if (rdataset->ttl > ttl)
2782 rdataset->ttl = ttl;
2783 if (rdataset->ttl > sigrdataset->ttl)
2784 rdataset->ttl = sigrdataset->ttl;
2786 sigrdataset->ttl = rdataset->ttl;
2788 (void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
2790 (void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset,
2792 dns_db_detachnode(db, &node);
2796 * Find the secure key that corresponds to rrsig.
2797 * Note: 'keyrdataset' maintains state between successive calls,
2798 * there may be multiple keys with the same keyid.
2799 * Return ISC_FALSE if we have exhausted all the possible keys.
2801 static isc_boolean_t
2802 get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig,
2803 dns_rdataset_t *keyrdataset, dst_key_t **keyp)
2805 isc_result_t result;
2806 dns_dbnode_t *node = NULL;
2807 isc_boolean_t secure = ISC_FALSE;
2809 if (!dns_rdataset_isassociated(keyrdataset)) {
2810 result = dns_db_findnode(db, &rrsig->signer, ISC_FALSE, &node);
2811 if (result != ISC_R_SUCCESS)
2814 result = dns_db_findrdataset(db, node, NULL,
2815 dns_rdatatype_dnskey, 0,
2816 client->now, keyrdataset, NULL);
2817 dns_db_detachnode(db, &node);
2818 if (result != ISC_R_SUCCESS)
2821 if (keyrdataset->trust != dns_trust_secure)
2824 result = dns_rdataset_first(keyrdataset);
2826 result = dns_rdataset_next(keyrdataset);
2828 for ( ; result == ISC_R_SUCCESS;
2829 result = dns_rdataset_next(keyrdataset)) {
2830 dns_rdata_t rdata = DNS_RDATA_INIT;
2833 dns_rdataset_current(keyrdataset, &rdata);
2834 isc_buffer_init(&b, rdata.data, rdata.length);
2835 isc_buffer_add(&b, rdata.length);
2836 result = dst_key_fromdns(&rrsig->signer, rdata.rdclass, &b,
2837 client->mctx, keyp);
2838 if (result != ISC_R_SUCCESS)
2840 if (rrsig->algorithm == (dns_secalg_t)dst_key_alg(*keyp) &&
2841 rrsig->keyid == (dns_keytag_t)dst_key_id(*keyp) &&
2842 dst_key_iszonekey(*keyp)) {
2851 static isc_boolean_t
2852 verify(dst_key_t *key, dns_name_t *name, dns_rdataset_t *rdataset,
2853 dns_rdata_t *rdata, isc_mem_t *mctx, isc_boolean_t acceptexpired)
2855 isc_result_t result;
2856 dns_fixedname_t fixed;
2857 isc_boolean_t ignore = ISC_FALSE;
2859 dns_fixedname_init(&fixed);
2862 result = dns_dnssec_verify2(name, rdataset, key, ignore, mctx,
2864 if (result == DNS_R_SIGEXPIRED && acceptexpired) {
2868 if (result == ISC_R_SUCCESS || result == DNS_R_FROMWILDCARD)
2874 * Validate the rdataset if possible with available records.
2876 static isc_boolean_t
2877 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
2878 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
2880 isc_result_t result;
2881 dns_rdata_t rdata = DNS_RDATA_INIT;
2882 dns_rdata_rrsig_t rrsig;
2883 dst_key_t *key = NULL;
2884 dns_rdataset_t keyrdataset;
2886 if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
2889 for (result = dns_rdataset_first(sigrdataset);
2890 result == ISC_R_SUCCESS;
2891 result = dns_rdataset_next(sigrdataset)) {
2893 dns_rdata_reset(&rdata);
2894 dns_rdataset_current(sigrdataset, &rdata);
2895 result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
2896 if (result != ISC_R_SUCCESS)
2898 if (!dns_resolver_algorithm_supported(client->view->resolver,
2899 name, rrsig.algorithm))
2901 if (!dns_name_issubdomain(name, &rrsig.signer))
2903 dns_rdataset_init(&keyrdataset);
2905 if (!get_key(client, db, &rrsig, &keyrdataset, &key))
2907 if (verify(key, name, rdataset, &rdata, client->mctx,
2908 client->view->acceptexpired)) {
2910 dns_rdataset_disassociate(&keyrdataset);
2911 mark_secure(client, db, name,
2913 rdataset, sigrdataset);
2918 if (dns_rdataset_isassociated(&keyrdataset))
2919 dns_rdataset_disassociate(&keyrdataset);
2925 query_addbestns(ns_client_t *client) {
2928 dns_name_t *fname, *zfname;
2929 dns_rdataset_t *rdataset, *sigrdataset, *zrdataset, *zsigrdataset;
2930 isc_boolean_t is_zone, use_zone;
2932 isc_result_t result;
2933 dns_dbversion_t *version;
2937 CTRACE("query_addbestns");
2943 zsigrdataset = NULL;
2949 is_zone = ISC_FALSE;
2950 use_zone = ISC_FALSE;
2953 * Find the right database.
2955 result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0,
2956 &zone, &db, &version, &is_zone);
2957 if (result != ISC_R_SUCCESS)
2962 * We'll need some resources...
2964 dbuf = query_getnamebuf(client);
2967 fname = query_newname(client, dbuf, &b);
2968 rdataset = query_newrdataset(client);
2969 if (fname == NULL || rdataset == NULL)
2972 * Get the RRSIGs if the client requested them or if we may
2973 * need to validate answers from the cache.
2975 if (WANTDNSSEC(client) || !is_zone) {
2976 sigrdataset = query_newrdataset(client);
2977 if (sigrdataset == NULL)
2982 * Now look for the zonecut.
2985 result = dns_db_find(db, client->query.qname, version,
2986 dns_rdatatype_ns, client->query.dboptions,
2987 client->now, &node, fname,
2988 rdataset, sigrdataset);
2989 if (result != DNS_R_DELEGATION)
2991 if (USECACHE(client)) {
2992 query_keepname(client, fname, dbuf);
2996 zrdataset = rdataset;
2998 zsigrdataset = sigrdataset;
3000 dns_db_detachnode(db, &node);
3003 dns_db_attach(client->view->cachedb, &db);
3004 is_zone = ISC_FALSE;
3008 result = dns_db_findzonecut(db, client->query.qname,
3009 client->query.dboptions,
3010 client->now, &node, fname,
3011 rdataset, sigrdataset);
3012 if (result == ISC_R_SUCCESS) {
3013 if (zfname != NULL &&
3014 !dns_name_issubdomain(fname, zfname)) {
3016 * We found a zonecut in the cache, but our
3017 * zone delegation is better.
3019 use_zone = ISC_TRUE;
3021 } else if (result == ISC_R_NOTFOUND && zfname != NULL) {
3023 * We didn't find anything in the cache, but we
3024 * have a zone delegation, so use it.
3026 use_zone = ISC_TRUE;
3032 query_releasename(client, &fname);
3036 * We've already done query_keepname() on
3037 * zfname, so we must set dbuf to NULL to
3038 * prevent query_addrrset() from trying to
3039 * call query_keepname() again.
3042 query_putrdataset(client, &rdataset);
3043 if (sigrdataset != NULL)
3044 query_putrdataset(client, &sigrdataset);
3045 rdataset = zrdataset;
3047 sigrdataset = zsigrdataset;
3048 zsigrdataset = NULL;
3052 * Attempt to validate RRsets that are pending or that are glue.
3054 if ((DNS_TRUST_PENDING(rdataset->trust) ||
3055 (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust)))
3056 && !validate(client, db, fname, rdataset, sigrdataset) &&
3057 !PENDINGOK(client->query.dboptions))
3060 if ((DNS_TRUST_GLUE(rdataset->trust) ||
3061 (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) &&
3062 !validate(client, db, fname, rdataset, sigrdataset) &&
3063 SECURE(client) && WANTDNSSEC(client))
3067 * If the client doesn't want DNSSEC we can discard the sigrdataset
3070 if (!WANTDNSSEC(client))
3071 query_putrdataset(client, &sigrdataset);
3072 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
3073 DNS_SECTION_AUTHORITY);
3076 if (rdataset != NULL)
3077 query_putrdataset(client, &rdataset);
3078 if (sigrdataset != NULL)
3079 query_putrdataset(client, &sigrdataset);
3081 query_releasename(client, &fname);
3083 dns_db_detachnode(db, &node);
3087 dns_zone_detach(&zone);
3089 query_putrdataset(client, &zrdataset);
3090 if (zsigrdataset != NULL)
3091 query_putrdataset(client, &zsigrdataset);
3093 query_releasename(client, &zfname);
3094 dns_db_detach(&zdb);
3099 fixrdataset(ns_client_t *client, dns_rdataset_t **rdataset) {
3100 if (*rdataset == NULL)
3101 *rdataset = query_newrdataset(client);
3102 else if (dns_rdataset_isassociated(*rdataset))
3103 dns_rdataset_disassociate(*rdataset);
3107 fixfname(ns_client_t *client, dns_name_t **fname, isc_buffer_t **dbuf,
3110 if (*fname == NULL) {
3111 *dbuf = query_getnamebuf(client);
3114 *fname = query_newname(client, *dbuf, nbuf);
3119 query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
3120 dns_dbversion_t *version, dns_name_t *name)
3122 dns_fixedname_t fixed;
3123 dns_name_t *fname = NULL;
3125 dns_rdataset_t *rdataset, *sigrdataset;
3126 isc_buffer_t *dbuf, b;
3127 isc_result_t result;
3130 CTRACE("query_addds");
3136 * We'll need some resources...
3138 rdataset = query_newrdataset(client);
3139 sigrdataset = query_newrdataset(client);
3140 if (rdataset == NULL || sigrdataset == NULL)
3144 * Look for the DS record, which may or may not be present.
3146 result = dns_db_findrdataset(db, node, version, dns_rdatatype_ds, 0,
3147 client->now, rdataset, sigrdataset);
3149 * If we didn't find it, look for an NSEC.
3151 if (result == ISC_R_NOTFOUND)
3152 result = dns_db_findrdataset(db, node, version,
3153 dns_rdatatype_nsec, 0, client->now,
3154 rdataset, sigrdataset);
3155 if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
3157 if (!dns_rdataset_isassociated(rdataset) ||
3158 !dns_rdataset_isassociated(sigrdataset))
3162 * We've already added the NS record, so if the name's not there,
3163 * we have other problems. Use this name rather than calling
3166 result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY);
3167 if (result != ISC_R_SUCCESS)
3171 dns_message_currentname(client->message, DNS_SECTION_AUTHORITY,
3173 result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL);
3174 if (result != ISC_R_SUCCESS)
3177 ISC_LIST_APPEND(rname->list, rdataset, link);
3178 ISC_LIST_APPEND(rname->list, sigrdataset, link);
3184 if (!dns_db_iszone(db))
3187 * Add the NSEC3 which proves the DS does not exist.
3189 dbuf = query_getnamebuf(client);
3192 fname = query_newname(client, dbuf, &b);
3193 dns_fixedname_init(&fixed);
3194 if (dns_rdataset_isassociated(rdataset))
3195 dns_rdataset_disassociate(rdataset);
3196 if (dns_rdataset_isassociated(sigrdataset))
3197 dns_rdataset_disassociate(sigrdataset);
3198 query_findclosestnsec3(name, db, version, client, rdataset,
3199 sigrdataset, fname, ISC_TRUE,
3200 dns_fixedname_name(&fixed));
3201 if (!dns_rdataset_isassociated(rdataset))
3203 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
3204 DNS_SECTION_AUTHORITY);
3206 * Did we find the closest provable encloser instead?
3207 * If so add the nearest to the closest provable encloser.
3209 if (!dns_name_equal(name, dns_fixedname_name(&fixed))) {
3210 count = dns_name_countlabels(dns_fixedname_name(&fixed)) + 1;
3211 dns_name_getlabelsequence(name,
3212 dns_name_countlabels(name) - count,
3213 count, dns_fixedname_name(&fixed));
3214 fixfname(client, &fname, &dbuf, &b);
3215 fixrdataset(client, &rdataset);
3216 fixrdataset(client, &sigrdataset);
3217 if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
3219 query_findclosestnsec3(dns_fixedname_name(&fixed), db, version,
3220 client, rdataset, sigrdataset, fname,
3222 if (!dns_rdataset_isassociated(rdataset))
3224 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
3225 DNS_SECTION_AUTHORITY);
3229 if (rdataset != NULL)
3230 query_putrdataset(client, &rdataset);
3231 if (sigrdataset != NULL)
3232 query_putrdataset(client, &sigrdataset);
3234 query_releasename(client, &fname);
3238 query_addwildcardproof(ns_client_t *client, dns_db_t *db,
3239 dns_dbversion_t *version, dns_name_t *name,
3240 isc_boolean_t ispositive, isc_boolean_t nodata)
3242 isc_buffer_t *dbuf, b;
3244 dns_rdataset_t *rdataset, *sigrdataset;
3245 dns_fixedname_t wfixed;
3248 unsigned int options;
3249 unsigned int olabels, nlabels, labels;
3250 isc_result_t result;
3251 dns_rdata_t rdata = DNS_RDATA_INIT;
3252 dns_rdata_nsec_t nsec;
3253 isc_boolean_t have_wname;
3255 dns_fixedname_t cfixed;
3258 CTRACE("query_addwildcardproof");
3265 * Get the NOQNAME proof then if !ispositive
3266 * get the NOWILDCARD proof.
3268 * DNS_DBFIND_NOWILD finds the NSEC records that covers the
3269 * name ignoring any wildcard. From the owner and next names
3270 * of this record you can compute which wildcard (if it exists)
3271 * will match by finding the longest common suffix of the
3272 * owner name and next names with the qname and prefixing that
3273 * with the wildcard label.
3278 * example NSEC b.example
3280 * b.example NSEC a.d.example
3282 * a.d.example NSEC g.f.example
3284 * g.f.example NSEC z.i.example
3286 * z.i.example NSEC example
3289 * a.example -> example NSEC b.example
3290 * owner common example
3291 * next common example
3293 * d.b.example -> b.example NSEC a.d.example
3294 * owner common b.example
3295 * next common example
3297 * a.f.example -> a.d.example NSEC g.f.example
3298 * owner common example
3299 * next common f.example
3301 * j.example -> z.i.example NSEC example
3302 * owner common example
3303 * next common example
3306 options = client->query.dboptions | DNS_DBFIND_NOWILD;
3307 dns_fixedname_init(&wfixed);
3308 wname = dns_fixedname_name(&wfixed);
3310 have_wname = ISC_FALSE;
3312 * We'll need some resources...
3314 dbuf = query_getnamebuf(client);
3317 fname = query_newname(client, dbuf, &b);
3318 rdataset = query_newrdataset(client);
3319 sigrdataset = query_newrdataset(client);
3320 if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
3323 result = dns_db_find(db, name, version, dns_rdatatype_nsec, options,
3324 0, &node, fname, rdataset, sigrdataset);
3326 dns_db_detachnode(db, &node);
3328 if (!dns_rdataset_isassociated(rdataset)) {
3330 * No NSEC proof available, return NSEC3 proofs instead.
3332 dns_fixedname_init(&cfixed);
3333 cname = dns_fixedname_name(&cfixed);
3335 * Find the closest encloser.
3337 dns_name_copy(name, cname, NULL);
3338 while (result == DNS_R_NXDOMAIN) {
3339 labels = dns_name_countlabels(cname) - 1;
3340 dns_name_split(cname, labels, NULL, cname);
3341 result = dns_db_find(db, cname, version,
3343 options, 0, NULL, fname,
3347 * Add closest (provable) encloser NSEC3.
3349 query_findclosestnsec3(cname, db, NULL, client, rdataset,
3350 sigrdataset, fname, ISC_TRUE, cname);
3351 if (!dns_rdataset_isassociated(rdataset))
3353 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3354 dbuf, DNS_SECTION_AUTHORITY);
3357 * Replace resources which were consumed by query_addrrset.
3359 if (fname == NULL) {
3360 dbuf = query_getnamebuf(client);
3363 fname = query_newname(client, dbuf, &b);
3366 if (rdataset == NULL)
3367 rdataset = query_newrdataset(client);
3368 else if (dns_rdataset_isassociated(rdataset))
3369 dns_rdataset_disassociate(rdataset);
3371 if (sigrdataset == NULL)
3372 sigrdataset = query_newrdataset(client);
3373 else if (dns_rdataset_isassociated(sigrdataset))
3374 dns_rdataset_disassociate(sigrdataset);
3376 if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
3379 * Add no qname proof.
3381 labels = dns_name_countlabels(cname) + 1;
3382 if (dns_name_countlabels(name) == labels)
3383 dns_name_copy(name, wname, NULL);
3385 dns_name_split(name, labels, NULL, wname);
3387 query_findclosestnsec3(wname, db, NULL, client, rdataset,
3388 sigrdataset, fname, ISC_FALSE, NULL);
3389 if (!dns_rdataset_isassociated(rdataset))
3391 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3392 dbuf, DNS_SECTION_AUTHORITY);
3398 * Replace resources which were consumed by query_addrrset.
3400 if (fname == NULL) {
3401 dbuf = query_getnamebuf(client);
3404 fname = query_newname(client, dbuf, &b);
3407 if (rdataset == NULL)
3408 rdataset = query_newrdataset(client);
3409 else if (dns_rdataset_isassociated(rdataset))
3410 dns_rdataset_disassociate(rdataset);
3412 if (sigrdataset == NULL)
3413 sigrdataset = query_newrdataset(client);
3414 else if (dns_rdataset_isassociated(sigrdataset))
3415 dns_rdataset_disassociate(sigrdataset);
3417 if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
3420 * Add the no wildcard proof.
3422 result = dns_name_concatenate(dns_wildcardname,
3423 cname, wname, NULL);
3424 if (result != ISC_R_SUCCESS)
3427 query_findclosestnsec3(wname, db, NULL, client, rdataset,
3428 sigrdataset, fname, nodata, NULL);
3429 if (!dns_rdataset_isassociated(rdataset))
3431 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3432 dbuf, DNS_SECTION_AUTHORITY);
3435 } else if (result == DNS_R_NXDOMAIN) {
3437 result = dns_rdataset_first(rdataset);
3438 if (result == ISC_R_SUCCESS) {
3439 dns_rdataset_current(rdataset, &rdata);
3440 result = dns_rdata_tostruct(&rdata, &nsec, NULL);
3442 if (result == ISC_R_SUCCESS) {
3443 (void)dns_name_fullcompare(name, fname, &order,
3445 (void)dns_name_fullcompare(name, &nsec.next, &order,
3448 * Check for a pathological condition created when
3449 * serving some malformed signed zones and bail out.
3451 if (dns_name_countlabels(name) == nlabels)
3454 if (olabels > nlabels)
3455 dns_name_split(name, olabels, NULL, wname);
3457 dns_name_split(name, nlabels, NULL, wname);
3458 result = dns_name_concatenate(dns_wildcardname,
3459 wname, wname, NULL);
3460 if (result == ISC_R_SUCCESS)
3461 have_wname = ISC_TRUE;
3462 dns_rdata_freestruct(&nsec);
3464 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3465 dbuf, DNS_SECTION_AUTHORITY);
3467 if (rdataset != NULL)
3468 query_putrdataset(client, &rdataset);
3469 if (sigrdataset != NULL)
3470 query_putrdataset(client, &sigrdataset);
3472 query_releasename(client, &fname);
3474 ispositive = ISC_TRUE; /* prevent loop */
3475 if (!dns_name_equal(name, wname)) {
3481 if (rdataset != NULL)
3482 query_putrdataset(client, &rdataset);
3483 if (sigrdataset != NULL)
3484 query_putrdataset(client, &sigrdataset);
3486 query_releasename(client, &fname);
3490 query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db,
3491 dns_dbversion_t *version, dns_name_t **namep,
3492 dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp)
3495 dns_rdataset_t *sigrdataset;
3496 dns_rdata_t sigrdata;
3497 dns_rdata_rrsig_t sig;
3498 unsigned int labels;
3499 isc_buffer_t *dbuf, b;
3501 isc_result_t result;
3504 if ((name->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
3505 query_addrrset(client, namep, rdatasetp, sigrdatasetp,
3506 NULL, DNS_SECTION_AUTHORITY);
3510 if (sigrdatasetp == NULL)
3513 sigrdataset = *sigrdatasetp;
3514 if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
3516 result = dns_rdataset_first(sigrdataset);
3517 if (result != ISC_R_SUCCESS)
3519 dns_rdata_init(&sigrdata);
3520 dns_rdataset_current(sigrdataset, &sigrdata);
3521 result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
3522 if (result != ISC_R_SUCCESS)
3525 labels = dns_name_countlabels(name);
3526 if ((unsigned int)sig.labels + 1 >= labels)
3530 query_addwildcardproof(client, db, version, client->query.qname,
3531 ISC_TRUE, ISC_FALSE);
3534 * We'll need some resources...
3536 dbuf = query_getnamebuf(client);
3539 fname = query_newname(client, dbuf, &b);
3542 dns_name_split(name, sig.labels + 1, NULL, fname);
3543 /* This will succeed, since we've stripped labels. */
3544 RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname,
3545 NULL) == ISC_R_SUCCESS);
3546 query_addrrset(client, &fname, rdatasetp, sigrdatasetp,
3547 dbuf, DNS_SECTION_AUTHORITY);
3551 query_resume(isc_task_t *task, isc_event_t *event) {
3552 dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
3554 ns_client_t *client;
3555 isc_boolean_t fetch_canceled, client_shuttingdown;
3556 isc_result_t result;
3557 isc_logcategory_t *logcategory = NS_LOGCATEGORY_QUERY_EERRORS;
3561 * Resume a query after recursion.
3566 REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
3567 client = devent->ev_arg;
3568 REQUIRE(NS_CLIENT_VALID(client));
3569 REQUIRE(task == client->task);
3570 REQUIRE(RECURSING(client));
3572 LOCK(&client->query.fetchlock);
3573 if (client->query.fetch != NULL) {
3575 * This is the fetch we've been waiting for.
3577 INSIST(devent->fetch == client->query.fetch);
3578 client->query.fetch = NULL;
3579 fetch_canceled = ISC_FALSE;
3581 * Update client->now.
3583 isc_stdtime_get(&client->now);
3586 * This is a fetch completion event for a canceled fetch.
3587 * Clean up and don't resume the find.
3589 fetch_canceled = ISC_TRUE;
3591 UNLOCK(&client->query.fetchlock);
3592 INSIST(client->query.fetch == NULL);
3594 client->query.attributes &= ~NS_QUERYATTR_RECURSING;
3595 fetch = devent->fetch;
3596 devent->fetch = NULL;
3599 * If this client is shutting down, or this transaction
3600 * has timed out, do not resume the find.
3602 client_shuttingdown = ns_client_shuttingdown(client);
3603 if (fetch_canceled || client_shuttingdown) {
3604 if (devent->node != NULL)
3605 dns_db_detachnode(devent->db, &devent->node);
3606 if (devent->db != NULL)
3607 dns_db_detach(&devent->db);
3608 query_putrdataset(client, &devent->rdataset);
3609 if (devent->sigrdataset != NULL)
3610 query_putrdataset(client, &devent->sigrdataset);
3611 isc_event_free(&event);
3613 query_error(client, DNS_R_SERVFAIL, __LINE__);
3615 query_next(client, ISC_R_CANCELED);
3617 * This may destroy the client.
3619 ns_client_detach(&client);
3621 result = query_find(client, devent, 0);
3622 if (result != ISC_R_SUCCESS) {
3623 if (result == DNS_R_SERVFAIL)
3624 errorloglevel = ISC_LOG_DEBUG(2);
3626 errorloglevel = ISC_LOG_DEBUG(4);
3627 if (isc_log_wouldlog(ns_g_lctx, errorloglevel)) {
3628 dns_resolver_logfetch(fetch, ns_g_lctx,
3631 errorloglevel, ISC_FALSE);
3636 dns_resolver_destroyfetch(&fetch);
3640 query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
3641 dns_name_t *qdomain, dns_rdataset_t *nameservers,
3642 isc_boolean_t resuming)
3644 isc_result_t result;
3645 dns_rdataset_t *rdataset, *sigrdataset;
3646 isc_sockaddr_t *peeraddr;
3649 inc_stats(client, dns_nsstatscounter_recursion);
3652 * We are about to recurse, which means that this client will
3653 * be unavailable for serving new requests for an indeterminate
3654 * amount of time. If this client is currently responsible
3655 * for handling incoming queries, set up a new client
3656 * object to handle them while we are waiting for a
3657 * response. There is no need to replace TCP clients
3658 * because those have already been replaced when the
3659 * connection was accepted (if allowed by the TCP quota).
3661 if (client->recursionquota == NULL) {
3662 result = isc_quota_attach(&ns_g_server->recursionquota,
3663 &client->recursionquota);
3664 if (result == ISC_R_SOFTQUOTA) {
3665 static isc_stdtime_t last = 0;
3667 isc_stdtime_get(&now);
3670 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
3673 "recursive-clients soft limit "
3674 "exceeded (%d/%d/%d), "
3675 "aborting oldest query",
3676 client->recursionquota->used,
3677 client->recursionquota->soft,
3678 client->recursionquota->max);
3680 ns_client_killoldestquery(client);
3681 result = ISC_R_SUCCESS;
3682 } else if (result == ISC_R_QUOTA) {
3683 static isc_stdtime_t last = 0;
3685 isc_stdtime_get(&now);
3688 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
3691 "no more recursive clients "
3693 ns_g_server->recursionquota.used,
3694 ns_g_server->recursionquota.soft,
3695 ns_g_server->recursionquota.max,
3696 isc_result_totext(result));
3698 ns_client_killoldestquery(client);
3700 if (result == ISC_R_SUCCESS && !client->mortal &&
3701 (client->attributes & NS_CLIENTATTR_TCP) == 0) {
3702 result = ns_client_replace(client);
3703 if (result != ISC_R_SUCCESS) {
3704 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
3707 "ns_client_replace() failed: %s",
3708 isc_result_totext(result));
3709 isc_quota_detach(&client->recursionquota);
3712 if (result != ISC_R_SUCCESS)
3714 ns_client_recursing(client);
3718 * Invoke the resolver.
3720 REQUIRE(nameservers == NULL || nameservers->type == dns_rdatatype_ns);
3721 REQUIRE(client->query.fetch == NULL);
3723 rdataset = query_newrdataset(client);
3724 if (rdataset == NULL)
3725 return (ISC_R_NOMEMORY);
3726 if (WANTDNSSEC(client)) {
3727 sigrdataset = query_newrdataset(client);
3728 if (sigrdataset == NULL) {
3729 query_putrdataset(client, &rdataset);
3730 return (ISC_R_NOMEMORY);
3735 if (client->query.timerset == ISC_FALSE)
3736 ns_client_settimeout(client, 60);
3737 if ((client->attributes & NS_CLIENTATTR_TCP) == 0)
3738 peeraddr = &client->peeraddr;
3741 result = dns_resolver_createfetch2(client->view->resolver,
3742 qname, qtype, qdomain, nameservers,
3743 NULL, peeraddr, client->message->id,
3744 client->query.fetchoptions,
3746 query_resume, client,
3747 rdataset, sigrdataset,
3748 &client->query.fetch);
3750 if (result == ISC_R_SUCCESS) {
3752 * Record that we're waiting for an event. A client which
3753 * is shutting down will not be destroyed until all the
3754 * events have been received.
3757 query_putrdataset(client, &rdataset);
3758 if (sigrdataset != NULL)
3759 query_putrdataset(client, &sigrdataset);
3766 rpz_clean(dns_zone_t **zonep, dns_db_t **dbp, dns_dbnode_t **nodep,
3767 dns_rdataset_t **rdatasetp)
3769 if (nodep != NULL && *nodep != NULL) {
3770 REQUIRE(dbp != NULL && *dbp != NULL);
3771 dns_db_detachnode(*dbp, nodep);
3773 if (dbp != NULL && *dbp != NULL)
3775 if (zonep != NULL && *zonep != NULL)
3776 dns_zone_detach(zonep);
3777 if (rdatasetp != NULL && *rdatasetp != NULL &&
3778 dns_rdataset_isassociated(*rdatasetp))
3779 dns_rdataset_disassociate(*rdatasetp);
3782 static inline isc_result_t
3783 rpz_ready(ns_client_t *client, dns_zone_t **zonep, dns_db_t **dbp,
3784 dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp)
3786 REQUIRE(rdatasetp != NULL);
3788 rpz_clean(zonep, dbp, nodep, rdatasetp);
3789 if (*rdatasetp == NULL) {
3790 *rdatasetp = query_newrdataset(client);
3791 if (*rdatasetp == NULL)
3792 return (DNS_R_SERVFAIL);
3794 return (ISC_R_SUCCESS);
3798 rpz_st_clear(ns_client_t *client) {
3799 dns_rpz_st_t *st = client->query.rpz_st;
3801 rpz_clean(&st->m.zone, &st->m.db, &st->m.node, NULL);
3802 if (st->m.rdataset != NULL)
3803 query_putrdataset(client, &st->m.rdataset);
3805 rpz_clean(NULL, &st->ns.db, NULL, NULL);
3806 if (st->ns.ns_rdataset != NULL)
3807 query_putrdataset(client, &st->ns.ns_rdataset);
3808 if (st->ns.r_rdataset != NULL)
3809 query_putrdataset(client, &st->ns.r_rdataset);
3811 rpz_clean(&st->q.zone, &st->q.db, &st->q.node, NULL);
3812 if (st->q.rdataset != NULL)
3813 query_putrdataset(client, &st->q.rdataset);
3814 if (st->q.sigrdataset != NULL)
3815 query_putrdataset(client, &st->q.sigrdataset);
3820 * Get NS, A, or AAAA rrset for rpz nsdname or nsip checking.
3823 rpz_ns_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
3824 dns_db_t **dbp, dns_dbversion_t *version,
3825 dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
3828 isc_boolean_t is_zone;
3830 dns_fixedname_t fixed;
3832 isc_result_t result;
3834 st = client->query.rpz_st;
3835 if ((st->state & DNS_RPZ_RECURSING) != 0) {
3836 INSIST(st->ns.r_type == type);
3837 INSIST(dns_name_equal(name, st->r_name));
3838 INSIST(*rdatasetp == NULL ||
3839 !dns_rdataset_isassociated(*rdatasetp));
3840 st->state &= ~DNS_RPZ_RECURSING;
3843 if (*rdatasetp != NULL)
3844 query_putrdataset(client, rdatasetp);
3845 *rdatasetp = st->ns.r_rdataset;
3846 st->ns.r_rdataset = NULL;
3847 result = st->ns.r_result;
3848 if (result == DNS_R_DELEGATION) {
3849 rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL,
3850 DNS_RPZ_TYPE_NSIP, name,
3851 "rpz_ns_find() ", result);
3852 st->m.policy = DNS_RPZ_POLICY_ERROR;
3853 result = DNS_R_SERVFAIL;
3858 result = rpz_ready(client, NULL, NULL, NULL, rdatasetp);
3859 if (result != ISC_R_SUCCESS) {
3860 st->m.policy = DNS_RPZ_POLICY_ERROR;
3864 is_zone = ISC_FALSE;
3870 result = query_getdb(client, name, type, 0, &zone, dbp,
3871 &version, &is_zone);
3872 if (result != ISC_R_SUCCESS) {
3873 rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL,
3874 DNS_RPZ_TYPE_NSIP, name, "NS getdb() ",
3876 st->m.policy = DNS_RPZ_POLICY_ERROR;
3878 dns_zone_detach(&zone);
3882 dns_zone_detach(&zone);
3886 dns_fixedname_init(&fixed);
3887 found = dns_fixedname_name(&fixed);
3888 result = dns_db_find(*dbp, name, version, type, 0, client->now, &node,
3889 found, *rdatasetp, NULL);
3890 if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) {
3892 * Try the cache if we're authoritative for an
3893 * ancestor but not the domain itself.
3895 rpz_clean(NULL, dbp, &node, rdatasetp);
3897 dns_db_attach(client->view->cachedb, dbp);
3898 result = dns_db_find(*dbp, name, version, dns_rdatatype_ns,
3899 0, client->now, &node, found,
3902 rpz_clean(NULL, dbp, &node, NULL);
3903 if (result == DNS_R_DELEGATION) {
3905 * Recurse to get NS rrset or A or AAAA rrset for an NS name.
3907 rpz_clean(NULL, NULL, NULL, rdatasetp);
3908 dns_name_copy(name, st->r_name, NULL);
3909 result = query_recurse(client, type, st->r_name, NULL, NULL,
3911 if (result == ISC_R_SUCCESS) {
3912 st->state |= DNS_RPZ_RECURSING;
3913 result = DNS_R_DELEGATION;
3920 * Check the IP address in an A or AAAA rdataset against
3921 * the IP or NSIP response policy rules of a view.
3924 rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset,
3925 dns_rpz_type_t rpz_type)
3928 dns_dbversion_t *version;
3931 dns_rpz_zone_t *new_rpz;
3932 isc_result_t result;
3934 st = client->query.rpz_st;
3935 if (st->m.rdataset == NULL) {
3936 st->m.rdataset = query_newrdataset(client);
3937 if (st->m.rdataset == NULL)
3938 return (DNS_R_SERVFAIL);
3942 for (new_rpz = ISC_LIST_HEAD(client->view->rpz_zones);
3944 new_rpz = ISC_LIST_NEXT(new_rpz, link)) {
3948 * Find the database for this policy zone to get its
3951 result = rpz_getdb(client, rpz_type, &new_rpz->origin,
3952 &zone, &db, &version);
3953 if (result != ISC_R_SUCCESS) {
3954 rpz_clean(&zone, &db, NULL, NULL);
3958 * Look for a better (e.g. longer prefix) hit for an IP address
3959 * in this rdataset in this radix tree than than the previous
3960 * hit, if any. Note the domain name and quality of the
3963 result = dns_db_rpz_findips(new_rpz, rpz_type, zone, db,
3964 version, rdataset, st);
3965 RUNTIME_CHECK(result == ISC_R_SUCCESS);
3966 rpz_clean(&zone, &db, NULL, NULL);
3968 return (ISC_R_SUCCESS);
3972 rpz_rewrite_nsip(ns_client_t *client, dns_rdatatype_t type, dns_name_t *name,
3973 dns_db_t **dbp, dns_dbversion_t *version,
3974 dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
3976 isc_result_t result;
3978 result = rpz_ns_find(client, name, type, dbp, version, rdatasetp,
3982 result = rpz_rewrite_ip(client, *rdatasetp, DNS_RPZ_TYPE_NSIP);
3984 case DNS_R_EMPTYNAME:
3985 case DNS_R_EMPTYWILD:
3986 case DNS_R_NXDOMAIN:
3987 case DNS_R_NCACHENXDOMAIN:
3989 case DNS_R_NCACHENXRRSET:
3990 result = ISC_R_SUCCESS;
3992 case DNS_R_DELEGATION:
3993 case DNS_R_DUPLICATE:
3997 if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
3998 client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR;
3999 rpz_fail_log(client, ISC_LOG_WARNING, DNS_RPZ_TYPE_NSIP,
4000 name, "NS address rewrite nsip ", result);
4008 * Get the rrset from a response policy zone.
4011 rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
4012 dns_name_t *sname, dns_rpz_type_t rpz_type, dns_zone_t **zonep,
4013 dns_db_t **dbp, dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
4014 dns_rpz_policy_t *policyp)
4016 dns_dbversion_t *version;
4017 dns_rpz_policy_t policy;
4018 dns_fixedname_t fixed;
4020 isc_result_t result;
4022 result = rpz_ready(client, zonep, dbp, nodep, rdatasetp);
4023 if (result != ISC_R_SUCCESS) {
4024 *policyp = DNS_RPZ_POLICY_ERROR;
4029 * Try to get either a CNAME or the type of record demanded by the
4030 * request from the policy zone.
4033 result = rpz_getdb(client, rpz_type, qnamef, zonep, dbp, &version);
4034 if (result != ISC_R_SUCCESS) {
4035 *policyp = DNS_RPZ_POLICY_MISS;
4036 return (DNS_R_NXDOMAIN);
4039 dns_fixedname_init(&fixed);
4040 found = dns_fixedname_name(&fixed);
4041 result = dns_db_find(*dbp, qnamef, version, dns_rdatatype_any, 0,
4042 client->now, nodep, found, *rdatasetp, NULL);
4043 if (result == ISC_R_SUCCESS) {
4044 dns_rdatasetiter_t *rdsiter;
4047 result = dns_db_allrdatasets(*dbp, *nodep, version, 0,
4049 if (result != ISC_R_SUCCESS) {
4050 dns_db_detachnode(*dbp, nodep);
4051 rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
4052 qnamef, "allrdatasets()", result);
4053 *policyp = DNS_RPZ_POLICY_ERROR;
4054 return (DNS_R_SERVFAIL);
4056 for (result = dns_rdatasetiter_first(rdsiter);
4057 result == ISC_R_SUCCESS;
4058 result = dns_rdatasetiter_next(rdsiter)) {
4059 dns_rdatasetiter_current(rdsiter, *rdatasetp);
4060 if ((*rdatasetp)->type == dns_rdatatype_cname ||
4061 (*rdatasetp)->type == qtype)
4063 dns_rdataset_disassociate(*rdatasetp);
4065 dns_rdatasetiter_destroy(&rdsiter);
4066 if (result != ISC_R_SUCCESS) {
4067 if (result != ISC_R_NOMORE) {
4068 rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL,
4069 rpz_type, qnamef, "rdatasetiter",
4071 *policyp = DNS_RPZ_POLICY_ERROR;
4072 return (DNS_R_SERVFAIL);
4075 * Ask again to get the right DNS_R_DNAME/NXRRSET/...
4076 * result if there is neither a CNAME nor target type.
4078 if (dns_rdataset_isassociated(*rdatasetp))
4079 dns_rdataset_disassociate(*rdatasetp);
4080 dns_db_detachnode(*dbp, nodep);
4082 if (qtype == dns_rdatatype_rrsig ||
4083 qtype == dns_rdatatype_sig)
4084 result = DNS_R_NXRRSET;
4086 result = dns_db_find(*dbp, qnamef, version,
4087 qtype, 0, client->now,
4088 nodep, found, *rdatasetp,
4094 if ((*rdatasetp)->type != dns_rdatatype_cname) {
4095 policy = DNS_RPZ_POLICY_RECORD;
4097 policy = dns_rpz_decode_cname(*rdatasetp, sname);
4098 if (policy == DNS_RPZ_POLICY_RECORD &&
4099 qtype != dns_rdatatype_cname &&
4100 qtype != dns_rdatatype_any)
4101 result = DNS_R_CNAME;
4106 * DNAME policy RRs have very few if any uses that are not
4107 * better served with simple wildcards. Making the work would
4108 * require complications to get the number of labels matched
4109 * in the name or the found name itself to the main DNS_R_DNAME
4110 * case in query_find(). So fall through to treat them as NODATA.
4113 policy = DNS_RPZ_POLICY_NODATA;
4115 case DNS_R_NXDOMAIN:
4116 case DNS_R_EMPTYNAME:
4118 * If we don't get a qname hit,
4119 * see if it is worth looking for other types.
4121 dns_db_rpz_enabled(*dbp, client->query.rpz_st);
4123 dns_zone_detach(zonep);
4124 policy = DNS_RPZ_POLICY_MISS;
4128 dns_zone_detach(zonep);
4129 rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
4131 policy = DNS_RPZ_POLICY_ERROR;
4132 result = DNS_R_SERVFAIL;
4141 * Build and look for a QNAME or NSDNAME owner name in a response policy zone.
4144 rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
4145 dns_rpz_type_t rpz_type, dns_rdataset_t **rdatasetp)
4148 dns_rpz_zone_t *rpz;
4149 dns_fixedname_t prefixf, rpz_qnamef;
4150 dns_name_t *prefix, *suffix, *rpz_qname;
4154 dns_rpz_policy_t policy;
4155 unsigned int labels;
4156 isc_result_t result;
4158 st = client->query.rpz_st;
4163 for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
4165 rpz = ISC_LIST_NEXT(rpz, link)) {
4167 * Construct the rule's owner name.
4169 dns_fixedname_init(&prefixf);
4170 prefix = dns_fixedname_name(&prefixf);
4171 dns_name_split(qname, 1, prefix, NULL);
4172 if (rpz_type == DNS_RPZ_TYPE_NSDNAME)
4173 suffix = &rpz->nsdname;
4175 suffix = &rpz->origin;
4176 dns_fixedname_init(&rpz_qnamef);
4177 rpz_qname = dns_fixedname_name(&rpz_qnamef);
4179 result = dns_name_concatenate(prefix, suffix,
4181 if (result == ISC_R_SUCCESS)
4183 INSIST(result == DNS_R_NAMETOOLONG);
4184 labels = dns_name_countlabels(prefix);
4186 rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL,
4188 "concatentate() ", result);
4189 return (ISC_R_SUCCESS);
4191 if (labels+1 == dns_name_countlabels(qname)) {
4192 rpz_fail_log(client, DNS_RPZ_DEBUG_LEVEL1,
4194 "concatentate() ", result);
4196 dns_name_split(prefix, labels - 1, NULL, prefix);
4200 * See if the qname rule (or RR) exists.
4202 result = rpz_find(client, qtype, rpz_qname, qname, rpz_type,
4203 &zone, &db, &node, rdatasetp, &policy);
4205 case DNS_R_NXDOMAIN:
4206 case DNS_R_EMPTYNAME:
4208 case DNS_R_SERVFAIL:
4209 rpz_clean(&zone, &db, &node, rdatasetp);
4210 st->m.policy = DNS_RPZ_POLICY_ERROR;
4211 return (DNS_R_SERVFAIL);
4214 * when more than one name or address hits a rule,
4215 * prefer the first set of names (qname or NS),
4216 * the first policy zone, and the smallest name
4218 if (st->m.type == rpz_type &&
4219 rpz->num > st->m.rpz->num &&
4220 0 <= dns_name_compare(rpz_qname, st->qname))
4222 rpz_clean(&st->m.zone, &st->m.db, &st->m.node,
4225 st->m.type = rpz_type;
4227 st->m.policy = policy;
4228 st->m.result = result;
4229 dns_name_copy(rpz_qname, st->qname, NULL);
4230 if (dns_rdataset_isassociated(*rdatasetp)) {
4231 dns_rdataset_t *trdataset;
4233 trdataset = st->m.rdataset;
4234 st->m.rdataset = *rdatasetp;
4235 *rdatasetp = trdataset;
4236 st->m.ttl = st->m.rdataset->ttl;
4238 st->m.ttl = DNS_RPZ_TTL_DEFAULT;
4249 rpz_clean(&zone, &db, &node, rdatasetp);
4250 return (ISC_R_SUCCESS);
4254 * Look for response policy zone NSIP and NSDNAME rewriting.
4257 rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
4258 isc_boolean_t resuming)
4262 dns_rdataset_t *rdataset;
4263 dns_fixedname_t nsnamef;
4265 dns_dbversion_t *version;
4266 isc_result_t result;
4271 st = client->query.rpz_st;
4273 st = isc_mem_get(client->mctx, sizeof(*st));
4275 return (ISC_R_NOMEMORY);
4277 memset(&st->m, 0, sizeof(st->m));
4278 memset(&st->ns, 0, sizeof(st->ns));
4279 memset(&st->q, 0, sizeof(st->q));
4280 dns_fixedname_init(&st->_qnamef);
4281 dns_fixedname_init(&st->_r_namef);
4282 dns_fixedname_init(&st->_fnamef);
4283 st->qname = dns_fixedname_name(&st->_qnamef);
4284 st->r_name = dns_fixedname_name(&st->_r_namef);
4285 st->fname = dns_fixedname_name(&st->_fnamef);
4286 client->query.rpz_st = st;
4288 if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
4289 st->state = DNS_RPZ_DONE_QNAME;
4290 st->m.type = DNS_RPZ_TYPE_BAD;
4291 st->m.policy = DNS_RPZ_POLICY_MISS;
4294 * Check rules for the name if this it the first time,
4295 * i.e. we've not been recursing.
4297 st->state &= ~(DNS_RPZ_HAVE_IP | DNS_RPZ_HAVE_NSIPv4 |
4298 DNS_RPZ_HAVE_NSIPv6 | DNS_RPZ_HAD_NSDNAME);
4299 result = rpz_rewrite_name(client, qtype, client->query.qname,
4300 DNS_RPZ_TYPE_QNAME, &rdataset);
4301 if (result != ISC_R_SUCCESS)
4303 if (st->m.policy != DNS_RPZ_POLICY_MISS)
4305 if ((st->state & (DNS_RPZ_HAVE_NSIPv4 | DNS_RPZ_HAVE_NSIPv6 |
4306 DNS_RPZ_HAD_NSDNAME)) == 0)
4308 st->ns.label = dns_name_countlabels(client->query.qname);
4311 dns_fixedname_init(&nsnamef);
4312 dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
4313 while (st->ns.label > 1 && st->m.policy == DNS_RPZ_POLICY_MISS) {
4314 if (st->ns.label == dns_name_countlabels(client->query.qname)) {
4315 nsname = client->query.qname;
4317 nsname = dns_fixedname_name(&nsnamef);
4318 dns_name_split(client->query.qname, st->ns.label,
4321 if (st->ns.ns_rdataset == NULL ||
4322 !dns_rdataset_isassociated(st->ns.ns_rdataset)) {
4323 dns_db_t *db = NULL;
4324 result = rpz_ns_find(client, nsname, dns_rdatatype_ns,
4325 &db, NULL, &st->ns.ns_rdataset,
4329 if (result != ISC_R_SUCCESS) {
4330 if (result == DNS_R_DELEGATION)
4332 if (result == DNS_R_EMPTYNAME ||
4333 result == DNS_R_NXRRSET ||
4334 result == DNS_R_EMPTYWILD ||
4335 result == DNS_R_NXDOMAIN ||
4336 result == DNS_R_NCACHENXDOMAIN ||
4337 result == DNS_R_NCACHENXRRSET ||
4338 result == DNS_R_CNAME ||
4339 result == DNS_R_DNAME) {
4340 rpz_fail_log(client,
4341 DNS_RPZ_DEBUG_LEVEL2,
4342 DNS_RPZ_TYPE_NSIP, nsname,
4343 "NS db_find() ", result);
4344 dns_rdataset_disassociate(st->ns.
4349 if (st->m.policy != DNS_RPZ_POLICY_ERROR) {
4350 rpz_fail_log(client, DNS_RPZ_INFO_LEVEL,
4351 DNS_RPZ_TYPE_NSIP, nsname,
4352 "NS db_find() ", result);
4353 st->m.policy = DNS_RPZ_POLICY_ERROR;
4357 result = dns_rdataset_first(st->ns.ns_rdataset);
4358 if (result != ISC_R_SUCCESS)
4362 * Check all NS names.
4366 dns_rdata_t nsrdata = DNS_RDATA_INIT;
4368 dns_rdataset_current(st->ns.ns_rdataset, &nsrdata);
4369 result = dns_rdata_tostruct(&nsrdata, &ns, NULL);
4370 dns_rdata_reset(&nsrdata);
4371 if (result != ISC_R_SUCCESS) {
4372 rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL,
4373 DNS_RPZ_TYPE_NSIP, nsname,
4374 "rdata_tostruct() ", result);
4375 st->m.policy = DNS_RPZ_POLICY_ERROR;
4378 if ((st->state & DNS_RPZ_HAD_NSDNAME) != 0) {
4379 result = rpz_rewrite_name(client, qtype,
4381 DNS_RPZ_TYPE_NSDNAME,
4383 if (result != ISC_R_SUCCESS) {
4384 dns_rdata_freestruct(&ns);
4389 * Check all IP addresses for this NS name, but don't
4390 * bother without NSIP rules or with a NSDNAME hit.
4393 if ((st->state & DNS_RPZ_HAVE_NSIPv4) != 0 &&
4394 st->m.type != DNS_RPZ_TYPE_NSDNAME &&
4395 (st->state & DNS_RPZ_DONE_A) == 0) {
4396 result = rpz_rewrite_nsip(client,
4401 if (result == ISC_R_SUCCESS)
4402 st->state |= DNS_RPZ_DONE_A;
4404 if (result == ISC_R_SUCCESS &&
4405 (st->state & DNS_RPZ_HAVE_NSIPv6) != 0 &&
4406 st->m.type != DNS_RPZ_TYPE_NSDNAME) {
4407 result = rpz_rewrite_nsip(client,
4413 dns_rdata_freestruct(&ns);
4415 dns_db_detach(&ipdb);
4416 if (result != ISC_R_SUCCESS)
4418 st->state &= ~DNS_RPZ_DONE_A;
4419 result = dns_rdataset_next(st->ns.ns_rdataset);
4420 } while (result == ISC_R_SUCCESS);
4421 dns_rdataset_disassociate(st->ns.ns_rdataset);
4426 * Use the best, if any, hit.
4428 result = ISC_R_SUCCESS;
4431 if (st->m.policy != DNS_RPZ_POLICY_MISS &&
4432 st->m.policy != DNS_RPZ_POLICY_NO_OP &&
4433 st->m.policy != DNS_RPZ_POLICY_ERROR &&
4434 st->m.rpz->policy != DNS_RPZ_POLICY_GIVEN)
4435 st->m.policy = st->m.rpz->policy;
4436 if (st->m.policy == DNS_RPZ_POLICY_NO_OP)
4438 if (st->m.policy == DNS_RPZ_POLICY_MISS ||
4439 st->m.policy == DNS_RPZ_POLICY_NO_OP ||
4440 st->m.policy == DNS_RPZ_POLICY_ERROR)
4441 rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset);
4442 if (st->m.policy != DNS_RPZ_POLICY_MISS)
4443 st->state |= DNS_RPZ_REWRITTEN;
4444 if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
4445 st->m.type = DNS_RPZ_TYPE_BAD;
4446 result = DNS_R_SERVFAIL;
4448 if (rdataset != NULL)
4449 query_putrdataset(client, &rdataset);
4450 if ((st->state & DNS_RPZ_RECURSING) == 0) {
4451 rpz_clean(NULL, &st->ns.db, NULL, &st->ns.ns_rdataset);
4457 #define MAX_RESTARTS 16
4459 #define QUERY_ERROR(r) \
4462 want_restart = ISC_FALSE; \
4466 #define RECURSE_ERROR(r) \
4468 if ((r) == DNS_R_DUPLICATE || (r) == DNS_R_DROP) \
4471 QUERY_ERROR(DNS_R_SERVFAIL); \
4475 * Extract a network address from the RDATA of an A or AAAA
4480 * ISC_R_NOTIMPLEMENTED The rdata is not a known address type.
4483 rdata_tonetaddr(const dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
4485 struct in6_addr in6a;
4487 switch (rdata->type) {
4488 case dns_rdatatype_a:
4489 INSIST(rdata->length == 4);
4490 memcpy(&ina.s_addr, rdata->data, 4);
4491 isc_netaddr_fromin(netaddr, &ina);
4492 return (ISC_R_SUCCESS);
4493 case dns_rdatatype_aaaa:
4494 INSIST(rdata->length == 16);
4495 memcpy(in6a.s6_addr, rdata->data, 16);
4496 isc_netaddr_fromin6(netaddr, &in6a);
4497 return (ISC_R_SUCCESS);
4499 return (ISC_R_NOTIMPLEMENTED);
4504 * Find the sort order of 'rdata' in the topology-like
4505 * ACL forming the second element in a 2-element top-level
4506 * sortlist statement.
4509 query_sortlist_order_2element(const dns_rdata_t *rdata, const void *arg) {
4510 isc_netaddr_t netaddr;
4512 if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
4514 return (ns_sortlist_addrorder2(&netaddr, arg));
4518 * Find the sort order of 'rdata' in the matching element
4519 * of a 1-element top-level sortlist statement.
4522 query_sortlist_order_1element(const dns_rdata_t *rdata, const void *arg) {
4523 isc_netaddr_t netaddr;
4525 if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
4527 return (ns_sortlist_addrorder1(&netaddr, arg));
4531 * Find the sortlist statement that applies to 'client' and set up
4532 * the sortlist info in in client->message appropriately.
4535 setup_query_sortlist(ns_client_t *client) {
4536 isc_netaddr_t netaddr;
4537 dns_rdatasetorderfunc_t order = NULL;
4538 const void *order_arg = NULL;
4540 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
4541 switch (ns_sortlist_setup(client->view->sortlist,
4542 &netaddr, &order_arg)) {
4543 case NS_SORTLISTTYPE_1ELEMENT:
4544 order = query_sortlist_order_1element;
4546 case NS_SORTLISTTYPE_2ELEMENT:
4547 order = query_sortlist_order_2element;
4549 case NS_SORTLISTTYPE_NONE:
4556 dns_message_setsortorder(client->message, order, order_arg);
4560 query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
4561 isc_buffer_t *dbuf, b;
4563 dns_rdataset_t *neg, *negsig;
4564 isc_result_t result = ISC_R_NOMEMORY;
4566 CTRACE("query_addnoqnameproof");
4572 dbuf = query_getnamebuf(client);
4575 fname = query_newname(client, dbuf, &b);
4576 neg = query_newrdataset(client);
4577 negsig = query_newrdataset(client);
4578 if (fname == NULL || neg == NULL || negsig == NULL)
4581 result = dns_rdataset_getnoqname(rdataset, fname, neg, negsig);
4582 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4584 query_addrrset(client, &fname, &neg, &negsig, dbuf,
4585 DNS_SECTION_AUTHORITY);
4587 if ((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) == 0)
4590 if (fname == NULL) {
4591 dbuf = query_getnamebuf(client);
4594 fname = query_newname(client, dbuf, &b);
4597 neg = query_newrdataset(client);
4598 else if (dns_rdataset_isassociated(neg))
4599 dns_rdataset_disassociate(neg);
4601 negsig = query_newrdataset(client);
4602 else if (dns_rdataset_isassociated(negsig))
4603 dns_rdataset_disassociate(negsig);
4604 if (fname == NULL || neg == NULL || negsig == NULL)
4606 result = dns_rdataset_getclosest(rdataset, fname, neg, negsig);
4607 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4609 query_addrrset(client, &fname, &neg, &negsig, dbuf,
4610 DNS_SECTION_AUTHORITY);
4614 query_putrdataset(client, &neg);
4616 query_putrdataset(client, &negsig);
4618 query_releasename(client, &fname);
4622 answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) {
4625 dns_section_t section = DNS_SECTION_ADDITIONAL;
4626 dns_rdataset_t *rdataset = NULL;
4628 msg = client->message;
4629 for (name = ISC_LIST_HEAD(msg->sections[section]);
4631 name = ISC_LIST_NEXT(name, link))
4632 if (dns_name_equal(name, client->query.qname)) {
4633 for (rdataset = ISC_LIST_HEAD(name->list);
4635 rdataset = ISC_LIST_NEXT(rdataset, link))
4636 if (rdataset->type == qtype)
4640 if (rdataset != NULL) {
4641 ISC_LIST_UNLINK(msg->sections[section], name, link);
4642 ISC_LIST_PREPEND(msg->sections[section], name, link);
4643 ISC_LIST_UNLINK(name->list, rdataset, link);
4644 ISC_LIST_PREPEND(name->list, rdataset, link);
4645 rdataset->attributes |= DNS_RDATASETATTR_REQUIREDGLUE;
4649 #define NS_NAME_INIT(A,B) \
4652 A, sizeof(A), sizeof(B), \
4653 DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
4654 B, NULL, { (void *)-1, (void *)-1}, \
4658 static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
4659 static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
4660 static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
4662 static unsigned char inaddr10[] = "\00210\007IN-ADDR\004ARPA";
4664 static unsigned char inaddr16172[] = "\00216\003172\007IN-ADDR\004ARPA";
4665 static unsigned char inaddr17172[] = "\00217\003172\007IN-ADDR\004ARPA";
4666 static unsigned char inaddr18172[] = "\00218\003172\007IN-ADDR\004ARPA";
4667 static unsigned char inaddr19172[] = "\00219\003172\007IN-ADDR\004ARPA";
4668 static unsigned char inaddr20172[] = "\00220\003172\007IN-ADDR\004ARPA";
4669 static unsigned char inaddr21172[] = "\00221\003172\007IN-ADDR\004ARPA";
4670 static unsigned char inaddr22172[] = "\00222\003172\007IN-ADDR\004ARPA";
4671 static unsigned char inaddr23172[] = "\00223\003172\007IN-ADDR\004ARPA";
4672 static unsigned char inaddr24172[] = "\00224\003172\007IN-ADDR\004ARPA";
4673 static unsigned char inaddr25172[] = "\00225\003172\007IN-ADDR\004ARPA";
4674 static unsigned char inaddr26172[] = "\00226\003172\007IN-ADDR\004ARPA";
4675 static unsigned char inaddr27172[] = "\00227\003172\007IN-ADDR\004ARPA";
4676 static unsigned char inaddr28172[] = "\00228\003172\007IN-ADDR\004ARPA";
4677 static unsigned char inaddr29172[] = "\00229\003172\007IN-ADDR\004ARPA";
4678 static unsigned char inaddr30172[] = "\00230\003172\007IN-ADDR\004ARPA";
4679 static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA";
4681 static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA";
4683 static dns_name_t rfc1918names[] = {
4684 NS_NAME_INIT(inaddr10, inaddr10_offsets),
4685 NS_NAME_INIT(inaddr16172, inaddr172_offsets),
4686 NS_NAME_INIT(inaddr17172, inaddr172_offsets),
4687 NS_NAME_INIT(inaddr18172, inaddr172_offsets),
4688 NS_NAME_INIT(inaddr19172, inaddr172_offsets),
4689 NS_NAME_INIT(inaddr20172, inaddr172_offsets),
4690 NS_NAME_INIT(inaddr21172, inaddr172_offsets),
4691 NS_NAME_INIT(inaddr22172, inaddr172_offsets),
4692 NS_NAME_INIT(inaddr23172, inaddr172_offsets),
4693 NS_NAME_INIT(inaddr24172, inaddr172_offsets),
4694 NS_NAME_INIT(inaddr25172, inaddr172_offsets),
4695 NS_NAME_INIT(inaddr26172, inaddr172_offsets),
4696 NS_NAME_INIT(inaddr27172, inaddr172_offsets),
4697 NS_NAME_INIT(inaddr28172, inaddr172_offsets),
4698 NS_NAME_INIT(inaddr29172, inaddr172_offsets),
4699 NS_NAME_INIT(inaddr30172, inaddr172_offsets),
4700 NS_NAME_INIT(inaddr31172, inaddr172_offsets),
4701 NS_NAME_INIT(inaddr168192, inaddr192_offsets)
4705 static unsigned char prisoner_data[] = "\010prisoner\004iana\003org";
4706 static unsigned char hostmaster_data[] = "\012hostmaster\014root-servers\003org";
4708 static unsigned char prisoner_offsets[] = { 0, 9, 14, 18 };
4709 static unsigned char hostmaster_offsets[] = { 0, 11, 24, 28 };
4711 static dns_name_t prisoner = NS_NAME_INIT(prisoner_data, prisoner_offsets);
4712 static dns_name_t hostmaster = NS_NAME_INIT(hostmaster_data, hostmaster_offsets);
4715 warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
4717 dns_rdata_t rdata = DNS_RDATA_INIT;
4718 dns_rdata_soa_t soa;
4719 dns_rdataset_t found;
4720 isc_result_t result;
4722 for (i = 0; i < (sizeof(rfc1918names)/sizeof(*rfc1918names)); i++) {
4723 if (dns_name_issubdomain(fname, &rfc1918names[i])) {
4724 dns_rdataset_init(&found);
4725 result = dns_ncache_getrdataset(rdataset,
4729 if (result != ISC_R_SUCCESS)
4732 result = dns_rdataset_first(&found);
4733 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4734 dns_rdataset_current(&found, &rdata);
4735 result = dns_rdata_tostruct(&rdata, &soa, NULL);
4736 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4737 if (dns_name_equal(&soa.origin, &prisoner) &&
4738 dns_name_equal(&soa.contact, &hostmaster)) {
4739 char buf[DNS_NAME_FORMATSIZE];
4740 dns_name_format(fname, buf, sizeof(buf));
4741 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
4744 "RFC 1918 response from "
4745 "Internet for %s", buf);
4747 dns_rdataset_disassociate(&found);
4754 query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
4755 dns_dbversion_t *version, ns_client_t *client,
4756 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
4757 dns_name_t *fname, isc_boolean_t exact,
4760 unsigned char salt[256];
4762 isc_uint16_t iterations;
4763 isc_result_t result;
4764 unsigned int dboptions;
4765 dns_fixedname_t fixed;
4770 dns_rdata_nsec3_t nsec3;
4771 dns_rdata_t rdata = DNS_RDATA_INIT;
4772 isc_boolean_t optout;
4774 salt_length = sizeof(salt);
4775 result = dns_db_getnsec3parameters(db, version, &hash, NULL,
4776 &iterations, salt, &salt_length);
4777 if (result != ISC_R_SUCCESS)
4780 dns_name_init(&name, NULL);
4781 dns_name_clone(qname, &name);
4784 * Map unknown algorithm to known value.
4786 if (hash == DNS_NSEC3_UNKNOWNALG)
4790 dns_fixedname_init(&fixed);
4791 result = dns_nsec3_hashname(&fixed, NULL, NULL, &name,
4792 dns_db_origin(db), hash,
4793 iterations, salt, salt_length);
4794 if (result != ISC_R_SUCCESS)
4797 dboptions = client->query.dboptions | DNS_DBFIND_FORCENSEC3;
4798 result = dns_db_find(db, dns_fixedname_name(&fixed), version,
4799 dns_rdatatype_nsec3, dboptions, client->now,
4800 NULL, fname, rdataset, sigrdataset);
4802 if (result == DNS_R_NXDOMAIN) {
4803 if (!dns_rdataset_isassociated(rdataset)) {
4806 result = dns_rdataset_first(rdataset);
4807 INSIST(result == ISC_R_SUCCESS);
4808 dns_rdataset_current(rdataset, &rdata);
4809 dns_rdata_tostruct(&rdata, &nsec3, NULL);
4810 dns_rdata_reset(&rdata);
4811 optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
4812 if (found != NULL && optout &&
4813 dns_name_fullcompare(&name, dns_db_origin(db), &order,
4814 &count) == dns_namereln_subdomain) {
4815 dns_rdataset_disassociate(rdataset);
4816 if (dns_rdataset_isassociated(sigrdataset))
4817 dns_rdataset_disassociate(sigrdataset);
4818 count = dns_name_countlabels(&name) - 1;
4819 dns_name_getlabelsequence(&name, 1, count, &name);
4820 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
4821 NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
4822 "looking for closest provable encloser");
4826 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
4827 NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
4828 "expected a exact match NSEC3, got "
4829 "a covering record");
4831 } else if (result != ISC_R_SUCCESS) {
4834 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
4835 NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
4836 "expected covering NSEC3, got an exact match");
4838 dns_name_copy(&name, found, NULL);
4842 #ifdef ALLOW_FILTER_AAAA_ON_V4
4843 static isc_boolean_t
4844 is_v4_client(ns_client_t *client) {
4845 if (isc_sockaddr_pf(&client->peeraddr) == AF_INET)
4847 if (isc_sockaddr_pf(&client->peeraddr) == AF_INET6 &&
4848 IN6_IS_ADDR_V4MAPPED(&client->peeraddr.type.sin6.sin6_addr))
4855 dns64_ttl(dns_db_t *db, dns_dbversion_t *version) {
4856 dns_dbnode_t *node = NULL;
4857 dns_rdata_soa_t soa;
4858 dns_rdata_t rdata = DNS_RDATA_INIT;
4859 dns_rdataset_t rdataset;
4860 isc_result_t result;
4861 isc_uint32_t ttl = ISC_UINT32_MAX;
4863 result = dns_db_getoriginnode(db, &node);
4864 if (result != ISC_R_SUCCESS)
4866 dns_rdataset_init(&rdataset);
4867 result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
4868 0, 0, &rdataset, NULL);
4869 if (result != ISC_R_SUCCESS)
4871 result = dns_rdataset_first(&rdataset);
4872 if (result != ISC_R_SUCCESS)
4875 dns_rdataset_current(&rdataset, &rdata);
4876 result = dns_rdata_tostruct(&rdata, &soa, NULL);
4877 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4878 ttl = ISC_MIN(rdataset.ttl, soa.minimum);
4881 if (dns_rdataset_isassociated(&rdataset))
4882 dns_rdataset_disassociate(&rdataset);
4884 dns_db_detachnode(db, &node);
4888 static isc_boolean_t
4889 dns64_aaaaok(ns_client_t *client, dns_rdataset_t *rdataset,
4890 dns_rdataset_t *sigrdataset)
4892 isc_netaddr_t netaddr;
4893 dns_dns64_t *dns64 = ISC_LIST_HEAD(client->view->dns64);
4894 unsigned int flags = 0;
4895 unsigned int i, count;
4896 isc_boolean_t *aaaaok;
4898 INSIST(client->query.dns64_aaaaok == NULL);
4899 INSIST(client->query.dns64_aaaaoklen == 0);
4900 INSIST(client->query.dns64_aaaa == NULL);
4901 INSIST(client->query.dns64_sigaaaa == NULL);
4906 if (RECURSIONOK(client))
4907 flags |= DNS_DNS64_RECURSIVE;
4909 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
4910 flags |= DNS_DNS64_DNSSEC;
4912 count = dns_rdataset_count(rdataset);
4913 aaaaok = isc_mem_get(client->mctx, sizeof(isc_boolean_t) * count);
4915 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
4916 if (dns_dns64_aaaaok(dns64, &netaddr, client->signer,
4917 &ns_g_server->aclenv, flags, rdataset,
4919 for (i = 0; i < count; i++) {
4920 if (aaaaok != NULL && !aaaaok[i]) {
4921 client->query.dns64_aaaaok = aaaaok;
4922 client->query.dns64_aaaaoklen = count;
4926 if (i == count && aaaaok != NULL)
4927 isc_mem_put(client->mctx, aaaaok,
4928 sizeof(isc_boolean_t) * count);
4932 isc_mem_put(client->mctx, aaaaok,
4933 sizeof(isc_boolean_t) * count);
4938 * Do the bulk of query processing for the current query of 'client'.
4939 * If 'event' is non-NULL, we are returning from recursion and 'qtype'
4940 * is ignored. Otherwise, 'qtype' is the query type.
4943 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
4947 dns_rdatatype_t type;
4948 dns_name_t *fname, *zfname, *tname, *prefix;
4949 dns_rdataset_t *rdataset, *trdataset;
4950 dns_rdataset_t *sigrdataset, *zrdataset, *zsigrdataset;
4951 dns_rdataset_t **sigrdatasetp;
4952 dns_rdata_t rdata = DNS_RDATA_INIT;
4953 dns_rdatasetiter_t *rdsiter;
4954 isc_boolean_t want_restart, authoritative, is_zone, need_wildcardproof;
4955 isc_boolean_t is_staticstub_zone;
4956 unsigned int n, nlabels;
4957 dns_namereln_t namereln;
4961 isc_result_t result, eresult;
4962 dns_fixedname_t fixed;
4963 dns_fixedname_t wildcardname;
4964 dns_dbversion_t *version, *zversion;
4966 dns_rdata_cname_t cname;
4967 dns_rdata_dname_t dname;
4968 unsigned int options;
4969 isc_boolean_t empty_wild;
4970 dns_rdataset_t *noqname;
4971 dns_rpz_st_t *rpz_st;
4972 isc_boolean_t resuming;
4974 isc_boolean_t dns64_exclude, dns64;
4976 CTRACE("query_find");
4979 * One-time initialization.
4981 * It's especially important to initialize anything that the cleanup
4982 * code might cleanup.
4985 eresult = ISC_R_SUCCESS;
4991 zsigrdataset = NULL;
4998 need_wildcardproof = ISC_FALSE;
4999 empty_wild = ISC_FALSE;
5000 dns64_exclude = dns64 = ISC_FALSE;
5002 resuming = ISC_FALSE;
5003 is_zone = ISC_FALSE;
5004 is_staticstub_zone = ISC_FALSE;
5006 if (event != NULL) {
5008 * We're returning from recursion. Restore the query context
5011 want_restart = ISC_FALSE;
5013 rpz_st = client->query.rpz_st;
5014 if (rpz_st != NULL &&
5015 (rpz_st->state & DNS_RPZ_RECURSING) != 0) {
5016 is_zone = rpz_st->q.is_zone;
5017 authoritative = rpz_st->q.authoritative;
5018 zone = rpz_st->q.zone;
5019 rpz_st->q.zone = NULL;
5020 node = rpz_st->q.node;
5021 rpz_st->q.node = NULL;
5023 rpz_st->q.db = NULL;
5024 rdataset = rpz_st->q.rdataset;
5025 rpz_st->q.rdataset = NULL;
5026 sigrdataset = rpz_st->q.sigrdataset;
5027 rpz_st->q.sigrdataset = NULL;
5028 qtype = rpz_st->q.qtype;
5030 if (event->node != NULL)
5031 dns_db_detachnode(db, &event->node);
5032 rpz_st->ns.db = event->db;
5033 rpz_st->ns.r_type = event->qtype;
5034 rpz_st->ns.r_rdataset = event->rdataset;
5035 if (event->sigrdataset != NULL &&
5036 dns_rdataset_isassociated(event->sigrdataset))
5037 dns_rdataset_disassociate(event->sigrdataset);
5039 authoritative = ISC_FALSE;
5041 qtype = event->qtype;
5044 rdataset = event->rdataset;
5045 sigrdataset = event->sigrdataset;
5048 if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
5049 type = dns_rdatatype_any;
5053 if (DNS64(client)) {
5054 client->query.attributes &= ~NS_QUERYATTR_DNS64;
5057 if (DNS64EXCLUDE(client)) {
5058 client->query.attributes &= ~NS_QUERYATTR_DNS64EXCLUDE;
5059 dns64_exclude = ISC_TRUE;
5063 * We'll need some resources...
5065 dbuf = query_getnamebuf(client);
5067 QUERY_ERROR(DNS_R_SERVFAIL);
5070 fname = query_newname(client, dbuf, &b);
5071 if (fname == NULL) {
5072 QUERY_ERROR(DNS_R_SERVFAIL);
5075 if (rpz_st != NULL &&
5076 (rpz_st->state & DNS_RPZ_RECURSING) != 0) {
5077 tname = rpz_st->fname;
5079 tname = dns_fixedname_name(&event->foundname);
5081 result = dns_name_copy(tname, fname, NULL);
5082 if (result != ISC_R_SUCCESS) {
5083 QUERY_ERROR(DNS_R_SERVFAIL);
5086 if (rpz_st != NULL &&
5087 (rpz_st->state & DNS_RPZ_RECURSING) != 0) {
5088 rpz_st->ns.r_result = event->result;
5089 result = rpz_st->q.result;
5090 isc_event_free(ISC_EVENT_PTR(&event));
5092 result = event->result;
5094 resuming = ISC_TRUE;
5099 * Not returning from recursion.
5103 * If it's a SIG query, we'll iterate the node.
5105 if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
5106 type = dns_rdatatype_any;
5111 CTRACE("query_find: restart");
5112 want_restart = ISC_FALSE;
5113 authoritative = ISC_FALSE;
5115 need_wildcardproof = ISC_FALSE;
5117 if (client->view->checknames &&
5118 !dns_rdata_checkowner(client->query.qname,
5119 client->message->rdclass,
5120 qtype, ISC_FALSE)) {
5121 char namebuf[DNS_NAME_FORMATSIZE];
5122 char typename[DNS_RDATATYPE_FORMATSIZE];
5123 char classname[DNS_RDATACLASS_FORMATSIZE];
5125 dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
5126 dns_rdatatype_format(qtype, typename, sizeof(typename));
5127 dns_rdataclass_format(client->message->rdclass, classname,
5129 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
5130 NS_LOGMODULE_QUERY, ISC_LOG_ERROR,
5131 "check-names failure %s/%s/%s", namebuf,
5132 typename, classname);
5133 QUERY_ERROR(DNS_R_REFUSED);
5138 * First we must find the right database.
5140 options &= DNS_GETDB_NOLOG; /* Preserve DNS_GETDB_NOLOG. */
5141 if (dns_rdatatype_atparent(qtype) &&
5142 !dns_name_equal(client->query.qname, dns_rootname))
5143 options |= DNS_GETDB_NOEXACT;
5144 result = query_getdb(client, client->query.qname, qtype, options,
5145 &zone, &db, &version, &is_zone);
5146 if ((result != ISC_R_SUCCESS || !is_zone) && !RECURSIONOK(client) &&
5147 (options & DNS_GETDB_NOEXACT) != 0 && qtype == dns_rdatatype_ds) {
5149 * Look to see if we are authoritative for the
5150 * child zone if the query type is DS.
5152 dns_db_t *tdb = NULL;
5153 dns_zone_t *tzone = NULL;
5154 dns_dbversion_t *tversion = NULL;
5155 isc_result_t tresult;
5157 tresult = query_getzonedb(client, client->query.qname, qtype,
5158 DNS_GETDB_PARTIAL, &tzone, &tdb,
5160 if (tresult == ISC_R_SUCCESS) {
5161 options &= ~DNS_GETDB_NOEXACT;
5162 query_putrdataset(client, &rdataset);
5166 dns_zone_detach(&zone);
5171 result = ISC_R_SUCCESS;
5174 dns_db_detach(&tdb);
5176 dns_zone_detach(&tzone);
5179 if (result != ISC_R_SUCCESS) {
5180 if (result == DNS_R_REFUSED) {
5181 if (WANTRECURSION(client)) {
5183 dns_nsstatscounter_recurserej);
5185 inc_stats(client, dns_nsstatscounter_authrej);
5186 if (!PARTIALANSWER(client))
5187 QUERY_ERROR(DNS_R_REFUSED);
5189 QUERY_ERROR(DNS_R_SERVFAIL);
5193 is_staticstub_zone = ISC_FALSE;
5195 authoritative = ISC_TRUE;
5197 dns_zone_gettype(zone) == dns_zone_staticstub)
5198 is_staticstub_zone = ISC_TRUE;
5201 if (event == NULL && client->query.restarts == 0) {
5205 * if is_zone = true, zone = NULL then this is
5206 * a DLZ zone. Don't attempt to attach zone.
5208 dns_zone_attach(zone, &client->query.authzone);
5210 dns_db_attach(db, &client->query.authdb);
5212 client->query.authdbset = ISC_TRUE;
5216 CTRACE("query_find: db_find");
5218 * We'll need some resources...
5220 dbuf = query_getnamebuf(client);
5222 QUERY_ERROR(DNS_R_SERVFAIL);
5225 fname = query_newname(client, dbuf, &b);
5226 rdataset = query_newrdataset(client);
5227 if (fname == NULL || rdataset == NULL) {
5228 QUERY_ERROR(DNS_R_SERVFAIL);
5231 if (WANTDNSSEC(client) && (!is_zone || dns_db_issecure(db))) {
5232 sigrdataset = query_newrdataset(client);
5233 if (sigrdataset == NULL) {
5234 QUERY_ERROR(DNS_R_SERVFAIL);
5240 * Now look for an answer in the database.
5242 result = dns_db_find(db, client->query.qname, version, type,
5243 client->query.dboptions, client->now,
5244 &node, fname, rdataset, sigrdataset);
5247 CTRACE("query_find: resume");
5249 if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
5250 RECURSIONOK(client) && !RECURSING(client) &&
5251 result != DNS_R_DELEGATION && result != ISC_R_NOTFOUND &&
5252 (client->query.rpz_st == NULL ||
5253 (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) &&
5254 !dns_name_equal(client->query.qname, dns_rootname)) {
5255 isc_result_t rresult;
5257 rresult = rpz_rewrite(client, qtype, resuming);
5258 rpz_st = client->query.rpz_st;
5262 case DNS_R_DELEGATION:
5264 * recursing for NS names or addresses,
5265 * so save the main query state
5267 rpz_st->q.qtype = qtype;
5268 rpz_st->q.is_zone = is_zone;
5269 rpz_st->q.authoritative = authoritative;
5270 rpz_st->q.zone = zone;
5274 rpz_st->q.node = node;
5276 rpz_st->q.rdataset = rdataset;
5278 rpz_st->q.sigrdataset = sigrdataset;
5280 dns_name_copy(fname, rpz_st->fname, NULL);
5281 rpz_st->q.result = result;
5282 client->query.attributes |= NS_QUERYATTR_RECURSING;
5285 RECURSE_ERROR(rresult);
5288 if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS &&
5289 rpz_st->m.policy != DNS_RPZ_POLICY_NO_OP) {
5290 result = dns_name_copy(client->query.qname, fname,
5292 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5294 rpz_clean(&zone, &db, &node, NULL);
5295 if (rpz_st->m.rdataset != NULL) {
5296 if (rdataset != NULL)
5297 query_putrdataset(client, &rdataset);
5298 rdataset = rpz_st->m.rdataset;
5299 rpz_st->m.rdataset = NULL;
5300 } else if (rdataset != NULL &&
5301 dns_rdataset_isassociated(rdataset)) {
5302 dns_rdataset_disassociate(rdataset);
5304 node = rpz_st->m.node;
5305 rpz_st->m.node = NULL;
5307 rpz_st->m.db = NULL;
5308 zone = rpz_st->m.zone;
5309 rpz_st->m.zone = NULL;
5311 result = rpz_st->m.result;
5312 switch (rpz_st->m.policy) {
5313 case DNS_RPZ_POLICY_NXDOMAIN:
5314 result = DNS_R_NXDOMAIN;
5316 case DNS_RPZ_POLICY_NODATA:
5317 result = DNS_R_NXRRSET;
5319 case DNS_RPZ_POLICY_RECORD:
5320 if (type == dns_rdatatype_any &&
5321 result != DNS_R_CNAME &&
5322 dns_rdataset_isassociated(rdataset))
5323 dns_rdataset_disassociate(rdataset);
5325 case DNS_RPZ_POLICY_CNAME:
5326 result = dns_name_copy(&rpz_st->m.rpz->cname,
5328 RUNTIME_CHECK(result == ISC_R_SUCCESS);
5329 query_keepname(client, fname, dbuf);
5330 result = query_add_cname(client,
5331 client->query.qname,
5333 dns_trust_authanswer,
5335 if (result != ISC_R_SUCCESS)
5337 ns_client_qnamereplace(client, fname);
5339 client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;
5341 want_restart = ISC_TRUE;
5348 * Turn off DNSSEC because the results of a
5349 * response policy zone cannot verify.
5351 client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;
5352 if (sigrdataset != NULL &&
5353 dns_rdataset_isassociated(sigrdataset))
5354 dns_rdataset_disassociate(sigrdataset);
5363 * This case is handled in the main line below.
5369 * These cases are handled in the main line below.
5372 authoritative = ISC_FALSE;
5374 case ISC_R_NOTFOUND:
5376 * The cache doesn't even have the root NS. Get them from
5383 if (client->view->hints == NULL) {
5384 /* We have no hints. */
5385 result = ISC_R_FAILURE;
5387 dns_db_attach(client->view->hints, &db);
5388 result = dns_db_find(db, dns_rootname,
5389 NULL, dns_rdatatype_ns,
5390 0, client->now, &node, fname,
5391 rdataset, sigrdataset);
5393 if (result != ISC_R_SUCCESS) {
5395 * Nonsensical root hints may require cleanup.
5397 if (dns_rdataset_isassociated(rdataset))
5398 dns_rdataset_disassociate(rdataset);
5399 if (sigrdataset != NULL &&
5400 dns_rdataset_isassociated(sigrdataset))
5401 dns_rdataset_disassociate(sigrdataset);
5403 dns_db_detachnode(db, &node);
5406 * We don't have any root server hints, but
5407 * we may have working forwarders, so try to
5410 if (RECURSIONOK(client)) {
5411 result = query_recurse(client, qtype,
5412 client->query.qname,
5413 NULL, NULL, resuming);
5414 if (result == ISC_R_SUCCESS) {
5415 client->query.attributes |=
5416 NS_QUERYATTR_RECURSING;
5418 client->query.attributes |=
5421 client->query.attributes |=
5422 NS_QUERYATTR_DNS64EXCLUDE;
5424 RECURSE_ERROR(result);
5427 /* Unable to give root server referral. */
5428 QUERY_ERROR(DNS_R_SERVFAIL);
5433 * XXXRTH We should trigger root server priming here.
5436 case DNS_R_DELEGATION:
5437 authoritative = ISC_FALSE;
5440 * Look to see if we are authoritative for the
5441 * child zone if the query type is DS.
5443 if (!RECURSIONOK(client) &&
5444 (options & DNS_GETDB_NOEXACT) != 0 &&
5445 qtype == dns_rdatatype_ds) {
5446 dns_db_t *tdb = NULL;
5447 dns_zone_t *tzone = NULL;
5448 dns_dbversion_t *tversion = NULL;
5449 result = query_getzonedb(client,
5450 client->query.qname,
5455 if (result == ISC_R_SUCCESS) {
5456 options &= ~DNS_GETDB_NOEXACT;
5457 query_putrdataset(client, &rdataset);
5458 if (sigrdataset != NULL)
5459 query_putrdataset(client,
5462 query_releasename(client,
5465 dns_db_detachnode(db, &node);
5469 dns_zone_detach(&zone);
5473 authoritative = ISC_TRUE;
5477 dns_db_detach(&tdb);
5479 dns_zone_detach(&tzone);
5482 * We're authoritative for an ancestor of QNAME.
5484 if (!USECACHE(client) || !RECURSIONOK(client)) {
5485 dns_fixedname_t fixed;
5487 dns_fixedname_init(&fixed);
5488 dns_name_copy(fname,
5489 dns_fixedname_name(&fixed), NULL);
5492 * If we don't have a cache, this is the best
5495 * If the client is making a nonrecursive
5496 * query we always give out the authoritative
5497 * delegation. This way even if we get
5498 * junk in our cache, we won't fail in our
5499 * role as the delegating authority if another
5500 * nameserver asks us about a delegated
5503 * We enable the retrieval of glue for this
5504 * database by setting client->query.gluedb.
5506 client->query.gluedb = db;
5507 client->query.isreferral = ISC_TRUE;
5509 * We must ensure NOADDITIONAL is off,
5510 * because the generation of
5511 * additional data is required in
5514 client->query.attributes &=
5515 ~NS_QUERYATTR_NOADDITIONAL;
5516 if (sigrdataset != NULL)
5517 sigrdatasetp = &sigrdataset;
5519 sigrdatasetp = NULL;
5520 query_addrrset(client, &fname,
5521 &rdataset, sigrdatasetp,
5522 dbuf, DNS_SECTION_AUTHORITY);
5523 client->query.gluedb = NULL;
5524 if (WANTDNSSEC(client))
5525 query_addds(client, db, node, version,
5526 dns_fixedname_name(&fixed));
5529 * We might have a better answer or delegation
5530 * in the cache. We'll remember the current
5531 * values of fname, rdataset, and sigrdataset.
5532 * We'll then go looking for QNAME in the
5533 * cache. If we find something better, we'll
5536 query_keepname(client, fname, dbuf);
5540 zrdataset = rdataset;
5542 zsigrdataset = sigrdataset;
5544 dns_db_detachnode(db, &node);
5548 dns_db_attach(client->view->cachedb, &db);
5549 is_zone = ISC_FALSE;
5553 if (zfname != NULL &&
5554 (!dns_name_issubdomain(fname, zfname) ||
5555 (is_staticstub_zone &&
5556 dns_name_equal(fname, zfname)))) {
5558 * In the following cases use "authoritative"
5559 * data instead of the cache delegation:
5560 * 1. We've already got a delegation from
5561 * authoritative data, and it is better
5562 * than what we found in the cache.
5563 * 2. The query name matches the origin name
5564 * of a static-stub zone. This needs to be
5565 * considered for the case where the NS of
5566 * the static-stub zone and the cached NS
5567 * are different. We still need to contact
5568 * the nameservers configured in the
5571 query_releasename(client, &fname);
5575 * We've already done query_keepname() on
5576 * zfname, so we must set dbuf to NULL to
5577 * prevent query_addrrset() from trying to
5578 * call query_keepname() again.
5581 query_putrdataset(client, &rdataset);
5582 if (sigrdataset != NULL)
5583 query_putrdataset(client,
5585 rdataset = zrdataset;
5587 sigrdataset = zsigrdataset;
5588 zsigrdataset = NULL;
5592 * We don't clean up zdb here because we
5593 * may still need it. It will get cleaned
5594 * up by the main cleanup code.
5598 if (RECURSIONOK(client)) {
5602 if (dns_rdatatype_atparent(type))
5603 result = query_recurse(client, qtype,
5604 client->query.qname,
5605 NULL, NULL, resuming);
5607 result = query_recurse(client,
5609 client->query.qname,
5610 NULL, NULL, resuming);
5612 result = query_recurse(client, qtype,
5613 client->query.qname,
5617 if (result == ISC_R_SUCCESS) {
5618 client->query.attributes |=
5619 NS_QUERYATTR_RECURSING;
5621 client->query.attributes |=
5624 client->query.attributes |=
5625 NS_QUERYATTR_DNS64EXCLUDE;
5626 } else if (result == DNS_R_DUPLICATE ||
5627 result == DNS_R_DROP)
5628 QUERY_ERROR(result);
5630 RECURSE_ERROR(result);
5632 dns_fixedname_t fixed;
5634 dns_fixedname_init(&fixed);
5635 dns_name_copy(fname,
5636 dns_fixedname_name(&fixed), NULL);
5638 * This is the best answer.
5640 client->query.attributes |=
5641 NS_QUERYATTR_CACHEGLUEOK;
5642 client->query.gluedb = zdb;
5643 client->query.isreferral = ISC_TRUE;
5645 * We must ensure NOADDITIONAL is off,
5646 * because the generation of
5647 * additional data is required in
5650 client->query.attributes &=
5651 ~NS_QUERYATTR_NOADDITIONAL;
5652 if (sigrdataset != NULL)
5653 sigrdatasetp = &sigrdataset;
5655 sigrdatasetp = NULL;
5656 query_addrrset(client, &fname,
5657 &rdataset, sigrdatasetp,
5658 dbuf, DNS_SECTION_AUTHORITY);
5659 client->query.gluedb = NULL;
5660 client->query.attributes &=
5661 ~NS_QUERYATTR_CACHEGLUEOK;
5662 if (WANTDNSSEC(client))
5663 query_addds(client, db, node, version,
5664 dns_fixedname_name(&fixed));
5669 case DNS_R_EMPTYNAME:
5674 #ifdef dns64_bis_return_excluded_addresses
5677 if (dns64 && !dns64_exclude)
5681 * Restore the answers from the previous AAAA lookup.
5683 if (rdataset != NULL)
5684 query_putrdataset(client, &rdataset);
5685 if (sigrdataset != NULL)
5686 query_putrdataset(client, &sigrdataset);
5687 rdataset = client->query.dns64_aaaa;
5688 sigrdataset = client->query.dns64_sigaaaa;
5689 if (fname == NULL) {
5690 dbuf = query_getnamebuf(client);
5692 QUERY_ERROR(DNS_R_SERVFAIL);
5695 fname = query_newname(client, dbuf, &b);
5696 if (fname == NULL) {
5697 QUERY_ERROR(DNS_R_SERVFAIL);
5701 dns_name_copy(client->query.qname, fname, NULL);
5702 client->query.dns64_aaaa = NULL;
5703 client->query.dns64_sigaaaa = NULL;
5705 #ifdef dns64_bis_return_excluded_addresses
5707 * Resume the diverted processing of the AAAA response?
5712 } else if (result == DNS_R_NXRRSET &&
5713 !ISC_LIST_EMPTY(client->view->dns64) &&
5714 client->message->rdclass == dns_rdataclass_in &&
5715 qtype == dns_rdatatype_aaaa)
5718 * Look to see if there are A records for this
5721 INSIST(client->query.dns64_aaaa == NULL);
5722 INSIST(client->query.dns64_sigaaaa == NULL);
5723 client->query.dns64_aaaa = rdataset;
5724 client->query.dns64_sigaaaa = sigrdataset;
5725 client->query.dns64_ttl = dns64_ttl(db, version);
5726 query_releasename(client, &fname);
5727 dns_db_detachnode(db, &node);
5730 type = qtype = dns_rdatatype_a;
5736 * Look for a NSEC3 record if we don't have a NSEC record.
5738 if (!dns_rdataset_isassociated(rdataset) &&
5739 WANTDNSSEC(client)) {
5740 if ((fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
5744 dns_fixedname_init(&fixed);
5745 found = dns_fixedname_name(&fixed);
5746 qname = client->query.qname;
5748 query_findclosestnsec3(qname, db, version,
5753 * Did we find the closest provable encloser
5754 * instead? If so add the nearest to the
5755 * closest provable encloser.
5757 if (dns_rdataset_isassociated(rdataset) &&
5758 !dns_name_equal(qname, found)) {
5763 * Add the closest provable encloser.
5765 query_addrrset(client, &fname,
5766 &rdataset, &sigrdataset,
5768 DNS_SECTION_AUTHORITY);
5770 count = dns_name_countlabels(found)
5772 skip = dns_name_countlabels(qname) -
5774 dns_name_getlabelsequence(qname, skip,
5778 fixfname(client, &fname, &dbuf, &b);
5779 fixrdataset(client, &rdataset);
5780 fixrdataset(client, &sigrdataset);
5781 if (fname == NULL ||
5783 sigrdataset == NULL) {
5784 QUERY_ERROR(DNS_R_SERVFAIL);
5788 * 'nearest' doesn't exist so
5789 * 'exist' is set to ISC_FALSE.
5791 query_findclosestnsec3(found, db,
5801 query_releasename(client, &fname);
5802 query_addwildcardproof(client, db, version,
5803 client->query.qname,
5804 ISC_FALSE, ISC_TRUE);
5807 if (dns_rdataset_isassociated(rdataset)) {
5809 * If we've got a NSEC record, we need to save the
5810 * name now because we're going call query_addsoa()
5811 * below, and it needs to use the name buffer.
5813 query_keepname(client, fname, dbuf);
5814 } else if (fname != NULL) {
5816 * We're not going to use fname, and need to release
5817 * our hold on the name buffer so query_addsoa()
5820 query_releasename(client, &fname);
5825 result = query_addsoa(client, db, version, ISC_UINT32_MAX,
5826 dns_rdataset_isassociated(rdataset));
5827 if (result != ISC_R_SUCCESS) {
5828 QUERY_ERROR(result);
5832 * Add NSEC record if we found one.
5834 if (WANTDNSSEC(client)) {
5835 if (dns_rdataset_isassociated(rdataset))
5836 query_addnxrrsetnsec(client, db, version,
5842 case DNS_R_EMPTYWILD:
5843 empty_wild = ISC_TRUE;
5846 case DNS_R_NXDOMAIN:
5848 if (dns_rdataset_isassociated(rdataset)) {
5850 * If we've got a NSEC record, we need to save the
5851 * name now because we're going call query_addsoa()
5852 * below, and it needs to use the name buffer.
5854 query_keepname(client, fname, dbuf);
5855 } else if (fname != NULL) {
5857 * We're not going to use fname, and need to release
5858 * our hold on the name buffer so query_addsoa()
5861 query_releasename(client, &fname);
5864 * Add SOA. If the query was for a SOA record force the
5865 * ttl to zero so that it is possible for clients to find
5866 * the containing zone of an arbitrary name with a stub
5867 * resolver and not have it cached.
5869 if (qtype == dns_rdatatype_soa &&
5871 dns_zone_getzeronosoattl(zone))
5872 result = query_addsoa(client, db, version, 0,
5873 dns_rdataset_isassociated(rdataset));
5875 result = query_addsoa(client, db, version,
5877 dns_rdataset_isassociated(rdataset));
5878 if (result != ISC_R_SUCCESS) {
5879 QUERY_ERROR(result);
5883 if (WANTDNSSEC(client)) {
5885 * Add NSEC record if we found one.
5887 if (dns_rdataset_isassociated(rdataset))
5888 query_addrrset(client, &fname, &rdataset,
5890 NULL, DNS_SECTION_AUTHORITY);
5891 query_addwildcardproof(client, db, version,
5892 client->query.qname, ISC_FALSE,
5897 * Set message rcode.
5900 client->message->rcode = dns_rcode_noerror;
5902 client->message->rcode = dns_rcode_nxdomain;
5905 case DNS_R_NCACHENXDOMAIN:
5906 case DNS_R_NCACHENXRRSET:
5909 authoritative = ISC_FALSE;
5911 * Set message rcode, if required.
5913 if (result == DNS_R_NCACHENXDOMAIN)
5914 client->message->rcode = dns_rcode_nxdomain;
5916 * Look for RFC 1918 leakage from Internet.
5918 if (result == DNS_R_NCACHENXDOMAIN &&
5919 qtype == dns_rdatatype_ptr &&
5920 client->message->rdclass == dns_rdataclass_in &&
5921 dns_name_countlabels(fname) == 7)
5922 warn_rfc1918(client, fname, rdataset);
5924 #ifdef dns64_bis_return_excluded_addresses
5927 if (dns64 && !dns64_exclude)
5931 * Restore the answers from the previous AAAA lookup.
5933 if (rdataset != NULL)
5934 query_putrdataset(client, &rdataset);
5935 if (sigrdataset != NULL)
5936 query_putrdataset(client, &sigrdataset);
5937 rdataset = client->query.dns64_aaaa;
5938 sigrdataset = client->query.dns64_sigaaaa;
5939 if (fname == NULL) {
5940 dbuf = query_getnamebuf(client);
5942 QUERY_ERROR(DNS_R_SERVFAIL);
5945 fname = query_newname(client, dbuf, &b);
5946 if (fname == NULL) {
5947 QUERY_ERROR(DNS_R_SERVFAIL);
5951 dns_name_copy(client->query.qname, fname, NULL);
5952 client->query.dns64_aaaa = NULL;
5953 client->query.dns64_sigaaaa = NULL;
5955 #ifdef dns64_bis_return_excluded_addresses
5959 } else if (result == DNS_R_NCACHENXRRSET &&
5960 !ISC_LIST_EMPTY(client->view->dns64) &&
5961 client->message->rdclass == dns_rdataclass_in &&
5962 qtype == dns_rdatatype_aaaa)
5965 * Look to see if there are A records for this
5968 INSIST(client->query.dns64_aaaa == NULL);
5969 INSIST(client->query.dns64_sigaaaa == NULL);
5970 client->query.dns64_aaaa = rdataset;
5971 client->query.dns64_sigaaaa = sigrdataset;
5973 * If the ttl is zero we need to workout if we have just
5974 * decremented to zero or if there was no negative cache
5975 * ttl in the answer.
5977 if (rdataset->ttl != 0)
5978 client->query.dns64_ttl = rdataset->ttl;
5979 else if (dns_rdataset_first(rdataset) == ISC_R_SUCCESS)
5980 client->query.dns64_ttl = 0;
5981 query_releasename(client, &fname);
5982 dns_db_detachnode(db, &node);
5986 type = qtype = dns_rdatatype_a;
5992 * We don't call query_addrrset() because we don't need any
5993 * of its extra features (and things would probably break!).
5995 query_keepname(client, fname, dbuf);
5996 dns_message_addname(client->message, fname,
5997 DNS_SECTION_AUTHORITY);
5998 ISC_LIST_APPEND(fname->list, rdataset, link);
6005 * Keep a copy of the rdataset. We have to do this because
6006 * query_addrrset may clear 'rdataset' (to prevent the
6007 * cleanup code from cleaning it up).
6009 trdataset = rdataset;
6011 * Add the CNAME to the answer section.
6013 if (sigrdataset != NULL)
6014 sigrdatasetp = &sigrdataset;
6016 sigrdatasetp = NULL;
6017 if (WANTDNSSEC(client) &&
6018 (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
6020 dns_fixedname_init(&wildcardname);
6021 dns_name_copy(fname, dns_fixedname_name(&wildcardname),
6023 need_wildcardproof = ISC_TRUE;
6025 if (NOQNAME(rdataset) && WANTDNSSEC(client))
6029 query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
6030 DNS_SECTION_ANSWER);
6031 if (noqname != NULL)
6032 query_addnoqnameproof(client, noqname);
6034 * We set the PARTIALANSWER attribute so that if anything goes
6035 * wrong later on, we'll return what we've got so far.
6037 client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
6039 * Reset qname to be the target name of the CNAME and restart
6043 result = dns_message_gettempname(client->message, &tname);
6044 if (result != ISC_R_SUCCESS)
6046 result = dns_rdataset_first(trdataset);
6047 if (result != ISC_R_SUCCESS) {
6048 dns_message_puttempname(client->message, &tname);
6051 dns_rdataset_current(trdataset, &rdata);
6052 result = dns_rdata_tostruct(&rdata, &cname, NULL);
6053 dns_rdata_reset(&rdata);
6054 if (result != ISC_R_SUCCESS) {
6055 dns_message_puttempname(client->message, &tname);
6058 dns_name_init(tname, NULL);
6059 result = dns_name_dup(&cname.cname, client->mctx, tname);
6060 if (result != ISC_R_SUCCESS) {
6061 dns_message_puttempname(client->message, &tname);
6062 dns_rdata_freestruct(&cname);
6065 dns_rdata_freestruct(&cname);
6066 ns_client_qnamereplace(client, tname);
6067 want_restart = ISC_TRUE;
6068 if (!WANTRECURSION(client))
6069 options |= DNS_GETDB_NOLOG;
6073 * Compare the current qname to the found name. We need
6074 * to know how many labels and bits are in common because
6075 * we're going to have to split qname later on.
6077 namereln = dns_name_fullcompare(client->query.qname, fname,
6079 INSIST(namereln == dns_namereln_subdomain);
6081 * Keep a copy of the rdataset. We have to do this because
6082 * query_addrrset may clear 'rdataset' (to prevent the
6083 * cleanup code from cleaning it up).
6085 trdataset = rdataset;
6087 * Add the DNAME to the answer section.
6089 if (sigrdataset != NULL)
6090 sigrdatasetp = &sigrdataset;
6092 sigrdatasetp = NULL;
6093 if (WANTDNSSEC(client) &&
6094 (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
6096 dns_fixedname_init(&wildcardname);
6097 dns_name_copy(fname, dns_fixedname_name(&wildcardname),
6099 need_wildcardproof = ISC_TRUE;
6101 query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
6102 DNS_SECTION_ANSWER);
6104 * We set the PARTIALANSWER attribute so that if anything goes
6105 * wrong later on, we'll return what we've got so far.
6107 client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
6109 * Get the target name of the DNAME.
6112 result = dns_message_gettempname(client->message, &tname);
6113 if (result != ISC_R_SUCCESS)
6115 result = dns_rdataset_first(trdataset);
6116 if (result != ISC_R_SUCCESS) {
6117 dns_message_puttempname(client->message, &tname);
6120 dns_rdataset_current(trdataset, &rdata);
6121 result = dns_rdata_tostruct(&rdata, &dname, NULL);
6122 dns_rdata_reset(&rdata);
6123 if (result != ISC_R_SUCCESS) {
6124 dns_message_puttempname(client->message, &tname);
6127 dns_name_clone(&dname.dname, tname);
6128 dns_rdata_freestruct(&dname);
6130 * Construct the new qname consisting of
6131 * <found name prefix>.<dname target>
6133 dns_fixedname_init(&fixed);
6134 prefix = dns_fixedname_name(&fixed);
6135 dns_name_split(client->query.qname, nlabels, prefix, NULL);
6136 INSIST(fname == NULL);
6137 dbuf = query_getnamebuf(client);
6139 dns_message_puttempname(client->message, &tname);
6142 fname = query_newname(client, dbuf, &b);
6143 if (fname == NULL) {
6144 dns_message_puttempname(client->message, &tname);
6147 result = dns_name_concatenate(prefix, tname, fname, NULL);
6148 dns_message_puttempname(client->message, &tname);
6151 * RFC2672, section 4.1, subsection 3c says
6152 * we should return YXDOMAIN if the constructed
6153 * name would be too long.
6155 if (result == DNS_R_NAMETOOLONG)
6156 client->message->rcode = dns_rcode_yxdomain;
6157 if (result != ISC_R_SUCCESS)
6160 query_keepname(client, fname, dbuf);
6162 * Synthesize a CNAME consisting of
6163 * <old qname> <dname ttl> CNAME <new qname>
6164 * with <dname trust value>
6166 * Synthesize a CNAME so old old clients that don't understand
6169 * We do not try to synthesize a signature because we hope
6170 * that security aware servers will understand DNAME. Also,
6171 * even if we had an online key, making a signature
6172 * on-the-fly is costly, and not really legitimate anyway
6173 * since the synthesized CNAME is NOT in the zone.
6175 result = query_add_cname(client, client->query.qname, fname,
6176 trdataset->trust, trdataset->ttl);
6177 if (result != ISC_R_SUCCESS)
6180 * Switch to the new qname and restart.
6182 ns_client_qnamereplace(client, fname);
6184 want_restart = ISC_TRUE;
6185 if (!WANTRECURSION(client))
6186 options |= DNS_GETDB_NOLOG;
6190 * Something has gone wrong.
6192 QUERY_ERROR(DNS_R_SERVFAIL);
6196 if (WANTDNSSEC(client) &&
6197 (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
6199 dns_fixedname_init(&wildcardname);
6200 dns_name_copy(fname, dns_fixedname_name(&wildcardname), NULL);
6201 need_wildcardproof = ISC_TRUE;
6204 if (type == dns_rdatatype_any) {
6205 #ifdef ALLOW_FILTER_AAAA_ON_V4
6206 isc_boolean_t have_aaaa, have_a, have_sig, filter_aaaa;
6209 * The filter-aaaa-on-v4 option should
6210 * suppress AAAAs for IPv4 clients if there is an A.
6211 * If we are not authoritative, assume there is a A
6212 * even in if it is not in our cache. This assumption could
6213 * be wrong but it is a good bet.
6215 have_aaaa = ISC_FALSE;
6216 have_a = !authoritative;
6217 have_sig = ISC_FALSE;
6218 if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
6219 is_v4_client(client) &&
6220 ns_client_checkaclsilent(client, NULL,
6221 client->view->v4_aaaa_acl,
6222 ISC_TRUE) == ISC_R_SUCCESS)
6223 filter_aaaa = ISC_TRUE;
6225 filter_aaaa = ISC_FALSE;
6228 * XXXRTH Need to handle zonecuts with special case
6233 result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
6234 if (result != ISC_R_SUCCESS) {
6235 QUERY_ERROR(DNS_R_SERVFAIL);
6240 * Check all A and AAAA records in all response policy
6243 rpz_st = client->query.rpz_st;
6244 if (rpz_st != NULL &&
6245 (rpz_st->state & DNS_RPZ_DONE_QNAME) != 0 &&
6246 (rpz_st->state & DNS_RPZ_REWRITTEN) == 0 &&
6247 RECURSIONOK(client) && !RECURSING(client) &&
6248 (rpz_st->state & DNS_RPZ_HAVE_IP) != 0) {
6249 for (result = dns_rdatasetiter_first(rdsiter);
6250 result == ISC_R_SUCCESS;
6251 result = dns_rdatasetiter_next(rdsiter)) {
6252 dns_rdatasetiter_current(rdsiter, rdataset);
6253 if (rdataset->type == dns_rdatatype_a ||
6254 rdataset->type == dns_rdatatype_aaaa)
6255 result = rpz_rewrite_ip(client,
6258 dns_rdataset_disassociate(rdataset);
6259 if (result != ISC_R_SUCCESS)
6262 if (result != ISC_R_NOMORE) {
6263 dns_rdatasetiter_destroy(&rdsiter);
6264 QUERY_ERROR(DNS_R_SERVFAIL);
6267 switch (rpz_st->m.policy) {
6268 case DNS_RPZ_POLICY_MISS:
6270 case DNS_RPZ_POLICY_NO_OP:
6272 rpz_st->state |= DNS_RPZ_REWRITTEN;
6274 case DNS_RPZ_POLICY_NXDOMAIN:
6275 case DNS_RPZ_POLICY_NODATA:
6276 case DNS_RPZ_POLICY_RECORD:
6277 case DNS_RPZ_POLICY_CNAME:
6278 dns_rdatasetiter_destroy(&rdsiter);
6279 rpz_st->state |= DNS_RPZ_REWRITTEN;
6280 goto finish_rewrite;
6287 * Calling query_addrrset() with a non-NULL dbuf is going
6288 * to either keep or release the name. We don't want it to
6289 * release fname, since we may have to call query_addrrset()
6290 * more than once. That means we have to call query_keepname()
6291 * now, and pass a NULL dbuf to query_addrrset().
6293 * If we do a query_addrrset() below, we must set fname to
6294 * NULL before leaving this block, otherwise we might try to
6295 * cleanup fname even though we're using it!
6297 query_keepname(client, fname, dbuf);
6299 result = dns_rdatasetiter_first(rdsiter);
6300 while (result == ISC_R_SUCCESS) {
6301 dns_rdatasetiter_current(rdsiter, rdataset);
6302 #ifdef ALLOW_FILTER_AAAA_ON_V4
6304 * Notice the presence of A and AAAAs so
6305 * that AAAAs can be hidden from IPv4 clients.
6308 if (rdataset->type == dns_rdatatype_aaaa)
6309 have_aaaa = ISC_TRUE;
6310 else if (rdataset->type == dns_rdatatype_a)
6314 if (is_zone && qtype == dns_rdatatype_any &&
6315 !dns_db_issecure(db) &&
6316 dns_rdatatype_isdnssec(rdataset->type)) {
6318 * The zone is transitioning from insecure
6319 * to secure. Hide the dnssec records from
6322 dns_rdataset_disassociate(rdataset);
6323 } else if ((qtype == dns_rdatatype_any ||
6324 rdataset->type == qtype) && rdataset->type != 0) {
6325 #ifdef ALLOW_FILTER_AAAA_ON_V4
6326 if (dns_rdatatype_isdnssec(rdataset->type))
6327 have_sig = ISC_TRUE;
6329 if (NOQNAME(rdataset) && WANTDNSSEC(client))
6333 query_addrrset(client,
6334 fname != NULL ? &fname : &tname,
6336 NULL, DNS_SECTION_ANSWER);
6337 if (noqname != NULL)
6338 query_addnoqnameproof(client, noqname);
6340 INSIST(tname != NULL);
6342 * rdataset is non-NULL only in certain
6343 * pathological cases involving DNAMEs.
6345 if (rdataset != NULL)
6346 query_putrdataset(client, &rdataset);
6347 rdataset = query_newrdataset(client);
6348 if (rdataset == NULL)
6352 * We're not interested in this rdataset.
6354 dns_rdataset_disassociate(rdataset);
6356 result = dns_rdatasetiter_next(rdsiter);
6359 #ifdef ALLOW_FILTER_AAAA_ON_V4
6361 * Filter AAAAs if there is an A and there is no signature
6362 * or we are supposed to break DNSSEC.
6364 if (filter_aaaa && have_aaaa && have_a &&
6365 (!have_sig || !WANTDNSSEC(client) ||
6366 client->view->v4_aaaa == dns_v4_aaaa_break_dnssec))
6367 client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
6370 dns_message_puttempname(client->message, &fname);
6372 if (n == 0 && is_zone) {
6374 * We didn't match any rdatasets.
6376 if ((qtype == dns_rdatatype_rrsig ||
6377 qtype == dns_rdatatype_sig) &&
6378 result == ISC_R_NOMORE) {
6380 * XXXRTH If this is a secure zone and we
6381 * didn't find any SIGs, we should generate
6382 * an error unless we were searching for
6387 * Note: this is dead code because
6388 * is_zone is always true due to the
6389 * condition above. But naive
6390 * recursion would cause infinite
6391 * attempts of recursion because
6392 * the answer to (RR)SIG queries
6393 * won't be cached. Until we figure
6394 * out what we should do and implement
6395 * it we intentionally keep this code
6398 authoritative = ISC_FALSE;
6399 dns_rdatasetiter_destroy(&rdsiter);
6400 if (RECURSIONOK(client)) {
6401 result = query_recurse(client,
6403 client->query.qname,
6406 if (result == ISC_R_SUCCESS)
6407 client->query.attributes |=
6408 NS_QUERYATTR_RECURSING;
6410 RECURSE_ERROR(result);
6415 * We were searching for SIG records in
6416 * a nonsecure zone. Send a "no error,
6417 * no data" response.
6422 result = query_addsoa(client, db, version,
6425 if (result == ISC_R_SUCCESS)
6426 result = ISC_R_NOMORE;
6429 * Something went wrong.
6431 result = DNS_R_SERVFAIL;
6434 dns_rdatasetiter_destroy(&rdsiter);
6435 if (result != ISC_R_NOMORE) {
6436 QUERY_ERROR(DNS_R_SERVFAIL);
6441 * This is the "normal" case -- an ordinary question to which
6442 * we know the answer.
6446 * Check all A and AAAA records in all response policy
6449 rpz_st = client->query.rpz_st;
6450 if (rpz_st != NULL &&
6451 (rpz_st->state & DNS_RPZ_DONE_QNAME) != 0 &&
6452 (rpz_st->state & DNS_RPZ_REWRITTEN) == 0 &&
6453 RECURSIONOK(client) && !RECURSING(client) &&
6454 (rpz_st->state & DNS_RPZ_HAVE_IP) != 0 &&
6455 (qtype == dns_rdatatype_aaaa || qtype == dns_rdatatype_a)) {
6456 result = rpz_rewrite_ip(client, rdataset,
6458 if (result != ISC_R_SUCCESS) {
6459 QUERY_ERROR(DNS_R_SERVFAIL);
6463 * After a hit in the radix tree for the policy domain,
6464 * either stop trying to rewrite (DNS_RPZ_POLICY_NO_OP)
6465 * or restart to ask the ordinary database of the
6466 * policy zone for the DNS record corresponding to the
6467 * record in the radix tree.
6469 switch (rpz_st->m.policy) {
6470 case DNS_RPZ_POLICY_MISS:
6472 case DNS_RPZ_POLICY_NO_OP:
6474 rpz_st->state |= DNS_RPZ_REWRITTEN;
6476 case DNS_RPZ_POLICY_NXDOMAIN:
6477 case DNS_RPZ_POLICY_NODATA:
6478 case DNS_RPZ_POLICY_RECORD:
6479 case DNS_RPZ_POLICY_CNAME:
6480 rpz_st->state |= DNS_RPZ_REWRITTEN;
6481 goto finish_rewrite;
6487 #ifdef ALLOW_FILTER_AAAA_ON_V4
6489 * Optionally hide AAAAs from IPv4 clients if there is an A.
6490 * We add the AAAAs now, but might refuse to render them later
6491 * after DNSSEC is figured out.
6492 * This could be more efficient, but the whole idea is
6493 * so fundamentally wrong, unavoidably inaccurate, and
6494 * unneeded that it is best to keep it as short as possible.
6496 if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
6497 is_v4_client(client) &&
6498 ns_client_checkaclsilent(client, NULL,
6499 client->view->v4_aaaa_acl,
6500 ISC_TRUE) == ISC_R_SUCCESS &&
6501 (!WANTDNSSEC(client) ||
6502 sigrdataset == NULL ||
6503 !dns_rdataset_isassociated(sigrdataset) ||
6504 client->view->v4_aaaa == dns_v4_aaaa_break_dnssec)) {
6505 if (qtype == dns_rdatatype_aaaa) {
6506 trdataset = query_newrdataset(client);
6507 result = dns_db_findrdataset(db, node, version,
6511 if (dns_rdataset_isassociated(trdataset))
6512 dns_rdataset_disassociate(trdataset);
6513 query_putrdataset(client, &trdataset);
6516 * We have an AAAA but the A is not in our cache.
6517 * Assume any result other than DNS_R_DELEGATION
6518 * or ISC_R_NOTFOUND means there is no A and
6520 * Assume there is no A if we can't recurse
6521 * for this client, although that could be
6522 * the wrong answer. What else can we do?
6523 * Besides, that we have the AAAA and are using
6524 * this mechanism suggests that we care more
6525 * about As than AAAAs and would have cached
6526 * the A if it existed.
6528 if (result == ISC_R_SUCCESS) {
6529 client->attributes |=
6530 NS_CLIENTATTR_FILTER_AAAA;
6532 } else if (authoritative ||
6533 !RECURSIONOK(client) ||
6534 (result != DNS_R_DELEGATION &&
6535 result != ISC_R_NOTFOUND)) {
6536 client->attributes &=
6537 ~NS_CLIENTATTR_FILTER_AAAA;
6540 * This is an ugly kludge to recurse
6541 * for the A and discard the result.
6543 * Continue to add the AAAA now.
6544 * We'll make a note to not render it
6545 * if the recursion for the A succeeds.
6547 result = query_recurse(client,
6549 client->query.qname,
6550 NULL, NULL, resuming);
6551 if (result == ISC_R_SUCCESS) {
6552 client->attributes |=
6553 NS_CLIENTATTR_FILTER_AAAA_RC;
6554 client->query.attributes |=
6555 NS_QUERYATTR_RECURSING;
6559 } else if (qtype == dns_rdatatype_a &&
6560 (client->attributes &
6561 NS_CLIENTATTR_FILTER_AAAA_RC) != 0) {
6562 client->attributes &=
6563 ~NS_CLIENTATTR_FILTER_AAAA_RC;
6564 client->attributes |=
6565 NS_CLIENTATTR_FILTER_AAAA;
6566 dns_rdataset_disassociate(rdataset);
6567 if (sigrdataset != NULL &&
6568 dns_rdataset_isassociated(sigrdataset))
6569 dns_rdataset_disassociate(sigrdataset);
6575 * Check to see if the AAAA RRset has non-excluded addresses
6576 * in it. If not look for a A RRset.
6578 INSIST(client->query.dns64_aaaaok == NULL);
6580 if (qtype == dns_rdatatype_aaaa && !dns64_exclude &&
6581 !ISC_LIST_EMPTY(client->view->dns64) &&
6582 client->message->rdclass == dns_rdataclass_in &&
6583 !dns64_aaaaok(client, rdataset, sigrdataset)) {
6585 * Look to see if there are A records for this
6588 client->query.dns64_aaaa = rdataset;
6589 client->query.dns64_sigaaaa = sigrdataset;
6590 client->query.dns64_ttl = rdataset->ttl;
6591 query_releasename(client, &fname);
6592 dns_db_detachnode(db, &node);
6595 type = qtype = dns_rdatatype_a;
6596 dns64_exclude = dns64 = ISC_TRUE;
6600 if (sigrdataset != NULL)
6601 sigrdatasetp = &sigrdataset;
6603 sigrdatasetp = NULL;
6604 if (NOQNAME(rdataset) && WANTDNSSEC(client))
6609 * BIND 8 priming queries need the additional section.
6611 if (is_zone && qtype == dns_rdatatype_ns &&
6612 dns_name_equal(client->query.qname, dns_rootname))
6613 client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL;
6616 qtype = type = dns_rdatatype_aaaa;
6617 result = query_dns64(client, &fname, rdataset,
6619 DNS_SECTION_ANSWER);
6620 dns_rdataset_disassociate(rdataset);
6621 dns_message_puttemprdataset(client->message, &rdataset);
6622 if (result == ISC_R_NOMORE) {
6623 #ifndef dns64_bis_return_excluded_addresses
6624 if (dns64_exclude) {
6628 * Add a fake SOA record.
6630 (void)query_addsoa(client, db, version,
6638 goto ncache_nxrrset;
6639 } else if (result != ISC_R_SUCCESS) {
6643 } else if (client->query.dns64_aaaaok != NULL) {
6644 query_filter64(client, &fname, rdataset, dbuf,
6645 DNS_SECTION_ANSWER);
6646 query_putrdataset(client, &rdataset);
6648 query_addrrset(client, &fname, &rdataset,
6649 sigrdatasetp, dbuf, DNS_SECTION_ANSWER);
6651 if (noqname != NULL)
6652 query_addnoqnameproof(client, noqname);
6654 * We shouldn't ever fail to add 'rdataset'
6655 * because it's already in the answer.
6657 INSIST(rdataset == NULL);
6661 CTRACE("query_find: addauth");
6663 * Add NS records to the authority section (if we haven't already
6664 * added them to the answer section).
6666 if (!want_restart && !NOAUTHORITY(client)) {
6668 if (!((qtype == dns_rdatatype_ns ||
6669 qtype == dns_rdatatype_any) &&
6670 dns_name_equal(client->query.qname,
6671 dns_db_origin(db))))
6672 (void)query_addns(client, db, version);
6673 } else if (qtype != dns_rdatatype_ns) {
6675 query_releasename(client, &fname);
6676 query_addbestns(client);
6681 * Add NSEC records to the authority section if they're needed for
6682 * DNSSEC wildcard proofs.
6684 if (need_wildcardproof && dns_db_issecure(db))
6685 query_addwildcardproof(client, db, version,
6686 dns_fixedname_name(&wildcardname),
6687 ISC_TRUE, ISC_FALSE);
6689 CTRACE("query_find: cleanup");
6693 rpz_st = client->query.rpz_st;
6694 if (rpz_st != NULL && (rpz_st->state & DNS_RPZ_RECURSING) == 0)
6695 rpz_clean(&rpz_st->m.zone, &rpz_st->m.db, &rpz_st->m.node,
6696 &rpz_st->m.rdataset);
6697 if (rdataset != NULL)
6698 query_putrdataset(client, &rdataset);
6699 if (sigrdataset != NULL)
6700 query_putrdataset(client, &sigrdataset);
6702 query_releasename(client, &fname);
6704 dns_db_detachnode(db, &node);
6708 dns_zone_detach(&zone);
6710 query_putrdataset(client, &zrdataset);
6711 if (zsigrdataset != NULL)
6712 query_putrdataset(client, &zsigrdataset);
6714 query_releasename(client, &zfname);
6715 dns_db_detach(&zdb);
6718 isc_event_free(ISC_EVENT_PTR(&event));
6723 if (client->query.restarts == 0 && !authoritative) {
6725 * We're not authoritative, so we must ensure the AA bit
6728 client->message->flags &= ~DNS_MESSAGEFLAG_AA;
6732 * Restart the query?
6734 if (want_restart && client->query.restarts < MAX_RESTARTS) {
6735 client->query.restarts++;
6739 if (eresult != ISC_R_SUCCESS &&
6740 (!PARTIALANSWER(client) || WANTRECURSION(client))) {
6741 if (eresult == DNS_R_DUPLICATE || eresult == DNS_R_DROP) {
6743 * This was a duplicate query that we are
6744 * recursing on. Don't send a response now.
6745 * The original query will still cause a response.
6747 query_next(client, eresult);
6750 * If we don't have any answer to give the client,
6751 * or if the client requested recursion and thus wanted
6752 * the complete answer, send an error response.
6755 query_error(client, eresult, line);
6757 ns_client_detach(&client);
6758 } else if (!RECURSING(client)) {
6760 * We are done. Set up sortlist data for the message
6761 * rendering code, make a final tweak to the AA bit if the
6762 * auth-nxdomain config option says so, then render and
6763 * send the response.
6765 setup_query_sortlist(client);
6768 * If this is a referral and the answer to the question
6769 * is in the glue sort it to the start of the additional
6772 if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) &&
6773 client->message->rcode == dns_rcode_noerror &&
6774 (qtype == dns_rdatatype_a || qtype == dns_rdatatype_aaaa))
6775 answer_in_glue(client, qtype);
6777 if (client->message->rcode == dns_rcode_nxdomain &&
6778 client->view->auth_nxdomain == ISC_TRUE)
6779 client->message->flags |= DNS_MESSAGEFLAG_AA;
6782 * If the response is somehow unexpected for the client and this
6783 * is a result of recursion, return an error to the caller
6784 * to indicate it may need to be logged.
6787 (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) ||
6788 client->message->rcode != dns_rcode_noerror))
6789 eresult = ISC_R_FAILURE;
6792 ns_client_detach(&client);
6794 CTRACE("query_find: done");
6800 log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
6801 char namebuf[DNS_NAME_FORMATSIZE];
6802 char typename[DNS_RDATATYPE_FORMATSIZE];
6803 char classname[DNS_RDATACLASS_FORMATSIZE];
6804 char onbuf[ISC_NETADDR_FORMATSIZE];
6805 dns_rdataset_t *rdataset;
6806 int level = ISC_LOG_INFO;
6808 if (! isc_log_wouldlog(ns_g_lctx, level))
6811 rdataset = ISC_LIST_HEAD(client->query.qname->list);
6812 INSIST(rdataset != NULL);
6813 dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
6814 dns_rdataclass_format(rdataset->rdclass, classname, sizeof(classname));
6815 dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
6816 isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf));
6818 ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
6819 level, "query: %s %s %s %s%s%s%s%s%s (%s)", namebuf,
6820 classname, typename, WANTRECURSION(client) ? "+" : "-",
6821 (client->signer != NULL) ? "S": "",
6822 (client->opt != NULL) ? "E" : "",
6823 ((client->attributes & NS_CLIENTATTR_TCP) != 0) ?
6825 ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "",
6826 ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "",
6831 log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) {
6832 char namebuf[DNS_NAME_FORMATSIZE];
6833 char typename[DNS_RDATATYPE_FORMATSIZE];
6834 char classname[DNS_RDATACLASS_FORMATSIZE];
6835 const char *namep, *typep, *classp, *sep1, *sep2;
6836 dns_rdataset_t *rdataset;
6838 if (!isc_log_wouldlog(ns_g_lctx, level))
6841 namep = typep = classp = sep1 = sep2 = "";
6844 * Query errors can happen for various reasons. In some cases we cannot
6845 * even assume the query contains a valid question section, so we should
6846 * expect exceptional cases.
6848 if (client->query.origqname != NULL) {
6849 dns_name_format(client->query.origqname, namebuf,
6854 rdataset = ISC_LIST_HEAD(client->query.origqname->list);
6855 if (rdataset != NULL) {
6856 dns_rdataclass_format(rdataset->rdclass, classname,
6859 dns_rdatatype_format(rdataset->type, typename,
6866 ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS, NS_LOGMODULE_QUERY,
6867 level, "query failed (%s)%s%s%s%s%s%s at %s:%d",
6868 isc_result_totext(result), sep1, namep, sep2,
6869 classp, sep2, typep, __FILE__, line);
6873 ns_query_start(ns_client_t *client) {
6874 isc_result_t result;
6875 dns_message_t *message = client->message;
6876 dns_rdataset_t *rdataset;
6877 ns_client_t *qclient;
6878 dns_rdatatype_t qtype;
6879 unsigned int saved_extflags = client->extflags;
6880 unsigned int saved_flags = client->message->flags;
6881 isc_boolean_t want_ad;
6883 CTRACE("ns_query_start");
6888 if (ns_g_clienttest && (client->attributes & NS_CLIENTATTR_TCP) == 0)
6889 RUNTIME_CHECK(ns_client_replace(client) == ISC_R_SUCCESS);
6892 * Ensure that appropriate cleanups occur.
6894 client->next = query_next_callback;
6897 * Behave as if we don't support DNSSEC if not enabled.
6899 if (!client->view->enablednssec) {
6900 message->flags &= ~DNS_MESSAGEFLAG_CD;
6901 client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
6902 if (client->opt != NULL)
6903 client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;
6906 if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
6907 client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
6909 if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
6910 client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
6912 if (client->view->minimalresponses)
6913 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
6914 NS_QUERYATTR_NOADDITIONAL);
6916 if ((client->view->cachedb == NULL)
6917 || (!client->view->additionalfromcache)) {
6919 * We don't have a cache. Turn off cache support and
6922 client->query.attributes &=
6923 ~(NS_QUERYATTR_RECURSIONOK|NS_QUERYATTR_CACHEOK);
6924 } else if ((client->attributes & NS_CLIENTATTR_RA) == 0 ||
6925 (message->flags & DNS_MESSAGEFLAG_RD) == 0) {
6927 * If the client isn't allowed to recurse (due to
6928 * "recursion no", the allow-recursion ACL, or the
6929 * lack of a resolver in this view), or if it
6930 * doesn't want recursion, turn recursion off.
6932 client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
6936 * Get the question name.
6938 result = dns_message_firstname(message, DNS_SECTION_QUESTION);
6939 if (result != ISC_R_SUCCESS) {
6940 query_error(client, result, __LINE__);
6943 dns_message_currentname(message, DNS_SECTION_QUESTION,
6944 &client->query.qname);
6945 client->query.origqname = client->query.qname;
6946 result = dns_message_nextname(message, DNS_SECTION_QUESTION);
6947 if (result != ISC_R_NOMORE) {
6948 if (result == ISC_R_SUCCESS) {
6950 * There's more than one QNAME in the question
6953 query_error(client, DNS_R_FORMERR, __LINE__);
6955 query_error(client, result, __LINE__);
6959 if (ns_g_server->log_queries)
6960 log_query(client, saved_flags, saved_extflags);
6963 * Check for multiple question queries, since edns1 is dead.
6965 if (message->counts[DNS_SECTION_QUESTION] > 1) {
6966 query_error(client, DNS_R_FORMERR, __LINE__);
6971 * Check for meta-queries like IXFR and AXFR.
6973 rdataset = ISC_LIST_HEAD(client->query.qname->list);
6974 INSIST(rdataset != NULL);
6975 qtype = rdataset->type;
6976 dns_rdatatypestats_increment(ns_g_server->rcvquerystats, qtype);
6977 if (dns_rdatatype_ismeta(qtype)) {
6979 case dns_rdatatype_any:
6980 break; /* Let query_find handle it. */
6981 case dns_rdatatype_ixfr:
6982 case dns_rdatatype_axfr:
6983 ns_xfr_start(client, rdataset->type);
6985 case dns_rdatatype_maila:
6986 case dns_rdatatype_mailb:
6987 query_error(client, DNS_R_NOTIMP, __LINE__);
6989 case dns_rdatatype_tkey:
6990 result = dns_tkey_processquery(client->message,
6991 ns_g_server->tkeyctx,
6992 client->view->dynamickeys);
6993 if (result == ISC_R_SUCCESS)
6996 query_error(client, result, __LINE__);
6998 default: /* TSIG, etc. */
6999 query_error(client, DNS_R_FORMERR, __LINE__);
7005 * Turn on minimal response for DNSKEY and DS queries.
7007 if (qtype == dns_rdatatype_dnskey || qtype == dns_rdatatype_ds)
7008 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
7009 NS_QUERYATTR_NOADDITIONAL);
7012 * Turn on minimal responses for EDNS/UDP bufsize 512 queries.
7014 if (client->opt != NULL && client->udpsize <= 512U &&
7015 (client->attributes & NS_CLIENTATTR_TCP) == 0)
7016 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
7017 NS_QUERYATTR_NOADDITIONAL);
7020 * If the client has requested that DNSSEC checking be disabled,
7021 * allow lookups to return pending data and instruct the resolver
7022 * to return data before validation has completed.
7024 * We don't need to set DNS_DBFIND_PENDINGOK when validation is
7025 * disabled as there will be no pending data.
7027 if (message->flags & DNS_MESSAGEFLAG_CD ||
7028 qtype == dns_rdatatype_rrsig)
7030 client->query.dboptions |= DNS_DBFIND_PENDINGOK;
7031 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
7032 } else if (!client->view->enablevalidation)
7033 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
7036 * Allow glue NS records to be added to the authority section
7037 * if the answer is secure.
7039 if (message->flags & DNS_MESSAGEFLAG_CD)
7040 client->query.attributes &= ~NS_QUERYATTR_SECURE;
7043 * Set 'want_ad' if the client has set AD in the query.
7044 * This allows AD to be returned on queries without DO set.
7046 if ((message->flags & DNS_MESSAGEFLAG_AD) != 0)
7049 want_ad = ISC_FALSE;
7052 * This is an ordinary query.
7054 result = dns_message_reply(message, ISC_TRUE);
7055 if (result != ISC_R_SUCCESS) {
7056 query_next(client, result);
7061 * Assume authoritative response until it is known to be
7064 * If "-T noaa" has been set on the command line don't set
7065 * AA on authoritative answers.
7068 message->flags |= DNS_MESSAGEFLAG_AA;
7071 * Set AD. We must clear it if we add non-validated data to a
7074 if (WANTDNSSEC(client) || want_ad)
7075 message->flags |= DNS_MESSAGEFLAG_AD;
7078 ns_client_attach(client, &qclient);
7079 (void)query_find(qclient, NULL, qtype);