2 * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
24 #include <isc/counter.h>
25 #include <isc/platform.h>
26 #include <isc/print.h>
27 #include <isc/string.h>
28 #include <isc/random.h>
30 #include <isc/stats.h>
31 #include <isc/timer.h>
36 #include <dns/cache.h>
38 #include <dns/dispatch.h>
40 #include <dns/events.h>
41 #include <dns/forward.h>
42 #include <dns/keytable.h>
44 #include <dns/message.h>
45 #include <dns/ncache.h>
46 #include <dns/opcode.h>
49 #include <dns/rcode.h>
50 #include <dns/rdata.h>
51 #include <dns/rdataclass.h>
52 #include <dns/rdatalist.h>
53 #include <dns/rdataset.h>
54 #include <dns/rdatastruct.h>
55 #include <dns/rdatatype.h>
56 #include <dns/resolver.h>
57 #include <dns/result.h>
58 #include <dns/rootns.h>
59 #include <dns/stats.h>
61 #include <dns/validator.h>
63 #define DNS_RESOLVER_TRACE
64 #ifdef DNS_RESOLVER_TRACE
65 #define RTRACE(m) isc_log_write(dns_lctx, \
66 DNS_LOGCATEGORY_RESOLVER, \
67 DNS_LOGMODULE_RESOLVER, \
69 "res %p: %s", res, (m))
70 #define RRTRACE(r, m) isc_log_write(dns_lctx, \
71 DNS_LOGCATEGORY_RESOLVER, \
72 DNS_LOGMODULE_RESOLVER, \
74 "res %p: %s", (r), (m))
75 #define FCTXTRACE(m) isc_log_write(dns_lctx, \
76 DNS_LOGCATEGORY_RESOLVER, \
77 DNS_LOGMODULE_RESOLVER, \
79 "fctx %p(%s'): %s", fctx, fctx->info, (m))
80 #define FCTXTRACE2(m1, m2) \
81 isc_log_write(dns_lctx, \
82 DNS_LOGCATEGORY_RESOLVER, \
83 DNS_LOGMODULE_RESOLVER, \
85 "fctx %p(%s): %s %s", \
86 fctx, fctx->info, (m1), (m2))
87 #define FTRACE(m) isc_log_write(dns_lctx, \
88 DNS_LOGCATEGORY_RESOLVER, \
89 DNS_LOGMODULE_RESOLVER, \
91 "fetch %p (fctx %p(%s)): %s", \
92 fetch, fetch->private, \
93 fetch->private->info, (m))
94 #define QTRACE(m) isc_log_write(dns_lctx, \
95 DNS_LOGCATEGORY_RESOLVER, \
96 DNS_LOGMODULE_RESOLVER, \
98 "resquery %p (fctx %p(%s)): %s", \
100 query->fctx->info, (m))
103 #define RRTRACE(r, m)
109 #define US_PER_SEC 1000000U
111 * The maximum time we will wait for a single query.
113 #define MAX_SINGLE_QUERY_TIMEOUT 9U
114 #define MAX_SINGLE_QUERY_TIMEOUT_US (MAX_SINGLE_QUERY_TIMEOUT*US_PER_SEC)
117 * We need to allow a individual query time to complete / timeout.
119 #define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U)
121 /* The default time in seconds for the whole query to live. */
122 #ifndef DEFAULT_QUERY_TIMEOUT
123 #define DEFAULT_QUERY_TIMEOUT MINIMUM_QUERY_TIMEOUT
126 #ifndef MAXIMUM_QUERY_TIMEOUT
127 #define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */
130 /* The default maximum number of recursions to follow before giving up. */
131 #ifndef DEFAULT_RECURSION_DEPTH
132 #define DEFAULT_RECURSION_DEPTH 7
135 /* The default maximum number of iterative queries to allow before giving up. */
136 #ifndef DEFAULT_MAX_QUERIES
137 #define DEFAULT_MAX_QUERIES 50
141 * Maximum EDNS0 input packet size.
143 #define RECV_BUFFER_SIZE 4096 /* XXXRTH Constant. */
146 * This defines the maximum number of timeouts we will permit before we
147 * disable EDNS0 on the query.
149 #define MAX_EDNS0_TIMEOUTS 3
151 typedef struct fetchctx fetchctx_t;
153 typedef struct query {
154 /* Locked by task event serialization. */
158 dns_dispatchmgr_t * dispatchmgr;
159 dns_dispatch_t * dispatch;
160 isc_boolean_t exclusivesocket;
161 dns_adbaddrinfo_t * addrinfo;
162 isc_socket_t * tcpsocket;
165 dns_dispentry_t * dispentry;
166 ISC_LINK(struct query) link;
169 dns_tsigkey_t *tsigkey;
170 unsigned int options;
171 unsigned int attributes;
173 unsigned int connects;
174 unsigned char data[512];
177 #define QUERY_MAGIC ISC_MAGIC('Q', '!', '!', '!')
178 #define VALID_QUERY(query) ISC_MAGIC_VALID(query, QUERY_MAGIC)
180 #define RESQUERY_ATTR_CANCELED 0x02
182 #define RESQUERY_CONNECTING(q) ((q)->connects > 0)
183 #define RESQUERY_CANCELED(q) (((q)->attributes & \
184 RESQUERY_ATTR_CANCELED) != 0)
185 #define RESQUERY_SENDING(q) ((q)->sends > 0)
188 fetchstate_init = 0, /*%< Start event has not run yet. */
190 fetchstate_done /*%< FETCHDONE events posted. */
194 badns_unreachable = 0,
202 dns_resolver_t * res;
204 dns_rdatatype_t type;
205 unsigned int options;
206 unsigned int bucketnum;
210 /*% Locked by appropriate bucket lock. */
212 isc_boolean_t want_shutdown;
213 isc_boolean_t cloned;
214 isc_boolean_t spilled;
215 unsigned int references;
216 isc_event_t control_event;
217 ISC_LINK(struct fetchctx) link;
218 ISC_LIST(dns_fetchevent_t) events;
219 /*% Locked by task event serialization. */
221 dns_rdataset_t nameservers;
222 unsigned int attributes;
225 isc_interval_t interval;
226 dns_message_t * qmessage;
227 dns_message_t * rmessage;
228 ISC_LIST(resquery_t) queries;
229 dns_adbfindlist_t finds;
230 dns_adbfind_t * find;
231 dns_adbfindlist_t altfinds;
232 dns_adbfind_t * altfind;
233 dns_adbaddrinfolist_t forwaddrs;
234 dns_adbaddrinfolist_t altaddrs;
235 isc_sockaddrlist_t forwarders;
236 dns_fwdpolicy_t fwdpolicy;
237 isc_sockaddrlist_t bad;
238 isc_sockaddrlist_t edns;
239 isc_sockaddrlist_t edns512;
240 isc_sockaddrlist_t bad_edns;
241 dns_validator_t * validator;
242 ISC_LIST(dns_validator_t) validators;
245 isc_boolean_t ns_ttl_ok;
250 * The number of events we're waiting for.
252 unsigned int pending;
255 * The number of times we've "restarted" the current
256 * nameserver set. This acts as a failsafe to prevent
257 * us from pounding constantly on a particular set of
258 * servers that, for whatever reason, are not giving
259 * us useful responses, but are responding in such a
260 * way that they are not marked "bad".
262 unsigned int restarts;
265 * The number of timeouts that have occurred since we
266 * last successfully received a response packet. This
267 * is used for EDNS0 black hole detection.
269 unsigned int timeouts;
272 * Look aside state for DS lookups.
275 dns_fetch_t * nsfetch;
276 dns_rdataset_t nsrrset;
279 * Number of queries that reference this context.
281 unsigned int nqueries;
284 * The reason to print when logging a successful
285 * response to a query.
290 * Random numbers to use for mixing up server addresses.
292 isc_uint32_t rand_buf;
293 isc_uint32_t rand_bits;
296 * Fetch-local statistics for detailed logging.
298 isc_result_t result; /*%< fetch result */
299 isc_result_t vresult; /*%< validation result */
302 isc_uint64_t duration;
303 isc_boolean_t logged;
304 unsigned int querysent;
305 unsigned int referrals;
306 unsigned int lamecount;
308 unsigned int badresp;
310 unsigned int findfail;
311 unsigned int valfail;
312 isc_boolean_t timeout;
313 dns_adbaddrinfo_t *addrinfo;
314 isc_sockaddr_t *client;
318 #define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
319 #define VALID_FCTX(fctx) ISC_MAGIC_VALID(fctx, FCTX_MAGIC)
321 #define FCTX_ATTR_HAVEANSWER 0x0001
322 #define FCTX_ATTR_GLUING 0x0002
323 #define FCTX_ATTR_ADDRWAIT 0x0004
324 #define FCTX_ATTR_SHUTTINGDOWN 0x0008
325 #define FCTX_ATTR_WANTCACHE 0x0010
326 #define FCTX_ATTR_WANTNCACHE 0x0020
327 #define FCTX_ATTR_NEEDEDNS0 0x0040
328 #define FCTX_ATTR_TRIEDFIND 0x0080
329 #define FCTX_ATTR_TRIEDALT 0x0100
331 #define HAVE_ANSWER(f) (((f)->attributes & FCTX_ATTR_HAVEANSWER) != \
333 #define GLUING(f) (((f)->attributes & FCTX_ATTR_GLUING) != \
335 #define ADDRWAIT(f) (((f)->attributes & FCTX_ATTR_ADDRWAIT) != \
337 #define SHUTTINGDOWN(f) (((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \
339 #define WANTCACHE(f) (((f)->attributes & FCTX_ATTR_WANTCACHE) != 0)
340 #define WANTNCACHE(f) (((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0)
341 #define NEEDEDNS0(f) (((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0)
342 #define TRIEDFIND(f) (((f)->attributes & FCTX_ATTR_TRIEDFIND) != 0)
343 #define TRIEDALT(f) (((f)->attributes & FCTX_ATTR_TRIEDALT) != 0)
346 dns_adbaddrinfo_t * addrinfo;
352 fetchctx_t * private;
355 #define DNS_FETCH_MAGIC ISC_MAGIC('F', 't', 'c', 'h')
356 #define DNS_FETCH_VALID(fetch) ISC_MAGIC_VALID(fetch, DNS_FETCH_MAGIC)
358 typedef struct fctxbucket {
361 ISC_LIST(fetchctx_t) fctxs;
362 isc_boolean_t exiting;
366 typedef struct alternate {
367 isc_boolean_t isaddress;
375 ISC_LINK(struct alternate) link;
378 typedef struct dns_badcache dns_badcache_t;
379 struct dns_badcache {
380 dns_badcache_t * next;
381 dns_rdatatype_t type;
383 unsigned int hashval;
386 #define DNS_BADCACHE_SIZE 1021
387 #define DNS_BADCACHE_TTL(fctx) \
388 (((fctx)->res->lame_ttl > 30 ) ? (fctx)->res->lame_ttl : 30)
390 struct dns_resolver {
396 isc_mutex_t primelock;
397 dns_rdataclass_t rdclass;
398 isc_socketmgr_t * socketmgr;
399 isc_timermgr_t * timermgr;
400 isc_taskmgr_t * taskmgr;
402 isc_boolean_t frozen;
403 unsigned int options;
404 dns_dispatchmgr_t * dispatchmgr;
405 dns_dispatch_t * dispatchv4;
406 isc_boolean_t exclusivev4;
407 dns_dispatch_t * dispatchv6;
408 isc_boolean_t exclusivev6;
410 unsigned int nbuckets;
411 fctxbucket_t * buckets;
412 isc_uint32_t lame_ttl;
413 ISC_LIST(alternate_t) alternates;
414 isc_uint16_t udpsize;
416 isc_rwlock_t alglock;
418 dns_rbt_t * algorithms;
420 isc_rwlock_t mbslock;
422 dns_rbt_t * mustbesecure;
423 unsigned int spillatmax;
424 unsigned int spillatmin;
425 isc_timer_t * spillattimer;
426 isc_boolean_t zero_no_soa_ttl;
427 unsigned int query_timeout;
428 unsigned int maxdepth;
429 unsigned int maxqueries;
431 /* Locked by lock. */
432 unsigned int references;
433 isc_boolean_t exiting;
434 isc_eventlist_t whenshutdown;
435 unsigned int activebuckets;
436 isc_boolean_t priming;
437 unsigned int spillat; /* clients-per-query */
438 unsigned int nextdisp;
441 dns_badcache_t ** badcache;
442 unsigned int badcount;
443 unsigned int badhash;
444 unsigned int badsweep;
446 /* Locked by primelock. */
447 dns_fetch_t * primefetch;
448 /* Locked by nlock. */
452 #define RES_MAGIC ISC_MAGIC('R', 'e', 's', '!')
453 #define VALID_RESOLVER(res) ISC_MAGIC_VALID(res, RES_MAGIC)
456 * Private addrinfo flags. These must not conflict with DNS_FETCHOPT_NOEDNS0,
457 * which we also use as an addrinfo flag.
459 #define FCTX_ADDRINFO_MARK 0x0001
460 #define FCTX_ADDRINFO_FORWARDER 0x1000
461 #define FCTX_ADDRINFO_TRIED 0x2000
462 #define UNMARKED(a) (((a)->flags & FCTX_ADDRINFO_MARK) \
464 #define ISFORWARDER(a) (((a)->flags & \
465 FCTX_ADDRINFO_FORWARDER) != 0)
466 #define TRIED(a) (((a)->flags & \
467 FCTX_ADDRINFO_TRIED) != 0)
469 #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
470 #define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
472 static void destroy(dns_resolver_t *res);
473 static void empty_bucket(dns_resolver_t *res);
474 static isc_result_t resquery_send(resquery_t *query);
475 static void resquery_response(isc_task_t *task, isc_event_t *event);
476 static void resquery_connected(isc_task_t *task, isc_event_t *event);
477 static void fctx_try(fetchctx_t *fctx, isc_boolean_t retrying,
478 isc_boolean_t badcache);
479 static void fctx_destroy(fetchctx_t *fctx);
480 static isc_boolean_t fctx_unlink(fetchctx_t *fctx);
481 static isc_result_t ncache_adderesult(dns_message_t *message,
482 dns_db_t *cache, dns_dbnode_t *node,
483 dns_rdatatype_t covers,
484 isc_stdtime_t now, dns_ttl_t maxttl,
485 isc_boolean_t optout,
486 dns_rdataset_t *ardataset,
487 isc_result_t *eresultp);
488 static void validated(isc_task_t *task, isc_event_t *event);
489 static isc_boolean_t maybe_destroy(fetchctx_t *fctx, isc_boolean_t locked);
490 static void add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
491 isc_result_t reason, badnstype_t badtype);
494 * Increment resolver-related statistics counters.
497 inc_stats(dns_resolver_t *res, isc_statscounter_t counter) {
498 if (res->view->resstats != NULL)
499 isc_stats_increment(res->view->resstats, counter);
503 valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
504 dns_rdatatype_t type, dns_rdataset_t *rdataset,
505 dns_rdataset_t *sigrdataset, unsigned int valoptions,
508 dns_validator_t *validator = NULL;
509 dns_valarg_t *valarg;
512 valarg = isc_mem_get(fctx->mctx, sizeof(*valarg));
514 return (ISC_R_NOMEMORY);
517 valarg->addrinfo = addrinfo;
519 if (!ISC_LIST_EMPTY(fctx->validators))
520 INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
522 result = dns_validator_create(fctx->res->view, name, type, rdataset,
523 sigrdataset, fctx->rmessage,
524 valoptions, task, validated, valarg,
526 if (result == ISC_R_SUCCESS) {
527 inc_stats(fctx->res, dns_resstatscounter_val);
528 if ((valoptions & DNS_VALIDATOR_DEFER) == 0) {
529 INSIST(fctx->validator == NULL);
530 fctx->validator = validator;
532 ISC_LIST_APPEND(fctx->validators, validator, link);
534 isc_mem_put(fctx->mctx, valarg, sizeof(*valarg));
539 rrsig_fromchildzone(fetchctx_t *fctx, dns_rdataset_t *rdataset) {
540 dns_namereln_t namereln;
541 dns_rdata_rrsig_t rrsig;
542 dns_rdata_t rdata = DNS_RDATA_INIT;
547 for (result = dns_rdataset_first(rdataset);
548 result == ISC_R_SUCCESS;
549 result = dns_rdataset_next(rdataset)) {
550 dns_rdataset_current(rdataset, &rdata);
551 result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
552 RUNTIME_CHECK(result == ISC_R_SUCCESS);
553 namereln = dns_name_fullcompare(&rrsig.signer, &fctx->domain,
555 if (namereln == dns_namereln_subdomain)
557 dns_rdata_reset(&rdata);
563 fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
565 dns_name_t *domain = &fctx->domain;
566 dns_rdataset_t *rdataset;
567 dns_rdatatype_t type;
569 isc_boolean_t keep_auth = ISC_FALSE;
571 if (message->rcode == dns_rcode_nxdomain)
575 * A DS RRset can appear anywhere in a zone, even for a delegation-only
576 * zone. So a response to an explicit query for this type should be
577 * excluded from delegation-only fixup.
579 * SOA, NS, and DNSKEY can only exist at a zone apex, so a postive
580 * response to a query for these types can never violate the
581 * delegation-only assumption: if the query name is below a
582 * zone cut, the response should normally be a referral, which should
583 * be accepted; if the query name is below a zone cut but the server
584 * happens to have authority for the zone of the query name, the
585 * response is a (non-referral) answer. But this does not violate
586 * delegation-only because the query name must be in a different zone
587 * due to the "apex-only" nature of these types. Note that if the
588 * remote server happens to have authority for a child zone of a
589 * delegation-only zone, we may still incorrectly "fix" the response
590 * with NXDOMAIN for queries for other types. Unfortunately it's
591 * generally impossible to differentiate this case from violation of
592 * the delegation-only assumption. Once the resolver learns the
593 * correct zone cut, possibly via a separate query for an "apex-only"
594 * type, queries for other types will be resolved correctly.
596 * A query for type ANY will be accepted if it hits an exceptional
597 * type above in the answer section as it should be from a child
600 * Also accept answers with RRSIG records from the child zone.
601 * Direct queries for RRSIG records should not be answered from
605 if (message->counts[DNS_SECTION_ANSWER] != 0 &&
606 (fctx->type == dns_rdatatype_ns ||
607 fctx->type == dns_rdatatype_ds ||
608 fctx->type == dns_rdatatype_soa ||
609 fctx->type == dns_rdatatype_any ||
610 fctx->type == dns_rdatatype_rrsig ||
611 fctx->type == dns_rdatatype_dnskey)) {
612 result = dns_message_firstname(message, DNS_SECTION_ANSWER);
613 while (result == ISC_R_SUCCESS) {
615 dns_message_currentname(message, DNS_SECTION_ANSWER,
617 for (rdataset = ISC_LIST_HEAD(name->list);
619 rdataset = ISC_LIST_NEXT(rdataset, link)) {
620 if (!dns_name_equal(name, &fctx->name))
622 type = rdataset->type;
626 if (type == dns_rdatatype_rrsig &&
627 rrsig_fromchildzone(fctx, rdataset))
630 * Direct query for apex records or DS.
632 if (fctx->type == type &&
633 (type == dns_rdatatype_ds ||
634 type == dns_rdatatype_ns ||
635 type == dns_rdatatype_soa ||
636 type == dns_rdatatype_dnskey))
639 * Indirect query for apex records or DS.
641 if (fctx->type == dns_rdatatype_any &&
642 (type == dns_rdatatype_ns ||
643 type == dns_rdatatype_ds ||
644 type == dns_rdatatype_soa ||
645 type == dns_rdatatype_dnskey))
648 result = dns_message_nextname(message,
654 * A NODATA response to a DS query?
656 if (fctx->type == dns_rdatatype_ds &&
657 message->counts[DNS_SECTION_ANSWER] == 0)
660 /* Look for referral or indication of answer from child zone? */
661 if (message->counts[DNS_SECTION_AUTHORITY] == 0)
664 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
665 while (result == ISC_R_SUCCESS) {
667 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
668 for (rdataset = ISC_LIST_HEAD(name->list);
670 rdataset = ISC_LIST_NEXT(rdataset, link)) {
671 type = rdataset->type;
672 if (type == dns_rdatatype_soa &&
673 dns_name_equal(name, domain))
674 keep_auth = ISC_TRUE;
676 if (type != dns_rdatatype_ns &&
677 type != dns_rdatatype_soa &&
678 type != dns_rdatatype_rrsig)
681 if (type == dns_rdatatype_rrsig) {
682 if (rrsig_fromchildzone(fctx, rdataset))
688 /* NS or SOA records. */
689 if (dns_name_equal(name, domain)) {
691 * If a query for ANY causes a negative
692 * response, we can be sure that this is
693 * an empty node. For other type of queries
694 * we cannot differentiate an empty node
695 * from a node that just doesn't have that
696 * type of record. We only accept the former
699 if (message->counts[DNS_SECTION_ANSWER] == 0 &&
700 fctx->type == dns_rdatatype_any)
702 } else if (dns_name_issubdomain(name, domain)) {
703 /* Referral or answer from child zone. */
707 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
711 message->rcode = dns_rcode_nxdomain;
712 message->counts[DNS_SECTION_ANSWER] = 0;
714 message->counts[DNS_SECTION_AUTHORITY] = 0;
715 message->counts[DNS_SECTION_ADDITIONAL] = 0;
719 static inline isc_result_t
720 fctx_starttimer(fetchctx_t *fctx) {
722 * Start the lifetime timer for fctx.
724 * This is also used for stopping the idle timer; in that
725 * case we must purge events already posted to ensure that
726 * no further idle events are delivered.
728 return (isc_timer_reset(fctx->timer, isc_timertype_once,
729 &fctx->expires, NULL, ISC_TRUE));
733 fctx_stoptimer(fetchctx_t *fctx) {
737 * We don't return a result if resetting the timer to inactive fails
738 * since there's nothing to be done about it. Resetting to inactive
739 * should never fail anyway, since the code as currently written
740 * cannot fail in that case.
742 result = isc_timer_reset(fctx->timer, isc_timertype_inactive,
743 NULL, NULL, ISC_TRUE);
744 if (result != ISC_R_SUCCESS) {
745 UNEXPECTED_ERROR(__FILE__, __LINE__,
746 "isc_timer_reset(): %s",
747 isc_result_totext(result));
752 static inline isc_result_t
753 fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) {
755 * Start the idle timer for fctx. The lifetime timer continues
758 return (isc_timer_reset(fctx->timer, isc_timertype_once,
759 &fctx->expires, interval, ISC_FALSE));
763 * Stopping the idle timer is equivalent to calling fctx_starttimer(), but
764 * we use fctx_stopidletimer for readability in the code below.
766 #define fctx_stopidletimer fctx_starttimer
770 resquery_destroy(resquery_t **queryp) {
773 REQUIRE(queryp != NULL);
775 REQUIRE(!ISC_LINK_LINKED(query, link));
777 INSIST(query->tcpsocket == NULL);
779 query->fctx->nqueries--;
780 if (SHUTTINGDOWN(query->fctx)) {
781 dns_resolver_t *res = query->fctx->res;
782 if (maybe_destroy(query->fctx, ISC_FALSE))
786 isc_mem_put(query->mctx, query, sizeof(*query));
791 fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
792 isc_time_t *finish, isc_boolean_t no_response)
796 unsigned int rtt, rttms;
799 dns_adbaddrinfo_t *addrinfo;
800 isc_socket_t *socket;
805 FCTXTRACE("cancelquery");
807 REQUIRE(!RESQUERY_CANCELED(query));
809 query->attributes |= RESQUERY_ATTR_CANCELED;
812 * Should we update the RTT?
814 if (finish != NULL || no_response) {
815 if (finish != NULL) {
817 * We have both the start and finish times for this
818 * packet, so we can compute a real RTT.
820 rtt = (unsigned int)isc_time_microdiff(finish,
822 factor = DNS_ADB_RTTADJDEFAULT;
825 if (rttms < DNS_RESOLVER_QRYRTTCLASS0) {
827 dns_resstatscounter_queryrtt0);
828 } else if (rttms < DNS_RESOLVER_QRYRTTCLASS1) {
830 dns_resstatscounter_queryrtt1);
831 } else if (rttms < DNS_RESOLVER_QRYRTTCLASS2) {
833 dns_resstatscounter_queryrtt2);
834 } else if (rttms < DNS_RESOLVER_QRYRTTCLASS3) {
836 dns_resstatscounter_queryrtt3);
837 } else if (rttms < DNS_RESOLVER_QRYRTTCLASS4) {
839 dns_resstatscounter_queryrtt4);
842 dns_resstatscounter_queryrtt5);
846 * We don't have an RTT for this query. Maybe the
847 * packet was lost, or maybe this server is very
848 * slow. We don't know. Increase the RTT.
851 rtt = query->addrinfo->srtt + 200000;
852 if (rtt > MAX_SINGLE_QUERY_TIMEOUT_US)
853 rtt = MAX_SINGLE_QUERY_TIMEOUT_US;
855 * Replace the current RTT with our value.
857 factor = DNS_ADB_RTTADJREPLACE;
859 dns_adb_adjustsrtt(fctx->adb, query->addrinfo, rtt, factor);
862 /* Remember that the server has been tried. */
863 if (!TRIED(query->addrinfo)) {
864 dns_adb_changeflags(fctx->adb, query->addrinfo,
865 FCTX_ADDRINFO_TRIED, FCTX_ADDRINFO_TRIED);
869 * Age RTTs of servers not tried.
871 factor = DNS_ADB_RTTADJAGE;
873 for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
875 addrinfo = ISC_LIST_NEXT(addrinfo, publink))
876 if (UNMARKED(addrinfo))
877 dns_adb_adjustsrtt(fctx->adb, addrinfo,
880 if (finish != NULL && TRIEDFIND(fctx))
881 for (find = ISC_LIST_HEAD(fctx->finds);
883 find = ISC_LIST_NEXT(find, publink))
884 for (addrinfo = ISC_LIST_HEAD(find->list);
886 addrinfo = ISC_LIST_NEXT(addrinfo, publink))
887 if (UNMARKED(addrinfo))
888 dns_adb_adjustsrtt(fctx->adb, addrinfo,
891 if (finish != NULL && TRIEDALT(fctx)) {
892 for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
894 addrinfo = ISC_LIST_NEXT(addrinfo, publink))
895 if (UNMARKED(addrinfo))
896 dns_adb_adjustsrtt(fctx->adb, addrinfo,
898 for (find = ISC_LIST_HEAD(fctx->altfinds);
900 find = ISC_LIST_NEXT(find, publink))
901 for (addrinfo = ISC_LIST_HEAD(find->list);
903 addrinfo = ISC_LIST_NEXT(addrinfo, publink))
904 if (UNMARKED(addrinfo))
905 dns_adb_adjustsrtt(fctx->adb, addrinfo,
910 * Check for any outstanding socket events. If they exist, cancel
911 * them and let the event handlers finish the cleanup. The resolver
912 * only needs to worry about managing the connect and send events;
913 * the dispatcher manages the recv events.
915 if (RESQUERY_CONNECTING(query)) {
917 * Cancel the connect.
919 if (query->tcpsocket != NULL) {
920 isc_socket_cancel(query->tcpsocket, NULL,
921 ISC_SOCKCANCEL_CONNECT);
922 } else if (query->dispentry != NULL) {
923 INSIST(query->exclusivesocket);
924 socket = dns_dispatch_getentrysocket(query->dispentry);
926 isc_socket_cancel(socket, NULL,
927 ISC_SOCKCANCEL_CONNECT);
929 } else if (RESQUERY_SENDING(query)) {
931 * Cancel the pending send.
933 if (query->exclusivesocket && query->dispentry != NULL)
934 socket = dns_dispatch_getentrysocket(query->dispentry);
936 socket = dns_dispatch_getsocket(query->dispatch);
938 isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_SEND);
941 if (query->dispentry != NULL)
942 dns_dispatch_removeresponse(&query->dispentry, deventp);
944 ISC_LIST_UNLINK(fctx->queries, query, link);
946 if (query->tsig != NULL)
947 isc_buffer_free(&query->tsig);
949 if (query->tsigkey != NULL)
950 dns_tsigkey_detach(&query->tsigkey);
952 if (query->dispatch != NULL)
953 dns_dispatch_detach(&query->dispatch);
955 if (! (RESQUERY_CONNECTING(query) || RESQUERY_SENDING(query)))
957 * It's safe to destroy the query now.
959 resquery_destroy(&query);
963 fctx_cancelqueries(fetchctx_t *fctx, isc_boolean_t no_response) {
964 resquery_t *query, *next_query;
966 FCTXTRACE("cancelqueries");
968 for (query = ISC_LIST_HEAD(fctx->queries);
970 query = next_query) {
971 next_query = ISC_LIST_NEXT(query, link);
972 fctx_cancelquery(&query, NULL, NULL, no_response);
977 fctx_cleanupfinds(fetchctx_t *fctx) {
978 dns_adbfind_t *find, *next_find;
980 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
982 for (find = ISC_LIST_HEAD(fctx->finds);
985 next_find = ISC_LIST_NEXT(find, publink);
986 ISC_LIST_UNLINK(fctx->finds, find, publink);
987 dns_adb_destroyfind(&find);
993 fctx_cleanupaltfinds(fetchctx_t *fctx) {
994 dns_adbfind_t *find, *next_find;
996 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
998 for (find = ISC_LIST_HEAD(fctx->altfinds);
1001 next_find = ISC_LIST_NEXT(find, publink);
1002 ISC_LIST_UNLINK(fctx->altfinds, find, publink);
1003 dns_adb_destroyfind(&find);
1005 fctx->altfind = NULL;
1009 fctx_cleanupforwaddrs(fetchctx_t *fctx) {
1010 dns_adbaddrinfo_t *addr, *next_addr;
1012 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
1014 for (addr = ISC_LIST_HEAD(fctx->forwaddrs);
1017 next_addr = ISC_LIST_NEXT(addr, publink);
1018 ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink);
1019 dns_adb_freeaddrinfo(fctx->adb, &addr);
1024 fctx_cleanupaltaddrs(fetchctx_t *fctx) {
1025 dns_adbaddrinfo_t *addr, *next_addr;
1027 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
1029 for (addr = ISC_LIST_HEAD(fctx->altaddrs);
1032 next_addr = ISC_LIST_NEXT(addr, publink);
1033 ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
1034 dns_adb_freeaddrinfo(fctx->adb, &addr);
1039 fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response) {
1040 FCTXTRACE("stopeverything");
1041 fctx_cancelqueries(fctx, no_response);
1042 fctx_cleanupfinds(fctx);
1043 fctx_cleanupaltfinds(fctx);
1044 fctx_cleanupforwaddrs(fctx);
1045 fctx_cleanupaltaddrs(fctx);
1046 fctx_stoptimer(fctx);
1050 fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
1051 dns_fetchevent_t *event, *next_event;
1053 unsigned int count = 0;
1055 isc_boolean_t logit = ISC_FALSE;
1057 unsigned int old_spillat;
1058 unsigned int new_spillat = 0; /* initialized to silence
1059 compiler warnings */
1062 * Caller must be holding the appropriate bucket lock.
1064 REQUIRE(fctx->state == fetchstate_done);
1066 FCTXTRACE("sendevents");
1069 * Keep some record of fetch result for logging later (if required).
1071 fctx->result = result;
1072 fctx->exitline = line;
1074 fctx->duration = isc_time_microdiff(&now, &fctx->start);
1076 for (event = ISC_LIST_HEAD(fctx->events);
1078 event = next_event) {
1079 next_event = ISC_LIST_NEXT(event, ev_link);
1080 ISC_LIST_UNLINK(fctx->events, event, ev_link);
1081 task = event->ev_sender;
1082 event->ev_sender = fctx;
1083 event->vresult = fctx->vresult;
1084 if (!HAVE_ANSWER(fctx))
1085 event->result = result;
1087 INSIST(result != ISC_R_SUCCESS ||
1088 dns_rdataset_isassociated(event->rdataset) ||
1089 fctx->type == dns_rdatatype_any ||
1090 fctx->type == dns_rdatatype_rrsig ||
1091 fctx->type == dns_rdatatype_sig);
1094 * Negative results must be indicated in event->result.
1096 if (dns_rdataset_isassociated(event->rdataset) &&
1097 NEGATIVE(event->rdataset)) {
1098 INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
1099 event->result == DNS_R_NCACHENXRRSET);
1102 isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
1106 if ((fctx->attributes & FCTX_ATTR_HAVEANSWER) != 0 &&
1108 (count < fctx->res->spillatmax || fctx->res->spillatmax == 0)) {
1109 LOCK(&fctx->res->lock);
1110 if (count == fctx->res->spillat && !fctx->res->exiting) {
1111 old_spillat = fctx->res->spillat;
1112 fctx->res->spillat += 5;
1113 if (fctx->res->spillat > fctx->res->spillatmax &&
1114 fctx->res->spillatmax != 0)
1115 fctx->res->spillat = fctx->res->spillatmax;
1116 new_spillat = fctx->res->spillat;
1117 if (new_spillat != old_spillat) {
1120 isc_interval_set(&i, 20 * 60, 0);
1121 result = isc_timer_reset(fctx->res->spillattimer,
1122 isc_timertype_ticker, NULL,
1124 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1126 UNLOCK(&fctx->res->lock);
1128 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
1129 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
1130 "clients-per-query increased to %u",
1136 log_edns(fetchctx_t *fctx) {
1137 char domainbuf[DNS_NAME_FORMATSIZE];
1139 if (fctx->reason == NULL)
1142 dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
1143 isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
1144 DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
1145 "success resolving '%s' (in '%s'?) after %s",
1146 fctx->info, domainbuf, fctx->reason);
1148 fctx->reason = NULL;
1152 fctx_done(fetchctx_t *fctx, isc_result_t result, int line) {
1153 dns_resolver_t *res;
1154 isc_boolean_t no_response;
1162 if (result == ISC_R_SUCCESS) {
1164 * Log any deferred EDNS timeout messages.
1167 no_response = ISC_TRUE;
1169 no_response = ISC_FALSE;
1171 fctx->reason = NULL;
1172 fctx_stopeverything(fctx, no_response);
1174 LOCK(&res->buckets[fctx->bucketnum].lock);
1176 fctx->state = fetchstate_done;
1177 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
1178 fctx_sendevents(fctx, result, line);
1180 UNLOCK(&res->buckets[fctx->bucketnum].lock);
1184 process_sendevent(resquery_t *query, isc_event_t *event) {
1185 isc_socketevent_t *sevent = (isc_socketevent_t *)event;
1186 isc_boolean_t retry = ISC_FALSE;
1187 isc_result_t result;
1192 if (RESQUERY_CANCELED(query)) {
1193 if (query->sends == 0 && query->connects == 0) {
1195 * This query was canceled while the
1196 * isc_socket_sendto/connect() was in progress.
1198 if (query->tcpsocket != NULL)
1199 isc_socket_detach(&query->tcpsocket);
1200 resquery_destroy(&query);
1203 switch (sevent->result) {
1207 case ISC_R_HOSTUNREACH:
1208 case ISC_R_NETUNREACH:
1210 case ISC_R_ADDRNOTAVAIL:
1211 case ISC_R_CONNREFUSED:
1214 * No route to remote.
1216 add_bad(fctx, query->addrinfo, sevent->result,
1218 fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
1223 fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
1228 isc_event_free(&event);
1232 * Behave as if the idle timer has expired. For TCP
1233 * this may not actually reflect the latest timer.
1235 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
1236 result = fctx_stopidletimer(fctx);
1237 if (result != ISC_R_SUCCESS)
1238 fctx_done(fctx, result, __LINE__);
1240 fctx_try(fctx, ISC_TRUE, ISC_FALSE);
1245 resquery_udpconnected(isc_task_t *task, isc_event_t *event) {
1246 resquery_t *query = event->ev_arg;
1248 REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
1250 QTRACE("udpconnected");
1254 INSIST(RESQUERY_CONNECTING(query));
1258 process_sendevent(query, event);
1262 resquery_senddone(isc_task_t *task, isc_event_t *event) {
1263 resquery_t *query = event->ev_arg;
1265 REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
1272 * Currently we don't wait for the senddone event before retrying
1273 * a query. This means that if we get really behind, we may end
1274 * up doing extra work!
1279 INSIST(RESQUERY_SENDING(query));
1283 process_sendevent(query, event);
1286 static inline isc_result_t
1287 fctx_addopt(dns_message_t *message, unsigned int version,
1288 isc_uint16_t udpsize, isc_boolean_t request_nsid)
1290 dns_rdataset_t *rdataset;
1291 dns_rdatalist_t *rdatalist;
1293 isc_result_t result;
1296 result = dns_message_gettemprdatalist(message, &rdatalist);
1297 if (result != ISC_R_SUCCESS)
1300 result = dns_message_gettemprdata(message, &rdata);
1301 if (result != ISC_R_SUCCESS)
1304 result = dns_message_gettemprdataset(message, &rdataset);
1305 if (result != ISC_R_SUCCESS)
1307 dns_rdataset_init(rdataset);
1309 rdatalist->type = dns_rdatatype_opt;
1310 rdatalist->covers = 0;
1313 * Set Maximum UDP buffer size.
1315 rdatalist->rdclass = udpsize;
1318 * Set EXTENDED-RCODE and Z to 0, DO to 1.
1320 rdatalist->ttl = (version << 16);
1321 rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
1324 * Set EDNS options if applicable
1327 /* Send empty NSID option (RFC5001) */
1328 unsigned char data[4];
1331 isc_buffer_init(&buf, data, sizeof(data));
1332 isc_buffer_putuint16(&buf, DNS_OPT_NSID);
1333 isc_buffer_putuint16(&buf, 0);
1335 rdata->length = sizeof(data);
1341 rdata->rdclass = rdatalist->rdclass;
1342 rdata->type = rdatalist->type;
1345 ISC_LIST_INIT(rdatalist->rdata);
1346 ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
1347 RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) == ISC_R_SUCCESS);
1349 return (dns_message_setopt(message, rdataset));
1353 fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
1354 unsigned int seconds;
1358 * We retry every .8 seconds the first two times through the address
1359 * list, and then we do exponential back-off.
1361 if (fctx->restarts < 3)
1364 us = (800000 << (fctx->restarts - 2));
1367 * Add a fudge factor to the expected rtt based on the current
1372 else if (rtt < 100000)
1378 * Always wait for at least the expected rtt.
1384 * But don't ever wait for more than 10 seconds.
1386 if (us > MAX_SINGLE_QUERY_TIMEOUT_US)
1387 us = MAX_SINGLE_QUERY_TIMEOUT_US;
1389 seconds = us / US_PER_SEC;
1390 us -= seconds * US_PER_SEC;
1391 isc_interval_set(&fctx->interval, seconds, us * 1000);
1395 fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
1396 unsigned int options)
1398 dns_resolver_t *res;
1400 isc_result_t result;
1402 isc_sockaddr_t addr;
1403 isc_boolean_t have_addr = ISC_FALSE;
1409 task = res->buckets[fctx->bucketnum].task;
1411 srtt = addrinfo->srtt;
1414 * A forwarder needs to make multiple queries. Give it at least
1415 * a second to do these in.
1417 if (ISFORWARDER(addrinfo) && srtt < 1000000)
1420 fctx_setretryinterval(fctx, srtt);
1421 result = fctx_startidletimer(fctx, &fctx->interval);
1422 if (result != ISC_R_SUCCESS)
1425 INSIST(ISC_LIST_EMPTY(fctx->validators));
1427 dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
1429 query = isc_mem_get(fctx->mctx, sizeof(*query));
1430 if (query == NULL) {
1431 result = ISC_R_NOMEMORY;
1432 goto stop_idle_timer;
1434 query->mctx = fctx->mctx;
1435 query->options = options;
1436 query->attributes = 0;
1438 query->connects = 0;
1440 * Note that the caller MUST guarantee that 'addrinfo' will remain
1441 * valid until this query is canceled.
1443 query->addrinfo = addrinfo;
1444 TIME_NOW(&query->start);
1447 * If this is a TCP query, then we need to make a socket and
1448 * a dispatch for it here. Otherwise we use the resolver's
1451 query->dispatchmgr = res->dispatchmgr;
1452 query->dispatch = NULL;
1453 query->exclusivesocket = ISC_FALSE;
1454 query->tcpsocket = NULL;
1455 if (res->view->peers != NULL) {
1456 dns_peer_t *peer = NULL;
1457 isc_netaddr_t dstip;
1458 isc_netaddr_fromsockaddr(&dstip, &addrinfo->sockaddr);
1459 result = dns_peerlist_peerbyaddr(res->view->peers,
1461 if (result == ISC_R_SUCCESS) {
1462 result = dns_peer_getquerysource(peer, &addr);
1463 if (result == ISC_R_SUCCESS)
1464 have_addr = ISC_TRUE;
1468 if ((query->options & DNS_FETCHOPT_TCP) != 0) {
1471 pf = isc_sockaddr_pf(&addrinfo->sockaddr);
1476 dns_dispatch_getlocaladdress(res->dispatchv4,
1481 dns_dispatch_getlocaladdress(res->dispatchv6,
1485 result = ISC_R_NOTIMPLEMENTED;
1488 if (result != ISC_R_SUCCESS)
1491 isc_sockaddr_setport(&addr, 0);
1493 result = isc_socket_create(res->socketmgr, pf,
1496 if (result != ISC_R_SUCCESS)
1499 #ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
1500 result = isc_socket_bind(query->tcpsocket, &addr, 0);
1501 if (result != ISC_R_SUCCESS)
1502 goto cleanup_socket;
1506 * A dispatch will be created once the connect succeeds.
1510 unsigned int attrs, attrmask;
1511 attrs = DNS_DISPATCHATTR_UDP;
1512 switch (isc_sockaddr_pf(&addr)) {
1514 attrs |= DNS_DISPATCHATTR_IPV4;
1517 attrs |= DNS_DISPATCHATTR_IPV6;
1520 result = ISC_R_NOTIMPLEMENTED;
1523 attrmask = DNS_DISPATCHATTR_UDP;
1524 attrmask |= DNS_DISPATCHATTR_TCP;
1525 attrmask |= DNS_DISPATCHATTR_IPV4;
1526 attrmask |= DNS_DISPATCHATTR_IPV6;
1527 result = dns_dispatch_getudp(res->dispatchmgr,
1529 res->taskmgr, &addr,
1530 4096, 1000, 32768, 16411,
1531 16433, attrs, attrmask,
1533 if (result != ISC_R_SUCCESS)
1536 switch (isc_sockaddr_pf(&addrinfo->sockaddr)) {
1538 dns_dispatch_attach(res->dispatchv4,
1540 query->exclusivesocket = res->exclusivev4;
1543 dns_dispatch_attach(res->dispatchv6,
1545 query->exclusivesocket = res->exclusivev6;
1548 result = ISC_R_NOTIMPLEMENTED;
1553 * We should always have a valid dispatcher here. If we
1554 * don't support a protocol family, then its dispatcher
1555 * will be NULL, but we shouldn't be finding addresses for
1556 * protocol types we don't support, so the dispatcher
1557 * we found should never be NULL.
1559 INSIST(query->dispatch != NULL);
1562 query->dispentry = NULL;
1565 query->tsigkey = NULL;
1566 ISC_LINK_INIT(query, link);
1567 query->magic = QUERY_MAGIC;
1569 if ((query->options & DNS_FETCHOPT_TCP) != 0) {
1571 * Connect to the remote server.
1573 * XXXRTH Should we attach to the socket?
1575 result = isc_socket_connect(query->tcpsocket,
1576 &addrinfo->sockaddr, task,
1577 resquery_connected, query);
1578 if (result != ISC_R_SUCCESS)
1579 goto cleanup_socket;
1581 QTRACE("connecting via TCP");
1583 result = resquery_send(query);
1584 if (result != ISC_R_SUCCESS)
1585 goto cleanup_dispatch;
1590 ISC_LIST_APPEND(fctx->queries, query, link);
1591 query->fctx->nqueries++;
1592 if (isc_sockaddr_pf(&addrinfo->sockaddr) == PF_INET)
1593 inc_stats(res, dns_resstatscounter_queryv4);
1595 inc_stats(res, dns_resstatscounter_queryv6);
1596 if (res->view->resquerystats != NULL)
1597 dns_rdatatypestats_increment(res->view->resquerystats,
1600 return (ISC_R_SUCCESS);
1603 isc_socket_detach(&query->tcpsocket);
1606 if (query->dispatch != NULL)
1607 dns_dispatch_detach(&query->dispatch);
1610 if (query->connects == 0) {
1612 isc_mem_put(fctx->mctx, query, sizeof(*query));
1616 RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS);
1621 static isc_boolean_t
1622 bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
1625 for (sa = ISC_LIST_HEAD(fctx->bad_edns);
1627 sa = ISC_LIST_NEXT(sa, link)) {
1628 if (isc_sockaddr_equal(sa, address))
1636 add_bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
1639 if (bad_edns(fctx, address))
1642 sa = isc_mem_get(fctx->mctx, sizeof(*sa));
1647 ISC_LIST_INITANDAPPEND(fctx->bad_edns, sa, link);
1650 static isc_boolean_t
1651 triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
1654 for (sa = ISC_LIST_HEAD(fctx->edns);
1656 sa = ISC_LIST_NEXT(sa, link)) {
1657 if (isc_sockaddr_equal(sa, address))
1665 add_triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
1668 if (triededns(fctx, address))
1671 sa = isc_mem_get(fctx->mctx, sizeof(*sa));
1676 ISC_LIST_INITANDAPPEND(fctx->edns, sa, link);
1679 static isc_boolean_t
1680 triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
1683 for (sa = ISC_LIST_HEAD(fctx->edns512);
1685 sa = ISC_LIST_NEXT(sa, link)) {
1686 if (isc_sockaddr_equal(sa, address))
1694 add_triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
1697 if (triededns512(fctx, address))
1700 sa = isc_mem_get(fctx->mctx, sizeof(*sa));
1705 ISC_LIST_INITANDAPPEND(fctx->edns512, sa, link);
1709 resquery_send(resquery_t *query) {
1711 isc_result_t result;
1712 dns_name_t *qname = NULL;
1713 dns_rdataset_t *qrdataset = NULL;
1715 dns_resolver_t *res;
1717 isc_socket_t *socket;
1718 isc_buffer_t tcpbuffer;
1719 isc_sockaddr_t *address;
1720 isc_buffer_t *buffer;
1721 isc_netaddr_t ipaddr;
1722 dns_tsigkey_t *tsigkey = NULL;
1723 dns_peer_t *peer = NULL;
1724 isc_boolean_t useedns;
1725 dns_compress_t cctx;
1726 isc_boolean_t cleanup_cctx = ISC_FALSE;
1727 isc_boolean_t secure_domain;
1728 isc_boolean_t connecting = ISC_FALSE;
1734 task = res->buckets[fctx->bucketnum].task;
1737 if ((query->options & DNS_FETCHOPT_TCP) != 0) {
1739 * Reserve space for the TCP message length.
1741 isc_buffer_init(&tcpbuffer, query->data, sizeof(query->data));
1742 isc_buffer_init(&query->buffer, query->data + 2,
1743 sizeof(query->data) - 2);
1744 buffer = &tcpbuffer;
1746 isc_buffer_init(&query->buffer, query->data,
1747 sizeof(query->data));
1748 buffer = &query->buffer;
1751 result = dns_message_gettempname(fctx->qmessage, &qname);
1752 if (result != ISC_R_SUCCESS)
1754 result = dns_message_gettemprdataset(fctx->qmessage, &qrdataset);
1755 if (result != ISC_R_SUCCESS)
1759 * Get a query id from the dispatch.
1761 result = dns_dispatch_addresponse2(query->dispatch,
1762 &query->addrinfo->sockaddr,
1769 if (result != ISC_R_SUCCESS)
1772 fctx->qmessage->opcode = dns_opcode_query;
1777 dns_name_init(qname, NULL);
1778 dns_name_clone(&fctx->name, qname);
1779 dns_rdataset_init(qrdataset);
1780 dns_rdataset_makequestion(qrdataset, res->rdclass, fctx->type);
1781 ISC_LIST_APPEND(qname->list, qrdataset, link);
1782 dns_message_addname(fctx->qmessage, qname, DNS_SECTION_QUESTION);
1787 * Set RD if the client has requested that we do a recursive query,
1788 * or if we're sending to a forwarder.
1790 if ((query->options & DNS_FETCHOPT_RECURSIVE) != 0 ||
1791 ISFORWARDER(query->addrinfo))
1792 fctx->qmessage->flags |= DNS_MESSAGEFLAG_RD;
1795 * Set CD if the client says don't validate or the question is
1796 * under a secure entry point.
1798 if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
1799 fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
1800 } else if (res->view->enablevalidation) {
1801 result = dns_view_issecuredomain(res->view, &fctx->name,
1803 if (result != ISC_R_SUCCESS)
1804 secure_domain = ISC_FALSE;
1805 if (res->view->dlv != NULL)
1806 secure_domain = ISC_TRUE;
1808 fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
1812 * We don't have to set opcode because it defaults to query.
1814 fctx->qmessage->id = query->id;
1817 * Convert the question to wire format.
1819 result = dns_compress_init(&cctx, -1, fctx->res->mctx);
1820 if (result != ISC_R_SUCCESS)
1821 goto cleanup_message;
1822 cleanup_cctx = ISC_TRUE;
1824 result = dns_message_renderbegin(fctx->qmessage, &cctx,
1826 if (result != ISC_R_SUCCESS)
1827 goto cleanup_message;
1829 result = dns_message_rendersection(fctx->qmessage,
1830 DNS_SECTION_QUESTION, 0);
1831 if (result != ISC_R_SUCCESS)
1832 goto cleanup_message;
1835 isc_netaddr_fromsockaddr(&ipaddr, &query->addrinfo->sockaddr);
1836 (void) dns_peerlist_peerbyaddr(fctx->res->view->peers, &ipaddr, &peer);
1839 * The ADB does not know about servers with "edns no". Check this,
1840 * and then inform the ADB for future use.
1842 if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0 &&
1844 dns_peer_getsupportedns(peer, &useedns) == ISC_R_SUCCESS &&
1847 query->options |= DNS_FETCHOPT_NOEDNS0;
1848 dns_adb_changeflags(fctx->adb, query->addrinfo,
1849 DNS_FETCHOPT_NOEDNS0,
1850 DNS_FETCHOPT_NOEDNS0);
1853 /* Sync NOEDNS0 flag in addrinfo->flags and options now. */
1854 if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0)
1855 query->options |= DNS_FETCHOPT_NOEDNS0;
1858 * Handle timeouts by reducing the UDP response size to 512 bytes
1859 * then if that doesn't work disabling EDNS (includes DO) and CD.
1861 * These timeout can be due to:
1862 * * broken nameservers that don't respond to EDNS queries.
1863 * * broken/misconfigured firewalls and NAT implementations
1864 * that don't handle IP fragmentation.
1865 * * broken/misconfigured firewalls that don't handle responses
1866 * greater than 512 bytes.
1867 * * broken/misconfigured firewalls that don't handle EDNS, DO
1869 * * packet loss / link outage.
1871 if (fctx->timeout) {
1872 if ((triededns512(fctx, &query->addrinfo->sockaddr) ||
1873 fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
1874 (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
1875 query->options |= DNS_FETCHOPT_NOEDNS0;
1876 fctx->reason = "disabling EDNS";
1877 } else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
1878 fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
1879 (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
1880 query->options |= DNS_FETCHOPT_EDNS512;
1881 fctx->reason = "reducing the advertised EDNS UDP "
1882 "packet size to 512 octets";
1884 fctx->timeout = ISC_FALSE;
1888 * Use EDNS0, unless the caller doesn't want it, or we know that
1889 * the remote server doesn't like it.
1891 if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
1892 if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
1893 unsigned int version = 0; /* Default version. */
1895 isc_uint16_t udpsize = res->udpsize;
1896 isc_boolean_t reqnsid = res->view->requestnsid;
1898 flags = query->addrinfo->flags;
1899 if ((flags & DNS_FETCHOPT_EDNSVERSIONSET) != 0) {
1900 version = flags & DNS_FETCHOPT_EDNSVERSIONMASK;
1901 version >>= DNS_FETCHOPT_EDNSVERSIONSHIFT;
1903 if ((query->options & DNS_FETCHOPT_EDNS512) != 0)
1905 else if (peer != NULL)
1906 (void)dns_peer_getudpsize(peer, &udpsize);
1908 /* request NSID for current view or peer? */
1910 (void) dns_peer_getrequestnsid(peer, &reqnsid);
1911 result = fctx_addopt(fctx->qmessage, version,
1913 if (reqnsid && result == ISC_R_SUCCESS) {
1914 query->options |= DNS_FETCHOPT_WANTNSID;
1915 } else if (result != ISC_R_SUCCESS) {
1917 * We couldn't add the OPT, but we'll press on.
1918 * We're not using EDNS0, so set the NOEDNS0
1921 query->options |= DNS_FETCHOPT_NOEDNS0;
1925 * We know this server doesn't like EDNS0, so we
1926 * won't use it. Set the NOEDNS0 bit since we're
1929 query->options |= DNS_FETCHOPT_NOEDNS0;
1934 * If we need EDNS0 to do this query and aren't using it, we lose.
1936 if (NEEDEDNS0(fctx) && (query->options & DNS_FETCHOPT_NOEDNS0) != 0) {
1937 result = DNS_R_SERVFAIL;
1938 goto cleanup_message;
1941 if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0)
1942 add_triededns(fctx, &query->addrinfo->sockaddr);
1944 if ((query->options & DNS_FETCHOPT_EDNS512) != 0)
1945 add_triededns512(fctx, &query->addrinfo->sockaddr);
1948 * Clear CD if EDNS is not in use.
1950 if ((query->options & DNS_FETCHOPT_NOEDNS0) != 0)
1951 fctx->qmessage->flags &= ~DNS_MESSAGEFLAG_CD;
1954 * Add TSIG record tailored to the current recipient.
1956 result = dns_view_getpeertsig(fctx->res->view, &ipaddr, &tsigkey);
1957 if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
1958 goto cleanup_message;
1960 if (tsigkey != NULL) {
1961 result = dns_message_settsigkey(fctx->qmessage, tsigkey);
1962 dns_tsigkey_detach(&tsigkey);
1963 if (result != ISC_R_SUCCESS)
1964 goto cleanup_message;
1967 result = dns_message_rendersection(fctx->qmessage,
1968 DNS_SECTION_ADDITIONAL, 0);
1969 if (result != ISC_R_SUCCESS)
1970 goto cleanup_message;
1972 result = dns_message_renderend(fctx->qmessage);
1973 if (result != ISC_R_SUCCESS)
1974 goto cleanup_message;
1976 dns_compress_invalidate(&cctx);
1977 cleanup_cctx = ISC_FALSE;
1979 if (dns_message_gettsigkey(fctx->qmessage) != NULL) {
1980 dns_tsigkey_attach(dns_message_gettsigkey(fctx->qmessage),
1982 result = dns_message_getquerytsig(fctx->qmessage,
1985 if (result != ISC_R_SUCCESS)
1986 goto cleanup_message;
1990 * If using TCP, write the length of the message at the beginning
1993 if ((query->options & DNS_FETCHOPT_TCP) != 0) {
1994 isc_buffer_usedregion(&query->buffer, &r);
1995 isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t)r.length);
1996 isc_buffer_add(&tcpbuffer, r.length);
2000 * We're now done with the query message.
2002 dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
2004 if (query->exclusivesocket)
2005 socket = dns_dispatch_getentrysocket(query->dispentry);
2007 socket = dns_dispatch_getsocket(query->dispatch);
2011 if ((query->options & DNS_FETCHOPT_TCP) == 0) {
2012 address = &query->addrinfo->sockaddr;
2013 if (query->exclusivesocket) {
2014 result = isc_socket_connect(socket, address, task,
2015 resquery_udpconnected,
2017 if (result != ISC_R_SUCCESS)
2018 goto cleanup_message;
2019 connecting = ISC_TRUE;
2023 isc_buffer_usedregion(buffer, &r);
2026 * XXXRTH Make sure we don't send to ourselves! We should probably
2027 * prune out these addresses when we get them from the ADB.
2029 result = isc_socket_sendto(socket, &r, task, resquery_senddone,
2030 query, address, NULL);
2031 if (result != ISC_R_SUCCESS) {
2034 * This query is still connecting.
2035 * Mark it as canceled so that it will just be
2036 * cleaned up when the connected event is received.
2037 * Keep fctx around until the event is processed.
2039 query->fctx->nqueries++;
2040 query->attributes |= RESQUERY_ATTR_CANCELED;
2042 goto cleanup_message;
2049 return (ISC_R_SUCCESS);
2053 dns_compress_invalidate(&cctx);
2055 dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
2058 * Stop the dispatcher from listening.
2060 dns_dispatch_removeresponse(&query->dispentry, NULL);
2064 dns_message_puttempname(fctx->qmessage, &qname);
2065 if (qrdataset != NULL)
2066 dns_message_puttemprdataset(fctx->qmessage, &qrdataset);
2072 resquery_connected(isc_task_t *task, isc_event_t *event) {
2073 isc_socketevent_t *sevent = (isc_socketevent_t *)event;
2074 resquery_t *query = event->ev_arg;
2075 isc_boolean_t retry = ISC_FALSE;
2076 isc_interval_t interval;
2077 isc_result_t result;
2081 REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
2082 REQUIRE(VALID_QUERY(query));
2084 QTRACE("connected");
2091 * Currently we don't wait for the connect event before retrying
2092 * a query. This means that if we get really behind, we may end
2093 * up doing extra work!
2099 if (RESQUERY_CANCELED(query)) {
2101 * This query was canceled while the connect() was in
2104 isc_socket_detach(&query->tcpsocket);
2105 resquery_destroy(&query);
2107 switch (sevent->result) {
2111 * Extend the idle timer for TCP. 20 seconds
2112 * should be long enough for a TCP connection to be
2113 * established, a single DNS request to be sent,
2114 * and the response received.
2116 isc_interval_set(&interval, 20, 0);
2117 result = fctx_startidletimer(query->fctx, &interval);
2118 if (result != ISC_R_SUCCESS) {
2119 fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
2120 fctx_done(fctx, result, __LINE__);
2124 * We are connected. Create a dispatcher and
2128 attrs |= DNS_DISPATCHATTR_TCP;
2129 attrs |= DNS_DISPATCHATTR_PRIVATE;
2130 attrs |= DNS_DISPATCHATTR_CONNECTED;
2131 if (isc_sockaddr_pf(&query->addrinfo->sockaddr) ==
2133 attrs |= DNS_DISPATCHATTR_IPV4;
2135 attrs |= DNS_DISPATCHATTR_IPV6;
2136 attrs |= DNS_DISPATCHATTR_MAKEQUERY;
2138 result = dns_dispatch_createtcp(query->dispatchmgr,
2140 query->fctx->res->taskmgr,
2141 4096, 2, 1, 1, 3, attrs,
2145 * Regardless of whether dns_dispatch_create()
2146 * succeeded or not, we don't need our reference
2147 * to the socket anymore.
2149 isc_socket_detach(&query->tcpsocket);
2151 if (result == ISC_R_SUCCESS)
2152 result = resquery_send(query);
2154 if (result != ISC_R_SUCCESS) {
2155 fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
2156 fctx_done(fctx, result, __LINE__);
2160 case ISC_R_NETUNREACH:
2161 case ISC_R_HOSTUNREACH:
2162 case ISC_R_CONNREFUSED:
2164 case ISC_R_ADDRNOTAVAIL:
2165 case ISC_R_CONNECTIONRESET:
2167 * No route to remote.
2169 isc_socket_detach(&query->tcpsocket);
2170 fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
2175 isc_socket_detach(&query->tcpsocket);
2176 fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
2181 isc_event_free(&event);
2185 * Behave as if the idle timer has expired. For TCP
2186 * connections this may not actually reflect the latest timer.
2188 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
2189 result = fctx_stopidletimer(fctx);
2190 if (result != ISC_R_SUCCESS)
2191 fctx_done(fctx, result, __LINE__);
2193 fctx_try(fctx, ISC_TRUE, ISC_FALSE);
2198 fctx_finddone(isc_task_t *task, isc_event_t *event) {
2200 dns_adbfind_t *find;
2201 dns_resolver_t *res;
2202 isc_boolean_t want_try = ISC_FALSE;
2203 isc_boolean_t want_done = ISC_FALSE;
2204 isc_boolean_t bucket_empty = ISC_FALSE;
2205 unsigned int bucketnum;
2206 isc_boolean_t destroy = ISC_FALSE;
2208 find = event->ev_sender;
2209 fctx = event->ev_arg;
2210 REQUIRE(VALID_FCTX(fctx));
2215 FCTXTRACE("finddone");
2217 bucketnum = fctx->bucketnum;
2218 LOCK(&res->buckets[bucketnum].lock);
2220 INSIST(fctx->pending > 0);
2223 if (ADDRWAIT(fctx)) {
2225 * The fetch is waiting for a name to be found.
2227 INSIST(!SHUTTINGDOWN(fctx));
2228 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
2229 if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) {
2230 want_try = ISC_TRUE;
2233 if (fctx->pending == 0) {
2235 * We've got nothing else to wait for and don't
2236 * know the answer. There's nothing to do but
2239 want_done = ISC_TRUE;
2242 } else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
2243 fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
2245 if (fctx->references == 0) {
2246 bucket_empty = fctx_unlink(fctx);
2250 UNLOCK(&res->buckets[bucketnum].lock);
2252 isc_event_free(&event);
2253 dns_adb_destroyfind(&find);
2256 fctx_try(fctx, ISC_TRUE, ISC_FALSE);
2258 fctx_done(fctx, ISC_R_FAILURE, __LINE__);
2267 static inline isc_boolean_t
2268 bad_server(fetchctx_t *fctx, isc_sockaddr_t *address) {
2271 for (sa = ISC_LIST_HEAD(fctx->bad);
2273 sa = ISC_LIST_NEXT(sa, link)) {
2274 if (isc_sockaddr_equal(sa, address))
2281 static inline isc_boolean_t
2282 mark_bad(fetchctx_t *fctx) {
2283 dns_adbfind_t *curr;
2284 dns_adbaddrinfo_t *addrinfo;
2285 isc_boolean_t all_bad = ISC_TRUE;
2288 * Mark all known bad servers, so we don't try to talk to them
2293 * Mark any bad nameservers.
2295 for (curr = ISC_LIST_HEAD(fctx->finds);
2297 curr = ISC_LIST_NEXT(curr, publink)) {
2298 for (addrinfo = ISC_LIST_HEAD(curr->list);
2300 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2301 if (bad_server(fctx, &addrinfo->sockaddr))
2302 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2304 all_bad = ISC_FALSE;
2309 * Mark any bad forwarders.
2311 for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
2313 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2314 if (bad_server(fctx, &addrinfo->sockaddr))
2315 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2317 all_bad = ISC_FALSE;
2321 * Mark any bad alternates.
2323 for (curr = ISC_LIST_HEAD(fctx->altfinds);
2325 curr = ISC_LIST_NEXT(curr, publink)) {
2326 for (addrinfo = ISC_LIST_HEAD(curr->list);
2328 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2329 if (bad_server(fctx, &addrinfo->sockaddr))
2330 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2332 all_bad = ISC_FALSE;
2336 for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
2338 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2339 if (bad_server(fctx, &addrinfo->sockaddr))
2340 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2342 all_bad = ISC_FALSE;
2349 add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
2350 badnstype_t badtype)
2352 char namebuf[DNS_NAME_FORMATSIZE];
2353 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
2359 const char *spc = "";
2360 isc_sockaddr_t *address = &addrinfo->sockaddr;
2362 if (reason == DNS_R_LAME)
2366 case badns_unreachable:
2369 case badns_response:
2372 case badns_validation:
2373 break; /* counted as 'valfail' */
2377 if (bad_server(fctx, address)) {
2379 * We already know this server is bad.
2384 FCTXTRACE("add_bad");
2386 sa = isc_mem_get(fctx->mctx, sizeof(*sa));
2390 ISC_LIST_INITANDAPPEND(fctx->bad, sa, link);
2392 if (reason == DNS_R_LAME) /* already logged */
2395 if (reason == DNS_R_UNEXPECTEDRCODE &&
2396 fctx->rmessage->rcode == dns_rcode_servfail &&
2397 ISFORWARDER(addrinfo))
2400 if (reason == DNS_R_UNEXPECTEDRCODE) {
2401 isc_buffer_init(&b, code, sizeof(code) - 1);
2402 dns_rcode_totext(fctx->rmessage->rcode, &b);
2403 code[isc_buffer_usedlength(&b)] = '\0';
2405 } else if (reason == DNS_R_UNEXPECTEDOPCODE) {
2406 isc_buffer_init(&b, code, sizeof(code) - 1);
2407 dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b);
2408 code[isc_buffer_usedlength(&b)] = '\0';
2413 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
2414 dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
2415 dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf));
2416 isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
2417 isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
2418 DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
2419 "error (%s%s%s) resolving '%s/%s/%s': %s",
2420 dns_result_totext(reason), spc, code,
2421 namebuf, typebuf, classbuf, addrbuf);
2425 * Sort addrinfo list by RTT.
2428 sort_adbfind(dns_adbfind_t *find) {
2429 dns_adbaddrinfo_t *best, *curr;
2430 dns_adbaddrinfolist_t sorted;
2432 /* Lame N^2 bubble sort. */
2433 ISC_LIST_INIT(sorted);
2434 while (!ISC_LIST_EMPTY(find->list)) {
2435 best = ISC_LIST_HEAD(find->list);
2436 curr = ISC_LIST_NEXT(best, publink);
2437 while (curr != NULL) {
2438 if (curr->srtt < best->srtt)
2440 curr = ISC_LIST_NEXT(curr, publink);
2442 ISC_LIST_UNLINK(find->list, best, publink);
2443 ISC_LIST_APPEND(sorted, best, publink);
2445 find->list = sorted;
2449 * Sort a list of finds by server RTT.
2452 sort_finds(dns_adbfindlist_t *findlist) {
2453 dns_adbfind_t *best, *curr;
2454 dns_adbfindlist_t sorted;
2455 dns_adbaddrinfo_t *addrinfo, *bestaddrinfo;
2457 /* Sort each find's addrinfo list by SRTT. */
2458 for (curr = ISC_LIST_HEAD(*findlist);
2460 curr = ISC_LIST_NEXT(curr, publink))
2463 /* Lame N^2 bubble sort. */
2464 ISC_LIST_INIT(sorted);
2465 while (!ISC_LIST_EMPTY(*findlist)) {
2466 best = ISC_LIST_HEAD(*findlist);
2467 bestaddrinfo = ISC_LIST_HEAD(best->list);
2468 INSIST(bestaddrinfo != NULL);
2469 curr = ISC_LIST_NEXT(best, publink);
2470 while (curr != NULL) {
2471 addrinfo = ISC_LIST_HEAD(curr->list);
2472 INSIST(addrinfo != NULL);
2473 if (addrinfo->srtt < bestaddrinfo->srtt) {
2475 bestaddrinfo = addrinfo;
2477 curr = ISC_LIST_NEXT(curr, publink);
2479 ISC_LIST_UNLINK(*findlist, best, publink);
2480 ISC_LIST_APPEND(sorted, best, publink);
2486 findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
2487 unsigned int options, unsigned int flags, isc_stdtime_t now,
2488 isc_boolean_t *need_alternate)
2490 dns_adbaddrinfo_t *ai;
2491 dns_adbfind_t *find;
2492 dns_resolver_t *res;
2493 isc_boolean_t unshared;
2494 isc_result_t result;
2497 unshared = ISC_TF((fctx->options | DNS_FETCHOPT_UNSHARED) != 0);
2499 * If this name is a subdomain of the query domain, tell
2500 * the ADB to start looking using zone/hint data. This keeps us
2501 * from getting stuck if the nameserver is beneath the zone cut
2502 * and we don't know its address (e.g. because the A record has
2505 if (dns_name_issubdomain(name, &fctx->domain))
2506 options |= DNS_ADBFIND_STARTATZONE;
2507 options |= DNS_ADBFIND_GLUEOK;
2508 options |= DNS_ADBFIND_HINTOK;
2511 * See what we know about this address.
2514 result = dns_adb_createfind2(fctx->adb,
2515 res->buckets[fctx->bucketnum].task,
2516 fctx_finddone, fctx, name,
2517 &fctx->name, fctx->type,
2520 fctx->depth + 1, fctx->qc, &find);
2521 if (result != ISC_R_SUCCESS) {
2522 if (result == DNS_R_ALIAS) {
2524 * XXXRTH Follow the CNAME/DNAME chain?
2526 dns_adb_destroyfind(&find);
2529 } else if (!ISC_LIST_EMPTY(find->list)) {
2531 * We have at least some of the addresses for the
2534 INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0);
2535 if (flags != 0 || port != 0) {
2536 for (ai = ISC_LIST_HEAD(find->list);
2538 ai = ISC_LIST_NEXT(ai, publink)) {
2541 isc_sockaddr_setport(&ai->sockaddr,
2545 if ((flags & FCTX_ADDRINFO_FORWARDER) != 0)
2546 ISC_LIST_APPEND(fctx->altfinds, find, publink);
2548 ISC_LIST_APPEND(fctx->finds, find, publink);
2551 * We don't know any of the addresses for this
2554 if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) {
2556 * We're looking for them and will get an
2557 * event about it later.
2563 if (need_alternate != NULL &&
2564 !*need_alternate && unshared &&
2565 ((res->dispatchv4 == NULL &&
2566 find->result_v6 != DNS_R_NXDOMAIN) ||
2567 (res->dispatchv6 == NULL &&
2568 find->result_v4 != DNS_R_NXDOMAIN)))
2569 *need_alternate = ISC_TRUE;
2571 if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0)
2572 fctx->lamecount++; /* cached lame server */
2574 fctx->adberr++; /* unreachable server, etc. */
2577 * If we know there are no addresses for
2578 * the family we are using then try to add
2579 * an alternative server.
2581 if (need_alternate != NULL && !*need_alternate &&
2582 ((res->dispatchv4 == NULL &&
2583 find->result_v6 == DNS_R_NXRRSET) ||
2584 (res->dispatchv6 == NULL &&
2585 find->result_v4 == DNS_R_NXRRSET)))
2586 *need_alternate = ISC_TRUE;
2587 dns_adb_destroyfind(&find);
2592 static isc_boolean_t
2593 isstrictsubdomain(dns_name_t *name1, dns_name_t *name2) {
2595 unsigned int nlabels;
2596 dns_namereln_t namereln;
2598 namereln = dns_name_fullcompare(name1, name2, &order, &nlabels);
2599 return (ISC_TF(namereln == dns_namereln_subdomain));
2603 fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
2604 dns_rdata_t rdata = DNS_RDATA_INIT;
2605 isc_result_t result;
2606 dns_resolver_t *res;
2608 unsigned int stdoptions = 0;
2610 dns_adbaddrinfo_t *ai;
2611 isc_boolean_t all_bad;
2613 isc_boolean_t need_alternate = ISC_FALSE;
2615 FCTXTRACE("getaddresses");
2618 * Don't pound on remote servers. (Failsafe!)
2621 if (fctx->restarts > 10) {
2622 FCTXTRACE("too many restarts");
2623 return (DNS_R_SERVFAIL);
2628 if (fctx->depth > res->maxdepth) {
2629 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
2630 DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
2631 "too much NS indirection resolving '%s'",
2633 return (DNS_R_SERVFAIL);
2640 INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
2641 INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
2644 * If this fctx has forwarders, use them; otherwise use any
2645 * selective forwarders specified in the view; otherwise use the
2646 * resolver's forwarders (if any).
2648 sa = ISC_LIST_HEAD(fctx->forwarders);
2650 dns_forwarders_t *forwarders = NULL;
2651 dns_name_t *name = &fctx->name;
2653 unsigned int labels;
2654 dns_fixedname_t fixed;
2658 * DS records are found in the parent server.
2659 * Strip label to get the correct forwarder (if any).
2661 if (dns_rdatatype_atparent(fctx->type) &&
2662 dns_name_countlabels(name) > 1) {
2663 dns_name_init(&suffix, NULL);
2664 labels = dns_name_countlabels(name);
2665 dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
2669 dns_fixedname_init(&fixed);
2670 domain = dns_fixedname_name(&fixed);
2671 result = dns_fwdtable_find2(fctx->res->view->fwdtable, name,
2672 domain, &forwarders);
2673 if (result == ISC_R_SUCCESS) {
2674 sa = ISC_LIST_HEAD(forwarders->addrs);
2675 fctx->fwdpolicy = forwarders->fwdpolicy;
2676 if (fctx->fwdpolicy == dns_fwdpolicy_only &&
2677 isstrictsubdomain(domain, &fctx->domain)) {
2678 dns_name_free(&fctx->domain, fctx->mctx);
2679 dns_name_init(&fctx->domain, NULL);
2680 result = dns_name_dup(domain, fctx->mctx,
2682 if (result != ISC_R_SUCCESS)
2688 while (sa != NULL) {
2689 if ((isc_sockaddr_pf(sa) == AF_INET &&
2690 fctx->res->dispatchv4 == NULL) ||
2691 (isc_sockaddr_pf(sa) == AF_INET6 &&
2692 fctx->res->dispatchv6 == NULL)) {
2693 sa = ISC_LIST_NEXT(sa, link);
2697 result = dns_adb_findaddrinfo(fctx->adb,
2698 sa, &ai, 0); /* XXXMLG */
2699 if (result == ISC_R_SUCCESS) {
2700 dns_adbaddrinfo_t *cur;
2701 ai->flags |= FCTX_ADDRINFO_FORWARDER;
2702 cur = ISC_LIST_HEAD(fctx->forwaddrs);
2703 while (cur != NULL && cur->srtt < ai->srtt)
2704 cur = ISC_LIST_NEXT(cur, publink);
2706 ISC_LIST_INSERTBEFORE(fctx->forwaddrs, cur,
2709 ISC_LIST_APPEND(fctx->forwaddrs, ai, publink);
2711 sa = ISC_LIST_NEXT(sa, link);
2715 * If the forwarding policy is "only", we don't need the addresses
2716 * of the nameservers.
2718 if (fctx->fwdpolicy == dns_fwdpolicy_only)
2722 * Normal nameservers.
2725 stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
2726 if (fctx->restarts == 1) {
2728 * To avoid sending out a flood of queries likely to
2729 * result in NXRRSET, we suppress fetches for address
2730 * families we don't have the first time through,
2731 * provided that we have addresses in some family we
2734 * We don't want to set this option all the time, since
2735 * if fctx->restarts > 1, we've clearly been having trouble
2736 * with the addresses we had, so getting more could help.
2738 stdoptions |= DNS_ADBFIND_AVOIDFETCHES;
2740 if (res->dispatchv4 != NULL)
2741 stdoptions |= DNS_ADBFIND_INET;
2742 if (res->dispatchv6 != NULL)
2743 stdoptions |= DNS_ADBFIND_INET6;
2744 isc_stdtime_get(&now);
2746 INSIST(ISC_LIST_EMPTY(fctx->finds));
2747 INSIST(ISC_LIST_EMPTY(fctx->altfinds));
2749 for (result = dns_rdataset_first(&fctx->nameservers);
2750 result == ISC_R_SUCCESS;
2751 result = dns_rdataset_next(&fctx->nameservers))
2753 dns_rdataset_current(&fctx->nameservers, &rdata);
2755 * Extract the name from the NS record.
2757 result = dns_rdata_tostruct(&rdata, &ns, NULL);
2758 if (result != ISC_R_SUCCESS)
2761 findname(fctx, &ns.name, 0, stdoptions, 0, now,
2763 dns_rdata_reset(&rdata);
2764 dns_rdata_freestruct(&ns);
2766 if (result != ISC_R_NOMORE)
2770 * Do we need to use 6 to 4?
2772 if (need_alternate) {
2775 family = (res->dispatchv6 != NULL) ? AF_INET6 : AF_INET;
2776 for (a = ISC_LIST_HEAD(fctx->res->alternates);
2778 a = ISC_LIST_NEXT(a, link)) {
2779 if (!a->isaddress) {
2780 findname(fctx, &a->_u._n.name, a->_u._n.port,
2781 stdoptions, FCTX_ADDRINFO_FORWARDER,
2785 if (isc_sockaddr_pf(&a->_u.addr) != family)
2788 result = dns_adb_findaddrinfo(fctx->adb, &a->_u.addr,
2790 if (result == ISC_R_SUCCESS) {
2791 dns_adbaddrinfo_t *cur;
2792 ai->flags |= FCTX_ADDRINFO_FORWARDER;
2793 cur = ISC_LIST_HEAD(fctx->altaddrs);
2794 while (cur != NULL && cur->srtt < ai->srtt)
2795 cur = ISC_LIST_NEXT(cur, publink);
2797 ISC_LIST_INSERTBEFORE(fctx->altaddrs,
2800 ISC_LIST_APPEND(fctx->altaddrs, ai,
2808 * Mark all known bad servers.
2810 all_bad = mark_bad(fctx);
2817 * We've got no addresses.
2819 if (fctx->pending > 0) {
2821 * We're fetching the addresses, but don't have any
2822 * yet. Tell the caller to wait for an answer.
2824 result = DNS_R_WAIT;
2829 * We've lost completely. We don't know any
2830 * addresses, and the ADB has told us it can't get
2833 FCTXTRACE("no addresses");
2834 isc_interval_set(&i, DNS_BADCACHE_TTL(fctx), 0);
2835 result = isc_time_nowplusinterval(&expire, &i);
2837 (fctx->type == dns_rdatatype_dnskey ||
2838 fctx->type == dns_rdatatype_dlv ||
2839 fctx->type == dns_rdatatype_ds) &&
2840 result == ISC_R_SUCCESS)
2841 dns_resolver_addbadcache(fctx->res,
2843 fctx->type, &expire);
2844 result = ISC_R_FAILURE;
2848 * We've found some addresses. We might still be looking
2849 * for more addresses.
2851 sort_finds(&fctx->finds);
2852 sort_finds(&fctx->altfinds);
2853 result = ISC_R_SUCCESS;
2860 possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr)
2863 char buf[ISC_NETADDR_FORMATSIZE];
2865 isc_boolean_t aborted = ISC_FALSE;
2866 isc_boolean_t bogus;
2867 dns_acl_t *blackhole;
2868 isc_netaddr_t ipaddr;
2869 dns_peer_t *peer = NULL;
2870 dns_resolver_t *res;
2871 const char *msg = NULL;
2873 sa = &addr->sockaddr;
2876 isc_netaddr_fromsockaddr(&ipaddr, sa);
2877 blackhole = dns_dispatchmgr_getblackhole(res->dispatchmgr);
2878 (void) dns_peerlist_peerbyaddr(res->view->peers, &ipaddr, &peer);
2880 if (blackhole != NULL) {
2883 if (dns_acl_match(&ipaddr, NULL, blackhole,
2885 &match, NULL) == ISC_R_SUCCESS &&
2891 dns_peer_getbogus(peer, &bogus) == ISC_R_SUCCESS &&
2896 addr->flags |= FCTX_ADDRINFO_MARK;
2897 msg = "ignoring blackholed / bogus server: ";
2898 } else if (isc_sockaddr_ismulticast(sa)) {
2899 addr->flags |= FCTX_ADDRINFO_MARK;
2900 msg = "ignoring multicast address: ";
2901 } else if (isc_sockaddr_isexperimental(sa)) {
2902 addr->flags |= FCTX_ADDRINFO_MARK;
2903 msg = "ignoring experimental address: ";
2904 } else if (sa->type.sa.sa_family != AF_INET6) {
2906 } else if (IN6_IS_ADDR_V4MAPPED(&sa->type.sin6.sin6_addr)) {
2907 addr->flags |= FCTX_ADDRINFO_MARK;
2908 msg = "ignoring IPv6 mapped IPV4 address: ";
2909 } else if (IN6_IS_ADDR_V4COMPAT(&sa->type.sin6.sin6_addr)) {
2910 addr->flags |= FCTX_ADDRINFO_MARK;
2911 msg = "ignoring IPv6 compatibility IPV4 address: ";
2915 if (!isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3)))
2918 isc_netaddr_fromsockaddr(&na, sa);
2919 isc_netaddr_format(&na, buf, sizeof(buf));
2920 FCTXTRACE2(msg, buf);
2923 static inline dns_adbaddrinfo_t *
2924 fctx_nextaddress(fetchctx_t *fctx) {
2925 dns_adbfind_t *find, *start;
2926 dns_adbaddrinfo_t *addrinfo;
2927 dns_adbaddrinfo_t *faddrinfo;
2930 * Return the next untried address, if any.
2934 * Find the first unmarked forwarder (if any).
2936 for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
2938 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2939 if (!UNMARKED(addrinfo))
2941 possibly_mark(fctx, addrinfo);
2942 if (UNMARKED(addrinfo)) {
2943 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2950 * No forwarders. Move to the next find.
2953 fctx->attributes |= FCTX_ATTR_TRIEDFIND;
2957 find = ISC_LIST_HEAD(fctx->finds);
2959 find = ISC_LIST_NEXT(find, publink);
2961 find = ISC_LIST_HEAD(fctx->finds);
2965 * Find the first unmarked addrinfo.
2971 for (addrinfo = ISC_LIST_HEAD(find->list);
2973 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2974 if (!UNMARKED(addrinfo))
2976 possibly_mark(fctx, addrinfo);
2977 if (UNMARKED(addrinfo)) {
2978 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2982 if (addrinfo != NULL)
2984 find = ISC_LIST_NEXT(find, publink);
2986 find = ISC_LIST_HEAD(fctx->finds);
2987 } while (find != start);
2991 if (addrinfo != NULL)
2995 * No nameservers left. Try alternates.
2998 fctx->attributes |= FCTX_ATTR_TRIEDALT;
3000 find = fctx->altfind;
3002 find = ISC_LIST_HEAD(fctx->altfinds);
3004 find = ISC_LIST_NEXT(find, publink);
3006 find = ISC_LIST_HEAD(fctx->altfinds);
3010 * Find the first unmarked addrinfo.
3016 for (addrinfo = ISC_LIST_HEAD(find->list);
3018 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
3019 if (!UNMARKED(addrinfo))
3021 possibly_mark(fctx, addrinfo);
3022 if (UNMARKED(addrinfo)) {
3023 addrinfo->flags |= FCTX_ADDRINFO_MARK;
3027 if (addrinfo != NULL)
3029 find = ISC_LIST_NEXT(find, publink);
3031 find = ISC_LIST_HEAD(fctx->altfinds);
3032 } while (find != start);
3035 faddrinfo = addrinfo;
3038 * See if we have a better alternate server by address.
3041 for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
3043 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
3044 if (!UNMARKED(addrinfo))
3046 possibly_mark(fctx, addrinfo);
3047 if (UNMARKED(addrinfo) &&
3048 (faddrinfo == NULL ||
3049 addrinfo->srtt < faddrinfo->srtt)) {
3050 if (faddrinfo != NULL)
3051 faddrinfo->flags &= ~FCTX_ADDRINFO_MARK;
3052 addrinfo->flags |= FCTX_ADDRINFO_MARK;
3057 if (addrinfo == NULL) {
3058 addrinfo = faddrinfo;
3059 fctx->altfind = find;
3066 fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
3067 isc_result_t result;
3068 dns_adbaddrinfo_t *addrinfo;
3072 REQUIRE(!ADDRWAIT(fctx));
3074 addrinfo = fctx_nextaddress(fctx);
3075 if (addrinfo == NULL) {
3077 * We have no more addresses. Start over.
3079 fctx_cancelqueries(fctx, ISC_TRUE);
3080 fctx_cleanupfinds(fctx);
3081 fctx_cleanupaltfinds(fctx);
3082 fctx_cleanupforwaddrs(fctx);
3083 fctx_cleanupaltaddrs(fctx);
3084 result = fctx_getaddresses(fctx, badcache);
3085 if (result == DNS_R_WAIT) {
3087 * Sleep waiting for addresses.
3089 FCTXTRACE("addrwait");
3090 fctx->attributes |= FCTX_ATTR_ADDRWAIT;
3092 } else if (result != ISC_R_SUCCESS) {
3094 * Something bad happened.
3096 fctx_done(fctx, result, __LINE__);
3100 addrinfo = fctx_nextaddress(fctx);
3102 * While we may have addresses from the ADB, they
3103 * might be bad ones. In this case, return SERVFAIL.
3105 if (addrinfo == NULL) {
3106 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
3111 result = isc_counter_increment(fctx->qc);
3112 if (result != ISC_R_SUCCESS) {
3113 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
3114 DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3),
3115 "exceeded max queries resolving '%s'",
3117 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
3121 result = fctx_query(fctx, addrinfo, fctx->options);
3122 if (result != ISC_R_SUCCESS)
3123 fctx_done(fctx, result, __LINE__);
3125 inc_stats(fctx->res, dns_resstatscounter_retry);
3128 static isc_boolean_t
3129 fctx_unlink(fetchctx_t *fctx) {
3130 dns_resolver_t *res;
3131 unsigned int bucketnum;
3134 * Caller must be holding the bucket lock.
3137 REQUIRE(VALID_FCTX(fctx));
3138 REQUIRE(fctx->state == fetchstate_done ||
3139 fctx->state == fetchstate_init);
3140 REQUIRE(ISC_LIST_EMPTY(fctx->events));
3141 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
3142 REQUIRE(ISC_LIST_EMPTY(fctx->finds));
3143 REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
3144 REQUIRE(fctx->pending == 0);
3145 REQUIRE(fctx->references == 0);
3146 REQUIRE(ISC_LIST_EMPTY(fctx->validators));
3148 FCTXTRACE("unlink");
3151 bucketnum = fctx->bucketnum;
3153 ISC_LIST_UNLINK(res->buckets[bucketnum].fctxs, fctx, link);
3157 UNLOCK(&res->nlock);
3159 if (res->buckets[bucketnum].exiting &&
3160 ISC_LIST_EMPTY(res->buckets[bucketnum].fctxs))
3167 fctx_destroy(fetchctx_t *fctx) {
3168 isc_sockaddr_t *sa, *next_sa;
3170 REQUIRE(VALID_FCTX(fctx));
3171 REQUIRE(fctx->state == fetchstate_done ||
3172 fctx->state == fetchstate_init);
3173 REQUIRE(ISC_LIST_EMPTY(fctx->events));
3174 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
3175 REQUIRE(ISC_LIST_EMPTY(fctx->finds));
3176 REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
3177 REQUIRE(fctx->pending == 0);
3178 REQUIRE(fctx->references == 0);
3179 REQUIRE(ISC_LIST_EMPTY(fctx->validators));
3180 REQUIRE(!ISC_LINK_LINKED(fctx, link));
3182 FCTXTRACE("destroy");
3187 for (sa = ISC_LIST_HEAD(fctx->bad);
3190 next_sa = ISC_LIST_NEXT(sa, link);
3191 ISC_LIST_UNLINK(fctx->bad, sa, link);
3192 isc_mem_put(fctx->mctx, sa, sizeof(*sa));
3195 for (sa = ISC_LIST_HEAD(fctx->edns);
3198 next_sa = ISC_LIST_NEXT(sa, link);
3199 ISC_LIST_UNLINK(fctx->edns, sa, link);
3200 isc_mem_put(fctx->mctx, sa, sizeof(*sa));
3203 for (sa = ISC_LIST_HEAD(fctx->edns512);
3206 next_sa = ISC_LIST_NEXT(sa, link);
3207 ISC_LIST_UNLINK(fctx->edns512, sa, link);
3208 isc_mem_put(fctx->mctx, sa, sizeof(*sa));
3211 for (sa = ISC_LIST_HEAD(fctx->bad_edns);
3214 next_sa = ISC_LIST_NEXT(sa, link);
3215 ISC_LIST_UNLINK(fctx->bad_edns, sa, link);
3216 isc_mem_put(fctx->mctx, sa, sizeof(*sa));
3219 isc_counter_detach(&fctx->qc);
3220 isc_timer_detach(&fctx->timer);
3221 dns_message_destroy(&fctx->rmessage);
3222 dns_message_destroy(&fctx->qmessage);
3223 if (dns_name_countlabels(&fctx->domain) > 0)
3224 dns_name_free(&fctx->domain, fctx->mctx);
3225 if (dns_rdataset_isassociated(&fctx->nameservers))
3226 dns_rdataset_disassociate(&fctx->nameservers);
3227 dns_name_free(&fctx->name, fctx->mctx);
3228 dns_db_detach(&fctx->cache);
3229 dns_adb_detach(&fctx->adb);
3230 isc_mem_free(fctx->mctx, fctx->info);
3231 isc_mem_putanddetach(&fctx->mctx, fctx, sizeof(*fctx));
3235 * Fetch event handlers.
3239 fctx_timeout(isc_task_t *task, isc_event_t *event) {
3240 fetchctx_t *fctx = event->ev_arg;
3241 isc_timerevent_t *tevent = (isc_timerevent_t *)event;
3244 REQUIRE(VALID_FCTX(fctx));
3248 FCTXTRACE("timeout");
3250 inc_stats(fctx->res, dns_resstatscounter_querytimeout);
3252 if (event->ev_type == ISC_TIMEREVENT_LIFE) {
3253 fctx->reason = NULL;
3254 fctx_done(fctx, ISC_R_TIMEDOUT, __LINE__);
3256 isc_result_t result;
3259 fctx->timeout = ISC_TRUE;
3261 * We could cancel the running queries here, or we could let
3262 * them keep going. Since we normally use separate sockets for
3263 * different queries, we adopt the former approach to reduce
3264 * the number of open sockets: cancel the oldest query if it
3265 * expired after the query had started (this is usually the
3266 * case but is not always so, depending on the task schedule
3269 query = ISC_LIST_HEAD(fctx->queries);
3270 if (query != NULL &&
3271 isc_time_compare(&tevent->due, &query->start) >= 0) {
3272 fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
3274 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
3276 * Our timer has triggered. Reestablish the fctx lifetime
3279 result = fctx_starttimer(fctx);
3280 if (result != ISC_R_SUCCESS)
3281 fctx_done(fctx, result, __LINE__);
3286 fctx_try(fctx, ISC_TRUE, ISC_FALSE);
3289 isc_event_free(&event);
3293 fctx_shutdown(fetchctx_t *fctx) {
3294 isc_event_t *cevent;
3297 * Start the shutdown process for fctx, if it isn't already underway.
3300 FCTXTRACE("shutdown");
3303 * The caller must be holding the appropriate bucket lock.
3306 if (fctx->want_shutdown)
3309 fctx->want_shutdown = ISC_TRUE;
3312 * Unless we're still initializing (in which case the
3313 * control event is still outstanding), we need to post
3314 * the control event to tell the fetch we want it to
3317 if (fctx->state != fetchstate_init) {
3318 cevent = &fctx->control_event;
3319 isc_task_send(fctx->res->buckets[fctx->bucketnum].task,
3325 fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
3326 fetchctx_t *fctx = event->ev_arg;
3327 isc_boolean_t bucket_empty = ISC_FALSE;
3328 dns_resolver_t *res;
3329 unsigned int bucketnum;
3330 dns_validator_t *validator;
3331 isc_boolean_t destroy = ISC_FALSE;
3333 REQUIRE(VALID_FCTX(fctx));
3338 bucketnum = fctx->bucketnum;
3340 FCTXTRACE("doshutdown");
3343 * An fctx that is shutting down is no longer in ADDRWAIT mode.
3345 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
3348 * Cancel all pending validators. Note that this must be done
3349 * without the bucket lock held, since that could cause deadlock.
3351 validator = ISC_LIST_HEAD(fctx->validators);
3352 while (validator != NULL) {
3353 dns_validator_cancel(validator);
3354 validator = ISC_LIST_NEXT(validator, link);
3357 if (fctx->nsfetch != NULL)
3358 dns_resolver_cancelfetch(fctx->nsfetch);
3361 * Shut down anything that is still running on behalf of this
3362 * fetch. To avoid deadlock with the ADB, we must do this
3363 * before we lock the bucket lock.
3365 fctx_stopeverything(fctx, ISC_FALSE);
3367 LOCK(&res->buckets[bucketnum].lock);
3369 fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
3371 INSIST(fctx->state == fetchstate_active ||
3372 fctx->state == fetchstate_done);
3373 INSIST(fctx->want_shutdown);
3375 if (fctx->state != fetchstate_done) {
3376 fctx->state = fetchstate_done;
3377 fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__);
3380 if (fctx->references == 0 && fctx->pending == 0 &&
3381 fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
3382 bucket_empty = fctx_unlink(fctx);
3386 UNLOCK(&res->buckets[bucketnum].lock);
3396 fctx_start(isc_task_t *task, isc_event_t *event) {
3397 fetchctx_t *fctx = event->ev_arg;
3398 isc_boolean_t done = ISC_FALSE, bucket_empty = ISC_FALSE;
3399 dns_resolver_t *res;
3400 unsigned int bucketnum;
3401 isc_boolean_t destroy = ISC_FALSE;
3403 REQUIRE(VALID_FCTX(fctx));
3408 bucketnum = fctx->bucketnum;
3412 LOCK(&res->buckets[bucketnum].lock);
3414 INSIST(fctx->state == fetchstate_init);
3415 if (fctx->want_shutdown) {
3417 * We haven't started this fctx yet, and we've been requested
3420 fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
3421 fctx->state = fetchstate_done;
3422 fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__);
3424 * Since we haven't started, we INSIST that we have no
3425 * pending ADB finds and no pending validations.
3427 INSIST(fctx->pending == 0);
3428 INSIST(fctx->nqueries == 0);
3429 INSIST(ISC_LIST_EMPTY(fctx->validators));
3430 if (fctx->references == 0) {
3432 * It's now safe to destroy this fctx.
3434 bucket_empty = fctx_unlink(fctx);
3440 * Normal fctx startup.
3442 fctx->state = fetchstate_active;
3444 * Reset the control event for later use in shutting down
3447 ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
3448 DNS_EVENT_FETCHCONTROL, fctx_doshutdown, fctx,
3452 UNLOCK(&res->buckets[bucketnum].lock);
3455 isc_result_t result;
3460 * All is well. Start working on the fetch.
3462 result = fctx_starttimer(fctx);
3463 if (result != ISC_R_SUCCESS)
3464 fctx_done(fctx, result, __LINE__);
3466 fctx_try(fctx, ISC_FALSE, ISC_FALSE);
3467 } else if (destroy) {
3475 * Fetch Creation, Joining, and Cancelation.
3478 static inline isc_result_t
3479 fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client,
3480 dns_messageid_t id, isc_taskaction_t action, void *arg,
3481 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
3485 dns_fetchevent_t *event;
3490 * We store the task we're going to send this event to in the
3491 * sender field. We'll make the fetch the sender when we actually
3495 isc_task_attach(task, &clone);
3496 event = (dns_fetchevent_t *)
3497 isc_event_allocate(fctx->res->mctx, clone, DNS_EVENT_FETCHDONE,
3498 action, arg, sizeof(*event));
3499 if (event == NULL) {
3500 isc_task_detach(&clone);
3501 return (ISC_R_NOMEMORY);
3503 event->result = DNS_R_SERVFAIL;
3504 event->qtype = fctx->type;
3507 event->rdataset = rdataset;
3508 event->sigrdataset = sigrdataset;
3509 event->fetch = fetch;
3510 event->client = client;
3512 dns_fixedname_init(&event->foundname);
3515 * Make sure that we can store the sigrdataset in the
3516 * first event if it is needed by any of the events.
3518 if (event->sigrdataset != NULL)
3519 ISC_LIST_PREPEND(fctx->events, event, ev_link);
3521 ISC_LIST_APPEND(fctx->events, event, ev_link);
3523 fctx->client = client;
3525 fetch->magic = DNS_FETCH_MAGIC;
3526 fetch->private = fctx;
3528 return (ISC_R_SUCCESS);
3532 log_ns_ttl(fetchctx_t *fctx, const char *where) {
3533 char namebuf[DNS_NAME_FORMATSIZE];
3534 char domainbuf[DNS_NAME_FORMATSIZE];
3536 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
3537 dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
3538 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
3539 DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(10),
3540 "log_ns_ttl: fctx %p: %s: %s (in '%s'?): %u %u",
3541 fctx, where, namebuf, domainbuf,
3542 fctx->ns_ttl_ok, fctx->ns_ttl);
3546 fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
3547 dns_name_t *domain, dns_rdataset_t *nameservers,
3548 unsigned int options, unsigned int bucketnum, unsigned int depth,
3549 isc_counter_t *qc, fetchctx_t **fctxp)
3552 isc_result_t result;
3553 isc_result_t iresult;
3554 isc_interval_t interval;
3555 dns_fixedname_t fixed;
3556 unsigned int findoptions = 0;
3557 char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE];
3558 char typebuf[DNS_RDATATYPE_FORMATSIZE];
3563 * Caller must be holding the lock for bucket number 'bucketnum'.
3565 REQUIRE(fctxp != NULL && *fctxp == NULL);
3567 mctx = res->buckets[bucketnum].mctx;
3568 fctx = isc_mem_get(mctx, sizeof(*fctx));
3570 return (ISC_R_NOMEMORY);
3574 isc_counter_attach(qc, &fctx->qc);
3576 result = isc_counter_create(res->mctx,
3577 res->maxqueries, &fctx->qc);
3578 if (result != ISC_R_SUCCESS)
3583 * Make fctx->info point to a copy of a formatted string
3586 dns_name_format(name, buf, sizeof(buf));
3587 dns_rdatatype_format(type, typebuf, sizeof(typebuf));
3588 strcat(buf, "/"); /* checked */
3589 strcat(buf, typebuf); /* checked */
3590 fctx->info = isc_mem_strdup(mctx, buf);
3591 if (fctx->info == NULL) {
3592 result = ISC_R_NOMEMORY;
3593 goto cleanup_counter;
3595 FCTXTRACE("create");
3596 dns_name_init(&fctx->name, NULL);
3597 result = dns_name_dup(name, mctx, &fctx->name);
3598 if (result != ISC_R_SUCCESS)
3600 dns_name_init(&fctx->domain, NULL);
3601 dns_rdataset_init(&fctx->nameservers);
3604 fctx->options = options;
3606 * Note! We do not attach to the task. We are relying on the
3607 * resolver to ensure that this task doesn't go away while we are
3611 fctx->references = 0;
3612 fctx->bucketnum = bucketnum;
3613 fctx->state = fetchstate_init;
3614 fctx->want_shutdown = ISC_FALSE;
3615 fctx->cloned = ISC_FALSE;
3616 fctx->depth = depth;
3617 ISC_LIST_INIT(fctx->queries);
3618 ISC_LIST_INIT(fctx->finds);
3619 ISC_LIST_INIT(fctx->altfinds);
3620 ISC_LIST_INIT(fctx->forwaddrs);
3621 ISC_LIST_INIT(fctx->altaddrs);
3622 ISC_LIST_INIT(fctx->forwarders);
3623 fctx->fwdpolicy = dns_fwdpolicy_none;
3624 ISC_LIST_INIT(fctx->bad);
3625 ISC_LIST_INIT(fctx->edns);
3626 ISC_LIST_INIT(fctx->edns512);
3627 ISC_LIST_INIT(fctx->bad_edns);
3628 ISC_LIST_INIT(fctx->validators);
3629 fctx->validator = NULL;
3631 fctx->altfind = NULL;
3634 fctx->querysent = 0;
3635 fctx->referrals = 0;
3636 TIME_NOW(&fctx->start);
3638 fctx->lamecount = 0;
3644 fctx->result = ISC_R_FAILURE;
3645 fctx->vresult = ISC_R_SUCCESS;
3646 fctx->exitline = -1; /* sentinel */
3647 fctx->logged = ISC_FALSE;
3648 fctx->attributes = 0;
3649 fctx->spilled = ISC_FALSE;
3651 fctx->reason = NULL;
3653 fctx->rand_bits = 0;
3654 fctx->timeout = ISC_FALSE;
3655 fctx->addrinfo = NULL;
3656 fctx->client = NULL;
3658 fctx->ns_ttl_ok = ISC_FALSE;
3660 dns_name_init(&fctx->nsname, NULL);
3661 fctx->nsfetch = NULL;
3662 dns_rdataset_init(&fctx->nsrrset);
3664 if (domain == NULL) {
3665 dns_forwarders_t *forwarders = NULL;
3666 unsigned int labels;
3667 dns_name_t *fwdname = name;
3670 * DS records are found in the parent server.
3671 * Strip label to get the correct forwarder (if any).
3673 if (dns_rdatatype_atparent(fctx->type) &&
3674 dns_name_countlabels(name) > 1) {
3675 dns_name_init(&suffix, NULL);
3676 labels = dns_name_countlabels(name);
3677 dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
3680 dns_fixedname_init(&fixed);
3681 domain = dns_fixedname_name(&fixed);
3682 result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
3683 domain, &forwarders);
3684 if (result == ISC_R_SUCCESS)
3685 fctx->fwdpolicy = forwarders->fwdpolicy;
3687 if (fctx->fwdpolicy != dns_fwdpolicy_only) {
3689 * The caller didn't supply a query domain and
3690 * nameservers, and we're not in forward-only mode,
3691 * so find the best nameservers to use.
3693 if (dns_rdatatype_atparent(fctx->type))
3694 findoptions |= DNS_DBFIND_NOEXACT;
3695 result = dns_view_findzonecut(res->view, name, domain,
3696 0, findoptions, ISC_TRUE,
3699 if (result != ISC_R_SUCCESS)
3701 result = dns_name_dup(domain, mctx, &fctx->domain);
3702 if (result != ISC_R_SUCCESS) {
3703 dns_rdataset_disassociate(&fctx->nameservers);
3706 fctx->ns_ttl = fctx->nameservers.ttl;
3707 fctx->ns_ttl_ok = ISC_TRUE;
3710 * We're in forward-only mode. Set the query domain.
3712 result = dns_name_dup(domain, mctx, &fctx->domain);
3713 if (result != ISC_R_SUCCESS)
3717 result = dns_name_dup(domain, mctx, &fctx->domain);
3718 if (result != ISC_R_SUCCESS)
3720 dns_rdataset_clone(nameservers, &fctx->nameservers);
3721 fctx->ns_ttl = fctx->nameservers.ttl;
3722 fctx->ns_ttl_ok = ISC_TRUE;
3725 log_ns_ttl(fctx, "fctx_create");
3727 INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain));
3729 fctx->qmessage = NULL;
3730 result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
3733 if (result != ISC_R_SUCCESS)
3734 goto cleanup_domain;
3736 fctx->rmessage = NULL;
3737 result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
3740 if (result != ISC_R_SUCCESS)
3741 goto cleanup_qmessage;
3744 * Compute an expiration time for the entire fetch.
3746 isc_interval_set(&interval, res->query_timeout, 0);
3747 iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
3748 if (iresult != ISC_R_SUCCESS) {
3749 UNEXPECTED_ERROR(__FILE__, __LINE__,
3750 "isc_time_nowplusinterval: %s",
3751 isc_result_totext(iresult));
3752 result = ISC_R_UNEXPECTED;
3753 goto cleanup_rmessage;
3757 * Default retry interval initialization. We set the interval now
3758 * mostly so it won't be uninitialized. It will be set to the
3759 * correct value before a query is issued.
3761 isc_interval_set(&fctx->interval, 2, 0);
3764 * Create an inactive timer. It will be made active when the fetch
3765 * is actually started.
3768 iresult = isc_timer_create(res->timermgr, isc_timertype_inactive,
3770 res->buckets[bucketnum].task, fctx_timeout,
3771 fctx, &fctx->timer);
3772 if (iresult != ISC_R_SUCCESS) {
3773 UNEXPECTED_ERROR(__FILE__, __LINE__,
3774 "isc_timer_create: %s",
3775 isc_result_totext(iresult));
3776 result = ISC_R_UNEXPECTED;
3777 goto cleanup_rmessage;
3781 * Attach to the view's cache and adb.
3784 dns_db_attach(res->view->cachedb, &fctx->cache);
3786 dns_adb_attach(res->view->adb, &fctx->adb);
3788 isc_mem_attach(mctx, &fctx->mctx);
3790 ISC_LIST_INIT(fctx->events);
3791 ISC_LINK_INIT(fctx, link);
3792 fctx->magic = FCTX_MAGIC;
3794 ISC_LIST_APPEND(res->buckets[bucketnum].fctxs, fctx, link);
3798 UNLOCK(&res->nlock);
3802 return (ISC_R_SUCCESS);
3805 dns_message_destroy(&fctx->rmessage);
3808 dns_message_destroy(&fctx->qmessage);
3811 if (dns_name_countlabels(&fctx->domain) > 0)
3812 dns_name_free(&fctx->domain, mctx);
3813 if (dns_rdataset_isassociated(&fctx->nameservers))
3814 dns_rdataset_disassociate(&fctx->nameservers);
3817 dns_name_free(&fctx->name, mctx);
3820 isc_mem_free(mctx, fctx->info);
3823 isc_counter_detach(&fctx->qc);
3826 isc_mem_put(mctx, fctx, sizeof(*fctx));
3834 static inline isc_boolean_t
3835 is_lame(fetchctx_t *fctx) {
3836 dns_message_t *message = fctx->rmessage;
3838 dns_rdataset_t *rdataset;
3839 isc_result_t result;
3841 if (message->rcode != dns_rcode_noerror &&
3842 message->rcode != dns_rcode_nxdomain)
3845 if (message->counts[DNS_SECTION_ANSWER] != 0)
3848 if (message->counts[DNS_SECTION_AUTHORITY] == 0)
3851 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
3852 while (result == ISC_R_SUCCESS) {
3854 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
3855 for (rdataset = ISC_LIST_HEAD(name->list);
3857 rdataset = ISC_LIST_NEXT(rdataset, link)) {
3858 dns_namereln_t namereln;
3860 unsigned int labels;
3861 if (rdataset->type != dns_rdatatype_ns)
3863 namereln = dns_name_fullcompare(name, &fctx->domain,
3865 if (namereln == dns_namereln_equal &&
3866 (message->flags & DNS_MESSAGEFLAG_AA) != 0)
3868 if (namereln == dns_namereln_subdomain)
3872 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
3879 log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
3880 char namebuf[DNS_NAME_FORMATSIZE];
3881 char domainbuf[DNS_NAME_FORMATSIZE];
3882 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
3884 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
3885 dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
3886 isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
3887 isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
3888 DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
3889 "lame server resolving '%s' (in '%s'?): %s",
3890 namebuf, domainbuf, addrbuf);
3894 log_formerr(fetchctx_t *fctx, const char *format, ...) {
3895 char nsbuf[ISC_SOCKADDR_FORMATSIZE];
3896 char clbuf[ISC_SOCKADDR_FORMATSIZE];
3897 const char *clmsg = "";
3901 va_start(args, format);
3902 vsnprintf(msgbuf, sizeof(msgbuf), format, args);
3905 isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
3907 if (fctx->client != NULL) {
3908 clmsg = " for client ";
3909 isc_sockaddr_format(fctx->client, clbuf, sizeof(clbuf));
3914 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
3915 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
3916 "DNS format error from %s resolving %s%s%s: %s",
3917 nsbuf, fctx->info, clmsg, clbuf, msgbuf);
3920 static inline isc_result_t
3921 same_question(fetchctx_t *fctx) {
3922 isc_result_t result;
3923 dns_message_t *message = fctx->rmessage;
3925 dns_rdataset_t *rdataset;
3928 * Caller must be holding the fctx lock.
3932 * XXXRTH Currently we support only one question.
3934 if (message->counts[DNS_SECTION_QUESTION] != 1) {
3935 log_formerr(fctx, "too many questions");
3936 return (DNS_R_FORMERR);
3939 result = dns_message_firstname(message, DNS_SECTION_QUESTION);
3940 if (result != ISC_R_SUCCESS)
3943 dns_message_currentname(message, DNS_SECTION_QUESTION, &name);
3944 rdataset = ISC_LIST_HEAD(name->list);
3945 INSIST(rdataset != NULL);
3946 INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
3948 if (fctx->type != rdataset->type ||
3949 fctx->res->rdclass != rdataset->rdclass ||
3950 !dns_name_equal(&fctx->name, name)) {
3951 char namebuf[DNS_NAME_FORMATSIZE];
3952 char class[DNS_RDATACLASS_FORMATSIZE];
3953 char type[DNS_RDATATYPE_FORMATSIZE];
3955 dns_name_format(name, namebuf, sizeof(namebuf));
3956 dns_rdataclass_format(rdataset->rdclass, class, sizeof(class));
3957 dns_rdatatype_format(rdataset->type, type, sizeof(type));
3958 log_formerr(fctx, "question section mismatch: got %s/%s/%s",
3959 namebuf, class, type);
3960 return (DNS_R_FORMERR);
3963 return (ISC_R_SUCCESS);
3967 clone_results(fetchctx_t *fctx) {
3968 dns_fetchevent_t *event, *hevent;
3969 isc_result_t result;
3970 dns_name_t *name, *hname;
3972 FCTXTRACE("clone_results");
3975 * Set up any other events to have the same data as the first
3978 * Caller must be holding the appropriate lock.
3981 fctx->cloned = ISC_TRUE;
3982 hevent = ISC_LIST_HEAD(fctx->events);
3985 hname = dns_fixedname_name(&hevent->foundname);
3986 for (event = ISC_LIST_NEXT(hevent, ev_link);
3988 event = ISC_LIST_NEXT(event, ev_link)) {
3989 name = dns_fixedname_name(&event->foundname);
3990 result = dns_name_copy(hname, name, NULL);
3991 if (result != ISC_R_SUCCESS)
3992 event->result = result;
3994 event->result = hevent->result;
3995 dns_db_attach(hevent->db, &event->db);
3996 dns_db_attachnode(hevent->db, hevent->node, &event->node);
3997 INSIST(hevent->rdataset != NULL);
3998 INSIST(event->rdataset != NULL);
3999 if (dns_rdataset_isassociated(hevent->rdataset))
4000 dns_rdataset_clone(hevent->rdataset, event->rdataset);
4001 INSIST(! (hevent->sigrdataset == NULL &&
4002 event->sigrdataset != NULL));
4003 if (hevent->sigrdataset != NULL &&
4004 dns_rdataset_isassociated(hevent->sigrdataset) &&
4005 event->sigrdataset != NULL)
4006 dns_rdataset_clone(hevent->sigrdataset,
4007 event->sigrdataset);
4011 #define CACHE(r) (((r)->attributes & DNS_RDATASETATTR_CACHE) != 0)
4012 #define ANSWER(r) (((r)->attributes & DNS_RDATASETATTR_ANSWER) != 0)
4013 #define ANSWERSIG(r) (((r)->attributes & DNS_RDATASETATTR_ANSWERSIG) != 0)
4014 #define EXTERNAL(r) (((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0)
4015 #define CHAINING(r) (((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0)
4016 #define CHASE(r) (((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
4017 #define CHECKNAMES(r) (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
4021 * Destroy '*fctx' if it is ready to be destroyed (i.e., if it has
4022 * no references and is no longer waiting for any events).
4025 * '*fctx' is shutting down.
4028 * true if the resolver is exiting and this is the last fctx in the bucket.
4030 static isc_boolean_t
4031 maybe_destroy(fetchctx_t *fctx, isc_boolean_t locked) {
4032 unsigned int bucketnum;
4033 isc_boolean_t bucket_empty = ISC_FALSE;
4034 dns_resolver_t *res = fctx->res;
4035 dns_validator_t *validator, *next_validator;
4036 isc_boolean_t destroy = ISC_FALSE;
4038 REQUIRE(SHUTTINGDOWN(fctx));
4040 bucketnum = fctx->bucketnum;
4042 LOCK(&res->buckets[bucketnum].lock);
4043 if (fctx->pending != 0 || fctx->nqueries != 0)
4046 for (validator = ISC_LIST_HEAD(fctx->validators);
4047 validator != NULL; validator = next_validator) {
4048 next_validator = ISC_LIST_NEXT(validator, link);
4049 dns_validator_cancel(validator);
4052 if (fctx->references == 0 && ISC_LIST_EMPTY(fctx->validators)) {
4053 bucket_empty = fctx_unlink(fctx);
4058 UNLOCK(&res->buckets[bucketnum].lock);
4061 return (bucket_empty);
4065 * The validator has finished.
4068 validated(isc_task_t *task, isc_event_t *event) {
4069 dns_adbaddrinfo_t *addrinfo;
4070 dns_dbnode_t *node = NULL;
4071 dns_dbnode_t *nsnode = NULL;
4072 dns_fetchevent_t *hevent;
4074 dns_rdataset_t *ardataset = NULL;
4075 dns_rdataset_t *asigrdataset = NULL;
4076 dns_rdataset_t *rdataset;
4077 dns_rdataset_t *sigrdataset;
4078 dns_resolver_t *res;
4079 dns_valarg_t *valarg;
4080 dns_validatorevent_t *vevent;
4082 isc_boolean_t chaining;
4083 isc_boolean_t negative;
4084 isc_boolean_t sentresponse;
4085 isc_result_t eresult = ISC_R_SUCCESS;
4086 isc_result_t result = ISC_R_SUCCESS;
4090 UNUSED(task); /* for now */
4092 REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE);
4093 valarg = event->ev_arg;
4094 fctx = valarg->fctx;
4096 addrinfo = valarg->addrinfo;
4097 REQUIRE(VALID_FCTX(fctx));
4098 REQUIRE(!ISC_LIST_EMPTY(fctx->validators));
4100 vevent = (dns_validatorevent_t *)event;
4101 fctx->vresult = vevent->result;
4103 FCTXTRACE("received validation completion event");
4105 LOCK(&res->buckets[fctx->bucketnum].lock);
4107 ISC_LIST_UNLINK(fctx->validators, vevent->validator, link);
4108 fctx->validator = NULL;
4111 * Destroy the validator early so that we can
4112 * destroy the fctx if necessary.
4114 dns_validator_destroy(&vevent->validator);
4115 isc_mem_put(fctx->mctx, valarg, sizeof(*valarg));
4117 negative = ISC_TF(vevent->rdataset == NULL);
4119 sentresponse = ISC_TF((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0);
4122 * If shutting down, ignore the results. Check to see if we're
4123 * done waiting for validator completions and ADB pending events; if
4124 * so, destroy the fctx.
4126 if (SHUTTINGDOWN(fctx) && !sentresponse) {
4127 isc_uint32_t bucketnum = fctx->bucketnum;
4128 isc_boolean_t bucket_empty;
4129 bucket_empty = maybe_destroy(fctx, ISC_TRUE);
4130 UNLOCK(&res->buckets[bucketnum].lock);
4136 isc_stdtime_get(&now);
4139 * If chaining, we need to make sure that the right result code is
4140 * returned, and that the rdatasets are bound.
4142 if (vevent->result == ISC_R_SUCCESS &&
4144 vevent->rdataset != NULL &&
4145 CHAINING(vevent->rdataset))
4147 if (vevent->rdataset->type == dns_rdatatype_cname)
4148 eresult = DNS_R_CNAME;
4150 INSIST(vevent->rdataset->type == dns_rdatatype_dname);
4151 eresult = DNS_R_DNAME;
4153 chaining = ISC_TRUE;
4155 chaining = ISC_FALSE;
4158 * Either we're not shutting down, or we are shutting down but want
4159 * to cache the result anyway (if this was a validation started by
4160 * a query with cd set)
4163 hevent = ISC_LIST_HEAD(fctx->events);
4164 if (hevent != NULL) {
4165 if (!negative && !chaining &&
4166 (fctx->type == dns_rdatatype_any ||
4167 fctx->type == dns_rdatatype_rrsig ||
4168 fctx->type == dns_rdatatype_sig)) {
4170 * Don't bind rdatasets; the caller
4171 * will iterate the node.
4174 ardataset = hevent->rdataset;
4175 asigrdataset = hevent->sigrdataset;
4179 if (vevent->result != ISC_R_SUCCESS) {
4180 FCTXTRACE("validation failed");
4181 inc_stats(res, dns_resstatscounter_valfail);
4183 fctx->vresult = vevent->result;
4184 if (fctx->vresult != DNS_R_BROKENCHAIN) {
4185 result = ISC_R_NOTFOUND;
4186 if (vevent->rdataset != NULL)
4187 result = dns_db_findnode(fctx->cache,
4190 if (result == ISC_R_SUCCESS)
4191 (void)dns_db_deleterdataset(fctx->cache, node,
4194 if (result == ISC_R_SUCCESS &&
4195 vevent->sigrdataset != NULL)
4196 (void)dns_db_deleterdataset(fctx->cache, node,
4198 dns_rdatatype_rrsig,
4200 if (result == ISC_R_SUCCESS)
4201 dns_db_detachnode(fctx->cache, &node);
4203 if (fctx->vresult == DNS_R_BROKENCHAIN && !negative) {
4205 * Cache the data as pending for later validation.
4207 result = ISC_R_NOTFOUND;
4208 if (vevent->rdataset != NULL)
4209 result = dns_db_findnode(fctx->cache,
4212 if (result == ISC_R_SUCCESS) {
4213 (void)dns_db_addrdataset(fctx->cache, node,
4215 vevent->rdataset, 0,
4218 if (result == ISC_R_SUCCESS &&
4219 vevent->sigrdataset != NULL)
4220 (void)dns_db_addrdataset(fctx->cache, node,
4222 vevent->sigrdataset,
4224 if (result == ISC_R_SUCCESS)
4225 dns_db_detachnode(fctx->cache, &node);
4227 result = fctx->vresult;
4228 add_bad(fctx, addrinfo, result, badns_validation);
4229 isc_event_free(&event);
4230 UNLOCK(&res->buckets[fctx->bucketnum].lock);
4231 INSIST(fctx->validator == NULL);
4232 fctx->validator = ISC_LIST_HEAD(fctx->validators);
4233 if (fctx->validator != NULL)
4234 dns_validator_send(fctx->validator);
4235 else if (sentresponse)
4236 fctx_done(fctx, result, __LINE__); /* Locks bucket. */
4237 else if (result == DNS_R_BROKENCHAIN) {
4238 isc_result_t tresult;
4242 isc_interval_set(&i, DNS_BADCACHE_TTL(fctx), 0);
4243 tresult = isc_time_nowplusinterval(&expire, &i);
4245 (fctx->type == dns_rdatatype_dnskey ||
4246 fctx->type == dns_rdatatype_dlv ||
4247 fctx->type == dns_rdatatype_ds) &&
4248 tresult == ISC_R_SUCCESS)
4249 dns_resolver_addbadcache(res, &fctx->name,
4250 fctx->type, &expire);
4251 fctx_done(fctx, result, __LINE__); /* Locks bucket. */
4253 fctx_try(fctx, ISC_TRUE, ISC_TRUE); /* Locks bucket. */
4259 dns_rdatatype_t covers;
4260 FCTXTRACE("nonexistence validation OK");
4262 inc_stats(res, dns_resstatscounter_valnegsuccess);
4264 if (fctx->rmessage->rcode == dns_rcode_nxdomain)
4265 covers = dns_rdatatype_any;
4267 covers = fctx->type;
4269 result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE,
4271 if (result != ISC_R_SUCCESS)
4272 goto noanswer_response;
4275 * If we are asking for a SOA record set the cache time
4276 * to zero to facilitate locating the containing zone of
4279 ttl = res->view->maxncachettl;
4280 if (fctx->type == dns_rdatatype_soa &&
4281 covers == dns_rdatatype_any && res->zero_no_soa_ttl)
4284 result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
4285 covers, now, ttl, vevent->optout,
4286 ardataset, &eresult);
4287 if (result != ISC_R_SUCCESS)
4288 goto noanswer_response;
4289 goto answer_response;
4291 inc_stats(res, dns_resstatscounter_valsuccess);
4293 FCTXTRACE("validation OK");
4295 if (vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF] != NULL) {
4297 result = dns_rdataset_addnoqname(vevent->rdataset,
4298 vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF]);
4299 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4300 INSIST(vevent->sigrdataset != NULL);
4301 vevent->sigrdataset->ttl = vevent->rdataset->ttl;
4302 if (vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER] != NULL) {
4303 result = dns_rdataset_addclosest(vevent->rdataset,
4304 vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER]);
4305 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4310 * The data was already cached as pending data.
4311 * Re-cache it as secure and bind the cached
4312 * rdatasets to the first event on the fetch
4315 result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE, &node);
4316 if (result != ISC_R_SUCCESS)
4317 goto noanswer_response;
4319 result = dns_db_addrdataset(fctx->cache, node, NULL, now,
4320 vevent->rdataset, 0, ardataset);
4321 if (result != ISC_R_SUCCESS &&
4322 result != DNS_R_UNCHANGED)
4323 goto noanswer_response;
4324 if (ardataset != NULL && NEGATIVE(ardataset)) {
4325 if (NXDOMAIN(ardataset))
4326 eresult = DNS_R_NCACHENXDOMAIN;
4328 eresult = DNS_R_NCACHENXRRSET;
4329 } else if (vevent->sigrdataset != NULL) {
4330 result = dns_db_addrdataset(fctx->cache, node, NULL, now,
4331 vevent->sigrdataset, 0,
4333 if (result != ISC_R_SUCCESS &&
4334 result != DNS_R_UNCHANGED)
4335 goto noanswer_response;
4339 isc_boolean_t bucket_empty = ISC_FALSE;
4341 * If we only deferred the destroy because we wanted to cache
4342 * the data, destroy now.
4344 dns_db_detachnode(fctx->cache, &node);
4345 if (SHUTTINGDOWN(fctx))
4346 bucket_empty = maybe_destroy(fctx, ISC_TRUE);
4347 UNLOCK(&res->buckets[fctx->bucketnum].lock);
4353 if (!ISC_LIST_EMPTY(fctx->validators)) {
4355 INSIST(fctx->type == dns_rdatatype_any ||
4356 fctx->type == dns_rdatatype_rrsig ||
4357 fctx->type == dns_rdatatype_sig);
4359 * Don't send a response yet - we have
4360 * more rdatasets that still need to
4363 dns_db_detachnode(fctx->cache, &node);
4364 UNLOCK(&res->buckets[fctx->bucketnum].lock);
4365 dns_validator_send(ISC_LIST_HEAD(fctx->validators));
4371 * Cache any NS/NSEC records that happened to be validated.
4373 result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
4374 while (result == ISC_R_SUCCESS) {
4376 dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
4378 for (rdataset = ISC_LIST_HEAD(name->list);
4380 rdataset = ISC_LIST_NEXT(rdataset, link)) {
4381 if ((rdataset->type != dns_rdatatype_ns &&
4382 rdataset->type != dns_rdatatype_nsec) ||
4383 rdataset->trust != dns_trust_secure)
4385 for (sigrdataset = ISC_LIST_HEAD(name->list);
4386 sigrdataset != NULL;
4387 sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
4388 if (sigrdataset->type != dns_rdatatype_rrsig ||
4389 sigrdataset->covers != rdataset->type)
4393 if (sigrdataset == NULL ||
4394 sigrdataset->trust != dns_trust_secure)
4396 result = dns_db_findnode(fctx->cache, name, ISC_TRUE,
4398 if (result != ISC_R_SUCCESS)
4401 result = dns_db_addrdataset(fctx->cache, nsnode, NULL,
4402 now, rdataset, 0, NULL);
4403 if (result == ISC_R_SUCCESS)
4404 result = dns_db_addrdataset(fctx->cache, nsnode,
4408 dns_db_detachnode(fctx->cache, &nsnode);
4409 if (result != ISC_R_SUCCESS)
4412 result = dns_message_nextname(fctx->rmessage,
4413 DNS_SECTION_AUTHORITY);
4416 result = ISC_R_SUCCESS;
4419 * Respond with an answer, positive or negative,
4420 * as opposed to an error. 'node' must be non-NULL.
4423 fctx->attributes |= FCTX_ATTR_HAVEANSWER;
4425 if (hevent != NULL) {
4426 hevent->result = eresult;
4427 RUNTIME_CHECK(dns_name_copy(vevent->name,
4428 dns_fixedname_name(&hevent->foundname), NULL)
4430 dns_db_attach(fctx->cache, &hevent->db);
4431 dns_db_transfernode(fctx->cache, &node, &hevent->node);
4432 clone_results(fctx);
4437 dns_db_detachnode(fctx->cache, &node);
4439 UNLOCK(&res->buckets[fctx->bucketnum].lock);
4440 fctx_done(fctx, result, __LINE__); /* Locks bucket. */
4443 INSIST(node == NULL);
4444 isc_event_free(&event);
4447 static inline isc_result_t
4448 cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
4451 dns_rdataset_t *rdataset, *sigrdataset;
4452 dns_rdataset_t *addedrdataset, *ardataset, *asigrdataset;
4453 dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL;
4454 dns_dbnode_t *node, **anodep;
4457 dns_resolver_t *res;
4458 isc_boolean_t need_validation, secure_domain, have_answer;
4459 isc_result_t result, eresult;
4460 dns_fetchevent_t *event;
4461 unsigned int options;
4464 unsigned int valoptions = 0;
4467 * The appropriate bucket lock must be held.
4471 need_validation = ISC_FALSE;
4472 POST(need_validation);
4473 secure_domain = ISC_FALSE;
4474 have_answer = ISC_FALSE;
4475 eresult = ISC_R_SUCCESS;
4476 task = res->buckets[fctx->bucketnum].task;
4479 * Is DNSSEC validation required for this name?
4481 if (res->view->enablevalidation) {
4482 result = dns_view_issecuredomain(res->view, name,
4484 if (result != ISC_R_SUCCESS)
4487 if (!secure_domain && res->view->dlv != NULL) {
4488 valoptions = DNS_VALIDATOR_DLV;
4489 secure_domain = ISC_TRUE;
4493 if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
4494 need_validation = ISC_FALSE;
4496 need_validation = secure_domain;
4502 asigrdataset = NULL;
4504 if ((name->attributes & DNS_NAMEATTR_ANSWER) != 0 &&
4506 have_answer = ISC_TRUE;
4507 event = ISC_LIST_HEAD(fctx->events);
4508 if (event != NULL) {
4510 aname = dns_fixedname_name(&event->foundname);
4511 result = dns_name_copy(name, aname, NULL);
4512 if (result != ISC_R_SUCCESS)
4514 anodep = &event->node;
4516 * If this is an ANY, SIG or RRSIG query, we're not
4517 * going to return any rdatasets, unless we encountered
4518 * a CNAME or DNAME as "the answer". In this case,
4519 * we're going to return DNS_R_CNAME or DNS_R_DNAME
4520 * and we must set up the rdatasets.
4522 if ((fctx->type != dns_rdatatype_any &&
4523 fctx->type != dns_rdatatype_rrsig &&
4524 fctx->type != dns_rdatatype_sig) ||
4525 (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
4526 ardataset = event->rdataset;
4527 asigrdataset = event->sigrdataset;
4533 * Find or create the cache node.
4536 result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
4537 if (result != ISC_R_SUCCESS)
4541 * Cache or validate each cacheable rdataset.
4543 fail = ISC_TF((fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL) != 0);
4544 for (rdataset = ISC_LIST_HEAD(name->list);
4546 rdataset = ISC_LIST_NEXT(rdataset, link)) {
4547 if (!CACHE(rdataset))
4549 if (CHECKNAMES(rdataset)) {
4550 char namebuf[DNS_NAME_FORMATSIZE];
4551 char typebuf[DNS_RDATATYPE_FORMATSIZE];
4552 char classbuf[DNS_RDATATYPE_FORMATSIZE];
4554 dns_name_format(name, namebuf, sizeof(namebuf));
4555 dns_rdatatype_format(rdataset->type, typebuf,
4557 dns_rdataclass_format(rdataset->rdclass, classbuf,
4559 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
4560 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
4561 "check-names %s %s/%s/%s",
4562 fail ? "failure" : "warning",
4563 namebuf, typebuf, classbuf);
4565 if (ANSWER(rdataset)) {
4566 dns_db_detachnode(fctx->cache, &node);
4567 return (DNS_R_BADNAME);
4574 * Enforce the configure maximum cache TTL.
4576 if (rdataset->ttl > res->view->maxcachettl)
4577 rdataset->ttl = res->view->maxcachettl;
4580 * If this RRset is in a secure domain, is in bailiwick,
4581 * and is not glue, attempt DNSSEC validation. (We do not
4582 * attempt to validate glue or out-of-bailiwick data--even
4583 * though there might be some performance benefit to doing
4584 * so--because it makes it simpler and safer to ensure that
4585 * records from a secure domain are only cached if validated
4586 * within the context of a query to the domain that owns
4589 if (secure_domain && rdataset->trust != dns_trust_glue &&
4590 !EXTERNAL(rdataset)) {
4594 * RRSIGs are validated as part of validating the
4597 if (rdataset->type == dns_rdatatype_rrsig)
4600 * Find the SIG for this rdataset, if we have it.
4602 for (sigrdataset = ISC_LIST_HEAD(name->list);
4603 sigrdataset != NULL;
4604 sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
4605 if (sigrdataset->type == dns_rdatatype_rrsig &&
4606 sigrdataset->covers == rdataset->type)
4609 if (sigrdataset == NULL) {
4610 if (!ANSWER(rdataset) && need_validation) {
4612 * Ignore non-answer rdatasets that
4613 * are missing signatures.
4620 * Normalize the rdataset and sigrdataset TTLs.
4622 if (sigrdataset != NULL) {
4623 rdataset->ttl = ISC_MIN(rdataset->ttl,
4625 sigrdataset->ttl = rdataset->ttl;
4629 * Cache this rdataset/sigrdataset pair as
4630 * pending data. Track whether it was additional
4633 if (rdataset->trust == dns_trust_additional)
4634 trust = dns_trust_pending_additional;
4636 trust = dns_trust_pending_answer;
4638 rdataset->trust = trust;
4639 if (sigrdataset != NULL)
4640 sigrdataset->trust = trust;
4641 if (!need_validation || !ANSWER(rdataset)) {
4642 addedrdataset = ardataset;
4643 result = dns_db_addrdataset(fctx->cache, node,
4644 NULL, now, rdataset,
4646 if (result == DNS_R_UNCHANGED) {
4647 result = ISC_R_SUCCESS;
4648 if (!need_validation &&
4649 ardataset != NULL &&
4650 NEGATIVE(ardataset)) {
4652 * The answer in the cache is
4653 * better than the answer we
4654 * found, and is a negative
4655 * cache entry, so we must set
4656 * eresult appropriately.
4658 if (NXDOMAIN(ardataset))
4660 DNS_R_NCACHENXDOMAIN;
4663 DNS_R_NCACHENXRRSET;
4665 * We have a negative response
4666 * from the cache so don't
4667 * attempt to add the RRSIG
4673 if (result != ISC_R_SUCCESS)
4675 if (sigrdataset != NULL) {
4676 addedrdataset = asigrdataset;
4677 result = dns_db_addrdataset(fctx->cache,
4681 if (result == DNS_R_UNCHANGED)
4682 result = ISC_R_SUCCESS;
4683 if (result != ISC_R_SUCCESS)
4685 } else if (!ANSWER(rdataset))
4689 if (ANSWER(rdataset) && need_validation) {
4690 if (fctx->type != dns_rdatatype_any &&
4691 fctx->type != dns_rdatatype_rrsig &&
4692 fctx->type != dns_rdatatype_sig) {
4694 * This is The Answer. We will
4695 * validate it, but first we cache
4696 * the rest of the response - it may
4697 * contain useful keys.
4699 INSIST(valrdataset == NULL &&
4700 valsigrdataset == NULL);
4701 valrdataset = rdataset;
4702 valsigrdataset = sigrdataset;
4705 * This is one of (potentially)
4706 * multiple answers to an ANY
4707 * or SIG query. To keep things
4708 * simple, we just start the
4709 * validator right away rather
4710 * than caching first and
4711 * having to remember which
4712 * rdatasets needed validation.
4714 result = valcreate(fctx, addrinfo,
4715 name, rdataset->type,
4720 * Defer any further validations.
4721 * This prevents multiple validators
4722 * from manipulating fctx->rmessage
4725 valoptions |= DNS_VALIDATOR_DEFER;
4727 } else if (CHAINING(rdataset)) {
4728 if (rdataset->type == dns_rdatatype_cname)
4729 eresult = DNS_R_CNAME;
4731 INSIST(rdataset->type ==
4732 dns_rdatatype_dname);
4733 eresult = DNS_R_DNAME;
4736 } else if (!EXTERNAL(rdataset)) {
4738 * It's OK to cache this rdataset now.
4740 if (ANSWER(rdataset))
4741 addedrdataset = ardataset;
4742 else if (ANSWERSIG(rdataset))
4743 addedrdataset = asigrdataset;
4745 addedrdataset = NULL;
4746 if (CHAINING(rdataset)) {
4747 if (rdataset->type == dns_rdatatype_cname)
4748 eresult = DNS_R_CNAME;
4750 INSIST(rdataset->type ==
4751 dns_rdatatype_dname);
4752 eresult = DNS_R_DNAME;
4755 if (rdataset->trust == dns_trust_glue &&
4756 (rdataset->type == dns_rdatatype_ns ||
4757 (rdataset->type == dns_rdatatype_rrsig &&
4758 rdataset->covers == dns_rdatatype_ns))) {
4760 * If the trust level is 'dns_trust_glue'
4761 * then we are adding data from a referral
4762 * we got while executing the search algorithm.
4763 * New referral data always takes precedence
4764 * over the existing cache contents.
4766 options = DNS_DBADD_FORCE;
4770 * Now we can add the rdataset.
4772 result = dns_db_addrdataset(fctx->cache,
4777 if (result == DNS_R_UNCHANGED) {
4778 if (ANSWER(rdataset) &&
4779 ardataset != NULL &&
4780 NEGATIVE(ardataset)) {
4782 * The answer in the cache is better
4783 * than the answer we found, and is
4784 * a negative cache entry, so we
4785 * must set eresult appropriately.
4787 if (NXDOMAIN(ardataset))
4788 eresult = DNS_R_NCACHENXDOMAIN;
4790 eresult = DNS_R_NCACHENXRRSET;
4792 result = ISC_R_SUCCESS;
4793 } else if (result != ISC_R_SUCCESS)
4798 if (valrdataset != NULL)
4799 result = valcreate(fctx, addrinfo, name, fctx->type,
4800 valrdataset, valsigrdataset, valoptions,
4803 if (result == ISC_R_SUCCESS && have_answer) {
4804 fctx->attributes |= FCTX_ATTR_HAVEANSWER;
4805 if (event != NULL) {
4807 * Negative results must be indicated in event->result.
4809 if (dns_rdataset_isassociated(event->rdataset) &&
4810 NEGATIVE(event->rdataset)) {
4811 INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
4812 eresult == DNS_R_NCACHENXRRSET);
4814 event->result = eresult;
4815 dns_db_attach(fctx->cache, adbp);
4816 dns_db_transfernode(fctx->cache, &node, anodep);
4817 clone_results(fctx);
4822 dns_db_detachnode(fctx->cache, &node);
4827 static inline isc_result_t
4828 cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
4830 isc_result_t result;
4831 dns_section_t section;
4834 FCTXTRACE("cache_message");
4836 fctx->attributes &= ~FCTX_ATTR_WANTCACHE;
4838 LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
4840 for (section = DNS_SECTION_ANSWER;
4841 section <= DNS_SECTION_ADDITIONAL;
4843 result = dns_message_firstname(fctx->rmessage, section);
4844 while (result == ISC_R_SUCCESS) {
4846 dns_message_currentname(fctx->rmessage, section,
4848 if ((name->attributes & DNS_NAMEATTR_CACHE) != 0) {
4849 result = cache_name(fctx, name, addrinfo, now);
4850 if (result != ISC_R_SUCCESS)
4853 result = dns_message_nextname(fctx->rmessage, section);
4855 if (result != ISC_R_NOMORE)
4858 if (result == ISC_R_NOMORE)
4859 result = ISC_R_SUCCESS;
4861 UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
4867 * Do what dns_ncache_addoptout() does, and then compute an appropriate eresult.
4870 ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
4871 dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
4872 isc_boolean_t optout, dns_rdataset_t *ardataset,
4873 isc_result_t *eresultp)
4875 isc_result_t result;
4876 dns_rdataset_t rdataset;
4878 if (ardataset == NULL) {
4879 dns_rdataset_init(&rdataset);
4880 ardataset = &rdataset;
4882 result = dns_ncache_addoptout(message, cache, node, covers, now,
4883 maxttl, optout, ardataset);
4884 if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
4886 * If the cache now contains a negative entry and we
4887 * care about whether it is DNS_R_NCACHENXDOMAIN or
4888 * DNS_R_NCACHENXRRSET then extract it.
4890 if (NEGATIVE(ardataset)) {
4892 * The cache data is a negative cache entry.
4894 if (NXDOMAIN(ardataset))
4895 *eresultp = DNS_R_NCACHENXDOMAIN;
4897 *eresultp = DNS_R_NCACHENXRRSET;
4900 * Either we don't care about the nature of the
4901 * cache rdataset (because no fetch is interested
4902 * in the outcome), or the cache rdataset is not
4903 * a negative cache entry. Whichever case it is,
4904 * we can return success.
4906 * XXXRTH There's a CNAME/DNAME problem here.
4908 *eresultp = ISC_R_SUCCESS;
4910 result = ISC_R_SUCCESS;
4912 if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset))
4913 dns_rdataset_disassociate(ardataset);
4918 static inline isc_result_t
4919 ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
4920 dns_rdatatype_t covers, isc_stdtime_t now)
4922 isc_result_t result, eresult;
4924 dns_resolver_t *res;
4926 dns_dbnode_t *node, **anodep;
4927 dns_rdataset_t *ardataset;
4928 isc_boolean_t need_validation, secure_domain;
4930 dns_fetchevent_t *event;
4932 unsigned int valoptions = 0;
4934 FCTXTRACE("ncache_message");
4936 fctx->attributes &= ~FCTX_ATTR_WANTNCACHE;
4939 need_validation = ISC_FALSE;
4940 POST(need_validation);
4941 secure_domain = ISC_FALSE;
4942 eresult = ISC_R_SUCCESS;
4947 * XXXMPA remove when we follow cnames and adjust the setting
4948 * of FCTX_ATTR_WANTNCACHE in noanswer_response().
4950 INSIST(fctx->rmessage->counts[DNS_SECTION_ANSWER] == 0);
4953 * Is DNSSEC validation required for this name?
4955 if (fctx->res->view->enablevalidation) {
4956 result = dns_view_issecuredomain(res->view, name,
4958 if (result != ISC_R_SUCCESS)
4961 if (!secure_domain && res->view->dlv != NULL) {
4962 valoptions = DNS_VALIDATOR_DLV;
4963 secure_domain = ISC_TRUE;
4967 if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
4968 need_validation = ISC_FALSE;
4970 need_validation = secure_domain;
4972 if (secure_domain) {
4974 * Mark all rdatasets as pending.
4976 dns_rdataset_t *trdataset;
4979 result = dns_message_firstname(fctx->rmessage,
4980 DNS_SECTION_AUTHORITY);
4981 while (result == ISC_R_SUCCESS) {
4983 dns_message_currentname(fctx->rmessage,
4984 DNS_SECTION_AUTHORITY,
4986 for (trdataset = ISC_LIST_HEAD(tname->list);
4988 trdataset = ISC_LIST_NEXT(trdataset, link))
4989 trdataset->trust = dns_trust_pending_answer;
4990 result = dns_message_nextname(fctx->rmessage,
4991 DNS_SECTION_AUTHORITY);
4993 if (result != ISC_R_NOMORE)
4998 if (need_validation) {
5000 * Do negative response validation.
5002 result = valcreate(fctx, addrinfo, name, fctx->type,
5003 NULL, NULL, valoptions,
5004 res->buckets[fctx->bucketnum].task);
5006 * If validation is necessary, return now. Otherwise continue
5007 * to process the message, letting the validation complete
5008 * in its own good time.
5013 LOCK(&res->buckets[fctx->bucketnum].lock);
5019 if (!HAVE_ANSWER(fctx)) {
5020 event = ISC_LIST_HEAD(fctx->events);
5021 if (event != NULL) {
5023 aname = dns_fixedname_name(&event->foundname);
5024 result = dns_name_copy(name, aname, NULL);
5025 if (result != ISC_R_SUCCESS)
5027 anodep = &event->node;
5028 ardataset = event->rdataset;
5033 result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
5034 if (result != ISC_R_SUCCESS)
5038 * If we are asking for a SOA record set the cache time
5039 * to zero to facilitate locating the containing zone of
5042 ttl = fctx->res->view->maxncachettl;
5043 if (fctx->type == dns_rdatatype_soa &&
5044 covers == dns_rdatatype_any &&
5045 fctx->res->zero_no_soa_ttl)
5048 result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
5049 covers, now, ttl, ISC_FALSE,
5050 ardataset, &eresult);
5051 if (result != ISC_R_SUCCESS)
5054 if (!HAVE_ANSWER(fctx)) {
5055 fctx->attributes |= FCTX_ATTR_HAVEANSWER;
5056 if (event != NULL) {
5057 event->result = eresult;
5058 dns_db_attach(fctx->cache, adbp);
5059 dns_db_transfernode(fctx->cache, &node, anodep);
5060 clone_results(fctx);
5065 UNLOCK(&res->buckets[fctx->bucketnum].lock);
5068 dns_db_detachnode(fctx->cache, &node);
5074 mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
5075 isc_boolean_t external, isc_boolean_t gluing)
5077 name->attributes |= DNS_NAMEATTR_CACHE;
5079 rdataset->trust = dns_trust_glue;
5081 * Glue with 0 TTL causes problems. We force the TTL to
5082 * 1 second to prevent this.
5084 if (rdataset->ttl == 0)
5087 rdataset->trust = dns_trust_additional;
5089 * Avoid infinite loops by only marking new rdatasets.
5091 if (!CACHE(rdataset)) {
5092 name->attributes |= DNS_NAMEATTR_CHASE;
5093 rdataset->attributes |= DNS_RDATASETATTR_CHASE;
5095 rdataset->attributes |= DNS_RDATASETATTR_CACHE;
5097 rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
5101 check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
5102 dns_section_t section)
5104 fetchctx_t *fctx = arg;
5105 isc_result_t result;
5107 dns_rdataset_t *rdataset;
5108 isc_boolean_t external;
5109 dns_rdatatype_t rtype;
5110 isc_boolean_t gluing;
5112 REQUIRE(VALID_FCTX(fctx));
5114 #if CHECK_FOR_GLUE_IN_ANSWER
5115 if (section == DNS_SECTION_ANSWER && type != dns_rdatatype_a)
5116 return (ISC_R_SUCCESS);
5125 result = dns_message_findname(fctx->rmessage, section, addname,
5126 dns_rdatatype_any, 0, &name, NULL);
5127 if (result == ISC_R_SUCCESS) {
5128 external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
5129 if (type == dns_rdatatype_a) {
5130 for (rdataset = ISC_LIST_HEAD(name->list);
5132 rdataset = ISC_LIST_NEXT(rdataset, link)) {
5133 if (rdataset->type == dns_rdatatype_rrsig)
5134 rtype = rdataset->covers;
5136 rtype = rdataset->type;
5137 if (rtype == dns_rdatatype_a ||
5138 rtype == dns_rdatatype_aaaa)
5139 mark_related(name, rdataset, external,
5143 result = dns_message_findtype(name, type, 0,
5145 if (result == ISC_R_SUCCESS) {
5146 mark_related(name, rdataset, external, gluing);
5148 * Do we have its SIG too?
5151 result = dns_message_findtype(name,
5152 dns_rdatatype_rrsig,
5154 if (result == ISC_R_SUCCESS)
5155 mark_related(name, rdataset, external,
5161 return (ISC_R_SUCCESS);
5165 check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
5166 return (check_section(arg, addname, type, DNS_SECTION_ADDITIONAL));
5169 #ifndef CHECK_FOR_GLUE_IN_ANSWER
5170 #define CHECK_FOR_GLUE_IN_ANSWER 0
5172 #if CHECK_FOR_GLUE_IN_ANSWER
5174 check_answer(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
5175 return (check_section(arg, addname, type, DNS_SECTION_ANSWER));
5180 chase_additional(fetchctx_t *fctx) {
5181 isc_boolean_t rescan;
5182 dns_section_t section = DNS_SECTION_ADDITIONAL;
5183 isc_result_t result;
5188 for (result = dns_message_firstname(fctx->rmessage, section);
5189 result == ISC_R_SUCCESS;
5190 result = dns_message_nextname(fctx->rmessage, section)) {
5191 dns_name_t *name = NULL;
5192 dns_rdataset_t *rdataset;
5193 dns_message_currentname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
5195 if ((name->attributes & DNS_NAMEATTR_CHASE) == 0)
5197 name->attributes &= ~DNS_NAMEATTR_CHASE;
5198 for (rdataset = ISC_LIST_HEAD(name->list);
5200 rdataset = ISC_LIST_NEXT(rdataset, link)) {
5201 if (CHASE(rdataset)) {
5202 rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
5203 (void)dns_rdataset_additionaldata(rdataset,
5214 static inline isc_result_t
5215 cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
5216 isc_result_t result;
5217 dns_rdata_t rdata = DNS_RDATA_INIT;
5218 dns_rdata_cname_t cname;
5220 result = dns_rdataset_first(rdataset);
5221 if (result != ISC_R_SUCCESS)
5223 dns_rdataset_current(rdataset, &rdata);
5224 result = dns_rdata_tostruct(&rdata, &cname, NULL);
5225 if (result != ISC_R_SUCCESS)
5227 dns_name_init(tname, NULL);
5228 dns_name_clone(&cname.cname, tname);
5229 dns_rdata_freestruct(&cname);
5231 return (ISC_R_SUCCESS);
5234 static inline isc_result_t
5235 dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
5236 dns_name_t *oname, dns_fixedname_t *fixeddname)
5238 isc_result_t result;
5239 dns_rdata_t rdata = DNS_RDATA_INIT;
5240 unsigned int nlabels;
5242 dns_namereln_t namereln;
5243 dns_rdata_dname_t dname;
5244 dns_fixedname_t prefix;
5247 * Get the target name of the DNAME.
5249 result = dns_rdataset_first(rdataset);
5250 if (result != ISC_R_SUCCESS)
5252 dns_rdataset_current(rdataset, &rdata);
5253 result = dns_rdata_tostruct(&rdata, &dname, NULL);
5254 if (result != ISC_R_SUCCESS)
5258 * Get the prefix of qname.
5260 namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
5261 if (namereln != dns_namereln_subdomain) {
5262 char qbuf[DNS_NAME_FORMATSIZE];
5263 char obuf[DNS_NAME_FORMATSIZE];
5265 dns_rdata_freestruct(&dname);
5266 dns_name_format(qname, qbuf, sizeof(qbuf));
5267 dns_name_format(oname, obuf, sizeof(obuf));
5268 log_formerr(fctx, "unrelated DNAME in answer: "
5269 "%s is not in %s", qbuf, obuf);
5270 return (DNS_R_FORMERR);
5272 dns_fixedname_init(&prefix);
5273 dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
5274 dns_fixedname_init(fixeddname);
5275 result = dns_name_concatenate(dns_fixedname_name(&prefix),
5277 dns_fixedname_name(fixeddname), NULL);
5278 dns_rdata_freestruct(&dname);
5282 static isc_boolean_t
5283 is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
5284 dns_rdataset_t *rdataset)
5286 isc_result_t result;
5287 dns_rdata_t rdata = DNS_RDATA_INIT;
5289 struct in6_addr in6a;
5290 isc_netaddr_t netaddr;
5291 char addrbuf[ISC_NETADDR_FORMATSIZE];
5292 char namebuf[DNS_NAME_FORMATSIZE];
5297 /* By default, we allow any addresses. */
5298 if (view->denyansweracl == NULL)
5302 * If the owner name matches one in the exclusion list, either exactly
5303 * or partially, allow it.
5305 if (view->answeracl_exclude != NULL) {
5306 dns_rbtnode_t *node = NULL;
5308 result = dns_rbt_findnode(view->answeracl_exclude, name, NULL,
5309 &node, NULL, 0, NULL, NULL);
5311 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
5316 * Otherwise, search the filter list for a match for each address
5317 * record. If a match is found, the address should be filtered,
5318 * so should the entire answer.
5320 for (result = dns_rdataset_first(rdataset);
5321 result == ISC_R_SUCCESS;
5322 result = dns_rdataset_next(rdataset)) {
5323 dns_rdata_reset(&rdata);
5324 dns_rdataset_current(rdataset, &rdata);
5325 if (rdataset->type == dns_rdatatype_a) {
5326 INSIST(rdata.length == sizeof(ina.s_addr));
5327 memcpy(&ina.s_addr, rdata.data, sizeof(ina.s_addr));
5328 isc_netaddr_fromin(&netaddr, &ina);
5330 INSIST(rdata.length == sizeof(in6a.s6_addr));
5331 memcpy(in6a.s6_addr, rdata.data, sizeof(in6a.s6_addr));
5332 isc_netaddr_fromin6(&netaddr, &in6a);
5335 result = dns_acl_match(&netaddr, NULL, view->denyansweracl,
5336 &view->aclenv, &match, NULL);
5338 if (result == ISC_R_SUCCESS && match > 0) {
5339 isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
5340 dns_name_format(name, namebuf, sizeof(namebuf));
5341 dns_rdatatype_format(rdataset->type, typebuf,
5343 dns_rdataclass_format(rdataset->rdclass, classbuf,
5345 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
5346 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
5347 "answer address %s denied for %s/%s/%s",
5348 addrbuf, namebuf, typebuf, classbuf);
5356 static isc_boolean_t
5357 is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
5358 dns_rdatatype_t type, dns_name_t *tname,
5361 isc_result_t result;
5362 dns_rbtnode_t *node = NULL;
5363 char qnamebuf[DNS_NAME_FORMATSIZE];
5364 char tnamebuf[DNS_NAME_FORMATSIZE];
5368 /* By default, we allow any target name. */
5369 if (view->denyanswernames == NULL)
5373 * If the owner name matches one in the exclusion list, either exactly
5374 * or partially, allow it.
5376 if (view->answernames_exclude != NULL) {
5377 result = dns_rbt_findnode(view->answernames_exclude, name, NULL,
5378 &node, NULL, 0, NULL, NULL);
5379 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
5384 * If the target name is a subdomain of the search domain, allow it.
5386 if (dns_name_issubdomain(tname, domain))
5390 * Otherwise, apply filters.
5392 result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node,
5393 NULL, 0, NULL, NULL);
5394 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
5395 dns_name_format(name, qnamebuf, sizeof(qnamebuf));
5396 dns_name_format(tname, tnamebuf, sizeof(tnamebuf));
5397 dns_rdatatype_format(type, typebuf, sizeof(typebuf));
5398 dns_rdataclass_format(view->rdclass, classbuf,
5400 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
5401 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
5402 "%s target %s denied for %s/%s",
5403 typebuf, tnamebuf, qnamebuf, classbuf);
5411 trim_ns_ttl(fetchctx_t *fctx, dns_name_t *name, dns_rdataset_t *rdataset) {
5412 char ns_namebuf[DNS_NAME_FORMATSIZE];
5413 char namebuf[DNS_NAME_FORMATSIZE];
5414 char tbuf[DNS_RDATATYPE_FORMATSIZE];
5416 if (fctx->ns_ttl_ok && rdataset->ttl > fctx->ns_ttl) {
5417 dns_name_format(name, ns_namebuf, sizeof(ns_namebuf));
5418 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
5419 dns_rdatatype_format(fctx->type, tbuf, sizeof(tbuf));
5421 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
5422 DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(10),
5423 "fctx %p: trimming ttl of %s/NS for %s/%s: "
5424 "%u -> %u", fctx, ns_namebuf, namebuf, tbuf,
5425 rdataset->ttl, fctx->ns_ttl);
5426 rdataset->ttl = fctx->ns_ttl;
5431 * Handle a no-answer response (NXDOMAIN, NXRRSET, or referral).
5432 * If look_in_options has LOOK_FOR_NS_IN_ANSWER then we look in the answer
5433 * section for the NS RRset if the query type is NS; if it has
5434 * LOOK_FOR_GLUE_IN_ANSWER we look for glue incorrectly returned in the answer
5435 * section for A and AAAA queries.
5437 #define LOOK_FOR_NS_IN_ANSWER 0x1
5438 #define LOOK_FOR_GLUE_IN_ANSWER 0x2
5441 noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
5442 unsigned int look_in_options)
5444 isc_result_t result;
5445 dns_message_t *message;
5446 dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name;
5447 dns_rdataset_t *rdataset, *ns_rdataset;
5448 isc_boolean_t aa, negative_response;
5449 dns_rdatatype_t type;
5450 dns_section_t section;
5452 FCTXTRACE("noanswer_response");
5454 if ((look_in_options & LOOK_FOR_NS_IN_ANSWER) != 0) {
5455 INSIST(fctx->type == dns_rdatatype_ns);
5456 section = DNS_SECTION_ANSWER;
5458 section = DNS_SECTION_AUTHORITY;
5460 message = fctx->rmessage;
5465 if (oqname == NULL) {
5467 * We have a normal, non-chained negative response or
5470 if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
5474 qname = &fctx->name;
5477 * We're being invoked by answer_response() after it has
5478 * followed a CNAME/DNAME chain.
5483 * If the current qname is not a subdomain of the query
5484 * domain, there's no point in looking at the authority
5485 * section without doing DNSSEC validation.
5487 * Until we do that validation, we'll just return success
5490 if (!dns_name_issubdomain(qname, &fctx->domain))
5491 return (ISC_R_SUCCESS);
5495 * We have to figure out if this is a negative response, or a
5500 * Sometimes we can tell if its a negative response by looking at
5501 * the message header.
5503 negative_response = ISC_FALSE;
5504 if (message->rcode == dns_rcode_nxdomain ||
5505 (message->counts[DNS_SECTION_ANSWER] == 0 &&
5506 message->counts[DNS_SECTION_AUTHORITY] == 0))
5507 negative_response = ISC_TRUE;
5510 * Process the authority section.
5516 result = dns_message_firstname(message, section);
5517 while (result == ISC_R_SUCCESS) {
5519 dns_message_currentname(message, section, &name);
5520 if (dns_name_issubdomain(name, &fctx->domain)) {
5522 * Look for NS/SOA RRsets first.
5524 for (rdataset = ISC_LIST_HEAD(name->list);
5526 rdataset = ISC_LIST_NEXT(rdataset, link)) {
5527 type = rdataset->type;
5528 if (type == dns_rdatatype_rrsig)
5529 type = rdataset->covers;
5530 if (((type == dns_rdatatype_ns ||
5531 type == dns_rdatatype_soa) &&
5532 !dns_name_issubdomain(qname, name))) {
5533 char qbuf[DNS_NAME_FORMATSIZE];
5534 char nbuf[DNS_NAME_FORMATSIZE];
5535 char tbuf[DNS_RDATATYPE_FORMATSIZE];
5536 dns_rdatatype_format(type, tbuf,
5538 dns_name_format(name, nbuf,
5540 dns_name_format(qname, qbuf,
5543 "unrelated %s %s in "
5544 "%s authority section",
5546 return (DNS_R_FORMERR);
5548 if (type == dns_rdatatype_ns) {
5552 * Only one set of NS RRs is allowed.
5554 if (rdataset->type ==
5556 if (ns_name != NULL &&
5563 return (DNS_R_FORMERR);
5566 ns_rdataset = rdataset;
5570 rdataset->attributes |=
5571 DNS_RDATASETATTR_CACHE;
5572 rdataset->trust = dns_trust_glue;
5574 if (type == dns_rdatatype_soa) {
5576 * SOA, or RRSIG SOA.
5578 * Only one SOA is allowed.
5580 if (rdataset->type ==
5581 dns_rdatatype_soa) {
5582 if (soa_name != NULL &&
5589 return (DNS_R_FORMERR);
5594 DNS_NAMEATTR_NCACHE;
5595 rdataset->attributes |=
5596 DNS_RDATASETATTR_NCACHE;
5599 dns_trust_authauthority;
5600 else if (ISFORWARDER(fctx->addrinfo))
5605 dns_trust_additional;
5609 result = dns_message_nextname(message, section);
5610 if (result == ISC_R_NOMORE)
5612 else if (result != ISC_R_SUCCESS)
5616 log_ns_ttl(fctx, "noanswer_response");
5618 if (ns_rdataset != NULL && dns_name_equal(&fctx->domain, ns_name) &&
5619 !dns_name_equal(ns_name, dns_rootname))
5620 trim_ns_ttl(fctx, ns_name, ns_rdataset);
5623 * A negative response has a SOA record (Type 2)
5624 * and a optional NS RRset (Type 1) or it has neither
5625 * a SOA or a NS RRset (Type 3, handled above) or
5626 * rcode is NXDOMAIN (handled above) in which case
5627 * the NS RRset is allowed (Type 4).
5629 if (soa_name != NULL)
5630 negative_response = ISC_TRUE;
5632 result = dns_message_firstname(message, section);
5633 while (result == ISC_R_SUCCESS) {
5635 dns_message_currentname(message, section, &name);
5636 if (dns_name_issubdomain(name, &fctx->domain)) {
5637 for (rdataset = ISC_LIST_HEAD(name->list);
5639 rdataset = ISC_LIST_NEXT(rdataset, link)) {
5640 type = rdataset->type;
5641 if (type == dns_rdatatype_rrsig)
5642 type = rdataset->covers;
5643 if (type == dns_rdatatype_nsec ||
5644 type == dns_rdatatype_nsec3) {
5646 * NSEC or RRSIG NSEC.
5648 if (negative_response) {
5650 DNS_NAMEATTR_NCACHE;
5651 rdataset->attributes |=
5652 DNS_RDATASETATTR_NCACHE;
5653 } else if (type == dns_rdatatype_nsec) {
5656 rdataset->attributes |=
5657 DNS_RDATASETATTR_CACHE;
5661 dns_trust_authauthority;
5662 else if (ISFORWARDER(fctx->addrinfo))
5667 dns_trust_additional;
5669 * No additional data needs to be
5672 } else if (type == dns_rdatatype_ds) {
5676 * These should only be here if
5677 * this is a referral, and there
5678 * should only be one DS RRset.
5680 if (ns_name == NULL) {
5684 return (DNS_R_FORMERR);
5686 if (rdataset->type ==
5688 if (ds_name != NULL &&
5695 return (DNS_R_FORMERR);
5701 rdataset->attributes |=
5702 DNS_RDATASETATTR_CACHE;
5705 dns_trust_authauthority;
5706 else if (ISFORWARDER(fctx->addrinfo))
5711 dns_trust_additional;
5715 result = dns_message_nextname(message, section);
5716 if (result == ISC_R_NOMORE)
5718 else if (result != ISC_R_SUCCESS)
5723 * Trigger lookups for DNS nameservers.
5725 if (negative_response && message->rcode == dns_rcode_noerror &&
5726 fctx->type == dns_rdatatype_ds && soa_name != NULL &&
5727 dns_name_equal(soa_name, qname) &&
5728 !dns_name_equal(qname, dns_rootname))
5729 return (DNS_R_CHASEDSSERVERS);
5732 * Did we find anything?
5734 if (!negative_response && ns_name == NULL) {
5738 if (oqname != NULL) {
5740 * We've already got a partial CNAME/DNAME chain,
5741 * and haven't found else anything useful here, but
5742 * no error has occurred since we have an answer.
5744 return (ISC_R_SUCCESS);
5747 * The responder is insane.
5749 log_formerr(fctx, "invalid response");
5750 return (DNS_R_FORMERR);
5755 * If we found both NS and SOA, they should be the same name.
5757 if (ns_name != NULL && soa_name != NULL && ns_name != soa_name) {
5758 log_formerr(fctx, "NS/SOA mismatch");
5759 return (DNS_R_FORMERR);
5763 * Do we have a referral? (We only want to follow a referral if
5764 * we're not following a chain.)
5766 if (!negative_response && ns_name != NULL && oqname == NULL) {
5768 * We already know ns_name is a subdomain of fctx->domain.
5769 * If ns_name is equal to fctx->domain, we're not making
5770 * progress. We return DNS_R_FORMERR so that we'll keep
5771 * trying other servers.
5773 if (dns_name_equal(ns_name, &fctx->domain)) {
5774 log_formerr(fctx, "non-improving referral");
5775 return (DNS_R_FORMERR);
5779 * If the referral name is not a parent of the query
5780 * name, consider the responder insane.
5782 if (! dns_name_issubdomain(&fctx->name, ns_name)) {
5784 log_formerr(fctx, "referral to non-parent");
5785 FCTXTRACE("referral to non-parent");
5786 return (DNS_R_FORMERR);
5790 * Mark any additional data related to this rdataset.
5791 * It's important that we do this before we change the
5794 INSIST(ns_rdataset != NULL);
5795 fctx->attributes |= FCTX_ATTR_GLUING;
5796 (void)dns_rdataset_additionaldata(ns_rdataset, check_related,
5798 #if CHECK_FOR_GLUE_IN_ANSWER
5800 * Look in the answer section for "glue" that is incorrectly
5801 * returned as a answer. This is needed if the server also
5802 * minimizes the response size by not adding records to the
5803 * additional section that are in the answer section or if
5804 * the record gets dropped due to message size constraints.
5806 if ((look_in_options & LOOK_FOR_GLUE_IN_ANSWER) != 0 &&
5807 (fctx->type == dns_rdatatype_aaaa ||
5808 fctx->type == dns_rdatatype_a))
5809 (void)dns_rdataset_additionaldata(ns_rdataset,
5810 check_answer, fctx);
5812 fctx->attributes &= ~FCTX_ATTR_GLUING;
5814 * NS rdatasets with 0 TTL cause problems.
5815 * dns_view_findzonecut() will not find them when we
5816 * try to follow the referral, and we'll SERVFAIL
5817 * because the best nameservers are now above QDOMAIN.
5818 * We force the TTL to 1 second to prevent this.
5820 if (ns_rdataset->ttl == 0)
5821 ns_rdataset->ttl = 1;
5823 * Set the current query domain to the referral name.
5825 * XXXRTH We should check if we're in forward-only mode, and
5826 * if so we should bail out.
5828 INSIST(dns_name_countlabels(&fctx->domain) > 0);
5829 dns_name_free(&fctx->domain, fctx->mctx);
5830 if (dns_rdataset_isassociated(&fctx->nameservers))
5831 dns_rdataset_disassociate(&fctx->nameservers);
5832 dns_name_init(&fctx->domain, NULL);
5833 result = dns_name_dup(ns_name, fctx->mctx, &fctx->domain);
5834 if (result != ISC_R_SUCCESS)
5836 fctx->attributes |= FCTX_ATTR_WANTCACHE;
5837 fctx->ns_ttl_ok = ISC_FALSE;
5838 log_ns_ttl(fctx, "DELEGATION");
5839 return (DNS_R_DELEGATION);
5843 * Since we're not doing a referral, we don't want to cache any
5844 * NS RRs we may have found.
5846 if (ns_name != NULL)
5847 ns_name->attributes &= ~DNS_NAMEATTR_CACHE;
5849 if (negative_response && oqname == NULL)
5850 fctx->attributes |= FCTX_ATTR_WANTNCACHE;
5852 return (ISC_R_SUCCESS);
5856 answer_response(fetchctx_t *fctx) {
5857 isc_result_t result;
5858 dns_message_t *message;
5859 dns_name_t *name, *qname, tname, *ns_name;
5860 dns_rdataset_t *rdataset, *ns_rdataset;
5861 isc_boolean_t done, external, chaining, aa, found, want_chaining;
5862 isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
5864 dns_rdatatype_t type;
5865 dns_fixedname_t dname, fqname;
5868 FCTXTRACE("answer_response");
5870 message = fctx->rmessage;
5873 * Examine the answer section, marking those rdatasets which are
5874 * part of the answer and should be cached.
5878 found_cname = ISC_FALSE;
5879 found_type = ISC_FALSE;
5880 chaining = ISC_FALSE;
5881 have_answer = ISC_FALSE;
5882 want_chaining = ISC_FALSE;
5883 POST(want_chaining);
5884 if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
5888 qname = &fctx->name;
5890 view = fctx->res->view;
5891 result = dns_message_firstname(message, DNS_SECTION_ANSWER);
5892 while (!done && result == ISC_R_SUCCESS) {
5894 dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
5895 external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
5896 if (dns_name_equal(name, qname)) {
5897 wanted_chaining = ISC_FALSE;
5898 for (rdataset = ISC_LIST_HEAD(name->list);
5900 rdataset = ISC_LIST_NEXT(rdataset, link)) {
5902 want_chaining = ISC_FALSE;
5904 if (rdataset->type == dns_rdatatype_nsec3) {
5906 * NSEC3 records are not allowed to
5907 * appear in the answer section.
5909 log_formerr(fctx, "NSEC3 in answer");
5910 return (DNS_R_FORMERR);
5914 * Apply filters, if given, on answers to reject
5915 * a malicious attempt of rebinding.
5917 if ((rdataset->type == dns_rdatatype_a ||
5918 rdataset->type == dns_rdatatype_aaaa) &&
5919 !is_answeraddress_allowed(view, name,
5921 return (DNS_R_SERVFAIL);
5924 if (rdataset->type == type && !found_cname) {
5926 * We've found an ordinary answer.
5929 found_type = ISC_TRUE;
5931 aflag = DNS_RDATASETATTR_ANSWER;
5932 } else if (type == dns_rdatatype_any) {
5934 * We've found an answer matching
5935 * an ANY query. There may be
5939 aflag = DNS_RDATASETATTR_ANSWER;
5940 } else if (rdataset->type == dns_rdatatype_rrsig
5941 && rdataset->covers == type
5944 * We've found a signature that
5945 * covers the type we're looking for.
5948 found_type = ISC_TRUE;
5949 aflag = DNS_RDATASETATTR_ANSWERSIG;
5950 } else if (rdataset->type ==
5954 * We're looking for something else,
5955 * but we found a CNAME.
5957 * Getting a CNAME response for some
5958 * query types is an error.
5960 if (type == dns_rdatatype_rrsig ||
5961 type == dns_rdatatype_dnskey ||
5962 type == dns_rdatatype_nsec ||
5963 type == dns_rdatatype_nsec3) {
5964 char buf[DNS_RDATATYPE_FORMATSIZE];
5965 dns_rdatatype_format(fctx->type,
5970 return (DNS_R_FORMERR);
5973 found_cname = ISC_TRUE;
5974 want_chaining = ISC_TRUE;
5975 aflag = DNS_RDATASETATTR_ANSWER;
5976 result = cname_target(rdataset,
5978 if (result != ISC_R_SUCCESS)
5980 /* Apply filters on the target name. */
5981 if (!is_answertarget_allowed(view,
5986 return (DNS_R_SERVFAIL);
5988 } else if (rdataset->type == dns_rdatatype_rrsig
5989 && rdataset->covers ==
5993 * We're looking for something else,
5994 * but we found a SIG CNAME.
5997 found_cname = ISC_TRUE;
5998 aflag = DNS_RDATASETATTR_ANSWERSIG;
6003 * We've found an answer to our
6008 rdataset->attributes |=
6009 DNS_RDATASETATTR_CACHE;
6010 rdataset->trust = dns_trust_answer;
6013 * This data is "the" answer
6014 * to our question only if
6015 * we're not chaining (i.e.
6016 * if we haven't followed
6017 * a CNAME or DNAME).
6021 DNS_RDATASETATTR_ANSWER)
6022 have_answer = ISC_TRUE;
6024 DNS_NAMEATTR_ANSWER;
6025 rdataset->attributes |= aflag;
6028 dns_trust_authanswer;
6029 } else if (external) {
6031 * This data is outside of
6032 * our query domain, and
6033 * may not be cached.
6035 rdataset->attributes |=
6036 DNS_RDATASETATTR_EXTERNAL;
6040 * Mark any additional data related
6043 (void)dns_rdataset_additionaldata(
6051 if (want_chaining) {
6052 wanted_chaining = ISC_TRUE;
6054 DNS_NAMEATTR_CHAINING;
6055 rdataset->attributes |=
6056 DNS_RDATASETATTR_CHAINING;
6061 * We could add an "else" clause here and
6062 * log that we're ignoring this rdataset.
6066 * If wanted_chaining is true, we've done
6067 * some chaining as the result of processing
6068 * this node, and thus we need to set
6071 * We don't set chaining inside of the
6072 * rdataset loop because doing that would
6073 * cause us to ignore the signatures of
6076 if (wanted_chaining)
6077 chaining = ISC_TRUE;
6080 * Look for a DNAME (or its SIG). Anything else is
6083 wanted_chaining = ISC_FALSE;
6084 for (rdataset = ISC_LIST_HEAD(name->list);
6086 rdataset = ISC_LIST_NEXT(rdataset, link)) {
6087 isc_boolean_t found_dname = ISC_FALSE;
6088 dns_name_t *dname_name;
6092 if (rdataset->type == dns_rdatatype_dname) {
6094 * We're looking for something else,
6095 * but we found a DNAME.
6097 * If we're not chaining, then the
6098 * DNAME should not be external.
6100 if (!chaining && external) {
6103 return (DNS_R_FORMERR);
6106 want_chaining = ISC_TRUE;
6107 POST(want_chaining);
6108 aflag = DNS_RDATASETATTR_ANSWER;
6109 result = dname_target(fctx, rdataset,
6112 if (result == ISC_R_NOSPACE) {
6114 * We can't construct the
6115 * DNAME target. Do not
6118 want_chaining = ISC_FALSE;
6119 POST(want_chaining);
6120 } else if (result != ISC_R_SUCCESS)
6123 found_dname = ISC_TRUE;
6125 dname_name = dns_fixedname_name(&dname);
6126 if (!is_answertarget_allowed(view,
6131 return (DNS_R_SERVFAIL);
6133 } else if (rdataset->type == dns_rdatatype_rrsig
6134 && rdataset->covers ==
6135 dns_rdatatype_dname) {
6137 * We've found a signature that
6141 aflag = DNS_RDATASETATTR_ANSWERSIG;
6146 * We've found an answer to our
6151 rdataset->attributes |=
6152 DNS_RDATASETATTR_CACHE;
6153 rdataset->trust = dns_trust_answer;
6156 * This data is "the" answer
6157 * to our question only if
6158 * we're not chaining.
6162 DNS_RDATASETATTR_ANSWER)
6163 have_answer = ISC_TRUE;
6165 DNS_NAMEATTR_ANSWER;
6166 rdataset->attributes |= aflag;
6169 dns_trust_authanswer;
6170 } else if (external) {
6171 rdataset->attributes |=
6172 DNS_RDATASETATTR_EXTERNAL;
6180 * Copy the dname into the
6183 * Although we check for
6184 * failure of the copy
6185 * operation, in practice it
6186 * should never fail since
6187 * we already know that the
6188 * result fits in a fixedname.
6190 dns_fixedname_init(&fqname);
6191 result = dns_name_copy(
6192 dns_fixedname_name(&dname),
6193 dns_fixedname_name(&fqname),
6195 if (result != ISC_R_SUCCESS)
6197 wanted_chaining = ISC_TRUE;
6199 DNS_NAMEATTR_CHAINING;
6200 rdataset->attributes |=
6201 DNS_RDATASETATTR_CHAINING;
6202 qname = dns_fixedname_name(
6207 if (wanted_chaining)
6208 chaining = ISC_TRUE;
6210 result = dns_message_nextname(message, DNS_SECTION_ANSWER);
6212 if (result == ISC_R_NOMORE)
6213 result = ISC_R_SUCCESS;
6214 if (result != ISC_R_SUCCESS)
6218 * We should have found an answer.
6221 log_formerr(fctx, "reply has no answer");
6222 return (DNS_R_FORMERR);
6226 * This response is now potentially cacheable.
6228 fctx->attributes |= FCTX_ATTR_WANTCACHE;
6231 * Did chaining end before we got the final answer?
6235 * Yes. This may be a negative reply, so hand off
6236 * authority section processing to the noanswer code.
6237 * If it isn't a noanswer response, no harm will be
6240 return (noanswer_response(fctx, qname, 0));
6244 * We didn't end with an incomplete chain, so the rcode should be
6247 if (message->rcode != dns_rcode_noerror) {
6248 log_formerr(fctx, "CNAME/DNAME chain complete, but RCODE "
6250 return (DNS_R_FORMERR);
6254 * Examine the authority section (if there is one).
6256 * We expect there to be only one owner name for all the rdatasets
6257 * in this section, and we expect that it is not external.
6262 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
6263 while (!done && result == ISC_R_SUCCESS) {
6265 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
6266 external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
6269 * We expect to find NS or SIG NS rdatasets, and
6272 for (rdataset = ISC_LIST_HEAD(name->list);
6274 rdataset = ISC_LIST_NEXT(rdataset, link)) {
6275 if (rdataset->type == dns_rdatatype_ns ||
6276 (rdataset->type == dns_rdatatype_rrsig &&
6277 rdataset->covers == dns_rdatatype_ns)) {
6280 rdataset->attributes |=
6281 DNS_RDATASETATTR_CACHE;
6282 if (aa && !chaining)
6284 dns_trust_authauthority;
6287 dns_trust_additional;
6289 if (rdataset->type == dns_rdatatype_ns) {
6291 ns_rdataset = rdataset;
6294 * Mark any additional data related
6297 (void)dns_rdataset_additionaldata(
6305 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
6307 if (result == ISC_R_NOMORE)
6308 result = ISC_R_SUCCESS;
6310 log_ns_ttl(fctx, "answer_response");
6312 if (ns_rdataset != NULL && dns_name_equal(&fctx->domain, ns_name) &&
6313 !dns_name_equal(ns_name, dns_rootname))
6314 trim_ns_ttl(fctx, ns_name, ns_rdataset);
6319 static isc_boolean_t
6320 fctx_decreference(fetchctx_t *fctx) {
6321 isc_boolean_t bucket_empty = ISC_FALSE;
6323 INSIST(fctx->references > 0);
6325 if (fctx->references == 0) {
6327 * No one cares about the result of this fetch anymore.
6329 if (fctx->pending == 0 && fctx->nqueries == 0 &&
6330 ISC_LIST_EMPTY(fctx->validators) && SHUTTINGDOWN(fctx)) {
6332 * This fctx is already shutdown; we were just
6333 * waiting for the last reference to go away.
6335 bucket_empty = fctx_unlink(fctx);
6339 * Initiate shutdown.
6341 fctx_shutdown(fctx);
6344 return (bucket_empty);
6348 resume_dslookup(isc_task_t *task, isc_event_t *event) {
6349 dns_fetchevent_t *fevent;
6350 dns_resolver_t *res;
6352 isc_result_t result;
6353 isc_boolean_t bucket_empty;
6354 isc_boolean_t locked = ISC_FALSE;
6355 unsigned int bucketnum;
6356 dns_rdataset_t nameservers;
6357 dns_fixedname_t fixed;
6360 REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
6361 fevent = (dns_fetchevent_t *)event;
6362 fctx = event->ev_arg;
6363 REQUIRE(VALID_FCTX(fctx));
6367 FCTXTRACE("resume_dslookup");
6369 if (fevent->node != NULL)
6370 dns_db_detachnode(fevent->db, &fevent->node);
6371 if (fevent->db != NULL)
6372 dns_db_detach(&fevent->db);
6374 dns_rdataset_init(&nameservers);
6376 bucketnum = fctx->bucketnum;
6377 if (fevent->result == ISC_R_CANCELED) {
6378 dns_resolver_destroyfetch(&fctx->nsfetch);
6379 fctx_done(fctx, ISC_R_CANCELED, __LINE__);
6380 } else if (fevent->result == ISC_R_SUCCESS) {
6382 FCTXTRACE("resuming DS lookup");
6384 dns_resolver_destroyfetch(&fctx->nsfetch);
6385 if (dns_rdataset_isassociated(&fctx->nameservers))
6386 dns_rdataset_disassociate(&fctx->nameservers);
6387 dns_rdataset_clone(fevent->rdataset, &fctx->nameservers);
6388 fctx->ns_ttl = fctx->nameservers.ttl;
6389 fctx->ns_ttl_ok = ISC_TRUE;
6390 log_ns_ttl(fctx, "resume_dslookup");
6391 dns_name_free(&fctx->domain, fctx->mctx);
6392 dns_name_init(&fctx->domain, NULL);
6393 result = dns_name_dup(&fctx->nsname, fctx->mctx, &fctx->domain);
6394 if (result != ISC_R_SUCCESS) {
6395 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
6401 fctx_try(fctx, ISC_TRUE, ISC_FALSE);
6404 dns_rdataset_t *nsrdataset = NULL;
6407 * Retrieve state from fctx->nsfetch before we destroy it.
6409 dns_fixedname_init(&fixed);
6410 domain = dns_fixedname_name(&fixed);
6411 dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL);
6412 if (dns_name_equal(&fctx->nsname, domain)) {
6413 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
6414 dns_resolver_destroyfetch(&fctx->nsfetch);
6417 if (dns_rdataset_isassociated(
6418 &fctx->nsfetch->private->nameservers)) {
6420 &fctx->nsfetch->private->nameservers,
6422 nsrdataset = &nameservers;
6425 dns_resolver_destroyfetch(&fctx->nsfetch);
6426 n = dns_name_countlabels(&fctx->nsname);
6427 dns_name_getlabelsequence(&fctx->nsname, 1, n - 1,
6430 if (dns_rdataset_isassociated(fevent->rdataset))
6431 dns_rdataset_disassociate(fevent->rdataset);
6432 FCTXTRACE("continuing to look for parent's NS records");
6433 result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
6434 dns_rdatatype_ns, domain,
6435 nsrdataset, NULL, 0, task,
6436 resume_dslookup, fctx,
6437 &fctx->nsrrset, NULL,
6439 if (result != ISC_R_SUCCESS)
6440 fctx_done(fctx, result, __LINE__);
6442 LOCK(&res->buckets[bucketnum].lock);
6449 if (dns_rdataset_isassociated(&nameservers))
6450 dns_rdataset_disassociate(&nameservers);
6451 if (dns_rdataset_isassociated(fevent->rdataset))
6452 dns_rdataset_disassociate(fevent->rdataset);
6453 INSIST(fevent->sigrdataset == NULL);
6454 isc_event_free(&event);
6456 LOCK(&res->buckets[bucketnum].lock);
6457 bucket_empty = fctx_decreference(fctx);
6458 UNLOCK(&res->buckets[bucketnum].lock);
6464 checknamessection(dns_message_t *message, dns_section_t section) {
6465 isc_result_t result;
6467 dns_rdata_t rdata = DNS_RDATA_INIT;
6468 dns_rdataset_t *rdataset;
6470 for (result = dns_message_firstname(message, section);
6471 result == ISC_R_SUCCESS;
6472 result = dns_message_nextname(message, section))
6475 dns_message_currentname(message, section, &name);
6476 for (rdataset = ISC_LIST_HEAD(name->list);
6478 rdataset = ISC_LIST_NEXT(rdataset, link)) {
6479 for (result = dns_rdataset_first(rdataset);
6480 result == ISC_R_SUCCESS;
6481 result = dns_rdataset_next(rdataset)) {
6482 dns_rdataset_current(rdataset, &rdata);
6483 if (!dns_rdata_checkowner(name, rdata.rdclass,
6486 !dns_rdata_checknames(&rdata, name, NULL))
6488 rdataset->attributes |=
6489 DNS_RDATASETATTR_CHECKNAMES;
6491 dns_rdata_reset(&rdata);
6498 checknames(dns_message_t *message) {
6500 checknamessection(message, DNS_SECTION_ANSWER);
6501 checknamessection(message, DNS_SECTION_AUTHORITY);
6502 checknamessection(message, DNS_SECTION_ADDITIONAL);
6506 * Log server NSID at log level 'level'
6509 log_nsid(dns_rdataset_t *opt, resquery_t *query, int level, isc_mem_t *mctx)
6511 static const char hex[17] = "0123456789abcdef";
6512 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
6513 isc_uint16_t optcode, nsid_len, buflen, i;
6514 isc_result_t result;
6515 isc_buffer_t nsidbuf;
6517 unsigned char *p, *buf, *nsid;
6519 /* Extract rdata from OPT rdataset */
6520 result = dns_rdataset_first(opt);
6521 if (result != ISC_R_SUCCESS)
6522 return (ISC_R_FAILURE);
6524 dns_rdata_init(&rdata);
6525 dns_rdataset_current(opt, &rdata);
6526 if (rdata.length < 4)
6527 return (ISC_R_FAILURE);
6529 /* Check for NSID */
6530 isc_buffer_init(&nsidbuf, rdata.data, rdata.length);
6531 isc_buffer_add(&nsidbuf, rdata.length);
6532 optcode = isc_buffer_getuint16(&nsidbuf);
6533 nsid_len = isc_buffer_getuint16(&nsidbuf);
6534 if (optcode != DNS_OPT_NSID || nsid_len == 0)
6535 return (ISC_R_FAILURE);
6537 /* Allocate buffer for storing hex version of the NSID */
6538 buflen = nsid_len * 2 + 1;
6539 buf = isc_mem_get(mctx, buflen);
6541 return (ISC_R_NOSPACE);
6543 /* Convert to hex */
6545 nsid = rdata.data + 4;
6546 for (i = 0; i < nsid_len; i++) {
6547 *p++ = hex[(nsid[0] >> 4) & 0xf];
6548 *p++ = hex[nsid[0] & 0xf];
6553 isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
6555 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
6556 DNS_LOGMODULE_RESOLVER, level,
6557 "received NSID '%s' from %s", buf, addrbuf);
6560 isc_mem_put(mctx, buf, buflen);
6561 return (ISC_R_SUCCESS);
6565 log_packet(dns_message_t *message, int level, isc_mem_t *mctx) {
6566 isc_buffer_t buffer;
6569 isc_result_t result;
6571 if (! isc_log_wouldlog(dns_lctx, level))
6575 * Note that these are multiline debug messages. We want a newline
6576 * to appear in the log after each message.
6580 buf = isc_mem_get(mctx, len);
6583 isc_buffer_init(&buffer, buf, len);
6584 result = dns_message_totext(message, &dns_master_style_debug,
6586 if (result == ISC_R_NOSPACE) {
6587 isc_mem_put(mctx, buf, len);
6589 } else if (result == ISC_R_SUCCESS)
6590 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
6591 DNS_LOGMODULE_RESOLVER, level,
6592 "received packet:\n%.*s",
6593 (int)isc_buffer_usedlength(&buffer),
6595 } while (result == ISC_R_NOSPACE);
6598 isc_mem_put(mctx, buf, len);
6601 static isc_boolean_t
6602 iscname(fetchctx_t *fctx) {
6603 isc_result_t result;
6605 result = dns_message_findname(fctx->rmessage, DNS_SECTION_ANSWER,
6606 &fctx->name, dns_rdatatype_cname, 0,
6608 return (result == ISC_R_SUCCESS ? ISC_TRUE : ISC_FALSE);
6611 static isc_boolean_t
6612 betterreferral(fetchctx_t *fctx) {
6613 isc_result_t result;
6615 dns_rdataset_t *rdataset;
6616 dns_message_t *message = fctx->rmessage;
6618 for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
6619 result == ISC_R_SUCCESS;
6620 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) {
6622 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
6623 if (!isstrictsubdomain(name, &fctx->domain))
6625 for (rdataset = ISC_LIST_HEAD(name->list);
6627 rdataset = ISC_LIST_NEXT(rdataset, link))
6628 if (rdataset->type == dns_rdatatype_ns)
6635 resquery_response(isc_task_t *task, isc_event_t *event) {
6636 isc_result_t result = ISC_R_SUCCESS;
6637 resquery_t *query = event->ev_arg;
6638 dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
6639 isc_boolean_t keep_trying, get_nameservers, resend;
6640 isc_boolean_t truncated;
6641 dns_message_t *message;
6642 dns_rdataset_t *opt;
6645 dns_fixedname_t foundname;
6647 isc_time_t tnow, *finish;
6648 dns_adbaddrinfo_t *addrinfo;
6649 unsigned int options;
6650 unsigned int findoptions;
6651 isc_result_t broken_server;
6652 badnstype_t broken_type = badns_response;
6653 isc_boolean_t no_response;
6655 REQUIRE(VALID_QUERY(query));
6657 options = query->options;
6658 REQUIRE(VALID_FCTX(fctx));
6659 REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
6663 if (isc_sockaddr_pf(&query->addrinfo->sockaddr) == PF_INET)
6664 inc_stats(fctx->res, dns_resstatscounter_responsev4);
6666 inc_stats(fctx->res, dns_resstatscounter_responsev6);
6668 (void)isc_timer_touch(fctx->timer);
6670 keep_trying = ISC_FALSE;
6671 broken_server = ISC_R_SUCCESS;
6672 get_nameservers = ISC_FALSE;
6674 truncated = ISC_FALSE;
6676 no_response = ISC_FALSE;
6678 if (fctx->res->exiting) {
6679 result = ISC_R_SHUTTINGDOWN;
6684 fctx->timeout = ISC_FALSE;
6685 fctx->addrinfo = query->addrinfo;
6688 * XXXRTH We should really get the current time just once. We
6689 * need a routine to convert from an isc_time_t to an
6694 isc_stdtime_get(&now);
6697 * Did the dispatcher have a problem?
6699 if (devent->result != ISC_R_SUCCESS) {
6700 if (devent->result == ISC_R_EOF &&
6701 (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
6703 * The problem might be that they
6704 * don't understand EDNS0. Turn it
6705 * off and try again.
6707 options |= DNS_FETCHOPT_NOEDNS0;
6710 * Remember that they don't like EDNS0.
6712 dns_adb_changeflags(fctx->adb,
6714 DNS_FETCHOPT_NOEDNS0,
6715 DNS_FETCHOPT_NOEDNS0);
6718 * There's no hope for this query.
6720 keep_trying = ISC_TRUE;
6723 * If this is a network error on an exclusive query
6724 * socket, mark the server as bad so that we won't try
6725 * it for this fetch again. Also adjust finish and
6726 * no_response so that we penalize this address in SRTT
6729 if (query->exclusivesocket &&
6730 (devent->result == ISC_R_HOSTUNREACH ||
6731 devent->result == ISC_R_NETUNREACH ||
6732 devent->result == ISC_R_CONNREFUSED ||
6733 devent->result == ISC_R_CANCELED)) {
6734 broken_server = devent->result;
6735 broken_type = badns_unreachable;
6737 no_response = ISC_TRUE;
6743 message = fctx->rmessage;
6745 if (query->tsig != NULL) {
6746 result = dns_message_setquerytsig(message, query->tsig);
6747 if (result != ISC_R_SUCCESS)
6751 if (query->tsigkey) {
6752 result = dns_message_settsigkey(message, query->tsigkey);
6753 if (result != ISC_R_SUCCESS)
6757 result = dns_message_parse(message, &devent->buffer, 0);
6758 if (result != ISC_R_SUCCESS) {
6760 case ISC_R_UNEXPECTEDEND:
6761 if (!message->question_ok ||
6762 (message->flags & DNS_MESSAGEFLAG_TC) == 0 ||
6763 (options & DNS_FETCHOPT_TCP) != 0) {
6765 * Either the message ended prematurely,
6766 * and/or wasn't marked as being truncated,
6767 * and/or this is a response to a query we
6768 * sent over TCP. In all of these cases,
6769 * something is wrong with the remote
6770 * server and we don't want to retry using
6773 if ((query->options & DNS_FETCHOPT_NOEDNS0)
6776 * The problem might be that they
6777 * don't understand EDNS0. Turn it
6778 * off and try again.
6780 options |= DNS_FETCHOPT_NOEDNS0;
6783 * Remember that they don't like EDNS0.
6785 dns_adb_changeflags(
6788 DNS_FETCHOPT_NOEDNS0,
6789 DNS_FETCHOPT_NOEDNS0);
6790 inc_stats(fctx->res,
6791 dns_resstatscounter_edns0fail);
6793 broken_server = result;
6794 keep_trying = ISC_TRUE;
6799 * We defer retrying via TCP for a bit so we can
6800 * check out this message further.
6802 truncated = ISC_TRUE;
6805 if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
6807 * The problem might be that they
6808 * don't understand EDNS0. Turn it
6809 * off and try again.
6811 options |= DNS_FETCHOPT_NOEDNS0;
6814 * Remember that they don't like EDNS0.
6816 dns_adb_changeflags(fctx->adb,
6818 DNS_FETCHOPT_NOEDNS0,
6819 DNS_FETCHOPT_NOEDNS0);
6820 inc_stats(fctx->res,
6821 dns_resstatscounter_edns0fail);
6823 broken_server = DNS_R_UNEXPECTEDRCODE;
6824 keep_trying = ISC_TRUE;
6829 * Something bad has happened.
6837 * Log the incoming packet.
6839 log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
6842 * Did we request NSID? If so, and if the response contains
6843 * NSID data, log it at INFO level.
6845 opt = dns_message_getopt(message);
6846 if (opt != NULL && (query->options & DNS_FETCHOPT_WANTNSID) != 0)
6847 log_nsid(opt, query, ISC_LOG_INFO, fctx->res->mctx);
6850 * If the message is signed, check the signature. If not, this
6851 * returns success anyway.
6853 result = dns_message_checksig(message, fctx->res->view);
6854 if (result != ISC_R_SUCCESS)
6858 * The dispatcher should ensure we only get responses with QR set.
6860 INSIST((message->flags & DNS_MESSAGEFLAG_QR) != 0);
6862 * INSIST() that the message comes from the place we sent it to,
6863 * since the dispatch code should ensure this.
6865 * INSIST() that the message id is correct (this should also be
6866 * ensured by the dispatch code).
6870 * We have an affirmative response to the query and we have
6871 * previously got a response from this server which indicated
6872 * EDNS may not be supported so we can now cache the lack of
6876 (message->rcode == dns_rcode_noerror ||
6877 message->rcode == dns_rcode_nxdomain ||
6878 message->rcode == dns_rcode_refused ||
6879 message->rcode == dns_rcode_yxdomain) &&
6880 bad_edns(fctx, &query->addrinfo->sockaddr)) {
6881 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
6882 isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
6884 dns_adb_changeflags(fctx->adb, query->addrinfo,
6885 DNS_FETCHOPT_NOEDNS0,
6886 DNS_FETCHOPT_NOEDNS0);
6890 * Deal with truncated responses by retrying using TCP.
6892 if ((message->flags & DNS_MESSAGEFLAG_TC) != 0)
6893 truncated = ISC_TRUE;
6896 inc_stats(fctx->res, dns_resstatscounter_truncated);
6897 if ((options & DNS_FETCHOPT_TCP) != 0) {
6898 broken_server = DNS_R_TRUNCATEDTCP;
6899 keep_trying = ISC_TRUE;
6901 options |= DNS_FETCHOPT_TCP;
6908 * Is it a query response?
6910 if (message->opcode != dns_opcode_query) {
6912 broken_server = DNS_R_UNEXPECTEDOPCODE;
6913 keep_trying = ISC_TRUE;
6918 * Update statistics about erroneous responses.
6920 if (message->rcode != dns_rcode_noerror) {
6921 switch (message->rcode) {
6922 case dns_rcode_nxdomain:
6923 inc_stats(fctx->res, dns_resstatscounter_nxdomain);
6925 case dns_rcode_servfail:
6926 inc_stats(fctx->res, dns_resstatscounter_servfail);
6928 case dns_rcode_formerr:
6929 inc_stats(fctx->res, dns_resstatscounter_formerr);
6932 inc_stats(fctx->res, dns_resstatscounter_othererror);
6938 * Is the remote server broken, or does it dislike us?
6940 if (message->rcode != dns_rcode_noerror &&
6941 message->rcode != dns_rcode_nxdomain) {
6942 if (((message->rcode == dns_rcode_formerr ||
6943 message->rcode == dns_rcode_notimp) ||
6944 (message->rcode == dns_rcode_servfail &&
6945 dns_message_getopt(message) == NULL)) &&
6946 (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
6948 * It's very likely they don't like EDNS0.
6949 * If the response code is SERVFAIL, also check if the
6950 * response contains an OPT RR and don't cache the
6951 * failure since it can be returned for various other
6954 * XXXRTH We should check if the question
6955 * we're asking requires EDNS0, and
6956 * if so, we should bail out.
6958 options |= DNS_FETCHOPT_NOEDNS0;
6961 * Remember that they may not like EDNS0.
6963 add_bad_edns(fctx, &query->addrinfo->sockaddr);
6964 inc_stats(fctx->res, dns_resstatscounter_edns0fail);
6965 } else if (message->rcode == dns_rcode_formerr) {
6966 if (ISFORWARDER(query->addrinfo)) {
6968 * This forwarder doesn't understand us,
6969 * but other forwarders might. Keep trying.
6971 broken_server = DNS_R_REMOTEFORMERR;
6972 keep_trying = ISC_TRUE;
6975 * The server doesn't understand us. Since
6976 * all servers for a zone need similar
6977 * capabilities, we assume that we will get
6978 * FORMERR from all servers, and thus we
6979 * cannot make any more progress with this
6982 log_formerr(fctx, "server sent FORMERR");
6983 result = DNS_R_FORMERR;
6985 } else if (message->rcode == dns_rcode_yxdomain) {
6987 * DNAME mapping failed because the new name
6988 * was too long. There's no chance of success
6991 result = DNS_R_YXDOMAIN;
6992 } else if (message->rcode == dns_rcode_badvers) {
6993 unsigned int flags, mask;
6994 unsigned int version;
6997 INSIST(opt != NULL);
6998 version = (opt->ttl >> 16) & 0xff;
6999 flags = (version << DNS_FETCHOPT_EDNSVERSIONSHIFT) |
7000 DNS_FETCHOPT_EDNSVERSIONSET;
7001 mask = DNS_FETCHOPT_EDNSVERSIONMASK |
7002 DNS_FETCHOPT_EDNSVERSIONSET;
7005 dns_adb_changeflags(fctx->adb, query->addrinfo,
7009 broken_server = DNS_R_BADVERS;
7010 keep_trying = ISC_TRUE;
7017 broken_server = DNS_R_UNEXPECTEDRCODE;
7018 INSIST(broken_server != ISC_R_SUCCESS);
7019 keep_trying = ISC_TRUE;
7025 * Is the question the same as the one we asked?
7027 result = same_question(fctx);
7028 if (result != ISC_R_SUCCESS) {
7030 if (result == DNS_R_FORMERR)
7031 keep_trying = ISC_TRUE;
7036 * Is the server lame?
7038 if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
7040 inc_stats(fctx->res, dns_resstatscounter_lame);
7041 log_lame(fctx, query->addrinfo);
7042 result = dns_adb_marklame(fctx->adb, query->addrinfo,
7043 &fctx->name, fctx->type,
7044 now + fctx->res->lame_ttl);
7045 if (result != ISC_R_SUCCESS)
7046 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
7047 DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
7048 "could not mark server as lame: %s",
7049 isc_result_totext(result));
7050 broken_server = DNS_R_LAME;
7051 keep_trying = ISC_TRUE;
7056 * Enforce delegations only zones like NET and COM.
7058 if (!ISFORWARDER(query->addrinfo) &&
7059 dns_view_isdelegationonly(fctx->res->view, &fctx->domain) &&
7060 !dns_name_equal(&fctx->domain, &fctx->name) &&
7061 fix_mustbedelegationornxdomain(message, fctx)) {
7062 char namebuf[DNS_NAME_FORMATSIZE];
7063 char domainbuf[DNS_NAME_FORMATSIZE];
7064 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
7068 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
7069 dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
7070 dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
7071 dns_rdataclass_format(fctx->res->rdclass, classbuf,
7073 isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
7076 isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
7077 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
7078 "enforced delegation-only for '%s' (%s/%s/%s) "
7080 domainbuf, namebuf, typebuf, classbuf, addrbuf);
7083 if ((fctx->res->options & DNS_RESOLVER_CHECKNAMES) != 0)
7084 checknames(message);
7089 fctx->attributes &= ~(FCTX_ATTR_WANTNCACHE | FCTX_ATTR_WANTCACHE);
7092 * Did we get any answers?
7094 if (message->counts[DNS_SECTION_ANSWER] > 0 &&
7095 (message->rcode == dns_rcode_noerror ||
7096 message->rcode == dns_rcode_nxdomain)) {
7099 * We've got answers. If it has an authoritative answer or an
7100 * answer from a forwarder, we're done.
7102 if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 ||
7103 ISFORWARDER(query->addrinfo))
7104 result = answer_response(fctx);
7105 else if (iscname(fctx) &&
7106 fctx->type != dns_rdatatype_any &&
7107 fctx->type != dns_rdatatype_cname) {
7109 * A BIND8 server could return a non-authoritative
7110 * answer when a CNAME is followed. We should treat
7111 * it as a valid answer.
7113 result = answer_response(fctx);
7114 } else if (fctx->type != dns_rdatatype_ns &&
7115 !betterreferral(fctx)) {
7117 * Lame response !!!.
7119 result = answer_response(fctx);
7121 if (fctx->type == dns_rdatatype_ns) {
7123 * A BIND 8 server could incorrectly return a
7124 * non-authoritative answer to an NS query
7125 * instead of a referral. Since this answer
7126 * lacks the SIGs necessary to do DNSSEC
7127 * validation, we must invoke the following
7128 * special kludge to treat it as a referral.
7130 result = noanswer_response(fctx, NULL,
7131 LOOK_FOR_NS_IN_ANSWER);
7134 * Some other servers may still somehow include
7135 * an answer when it should return a referral
7136 * with an empty answer. Check to see if we can
7137 * treat this as a referral by ignoring the
7138 * answer. Further more, there may be an
7139 * implementation that moves A/AAAA glue records
7140 * to the answer section for that type of
7141 * delegation when the query is for that glue
7142 * record. LOOK_FOR_GLUE_IN_ANSWER will handle
7143 * such a corner case.
7145 result = noanswer_response(fctx, NULL,
7146 LOOK_FOR_GLUE_IN_ANSWER);
7148 if (result != DNS_R_DELEGATION) {
7150 * At this point, AA is not set, the response
7151 * is not a referral, and the server is not a
7152 * forwarder. It is technically lame and it's
7153 * easier to treat it as such than to figure out
7154 * some more elaborate course of action.
7156 broken_server = DNS_R_LAME;
7157 keep_trying = ISC_TRUE;
7160 goto force_referral;
7162 if (result != ISC_R_SUCCESS) {
7163 if (result == DNS_R_FORMERR)
7164 keep_trying = ISC_TRUE;
7167 } else if (message->counts[DNS_SECTION_AUTHORITY] > 0 ||
7168 message->rcode == dns_rcode_noerror ||
7169 message->rcode == dns_rcode_nxdomain) {
7171 * NXDOMAIN, NXRDATASET, or referral.
7173 result = noanswer_response(fctx, NULL, 0);
7174 if (result == DNS_R_CHASEDSSERVERS) {
7175 } else if (result == DNS_R_DELEGATION) {
7178 * We don't have the answer, but we know a better
7181 get_nameservers = ISC_TRUE;
7182 keep_trying = ISC_TRUE;
7184 * We have a new set of name servers, and it
7185 * has not experienced any restarts yet.
7190 * Update local statistics counters collected for each
7194 fctx->querysent = 0;
7195 fctx->lamecount = 0;
7200 result = ISC_R_SUCCESS;
7201 } else if (result != ISC_R_SUCCESS) {
7203 * Something has gone wrong.
7205 if (result == DNS_R_FORMERR)
7206 keep_trying = ISC_TRUE;
7211 * The server is insane.
7214 broken_server = DNS_R_UNEXPECTEDRCODE;
7215 keep_trying = ISC_TRUE;
7220 * Follow additional section data chains.
7222 chase_additional(fctx);
7225 * Cache the cacheable parts of the message. This may also cause
7226 * work to be queued to the DNSSEC validator.
7228 if (WANTCACHE(fctx)) {
7229 result = cache_message(fctx, query->addrinfo, now);
7230 if (result != ISC_R_SUCCESS)
7235 * Ncache the negatively cacheable parts of the message. This may
7236 * also cause work to be queued to the DNSSEC validator.
7238 if (WANTNCACHE(fctx)) {
7239 dns_rdatatype_t covers;
7240 if (message->rcode == dns_rcode_nxdomain)
7241 covers = dns_rdatatype_any;
7243 covers = fctx->type;
7246 * Cache any negative cache entries in the message.
7248 result = ncache_message(fctx, query->addrinfo, covers, now);
7253 * Remember the query's addrinfo, in case we need to mark the
7256 addrinfo = query->addrinfo;
7261 * XXXRTH Don't cancel the query if waiting for validation?
7263 fctx_cancelquery(&query, &devent, finish, no_response);
7266 if (result == DNS_R_FORMERR)
7267 broken_server = DNS_R_FORMERR;
7268 if (broken_server != ISC_R_SUCCESS) {
7270 * Add this server to the list of bad servers for
7273 add_bad(fctx, addrinfo, broken_server, broken_type);
7276 if (get_nameservers) {
7278 dns_fixedname_init(&foundname);
7279 fname = dns_fixedname_name(&foundname);
7280 if (result != ISC_R_SUCCESS) {
7281 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
7285 if (dns_rdatatype_atparent(fctx->type))
7286 findoptions |= DNS_DBFIND_NOEXACT;
7287 if ((options & DNS_FETCHOPT_UNSHARED) == 0)
7290 name = &fctx->domain;
7291 result = dns_view_findzonecut(fctx->res->view,
7297 if (result != ISC_R_SUCCESS) {
7298 FCTXTRACE("couldn't find a zonecut");
7299 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
7302 if (!dns_name_issubdomain(fname, &fctx->domain)) {
7304 * The best nameservers are now above our
7307 FCTXTRACE("nameservers now above QDOMAIN");
7308 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
7311 dns_name_free(&fctx->domain, fctx->mctx);
7312 dns_name_init(&fctx->domain, NULL);
7313 result = dns_name_dup(fname, fctx->mctx, &fctx->domain);
7314 if (result != ISC_R_SUCCESS) {
7315 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
7318 fctx->ns_ttl = fctx->nameservers.ttl;
7319 fctx->ns_ttl_ok = ISC_TRUE;
7320 fctx_cancelqueries(fctx, ISC_TRUE);
7321 fctx_cleanupfinds(fctx);
7322 fctx_cleanupaltfinds(fctx);
7323 fctx_cleanupforwaddrs(fctx);
7324 fctx_cleanupaltaddrs(fctx);
7329 fctx_try(fctx, !get_nameservers, ISC_FALSE);
7330 } else if (resend) {
7332 * Resend (probably with changed options).
7334 FCTXTRACE("resend");
7335 inc_stats(fctx->res, dns_resstatscounter_retry);
7336 result = fctx_query(fctx, addrinfo, options);
7337 if (result != ISC_R_SUCCESS)
7338 fctx_done(fctx, result, __LINE__);
7339 } else if (result == ISC_R_SUCCESS && !HAVE_ANSWER(fctx)) {
7341 * All has gone well so far, but we are waiting for the
7342 * DNSSEC validator to validate the answer.
7344 FCTXTRACE("wait for validator");
7345 fctx_cancelqueries(fctx, ISC_TRUE);
7347 * We must not retransmit while the validator is working;
7348 * it has references to the current rmessage.
7350 result = fctx_stopidletimer(fctx);
7351 if (result != ISC_R_SUCCESS)
7352 fctx_done(fctx, result, __LINE__);
7353 } else if (result == DNS_R_CHASEDSSERVERS) {
7355 add_bad(fctx, addrinfo, result, broken_type);
7356 fctx_cancelqueries(fctx, ISC_TRUE);
7357 fctx_cleanupfinds(fctx);
7358 fctx_cleanupforwaddrs(fctx);
7360 n = dns_name_countlabels(&fctx->name);
7361 dns_name_getlabelsequence(&fctx->name, 1, n - 1, &fctx->nsname);
7363 FCTXTRACE("suspending DS lookup to find parent's NS records");
7365 result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
7367 NULL, NULL, NULL, 0, task,
7368 resume_dslookup, fctx,
7369 &fctx->nsrrset, NULL,
7371 if (result != ISC_R_SUCCESS)
7372 fctx_done(fctx, result, __LINE__);
7374 LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
7376 UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
7377 result = fctx_stopidletimer(fctx);
7378 if (result != ISC_R_SUCCESS)
7379 fctx_done(fctx, result, __LINE__);
7385 fctx_done(fctx, result, __LINE__);
7391 *** Resolver Methods
7394 destroy_badcache(dns_resolver_t *res) {
7395 dns_badcache_t *bad, *next;
7398 if (res->badcache != NULL) {
7399 for (i = 0; i < res->badhash; i++)
7400 for (bad = res->badcache[i]; bad != NULL;
7403 isc_mem_put(res->mctx, bad, sizeof(*bad) +
7407 isc_mem_put(res->mctx, res->badcache,
7408 sizeof(*res->badcache) * res->badhash);
7409 res->badcache = NULL;
7411 INSIST(res->badcount == 0);
7416 destroy(dns_resolver_t *res) {
7420 REQUIRE(res->references == 0);
7421 REQUIRE(!res->priming);
7422 REQUIRE(res->primefetch == NULL);
7426 INSIST(res->nfctx == 0);
7428 DESTROYLOCK(&res->primelock);
7429 DESTROYLOCK(&res->nlock);
7430 DESTROYLOCK(&res->lock);
7431 for (i = 0; i < res->nbuckets; i++) {
7432 INSIST(ISC_LIST_EMPTY(res->buckets[i].fctxs));
7433 isc_task_shutdown(res->buckets[i].task);
7434 isc_task_detach(&res->buckets[i].task);
7435 DESTROYLOCK(&res->buckets[i].lock);
7436 isc_mem_detach(&res->buckets[i].mctx);
7438 isc_mem_put(res->mctx, res->buckets,
7439 res->nbuckets * sizeof(fctxbucket_t));
7440 if (res->dispatchv4 != NULL)
7441 dns_dispatch_detach(&res->dispatchv4);
7442 if (res->dispatchv6 != NULL)
7443 dns_dispatch_detach(&res->dispatchv6);
7444 while ((a = ISC_LIST_HEAD(res->alternates)) != NULL) {
7445 ISC_LIST_UNLINK(res->alternates, a, link);
7447 dns_name_free(&a->_u._n.name, res->mctx);
7448 isc_mem_put(res->mctx, a, sizeof(*a));
7450 dns_resolver_reset_algorithms(res);
7451 destroy_badcache(res);
7452 dns_resolver_resetmustbesecure(res);
7454 isc_rwlock_destroy(&res->alglock);
7457 isc_rwlock_destroy(&res->mbslock);
7459 isc_timer_detach(&res->spillattimer);
7461 isc_mem_put(res->mctx, res, sizeof(*res));
7465 send_shutdown_events(dns_resolver_t *res) {
7466 isc_event_t *event, *next_event;
7470 * Caller must be holding the resolver lock.
7473 for (event = ISC_LIST_HEAD(res->whenshutdown);
7475 event = next_event) {
7476 next_event = ISC_LIST_NEXT(event, ev_link);
7477 ISC_LIST_UNLINK(res->whenshutdown, event, ev_link);
7478 etask = event->ev_sender;
7479 event->ev_sender = res;
7480 isc_task_sendanddetach(&etask, &event);
7485 empty_bucket(dns_resolver_t *res) {
7486 RTRACE("empty_bucket");
7490 INSIST(res->activebuckets > 0);
7491 res->activebuckets--;
7492 if (res->activebuckets == 0)
7493 send_shutdown_events(res);
7499 spillattimer_countdown(isc_task_t *task, isc_event_t *event) {
7500 dns_resolver_t *res = event->ev_arg;
7501 isc_result_t result;
7503 isc_boolean_t logit = ISC_FALSE;
7505 REQUIRE(VALID_RESOLVER(res));
7510 INSIST(!res->exiting);
7511 if (res->spillat > res->spillatmin) {
7515 if (res->spillat <= res->spillatmin) {
7516 result = isc_timer_reset(res->spillattimer,
7517 isc_timertype_inactive, NULL,
7519 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7521 count = res->spillat;
7524 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
7525 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
7526 "clients-per-query decreased to %u", count);
7528 isc_event_free(&event);
7532 dns_resolver_create(dns_view_t *view,
7533 isc_taskmgr_t *taskmgr, unsigned int ntasks,
7534 isc_socketmgr_t *socketmgr,
7535 isc_timermgr_t *timermgr,
7536 unsigned int options,
7537 dns_dispatchmgr_t *dispatchmgr,
7538 dns_dispatch_t *dispatchv4,
7539 dns_dispatch_t *dispatchv6,
7540 dns_resolver_t **resp)
7542 dns_resolver_t *res;
7543 isc_result_t result = ISC_R_SUCCESS;
7544 unsigned int i, buckets_created = 0;
7545 isc_task_t *task = NULL;
7550 * Create a resolver.
7553 REQUIRE(DNS_VIEW_VALID(view));
7554 REQUIRE(ntasks > 0);
7555 REQUIRE(resp != NULL && *resp == NULL);
7556 REQUIRE(dispatchmgr != NULL);
7557 REQUIRE(dispatchv4 != NULL || dispatchv6 != NULL);
7559 res = isc_mem_get(view->mctx, sizeof(*res));
7561 return (ISC_R_NOMEMORY);
7563 res->mctx = view->mctx;
7564 res->rdclass = view->rdclass;
7565 res->socketmgr = socketmgr;
7566 res->timermgr = timermgr;
7567 res->taskmgr = taskmgr;
7568 res->dispatchmgr = dispatchmgr;
7570 res->options = options;
7572 ISC_LIST_INIT(res->alternates);
7573 res->udpsize = RECV_BUFFER_SIZE;
7574 res->algorithms = NULL;
7575 res->badcache = NULL;
7579 res->mustbesecure = NULL;
7580 res->spillatmin = res->spillat = 10;
7581 res->spillatmax = 100;
7582 res->spillattimer = NULL;
7583 res->zero_no_soa_ttl = ISC_FALSE;
7584 res->query_timeout = DEFAULT_QUERY_TIMEOUT;
7586 res->nextdisp = 0; /* meaningless at this point, but init it */
7587 res->maxdepth = DEFAULT_RECURSION_DEPTH;
7588 res->maxqueries = DEFAULT_MAX_QUERIES;
7589 res->nbuckets = ntasks;
7590 res->activebuckets = ntasks;
7591 res->buckets = isc_mem_get(view->mctx,
7592 ntasks * sizeof(fctxbucket_t));
7593 if (res->buckets == NULL) {
7594 result = ISC_R_NOMEMORY;
7597 for (i = 0; i < ntasks; i++) {
7598 result = isc_mutex_init(&res->buckets[i].lock);
7599 if (result != ISC_R_SUCCESS)
7600 goto cleanup_buckets;
7601 res->buckets[i].task = NULL;
7602 result = isc_task_create(taskmgr, 0, &res->buckets[i].task);
7603 if (result != ISC_R_SUCCESS) {
7604 DESTROYLOCK(&res->buckets[i].lock);
7605 goto cleanup_buckets;
7607 res->buckets[i].mctx = NULL;
7608 snprintf(name, sizeof(name), "res%u", i);
7609 #ifdef ISC_PLATFORM_USETHREADS
7611 * Use a separate memory context for each bucket to reduce
7612 * contention among multiple threads. Do this only when
7613 * enabling threads because it will be require more memory.
7615 result = isc_mem_create(0, 0, &res->buckets[i].mctx);
7616 if (result != ISC_R_SUCCESS) {
7617 isc_task_detach(&res->buckets[i].task);
7618 DESTROYLOCK(&res->buckets[i].lock);
7619 goto cleanup_buckets;
7621 isc_mem_setname(res->buckets[i].mctx, name, NULL);
7623 isc_mem_attach(view->mctx, &res->buckets[i].mctx);
7625 isc_task_setname(res->buckets[i].task, name, res);
7626 ISC_LIST_INIT(res->buckets[i].fctxs);
7627 res->buckets[i].exiting = ISC_FALSE;
7631 res->dispatchv4 = NULL;
7632 if (dispatchv4 != NULL) {
7633 dns_dispatch_attach(dispatchv4, &res->dispatchv4);
7634 dispattr = dns_dispatch_getattributes(dispatchv4);
7636 ISC_TF((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0);
7639 res->dispatchv6 = NULL;
7640 if (dispatchv6 != NULL) {
7641 dns_dispatch_attach(dispatchv6, &res->dispatchv6);
7642 dispattr = dns_dispatch_getattributes(dispatchv6);
7644 ISC_TF((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0);
7647 res->references = 1;
7648 res->exiting = ISC_FALSE;
7649 res->frozen = ISC_FALSE;
7650 ISC_LIST_INIT(res->whenshutdown);
7651 res->priming = ISC_FALSE;
7652 res->primefetch = NULL;
7655 result = isc_mutex_init(&res->lock);
7656 if (result != ISC_R_SUCCESS)
7657 goto cleanup_dispatches;
7659 result = isc_mutex_init(&res->nlock);
7660 if (result != ISC_R_SUCCESS)
7663 result = isc_mutex_init(&res->primelock);
7664 if (result != ISC_R_SUCCESS)
7668 result = isc_task_create(taskmgr, 0, &task);
7669 if (result != ISC_R_SUCCESS)
7670 goto cleanup_primelock;
7672 result = isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
7673 task, spillattimer_countdown, res,
7674 &res->spillattimer);
7675 isc_task_detach(&task);
7676 if (result != ISC_R_SUCCESS)
7677 goto cleanup_primelock;
7680 result = isc_rwlock_init(&res->alglock, 0, 0);
7681 if (result != ISC_R_SUCCESS)
7682 goto cleanup_spillattimer;
7685 result = isc_rwlock_init(&res->mbslock, 0, 0);
7686 if (result != ISC_R_SUCCESS)
7687 goto cleanup_alglock;
7690 res->magic = RES_MAGIC;
7694 return (ISC_R_SUCCESS);
7699 isc_rwlock_destroy(&res->alglock);
7702 #if USE_ALGLOCK || USE_MBSLOCK
7703 cleanup_spillattimer:
7704 isc_timer_detach(&res->spillattimer);
7708 DESTROYLOCK(&res->primelock);
7711 DESTROYLOCK(&res->nlock);
7714 DESTROYLOCK(&res->lock);
7717 if (res->dispatchv6 != NULL)
7718 dns_dispatch_detach(&res->dispatchv6);
7719 if (res->dispatchv4 != NULL)
7720 dns_dispatch_detach(&res->dispatchv4);
7723 for (i = 0; i < buckets_created; i++) {
7724 isc_mem_detach(&res->buckets[i].mctx);
7725 DESTROYLOCK(&res->buckets[i].lock);
7726 isc_task_shutdown(res->buckets[i].task);
7727 isc_task_detach(&res->buckets[i].task);
7729 isc_mem_put(view->mctx, res->buckets,
7730 res->nbuckets * sizeof(fctxbucket_t));
7733 isc_mem_put(view->mctx, res, sizeof(*res));
7740 prime_done(isc_task_t *task, isc_event_t *event) {
7741 dns_resolver_t *res;
7742 dns_fetchevent_t *fevent;
7744 dns_db_t *db = NULL;
7746 REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
7747 fevent = (dns_fetchevent_t *)event;
7748 res = event->ev_arg;
7749 REQUIRE(VALID_RESOLVER(res));
7755 INSIST(res->priming);
7756 res->priming = ISC_FALSE;
7757 LOCK(&res->primelock);
7758 fetch = res->primefetch;
7759 res->primefetch = NULL;
7760 UNLOCK(&res->primelock);
7764 if (fevent->result == ISC_R_SUCCESS &&
7765 res->view->cache != NULL && res->view->hints != NULL) {
7766 dns_cache_attachdb(res->view->cache, &db);
7767 dns_root_checkhints(res->view, res->view->hints, db);
7771 if (fevent->node != NULL)
7772 dns_db_detachnode(fevent->db, &fevent->node);
7773 if (fevent->db != NULL)
7774 dns_db_detach(&fevent->db);
7775 if (dns_rdataset_isassociated(fevent->rdataset))
7776 dns_rdataset_disassociate(fevent->rdataset);
7777 INSIST(fevent->sigrdataset == NULL);
7779 isc_mem_put(res->mctx, fevent->rdataset, sizeof(*fevent->rdataset));
7781 isc_event_free(&event);
7782 dns_resolver_destroyfetch(&fetch);
7786 dns_resolver_prime(dns_resolver_t *res) {
7787 isc_boolean_t want_priming = ISC_FALSE;
7788 dns_rdataset_t *rdataset;
7789 isc_result_t result;
7791 REQUIRE(VALID_RESOLVER(res));
7792 REQUIRE(res->frozen);
7794 RTRACE("dns_resolver_prime");
7798 if (!res->exiting && !res->priming) {
7799 INSIST(res->primefetch == NULL);
7800 res->priming = ISC_TRUE;
7801 want_priming = ISC_TRUE;
7808 * To avoid any possible recursive locking problems, we
7809 * start the priming fetch like any other fetch, and holding
7810 * no resolver locks. No one else will try to start it
7811 * because we're the ones who set res->priming to true.
7812 * Any other callers of dns_resolver_prime() while we're
7813 * running will see that res->priming is already true and
7817 rdataset = isc_mem_get(res->mctx, sizeof(*rdataset));
7818 if (rdataset == NULL) {
7820 INSIST(res->priming);
7821 INSIST(res->primefetch == NULL);
7822 res->priming = ISC_FALSE;
7826 dns_rdataset_init(rdataset);
7827 LOCK(&res->primelock);
7828 result = dns_resolver_createfetch(res, dns_rootname,
7830 NULL, NULL, NULL, 0,
7831 res->buckets[0].task,
7833 res, rdataset, NULL,
7835 UNLOCK(&res->primelock);
7836 if (result != ISC_R_SUCCESS) {
7838 INSIST(res->priming);
7839 res->priming = ISC_FALSE;
7847 dns_resolver_freeze(dns_resolver_t *res) {
7852 REQUIRE(VALID_RESOLVER(res));
7854 res->frozen = ISC_TRUE;
7858 dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp) {
7859 REQUIRE(VALID_RESOLVER(source));
7860 REQUIRE(targetp != NULL && *targetp == NULL);
7862 RRTRACE(source, "attach");
7863 LOCK(&source->lock);
7864 REQUIRE(!source->exiting);
7866 INSIST(source->references > 0);
7867 source->references++;
7868 INSIST(source->references != 0);
7869 UNLOCK(&source->lock);
7875 dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
7876 isc_event_t **eventp)
7881 REQUIRE(VALID_RESOLVER(res));
7882 REQUIRE(eventp != NULL);
7889 if (res->exiting && res->activebuckets == 0) {
7891 * We're already shutdown. Send the event.
7893 event->ev_sender = res;
7894 isc_task_send(task, &event);
7897 isc_task_attach(task, &clone);
7898 event->ev_sender = clone;
7899 ISC_LIST_APPEND(res->whenshutdown, event, ev_link);
7906 dns_resolver_shutdown(dns_resolver_t *res) {
7910 isc_result_t result;
7912 REQUIRE(VALID_RESOLVER(res));
7918 if (!res->exiting) {
7920 res->exiting = ISC_TRUE;
7922 for (i = 0; i < res->nbuckets; i++) {
7923 LOCK(&res->buckets[i].lock);
7924 for (fctx = ISC_LIST_HEAD(res->buckets[i].fctxs);
7926 fctx = ISC_LIST_NEXT(fctx, link))
7927 fctx_shutdown(fctx);
7928 if (res->dispatchv4 != NULL && !res->exclusivev4) {
7929 sock = dns_dispatch_getsocket(res->dispatchv4);
7930 isc_socket_cancel(sock, res->buckets[i].task,
7931 ISC_SOCKCANCEL_ALL);
7933 if (res->dispatchv6 != NULL && !res->exclusivev6) {
7934 sock = dns_dispatch_getsocket(res->dispatchv6);
7935 isc_socket_cancel(sock, res->buckets[i].task,
7936 ISC_SOCKCANCEL_ALL);
7938 res->buckets[i].exiting = ISC_TRUE;
7939 if (ISC_LIST_EMPTY(res->buckets[i].fctxs)) {
7940 INSIST(res->activebuckets > 0);
7941 res->activebuckets--;
7943 UNLOCK(&res->buckets[i].lock);
7945 if (res->activebuckets == 0)
7946 send_shutdown_events(res);
7947 result = isc_timer_reset(res->spillattimer,
7948 isc_timertype_inactive, NULL,
7950 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7957 dns_resolver_detach(dns_resolver_t **resp) {
7958 dns_resolver_t *res;
7959 isc_boolean_t need_destroy = ISC_FALSE;
7961 REQUIRE(resp != NULL);
7963 REQUIRE(VALID_RESOLVER(res));
7969 INSIST(res->references > 0);
7971 if (res->references == 0) {
7972 INSIST(res->exiting && res->activebuckets == 0);
7973 need_destroy = ISC_TRUE;
7984 static inline isc_boolean_t
7985 fctx_match(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
7986 unsigned int options)
7989 * Don't match fetch contexts that are shutting down.
7991 if (fctx->cloned || fctx->state == fetchstate_done ||
7992 ISC_LIST_EMPTY(fctx->events))
7995 if (fctx->type != type || fctx->options != options)
7997 return (dns_name_equal(&fctx->name, name));
8001 log_fetch(dns_name_t *name, dns_rdatatype_t type) {
8002 char namebuf[DNS_NAME_FORMATSIZE];
8003 char typebuf[DNS_RDATATYPE_FORMATSIZE];
8004 int level = ISC_LOG_DEBUG(1);
8006 if (! isc_log_wouldlog(dns_lctx, level))
8009 dns_name_format(name, namebuf, sizeof(namebuf));
8010 dns_rdatatype_format(type, typebuf, sizeof(typebuf));
8012 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
8013 DNS_LOGMODULE_RESOLVER, level,
8014 "createfetch: %s %s", namebuf, typebuf);
8018 dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
8019 dns_rdatatype_t type,
8020 dns_name_t *domain, dns_rdataset_t *nameservers,
8021 dns_forwarders_t *forwarders,
8022 unsigned int options, isc_task_t *task,
8023 isc_taskaction_t action, void *arg,
8024 dns_rdataset_t *rdataset,
8025 dns_rdataset_t *sigrdataset,
8026 dns_fetch_t **fetchp)
8028 return (dns_resolver_createfetch3(res, name, type, domain,
8029 nameservers, forwarders, NULL, 0,
8030 options, 0, NULL, task, action, arg,
8031 rdataset, sigrdataset, fetchp));
8035 dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
8036 dns_rdatatype_t type,
8037 dns_name_t *domain, dns_rdataset_t *nameservers,
8038 dns_forwarders_t *forwarders,
8039 isc_sockaddr_t *client, dns_messageid_t id,
8040 unsigned int options, isc_task_t *task,
8041 isc_taskaction_t action, void *arg,
8042 dns_rdataset_t *rdataset,
8043 dns_rdataset_t *sigrdataset,
8044 dns_fetch_t **fetchp)
8046 return (dns_resolver_createfetch3(res, name, type, domain,
8047 nameservers, forwarders, client, id,
8048 options, 0, NULL, task, action, arg,
8049 rdataset, sigrdataset, fetchp));
8053 dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
8054 dns_rdatatype_t type,
8055 dns_name_t *domain, dns_rdataset_t *nameservers,
8056 dns_forwarders_t *forwarders,
8057 isc_sockaddr_t *client, dns_messageid_t id,
8058 unsigned int options, unsigned int depth,
8059 isc_counter_t *qc, isc_task_t *task,
8060 isc_taskaction_t action, void *arg,
8061 dns_rdataset_t *rdataset,
8062 dns_rdataset_t *sigrdataset,
8063 dns_fetch_t **fetchp)
8066 fetchctx_t *fctx = NULL;
8067 isc_result_t result = ISC_R_SUCCESS;
8068 unsigned int bucketnum;
8069 isc_boolean_t new_fctx = ISC_FALSE;
8071 unsigned int count = 0;
8072 unsigned int spillat;
8073 unsigned int spillatmin;
8074 isc_boolean_t destroy = ISC_FALSE;
8078 REQUIRE(VALID_RESOLVER(res));
8079 REQUIRE(res->frozen);
8080 /* XXXRTH Check for meta type */
8081 if (domain != NULL) {
8082 REQUIRE(DNS_RDATASET_VALID(nameservers));
8083 REQUIRE(nameservers->type == dns_rdatatype_ns);
8085 REQUIRE(nameservers == NULL);
8086 REQUIRE(forwarders == NULL);
8087 REQUIRE(!dns_rdataset_isassociated(rdataset));
8088 REQUIRE(sigrdataset == NULL ||
8089 !dns_rdataset_isassociated(sigrdataset));
8090 REQUIRE(fetchp != NULL && *fetchp == NULL);
8092 log_fetch(name, type);
8095 * XXXRTH use a mempool?
8097 fetch = isc_mem_get(res->mctx, sizeof(*fetch));
8099 return (ISC_R_NOMEMORY);
8101 bucketnum = dns_name_fullhash(name, ISC_FALSE) % res->nbuckets;
8104 spillat = res->spillat;
8105 spillatmin = res->spillatmin;
8107 LOCK(&res->buckets[bucketnum].lock);
8109 if (res->buckets[bucketnum].exiting) {
8110 result = ISC_R_SHUTTINGDOWN;
8114 if ((options & DNS_FETCHOPT_UNSHARED) == 0) {
8115 for (fctx = ISC_LIST_HEAD(res->buckets[bucketnum].fctxs);
8117 fctx = ISC_LIST_NEXT(fctx, link)) {
8118 if (fctx_match(fctx, name, type, options))
8124 * Is this a duplicate?
8126 if (fctx != NULL && client != NULL) {
8127 dns_fetchevent_t *fevent;
8128 for (fevent = ISC_LIST_HEAD(fctx->events);
8130 fevent = ISC_LIST_NEXT(fevent, ev_link)) {
8131 if (fevent->client != NULL && fevent->id == id &&
8132 isc_sockaddr_equal(fevent->client, client)) {
8133 result = DNS_R_DUPLICATE;
8139 if (count >= spillatmin && spillatmin != 0) {
8140 INSIST(fctx != NULL);
8141 if (count >= spillat)
8142 fctx->spilled = ISC_TRUE;
8143 if (fctx->spilled) {
8144 result = DNS_R_DROP;
8150 result = fctx_create(res, name, type, domain, nameservers,
8151 options, bucketnum, depth, qc, &fctx);
8152 if (result != ISC_R_SUCCESS)
8154 new_fctx = ISC_TRUE;
8155 } else if (fctx->depth > depth)
8156 fctx->depth = depth;
8158 result = fctx_join(fctx, task, client, id, action, arg,
8159 rdataset, sigrdataset, fetch);
8161 if (result == ISC_R_SUCCESS) {
8165 event = &fctx->control_event;
8166 ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
8167 DNS_EVENT_FETCHCONTROL,
8168 fctx_start, fctx, NULL,
8170 isc_task_send(res->buckets[bucketnum].task, &event);
8173 * We don't care about the result of fctx_unlink()
8174 * since we know we're not exiting.
8176 (void)fctx_unlink(fctx);
8182 UNLOCK(&res->buckets[bucketnum].lock);
8187 if (result == ISC_R_SUCCESS) {
8191 isc_mem_put(res->mctx, fetch, sizeof(*fetch));
8197 dns_resolver_cancelfetch(dns_fetch_t *fetch) {
8199 dns_resolver_t *res;
8200 dns_fetchevent_t *event, *next_event;
8203 REQUIRE(DNS_FETCH_VALID(fetch));
8204 fctx = fetch->private;
8205 REQUIRE(VALID_FCTX(fctx));
8208 FTRACE("cancelfetch");
8210 LOCK(&res->buckets[fctx->bucketnum].lock);
8213 * Find the completion event for this fetch (as opposed
8214 * to those for other fetches that have joined the same
8215 * fctx) and send it with result = ISC_R_CANCELED.
8218 if (fctx->state != fetchstate_done) {
8219 for (event = ISC_LIST_HEAD(fctx->events);
8221 event = next_event) {
8222 next_event = ISC_LIST_NEXT(event, ev_link);
8223 if (event->fetch == fetch) {
8224 ISC_LIST_UNLINK(fctx->events, event, ev_link);
8229 if (event != NULL) {
8230 etask = event->ev_sender;
8231 event->ev_sender = fctx;
8232 event->result = ISC_R_CANCELED;
8233 isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
8236 * The fctx continues running even if no fetches remain;
8237 * the answer is still cached.
8240 UNLOCK(&res->buckets[fctx->bucketnum].lock);
8244 dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
8246 dns_resolver_t *res;
8247 dns_fetchevent_t *event, *next_event;
8249 unsigned int bucketnum;
8250 isc_boolean_t bucket_empty;
8252 REQUIRE(fetchp != NULL);
8254 REQUIRE(DNS_FETCH_VALID(fetch));
8255 fctx = fetch->private;
8256 REQUIRE(VALID_FCTX(fctx));
8259 FTRACE("destroyfetch");
8261 bucketnum = fctx->bucketnum;
8262 LOCK(&res->buckets[bucketnum].lock);
8265 * Sanity check: the caller should have gotten its event before
8266 * trying to destroy the fetch.
8269 if (fctx->state != fetchstate_done) {
8270 for (event = ISC_LIST_HEAD(fctx->events);
8272 event = next_event) {
8273 next_event = ISC_LIST_NEXT(event, ev_link);
8274 RUNTIME_CHECK(event->fetch != fetch);
8278 bucket_empty = fctx_decreference(fctx);
8280 UNLOCK(&res->buckets[bucketnum].lock);
8282 isc_mem_put(res->mctx, fetch, sizeof(*fetch));
8290 dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
8291 isc_logcategory_t *category, isc_logmodule_t *module,
8292 int level, isc_boolean_t duplicateok)
8295 dns_resolver_t *res;
8296 char domainbuf[DNS_NAME_FORMATSIZE];
8298 REQUIRE(DNS_FETCH_VALID(fetch));
8299 fctx = fetch->private;
8300 REQUIRE(VALID_FCTX(fctx));
8303 LOCK(&res->buckets[fctx->bucketnum].lock);
8305 INSIST(fctx->exitline >= 0);
8306 if (!fctx->logged || duplicateok) {
8307 dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
8308 isc_log_write(lctx, category, module, level,
8309 "fetch completed at %s:%d for %s in "
8310 "%" ISC_PRINT_QUADFORMAT "u."
8311 "%06" ISC_PRINT_QUADFORMAT "u: %s/%s "
8312 "[domain:%s,referral:%u,restart:%u,qrysent:%u,"
8313 "timeout:%u,lame:%u,neterr:%u,badresp:%u,"
8314 "adberr:%u,findfail:%u,valfail:%u]",
8315 __FILE__, fctx->exitline, fctx->info,
8316 fctx->duration / US_PER_SEC,
8317 fctx->duration % US_PER_SEC,
8318 isc_result_totext(fctx->result),
8319 isc_result_totext(fctx->vresult), domainbuf,
8320 fctx->referrals, fctx->restarts,
8321 fctx->querysent, fctx->timeouts, fctx->lamecount,
8322 fctx->neterr, fctx->badresp, fctx->adberr,
8323 fctx->findfail, fctx->valfail);
8324 fctx->logged = ISC_TRUE;
8327 UNLOCK(&res->buckets[fctx->bucketnum].lock);
8331 dns_resolver_dispatchmgr(dns_resolver_t *resolver) {
8332 REQUIRE(VALID_RESOLVER(resolver));
8333 return (resolver->dispatchmgr);
8337 dns_resolver_dispatchv4(dns_resolver_t *resolver) {
8338 REQUIRE(VALID_RESOLVER(resolver));
8339 return (resolver->dispatchv4);
8343 dns_resolver_dispatchv6(dns_resolver_t *resolver) {
8344 REQUIRE(VALID_RESOLVER(resolver));
8345 return (resolver->dispatchv6);
8349 dns_resolver_socketmgr(dns_resolver_t *resolver) {
8350 REQUIRE(VALID_RESOLVER(resolver));
8351 return (resolver->socketmgr);
8355 dns_resolver_taskmgr(dns_resolver_t *resolver) {
8356 REQUIRE(VALID_RESOLVER(resolver));
8357 return (resolver->taskmgr);
8361 dns_resolver_getlamettl(dns_resolver_t *resolver) {
8362 REQUIRE(VALID_RESOLVER(resolver));
8363 return (resolver->lame_ttl);
8367 dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl) {
8368 REQUIRE(VALID_RESOLVER(resolver));
8369 resolver->lame_ttl = lame_ttl;
8373 dns_resolver_nrunning(dns_resolver_t *resolver) {
8375 LOCK(&resolver->nlock);
8376 n = resolver->nfctx;
8377 UNLOCK(&resolver->nlock);
8382 dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
8383 dns_name_t *name, in_port_t port) {
8385 isc_result_t result;
8387 REQUIRE(VALID_RESOLVER(resolver));
8388 REQUIRE(!resolver->frozen);
8389 REQUIRE((alt == NULL) ^ (name == NULL));
8391 a = isc_mem_get(resolver->mctx, sizeof(*a));
8393 return (ISC_R_NOMEMORY);
8395 a->isaddress = ISC_TRUE;
8398 a->isaddress = ISC_FALSE;
8399 a->_u._n.port = port;
8400 dns_name_init(&a->_u._n.name, NULL);
8401 result = dns_name_dup(name, resolver->mctx, &a->_u._n.name);
8402 if (result != ISC_R_SUCCESS) {
8403 isc_mem_put(resolver->mctx, a, sizeof(*a));
8407 ISC_LINK_INIT(a, link);
8408 ISC_LIST_APPEND(resolver->alternates, a, link);
8410 return (ISC_R_SUCCESS);
8414 dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize) {
8415 REQUIRE(VALID_RESOLVER(resolver));
8416 resolver->udpsize = udpsize;
8420 dns_resolver_getudpsize(dns_resolver_t *resolver) {
8421 REQUIRE(VALID_RESOLVER(resolver));
8422 return (resolver->udpsize);
8426 dns_resolver_flushbadcache(dns_resolver_t *resolver, dns_name_t *name) {
8428 dns_badcache_t *bad, *prev, *next;
8430 REQUIRE(VALID_RESOLVER(resolver));
8432 LOCK(&resolver->lock);
8433 if (resolver->badcache == NULL)
8438 isc_result_t result;
8439 result = isc_time_now(&now);
8440 if (result != ISC_R_SUCCESS)
8441 isc_time_settoepoch(&now);
8442 i = dns_name_hash(name, ISC_FALSE) % resolver->badhash;
8444 for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
8447 n = isc_time_compare(&bad->expire, &now);
8448 if (n < 0 || dns_name_equal(name, &bad->name)) {
8450 resolver->badcache[i] = bad->next;
8452 prev->next = bad->next;
8453 isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
8455 resolver->badcount--;
8460 destroy_badcache(resolver);
8463 UNLOCK(&resolver->lock);
8468 resizehash(dns_resolver_t *resolver, isc_time_t *now, isc_boolean_t grow) {
8469 unsigned int newsize;
8470 dns_badcache_t **new, *bad, *next;
8474 newsize = resolver->badhash * 2 + 1;
8476 newsize = (resolver->badhash - 1) / 2;
8478 new = isc_mem_get(resolver->mctx,
8479 sizeof(*resolver->badcache) * newsize);
8482 memset(new, 0, sizeof(*resolver->badcache) * newsize);
8483 for (i = 0; i < resolver->badhash; i++) {
8484 for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
8486 if (isc_time_compare(&bad->expire, now) < 0) {
8487 isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
8489 resolver->badcount--;
8491 bad->next = new[bad->hashval % newsize];
8492 new[bad->hashval % newsize] = bad;
8496 isc_mem_put(resolver->mctx, resolver->badcache,
8497 sizeof(*resolver->badcache) * resolver->badhash);
8498 resolver->badhash = newsize;
8499 resolver->badcache = new;
8503 dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name,
8504 dns_rdatatype_t type, isc_time_t *expire)
8507 isc_result_t result = ISC_R_SUCCESS;
8508 unsigned int i, hashval;
8509 dns_badcache_t *bad, *prev, *next;
8511 REQUIRE(VALID_RESOLVER(resolver));
8513 LOCK(&resolver->lock);
8514 if (resolver->badcache == NULL) {
8515 resolver->badcache = isc_mem_get(resolver->mctx,
8516 sizeof(*resolver->badcache) *
8518 if (resolver->badcache == NULL)
8520 resolver->badhash = DNS_BADCACHE_SIZE;
8521 memset(resolver->badcache, 0, sizeof(*resolver->badcache) *
8525 result = isc_time_now(&now);
8526 if (result != ISC_R_SUCCESS)
8527 isc_time_settoepoch(&now);
8528 hashval = dns_name_hash(name, ISC_FALSE);
8529 i = hashval % resolver->badhash;
8531 for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
8533 if (bad->type == type && dns_name_equal(name, &bad->name))
8535 if (isc_time_compare(&bad->expire, &now) < 0) {
8537 resolver->badcache[i] = bad->next;
8539 prev->next = bad->next;
8540 isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
8542 resolver->badcount--;
8547 isc_buffer_t buffer;
8548 bad = isc_mem_get(resolver->mctx, sizeof(*bad) + name->length);
8552 bad->hashval = hashval;
8553 bad->expire = *expire;
8554 isc_buffer_init(&buffer, bad + 1, name->length);
8555 dns_name_init(&bad->name, NULL);
8556 dns_name_copy(name, &bad->name, &buffer);
8557 bad->next = resolver->badcache[i];
8558 resolver->badcache[i] = bad;
8559 resolver->badcount++;
8560 if (resolver->badcount > resolver->badhash * 8)
8561 resizehash(resolver, &now, ISC_TRUE);
8562 if (resolver->badcount < resolver->badhash * 2 &&
8563 resolver->badhash > DNS_BADCACHE_SIZE)
8564 resizehash(resolver, &now, ISC_FALSE);
8566 bad->expire = *expire;
8568 UNLOCK(&resolver->lock);
8572 dns_resolver_getbadcache(dns_resolver_t *resolver, dns_name_t *name,
8573 dns_rdatatype_t type, isc_time_t *now)
8575 dns_badcache_t *bad, *prev, *next;
8576 isc_boolean_t answer = ISC_FALSE;
8579 REQUIRE(VALID_RESOLVER(resolver));
8581 LOCK(&resolver->lock);
8582 if (resolver->badcache == NULL)
8585 i = dns_name_hash(name, ISC_FALSE) % resolver->badhash;
8587 for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
8590 * Search the hash list. Clean out expired records as we go.
8592 if (isc_time_compare(&bad->expire, now) < 0) {
8594 prev->next = bad->next;
8596 resolver->badcache[i] = bad->next;
8597 isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
8599 resolver->badcount--;
8602 if (bad->type == type && dns_name_equal(name, &bad->name)) {
8610 * Slow sweep to clean out stale records.
8612 i = resolver->badsweep++ % resolver->badhash;
8613 bad = resolver->badcache[i];
8614 if (bad != NULL && isc_time_compare(&bad->expire, now) < 0) {
8615 resolver->badcache[i] = bad->next;
8616 isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
8618 resolver->badcount--;
8622 UNLOCK(&resolver->lock);
8627 dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp) {
8628 char namebuf[DNS_NAME_FORMATSIZE];
8629 char typebuf[DNS_RDATATYPE_FORMATSIZE];
8630 dns_badcache_t *bad, *next, *prev;
8635 LOCK(&resolver->lock);
8636 fprintf(fp, ";\n; Bad cache\n;\n");
8638 if (resolver->badcache == NULL)
8642 for (i = 0; i < resolver->badhash; i++) {
8644 for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
8646 if (isc_time_compare(&bad->expire, &now) < 0) {
8648 prev->next = bad->next;
8650 resolver->badcache[i] = bad->next;
8651 isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
8653 resolver->badcount--;
8657 dns_name_format(&bad->name, namebuf, sizeof(namebuf));
8658 dns_rdatatype_format(bad->type, typebuf,
8660 t = isc_time_microdiff(&bad->expire, &now);
8662 fprintf(fp, "; %s/%s [ttl "
8663 "%" ISC_PLATFORM_QUADFORMAT "u]\n",
8664 namebuf, typebuf, t);
8669 UNLOCK(&resolver->lock);
8673 free_algorithm(void *node, void *arg) {
8674 unsigned char *algorithms = node;
8675 isc_mem_t *mctx = arg;
8677 isc_mem_put(mctx, algorithms, *algorithms);
8681 dns_resolver_reset_algorithms(dns_resolver_t *resolver) {
8683 REQUIRE(VALID_RESOLVER(resolver));
8686 RWLOCK(&resolver->alglock, isc_rwlocktype_write);
8688 if (resolver->algorithms != NULL)
8689 dns_rbt_destroy(&resolver->algorithms);
8691 RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
8696 dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
8699 unsigned int len, mask;
8701 unsigned char *algorithms;
8702 isc_result_t result;
8703 dns_rbtnode_t *node = NULL;
8705 REQUIRE(VALID_RESOLVER(resolver));
8707 return (ISC_R_RANGE);
8710 RWLOCK(&resolver->alglock, isc_rwlocktype_write);
8712 if (resolver->algorithms == NULL) {
8713 result = dns_rbt_create(resolver->mctx, free_algorithm,
8714 resolver->mctx, &resolver->algorithms);
8715 if (result != ISC_R_SUCCESS)
8720 mask = 1 << (alg%8);
8722 result = dns_rbt_addnode(resolver->algorithms, name, &node);
8724 if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
8725 algorithms = node->data;
8726 if (algorithms == NULL || len > *algorithms) {
8727 new = isc_mem_get(resolver->mctx, len);
8729 result = ISC_R_NOMEMORY;
8732 memset(new, 0, len);
8733 if (algorithms != NULL)
8734 memcpy(new, algorithms, *algorithms);
8738 if (algorithms != NULL)
8739 isc_mem_put(resolver->mctx, algorithms,
8742 algorithms[len-1] |= mask;
8744 result = ISC_R_SUCCESS;
8747 RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
8753 dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
8756 unsigned int len, mask;
8757 unsigned char *algorithms;
8759 isc_result_t result;
8760 isc_boolean_t found = ISC_FALSE;
8762 REQUIRE(VALID_RESOLVER(resolver));
8765 RWLOCK(&resolver->alglock, isc_rwlocktype_read);
8767 if (resolver->algorithms == NULL)
8769 result = dns_rbt_findname(resolver->algorithms, name, 0, NULL, &data);
8770 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
8772 mask = 1 << (alg%8);
8774 if (len <= *algorithms && (algorithms[len-1] & mask) != 0)
8779 RWUNLOCK(&resolver->alglock, isc_rwlocktype_read);
8783 return (dst_algorithm_supported(alg));
8787 dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest) {
8790 return (dns_ds_digest_supported(digest));
8794 dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {
8796 REQUIRE(VALID_RESOLVER(resolver));
8799 RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
8801 if (resolver->mustbesecure != NULL)
8802 dns_rbt_destroy(&resolver->mustbesecure);
8804 RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
8808 static isc_boolean_t yes = ISC_TRUE, no = ISC_FALSE;
8811 dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
8812 isc_boolean_t value)
8814 isc_result_t result;
8816 REQUIRE(VALID_RESOLVER(resolver));
8819 RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
8821 if (resolver->mustbesecure == NULL) {
8822 result = dns_rbt_create(resolver->mctx, NULL, NULL,
8823 &resolver->mustbesecure);
8824 if (result != ISC_R_SUCCESS)
8827 result = dns_rbt_addname(resolver->mustbesecure, name,
8828 value ? &yes : &no);
8831 RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
8837 dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name) {
8839 isc_boolean_t value = ISC_FALSE;
8840 isc_result_t result;
8842 REQUIRE(VALID_RESOLVER(resolver));
8845 RWLOCK(&resolver->mbslock, isc_rwlocktype_read);
8847 if (resolver->mustbesecure == NULL)
8849 result = dns_rbt_findname(resolver->mustbesecure, name, 0, NULL, &data);
8850 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
8851 value = *(isc_boolean_t*)data;
8854 RWUNLOCK(&resolver->mbslock, isc_rwlocktype_read);
8860 dns_resolver_getclientsperquery(dns_resolver_t *resolver, isc_uint32_t *cur,
8861 isc_uint32_t *min, isc_uint32_t *max)
8863 REQUIRE(VALID_RESOLVER(resolver));
8865 LOCK(&resolver->lock);
8867 *cur = resolver->spillat;
8869 *min = resolver->spillatmin;
8871 *max = resolver->spillatmax;
8872 UNLOCK(&resolver->lock);
8876 dns_resolver_setclientsperquery(dns_resolver_t *resolver, isc_uint32_t min,
8879 REQUIRE(VALID_RESOLVER(resolver));
8881 LOCK(&resolver->lock);
8882 resolver->spillatmin = resolver->spillat = min;
8883 resolver->spillatmax = max;
8884 UNLOCK(&resolver->lock);
8888 dns_resolver_getzeronosoattl(dns_resolver_t *resolver) {
8889 REQUIRE(VALID_RESOLVER(resolver));
8891 return (resolver->zero_no_soa_ttl);
8895 dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state) {
8896 REQUIRE(VALID_RESOLVER(resolver));
8898 resolver->zero_no_soa_ttl = state;
8902 dns_resolver_getoptions(dns_resolver_t *resolver) {
8903 REQUIRE(VALID_RESOLVER(resolver));
8905 return (resolver->options);
8909 dns_resolver_gettimeout(dns_resolver_t *resolver) {
8910 REQUIRE(VALID_RESOLVER(resolver));
8912 return (resolver->query_timeout);
8916 dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
8917 REQUIRE(VALID_RESOLVER(resolver));
8920 seconds = DEFAULT_QUERY_TIMEOUT;
8921 if (seconds > MAXIMUM_QUERY_TIMEOUT)
8922 seconds = MAXIMUM_QUERY_TIMEOUT;
8923 if (seconds < MINIMUM_QUERY_TIMEOUT)
8924 seconds = MINIMUM_QUERY_TIMEOUT;
8926 resolver->query_timeout = seconds;
8930 dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) {
8931 REQUIRE(VALID_RESOLVER(resolver));
8932 resolver->maxdepth = maxdepth;
8936 dns_resolver_getmaxdepth(dns_resolver_t *resolver) {
8937 REQUIRE(VALID_RESOLVER(resolver));
8938 return (resolver->maxdepth);
8942 dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries) {
8943 REQUIRE(VALID_RESOLVER(resolver));
8944 resolver->maxqueries = queries;
8948 dns_resolver_getmaxqueries(dns_resolver_t *resolver) {
8949 REQUIRE(VALID_RESOLVER(resolver));
8950 return (resolver->maxqueries);