2 * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2003 Internet Software Consortium.
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
25 #include <isc/platform.h>
26 #include <isc/print.h>
27 #include <isc/string.h>
28 #include <isc/random.h>
29 #include <isc/socket.h>
30 #include <isc/stats.h>
32 #include <isc/timer.h>
37 #include <dns/cache.h>
39 #include <dns/dispatch.h>
41 #include <dns/events.h>
42 #include <dns/forward.h>
43 #include <dns/keytable.h>
45 #include <dns/message.h>
46 #include <dns/ncache.h>
48 #include <dns/nsec3.h>
49 #include <dns/opcode.h>
52 #include <dns/rcode.h>
53 #include <dns/rdata.h>
54 #include <dns/rdataclass.h>
55 #include <dns/rdatalist.h>
56 #include <dns/rdataset.h>
57 #include <dns/rdatastruct.h>
58 #include <dns/rdatatype.h>
59 #include <dns/resolver.h>
60 #include <dns/result.h>
61 #include <dns/rootns.h>
62 #include <dns/stats.h>
64 #include <dns/validator.h>
66 #define DNS_RESOLVER_TRACE
67 #ifdef DNS_RESOLVER_TRACE
68 #define RTRACE(m) isc_log_write(dns_lctx, \
69 DNS_LOGCATEGORY_RESOLVER, \
70 DNS_LOGMODULE_RESOLVER, \
72 "res %p: %s", res, (m))
73 #define RRTRACE(r, m) isc_log_write(dns_lctx, \
74 DNS_LOGCATEGORY_RESOLVER, \
75 DNS_LOGMODULE_RESOLVER, \
77 "res %p: %s", (r), (m))
78 #define FCTXTRACE(m) isc_log_write(dns_lctx, \
79 DNS_LOGCATEGORY_RESOLVER, \
80 DNS_LOGMODULE_RESOLVER, \
82 "fctx %p(%s): %s", fctx, fctx->info, (m))
83 #define FCTXTRACE2(m1, m2) \
84 isc_log_write(dns_lctx, \
85 DNS_LOGCATEGORY_RESOLVER, \
86 DNS_LOGMODULE_RESOLVER, \
88 "fctx %p(%s): %s %s", \
89 fctx, fctx->info, (m1), (m2))
90 #define FTRACE(m) isc_log_write(dns_lctx, \
91 DNS_LOGCATEGORY_RESOLVER, \
92 DNS_LOGMODULE_RESOLVER, \
94 "fetch %p (fctx %p(%s)): %s", \
95 fetch, fetch->private, \
96 fetch->private->info, (m))
97 #define QTRACE(m) isc_log_write(dns_lctx, \
98 DNS_LOGCATEGORY_RESOLVER, \
99 DNS_LOGMODULE_RESOLVER, \
101 "resquery %p (fctx %p(%s)): %s", \
102 query, query->fctx, \
103 query->fctx->info, (m))
106 #define RRTRACE(r, m)
108 #define FCTXTRACE2(m1, m2)
113 #define US_PER_SEC 1000000U
115 * The maximum time we will wait for a single query.
117 #define MAX_SINGLE_QUERY_TIMEOUT 9U
118 #define MAX_SINGLE_QUERY_TIMEOUT_US (MAX_SINGLE_QUERY_TIMEOUT*US_PER_SEC)
121 * We need to allow a individual query time to complete / timeout.
123 #define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U)
125 /* The default time in seconds for the whole query to live. */
126 #ifndef DEFAULT_QUERY_TIMEOUT
127 #define DEFAULT_QUERY_TIMEOUT MINIMUM_QUERY_TIMEOUT
130 #ifndef MAXIMUM_QUERY_TIMEOUT
131 #define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */
134 /* The default maximum number of recursions to follow before giving up. */
135 #ifndef DEFAULT_RECURSION_DEPTH
136 #define DEFAULT_RECURSION_DEPTH 7
139 /* The default maximum number of iterative queries to allow before giving up. */
140 #ifndef DEFAULT_MAX_QUERIES
141 #define DEFAULT_MAX_QUERIES 50
145 * Maximum EDNS0 input packet size.
147 #define RECV_BUFFER_SIZE 4096 /* XXXRTH Constant. */
151 * This defines the maximum number of timeouts we will permit before we
152 * disable EDNS0 on the query.
154 #define MAX_EDNS0_TIMEOUTS 3
156 typedef struct fetchctx fetchctx_t;
158 typedef struct query {
159 /* Locked by task event serialization. */
163 dns_dispatchmgr_t * dispatchmgr;
164 dns_dispatch_t * dispatch;
165 isc_boolean_t exclusivesocket;
166 dns_adbaddrinfo_t * addrinfo;
167 isc_socket_t * tcpsocket;
170 dns_dispentry_t * dispentry;
171 ISC_LINK(struct query) link;
174 dns_tsigkey_t *tsigkey;
175 isc_socketevent_t sendevent;
176 unsigned int options;
177 unsigned int attributes;
179 unsigned int connects;
180 unsigned char data[512];
183 #define QUERY_MAGIC ISC_MAGIC('Q', '!', '!', '!')
184 #define VALID_QUERY(query) ISC_MAGIC_VALID(query, QUERY_MAGIC)
186 #define RESQUERY_ATTR_CANCELED 0x02
188 #define RESQUERY_CONNECTING(q) ((q)->connects > 0)
189 #define RESQUERY_CANCELED(q) (((q)->attributes & \
190 RESQUERY_ATTR_CANCELED) != 0)
191 #define RESQUERY_SENDING(q) ((q)->sends > 0)
194 fetchstate_init = 0, /*%< Start event has not run yet. */
196 fetchstate_done /*%< FETCHDONE events posted. */
200 badns_unreachable = 0,
208 dns_resolver_t * res;
210 dns_rdatatype_t type;
211 unsigned int options;
212 unsigned int bucketnum;
216 /*% Locked by appropriate bucket lock. */
218 isc_boolean_t want_shutdown;
219 isc_boolean_t cloned;
220 isc_boolean_t spilled;
221 unsigned int references;
222 isc_event_t control_event;
223 ISC_LINK(struct fetchctx) link;
224 ISC_LIST(dns_fetchevent_t) events;
225 /*% Locked by task event serialization. */
227 dns_rdataset_t nameservers;
228 unsigned int attributes;
231 isc_interval_t interval;
232 dns_message_t * qmessage;
233 dns_message_t * rmessage;
234 ISC_LIST(resquery_t) queries;
235 dns_adbfindlist_t finds;
236 dns_adbfind_t * find;
237 dns_adbfindlist_t altfinds;
238 dns_adbfind_t * altfind;
239 dns_adbaddrinfolist_t forwaddrs;
240 dns_adbaddrinfolist_t altaddrs;
241 isc_sockaddrlist_t forwarders;
242 dns_fwdpolicy_t fwdpolicy;
243 isc_sockaddrlist_t bad;
244 isc_sockaddrlist_t edns;
245 isc_sockaddrlist_t edns512;
246 isc_sockaddrlist_t bad_edns;
247 dns_validator_t *validator;
248 ISC_LIST(dns_validator_t) validators;
251 isc_boolean_t ns_ttl_ok;
255 * The number of events we're waiting for.
257 unsigned int pending;
260 * The number of times we've "restarted" the current
261 * nameserver set. This acts as a failsafe to prevent
262 * us from pounding constantly on a particular set of
263 * servers that, for whatever reason, are not giving
264 * us useful responses, but are responding in such a
265 * way that they are not marked "bad".
267 unsigned int restarts;
270 * The number of timeouts that have occurred since we
271 * last successfully received a response packet. This
272 * is used for EDNS0 black hole detection.
274 unsigned int timeouts;
277 * Look aside state for DS lookups.
280 dns_fetch_t * nsfetch;
281 dns_rdataset_t nsrrset;
284 * Number of queries that reference this context.
286 unsigned int nqueries;
289 * The reason to print when logging a successful
290 * response to a query.
295 * Random numbers to use for mixing up server addresses.
297 isc_uint32_t rand_buf;
298 isc_uint32_t rand_bits;
301 * Fetch-local statistics for detailed logging.
303 isc_result_t result; /*%< fetch result */
304 isc_result_t vresult; /*%< validation result */
307 isc_uint64_t duration;
308 isc_boolean_t logged;
309 unsigned int querysent;
310 unsigned int totalqueries;
311 unsigned int referrals;
312 unsigned int lamecount;
314 unsigned int badresp;
316 unsigned int findfail;
317 unsigned int valfail;
318 isc_boolean_t timeout;
319 dns_adbaddrinfo_t *addrinfo;
320 isc_sockaddr_t *client;
324 #define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
325 #define VALID_FCTX(fctx) ISC_MAGIC_VALID(fctx, FCTX_MAGIC)
327 #define FCTX_ATTR_HAVEANSWER 0x0001
328 #define FCTX_ATTR_GLUING 0x0002
329 #define FCTX_ATTR_ADDRWAIT 0x0004
330 #define FCTX_ATTR_SHUTTINGDOWN 0x0008
331 #define FCTX_ATTR_WANTCACHE 0x0010
332 #define FCTX_ATTR_WANTNCACHE 0x0020
333 #define FCTX_ATTR_NEEDEDNS0 0x0040
334 #define FCTX_ATTR_TRIEDFIND 0x0080
335 #define FCTX_ATTR_TRIEDALT 0x0100
337 #define HAVE_ANSWER(f) (((f)->attributes & FCTX_ATTR_HAVEANSWER) != \
339 #define GLUING(f) (((f)->attributes & FCTX_ATTR_GLUING) != \
341 #define ADDRWAIT(f) (((f)->attributes & FCTX_ATTR_ADDRWAIT) != \
343 #define SHUTTINGDOWN(f) (((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \
345 #define WANTCACHE(f) (((f)->attributes & FCTX_ATTR_WANTCACHE) != 0)
346 #define WANTNCACHE(f) (((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0)
347 #define NEEDEDNS0(f) (((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0)
348 #define TRIEDFIND(f) (((f)->attributes & FCTX_ATTR_TRIEDFIND) != 0)
349 #define TRIEDALT(f) (((f)->attributes & FCTX_ATTR_TRIEDALT) != 0)
352 dns_adbaddrinfo_t * addrinfo;
358 fetchctx_t * private;
361 #define DNS_FETCH_MAGIC ISC_MAGIC('F', 't', 'c', 'h')
362 #define DNS_FETCH_VALID(fetch) ISC_MAGIC_VALID(fetch, DNS_FETCH_MAGIC)
364 typedef struct fctxbucket {
367 ISC_LIST(fetchctx_t) fctxs;
368 isc_boolean_t exiting;
372 typedef struct alternate {
373 isc_boolean_t isaddress;
381 ISC_LINK(struct alternate) link;
384 typedef struct dns_badcache dns_badcache_t;
385 struct dns_badcache {
386 dns_badcache_t * next;
387 dns_rdatatype_t type;
389 unsigned int hashval;
392 #define DNS_BADCACHE_SIZE 1021
393 #define DNS_BADCACHE_TTL(fctx) \
394 (((fctx)->res->lame_ttl > 30 ) ? (fctx)->res->lame_ttl : 30)
396 struct dns_resolver {
402 isc_mutex_t primelock;
403 dns_rdataclass_t rdclass;
404 isc_socketmgr_t * socketmgr;
405 isc_timermgr_t * timermgr;
406 isc_taskmgr_t * taskmgr;
408 isc_boolean_t frozen;
409 unsigned int options;
410 dns_dispatchmgr_t * dispatchmgr;
411 dns_dispatchset_t * dispatches4;
412 isc_boolean_t exclusivev4;
413 dns_dispatchset_t * dispatches6;
414 isc_boolean_t exclusivev6;
415 unsigned int nbuckets;
416 fctxbucket_t * buckets;
417 isc_uint32_t lame_ttl;
418 ISC_LIST(alternate_t) alternates;
419 isc_uint16_t udpsize;
421 isc_rwlock_t alglock;
423 dns_rbt_t * algorithms;
425 isc_rwlock_t mbslock;
427 dns_rbt_t * mustbesecure;
428 unsigned int spillatmax;
429 unsigned int spillatmin;
430 isc_timer_t * spillattimer;
431 isc_boolean_t zero_no_soa_ttl;
432 unsigned int query_timeout;
433 unsigned int maxdepth;
435 /* Locked by lock. */
436 unsigned int references;
437 isc_boolean_t exiting;
438 isc_eventlist_t whenshutdown;
439 unsigned int activebuckets;
440 isc_boolean_t priming;
441 unsigned int spillat; /* clients-per-query */
444 dns_badcache_t ** badcache;
445 unsigned int badcount;
446 unsigned int badhash;
447 unsigned int badsweep;
449 /* Locked by primelock. */
450 dns_fetch_t * primefetch;
451 /* Locked by nlock. */
455 #define RES_MAGIC ISC_MAGIC('R', 'e', 's', '!')
456 #define VALID_RESOLVER(res) ISC_MAGIC_VALID(res, RES_MAGIC)
459 * Private addrinfo flags. These must not conflict with DNS_FETCHOPT_NOEDNS0,
460 * which we also use as an addrinfo flag.
462 #define FCTX_ADDRINFO_MARK 0x0001
463 #define FCTX_ADDRINFO_FORWARDER 0x1000
464 #define FCTX_ADDRINFO_TRIED 0x2000
465 #define UNMARKED(a) (((a)->flags & FCTX_ADDRINFO_MARK) \
467 #define ISFORWARDER(a) (((a)->flags & \
468 FCTX_ADDRINFO_FORWARDER) != 0)
469 #define TRIED(a) (((a)->flags & \
470 FCTX_ADDRINFO_TRIED) != 0)
472 #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
473 #define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
475 static void destroy(dns_resolver_t *res);
476 static void empty_bucket(dns_resolver_t *res);
477 static isc_result_t resquery_send(resquery_t *query);
478 static void resquery_response(isc_task_t *task, isc_event_t *event);
479 static void resquery_connected(isc_task_t *task, isc_event_t *event);
480 static void fctx_try(fetchctx_t *fctx, isc_boolean_t retrying,
481 isc_boolean_t badcache);
482 static void fctx_destroy(fetchctx_t *fctx);
483 static isc_boolean_t fctx_unlink(fetchctx_t *fctx);
484 static isc_result_t ncache_adderesult(dns_message_t *message,
485 dns_db_t *cache, dns_dbnode_t *node,
486 dns_rdatatype_t covers,
487 isc_stdtime_t now, dns_ttl_t maxttl,
488 isc_boolean_t optout,
489 isc_boolean_t secure,
490 dns_rdataset_t *ardataset,
491 isc_result_t *eresultp);
492 static void validated(isc_task_t *task, isc_event_t *event);
493 static isc_boolean_t maybe_destroy(fetchctx_t *fctx, isc_boolean_t locked);
494 static void add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
495 isc_result_t reason, badnstype_t badtype);
496 static inline isc_result_t findnoqname(fetchctx_t *fctx, dns_name_t *name,
497 dns_rdatatype_t type,
498 dns_name_t **noqname);
501 * Increment resolver-related statistics counters.
504 inc_stats(dns_resolver_t *res, isc_statscounter_t counter) {
505 if (res->view->resstats != NULL)
506 isc_stats_increment(res->view->resstats, counter);
510 valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
511 dns_rdatatype_t type, dns_rdataset_t *rdataset,
512 dns_rdataset_t *sigrdataset, unsigned int valoptions,
515 dns_validator_t *validator = NULL;
516 dns_valarg_t *valarg;
519 valarg = isc_mem_get(fctx->mctx, sizeof(*valarg));
521 return (ISC_R_NOMEMORY);
524 valarg->addrinfo = addrinfo;
526 if (!ISC_LIST_EMPTY(fctx->validators))
527 valoptions |= DNS_VALIDATOR_DEFER;
529 valoptions &= ~DNS_VALIDATOR_DEFER;
531 result = dns_validator_create(fctx->res->view, name, type, rdataset,
532 sigrdataset, fctx->rmessage,
533 valoptions, task, validated, valarg,
535 if (result == ISC_R_SUCCESS) {
536 inc_stats(fctx->res, dns_resstatscounter_val);
537 if ((valoptions & DNS_VALIDATOR_DEFER) == 0) {
538 INSIST(fctx->validator == NULL);
539 fctx->validator = validator;
541 ISC_LIST_APPEND(fctx->validators, validator, link);
543 isc_mem_put(fctx->mctx, valarg, sizeof(*valarg));
548 rrsig_fromchildzone(fetchctx_t *fctx, dns_rdataset_t *rdataset) {
549 dns_namereln_t namereln;
550 dns_rdata_rrsig_t rrsig;
551 dns_rdata_t rdata = DNS_RDATA_INIT;
556 for (result = dns_rdataset_first(rdataset);
557 result == ISC_R_SUCCESS;
558 result = dns_rdataset_next(rdataset)) {
559 dns_rdataset_current(rdataset, &rdata);
560 result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
561 RUNTIME_CHECK(result == ISC_R_SUCCESS);
562 namereln = dns_name_fullcompare(&rrsig.signer, &fctx->domain,
564 if (namereln == dns_namereln_subdomain)
566 dns_rdata_reset(&rdata);
572 fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
574 dns_name_t *domain = &fctx->domain;
575 dns_rdataset_t *rdataset;
576 dns_rdatatype_t type;
578 isc_boolean_t keep_auth = ISC_FALSE;
580 if (message->rcode == dns_rcode_nxdomain)
584 * A DS RRset can appear anywhere in a zone, even for a delegation-only
585 * zone. So a response to an explicit query for this type should be
586 * excluded from delegation-only fixup.
588 * SOA, NS, and DNSKEY can only exist at a zone apex, so a postive
589 * response to a query for these types can never violate the
590 * delegation-only assumption: if the query name is below a
591 * zone cut, the response should normally be a referral, which should
592 * be accepted; if the query name is below a zone cut but the server
593 * happens to have authority for the zone of the query name, the
594 * response is a (non-referral) answer. But this does not violate
595 * delegation-only because the query name must be in a different zone
596 * due to the "apex-only" nature of these types. Note that if the
597 * remote server happens to have authority for a child zone of a
598 * delegation-only zone, we may still incorrectly "fix" the response
599 * with NXDOMAIN for queries for other types. Unfortunately it's
600 * generally impossible to differentiate this case from violation of
601 * the delegation-only assumption. Once the resolver learns the
602 * correct zone cut, possibly via a separate query for an "apex-only"
603 * type, queries for other types will be resolved correctly.
605 * A query for type ANY will be accepted if it hits an exceptional
606 * type above in the answer section as it should be from a child
609 * Also accept answers with RRSIG records from the child zone.
610 * Direct queries for RRSIG records should not be answered from
614 if (message->counts[DNS_SECTION_ANSWER] != 0 &&
615 (fctx->type == dns_rdatatype_ns ||
616 fctx->type == dns_rdatatype_ds ||
617 fctx->type == dns_rdatatype_soa ||
618 fctx->type == dns_rdatatype_any ||
619 fctx->type == dns_rdatatype_rrsig ||
620 fctx->type == dns_rdatatype_dnskey)) {
621 result = dns_message_firstname(message, DNS_SECTION_ANSWER);
622 while (result == ISC_R_SUCCESS) {
624 dns_message_currentname(message, DNS_SECTION_ANSWER,
626 for (rdataset = ISC_LIST_HEAD(name->list);
628 rdataset = ISC_LIST_NEXT(rdataset, link)) {
629 if (!dns_name_equal(name, &fctx->name))
631 type = rdataset->type;
635 if (type == dns_rdatatype_rrsig &&
636 rrsig_fromchildzone(fctx, rdataset))
639 * Direct query for apex records or DS.
641 if (fctx->type == type &&
642 (type == dns_rdatatype_ds ||
643 type == dns_rdatatype_ns ||
644 type == dns_rdatatype_soa ||
645 type == dns_rdatatype_dnskey))
648 * Indirect query for apex records or DS.
650 if (fctx->type == dns_rdatatype_any &&
651 (type == dns_rdatatype_ns ||
652 type == dns_rdatatype_ds ||
653 type == dns_rdatatype_soa ||
654 type == dns_rdatatype_dnskey))
657 result = dns_message_nextname(message,
663 * A NODATA response to a DS query?
665 if (fctx->type == dns_rdatatype_ds &&
666 message->counts[DNS_SECTION_ANSWER] == 0)
669 /* Look for referral or indication of answer from child zone? */
670 if (message->counts[DNS_SECTION_AUTHORITY] == 0)
673 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
674 while (result == ISC_R_SUCCESS) {
676 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
677 for (rdataset = ISC_LIST_HEAD(name->list);
679 rdataset = ISC_LIST_NEXT(rdataset, link)) {
680 type = rdataset->type;
681 if (type == dns_rdatatype_soa &&
682 dns_name_equal(name, domain))
683 keep_auth = ISC_TRUE;
685 if (type != dns_rdatatype_ns &&
686 type != dns_rdatatype_soa &&
687 type != dns_rdatatype_rrsig)
690 if (type == dns_rdatatype_rrsig) {
691 if (rrsig_fromchildzone(fctx, rdataset))
697 /* NS or SOA records. */
698 if (dns_name_equal(name, domain)) {
700 * If a query for ANY causes a negative
701 * response, we can be sure that this is
702 * an empty node. For other type of queries
703 * we cannot differentiate an empty node
704 * from a node that just doesn't have that
705 * type of record. We only accept the former
708 if (message->counts[DNS_SECTION_ANSWER] == 0 &&
709 fctx->type == dns_rdatatype_any)
711 } else if (dns_name_issubdomain(name, domain)) {
712 /* Referral or answer from child zone. */
716 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
720 message->rcode = dns_rcode_nxdomain;
721 message->counts[DNS_SECTION_ANSWER] = 0;
723 message->counts[DNS_SECTION_AUTHORITY] = 0;
724 message->counts[DNS_SECTION_ADDITIONAL] = 0;
728 static inline isc_result_t
729 fctx_starttimer(fetchctx_t *fctx) {
731 * Start the lifetime timer for fctx.
733 * This is also used for stopping the idle timer; in that
734 * case we must purge events already posted to ensure that
735 * no further idle events are delivered.
737 return (isc_timer_reset(fctx->timer, isc_timertype_once,
738 &fctx->expires, NULL, ISC_TRUE));
742 fctx_stoptimer(fetchctx_t *fctx) {
746 * We don't return a result if resetting the timer to inactive fails
747 * since there's nothing to be done about it. Resetting to inactive
748 * should never fail anyway, since the code as currently written
749 * cannot fail in that case.
751 result = isc_timer_reset(fctx->timer, isc_timertype_inactive,
752 NULL, NULL, ISC_TRUE);
753 if (result != ISC_R_SUCCESS) {
754 UNEXPECTED_ERROR(__FILE__, __LINE__,
755 "isc_timer_reset(): %s",
756 isc_result_totext(result));
761 static inline isc_result_t
762 fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) {
764 * Start the idle timer for fctx. The lifetime timer continues
767 return (isc_timer_reset(fctx->timer, isc_timertype_once,
768 &fctx->expires, interval, ISC_FALSE));
772 * Stopping the idle timer is equivalent to calling fctx_starttimer(), but
773 * we use fctx_stopidletimer for readability in the code below.
775 #define fctx_stopidletimer fctx_starttimer
779 resquery_destroy(resquery_t **queryp) {
782 REQUIRE(queryp != NULL);
784 REQUIRE(!ISC_LINK_LINKED(query, link));
786 INSIST(query->tcpsocket == NULL);
788 query->fctx->nqueries--;
789 if (SHUTTINGDOWN(query->fctx)) {
790 dns_resolver_t *res = query->fctx->res;
791 if (maybe_destroy(query->fctx, ISC_FALSE))
795 isc_mem_put(query->mctx, query, sizeof(*query));
800 fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
801 isc_time_t *finish, isc_boolean_t no_response)
805 unsigned int rtt, rttms;
808 dns_adbaddrinfo_t *addrinfo;
809 isc_socket_t *socket;
814 FCTXTRACE("cancelquery");
816 REQUIRE(!RESQUERY_CANCELED(query));
818 query->attributes |= RESQUERY_ATTR_CANCELED;
821 * Should we update the RTT?
823 if (finish != NULL || no_response) {
824 if (finish != NULL) {
826 * We have both the start and finish times for this
827 * packet, so we can compute a real RTT.
829 rtt = (unsigned int)isc_time_microdiff(finish,
831 factor = DNS_ADB_RTTADJDEFAULT;
834 if (rttms < DNS_RESOLVER_QRYRTTCLASS0) {
836 dns_resstatscounter_queryrtt0);
837 } else if (rttms < DNS_RESOLVER_QRYRTTCLASS1) {
839 dns_resstatscounter_queryrtt1);
840 } else if (rttms < DNS_RESOLVER_QRYRTTCLASS2) {
842 dns_resstatscounter_queryrtt2);
843 } else if (rttms < DNS_RESOLVER_QRYRTTCLASS3) {
845 dns_resstatscounter_queryrtt3);
846 } else if (rttms < DNS_RESOLVER_QRYRTTCLASS4) {
848 dns_resstatscounter_queryrtt4);
851 dns_resstatscounter_queryrtt5);
855 * We don't have an RTT for this query. Maybe the
856 * packet was lost, or maybe this server is very
857 * slow. We don't know. Increase the RTT.
860 rtt = query->addrinfo->srtt + 200000;
861 if (rtt > MAX_SINGLE_QUERY_TIMEOUT_US)
862 rtt = MAX_SINGLE_QUERY_TIMEOUT_US;
864 * Replace the current RTT with our value.
866 factor = DNS_ADB_RTTADJREPLACE;
868 dns_adb_adjustsrtt(fctx->adb, query->addrinfo, rtt, factor);
871 /* Remember that the server has been tried. */
872 if (!TRIED(query->addrinfo)) {
873 dns_adb_changeflags(fctx->adb, query->addrinfo,
874 FCTX_ADDRINFO_TRIED, FCTX_ADDRINFO_TRIED);
878 * Age RTTs of servers not tried.
880 factor = DNS_ADB_RTTADJAGE;
882 for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
884 addrinfo = ISC_LIST_NEXT(addrinfo, publink))
885 if (UNMARKED(addrinfo))
886 dns_adb_adjustsrtt(fctx->adb, addrinfo,
889 if (finish != NULL && TRIEDFIND(fctx))
890 for (find = ISC_LIST_HEAD(fctx->finds);
892 find = ISC_LIST_NEXT(find, publink))
893 for (addrinfo = ISC_LIST_HEAD(find->list);
895 addrinfo = ISC_LIST_NEXT(addrinfo, publink))
896 if (UNMARKED(addrinfo))
897 dns_adb_adjustsrtt(fctx->adb, addrinfo,
900 if (finish != NULL && TRIEDALT(fctx)) {
901 for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
903 addrinfo = ISC_LIST_NEXT(addrinfo, publink))
904 if (UNMARKED(addrinfo))
905 dns_adb_adjustsrtt(fctx->adb, addrinfo,
907 for (find = ISC_LIST_HEAD(fctx->altfinds);
909 find = ISC_LIST_NEXT(find, publink))
910 for (addrinfo = ISC_LIST_HEAD(find->list);
912 addrinfo = ISC_LIST_NEXT(addrinfo, publink))
913 if (UNMARKED(addrinfo))
914 dns_adb_adjustsrtt(fctx->adb, addrinfo,
919 * Check for any outstanding socket events. If they exist, cancel
920 * them and let the event handlers finish the cleanup. The resolver
921 * only needs to worry about managing the connect and send events;
922 * the dispatcher manages the recv events.
924 if (RESQUERY_CONNECTING(query)) {
926 * Cancel the connect.
928 if (query->tcpsocket != NULL) {
929 isc_socket_cancel(query->tcpsocket, NULL,
930 ISC_SOCKCANCEL_CONNECT);
931 } else if (query->dispentry != NULL) {
932 INSIST(query->exclusivesocket);
933 socket = dns_dispatch_getentrysocket(query->dispentry);
935 isc_socket_cancel(socket, NULL,
936 ISC_SOCKCANCEL_CONNECT);
938 } else if (RESQUERY_SENDING(query)) {
940 * Cancel the pending send.
942 if (query->exclusivesocket && query->dispentry != NULL)
943 socket = dns_dispatch_getentrysocket(query->dispentry);
945 socket = dns_dispatch_getsocket(query->dispatch);
947 isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_SEND);
950 if (query->dispentry != NULL)
951 dns_dispatch_removeresponse(&query->dispentry, deventp);
953 ISC_LIST_UNLINK(fctx->queries, query, link);
955 if (query->tsig != NULL)
956 isc_buffer_free(&query->tsig);
958 if (query->tsigkey != NULL)
959 dns_tsigkey_detach(&query->tsigkey);
961 if (query->dispatch != NULL)
962 dns_dispatch_detach(&query->dispatch);
964 if (! (RESQUERY_CONNECTING(query) || RESQUERY_SENDING(query)))
966 * It's safe to destroy the query now.
968 resquery_destroy(&query);
972 fctx_cancelqueries(fetchctx_t *fctx, isc_boolean_t no_response) {
973 resquery_t *query, *next_query;
975 FCTXTRACE("cancelqueries");
977 for (query = ISC_LIST_HEAD(fctx->queries);
979 query = next_query) {
980 next_query = ISC_LIST_NEXT(query, link);
981 fctx_cancelquery(&query, NULL, NULL, no_response);
986 fctx_cleanupfinds(fetchctx_t *fctx) {
987 dns_adbfind_t *find, *next_find;
989 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
991 for (find = ISC_LIST_HEAD(fctx->finds);
994 next_find = ISC_LIST_NEXT(find, publink);
995 ISC_LIST_UNLINK(fctx->finds, find, publink);
996 dns_adb_destroyfind(&find);
1002 fctx_cleanupaltfinds(fetchctx_t *fctx) {
1003 dns_adbfind_t *find, *next_find;
1005 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
1007 for (find = ISC_LIST_HEAD(fctx->altfinds);
1010 next_find = ISC_LIST_NEXT(find, publink);
1011 ISC_LIST_UNLINK(fctx->altfinds, find, publink);
1012 dns_adb_destroyfind(&find);
1014 fctx->altfind = NULL;
1018 fctx_cleanupforwaddrs(fetchctx_t *fctx) {
1019 dns_adbaddrinfo_t *addr, *next_addr;
1021 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
1023 for (addr = ISC_LIST_HEAD(fctx->forwaddrs);
1026 next_addr = ISC_LIST_NEXT(addr, publink);
1027 ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink);
1028 dns_adb_freeaddrinfo(fctx->adb, &addr);
1033 fctx_cleanupaltaddrs(fetchctx_t *fctx) {
1034 dns_adbaddrinfo_t *addr, *next_addr;
1036 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
1038 for (addr = ISC_LIST_HEAD(fctx->altaddrs);
1041 next_addr = ISC_LIST_NEXT(addr, publink);
1042 ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
1043 dns_adb_freeaddrinfo(fctx->adb, &addr);
1048 fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response) {
1049 FCTXTRACE("stopeverything");
1050 fctx_cancelqueries(fctx, no_response);
1051 fctx_cleanupfinds(fctx);
1052 fctx_cleanupaltfinds(fctx);
1053 fctx_cleanupforwaddrs(fctx);
1054 fctx_cleanupaltaddrs(fctx);
1055 fctx_stoptimer(fctx);
1059 fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
1060 dns_fetchevent_t *event, *next_event;
1062 unsigned int count = 0;
1064 isc_boolean_t logit = ISC_FALSE;
1066 unsigned int old_spillat;
1067 unsigned int new_spillat = 0; /* initialized to silence
1068 compiler warnings */
1071 * Caller must be holding the appropriate bucket lock.
1073 REQUIRE(fctx->state == fetchstate_done);
1075 FCTXTRACE("sendevents");
1078 * Keep some record of fetch result for logging later (if required).
1080 fctx->result = result;
1081 fctx->exitline = line;
1083 fctx->duration = isc_time_microdiff(&now, &fctx->start);
1085 for (event = ISC_LIST_HEAD(fctx->events);
1087 event = next_event) {
1088 next_event = ISC_LIST_NEXT(event, ev_link);
1089 ISC_LIST_UNLINK(fctx->events, event, ev_link);
1090 task = event->ev_sender;
1091 event->ev_sender = fctx;
1092 event->vresult = fctx->vresult;
1093 if (!HAVE_ANSWER(fctx))
1094 event->result = result;
1096 INSIST(result != ISC_R_SUCCESS ||
1097 dns_rdataset_isassociated(event->rdataset) ||
1098 fctx->type == dns_rdatatype_any ||
1099 fctx->type == dns_rdatatype_rrsig ||
1100 fctx->type == dns_rdatatype_sig);
1103 * Negative results must be indicated in event->result.
1105 if (dns_rdataset_isassociated(event->rdataset) &&
1106 NEGATIVE(event->rdataset)) {
1107 INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
1108 event->result == DNS_R_NCACHENXRRSET);
1111 event->qtotal = fctx->totalqueries;
1112 isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
1116 if ((fctx->attributes & FCTX_ATTR_HAVEANSWER) != 0 &&
1118 (count < fctx->res->spillatmax || fctx->res->spillatmax == 0)) {
1119 LOCK(&fctx->res->lock);
1120 if (count == fctx->res->spillat && !fctx->res->exiting) {
1121 old_spillat = fctx->res->spillat;
1122 fctx->res->spillat += 5;
1123 if (fctx->res->spillat > fctx->res->spillatmax &&
1124 fctx->res->spillatmax != 0)
1125 fctx->res->spillat = fctx->res->spillatmax;
1126 new_spillat = fctx->res->spillat;
1127 if (new_spillat != old_spillat) {
1130 isc_interval_set(&i, 20 * 60, 0);
1131 result = isc_timer_reset(fctx->res->spillattimer,
1132 isc_timertype_ticker, NULL,
1134 RUNTIME_CHECK(result == ISC_R_SUCCESS);
1136 UNLOCK(&fctx->res->lock);
1138 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
1139 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
1140 "clients-per-query increased to %u",
1146 log_edns(fetchctx_t *fctx) {
1147 char domainbuf[DNS_NAME_FORMATSIZE];
1149 if (fctx->reason == NULL)
1153 * We do not know if fctx->domain is the actual domain the record
1154 * lives in or a parent domain so we have a '?' after it.
1156 dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
1157 isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
1158 DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
1159 "success resolving '%s' (in '%s'?) after %s",
1160 fctx->info, domainbuf, fctx->reason);
1162 fctx->reason = NULL;
1166 fctx_done(fetchctx_t *fctx, isc_result_t result, int line) {
1167 dns_resolver_t *res;
1168 isc_boolean_t no_response;
1176 if (result == ISC_R_SUCCESS) {
1178 * Log any deferred EDNS timeout messages.
1181 no_response = ISC_TRUE;
1183 no_response = ISC_FALSE;
1185 fctx->reason = NULL;
1186 fctx_stopeverything(fctx, no_response);
1188 LOCK(&res->buckets[fctx->bucketnum].lock);
1190 fctx->state = fetchstate_done;
1191 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
1192 fctx_sendevents(fctx, result, line);
1194 UNLOCK(&res->buckets[fctx->bucketnum].lock);
1198 process_sendevent(resquery_t *query, isc_event_t *event) {
1199 isc_socketevent_t *sevent = (isc_socketevent_t *)event;
1200 isc_boolean_t retry = ISC_FALSE;
1201 isc_result_t result;
1206 if (RESQUERY_CANCELED(query)) {
1207 if (query->sends == 0 && query->connects == 0) {
1209 * This query was canceled while the
1210 * isc_socket_sendto/connect() was in progress.
1212 if (query->tcpsocket != NULL)
1213 isc_socket_detach(&query->tcpsocket);
1214 resquery_destroy(&query);
1217 switch (sevent->result) {
1221 case ISC_R_HOSTUNREACH:
1222 case ISC_R_NETUNREACH:
1224 case ISC_R_ADDRNOTAVAIL:
1225 case ISC_R_CONNREFUSED:
1228 * No route to remote.
1230 add_bad(fctx, query->addrinfo, sevent->result,
1232 fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
1237 fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
1242 if (event->ev_type == ISC_SOCKEVENT_CONNECT)
1243 isc_event_free(&event);
1247 * Behave as if the idle timer has expired. For TCP
1248 * this may not actually reflect the latest timer.
1250 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
1251 result = fctx_stopidletimer(fctx);
1252 if (result != ISC_R_SUCCESS)
1253 fctx_done(fctx, result, __LINE__);
1255 fctx_try(fctx, ISC_TRUE, ISC_FALSE);
1260 resquery_udpconnected(isc_task_t *task, isc_event_t *event) {
1261 resquery_t *query = event->ev_arg;
1263 REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
1265 QTRACE("udpconnected");
1269 INSIST(RESQUERY_CONNECTING(query));
1273 process_sendevent(query, event);
1277 resquery_senddone(isc_task_t *task, isc_event_t *event) {
1278 resquery_t *query = event->ev_arg;
1280 REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
1287 * Currently we don't wait for the senddone event before retrying
1288 * a query. This means that if we get really behind, we may end
1289 * up doing extra work!
1294 INSIST(RESQUERY_SENDING(query));
1298 process_sendevent(query, event);
1301 static inline isc_result_t
1302 fctx_addopt(dns_message_t *message, unsigned int version,
1303 isc_uint16_t udpsize, dns_ednsopt_t *ednsopts, size_t count)
1305 dns_rdataset_t *rdataset = NULL;
1306 isc_result_t result;
1308 result = dns_message_buildopt(message, &rdataset, version, udpsize,
1309 DNS_MESSAGEEXTFLAG_DO, ednsopts, count);
1310 if (result != ISC_R_SUCCESS)
1312 return (dns_message_setopt(message, rdataset));
1316 fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
1317 unsigned int seconds;
1321 * We retry every .8 seconds the first two times through the address
1322 * list, and then we do exponential back-off.
1324 if (fctx->restarts < 3)
1327 us = (800000 << (fctx->restarts - 2));
1330 * Add a fudge factor to the expected rtt based on the current
1335 else if (rtt < 100000)
1341 * Always wait for at least the expected rtt.
1347 * But don't ever wait for more than 10 seconds.
1349 if (us > MAX_SINGLE_QUERY_TIMEOUT_US)
1350 us = MAX_SINGLE_QUERY_TIMEOUT_US;
1352 seconds = us / US_PER_SEC;
1353 us -= seconds * US_PER_SEC;
1354 isc_interval_set(&fctx->interval, seconds, us * 1000);
1358 fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
1359 unsigned int options)
1361 dns_resolver_t *res;
1363 isc_result_t result;
1365 isc_sockaddr_t addr;
1366 isc_boolean_t have_addr = ISC_FALSE;
1372 task = res->buckets[fctx->bucketnum].task;
1374 srtt = addrinfo->srtt;
1377 * A forwarder needs to make multiple queries. Give it at least
1378 * a second to do these in.
1380 if (ISFORWARDER(addrinfo) && srtt < 1000000)
1383 fctx_setretryinterval(fctx, srtt);
1384 result = fctx_startidletimer(fctx, &fctx->interval);
1385 if (result != ISC_R_SUCCESS)
1388 INSIST(ISC_LIST_EMPTY(fctx->validators));
1390 dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
1392 query = isc_mem_get(fctx->mctx, sizeof(*query));
1393 if (query == NULL) {
1394 result = ISC_R_NOMEMORY;
1395 goto stop_idle_timer;
1397 query->mctx = fctx->mctx;
1398 query->options = options;
1399 query->attributes = 0;
1401 query->connects = 0;
1403 * Note that the caller MUST guarantee that 'addrinfo' will remain
1404 * valid until this query is canceled.
1406 query->addrinfo = addrinfo;
1407 TIME_NOW(&query->start);
1410 * If this is a TCP query, then we need to make a socket and
1411 * a dispatch for it here. Otherwise we use the resolver's
1414 query->dispatchmgr = res->dispatchmgr;
1415 query->dispatch = NULL;
1416 query->exclusivesocket = ISC_FALSE;
1417 query->tcpsocket = NULL;
1418 if (res->view->peers != NULL) {
1419 dns_peer_t *peer = NULL;
1420 isc_netaddr_t dstip;
1421 isc_netaddr_fromsockaddr(&dstip, &addrinfo->sockaddr);
1422 result = dns_peerlist_peerbyaddr(res->view->peers,
1424 if (result == ISC_R_SUCCESS) {
1425 result = dns_peer_getquerysource(peer, &addr);
1426 if (result == ISC_R_SUCCESS)
1427 have_addr = ISC_TRUE;
1431 if ((query->options & DNS_FETCHOPT_TCP) != 0) {
1434 pf = isc_sockaddr_pf(&addrinfo->sockaddr);
1438 result = dns_dispatch_getlocaladdress(
1439 res->dispatches4->dispatches[0],
1443 result = dns_dispatch_getlocaladdress(
1444 res->dispatches6->dispatches[0],
1448 result = ISC_R_NOTIMPLEMENTED;
1451 if (result != ISC_R_SUCCESS)
1454 isc_sockaddr_setport(&addr, 0);
1456 result = isc_socket_create(res->socketmgr, pf,
1459 if (result != ISC_R_SUCCESS)
1462 #ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
1463 result = isc_socket_bind(query->tcpsocket, &addr, 0);
1464 if (result != ISC_R_SUCCESS)
1465 goto cleanup_socket;
1469 * A dispatch will be created once the connect succeeds.
1473 unsigned int attrs, attrmask;
1474 attrs = DNS_DISPATCHATTR_UDP;
1475 switch (isc_sockaddr_pf(&addr)) {
1477 attrs |= DNS_DISPATCHATTR_IPV4;
1480 attrs |= DNS_DISPATCHATTR_IPV6;
1483 result = ISC_R_NOTIMPLEMENTED;
1486 attrmask = DNS_DISPATCHATTR_UDP;
1487 attrmask |= DNS_DISPATCHATTR_TCP;
1488 attrmask |= DNS_DISPATCHATTR_IPV4;
1489 attrmask |= DNS_DISPATCHATTR_IPV6;
1490 result = dns_dispatch_getudp(res->dispatchmgr,
1492 res->taskmgr, &addr,
1493 4096, 1000, 32768, 16411,
1494 16433, attrs, attrmask,
1496 if (result != ISC_R_SUCCESS)
1499 switch (isc_sockaddr_pf(&addrinfo->sockaddr)) {
1501 dns_dispatch_attach(
1502 dns_resolver_dispatchv4(res),
1504 query->exclusivesocket = res->exclusivev4;
1507 dns_dispatch_attach(
1508 dns_resolver_dispatchv6(res),
1510 query->exclusivesocket = res->exclusivev6;
1513 result = ISC_R_NOTIMPLEMENTED;
1518 * We should always have a valid dispatcher here. If we
1519 * don't support a protocol family, then its dispatcher
1520 * will be NULL, but we shouldn't be finding addresses for
1521 * protocol types we don't support, so the dispatcher
1522 * we found should never be NULL.
1524 INSIST(query->dispatch != NULL);
1527 query->dispentry = NULL;
1530 query->tsigkey = NULL;
1531 ISC_LINK_INIT(query, link);
1532 query->magic = QUERY_MAGIC;
1534 if ((query->options & DNS_FETCHOPT_TCP) != 0) {
1536 * Connect to the remote server.
1538 * XXXRTH Should we attach to the socket?
1540 result = isc_socket_connect(query->tcpsocket,
1541 &addrinfo->sockaddr, task,
1542 resquery_connected, query);
1543 if (result != ISC_R_SUCCESS)
1544 goto cleanup_socket;
1546 QTRACE("connecting via TCP");
1548 result = resquery_send(query);
1549 if (result != ISC_R_SUCCESS)
1550 goto cleanup_dispatch;
1554 fctx->totalqueries++;
1556 ISC_LIST_APPEND(fctx->queries, query, link);
1557 query->fctx->nqueries++;
1558 if (isc_sockaddr_pf(&addrinfo->sockaddr) == PF_INET)
1559 inc_stats(res, dns_resstatscounter_queryv4);
1561 inc_stats(res, dns_resstatscounter_queryv6);
1562 if (res->view->resquerystats != NULL)
1563 dns_rdatatypestats_increment(res->view->resquerystats,
1566 return (ISC_R_SUCCESS);
1569 isc_socket_detach(&query->tcpsocket);
1572 if (query->dispatch != NULL)
1573 dns_dispatch_detach(&query->dispatch);
1576 if (query->connects == 0) {
1578 isc_mem_put(fctx->mctx, query, sizeof(*query));
1582 RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS);
1587 static isc_boolean_t
1588 bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
1591 for (sa = ISC_LIST_HEAD(fctx->bad_edns);
1593 sa = ISC_LIST_NEXT(sa, link)) {
1594 if (isc_sockaddr_equal(sa, address))
1602 add_bad_edns(fetchctx_t *fctx, isc_sockaddr_t *address) {
1605 if (bad_edns(fctx, address))
1608 sa = isc_mem_get(fctx->mctx, sizeof(*sa));
1613 ISC_LIST_INITANDAPPEND(fctx->bad_edns, sa, link);
1616 static isc_boolean_t
1617 triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
1620 for (sa = ISC_LIST_HEAD(fctx->edns);
1622 sa = ISC_LIST_NEXT(sa, link)) {
1623 if (isc_sockaddr_equal(sa, address))
1631 add_triededns(fetchctx_t *fctx, isc_sockaddr_t *address) {
1634 if (triededns(fctx, address))
1637 sa = isc_mem_get(fctx->mctx, sizeof(*sa));
1642 ISC_LIST_INITANDAPPEND(fctx->edns, sa, link);
1645 static isc_boolean_t
1646 triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
1649 for (sa = ISC_LIST_HEAD(fctx->edns512);
1651 sa = ISC_LIST_NEXT(sa, link)) {
1652 if (isc_sockaddr_equal(sa, address))
1660 add_triededns512(fetchctx_t *fctx, isc_sockaddr_t *address) {
1663 if (triededns512(fctx, address))
1666 sa = isc_mem_get(fctx->mctx, sizeof(*sa));
1671 ISC_LIST_INITANDAPPEND(fctx->edns512, sa, link);
1675 resquery_send(resquery_t *query) {
1677 isc_result_t result;
1678 dns_name_t *qname = NULL;
1679 dns_rdataset_t *qrdataset = NULL;
1681 dns_resolver_t *res;
1683 isc_socket_t *socket;
1684 isc_buffer_t tcpbuffer;
1685 isc_sockaddr_t *address;
1686 isc_buffer_t *buffer;
1687 isc_netaddr_t ipaddr;
1688 dns_tsigkey_t *tsigkey = NULL;
1689 dns_peer_t *peer = NULL;
1690 isc_boolean_t useedns;
1691 dns_compress_t cctx;
1692 isc_boolean_t cleanup_cctx = ISC_FALSE;
1693 isc_boolean_t secure_domain;
1694 isc_boolean_t connecting = ISC_FALSE;
1695 dns_ednsopt_t ednsopts[EDNSOPTS];
1696 unsigned ednsopt = 0;
1702 task = res->buckets[fctx->bucketnum].task;
1705 if ((query->options & DNS_FETCHOPT_TCP) != 0) {
1707 * Reserve space for the TCP message length.
1709 isc_buffer_init(&tcpbuffer, query->data, sizeof(query->data));
1710 isc_buffer_init(&query->buffer, query->data + 2,
1711 sizeof(query->data) - 2);
1712 buffer = &tcpbuffer;
1714 isc_buffer_init(&query->buffer, query->data,
1715 sizeof(query->data));
1716 buffer = &query->buffer;
1719 result = dns_message_gettempname(fctx->qmessage, &qname);
1720 if (result != ISC_R_SUCCESS)
1722 result = dns_message_gettemprdataset(fctx->qmessage, &qrdataset);
1723 if (result != ISC_R_SUCCESS)
1727 * Get a query id from the dispatch.
1729 result = dns_dispatch_addresponse2(query->dispatch,
1730 &query->addrinfo->sockaddr,
1737 if (result != ISC_R_SUCCESS)
1740 fctx->qmessage->opcode = dns_opcode_query;
1745 dns_name_init(qname, NULL);
1746 dns_name_clone(&fctx->name, qname);
1747 dns_rdataset_init(qrdataset);
1748 dns_rdataset_makequestion(qrdataset, res->rdclass, fctx->type);
1749 ISC_LIST_APPEND(qname->list, qrdataset, link);
1750 dns_message_addname(fctx->qmessage, qname, DNS_SECTION_QUESTION);
1755 * Set RD if the client has requested that we do a recursive query,
1756 * or if we're sending to a forwarder.
1758 if ((query->options & DNS_FETCHOPT_RECURSIVE) != 0 ||
1759 ISFORWARDER(query->addrinfo))
1760 fctx->qmessage->flags |= DNS_MESSAGEFLAG_RD;
1763 * Set CD if the client says don't validate or the question is
1764 * under a secure entry point.
1766 if ((query->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
1767 fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
1768 } else if (res->view->enablevalidation) {
1769 result = dns_view_issecuredomain(res->view, &fctx->name,
1771 if (result != ISC_R_SUCCESS)
1772 secure_domain = ISC_FALSE;
1773 if (res->view->dlv != NULL)
1774 secure_domain = ISC_TRUE;
1776 fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
1780 * We don't have to set opcode because it defaults to query.
1782 fctx->qmessage->id = query->id;
1785 * Convert the question to wire format.
1787 result = dns_compress_init(&cctx, -1, fctx->res->mctx);
1788 if (result != ISC_R_SUCCESS)
1789 goto cleanup_message;
1790 cleanup_cctx = ISC_TRUE;
1792 result = dns_message_renderbegin(fctx->qmessage, &cctx,
1794 if (result != ISC_R_SUCCESS)
1795 goto cleanup_message;
1797 result = dns_message_rendersection(fctx->qmessage,
1798 DNS_SECTION_QUESTION, 0);
1799 if (result != ISC_R_SUCCESS)
1800 goto cleanup_message;
1803 isc_netaddr_fromsockaddr(&ipaddr, &query->addrinfo->sockaddr);
1804 (void) dns_peerlist_peerbyaddr(fctx->res->view->peers, &ipaddr, &peer);
1807 * The ADB does not know about servers with "edns no". Check this,
1808 * and then inform the ADB for future use.
1810 if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0 &&
1812 dns_peer_getsupportedns(peer, &useedns) == ISC_R_SUCCESS &&
1815 query->options |= DNS_FETCHOPT_NOEDNS0;
1816 dns_adb_changeflags(fctx->adb, query->addrinfo,
1817 DNS_FETCHOPT_NOEDNS0,
1818 DNS_FETCHOPT_NOEDNS0);
1821 /* Sync NOEDNS0 flag in addrinfo->flags and options now. */
1822 if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0)
1823 query->options |= DNS_FETCHOPT_NOEDNS0;
1826 * Handle timeouts by reducing the UDP response size to 512 bytes
1827 * then if that doesn't work disabling EDNS (includes DO) and CD.
1829 * These timeout can be due to:
1830 * * broken nameservers that don't respond to EDNS queries.
1831 * * broken/misconfigured firewalls and NAT implementations
1832 * that don't handle IP fragmentation.
1833 * * broken/misconfigured firewalls that don't handle responses
1834 * greater than 512 bytes.
1835 * * broken/misconfigured firewalls that don't handle EDNS, DO
1837 * * packet loss / link outage.
1839 if (fctx->timeout) {
1840 if ((triededns512(fctx, &query->addrinfo->sockaddr) ||
1841 fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
1842 (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
1843 query->options |= DNS_FETCHOPT_NOEDNS0;
1844 fctx->reason = "disabling EDNS";
1845 } else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
1846 fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
1847 (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
1848 query->options |= DNS_FETCHOPT_EDNS512;
1849 fctx->reason = "reducing the advertised EDNS UDP "
1850 "packet size to 512 octets";
1852 fctx->timeout = ISC_FALSE;
1856 * Use EDNS0, unless the caller doesn't want it, or we know that
1857 * the remote server doesn't like it.
1859 if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
1860 if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
1861 unsigned int version = 0; /* Default version. */
1863 isc_uint16_t udpsize = res->udpsize;
1864 isc_boolean_t reqnsid = res->view->requestnsid;
1866 flags = query->addrinfo->flags;
1867 if ((flags & DNS_FETCHOPT_EDNSVERSIONSET) != 0) {
1868 version = flags & DNS_FETCHOPT_EDNSVERSIONMASK;
1869 version >>= DNS_FETCHOPT_EDNSVERSIONSHIFT;
1871 if ((query->options & DNS_FETCHOPT_EDNS512) != 0)
1873 else if (peer != NULL)
1874 (void)dns_peer_getudpsize(peer, &udpsize);
1876 /* request NSID for current view or peer? */
1878 (void) dns_peer_getrequestnsid(peer, &reqnsid);
1880 INSIST(ednsopt < EDNSOPTS);
1881 ednsopts[ednsopt].code = DNS_OPT_NSID;
1882 ednsopts[ednsopt].length = 0;
1883 ednsopts[ednsopt].value = NULL;
1886 result = fctx_addopt(fctx->qmessage, version,
1887 udpsize, ednsopts, ednsopt);
1888 if (reqnsid && result == ISC_R_SUCCESS) {
1889 query->options |= DNS_FETCHOPT_WANTNSID;
1890 } else if (result != ISC_R_SUCCESS) {
1892 * We couldn't add the OPT, but we'll press on.
1893 * We're not using EDNS0, so set the NOEDNS0
1896 query->options |= DNS_FETCHOPT_NOEDNS0;
1900 * We know this server doesn't like EDNS0, so we
1901 * won't use it. Set the NOEDNS0 bit since we're
1904 query->options |= DNS_FETCHOPT_NOEDNS0;
1909 * If we need EDNS0 to do this query and aren't using it, we lose.
1911 if (NEEDEDNS0(fctx) && (query->options & DNS_FETCHOPT_NOEDNS0) != 0) {
1912 result = DNS_R_SERVFAIL;
1913 goto cleanup_message;
1916 if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0)
1917 add_triededns(fctx, &query->addrinfo->sockaddr);
1919 if ((query->options & DNS_FETCHOPT_EDNS512) != 0)
1920 add_triededns512(fctx, &query->addrinfo->sockaddr);
1923 * Clear CD if EDNS is not in use.
1925 if ((query->options & DNS_FETCHOPT_NOEDNS0) != 0)
1926 fctx->qmessage->flags &= ~DNS_MESSAGEFLAG_CD;
1929 * Add TSIG record tailored to the current recipient.
1931 result = dns_view_getpeertsig(fctx->res->view, &ipaddr, &tsigkey);
1932 if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
1933 goto cleanup_message;
1935 if (tsigkey != NULL) {
1936 result = dns_message_settsigkey(fctx->qmessage, tsigkey);
1937 dns_tsigkey_detach(&tsigkey);
1938 if (result != ISC_R_SUCCESS)
1939 goto cleanup_message;
1942 result = dns_message_rendersection(fctx->qmessage,
1943 DNS_SECTION_ADDITIONAL, 0);
1944 if (result != ISC_R_SUCCESS)
1945 goto cleanup_message;
1947 result = dns_message_renderend(fctx->qmessage);
1948 if (result != ISC_R_SUCCESS)
1949 goto cleanup_message;
1951 dns_compress_invalidate(&cctx);
1952 cleanup_cctx = ISC_FALSE;
1954 if (dns_message_gettsigkey(fctx->qmessage) != NULL) {
1955 dns_tsigkey_attach(dns_message_gettsigkey(fctx->qmessage),
1957 result = dns_message_getquerytsig(fctx->qmessage,
1960 if (result != ISC_R_SUCCESS)
1961 goto cleanup_message;
1965 * If using TCP, write the length of the message at the beginning
1968 if ((query->options & DNS_FETCHOPT_TCP) != 0) {
1969 isc_buffer_usedregion(&query->buffer, &r);
1970 isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t)r.length);
1971 isc_buffer_add(&tcpbuffer, r.length);
1975 * We're now done with the query message.
1977 dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
1979 if (query->exclusivesocket)
1980 socket = dns_dispatch_getentrysocket(query->dispentry);
1982 socket = dns_dispatch_getsocket(query->dispatch);
1986 if ((query->options & DNS_FETCHOPT_TCP) == 0) {
1987 address = &query->addrinfo->sockaddr;
1988 if (query->exclusivesocket) {
1989 result = isc_socket_connect(socket, address, task,
1990 resquery_udpconnected,
1992 if (result != ISC_R_SUCCESS)
1993 goto cleanup_message;
1994 connecting = ISC_TRUE;
1998 isc_buffer_usedregion(buffer, &r);
2001 * XXXRTH Make sure we don't send to ourselves! We should probably
2002 * prune out these addresses when we get them from the ADB.
2004 ISC_EVENT_INIT(&query->sendevent, sizeof(query->sendevent), 0, NULL,
2005 ISC_SOCKEVENT_SENDDONE, resquery_senddone, query,
2007 result = isc_socket_sendto2(socket, &r, task, address, NULL,
2008 &query->sendevent, 0);
2009 if (result != ISC_R_SUCCESS) {
2012 * This query is still connecting.
2013 * Mark it as canceled so that it will just be
2014 * cleaned up when the connected event is received.
2015 * Keep fctx around until the event is processed.
2017 query->fctx->nqueries++;
2018 query->attributes |= RESQUERY_ATTR_CANCELED;
2020 goto cleanup_message;
2027 return (ISC_R_SUCCESS);
2031 dns_compress_invalidate(&cctx);
2033 dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
2036 * Stop the dispatcher from listening.
2038 dns_dispatch_removeresponse(&query->dispentry, NULL);
2042 dns_message_puttempname(fctx->qmessage, &qname);
2043 if (qrdataset != NULL)
2044 dns_message_puttemprdataset(fctx->qmessage, &qrdataset);
2050 resquery_connected(isc_task_t *task, isc_event_t *event) {
2051 isc_socketevent_t *sevent = (isc_socketevent_t *)event;
2052 resquery_t *query = event->ev_arg;
2053 isc_boolean_t retry = ISC_FALSE;
2054 isc_interval_t interval;
2055 isc_result_t result;
2059 REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
2060 REQUIRE(VALID_QUERY(query));
2062 QTRACE("connected");
2069 * Currently we don't wait for the connect event before retrying
2070 * a query. This means that if we get really behind, we may end
2071 * up doing extra work!
2077 if (RESQUERY_CANCELED(query)) {
2079 * This query was canceled while the connect() was in
2082 isc_socket_detach(&query->tcpsocket);
2083 resquery_destroy(&query);
2085 switch (sevent->result) {
2089 * Extend the idle timer for TCP. 20 seconds
2090 * should be long enough for a TCP connection to be
2091 * established, a single DNS request to be sent,
2092 * and the response received.
2094 isc_interval_set(&interval, 20, 0);
2095 result = fctx_startidletimer(query->fctx, &interval);
2096 if (result != ISC_R_SUCCESS) {
2097 fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
2098 fctx_done(fctx, result, __LINE__);
2102 * We are connected. Create a dispatcher and
2106 attrs |= DNS_DISPATCHATTR_TCP;
2107 attrs |= DNS_DISPATCHATTR_PRIVATE;
2108 attrs |= DNS_DISPATCHATTR_CONNECTED;
2109 if (isc_sockaddr_pf(&query->addrinfo->sockaddr) ==
2111 attrs |= DNS_DISPATCHATTR_IPV4;
2113 attrs |= DNS_DISPATCHATTR_IPV6;
2114 attrs |= DNS_DISPATCHATTR_MAKEQUERY;
2116 result = dns_dispatch_createtcp(query->dispatchmgr,
2118 query->fctx->res->taskmgr,
2119 4096, 2, 1, 1, 3, attrs,
2123 * Regardless of whether dns_dispatch_create()
2124 * succeeded or not, we don't need our reference
2125 * to the socket anymore.
2127 isc_socket_detach(&query->tcpsocket);
2129 if (result == ISC_R_SUCCESS)
2130 result = resquery_send(query);
2132 if (result != ISC_R_SUCCESS) {
2133 fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
2134 fctx_done(fctx, result, __LINE__);
2138 case ISC_R_NETUNREACH:
2139 case ISC_R_HOSTUNREACH:
2140 case ISC_R_CONNREFUSED:
2142 case ISC_R_ADDRNOTAVAIL:
2143 case ISC_R_CONNECTIONRESET:
2145 * No route to remote.
2147 isc_socket_detach(&query->tcpsocket);
2148 fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
2153 isc_socket_detach(&query->tcpsocket);
2154 fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
2159 isc_event_free(&event);
2163 * Behave as if the idle timer has expired. For TCP
2164 * connections this may not actually reflect the latest timer.
2166 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
2167 result = fctx_stopidletimer(fctx);
2168 if (result != ISC_R_SUCCESS)
2169 fctx_done(fctx, result, __LINE__);
2171 fctx_try(fctx, ISC_TRUE, ISC_FALSE);
2176 fctx_finddone(isc_task_t *task, isc_event_t *event) {
2178 dns_adbfind_t *find;
2179 dns_resolver_t *res;
2180 isc_boolean_t want_try = ISC_FALSE;
2181 isc_boolean_t want_done = ISC_FALSE;
2182 isc_boolean_t bucket_empty = ISC_FALSE;
2183 unsigned int bucketnum;
2184 isc_boolean_t destroy = ISC_FALSE;
2186 find = event->ev_sender;
2187 fctx = event->ev_arg;
2188 REQUIRE(VALID_FCTX(fctx));
2193 FCTXTRACE("finddone");
2195 bucketnum = fctx->bucketnum;
2196 LOCK(&res->buckets[bucketnum].lock);
2198 INSIST(fctx->pending > 0);
2201 if (ADDRWAIT(fctx)) {
2203 * The fetch is waiting for a name to be found.
2205 INSIST(!SHUTTINGDOWN(fctx));
2206 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
2207 if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) {
2208 want_try = ISC_TRUE;
2209 fctx->totalqueries += find->qtotal;
2212 if (fctx->pending == 0) {
2214 * We've got nothing else to wait for and don't
2215 * know the answer. There's nothing to do but
2218 want_done = ISC_TRUE;
2221 } else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
2222 fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
2224 if (fctx->references == 0) {
2225 bucket_empty = fctx_unlink(fctx);
2229 UNLOCK(&res->buckets[bucketnum].lock);
2231 isc_event_free(&event);
2232 dns_adb_destroyfind(&find);
2235 fctx_try(fctx, ISC_TRUE, ISC_FALSE);
2237 fctx_done(fctx, ISC_R_FAILURE, __LINE__);
2246 static inline isc_boolean_t
2247 bad_server(fetchctx_t *fctx, isc_sockaddr_t *address) {
2250 for (sa = ISC_LIST_HEAD(fctx->bad);
2252 sa = ISC_LIST_NEXT(sa, link)) {
2253 if (isc_sockaddr_equal(sa, address))
2260 static inline isc_boolean_t
2261 mark_bad(fetchctx_t *fctx) {
2262 dns_adbfind_t *curr;
2263 dns_adbaddrinfo_t *addrinfo;
2264 isc_boolean_t all_bad = ISC_TRUE;
2267 * Mark all known bad servers, so we don't try to talk to them
2272 * Mark any bad nameservers.
2274 for (curr = ISC_LIST_HEAD(fctx->finds);
2276 curr = ISC_LIST_NEXT(curr, publink)) {
2277 for (addrinfo = ISC_LIST_HEAD(curr->list);
2279 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2280 if (bad_server(fctx, &addrinfo->sockaddr))
2281 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2283 all_bad = ISC_FALSE;
2288 * Mark any bad forwarders.
2290 for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
2292 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2293 if (bad_server(fctx, &addrinfo->sockaddr))
2294 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2296 all_bad = ISC_FALSE;
2300 * Mark any bad alternates.
2302 for (curr = ISC_LIST_HEAD(fctx->altfinds);
2304 curr = ISC_LIST_NEXT(curr, publink)) {
2305 for (addrinfo = ISC_LIST_HEAD(curr->list);
2307 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2308 if (bad_server(fctx, &addrinfo->sockaddr))
2309 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2311 all_bad = ISC_FALSE;
2315 for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
2317 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2318 if (bad_server(fctx, &addrinfo->sockaddr))
2319 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2321 all_bad = ISC_FALSE;
2328 add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
2329 badnstype_t badtype)
2331 char namebuf[DNS_NAME_FORMATSIZE];
2332 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
2338 const char *spc = "";
2339 isc_sockaddr_t *address = &addrinfo->sockaddr;
2341 if (reason == DNS_R_LAME)
2345 case badns_unreachable:
2348 case badns_response:
2351 case badns_validation:
2352 break; /* counted as 'valfail' */
2356 if (bad_server(fctx, address)) {
2358 * We already know this server is bad.
2363 FCTXTRACE("add_bad");
2365 sa = isc_mem_get(fctx->mctx, sizeof(*sa));
2369 ISC_LIST_INITANDAPPEND(fctx->bad, sa, link);
2371 if (reason == DNS_R_LAME) /* already logged */
2374 if (reason == DNS_R_UNEXPECTEDRCODE &&
2375 fctx->rmessage->rcode == dns_rcode_servfail &&
2376 ISFORWARDER(addrinfo))
2379 if (reason == DNS_R_UNEXPECTEDRCODE) {
2380 isc_buffer_init(&b, code, sizeof(code) - 1);
2381 dns_rcode_totext(fctx->rmessage->rcode, &b);
2382 code[isc_buffer_usedlength(&b)] = '\0';
2384 } else if (reason == DNS_R_UNEXPECTEDOPCODE) {
2385 isc_buffer_init(&b, code, sizeof(code) - 1);
2386 dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b);
2387 code[isc_buffer_usedlength(&b)] = '\0';
2392 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
2393 dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
2394 dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf));
2395 isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
2396 isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
2397 DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
2398 "error (%s%s%s) resolving '%s/%s/%s': %s",
2399 dns_result_totext(reason), spc, code,
2400 namebuf, typebuf, classbuf, addrbuf);
2404 * Sort addrinfo list by RTT.
2407 sort_adbfind(dns_adbfind_t *find) {
2408 dns_adbaddrinfo_t *best, *curr;
2409 dns_adbaddrinfolist_t sorted;
2411 /* Lame N^2 bubble sort. */
2412 ISC_LIST_INIT(sorted);
2413 while (!ISC_LIST_EMPTY(find->list)) {
2414 best = ISC_LIST_HEAD(find->list);
2415 curr = ISC_LIST_NEXT(best, publink);
2416 while (curr != NULL) {
2417 if (curr->srtt < best->srtt)
2419 curr = ISC_LIST_NEXT(curr, publink);
2421 ISC_LIST_UNLINK(find->list, best, publink);
2422 ISC_LIST_APPEND(sorted, best, publink);
2424 find->list = sorted;
2428 * Sort a list of finds by server RTT.
2431 sort_finds(dns_adbfindlist_t *findlist) {
2432 dns_adbfind_t *best, *curr;
2433 dns_adbfindlist_t sorted;
2434 dns_adbaddrinfo_t *addrinfo, *bestaddrinfo;
2436 /* Sort each find's addrinfo list by SRTT. */
2437 for (curr = ISC_LIST_HEAD(*findlist);
2439 curr = ISC_LIST_NEXT(curr, publink))
2442 /* Lame N^2 bubble sort. */
2443 ISC_LIST_INIT(sorted);
2444 while (!ISC_LIST_EMPTY(*findlist)) {
2445 best = ISC_LIST_HEAD(*findlist);
2446 bestaddrinfo = ISC_LIST_HEAD(best->list);
2447 INSIST(bestaddrinfo != NULL);
2448 curr = ISC_LIST_NEXT(best, publink);
2449 while (curr != NULL) {
2450 addrinfo = ISC_LIST_HEAD(curr->list);
2451 INSIST(addrinfo != NULL);
2452 if (addrinfo->srtt < bestaddrinfo->srtt) {
2454 bestaddrinfo = addrinfo;
2456 curr = ISC_LIST_NEXT(curr, publink);
2458 ISC_LIST_UNLINK(*findlist, best, publink);
2459 ISC_LIST_APPEND(sorted, best, publink);
2465 findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
2466 unsigned int options, unsigned int flags, isc_stdtime_t now,
2467 isc_boolean_t *need_alternate)
2469 dns_adbaddrinfo_t *ai;
2470 dns_adbfind_t *find;
2471 dns_resolver_t *res;
2472 isc_boolean_t unshared;
2473 isc_result_t result;
2476 unshared = ISC_TF((fctx->options & DNS_FETCHOPT_UNSHARED) != 0);
2478 * If this name is a subdomain of the query domain, tell
2479 * the ADB to start looking using zone/hint data. This keeps us
2480 * from getting stuck if the nameserver is beneath the zone cut
2481 * and we don't know its address (e.g. because the A record has
2484 if (dns_name_issubdomain(name, &fctx->domain))
2485 options |= DNS_ADBFIND_STARTATZONE;
2486 options |= DNS_ADBFIND_GLUEOK;
2487 options |= DNS_ADBFIND_HINTOK;
2490 * See what we know about this address.
2493 result = dns_adb_createfind2(fctx->adb,
2494 res->buckets[fctx->bucketnum].task,
2495 fctx_finddone, fctx, name,
2496 &fctx->name, fctx->type,
2499 fctx->depth + 1, &find);
2500 if (result != ISC_R_SUCCESS) {
2501 if (result == DNS_R_ALIAS) {
2503 * XXXRTH Follow the CNAME/DNAME chain?
2505 dns_adb_destroyfind(&find);
2508 } else if (!ISC_LIST_EMPTY(find->list)) {
2510 * We have at least some of the addresses for the
2513 INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0);
2514 if (flags != 0 || port != 0) {
2515 for (ai = ISC_LIST_HEAD(find->list);
2517 ai = ISC_LIST_NEXT(ai, publink)) {
2520 isc_sockaddr_setport(&ai->sockaddr,
2524 if ((flags & FCTX_ADDRINFO_FORWARDER) != 0)
2525 ISC_LIST_APPEND(fctx->altfinds, find, publink);
2527 ISC_LIST_APPEND(fctx->finds, find, publink);
2530 * We don't know any of the addresses for this
2533 if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) {
2535 * We're looking for them and will get an
2536 * event about it later.
2542 if (need_alternate != NULL &&
2543 !*need_alternate && unshared &&
2544 ((res->dispatches4 == NULL &&
2545 find->result_v6 != DNS_R_NXDOMAIN) ||
2546 (res->dispatches6 == NULL &&
2547 find->result_v4 != DNS_R_NXDOMAIN)))
2548 *need_alternate = ISC_TRUE;
2550 if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0)
2551 fctx->lamecount++; /* cached lame server */
2553 fctx->adberr++; /* unreachable server, etc. */
2556 * If we know there are no addresses for
2557 * the family we are using then try to add
2558 * an alternative server.
2560 if (need_alternate != NULL && !*need_alternate &&
2561 ((res->dispatches4 == NULL &&
2562 find->result_v6 == DNS_R_NXRRSET) ||
2563 (res->dispatches6 == NULL &&
2564 find->result_v4 == DNS_R_NXRRSET)))
2565 *need_alternate = ISC_TRUE;
2566 dns_adb_destroyfind(&find);
2571 static isc_boolean_t
2572 isstrictsubdomain(dns_name_t *name1, dns_name_t *name2) {
2574 unsigned int nlabels;
2575 dns_namereln_t namereln;
2577 namereln = dns_name_fullcompare(name1, name2, &order, &nlabels);
2578 return (ISC_TF(namereln == dns_namereln_subdomain));
2582 fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
2583 dns_rdata_t rdata = DNS_RDATA_INIT;
2584 isc_result_t result;
2585 dns_resolver_t *res;
2587 unsigned int stdoptions = 0;
2589 dns_adbaddrinfo_t *ai;
2590 isc_boolean_t all_bad;
2592 isc_boolean_t need_alternate = ISC_FALSE;
2594 FCTXTRACE("getaddresses");
2597 * Don't pound on remote servers. (Failsafe!)
2600 if (fctx->restarts > 10) {
2601 FCTXTRACE("too many restarts");
2602 return (DNS_R_SERVFAIL);
2607 if (fctx->depth > res->maxdepth) {
2608 FCTXTRACE("too much NS indirection");
2609 return (DNS_R_SERVFAIL);
2616 INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
2617 INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
2620 * If this fctx has forwarders, use them; otherwise use any
2621 * selective forwarders specified in the view; otherwise use the
2622 * resolver's forwarders (if any).
2624 sa = ISC_LIST_HEAD(fctx->forwarders);
2626 dns_forwarders_t *forwarders = NULL;
2627 dns_name_t *name = &fctx->name;
2629 unsigned int labels;
2630 dns_fixedname_t fixed;
2634 * DS records are found in the parent server.
2635 * Strip label to get the correct forwarder (if any).
2637 if (dns_rdatatype_atparent(fctx->type) &&
2638 dns_name_countlabels(name) > 1) {
2639 dns_name_init(&suffix, NULL);
2640 labels = dns_name_countlabels(name);
2641 dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
2645 dns_fixedname_init(&fixed);
2646 domain = dns_fixedname_name(&fixed);
2647 result = dns_fwdtable_find2(fctx->res->view->fwdtable, name,
2648 domain, &forwarders);
2649 if (result == ISC_R_SUCCESS) {
2650 sa = ISC_LIST_HEAD(forwarders->addrs);
2651 fctx->fwdpolicy = forwarders->fwdpolicy;
2652 if (fctx->fwdpolicy == dns_fwdpolicy_only &&
2653 isstrictsubdomain(domain, &fctx->domain)) {
2654 dns_name_free(&fctx->domain, fctx->mctx);
2655 dns_name_init(&fctx->domain, NULL);
2656 result = dns_name_dup(domain, fctx->mctx,
2658 if (result != ISC_R_SUCCESS)
2664 while (sa != NULL) {
2665 if ((isc_sockaddr_pf(sa) == AF_INET &&
2666 fctx->res->dispatches4 == NULL) ||
2667 (isc_sockaddr_pf(sa) == AF_INET6 &&
2668 fctx->res->dispatches6 == NULL)) {
2669 sa = ISC_LIST_NEXT(sa, link);
2673 result = dns_adb_findaddrinfo(fctx->adb,
2674 sa, &ai, 0); /* XXXMLG */
2675 if (result == ISC_R_SUCCESS) {
2676 dns_adbaddrinfo_t *cur;
2677 ai->flags |= FCTX_ADDRINFO_FORWARDER;
2678 cur = ISC_LIST_HEAD(fctx->forwaddrs);
2679 while (cur != NULL && cur->srtt < ai->srtt)
2680 cur = ISC_LIST_NEXT(cur, publink);
2682 ISC_LIST_INSERTBEFORE(fctx->forwaddrs, cur,
2685 ISC_LIST_APPEND(fctx->forwaddrs, ai, publink);
2687 sa = ISC_LIST_NEXT(sa, link);
2691 * If the forwarding policy is "only", we don't need the addresses
2692 * of the nameservers.
2694 if (fctx->fwdpolicy == dns_fwdpolicy_only)
2698 * Normal nameservers.
2701 stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
2702 if (fctx->restarts == 1) {
2704 * To avoid sending out a flood of queries likely to
2705 * result in NXRRSET, we suppress fetches for address
2706 * families we don't have the first time through,
2707 * provided that we have addresses in some family we
2710 * We don't want to set this option all the time, since
2711 * if fctx->restarts > 1, we've clearly been having trouble
2712 * with the addresses we had, so getting more could help.
2714 stdoptions |= DNS_ADBFIND_AVOIDFETCHES;
2716 if (res->dispatches4 != NULL)
2717 stdoptions |= DNS_ADBFIND_INET;
2718 if (res->dispatches6 != NULL)
2719 stdoptions |= DNS_ADBFIND_INET6;
2720 isc_stdtime_get(&now);
2722 INSIST(ISC_LIST_EMPTY(fctx->finds));
2723 INSIST(ISC_LIST_EMPTY(fctx->altfinds));
2725 for (result = dns_rdataset_first(&fctx->nameservers);
2726 result == ISC_R_SUCCESS;
2727 result = dns_rdataset_next(&fctx->nameservers))
2729 dns_rdataset_current(&fctx->nameservers, &rdata);
2731 * Extract the name from the NS record.
2733 result = dns_rdata_tostruct(&rdata, &ns, NULL);
2734 if (result != ISC_R_SUCCESS)
2737 findname(fctx, &ns.name, 0, stdoptions, 0, now,
2739 dns_rdata_reset(&rdata);
2740 dns_rdata_freestruct(&ns);
2742 if (result != ISC_R_NOMORE)
2746 * Do we need to use 6 to 4?
2748 if (need_alternate) {
2751 family = (res->dispatches6 != NULL) ? AF_INET6 : AF_INET;
2752 for (a = ISC_LIST_HEAD(fctx->res->alternates);
2754 a = ISC_LIST_NEXT(a, link)) {
2755 if (!a->isaddress) {
2756 findname(fctx, &a->_u._n.name, a->_u._n.port,
2757 stdoptions, FCTX_ADDRINFO_FORWARDER,
2761 if (isc_sockaddr_pf(&a->_u.addr) != family)
2764 result = dns_adb_findaddrinfo(fctx->adb, &a->_u.addr,
2766 if (result == ISC_R_SUCCESS) {
2767 dns_adbaddrinfo_t *cur;
2768 ai->flags |= FCTX_ADDRINFO_FORWARDER;
2769 cur = ISC_LIST_HEAD(fctx->altaddrs);
2770 while (cur != NULL && cur->srtt < ai->srtt)
2771 cur = ISC_LIST_NEXT(cur, publink);
2773 ISC_LIST_INSERTBEFORE(fctx->altaddrs,
2776 ISC_LIST_APPEND(fctx->altaddrs, ai,
2784 * Mark all known bad servers.
2786 all_bad = mark_bad(fctx);
2793 * We've got no addresses.
2795 if (fctx->pending > 0) {
2797 * We're fetching the addresses, but don't have any
2798 * yet. Tell the caller to wait for an answer.
2800 result = DNS_R_WAIT;
2805 * We've lost completely. We don't know any
2806 * addresses, and the ADB has told us it can't get
2809 FCTXTRACE("no addresses");
2810 isc_interval_set(&i, DNS_BADCACHE_TTL(fctx), 0);
2811 result = isc_time_nowplusinterval(&expire, &i);
2813 (fctx->type == dns_rdatatype_dnskey ||
2814 fctx->type == dns_rdatatype_dlv ||
2815 fctx->type == dns_rdatatype_ds) &&
2816 result == ISC_R_SUCCESS)
2817 dns_resolver_addbadcache(fctx->res,
2819 fctx->type, &expire);
2820 result = ISC_R_FAILURE;
2824 * We've found some addresses. We might still be looking
2825 * for more addresses.
2827 sort_finds(&fctx->finds);
2828 sort_finds(&fctx->altfinds);
2829 result = ISC_R_SUCCESS;
2836 possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr)
2839 char buf[ISC_NETADDR_FORMATSIZE];
2841 isc_boolean_t aborted = ISC_FALSE;
2842 isc_boolean_t bogus;
2843 dns_acl_t *blackhole;
2844 isc_netaddr_t ipaddr;
2845 dns_peer_t *peer = NULL;
2846 dns_resolver_t *res;
2847 const char *msg = NULL;
2849 sa = &addr->sockaddr;
2852 isc_netaddr_fromsockaddr(&ipaddr, sa);
2853 blackhole = dns_dispatchmgr_getblackhole(res->dispatchmgr);
2854 (void) dns_peerlist_peerbyaddr(res->view->peers, &ipaddr, &peer);
2856 if (blackhole != NULL) {
2859 if (dns_acl_match(&ipaddr, NULL, blackhole,
2861 &match, NULL) == ISC_R_SUCCESS &&
2867 dns_peer_getbogus(peer, &bogus) == ISC_R_SUCCESS &&
2872 addr->flags |= FCTX_ADDRINFO_MARK;
2873 msg = "ignoring blackholed / bogus server: ";
2874 } else if (isc_sockaddr_ismulticast(sa)) {
2875 addr->flags |= FCTX_ADDRINFO_MARK;
2876 msg = "ignoring multicast address: ";
2877 } else if (isc_sockaddr_isexperimental(sa)) {
2878 addr->flags |= FCTX_ADDRINFO_MARK;
2879 msg = "ignoring experimental address: ";
2880 } else if (sa->type.sa.sa_family != AF_INET6) {
2882 } else if (IN6_IS_ADDR_V4MAPPED(&sa->type.sin6.sin6_addr)) {
2883 addr->flags |= FCTX_ADDRINFO_MARK;
2884 msg = "ignoring IPv6 mapped IPV4 address: ";
2885 } else if (IN6_IS_ADDR_V4COMPAT(&sa->type.sin6.sin6_addr)) {
2886 addr->flags |= FCTX_ADDRINFO_MARK;
2887 msg = "ignoring IPv6 compatibility IPV4 address: ";
2891 if (!isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3)))
2894 isc_netaddr_fromsockaddr(&na, sa);
2895 isc_netaddr_format(&na, buf, sizeof(buf));
2896 FCTXTRACE2(msg, buf);
2899 static inline dns_adbaddrinfo_t *
2900 fctx_nextaddress(fetchctx_t *fctx) {
2901 dns_adbfind_t *find, *start;
2902 dns_adbaddrinfo_t *addrinfo;
2903 dns_adbaddrinfo_t *faddrinfo;
2906 * Return the next untried address, if any.
2910 * Find the first unmarked forwarder (if any).
2912 for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
2914 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2915 if (!UNMARKED(addrinfo))
2917 possibly_mark(fctx, addrinfo);
2918 if (UNMARKED(addrinfo)) {
2919 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2926 * No forwarders. Move to the next find.
2929 fctx->attributes |= FCTX_ATTR_TRIEDFIND;
2933 find = ISC_LIST_HEAD(fctx->finds);
2935 find = ISC_LIST_NEXT(find, publink);
2937 find = ISC_LIST_HEAD(fctx->finds);
2941 * Find the first unmarked addrinfo.
2947 for (addrinfo = ISC_LIST_HEAD(find->list);
2949 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2950 if (!UNMARKED(addrinfo))
2952 possibly_mark(fctx, addrinfo);
2953 if (UNMARKED(addrinfo)) {
2954 addrinfo->flags |= FCTX_ADDRINFO_MARK;
2958 if (addrinfo != NULL)
2960 find = ISC_LIST_NEXT(find, publink);
2962 find = ISC_LIST_HEAD(fctx->finds);
2963 } while (find != start);
2967 if (addrinfo != NULL)
2971 * No nameservers left. Try alternates.
2974 fctx->attributes |= FCTX_ATTR_TRIEDALT;
2976 find = fctx->altfind;
2978 find = ISC_LIST_HEAD(fctx->altfinds);
2980 find = ISC_LIST_NEXT(find, publink);
2982 find = ISC_LIST_HEAD(fctx->altfinds);
2986 * Find the first unmarked addrinfo.
2992 for (addrinfo = ISC_LIST_HEAD(find->list);
2994 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
2995 if (!UNMARKED(addrinfo))
2997 possibly_mark(fctx, addrinfo);
2998 if (UNMARKED(addrinfo)) {
2999 addrinfo->flags |= FCTX_ADDRINFO_MARK;
3003 if (addrinfo != NULL)
3005 find = ISC_LIST_NEXT(find, publink);
3007 find = ISC_LIST_HEAD(fctx->altfinds);
3008 } while (find != start);
3011 faddrinfo = addrinfo;
3014 * See if we have a better alternate server by address.
3017 for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
3019 addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
3020 if (!UNMARKED(addrinfo))
3022 possibly_mark(fctx, addrinfo);
3023 if (UNMARKED(addrinfo) &&
3024 (faddrinfo == NULL ||
3025 addrinfo->srtt < faddrinfo->srtt)) {
3026 if (faddrinfo != NULL)
3027 faddrinfo->flags &= ~FCTX_ADDRINFO_MARK;
3028 addrinfo->flags |= FCTX_ADDRINFO_MARK;
3033 if (addrinfo == NULL) {
3034 addrinfo = faddrinfo;
3035 fctx->altfind = find;
3042 fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
3043 isc_result_t result;
3044 dns_adbaddrinfo_t *addrinfo;
3048 REQUIRE(!ADDRWAIT(fctx));
3050 if (fctx->totalqueries > DEFAULT_MAX_QUERIES)
3051 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
3053 addrinfo = fctx_nextaddress(fctx);
3054 if (addrinfo == NULL) {
3056 * We have no more addresses. Start over.
3058 fctx_cancelqueries(fctx, ISC_TRUE);
3059 fctx_cleanupfinds(fctx);
3060 fctx_cleanupaltfinds(fctx);
3061 fctx_cleanupforwaddrs(fctx);
3062 fctx_cleanupaltaddrs(fctx);
3063 result = fctx_getaddresses(fctx, badcache);
3064 if (result == DNS_R_WAIT) {
3066 * Sleep waiting for addresses.
3068 FCTXTRACE("addrwait");
3069 fctx->attributes |= FCTX_ATTR_ADDRWAIT;
3071 } else if (result != ISC_R_SUCCESS) {
3073 * Something bad happened.
3075 fctx_done(fctx, result, __LINE__);
3079 addrinfo = fctx_nextaddress(fctx);
3081 * While we may have addresses from the ADB, they
3082 * might be bad ones. In this case, return SERVFAIL.
3084 if (addrinfo == NULL) {
3085 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
3090 result = fctx_query(fctx, addrinfo, fctx->options);
3091 if (result != ISC_R_SUCCESS)
3092 fctx_done(fctx, result, __LINE__);
3094 inc_stats(fctx->res, dns_resstatscounter_retry);
3097 static isc_boolean_t
3098 fctx_unlink(fetchctx_t *fctx) {
3099 dns_resolver_t *res;
3100 unsigned int bucketnum;
3103 * Caller must be holding the bucket lock.
3106 REQUIRE(VALID_FCTX(fctx));
3107 REQUIRE(fctx->state == fetchstate_done ||
3108 fctx->state == fetchstate_init);
3109 REQUIRE(ISC_LIST_EMPTY(fctx->events));
3110 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
3111 REQUIRE(ISC_LIST_EMPTY(fctx->finds));
3112 REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
3113 REQUIRE(fctx->pending == 0);
3114 REQUIRE(fctx->references == 0);
3115 REQUIRE(ISC_LIST_EMPTY(fctx->validators));
3117 FCTXTRACE("unlink");
3120 bucketnum = fctx->bucketnum;
3122 ISC_LIST_UNLINK(res->buckets[bucketnum].fctxs, fctx, link);
3126 UNLOCK(&res->nlock);
3128 if (res->buckets[bucketnum].exiting &&
3129 ISC_LIST_EMPTY(res->buckets[bucketnum].fctxs))
3136 fctx_destroy(fetchctx_t *fctx) {
3137 isc_sockaddr_t *sa, *next_sa;
3139 REQUIRE(VALID_FCTX(fctx));
3140 REQUIRE(fctx->state == fetchstate_done ||
3141 fctx->state == fetchstate_init);
3142 REQUIRE(ISC_LIST_EMPTY(fctx->events));
3143 REQUIRE(ISC_LIST_EMPTY(fctx->queries));
3144 REQUIRE(ISC_LIST_EMPTY(fctx->finds));
3145 REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
3146 REQUIRE(fctx->pending == 0);
3147 REQUIRE(fctx->references == 0);
3148 REQUIRE(ISC_LIST_EMPTY(fctx->validators));
3149 REQUIRE(!ISC_LINK_LINKED(fctx, link));
3151 FCTXTRACE("destroy");
3156 for (sa = ISC_LIST_HEAD(fctx->bad);
3159 next_sa = ISC_LIST_NEXT(sa, link);
3160 ISC_LIST_UNLINK(fctx->bad, sa, link);
3161 isc_mem_put(fctx->mctx, sa, sizeof(*sa));
3164 for (sa = ISC_LIST_HEAD(fctx->edns);
3167 next_sa = ISC_LIST_NEXT(sa, link);
3168 ISC_LIST_UNLINK(fctx->edns, sa, link);
3169 isc_mem_put(fctx->mctx, sa, sizeof(*sa));
3172 for (sa = ISC_LIST_HEAD(fctx->edns512);
3175 next_sa = ISC_LIST_NEXT(sa, link);
3176 ISC_LIST_UNLINK(fctx->edns512, sa, link);
3177 isc_mem_put(fctx->mctx, sa, sizeof(*sa));
3180 for (sa = ISC_LIST_HEAD(fctx->bad_edns);
3183 next_sa = ISC_LIST_NEXT(sa, link);
3184 ISC_LIST_UNLINK(fctx->bad_edns, sa, link);
3185 isc_mem_put(fctx->mctx, sa, sizeof(*sa));
3188 isc_timer_detach(&fctx->timer);
3189 dns_message_destroy(&fctx->rmessage);
3190 dns_message_destroy(&fctx->qmessage);
3191 if (dns_name_countlabels(&fctx->domain) > 0)
3192 dns_name_free(&fctx->domain, fctx->mctx);
3193 if (dns_rdataset_isassociated(&fctx->nameservers))
3194 dns_rdataset_disassociate(&fctx->nameservers);
3195 dns_name_free(&fctx->name, fctx->mctx);
3196 dns_db_detach(&fctx->cache);
3197 dns_adb_detach(&fctx->adb);
3198 isc_mem_free(fctx->mctx, fctx->info);
3199 isc_mem_putanddetach(&fctx->mctx, fctx, sizeof(*fctx));
3203 * Fetch event handlers.
3207 fctx_timeout(isc_task_t *task, isc_event_t *event) {
3208 fetchctx_t *fctx = event->ev_arg;
3209 isc_timerevent_t *tevent = (isc_timerevent_t *)event;
3212 REQUIRE(VALID_FCTX(fctx));
3216 FCTXTRACE("timeout");
3218 inc_stats(fctx->res, dns_resstatscounter_querytimeout);
3220 if (event->ev_type == ISC_TIMEREVENT_LIFE) {
3221 fctx->reason = NULL;
3222 fctx_done(fctx, ISC_R_TIMEDOUT, __LINE__);
3224 isc_result_t result;
3227 fctx->timeout = ISC_TRUE;
3229 * We could cancel the running queries here, or we could let
3230 * them keep going. Since we normally use separate sockets for
3231 * different queries, we adopt the former approach to reduce
3232 * the number of open sockets: cancel the oldest query if it
3233 * expired after the query had started (this is usually the
3234 * case but is not always so, depending on the task schedule
3237 query = ISC_LIST_HEAD(fctx->queries);
3238 if (query != NULL &&
3239 isc_time_compare(&tevent->due, &query->start) >= 0) {
3240 fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
3242 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
3244 * Our timer has triggered. Reestablish the fctx lifetime
3247 result = fctx_starttimer(fctx);
3248 if (result != ISC_R_SUCCESS)
3249 fctx_done(fctx, result, __LINE__);
3254 fctx_try(fctx, ISC_TRUE, ISC_FALSE);
3257 isc_event_free(&event);
3261 fctx_shutdown(fetchctx_t *fctx) {
3262 isc_event_t *cevent;
3265 * Start the shutdown process for fctx, if it isn't already underway.
3268 FCTXTRACE("shutdown");
3271 * The caller must be holding the appropriate bucket lock.
3274 if (fctx->want_shutdown)
3277 fctx->want_shutdown = ISC_TRUE;
3280 * Unless we're still initializing (in which case the
3281 * control event is still outstanding), we need to post
3282 * the control event to tell the fetch we want it to
3285 if (fctx->state != fetchstate_init) {
3286 cevent = &fctx->control_event;
3287 isc_task_send(fctx->res->buckets[fctx->bucketnum].task,
3293 fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
3294 fetchctx_t *fctx = event->ev_arg;
3295 isc_boolean_t bucket_empty = ISC_FALSE;
3296 dns_resolver_t *res;
3297 unsigned int bucketnum;
3298 dns_validator_t *validator;
3299 isc_boolean_t destroy = ISC_FALSE;
3301 REQUIRE(VALID_FCTX(fctx));
3306 bucketnum = fctx->bucketnum;
3308 FCTXTRACE("doshutdown");
3311 * An fctx that is shutting down is no longer in ADDRWAIT mode.
3313 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
3316 * Cancel all pending validators. Note that this must be done
3317 * without the bucket lock held, since that could cause deadlock.
3319 validator = ISC_LIST_HEAD(fctx->validators);
3320 while (validator != NULL) {
3321 dns_validator_cancel(validator);
3322 validator = ISC_LIST_NEXT(validator, link);
3325 if (fctx->nsfetch != NULL)
3326 dns_resolver_cancelfetch(fctx->nsfetch);
3329 * Shut down anything that is still running on behalf of this
3330 * fetch. To avoid deadlock with the ADB, we must do this
3331 * before we lock the bucket lock.
3333 fctx_stopeverything(fctx, ISC_FALSE);
3335 LOCK(&res->buckets[bucketnum].lock);
3337 fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
3339 INSIST(fctx->state == fetchstate_active ||
3340 fctx->state == fetchstate_done);
3341 INSIST(fctx->want_shutdown);
3343 if (fctx->state != fetchstate_done) {
3344 fctx->state = fetchstate_done;
3345 fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__);
3348 if (fctx->references == 0 && fctx->pending == 0 &&
3349 fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
3350 bucket_empty = fctx_unlink(fctx);
3354 UNLOCK(&res->buckets[bucketnum].lock);
3364 fctx_start(isc_task_t *task, isc_event_t *event) {
3365 fetchctx_t *fctx = event->ev_arg;
3366 isc_boolean_t done = ISC_FALSE, bucket_empty = ISC_FALSE;
3367 dns_resolver_t *res;
3368 unsigned int bucketnum;
3369 isc_boolean_t destroy = ISC_FALSE;
3371 REQUIRE(VALID_FCTX(fctx));
3376 bucketnum = fctx->bucketnum;
3380 LOCK(&res->buckets[bucketnum].lock);
3382 INSIST(fctx->state == fetchstate_init);
3383 if (fctx->want_shutdown) {
3385 * We haven't started this fctx yet, and we've been requested
3388 fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
3389 fctx->state = fetchstate_done;
3390 fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__);
3392 * Since we haven't started, we INSIST that we have no
3393 * pending ADB finds and no pending validations.
3395 INSIST(fctx->pending == 0);
3396 INSIST(fctx->nqueries == 0);
3397 INSIST(ISC_LIST_EMPTY(fctx->validators));
3398 if (fctx->references == 0) {
3400 * It's now safe to destroy this fctx.
3402 bucket_empty = fctx_unlink(fctx);
3408 * Normal fctx startup.
3410 fctx->state = fetchstate_active;
3411 fctx->totalqueries = 0;
3413 * Reset the control event for later use in shutting down
3416 ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
3417 DNS_EVENT_FETCHCONTROL, fctx_doshutdown, fctx,
3421 UNLOCK(&res->buckets[bucketnum].lock);
3424 isc_result_t result;
3429 * All is well. Start working on the fetch.
3431 result = fctx_starttimer(fctx);
3432 if (result != ISC_R_SUCCESS)
3433 fctx_done(fctx, result, __LINE__);
3435 fctx_try(fctx, ISC_FALSE, ISC_FALSE);
3436 } else if (destroy) {
3444 * Fetch Creation, Joining, and Cancelation.
3447 static inline isc_result_t
3448 fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client,
3449 dns_messageid_t id, isc_taskaction_t action, void *arg,
3450 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
3454 dns_fetchevent_t *event;
3459 * We store the task we're going to send this event to in the
3460 * sender field. We'll make the fetch the sender when we actually
3464 isc_task_attach(task, &clone);
3465 event = (dns_fetchevent_t *)
3466 isc_event_allocate(fctx->res->mctx, clone, DNS_EVENT_FETCHDONE,
3467 action, arg, sizeof(*event));
3468 if (event == NULL) {
3469 isc_task_detach(&clone);
3470 return (ISC_R_NOMEMORY);
3472 event->result = DNS_R_SERVFAIL;
3473 event->qtype = fctx->type;
3476 event->rdataset = rdataset;
3477 event->sigrdataset = sigrdataset;
3478 event->fetch = fetch;
3479 event->client = client;
3482 dns_fixedname_init(&event->foundname);
3485 * Make sure that we can store the sigrdataset in the
3486 * first event if it is needed by any of the events.
3488 if (event->sigrdataset != NULL)
3489 ISC_LIST_PREPEND(fctx->events, event, ev_link);
3491 ISC_LIST_APPEND(fctx->events, event, ev_link);
3493 fctx->client = client;
3495 fetch->magic = DNS_FETCH_MAGIC;
3496 fetch->private = fctx;
3498 return (ISC_R_SUCCESS);
3502 log_ns_ttl(fetchctx_t *fctx, const char *where) {
3503 char namebuf[DNS_NAME_FORMATSIZE];
3504 char domainbuf[DNS_NAME_FORMATSIZE];
3506 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
3507 dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
3508 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
3509 DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(10),
3510 "log_ns_ttl: fctx %p: %s: %s (in '%s'?): %u %u",
3511 fctx, where, namebuf, domainbuf,
3512 fctx->ns_ttl_ok, fctx->ns_ttl);
3516 fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
3517 dns_name_t *domain, dns_rdataset_t *nameservers,
3518 unsigned int options, unsigned int bucketnum, unsigned int depth,
3522 isc_result_t result;
3523 isc_result_t iresult;
3524 isc_interval_t interval;
3525 dns_fixedname_t fixed;
3526 unsigned int findoptions = 0;
3527 char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE];
3528 char typebuf[DNS_RDATATYPE_FORMATSIZE];
3533 * Caller must be holding the lock for bucket number 'bucketnum'.
3535 REQUIRE(fctxp != NULL && *fctxp == NULL);
3537 mctx = res->buckets[bucketnum].mctx;
3538 fctx = isc_mem_get(mctx, sizeof(*fctx));
3540 return (ISC_R_NOMEMORY);
3541 dns_name_format(name, buf, sizeof(buf));
3542 dns_rdatatype_format(type, typebuf, sizeof(typebuf));
3543 strcat(buf, "/"); /* checked */
3544 strcat(buf, typebuf); /* checked */
3545 fctx->info = isc_mem_strdup(mctx, buf);
3546 if (fctx->info == NULL) {
3547 result = ISC_R_NOMEMORY;
3550 FCTXTRACE("create");
3551 dns_name_init(&fctx->name, NULL);
3552 result = dns_name_dup(name, mctx, &fctx->name);
3553 if (result != ISC_R_SUCCESS)
3555 dns_name_init(&fctx->domain, NULL);
3556 dns_rdataset_init(&fctx->nameservers);
3559 fctx->options = options;
3561 * Note! We do not attach to the task. We are relying on the
3562 * resolver to ensure that this task doesn't go away while we are
3566 fctx->references = 0;
3567 fctx->bucketnum = bucketnum;
3568 fctx->state = fetchstate_init;
3569 fctx->want_shutdown = ISC_FALSE;
3570 fctx->cloned = ISC_FALSE;
3571 fctx->depth = depth;
3572 ISC_LIST_INIT(fctx->queries);
3573 ISC_LIST_INIT(fctx->finds);
3574 ISC_LIST_INIT(fctx->altfinds);
3575 ISC_LIST_INIT(fctx->forwaddrs);
3576 ISC_LIST_INIT(fctx->altaddrs);
3577 ISC_LIST_INIT(fctx->forwarders);
3578 fctx->fwdpolicy = dns_fwdpolicy_none;
3579 ISC_LIST_INIT(fctx->bad);
3580 ISC_LIST_INIT(fctx->edns);
3581 ISC_LIST_INIT(fctx->edns512);
3582 ISC_LIST_INIT(fctx->bad_edns);
3583 ISC_LIST_INIT(fctx->validators);
3584 fctx->validator = NULL;
3586 fctx->altfind = NULL;
3589 fctx->querysent = 0;
3590 fctx->totalqueries = 0;
3591 fctx->referrals = 0;
3592 TIME_NOW(&fctx->start);
3594 fctx->lamecount = 0;
3600 fctx->result = ISC_R_FAILURE;
3601 fctx->vresult = ISC_R_SUCCESS;
3602 fctx->exitline = -1; /* sentinel */
3603 fctx->logged = ISC_FALSE;
3604 fctx->attributes = 0;
3605 fctx->spilled = ISC_FALSE;
3607 fctx->reason = NULL;
3609 fctx->rand_bits = 0;
3610 fctx->timeout = ISC_FALSE;
3611 fctx->addrinfo = NULL;
3612 fctx->client = NULL;
3614 fctx->ns_ttl_ok = ISC_FALSE;
3616 dns_name_init(&fctx->nsname, NULL);
3617 fctx->nsfetch = NULL;
3618 dns_rdataset_init(&fctx->nsrrset);
3620 if (domain == NULL) {
3621 dns_forwarders_t *forwarders = NULL;
3622 unsigned int labels;
3623 dns_name_t *fwdname = name;
3626 * DS records are found in the parent server.
3627 * Strip label to get the correct forwarder (if any).
3629 if (dns_rdatatype_atparent(fctx->type) &&
3630 dns_name_countlabels(name) > 1) {
3631 dns_name_init(&suffix, NULL);
3632 labels = dns_name_countlabels(name);
3633 dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
3636 dns_fixedname_init(&fixed);
3637 domain = dns_fixedname_name(&fixed);
3638 result = dns_fwdtable_find2(fctx->res->view->fwdtable, fwdname,
3639 domain, &forwarders);
3640 if (result == ISC_R_SUCCESS)
3641 fctx->fwdpolicy = forwarders->fwdpolicy;
3643 if (fctx->fwdpolicy != dns_fwdpolicy_only) {
3645 * The caller didn't supply a query domain and
3646 * nameservers, and we're not in forward-only mode,
3647 * so find the best nameservers to use.
3649 if (dns_rdatatype_atparent(fctx->type))
3650 findoptions |= DNS_DBFIND_NOEXACT;
3651 result = dns_view_findzonecut(res->view, fwdname,
3652 domain, 0, findoptions,
3656 if (result != ISC_R_SUCCESS)
3659 result = dns_name_dup(domain, mctx, &fctx->domain);
3660 if (result != ISC_R_SUCCESS) {
3661 dns_rdataset_disassociate(&fctx->nameservers);
3664 fctx->ns_ttl = fctx->nameservers.ttl;
3665 fctx->ns_ttl_ok = ISC_TRUE;
3668 * We're in forward-only mode. Set the query domain.
3670 result = dns_name_dup(domain, mctx, &fctx->domain);
3671 if (result != ISC_R_SUCCESS)
3675 result = dns_name_dup(domain, mctx, &fctx->domain);
3676 if (result != ISC_R_SUCCESS)
3678 dns_rdataset_clone(nameservers, &fctx->nameservers);
3679 fctx->ns_ttl = fctx->nameservers.ttl;
3680 fctx->ns_ttl_ok = ISC_TRUE;
3683 log_ns_ttl(fctx, "fctx_create");
3685 INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain));
3687 fctx->qmessage = NULL;
3688 result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
3691 if (result != ISC_R_SUCCESS)
3692 goto cleanup_domain;
3694 fctx->rmessage = NULL;
3695 result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
3698 if (result != ISC_R_SUCCESS)
3699 goto cleanup_qmessage;
3702 * Compute an expiration time for the entire fetch.
3704 isc_interval_set(&interval, res->query_timeout, 0);
3705 iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
3706 if (iresult != ISC_R_SUCCESS) {
3707 UNEXPECTED_ERROR(__FILE__, __LINE__,
3708 "isc_time_nowplusinterval: %s",
3709 isc_result_totext(iresult));
3710 result = ISC_R_UNEXPECTED;
3711 goto cleanup_rmessage;
3715 * Default retry interval initialization. We set the interval now
3716 * mostly so it won't be uninitialized. It will be set to the
3717 * correct value before a query is issued.
3719 isc_interval_set(&fctx->interval, 2, 0);
3722 * Create an inactive timer. It will be made active when the fetch
3723 * is actually started.
3726 iresult = isc_timer_create(res->timermgr, isc_timertype_inactive,
3728 res->buckets[bucketnum].task, fctx_timeout,
3729 fctx, &fctx->timer);
3730 if (iresult != ISC_R_SUCCESS) {
3731 UNEXPECTED_ERROR(__FILE__, __LINE__,
3732 "isc_timer_create: %s",
3733 isc_result_totext(iresult));
3734 result = ISC_R_UNEXPECTED;
3735 goto cleanup_rmessage;
3739 * Attach to the view's cache and adb.
3742 dns_db_attach(res->view->cachedb, &fctx->cache);
3744 dns_adb_attach(res->view->adb, &fctx->adb);
3746 isc_mem_attach(mctx, &fctx->mctx);
3748 ISC_LIST_INIT(fctx->events);
3749 ISC_LINK_INIT(fctx, link);
3750 fctx->magic = FCTX_MAGIC;
3752 ISC_LIST_APPEND(res->buckets[bucketnum].fctxs, fctx, link);
3756 UNLOCK(&res->nlock);
3760 return (ISC_R_SUCCESS);
3763 dns_message_destroy(&fctx->rmessage);
3766 dns_message_destroy(&fctx->qmessage);
3769 if (dns_name_countlabels(&fctx->domain) > 0)
3770 dns_name_free(&fctx->domain, mctx);
3771 if (dns_rdataset_isassociated(&fctx->nameservers))
3772 dns_rdataset_disassociate(&fctx->nameservers);
3775 dns_name_free(&fctx->name, mctx);
3778 isc_mem_free(mctx, fctx->info);
3781 isc_mem_put(mctx, fctx, sizeof(*fctx));
3789 static inline isc_boolean_t
3790 is_lame(fetchctx_t *fctx) {
3791 dns_message_t *message = fctx->rmessage;
3793 dns_rdataset_t *rdataset;
3794 isc_result_t result;
3796 if (message->rcode != dns_rcode_noerror &&
3797 message->rcode != dns_rcode_nxdomain)
3800 if (message->counts[DNS_SECTION_ANSWER] != 0)
3803 if (message->counts[DNS_SECTION_AUTHORITY] == 0)
3806 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
3807 while (result == ISC_R_SUCCESS) {
3809 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
3810 for (rdataset = ISC_LIST_HEAD(name->list);
3812 rdataset = ISC_LIST_NEXT(rdataset, link)) {
3813 dns_namereln_t namereln;
3815 unsigned int labels;
3816 if (rdataset->type != dns_rdatatype_ns)
3818 namereln = dns_name_fullcompare(name, &fctx->domain,
3820 if (namereln == dns_namereln_equal &&
3821 (message->flags & DNS_MESSAGEFLAG_AA) != 0)
3823 if (namereln == dns_namereln_subdomain)
3827 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
3834 log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
3835 char namebuf[DNS_NAME_FORMATSIZE];
3836 char domainbuf[DNS_NAME_FORMATSIZE];
3837 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
3839 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
3840 dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
3841 isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
3842 isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
3843 DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
3844 "lame server resolving '%s' (in '%s'?): %s",
3845 namebuf, domainbuf, addrbuf);
3849 log_formerr(fetchctx_t *fctx, const char *format, ...) {
3850 char nsbuf[ISC_SOCKADDR_FORMATSIZE];
3851 char clbuf[ISC_SOCKADDR_FORMATSIZE];
3852 const char *clmsg = "";
3856 va_start(args, format);
3857 vsnprintf(msgbuf, sizeof(msgbuf), format, args);
3860 isc_sockaddr_format(&fctx->addrinfo->sockaddr, nsbuf, sizeof(nsbuf));
3862 if (fctx->client != NULL) {
3863 clmsg = " for client ";
3864 isc_sockaddr_format(fctx->client, clbuf, sizeof(clbuf));
3869 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
3870 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
3871 "DNS format error from %s resolving %s%s%s: %s",
3872 nsbuf, fctx->info, clmsg, clbuf, msgbuf);
3875 static inline isc_result_t
3876 same_question(fetchctx_t *fctx) {
3877 isc_result_t result;
3878 dns_message_t *message = fctx->rmessage;
3880 dns_rdataset_t *rdataset;
3883 * Caller must be holding the fctx lock.
3887 * XXXRTH Currently we support only one question.
3889 if (message->counts[DNS_SECTION_QUESTION] != 1) {
3890 log_formerr(fctx, "too many questions");
3891 return (DNS_R_FORMERR);
3894 result = dns_message_firstname(message, DNS_SECTION_QUESTION);
3895 if (result != ISC_R_SUCCESS)
3898 dns_message_currentname(message, DNS_SECTION_QUESTION, &name);
3899 rdataset = ISC_LIST_HEAD(name->list);
3900 INSIST(rdataset != NULL);
3901 INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
3903 if (fctx->type != rdataset->type ||
3904 fctx->res->rdclass != rdataset->rdclass ||
3905 !dns_name_equal(&fctx->name, name)) {
3906 char namebuf[DNS_NAME_FORMATSIZE];
3907 char class[DNS_RDATACLASS_FORMATSIZE];
3908 char type[DNS_RDATATYPE_FORMATSIZE];
3910 dns_name_format(name, namebuf, sizeof(namebuf));
3911 dns_rdataclass_format(rdataset->rdclass, class, sizeof(class));
3912 dns_rdatatype_format(rdataset->type, type, sizeof(type));
3913 log_formerr(fctx, "question section mismatch: got %s/%s/%s",
3914 namebuf, class, type);
3915 return (DNS_R_FORMERR);
3918 return (ISC_R_SUCCESS);
3922 clone_results(fetchctx_t *fctx) {
3923 dns_fetchevent_t *event, *hevent;
3924 isc_result_t result;
3925 dns_name_t *name, *hname;
3927 FCTXTRACE("clone_results");
3930 * Set up any other events to have the same data as the first
3933 * Caller must be holding the appropriate lock.
3936 fctx->cloned = ISC_TRUE;
3937 hevent = ISC_LIST_HEAD(fctx->events);
3940 hname = dns_fixedname_name(&hevent->foundname);
3941 for (event = ISC_LIST_NEXT(hevent, ev_link);
3943 event = ISC_LIST_NEXT(event, ev_link)) {
3944 name = dns_fixedname_name(&event->foundname);
3945 result = dns_name_copy(hname, name, NULL);
3946 if (result != ISC_R_SUCCESS)
3947 event->result = result;
3949 event->result = hevent->result;
3950 dns_db_attach(hevent->db, &event->db);
3951 dns_db_attachnode(hevent->db, hevent->node, &event->node);
3952 INSIST(hevent->rdataset != NULL);
3953 INSIST(event->rdataset != NULL);
3954 if (dns_rdataset_isassociated(hevent->rdataset))
3955 dns_rdataset_clone(hevent->rdataset, event->rdataset);
3956 INSIST(! (hevent->sigrdataset == NULL &&
3957 event->sigrdataset != NULL));
3958 if (hevent->sigrdataset != NULL &&
3959 dns_rdataset_isassociated(hevent->sigrdataset) &&
3960 event->sigrdataset != NULL)
3961 dns_rdataset_clone(hevent->sigrdataset,
3962 event->sigrdataset);
3966 #define CACHE(r) (((r)->attributes & DNS_RDATASETATTR_CACHE) != 0)
3967 #define ANSWER(r) (((r)->attributes & DNS_RDATASETATTR_ANSWER) != 0)
3968 #define ANSWERSIG(r) (((r)->attributes & DNS_RDATASETATTR_ANSWERSIG) != 0)
3969 #define EXTERNAL(r) (((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0)
3970 #define CHAINING(r) (((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0)
3971 #define CHASE(r) (((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
3972 #define CHECKNAMES(r) (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
3976 * Destroy '*fctx' if it is ready to be destroyed (i.e., if it has
3977 * no references and is no longer waiting for any events).
3980 * '*fctx' is shutting down.
3983 * true if the resolver is exiting and this is the last fctx in the bucket.
3985 static isc_boolean_t
3986 maybe_destroy(fetchctx_t *fctx, isc_boolean_t locked) {
3987 unsigned int bucketnum;
3988 isc_boolean_t bucket_empty = ISC_FALSE;
3989 dns_resolver_t *res = fctx->res;
3990 dns_validator_t *validator, *next_validator;
3991 isc_boolean_t destroy = ISC_FALSE;
3993 REQUIRE(SHUTTINGDOWN(fctx));
3995 bucketnum = fctx->bucketnum;
3997 LOCK(&res->buckets[bucketnum].lock);
3998 if (fctx->pending != 0 || fctx->nqueries != 0)
4001 for (validator = ISC_LIST_HEAD(fctx->validators);
4002 validator != NULL; validator = next_validator) {
4003 next_validator = ISC_LIST_NEXT(validator, link);
4004 dns_validator_cancel(validator);
4007 if (fctx->references == 0 && ISC_LIST_EMPTY(fctx->validators)) {
4008 bucket_empty = fctx_unlink(fctx);
4013 UNLOCK(&res->buckets[bucketnum].lock);
4016 return (bucket_empty);
4020 * The validator has finished.
4023 validated(isc_task_t *task, isc_event_t *event) {
4024 dns_adbaddrinfo_t *addrinfo;
4025 dns_dbnode_t *node = NULL;
4026 dns_dbnode_t *nsnode = NULL;
4027 dns_fetchevent_t *hevent;
4029 dns_rdataset_t *ardataset = NULL;
4030 dns_rdataset_t *asigrdataset = NULL;
4031 dns_rdataset_t *rdataset;
4032 dns_rdataset_t *sigrdataset;
4033 dns_resolver_t *res;
4034 dns_valarg_t *valarg;
4035 dns_validatorevent_t *vevent;
4037 isc_boolean_t chaining;
4038 isc_boolean_t negative;
4039 isc_boolean_t sentresponse;
4040 isc_result_t eresult = ISC_R_SUCCESS;
4041 isc_result_t result = ISC_R_SUCCESS;
4045 UNUSED(task); /* for now */
4047 REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE);
4048 valarg = event->ev_arg;
4049 fctx = valarg->fctx;
4051 addrinfo = valarg->addrinfo;
4052 REQUIRE(VALID_FCTX(fctx));
4053 REQUIRE(!ISC_LIST_EMPTY(fctx->validators));
4055 vevent = (dns_validatorevent_t *)event;
4056 fctx->vresult = vevent->result;
4058 FCTXTRACE("received validation completion event");
4060 LOCK(&res->buckets[fctx->bucketnum].lock);
4062 ISC_LIST_UNLINK(fctx->validators, vevent->validator, link);
4063 fctx->validator = NULL;
4066 * Destroy the validator early so that we can
4067 * destroy the fctx if necessary.
4069 dns_validator_destroy(&vevent->validator);
4070 isc_mem_put(fctx->mctx, valarg, sizeof(*valarg));
4072 negative = ISC_TF(vevent->rdataset == NULL);
4074 sentresponse = ISC_TF((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0);
4077 * If shutting down, ignore the results. Check to see if we're
4078 * done waiting for validator completions and ADB pending events; if
4079 * so, destroy the fctx.
4081 if (SHUTTINGDOWN(fctx) && !sentresponse) {
4082 isc_uint32_t bucketnum = fctx->bucketnum;
4083 isc_boolean_t bucket_empty;
4084 bucket_empty = maybe_destroy(fctx, ISC_TRUE);
4085 UNLOCK(&res->buckets[bucketnum].lock);
4091 isc_stdtime_get(&now);
4094 * If chaining, we need to make sure that the right result code is
4095 * returned, and that the rdatasets are bound.
4097 if (vevent->result == ISC_R_SUCCESS &&
4099 vevent->rdataset != NULL &&
4100 CHAINING(vevent->rdataset))
4102 if (vevent->rdataset->type == dns_rdatatype_cname)
4103 eresult = DNS_R_CNAME;
4105 INSIST(vevent->rdataset->type == dns_rdatatype_dname);
4106 eresult = DNS_R_DNAME;
4108 chaining = ISC_TRUE;
4110 chaining = ISC_FALSE;
4113 * Either we're not shutting down, or we are shutting down but want
4114 * to cache the result anyway (if this was a validation started by
4115 * a query with cd set)
4118 hevent = ISC_LIST_HEAD(fctx->events);
4119 if (hevent != NULL) {
4120 if (!negative && !chaining &&
4121 (fctx->type == dns_rdatatype_any ||
4122 fctx->type == dns_rdatatype_rrsig ||
4123 fctx->type == dns_rdatatype_sig)) {
4125 * Don't bind rdatasets; the caller
4126 * will iterate the node.
4129 ardataset = hevent->rdataset;
4130 asigrdataset = hevent->sigrdataset;
4134 if (vevent->result != ISC_R_SUCCESS) {
4135 FCTXTRACE("validation failed");
4136 inc_stats(res, dns_resstatscounter_valfail);
4138 fctx->vresult = vevent->result;
4139 if (fctx->vresult != DNS_R_BROKENCHAIN) {
4140 result = ISC_R_NOTFOUND;
4141 if (vevent->rdataset != NULL)
4142 result = dns_db_findnode(fctx->cache,
4145 if (result == ISC_R_SUCCESS)
4146 (void)dns_db_deleterdataset(fctx->cache, node,
4149 if (result == ISC_R_SUCCESS &&
4150 vevent->sigrdataset != NULL)
4151 (void)dns_db_deleterdataset(fctx->cache, node,
4153 dns_rdatatype_rrsig,
4155 if (result == ISC_R_SUCCESS)
4156 dns_db_detachnode(fctx->cache, &node);
4158 if (fctx->vresult == DNS_R_BROKENCHAIN && !negative) {
4160 * Cache the data as pending for later validation.
4162 result = ISC_R_NOTFOUND;
4163 if (vevent->rdataset != NULL)
4164 result = dns_db_findnode(fctx->cache,
4167 if (result == ISC_R_SUCCESS) {
4168 (void)dns_db_addrdataset(fctx->cache, node,
4170 vevent->rdataset, 0,
4173 if (result == ISC_R_SUCCESS &&
4174 vevent->sigrdataset != NULL)
4175 (void)dns_db_addrdataset(fctx->cache, node,
4177 vevent->sigrdataset,
4179 if (result == ISC_R_SUCCESS)
4180 dns_db_detachnode(fctx->cache, &node);
4182 result = fctx->vresult;
4183 add_bad(fctx, addrinfo, result, badns_validation);
4184 isc_event_free(&event);
4185 UNLOCK(&res->buckets[fctx->bucketnum].lock);
4186 INSIST(fctx->validator == NULL);
4187 fctx->validator = ISC_LIST_HEAD(fctx->validators);
4188 if (fctx->validator != NULL)
4189 dns_validator_send(fctx->validator);
4190 else if (sentresponse)
4191 fctx_done(fctx, result, __LINE__); /* Locks bucket. */
4192 else if (result == DNS_R_BROKENCHAIN) {
4193 isc_result_t tresult;
4197 isc_interval_set(&i, DNS_BADCACHE_TTL(fctx), 0);
4198 tresult = isc_time_nowplusinterval(&expire, &i);
4200 (fctx->type == dns_rdatatype_dnskey ||
4201 fctx->type == dns_rdatatype_dlv ||
4202 fctx->type == dns_rdatatype_ds) &&
4203 tresult == ISC_R_SUCCESS)
4204 dns_resolver_addbadcache(res, &fctx->name,
4205 fctx->type, &expire);
4206 fctx_done(fctx, result, __LINE__); /* Locks bucket. */
4208 fctx_try(fctx, ISC_TRUE, ISC_TRUE); /* Locks bucket. */
4214 dns_rdatatype_t covers;
4215 FCTXTRACE("nonexistence validation OK");
4217 inc_stats(res, dns_resstatscounter_valnegsuccess);
4219 if (fctx->rmessage->rcode == dns_rcode_nxdomain)
4220 covers = dns_rdatatype_any;
4222 covers = fctx->type;
4224 result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE,
4226 if (result != ISC_R_SUCCESS)
4227 goto noanswer_response;
4230 * If we are asking for a SOA record set the cache time
4231 * to zero to facilitate locating the containing zone of
4234 ttl = res->view->maxncachettl;
4235 if (fctx->type == dns_rdatatype_soa &&
4236 covers == dns_rdatatype_any && res->zero_no_soa_ttl)
4239 result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
4240 covers, now, ttl, vevent->optout,
4241 vevent->secure, ardataset, &eresult);
4242 if (result != ISC_R_SUCCESS)
4243 goto noanswer_response;
4244 goto answer_response;
4246 inc_stats(res, dns_resstatscounter_valsuccess);
4248 FCTXTRACE("validation OK");
4250 if (vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF] != NULL) {
4251 result = dns_rdataset_addnoqname(vevent->rdataset,
4252 vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF]);
4253 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4254 INSIST(vevent->sigrdataset != NULL);
4255 vevent->sigrdataset->ttl = vevent->rdataset->ttl;
4256 if (vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER] != NULL) {
4257 result = dns_rdataset_addclosest(vevent->rdataset,
4258 vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER]);
4259 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4261 } else if (vevent->rdataset->trust == dns_trust_answer &&
4262 vevent->rdataset->type != dns_rdatatype_rrsig)
4264 isc_result_t tresult;
4265 dns_name_t *noqname = NULL;
4266 tresult = findnoqname(fctx, vevent->name,
4267 vevent->rdataset->type, &noqname);
4268 if (tresult == ISC_R_SUCCESS && noqname != NULL) {
4269 tresult = dns_rdataset_addnoqname(vevent->rdataset,
4271 RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
4276 * The data was already cached as pending data.
4277 * Re-cache it as secure and bind the cached
4278 * rdatasets to the first event on the fetch
4281 result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE, &node);
4282 if (result != ISC_R_SUCCESS)
4283 goto noanswer_response;
4285 result = dns_db_addrdataset(fctx->cache, node, NULL, now,
4286 vevent->rdataset, 0, ardataset);
4287 if (result != ISC_R_SUCCESS &&
4288 result != DNS_R_UNCHANGED)
4289 goto noanswer_response;
4290 if (ardataset != NULL && NEGATIVE(ardataset)) {
4291 if (NXDOMAIN(ardataset))
4292 eresult = DNS_R_NCACHENXDOMAIN;
4294 eresult = DNS_R_NCACHENXRRSET;
4295 } else if (vevent->sigrdataset != NULL) {
4296 result = dns_db_addrdataset(fctx->cache, node, NULL, now,
4297 vevent->sigrdataset, 0,
4299 if (result != ISC_R_SUCCESS &&
4300 result != DNS_R_UNCHANGED)
4301 goto noanswer_response;
4305 isc_boolean_t bucket_empty = ISC_FALSE;
4307 * If we only deferred the destroy because we wanted to cache
4308 * the data, destroy now.
4310 dns_db_detachnode(fctx->cache, &node);
4311 if (SHUTTINGDOWN(fctx))
4312 bucket_empty = maybe_destroy(fctx, ISC_TRUE);
4313 UNLOCK(&res->buckets[fctx->bucketnum].lock);
4319 if (!ISC_LIST_EMPTY(fctx->validators)) {
4321 INSIST(fctx->type == dns_rdatatype_any ||
4322 fctx->type == dns_rdatatype_rrsig ||
4323 fctx->type == dns_rdatatype_sig);
4325 * Don't send a response yet - we have
4326 * more rdatasets that still need to
4329 dns_db_detachnode(fctx->cache, &node);
4330 UNLOCK(&res->buckets[fctx->bucketnum].lock);
4331 dns_validator_send(ISC_LIST_HEAD(fctx->validators));
4337 * Cache any NS/NSEC records that happened to be validated.
4339 result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
4340 while (result == ISC_R_SUCCESS) {
4342 dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
4344 for (rdataset = ISC_LIST_HEAD(name->list);
4346 rdataset = ISC_LIST_NEXT(rdataset, link)) {
4347 if ((rdataset->type != dns_rdatatype_ns &&
4348 rdataset->type != dns_rdatatype_nsec) ||
4349 rdataset->trust != dns_trust_secure)
4351 for (sigrdataset = ISC_LIST_HEAD(name->list);
4352 sigrdataset != NULL;
4353 sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
4354 if (sigrdataset->type != dns_rdatatype_rrsig ||
4355 sigrdataset->covers != rdataset->type)
4359 if (sigrdataset == NULL ||
4360 sigrdataset->trust != dns_trust_secure)
4362 result = dns_db_findnode(fctx->cache, name, ISC_TRUE,
4364 if (result != ISC_R_SUCCESS)
4367 result = dns_db_addrdataset(fctx->cache, nsnode, NULL,
4368 now, rdataset, 0, NULL);
4369 if (result == ISC_R_SUCCESS)
4370 result = dns_db_addrdataset(fctx->cache, nsnode,
4374 dns_db_detachnode(fctx->cache, &nsnode);
4375 if (result != ISC_R_SUCCESS)
4378 result = dns_message_nextname(fctx->rmessage,
4379 DNS_SECTION_AUTHORITY);
4382 result = ISC_R_SUCCESS;
4385 * Respond with an answer, positive or negative,
4386 * as opposed to an error. 'node' must be non-NULL.
4389 fctx->attributes |= FCTX_ATTR_HAVEANSWER;
4391 if (hevent != NULL) {
4393 * Negative results must be indicated in event->result.
4395 if (dns_rdataset_isassociated(hevent->rdataset) &&
4396 NEGATIVE(hevent->rdataset)) {
4397 INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
4398 eresult == DNS_R_NCACHENXRRSET);
4400 hevent->result = eresult;
4401 RUNTIME_CHECK(dns_name_copy(vevent->name,
4402 dns_fixedname_name(&hevent->foundname), NULL)
4404 dns_db_attach(fctx->cache, &hevent->db);
4405 dns_db_transfernode(fctx->cache, &node, &hevent->node);
4406 clone_results(fctx);
4411 dns_db_detachnode(fctx->cache, &node);
4413 UNLOCK(&res->buckets[fctx->bucketnum].lock);
4414 fctx_done(fctx, result, __LINE__); /* Locks bucket. */
4417 INSIST(node == NULL);
4418 isc_event_free(&event);
4422 fctx_log(void *arg, int level, const char *fmt, ...) {
4425 fetchctx_t *fctx = arg;
4427 va_start(args, fmt);
4428 vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
4431 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
4432 DNS_LOGMODULE_RESOLVER, level,
4433 "fctx %p(%s): %s", fctx, fctx->info, msgbuf);
4436 static inline isc_result_t
4437 findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
4438 dns_name_t **noqnamep)
4440 dns_rdataset_t *nrdataset, *next, *sigrdataset;
4441 dns_rdata_rrsig_t rrsig;
4442 isc_result_t result;
4443 unsigned int labels;
4444 dns_section_t section;
4445 dns_name_t *zonename;
4446 dns_fixedname_t fzonename;
4447 dns_name_t *closest;
4448 dns_fixedname_t fclosest;
4449 dns_name_t *nearest;
4450 dns_fixedname_t fnearest;
4451 dns_rdatatype_t found = dns_rdatatype_none;
4452 dns_name_t *noqname = NULL;
4454 FCTXTRACE("findnoqname");
4456 REQUIRE(noqnamep != NULL && *noqnamep == NULL);
4459 * Find the SIG for this rdataset, if we have it.
4461 for (sigrdataset = ISC_LIST_HEAD(name->list);
4462 sigrdataset != NULL;
4463 sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
4464 if (sigrdataset->type == dns_rdatatype_rrsig &&
4465 sigrdataset->covers == type)
4469 if (sigrdataset == NULL)
4470 return (ISC_R_NOTFOUND);
4472 labels = dns_name_countlabels(name);
4474 for (result = dns_rdataset_first(sigrdataset);
4475 result == ISC_R_SUCCESS;
4476 result = dns_rdataset_next(sigrdataset)) {
4477 dns_rdata_t rdata = DNS_RDATA_INIT;
4478 dns_rdataset_current(sigrdataset, &rdata);
4479 result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
4480 RUNTIME_CHECK(result == ISC_R_SUCCESS);
4481 /* Wildcard has rrsig.labels < labels - 1. */
4482 if (rrsig.labels + 1U >= labels)
4487 if (result == ISC_R_NOMORE)
4488 return (ISC_R_NOTFOUND);
4489 if (result != ISC_R_SUCCESS)
4492 dns_fixedname_init(&fzonename);
4493 zonename = dns_fixedname_name(&fzonename);
4494 dns_fixedname_init(&fclosest);
4495 closest = dns_fixedname_name(&fclosest);
4496 dns_fixedname_init(&fnearest);
4497 nearest = dns_fixedname_name(&fnearest);
4499 #define NXND(x) ((x) == ISC_R_SUCCESS)
4501 section = DNS_SECTION_AUTHORITY;
4502 for (result = dns_message_firstname(fctx->rmessage, section);
4503 result == ISC_R_SUCCESS;
4504 result = dns_message_nextname(fctx->rmessage, section)) {
4505 dns_name_t *nsec = NULL;
4506 dns_message_currentname(fctx->rmessage, section, &nsec);
4507 for (nrdataset = ISC_LIST_HEAD(nsec->list);
4508 nrdataset != NULL; nrdataset = next) {
4509 isc_boolean_t data = ISC_FALSE, exists = ISC_FALSE;
4510 isc_boolean_t optout = ISC_FALSE, unknown = ISC_FALSE;
4511 isc_boolean_t setclosest = ISC_FALSE;
4512 isc_boolean_t setnearest = ISC_FALSE;
4514 next = ISC_LIST_NEXT(nrdataset, link);
4515 if (nrdataset->type != dns_rdatatype_nsec &&
4516 nrdataset->type != dns_rdatatype_nsec3)
4519 if (nrdataset->type == dns_rdatatype_nsec &&
4520 NXND(dns_nsec_noexistnodata(type, name, nsec,
4522 &data, NULL, fctx_log,
4527 found = dns_rdatatype_nsec;
4531 if (nrdataset->type == dns_rdatatype_nsec3 &&
4532 NXND(dns_nsec3_noexistnodata(type, name, nsec,
4533 nrdataset, zonename,
4541 if (!exists && setnearest) {
4543 found = dns_rdatatype_nsec3;
4548 if (result == ISC_R_NOMORE)
4549 result = ISC_R_SUCCESS;
4550 if (noqname != NULL) {
4551 for (sigrdataset = ISC_LIST_HEAD(noqname->list);
4552 sigrdataset != NULL;
4553 sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
4554 if (sigrdataset->type == dns_rdatatype_rrsig &&
4555 sigrdataset->covers == found)
4558 if (sigrdataset != NULL)
4559 *noqnamep = noqname;
4564 static inline isc_result_t
4565 cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
4568 dns_rdataset_t *rdataset, *sigrdataset;
4569 dns_rdataset_t *addedrdataset, *ardataset, *asigrdataset;
4570 dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL;
4571 dns_dbnode_t *node, **anodep;
4574 dns_resolver_t *res;
4575 isc_boolean_t need_validation, secure_domain, have_answer;
4576 isc_result_t result, eresult;
4577 dns_fetchevent_t *event;
4578 unsigned int options;
4581 unsigned int valoptions = 0;
4584 * The appropriate bucket lock must be held.
4588 need_validation = ISC_FALSE;
4589 POST(need_validation);
4590 secure_domain = ISC_FALSE;
4591 have_answer = ISC_FALSE;
4592 eresult = ISC_R_SUCCESS;
4593 task = res->buckets[fctx->bucketnum].task;
4596 * Is DNSSEC validation required for this name?
4598 if (res->view->enablevalidation) {
4599 result = dns_view_issecuredomain(res->view, name,
4601 if (result != ISC_R_SUCCESS)
4604 if (!secure_domain && res->view->dlv != NULL) {
4605 valoptions = DNS_VALIDATOR_DLV;
4606 secure_domain = ISC_TRUE;
4610 if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
4611 need_validation = ISC_FALSE;
4613 need_validation = secure_domain;
4619 asigrdataset = NULL;
4621 if ((name->attributes & DNS_NAMEATTR_ANSWER) != 0 &&
4623 have_answer = ISC_TRUE;
4624 event = ISC_LIST_HEAD(fctx->events);
4625 if (event != NULL) {
4627 aname = dns_fixedname_name(&event->foundname);
4628 result = dns_name_copy(name, aname, NULL);
4629 if (result != ISC_R_SUCCESS)
4631 anodep = &event->node;
4633 * If this is an ANY, SIG or RRSIG query, we're not
4634 * going to return any rdatasets, unless we encountered
4635 * a CNAME or DNAME as "the answer". In this case,
4636 * we're going to return DNS_R_CNAME or DNS_R_DNAME
4637 * and we must set up the rdatasets.
4639 if ((fctx->type != dns_rdatatype_any &&
4640 fctx->type != dns_rdatatype_rrsig &&
4641 fctx->type != dns_rdatatype_sig) ||
4642 (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
4643 ardataset = event->rdataset;
4644 asigrdataset = event->sigrdataset;
4650 * Find or create the cache node.
4653 result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
4654 if (result != ISC_R_SUCCESS)
4658 * Cache or validate each cacheable rdataset.
4660 fail = ISC_TF((fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL) != 0);
4661 for (rdataset = ISC_LIST_HEAD(name->list);
4663 rdataset = ISC_LIST_NEXT(rdataset, link)) {
4664 if (!CACHE(rdataset))
4666 if (CHECKNAMES(rdataset)) {
4667 char namebuf[DNS_NAME_FORMATSIZE];
4668 char typebuf[DNS_RDATATYPE_FORMATSIZE];
4669 char classbuf[DNS_RDATATYPE_FORMATSIZE];
4671 dns_name_format(name, namebuf, sizeof(namebuf));
4672 dns_rdatatype_format(rdataset->type, typebuf,
4674 dns_rdataclass_format(rdataset->rdclass, classbuf,
4676 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
4677 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
4678 "check-names %s %s/%s/%s",
4679 fail ? "failure" : "warning",
4680 namebuf, typebuf, classbuf);
4682 if (ANSWER(rdataset)) {
4683 dns_db_detachnode(fctx->cache, &node);
4684 return (DNS_R_BADNAME);
4691 * Enforce the configure maximum cache TTL.
4693 if (rdataset->ttl > res->view->maxcachettl)
4694 rdataset->ttl = res->view->maxcachettl;
4697 * Find the SIG for this rdataset, if we have it.
4699 for (sigrdataset = ISC_LIST_HEAD(name->list);
4700 sigrdataset != NULL;
4701 sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
4702 if (sigrdataset->type == dns_rdatatype_rrsig &&
4703 sigrdataset->covers == rdataset->type)
4708 * If this RRset is in a secure domain, is in bailiwick,
4709 * and is not glue, attempt DNSSEC validation. (We do not
4710 * attempt to validate glue or out-of-bailiwick data--even
4711 * though there might be some performance benefit to doing
4712 * so--because it makes it simpler and safer to ensure that
4713 * records from a secure domain are only cached if validated
4714 * within the context of a query to the domain that owns
4717 if (secure_domain && rdataset->trust != dns_trust_glue &&
4718 !EXTERNAL(rdataset)) {
4722 * RRSIGs are validated as part of validating the
4725 if (rdataset->type == dns_rdatatype_rrsig)
4728 if (sigrdataset == NULL) {
4729 if (!ANSWER(rdataset) && need_validation) {
4731 * Ignore non-answer rdatasets that
4732 * are missing signatures.
4739 * Normalize the rdataset and sigrdataset TTLs.
4741 if (sigrdataset != NULL) {
4742 rdataset->ttl = ISC_MIN(rdataset->ttl,
4744 sigrdataset->ttl = rdataset->ttl;
4748 * Cache this rdataset/sigrdataset pair as
4749 * pending data. Track whether it was additional
4752 if (rdataset->trust == dns_trust_additional)
4753 trust = dns_trust_pending_additional;
4755 trust = dns_trust_pending_answer;
4757 rdataset->trust = trust;
4758 if (sigrdataset != NULL)
4759 sigrdataset->trust = trust;
4760 if (!need_validation || !ANSWER(rdataset)) {
4761 if (ANSWER(rdataset) &&
4762 rdataset->type != dns_rdatatype_rrsig) {
4763 isc_result_t tresult;
4764 dns_name_t *noqname = NULL;
4765 tresult = findnoqname(fctx, name,
4768 if (tresult == ISC_R_SUCCESS &&
4771 dns_rdataset_addnoqname(
4773 RUNTIME_CHECK(tresult ==
4777 addedrdataset = ardataset;
4778 result = dns_db_addrdataset(fctx->cache, node,
4779 NULL, now, rdataset,
4781 if (result == DNS_R_UNCHANGED) {
4782 result = ISC_R_SUCCESS;
4783 if (!need_validation &&
4784 ardataset != NULL &&
4785 NEGATIVE(ardataset)) {
4787 * The answer in the cache is
4788 * better than the answer we
4789 * found, and is a negative
4790 * cache entry, so we must set
4791 * eresult appropriately.
4793 if (NXDOMAIN(ardataset))
4795 DNS_R_NCACHENXDOMAIN;
4798 DNS_R_NCACHENXRRSET;
4800 * We have a negative response
4801 * from the cache so don't
4802 * attempt to add the RRSIG
4808 if (result != ISC_R_SUCCESS)
4810 if (sigrdataset != NULL) {
4811 addedrdataset = asigrdataset;
4812 result = dns_db_addrdataset(fctx->cache,
4816 if (result == DNS_R_UNCHANGED)
4817 result = ISC_R_SUCCESS;
4818 if (result != ISC_R_SUCCESS)
4820 } else if (!ANSWER(rdataset))
4824 if (ANSWER(rdataset) && need_validation) {
4825 if (fctx->type != dns_rdatatype_any &&
4826 fctx->type != dns_rdatatype_rrsig &&
4827 fctx->type != dns_rdatatype_sig) {
4829 * This is The Answer. We will
4830 * validate it, but first we cache
4831 * the rest of the response - it may
4832 * contain useful keys.
4834 INSIST(valrdataset == NULL &&
4835 valsigrdataset == NULL);
4836 valrdataset = rdataset;
4837 valsigrdataset = sigrdataset;
4840 * This is one of (potentially)
4841 * multiple answers to an ANY
4842 * or SIG query. To keep things
4843 * simple, we just start the
4844 * validator right away rather
4845 * than caching first and
4846 * having to remember which
4847 * rdatasets needed validation.
4849 result = valcreate(fctx, addrinfo,
4850 name, rdataset->type,
4855 } else if (CHAINING(rdataset)) {
4856 if (rdataset->type == dns_rdatatype_cname)
4857 eresult = DNS_R_CNAME;
4859 INSIST(rdataset->type ==
4860 dns_rdatatype_dname);
4861 eresult = DNS_R_DNAME;
4864 } else if (!EXTERNAL(rdataset)) {
4866 * It's OK to cache this rdataset now.
4868 if (ANSWER(rdataset))
4869 addedrdataset = ardataset;
4870 else if (ANSWERSIG(rdataset))
4871 addedrdataset = asigrdataset;
4873 addedrdataset = NULL;
4874 if (CHAINING(rdataset)) {
4875 if (rdataset->type == dns_rdatatype_cname)
4876 eresult = DNS_R_CNAME;
4878 INSIST(rdataset->type ==
4879 dns_rdatatype_dname);
4880 eresult = DNS_R_DNAME;
4883 if (rdataset->trust == dns_trust_glue &&
4884 (rdataset->type == dns_rdatatype_ns ||
4885 (rdataset->type == dns_rdatatype_rrsig &&
4886 rdataset->covers == dns_rdatatype_ns))) {
4888 * If the trust level is 'dns_trust_glue'
4889 * then we are adding data from a referral
4890 * we got while executing the search algorithm.
4891 * New referral data always takes precedence
4892 * over the existing cache contents.
4894 options = DNS_DBADD_FORCE;
4898 if (ANSWER(rdataset) &&
4899 rdataset->type != dns_rdatatype_rrsig) {
4900 isc_result_t tresult;
4901 dns_name_t *noqname = NULL;
4902 tresult = findnoqname(fctx, name,
4903 rdataset->type, &noqname);
4904 if (tresult == ISC_R_SUCCESS &&
4906 tresult = dns_rdataset_addnoqname(
4908 RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
4913 * Now we can add the rdataset.
4915 result = dns_db_addrdataset(fctx->cache,
4921 if (result == DNS_R_UNCHANGED) {
4922 if (ANSWER(rdataset) &&
4923 ardataset != NULL &&
4924 NEGATIVE(ardataset)) {
4926 * The answer in the cache is better
4927 * than the answer we found, and is
4928 * a negative cache entry, so we
4929 * must set eresult appropriately.
4931 if (NXDOMAIN(ardataset))
4932 eresult = DNS_R_NCACHENXDOMAIN;
4934 eresult = DNS_R_NCACHENXRRSET;
4936 result = ISC_R_SUCCESS;
4937 } else if (result != ISC_R_SUCCESS)
4942 if (valrdataset != NULL)
4943 result = valcreate(fctx, addrinfo, name, fctx->type,
4944 valrdataset, valsigrdataset, valoptions,
4947 if (result == ISC_R_SUCCESS && have_answer) {
4948 fctx->attributes |= FCTX_ATTR_HAVEANSWER;
4949 if (event != NULL) {
4951 * Negative results must be indicated in event->result.
4953 if (dns_rdataset_isassociated(event->rdataset) &&
4954 NEGATIVE(event->rdataset)) {
4955 INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
4956 eresult == DNS_R_NCACHENXRRSET);
4958 event->result = eresult;
4959 if (adbp != NULL && *adbp != NULL) {
4960 if (anodep != NULL && *anodep != NULL)
4961 dns_db_detachnode(*adbp, anodep);
4962 dns_db_detach(adbp);
4964 dns_db_attach(fctx->cache, adbp);
4965 dns_db_transfernode(fctx->cache, &node, anodep);
4966 clone_results(fctx);
4971 dns_db_detachnode(fctx->cache, &node);
4976 static inline isc_result_t
4977 cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
4979 isc_result_t result;
4980 dns_section_t section;
4983 FCTXTRACE("cache_message");
4985 fctx->attributes &= ~FCTX_ATTR_WANTCACHE;
4987 LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
4989 for (section = DNS_SECTION_ANSWER;
4990 section <= DNS_SECTION_ADDITIONAL;
4992 result = dns_message_firstname(fctx->rmessage, section);
4993 while (result == ISC_R_SUCCESS) {
4995 dns_message_currentname(fctx->rmessage, section,
4997 if ((name->attributes & DNS_NAMEATTR_CACHE) != 0) {
4998 result = cache_name(fctx, name, addrinfo, now);
4999 if (result != ISC_R_SUCCESS)
5002 result = dns_message_nextname(fctx->rmessage, section);
5004 if (result != ISC_R_NOMORE)
5007 if (result == ISC_R_NOMORE)
5008 result = ISC_R_SUCCESS;
5010 UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
5016 * Do what dns_ncache_addoptout() does, and then compute an appropriate eresult.
5019 ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
5020 dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
5021 isc_boolean_t optout, isc_boolean_t secure,
5022 dns_rdataset_t *ardataset, isc_result_t *eresultp)
5024 isc_result_t result;
5025 dns_rdataset_t rdataset;
5027 if (ardataset == NULL) {
5028 dns_rdataset_init(&rdataset);
5029 ardataset = &rdataset;
5032 result = dns_ncache_addoptout(message, cache, node, covers,
5033 now, maxttl, optout, ardataset);
5035 result = dns_ncache_add(message, cache, node, covers, now,
5037 if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
5039 * If the cache now contains a negative entry and we
5040 * care about whether it is DNS_R_NCACHENXDOMAIN or
5041 * DNS_R_NCACHENXRRSET then extract it.
5043 if (NEGATIVE(ardataset)) {
5045 * The cache data is a negative cache entry.
5047 if (NXDOMAIN(ardataset))
5048 *eresultp = DNS_R_NCACHENXDOMAIN;
5050 *eresultp = DNS_R_NCACHENXRRSET;
5053 * Either we don't care about the nature of the
5054 * cache rdataset (because no fetch is interested
5055 * in the outcome), or the cache rdataset is not
5056 * a negative cache entry. Whichever case it is,
5057 * we can return success.
5059 * XXXRTH There's a CNAME/DNAME problem here.
5061 *eresultp = ISC_R_SUCCESS;
5063 result = ISC_R_SUCCESS;
5065 if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset))
5066 dns_rdataset_disassociate(ardataset);
5071 static inline isc_result_t
5072 ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
5073 dns_rdatatype_t covers, isc_stdtime_t now)
5075 isc_result_t result, eresult;
5077 dns_resolver_t *res;
5079 dns_dbnode_t *node, **anodep;
5080 dns_rdataset_t *ardataset;
5081 isc_boolean_t need_validation, secure_domain;
5083 dns_fetchevent_t *event;
5085 unsigned int valoptions = 0;
5087 FCTXTRACE("ncache_message");
5089 fctx->attributes &= ~FCTX_ATTR_WANTNCACHE;
5092 need_validation = ISC_FALSE;
5093 POST(need_validation);
5094 secure_domain = ISC_FALSE;
5095 eresult = ISC_R_SUCCESS;
5100 * XXXMPA remove when we follow cnames and adjust the setting
5101 * of FCTX_ATTR_WANTNCACHE in noanswer_response().
5103 INSIST(fctx->rmessage->counts[DNS_SECTION_ANSWER] == 0);
5106 * Is DNSSEC validation required for this name?
5108 if (fctx->res->view->enablevalidation) {
5109 result = dns_view_issecuredomain(res->view, name,
5111 if (result != ISC_R_SUCCESS)
5114 if (!secure_domain && res->view->dlv != NULL) {
5115 valoptions = DNS_VALIDATOR_DLV;
5116 secure_domain = ISC_TRUE;
5120 if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
5121 need_validation = ISC_FALSE;
5123 need_validation = secure_domain;
5125 if (secure_domain) {
5127 * Mark all rdatasets as pending.
5129 dns_rdataset_t *trdataset;
5132 result = dns_message_firstname(fctx->rmessage,
5133 DNS_SECTION_AUTHORITY);
5134 while (result == ISC_R_SUCCESS) {
5136 dns_message_currentname(fctx->rmessage,
5137 DNS_SECTION_AUTHORITY,
5139 for (trdataset = ISC_LIST_HEAD(tname->list);
5141 trdataset = ISC_LIST_NEXT(trdataset, link))
5142 trdataset->trust = dns_trust_pending_answer;
5143 result = dns_message_nextname(fctx->rmessage,
5144 DNS_SECTION_AUTHORITY);
5146 if (result != ISC_R_NOMORE)
5151 if (need_validation) {
5153 * Do negative response validation.
5155 result = valcreate(fctx, addrinfo, name, fctx->type,
5156 NULL, NULL, valoptions,
5157 res->buckets[fctx->bucketnum].task);
5159 * If validation is necessary, return now. Otherwise continue
5160 * to process the message, letting the validation complete
5161 * in its own good time.
5166 LOCK(&res->buckets[fctx->bucketnum].lock);
5172 if (!HAVE_ANSWER(fctx)) {
5173 event = ISC_LIST_HEAD(fctx->events);
5174 if (event != NULL) {
5176 aname = dns_fixedname_name(&event->foundname);
5177 result = dns_name_copy(name, aname, NULL);
5178 if (result != ISC_R_SUCCESS)
5180 anodep = &event->node;
5181 ardataset = event->rdataset;
5186 result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
5187 if (result != ISC_R_SUCCESS)
5191 * If we are asking for a SOA record set the cache time
5192 * to zero to facilitate locating the containing zone of
5195 ttl = fctx->res->view->maxncachettl;
5196 if (fctx->type == dns_rdatatype_soa &&
5197 covers == dns_rdatatype_any &&
5198 fctx->res->zero_no_soa_ttl)
5201 result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
5202 covers, now, ttl, ISC_FALSE,
5203 ISC_FALSE, ardataset, &eresult);
5204 if (result != ISC_R_SUCCESS)
5207 if (!HAVE_ANSWER(fctx)) {
5208 fctx->attributes |= FCTX_ATTR_HAVEANSWER;
5209 if (event != NULL) {
5210 event->result = eresult;
5211 if (adbp != NULL && *adbp != NULL) {
5212 if (anodep != NULL && *anodep != NULL)
5213 dns_db_detachnode(*adbp, anodep);
5214 dns_db_detach(adbp);
5216 dns_db_attach(fctx->cache, adbp);
5217 dns_db_transfernode(fctx->cache, &node, anodep);
5218 clone_results(fctx);
5223 UNLOCK(&res->buckets[fctx->bucketnum].lock);
5226 dns_db_detachnode(fctx->cache, &node);
5232 mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
5233 isc_boolean_t external, isc_boolean_t gluing)
5235 name->attributes |= DNS_NAMEATTR_CACHE;
5237 rdataset->trust = dns_trust_glue;
5239 * Glue with 0 TTL causes problems. We force the TTL to
5240 * 1 second to prevent this.
5242 if (rdataset->ttl == 0)
5245 rdataset->trust = dns_trust_additional;
5247 * Avoid infinite loops by only marking new rdatasets.
5249 if (!CACHE(rdataset)) {
5250 name->attributes |= DNS_NAMEATTR_CHASE;
5251 rdataset->attributes |= DNS_RDATASETATTR_CHASE;
5253 rdataset->attributes |= DNS_RDATASETATTR_CACHE;
5255 rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
5259 check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
5260 dns_section_t section)
5262 fetchctx_t *fctx = arg;
5263 isc_result_t result;
5265 dns_rdataset_t *rdataset;
5266 isc_boolean_t external;
5267 dns_rdatatype_t rtype;
5268 isc_boolean_t gluing;
5270 REQUIRE(VALID_FCTX(fctx));
5272 #if CHECK_FOR_GLUE_IN_ANSWER
5273 if (section == DNS_SECTION_ANSWER && type != dns_rdatatype_a)
5274 return (ISC_R_SUCCESS);
5283 result = dns_message_findname(fctx->rmessage, section, addname,
5284 dns_rdatatype_any, 0, &name, NULL);
5285 if (result == ISC_R_SUCCESS) {
5286 external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
5287 if (type == dns_rdatatype_a) {
5288 for (rdataset = ISC_LIST_HEAD(name->list);
5290 rdataset = ISC_LIST_NEXT(rdataset, link)) {
5291 if (rdataset->type == dns_rdatatype_rrsig)
5292 rtype = rdataset->covers;
5294 rtype = rdataset->type;
5295 if (rtype == dns_rdatatype_a ||
5296 rtype == dns_rdatatype_aaaa)
5297 mark_related(name, rdataset, external,
5301 result = dns_message_findtype(name, type, 0,
5303 if (result == ISC_R_SUCCESS) {
5304 mark_related(name, rdataset, external, gluing);
5306 * Do we have its SIG too?
5309 result = dns_message_findtype(name,
5310 dns_rdatatype_rrsig,
5312 if (result == ISC_R_SUCCESS)
5313 mark_related(name, rdataset, external,
5319 return (ISC_R_SUCCESS);
5323 check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
5324 return (check_section(arg, addname, type, DNS_SECTION_ADDITIONAL));
5327 #ifndef CHECK_FOR_GLUE_IN_ANSWER
5328 #define CHECK_FOR_GLUE_IN_ANSWER 0
5330 #if CHECK_FOR_GLUE_IN_ANSWER
5332 check_answer(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
5333 return (check_section(arg, addname, type, DNS_SECTION_ANSWER));
5338 chase_additional(fetchctx_t *fctx) {
5339 isc_boolean_t rescan;
5340 dns_section_t section = DNS_SECTION_ADDITIONAL;
5341 isc_result_t result;
5346 for (result = dns_message_firstname(fctx->rmessage, section);
5347 result == ISC_R_SUCCESS;
5348 result = dns_message_nextname(fctx->rmessage, section)) {
5349 dns_name_t *name = NULL;
5350 dns_rdataset_t *rdataset;
5351 dns_message_currentname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
5353 if ((name->attributes & DNS_NAMEATTR_CHASE) == 0)
5355 name->attributes &= ~DNS_NAMEATTR_CHASE;
5356 for (rdataset = ISC_LIST_HEAD(name->list);
5358 rdataset = ISC_LIST_NEXT(rdataset, link)) {
5359 if (CHASE(rdataset)) {
5360 rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
5361 (void)dns_rdataset_additionaldata(rdataset,
5372 static inline isc_result_t
5373 cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
5374 isc_result_t result;
5375 dns_rdata_t rdata = DNS_RDATA_INIT;
5376 dns_rdata_cname_t cname;
5378 result = dns_rdataset_first(rdataset);
5379 if (result != ISC_R_SUCCESS)
5381 dns_rdataset_current(rdataset, &rdata);
5382 result = dns_rdata_tostruct(&rdata, &cname, NULL);
5383 if (result != ISC_R_SUCCESS)
5385 dns_name_init(tname, NULL);
5386 dns_name_clone(&cname.cname, tname);
5387 dns_rdata_freestruct(&cname);
5389 return (ISC_R_SUCCESS);
5392 static inline isc_result_t
5393 dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
5394 unsigned int nlabels, dns_fixedname_t *fixeddname)
5396 isc_result_t result;
5397 dns_rdata_t rdata = DNS_RDATA_INIT;
5398 dns_rdata_dname_t dname;
5399 dns_fixedname_t prefix;
5402 * Get the target name of the DNAME.
5404 result = dns_rdataset_first(rdataset);
5405 if (result != ISC_R_SUCCESS)
5407 dns_rdataset_current(rdataset, &rdata);
5408 result = dns_rdata_tostruct(&rdata, &dname, NULL);
5409 if (result != ISC_R_SUCCESS)
5412 dns_fixedname_init(&prefix);
5413 dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
5414 dns_fixedname_init(fixeddname);
5415 result = dns_name_concatenate(dns_fixedname_name(&prefix),
5417 dns_fixedname_name(fixeddname), NULL);
5418 dns_rdata_freestruct(&dname);
5422 static isc_boolean_t
5423 is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
5424 dns_rdataset_t *rdataset)
5426 isc_result_t result;
5427 dns_rdata_t rdata = DNS_RDATA_INIT;
5429 struct in6_addr in6a;
5430 isc_netaddr_t netaddr;
5431 char addrbuf[ISC_NETADDR_FORMATSIZE];
5432 char namebuf[DNS_NAME_FORMATSIZE];
5437 /* By default, we allow any addresses. */
5438 if (view->denyansweracl == NULL)
5442 * If the owner name matches one in the exclusion list, either exactly
5443 * or partially, allow it.
5445 if (view->answeracl_exclude != NULL) {
5446 dns_rbtnode_t *node = NULL;
5448 result = dns_rbt_findnode(view->answeracl_exclude, name, NULL,
5449 &node, NULL, 0, NULL, NULL);
5451 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
5456 * Otherwise, search the filter list for a match for each address
5457 * record. If a match is found, the address should be filtered,
5458 * so should the entire answer.
5460 for (result = dns_rdataset_first(rdataset);
5461 result == ISC_R_SUCCESS;
5462 result = dns_rdataset_next(rdataset)) {
5463 dns_rdata_reset(&rdata);
5464 dns_rdataset_current(rdataset, &rdata);
5465 if (rdataset->type == dns_rdatatype_a) {
5466 INSIST(rdata.length == sizeof(ina.s_addr));
5467 memmove(&ina.s_addr, rdata.data, sizeof(ina.s_addr));
5468 isc_netaddr_fromin(&netaddr, &ina);
5470 INSIST(rdata.length == sizeof(in6a.s6_addr));
5471 memmove(in6a.s6_addr, rdata.data, sizeof(in6a.s6_addr));
5472 isc_netaddr_fromin6(&netaddr, &in6a);
5475 result = dns_acl_match(&netaddr, NULL, view->denyansweracl,
5476 &view->aclenv, &match, NULL);
5478 if (result == ISC_R_SUCCESS && match > 0) {
5479 isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
5480 dns_name_format(name, namebuf, sizeof(namebuf));
5481 dns_rdatatype_format(rdataset->type, typebuf,
5483 dns_rdataclass_format(rdataset->rdclass, classbuf,
5485 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
5486 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
5487 "answer address %s denied for %s/%s/%s",
5488 addrbuf, namebuf, typebuf, classbuf);
5496 static isc_boolean_t
5497 is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
5498 dns_rdatatype_t type, dns_name_t *tname,
5501 isc_result_t result;
5502 dns_rbtnode_t *node = NULL;
5503 char qnamebuf[DNS_NAME_FORMATSIZE];
5504 char tnamebuf[DNS_NAME_FORMATSIZE];
5508 /* By default, we allow any target name. */
5509 if (view->denyanswernames == NULL)
5513 * If the owner name matches one in the exclusion list, either exactly
5514 * or partially, allow it.
5516 if (view->answernames_exclude != NULL) {
5517 result = dns_rbt_findnode(view->answernames_exclude, name, NULL,
5518 &node, NULL, 0, NULL, NULL);
5519 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
5524 * If the target name is a subdomain of the search domain, allow it.
5526 if (dns_name_issubdomain(tname, domain))
5530 * Otherwise, apply filters.
5532 result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node,
5533 NULL, 0, NULL, NULL);
5534 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
5535 dns_name_format(name, qnamebuf, sizeof(qnamebuf));
5536 dns_name_format(tname, tnamebuf, sizeof(tnamebuf));
5537 dns_rdatatype_format(type, typebuf, sizeof(typebuf));
5538 dns_rdataclass_format(view->rdclass, classbuf,
5540 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
5541 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
5542 "%s target %s denied for %s/%s",
5543 typebuf, tnamebuf, qnamebuf, classbuf);
5551 trim_ns_ttl(fetchctx_t *fctx, dns_name_t *name, dns_rdataset_t *rdataset) {
5552 char ns_namebuf[DNS_NAME_FORMATSIZE];
5553 char namebuf[DNS_NAME_FORMATSIZE];
5554 char tbuf[DNS_RDATATYPE_FORMATSIZE];
5556 if (fctx->ns_ttl_ok && rdataset->ttl > fctx->ns_ttl) {
5557 dns_name_format(name, ns_namebuf, sizeof(ns_namebuf));
5558 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
5559 dns_rdatatype_format(fctx->type, tbuf, sizeof(tbuf));
5561 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
5562 DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(10),
5563 "fctx %p: trimming ttl of %s/NS for %s/%s: "
5564 "%u -> %u", fctx, ns_namebuf, namebuf, tbuf,
5565 rdataset->ttl, fctx->ns_ttl);
5566 rdataset->ttl = fctx->ns_ttl;
5571 * Handle a no-answer response (NXDOMAIN, NXRRSET, or referral).
5572 * If look_in_options has LOOK_FOR_NS_IN_ANSWER then we look in the answer
5573 * section for the NS RRset if the query type is NS; if it has
5574 * LOOK_FOR_GLUE_IN_ANSWER we look for glue incorrectly returned in the answer
5575 * section for A and AAAA queries.
5577 #define LOOK_FOR_NS_IN_ANSWER 0x1
5578 #define LOOK_FOR_GLUE_IN_ANSWER 0x2
5581 noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
5582 unsigned int look_in_options)
5584 isc_result_t result;
5585 dns_message_t *message;
5586 dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name, *save_name;
5587 dns_rdataset_t *rdataset, *ns_rdataset;
5588 isc_boolean_t aa, negative_response;
5589 dns_rdatatype_t type, save_type;
5590 dns_section_t section;
5592 FCTXTRACE("noanswer_response");
5594 if ((look_in_options & LOOK_FOR_NS_IN_ANSWER) != 0) {
5595 INSIST(fctx->type == dns_rdatatype_ns);
5596 section = DNS_SECTION_ANSWER;
5598 section = DNS_SECTION_AUTHORITY;
5600 message = fctx->rmessage;
5605 if (oqname == NULL) {
5607 * We have a normal, non-chained negative response or
5610 if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
5614 qname = &fctx->name;
5617 * We're being invoked by answer_response() after it has
5618 * followed a CNAME/DNAME chain.
5623 * If the current qname is not a subdomain of the query
5624 * domain, there's no point in looking at the authority
5625 * section without doing DNSSEC validation.
5627 * Until we do that validation, we'll just return success
5630 if (!dns_name_issubdomain(qname, &fctx->domain))
5631 return (ISC_R_SUCCESS);
5635 * We have to figure out if this is a negative response, or a
5640 * Sometimes we can tell if its a negative response by looking at
5641 * the message header.
5643 negative_response = ISC_FALSE;
5644 if (message->rcode == dns_rcode_nxdomain ||
5645 (message->counts[DNS_SECTION_ANSWER] == 0 &&
5646 message->counts[DNS_SECTION_AUTHORITY] == 0))
5647 negative_response = ISC_TRUE;
5650 * Process the authority section.
5657 save_type = dns_rdatatype_none;
5658 result = dns_message_firstname(message, section);
5659 while (result == ISC_R_SUCCESS) {
5661 dns_message_currentname(message, section, &name);
5662 if (dns_name_issubdomain(name, &fctx->domain)) {
5664 * Look for NS/SOA RRsets first.
5666 for (rdataset = ISC_LIST_HEAD(name->list);
5668 rdataset = ISC_LIST_NEXT(rdataset, link)) {
5669 type = rdataset->type;
5670 if (type == dns_rdatatype_rrsig)
5671 type = rdataset->covers;
5672 if (((type == dns_rdatatype_ns ||
5673 type == dns_rdatatype_soa) &&
5674 !dns_name_issubdomain(qname, name))) {
5675 char qbuf[DNS_NAME_FORMATSIZE];
5676 char nbuf[DNS_NAME_FORMATSIZE];
5677 char tbuf[DNS_RDATATYPE_FORMATSIZE];
5678 dns_rdatatype_format(fctx->type, tbuf,
5680 dns_name_format(name, nbuf,
5682 dns_name_format(qname, qbuf,
5685 "unrelated %s %s in "
5686 "%s authority section",
5688 return (DNS_R_FORMERR);
5690 if (type == dns_rdatatype_ns) {
5694 * Only one set of NS RRs is allowed.
5696 if (rdataset->type ==
5698 if (ns_name != NULL &&
5705 return (DNS_R_FORMERR);
5708 ns_rdataset = rdataset;
5712 rdataset->attributes |=
5713 DNS_RDATASETATTR_CACHE;
5714 rdataset->trust = dns_trust_glue;
5716 if (type == dns_rdatatype_soa) {
5718 * SOA, or RRSIG SOA.
5720 * Only one SOA is allowed.
5722 if (rdataset->type ==
5723 dns_rdatatype_soa) {
5724 if (soa_name != NULL &&
5731 return (DNS_R_FORMERR);
5736 DNS_NAMEATTR_NCACHE;
5737 rdataset->attributes |=
5738 DNS_RDATASETATTR_NCACHE;
5741 dns_trust_authauthority;
5742 else if (ISFORWARDER(fctx->addrinfo))
5747 dns_trust_additional;
5751 result = dns_message_nextname(message, section);
5752 if (result == ISC_R_NOMORE)
5754 else if (result != ISC_R_SUCCESS)
5758 log_ns_ttl(fctx, "noanswer_response");
5760 if (ns_rdataset != NULL && dns_name_equal(&fctx->domain, ns_name) &&
5761 !dns_name_equal(ns_name, dns_rootname))
5762 trim_ns_ttl(fctx, ns_name, ns_rdataset);
5765 * A negative response has a SOA record (Type 2)
5766 * and a optional NS RRset (Type 1) or it has neither
5767 * a SOA or a NS RRset (Type 3, handled above) or
5768 * rcode is NXDOMAIN (handled above) in which case
5769 * the NS RRset is allowed (Type 4).
5771 if (soa_name != NULL)
5772 negative_response = ISC_TRUE;
5774 result = dns_message_firstname(message, section);
5775 while (result == ISC_R_SUCCESS) {
5777 dns_message_currentname(message, section, &name);
5778 if (dns_name_issubdomain(name, &fctx->domain)) {
5779 for (rdataset = ISC_LIST_HEAD(name->list);
5781 rdataset = ISC_LIST_NEXT(rdataset, link)) {
5782 type = rdataset->type;
5783 if (type == dns_rdatatype_rrsig)
5784 type = rdataset->covers;
5785 if (type == dns_rdatatype_nsec ||
5786 type == dns_rdatatype_nsec3) {
5788 * NSEC or RRSIG NSEC.
5790 if (negative_response) {
5792 DNS_NAMEATTR_NCACHE;
5793 rdataset->attributes |=
5794 DNS_RDATASETATTR_NCACHE;
5795 } else if (type == dns_rdatatype_nsec) {
5798 rdataset->attributes |=
5799 DNS_RDATASETATTR_CACHE;
5803 dns_trust_authauthority;
5804 else if (ISFORWARDER(fctx->addrinfo))
5809 dns_trust_additional;
5811 * No additional data needs to be
5814 } else if (type == dns_rdatatype_ds) {
5818 * These should only be here if
5819 * this is a referral, and there
5820 * should only be one DS RRset.
5822 if (ns_name == NULL) {
5826 return (DNS_R_FORMERR);
5828 if (rdataset->type ==
5830 if (ds_name != NULL &&
5837 return (DNS_R_FORMERR);
5843 rdataset->attributes |=
5844 DNS_RDATASETATTR_CACHE;
5847 dns_trust_authauthority;
5848 else if (ISFORWARDER(fctx->addrinfo))
5853 dns_trust_additional;
5858 save_type = ISC_LIST_HEAD(name->list)->type;
5860 result = dns_message_nextname(message, section);
5861 if (result == ISC_R_NOMORE)
5863 else if (result != ISC_R_SUCCESS)
5868 * Trigger lookups for DNS nameservers.
5870 if (negative_response && message->rcode == dns_rcode_noerror &&
5871 fctx->type == dns_rdatatype_ds && soa_name != NULL &&
5872 dns_name_equal(soa_name, qname) &&
5873 !dns_name_equal(qname, dns_rootname))
5874 return (DNS_R_CHASEDSSERVERS);
5877 * Did we find anything?
5879 if (!negative_response && ns_name == NULL) {
5883 if (oqname != NULL) {
5885 * We've already got a partial CNAME/DNAME chain,
5886 * and haven't found else anything useful here, but
5887 * no error has occurred since we have an answer.
5889 return (ISC_R_SUCCESS);
5892 * The responder is insane.
5894 if (save_name == NULL) {
5895 log_formerr(fctx, "invalid response");
5896 return (DNS_R_FORMERR);
5898 if (!dns_name_issubdomain(save_name, &fctx->domain)) {
5899 char nbuf[DNS_NAME_FORMATSIZE];
5900 char dbuf[DNS_NAME_FORMATSIZE];
5901 char tbuf[DNS_RDATATYPE_FORMATSIZE];
5903 dns_rdatatype_format(save_type, tbuf,
5905 dns_name_format(save_name, nbuf, sizeof(nbuf));
5906 dns_name_format(&fctx->domain, dbuf,
5909 log_formerr(fctx, "Name %s (%s) not subdomain"
5910 " of zone %s -- invalid response",
5913 log_formerr(fctx, "invalid response");
5915 return (DNS_R_FORMERR);
5920 * If we found both NS and SOA, they should be the same name.
5922 if (ns_name != NULL && soa_name != NULL && ns_name != soa_name) {
5923 log_formerr(fctx, "NS/SOA mismatch");
5924 return (DNS_R_FORMERR);
5928 * Do we have a referral? (We only want to follow a referral if
5929 * we're not following a chain.)
5931 if (!negative_response && ns_name != NULL && oqname == NULL) {
5933 * We already know ns_name is a subdomain of fctx->domain.
5934 * If ns_name is equal to fctx->domain, we're not making
5935 * progress. We return DNS_R_FORMERR so that we'll keep
5936 * trying other servers.
5938 if (dns_name_equal(ns_name, &fctx->domain)) {
5939 log_formerr(fctx, "non-improving referral");
5940 return (DNS_R_FORMERR);
5944 * If the referral name is not a parent of the query
5945 * name, consider the responder insane.
5947 if (! dns_name_issubdomain(&fctx->name, ns_name)) {
5949 log_formerr(fctx, "referral to non-parent");
5950 FCTXTRACE("referral to non-parent");
5951 return (DNS_R_FORMERR);
5955 * Mark any additional data related to this rdataset.
5956 * It's important that we do this before we change the
5959 INSIST(ns_rdataset != NULL);
5960 fctx->attributes |= FCTX_ATTR_GLUING;
5961 (void)dns_rdataset_additionaldata(ns_rdataset, check_related,
5963 #if CHECK_FOR_GLUE_IN_ANSWER
5965 * Look in the answer section for "glue" that is incorrectly
5966 * returned as a answer. This is needed if the server also
5967 * minimizes the response size by not adding records to the
5968 * additional section that are in the answer section or if
5969 * the record gets dropped due to message size constraints.
5971 if ((look_in_options & LOOK_FOR_GLUE_IN_ANSWER) != 0 &&
5972 (fctx->type == dns_rdatatype_aaaa ||
5973 fctx->type == dns_rdatatype_a))
5974 (void)dns_rdataset_additionaldata(ns_rdataset,
5975 check_answer, fctx);
5977 fctx->attributes &= ~FCTX_ATTR_GLUING;
5979 * NS rdatasets with 0 TTL cause problems.
5980 * dns_view_findzonecut() will not find them when we
5981 * try to follow the referral, and we'll SERVFAIL
5982 * because the best nameservers are now above QDOMAIN.
5983 * We force the TTL to 1 second to prevent this.
5985 if (ns_rdataset->ttl == 0)
5986 ns_rdataset->ttl = 1;
5988 * Set the current query domain to the referral name.
5990 * XXXRTH We should check if we're in forward-only mode, and
5991 * if so we should bail out.
5993 INSIST(dns_name_countlabels(&fctx->domain) > 0);
5994 dns_name_free(&fctx->domain, fctx->mctx);
5995 if (dns_rdataset_isassociated(&fctx->nameservers))
5996 dns_rdataset_disassociate(&fctx->nameservers);
5997 dns_name_init(&fctx->domain, NULL);
5998 result = dns_name_dup(ns_name, fctx->mctx, &fctx->domain);
5999 if (result != ISC_R_SUCCESS)
6001 fctx->attributes |= FCTX_ATTR_WANTCACHE;
6002 fctx->ns_ttl_ok = ISC_FALSE;
6003 log_ns_ttl(fctx, "DELEGATION");
6004 return (DNS_R_DELEGATION);
6008 * Since we're not doing a referral, we don't want to cache any
6009 * NS RRs we may have found.
6011 if (ns_name != NULL)
6012 ns_name->attributes &= ~DNS_NAMEATTR_CACHE;
6014 if (negative_response && oqname == NULL)
6015 fctx->attributes |= FCTX_ATTR_WANTNCACHE;
6017 return (ISC_R_SUCCESS);
6021 answer_response(fetchctx_t *fctx) {
6022 isc_result_t result;
6023 dns_message_t *message;
6024 dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
6025 dns_name_t *cname = NULL;
6026 dns_rdataset_t *rdataset, *ns_rdataset;
6027 isc_boolean_t done, external, chaining, aa, found, want_chaining;
6028 isc_boolean_t have_answer, found_cname, found_dname, found_type;
6029 isc_boolean_t wanted_chaining;
6031 dns_rdatatype_t type;
6032 dns_fixedname_t fdname, fqname, fqdname;
6035 FCTXTRACE("answer_response");
6037 message = fctx->rmessage;
6040 * Examine the answer section, marking those rdatasets which are
6041 * part of the answer and should be cached.
6045 found_cname = ISC_FALSE;
6046 found_dname = ISC_FALSE;
6047 found_type = ISC_FALSE;
6048 chaining = ISC_FALSE;
6049 have_answer = ISC_FALSE;
6050 want_chaining = ISC_FALSE;
6051 POST(want_chaining);
6052 if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
6056 dqname = qname = &fctx->name;
6058 view = fctx->res->view;
6059 dns_fixedname_init(&fqdname);
6060 result = dns_message_firstname(message, DNS_SECTION_ANSWER);
6061 while (!done && result == ISC_R_SUCCESS) {
6062 dns_namereln_t namereln, dnamereln;
6064 unsigned int nlabels;
6067 dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
6068 external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
6069 namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
6070 dnamereln = dns_name_fullcompare(dqname, name, &order,
6072 if (namereln == dns_namereln_equal) {
6073 wanted_chaining = ISC_FALSE;
6074 for (rdataset = ISC_LIST_HEAD(name->list);
6076 rdataset = ISC_LIST_NEXT(rdataset, link)) {
6078 want_chaining = ISC_FALSE;
6080 if (rdataset->type == dns_rdatatype_nsec3) {
6082 * NSEC3 records are not allowed to
6083 * appear in the answer section.
6085 log_formerr(fctx, "NSEC3 in answer");
6086 return (DNS_R_FORMERR);
6090 * Apply filters, if given, on answers to reject
6091 * a malicious attempt of rebinding.
6093 if ((rdataset->type == dns_rdatatype_a ||
6094 rdataset->type == dns_rdatatype_aaaa) &&
6095 !is_answeraddress_allowed(view, name,
6097 return (DNS_R_SERVFAIL);
6100 if (rdataset->type == type && !found_cname) {
6102 * We've found an ordinary answer.
6105 found_type = ISC_TRUE;
6107 aflag = DNS_RDATASETATTR_ANSWER;
6108 } else if (type == dns_rdatatype_any) {
6110 * We've found an answer matching
6111 * an ANY query. There may be
6115 aflag = DNS_RDATASETATTR_ANSWER;
6116 } else if (rdataset->type == dns_rdatatype_rrsig
6117 && rdataset->covers == type
6120 * We've found a signature that
6121 * covers the type we're looking for.
6124 found_type = ISC_TRUE;
6125 aflag = DNS_RDATASETATTR_ANSWERSIG;
6126 } else if (rdataset->type ==
6130 * We're looking for something else,
6131 * but we found a CNAME.
6133 * Getting a CNAME response for some
6134 * query types is an error, see
6135 * RFC 4035, Section 2.5.
6137 if (type == dns_rdatatype_rrsig ||
6138 type == dns_rdatatype_key ||
6139 type == dns_rdatatype_nsec) {
6140 char buf[DNS_RDATATYPE_FORMATSIZE];
6141 dns_rdatatype_format(fctx->type,
6146 return (DNS_R_FORMERR);
6149 found_cname = ISC_TRUE;
6150 want_chaining = ISC_TRUE;
6151 aflag = DNS_RDATASETATTR_ANSWER;
6152 result = cname_target(rdataset,
6154 if (result != ISC_R_SUCCESS)
6156 /* Apply filters on the target name. */
6157 if (!is_answertarget_allowed(view,
6162 return (DNS_R_SERVFAIL);
6164 } else if (rdataset->type == dns_rdatatype_rrsig
6165 && rdataset->covers ==
6169 * We're looking for something else,
6170 * but we found a SIG CNAME.
6173 found_cname = ISC_TRUE;
6174 aflag = DNS_RDATASETATTR_ANSWERSIG;
6179 * We've found an answer to our
6184 rdataset->attributes |=
6185 DNS_RDATASETATTR_CACHE;
6186 rdataset->trust = dns_trust_answer;
6189 * This data is "the" answer
6190 * to our question only if
6191 * we're not chaining (i.e.
6192 * if we haven't followed
6193 * a CNAME or DNAME).
6196 if ((rdataset->type !=
6197 dns_rdatatype_cname) ||
6200 DNS_RDATASETATTR_ANSWER))
6202 have_answer = ISC_TRUE;
6203 if (rdataset->type ==
6204 dns_rdatatype_cname)
6207 DNS_NAMEATTR_ANSWER;
6209 rdataset->attributes |= aflag;
6212 dns_trust_authanswer;
6213 } else if (external) {
6215 * This data is outside of
6216 * our query domain, and
6217 * may not be cached.
6219 rdataset->attributes |=
6220 DNS_RDATASETATTR_EXTERNAL;
6224 * Mark any additional data related
6227 (void)dns_rdataset_additionaldata(
6235 if (want_chaining) {
6236 wanted_chaining = ISC_TRUE;
6238 DNS_NAMEATTR_CHAINING;
6239 rdataset->attributes |=
6240 DNS_RDATASETATTR_CHAINING;
6245 * We could add an "else" clause here and
6246 * log that we're ignoring this rdataset.
6250 * If wanted_chaining is true, we've done
6251 * some chaining as the result of processing
6252 * this node, and thus we need to set
6255 * We don't set chaining inside of the
6256 * rdataset loop because doing that would
6257 * cause us to ignore the signatures of
6260 if (wanted_chaining)
6261 chaining = ISC_TRUE;
6263 dns_rdataset_t *dnameset = NULL;
6266 * Look for a DNAME (or its SIG). Anything else is
6269 wanted_chaining = ISC_FALSE;
6270 for (rdataset = ISC_LIST_HEAD(name->list);
6272 rdataset = ISC_LIST_NEXT(rdataset, link))
6275 * Only pass DNAME or RRSIG(DNAME).
6277 if (rdataset->type != dns_rdatatype_dname &&
6278 (rdataset->type != dns_rdatatype_rrsig ||
6279 rdataset->covers != dns_rdatatype_dname))
6283 * If we're not chaining, then the DNAME and
6284 * its signature should not be external.
6286 if (!chaining && external) {
6287 char qbuf[DNS_NAME_FORMATSIZE];
6288 char obuf[DNS_NAME_FORMATSIZE];
6290 dns_name_format(name, qbuf,
6292 dns_name_format(&fctx->domain, obuf,
6294 log_formerr(fctx, "external DNAME or "
6295 "RRSIG covering DNAME "
6297 "not in %s", qbuf, obuf);
6298 return (DNS_R_FORMERR);
6301 if (dnamereln != dns_namereln_subdomain) {
6302 char qbuf[DNS_NAME_FORMATSIZE];
6303 char obuf[DNS_NAME_FORMATSIZE];
6305 dns_name_format(dqname, qbuf,
6307 dns_name_format(name, obuf,
6309 log_formerr(fctx, "unrelated DNAME "
6311 "not in %s", qbuf, obuf);
6312 return (DNS_R_FORMERR);
6316 if (rdataset->type == dns_rdatatype_dname) {
6317 want_chaining = ISC_TRUE;
6318 POST(want_chaining);
6319 aflag = DNS_RDATASETATTR_ANSWER;
6320 result = dname_target(rdataset, dqname,
6322 if (result == ISC_R_NOSPACE) {
6324 * We can't construct the
6325 * DNAME target. Do not
6328 want_chaining = ISC_FALSE;
6329 POST(want_chaining);
6330 } else if (result != ISC_R_SUCCESS)
6333 dnameset = rdataset;
6335 dname = dns_fixedname_name(&fdname);
6336 if (!is_answertarget_allowed(view,
6337 dqname, rdataset->type,
6338 dname, &fctx->domain))
6340 return (DNS_R_SERVFAIL);
6342 dqname = dns_fixedname_name(&fqdname);
6343 dns_name_copy(dname, dqname, NULL);
6346 * We've found a signature that
6349 aflag = DNS_RDATASETATTR_ANSWERSIG;
6353 * We've found an answer to our
6356 name->attributes |= DNS_NAMEATTR_CACHE;
6357 rdataset->attributes |= DNS_RDATASETATTR_CACHE;
6358 rdataset->trust = dns_trust_answer;
6361 * This data is "the" answer to
6362 * our question only if we're
6366 if (aflag == DNS_RDATASETATTR_ANSWER) {
6367 have_answer = ISC_TRUE;
6368 found_dname = ISC_TRUE;
6370 cname->attributes &=
6371 ~DNS_NAMEATTR_ANSWER;
6373 DNS_NAMEATTR_ANSWER;
6375 rdataset->attributes |= aflag;
6378 dns_trust_authanswer;
6379 } else if (external) {
6380 rdataset->attributes |=
6381 DNS_RDATASETATTR_EXTERNAL;
6388 if (dnameset != NULL) {
6390 * Copy the dname into the qname fixed name.
6392 * Although we check for failure of the copy
6393 * operation, in practice it should never fail
6394 * since we already know that the result fits
6397 dns_fixedname_init(&fqname);
6398 qname = dns_fixedname_name(&fqname);
6399 result = dns_name_copy(dname, qname, NULL);
6400 if (result != ISC_R_SUCCESS)
6402 wanted_chaining = ISC_TRUE;
6403 name->attributes |= DNS_NAMEATTR_CHAINING;
6404 dnameset->attributes |=
6405 DNS_RDATASETATTR_CHAINING;
6407 if (wanted_chaining)
6408 chaining = ISC_TRUE;
6410 result = dns_message_nextname(message, DNS_SECTION_ANSWER);
6412 if (result == ISC_R_NOMORE)
6413 result = ISC_R_SUCCESS;
6414 if (result != ISC_R_SUCCESS)
6418 * We should have found an answer.
6421 log_formerr(fctx, "reply has no answer");
6422 return (DNS_R_FORMERR);
6426 * This response is now potentially cacheable.
6428 fctx->attributes |= FCTX_ATTR_WANTCACHE;
6431 * Did chaining end before we got the final answer?
6435 * Yes. This may be a negative reply, so hand off
6436 * authority section processing to the noanswer code.
6437 * If it isn't a noanswer response, no harm will be
6440 return (noanswer_response(fctx, qname, 0));
6444 * We didn't end with an incomplete chain, so the rcode should be
6447 if (message->rcode != dns_rcode_noerror) {
6448 log_formerr(fctx, "CNAME/DNAME chain complete, but RCODE "
6450 return (DNS_R_FORMERR);
6454 * Examine the authority section (if there is one).
6456 * We expect there to be only one owner name for all the rdatasets
6457 * in this section, and we expect that it is not external.
6462 result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
6463 while (!done && result == ISC_R_SUCCESS) {
6465 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
6466 external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
6469 * We expect to find NS or SIG NS rdatasets, and
6472 for (rdataset = ISC_LIST_HEAD(name->list);
6474 rdataset = ISC_LIST_NEXT(rdataset, link)) {
6475 if (rdataset->type == dns_rdatatype_ns ||
6476 (rdataset->type == dns_rdatatype_rrsig &&
6477 rdataset->covers == dns_rdatatype_ns)) {
6480 rdataset->attributes |=
6481 DNS_RDATASETATTR_CACHE;
6482 if (aa && !chaining)
6484 dns_trust_authauthority;
6487 dns_trust_additional;
6489 if (rdataset->type == dns_rdatatype_ns) {
6491 ns_rdataset = rdataset;
6494 * Mark any additional data related
6497 (void)dns_rdataset_additionaldata(
6505 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
6507 if (result == ISC_R_NOMORE)
6508 result = ISC_R_SUCCESS;
6510 log_ns_ttl(fctx, "answer_response");
6512 if (ns_rdataset != NULL && dns_name_equal(&fctx->domain, ns_name) &&
6513 !dns_name_equal(ns_name, dns_rootname))
6514 trim_ns_ttl(fctx, ns_name, ns_rdataset);
6519 static isc_boolean_t
6520 fctx_decreference(fetchctx_t *fctx) {
6521 isc_boolean_t bucket_empty = ISC_FALSE;
6523 INSIST(fctx->references > 0);
6525 if (fctx->references == 0) {
6527 * No one cares about the result of this fetch anymore.
6529 if (fctx->pending == 0 && fctx->nqueries == 0 &&
6530 ISC_LIST_EMPTY(fctx->validators) && SHUTTINGDOWN(fctx)) {
6532 * This fctx is already shutdown; we were just
6533 * waiting for the last reference to go away.
6535 bucket_empty = fctx_unlink(fctx);
6539 * Initiate shutdown.
6541 fctx_shutdown(fctx);
6544 return (bucket_empty);
6548 resume_dslookup(isc_task_t *task, isc_event_t *event) {
6549 dns_fetchevent_t *fevent;
6550 dns_resolver_t *res;
6552 isc_result_t result;
6553 isc_boolean_t bucket_empty;
6554 isc_boolean_t locked = ISC_FALSE;
6555 unsigned int bucketnum;
6556 dns_rdataset_t nameservers;
6557 dns_fixedname_t fixed;
6560 REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
6561 fevent = (dns_fetchevent_t *)event;
6562 fctx = event->ev_arg;
6563 REQUIRE(VALID_FCTX(fctx));
6567 FCTXTRACE("resume_dslookup");
6569 if (fevent->node != NULL)
6570 dns_db_detachnode(fevent->db, &fevent->node);
6571 if (fevent->db != NULL)
6572 dns_db_detach(&fevent->db);
6574 dns_rdataset_init(&nameservers);
6576 bucketnum = fctx->bucketnum;
6577 if (fevent->result == ISC_R_CANCELED) {
6578 dns_resolver_destroyfetch(&fctx->nsfetch);
6579 fctx_done(fctx, ISC_R_CANCELED, __LINE__);
6580 } else if (fevent->result == ISC_R_SUCCESS) {
6582 FCTXTRACE("resuming DS lookup");
6584 dns_resolver_destroyfetch(&fctx->nsfetch);
6585 if (dns_rdataset_isassociated(&fctx->nameservers))
6586 dns_rdataset_disassociate(&fctx->nameservers);
6587 dns_rdataset_clone(fevent->rdataset, &fctx->nameservers);
6588 fctx->ns_ttl = fctx->nameservers.ttl;
6589 fctx->ns_ttl_ok = ISC_TRUE;
6590 log_ns_ttl(fctx, "resume_dslookup");
6591 dns_name_free(&fctx->domain, fctx->mctx);
6592 dns_name_init(&fctx->domain, NULL);
6593 result = dns_name_dup(&fctx->nsname, fctx->mctx, &fctx->domain);
6594 if (result != ISC_R_SUCCESS) {
6595 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
6601 fctx_try(fctx, ISC_TRUE, ISC_FALSE);
6604 dns_rdataset_t *nsrdataset = NULL;
6607 * Retrieve state from fctx->nsfetch before we destroy it.
6609 dns_fixedname_init(&fixed);
6610 domain = dns_fixedname_name(&fixed);
6611 dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL);
6612 if (dns_name_equal(&fctx->nsname, domain)) {
6613 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
6614 dns_resolver_destroyfetch(&fctx->nsfetch);
6617 if (dns_rdataset_isassociated(
6618 &fctx->nsfetch->private->nameservers)) {
6620 &fctx->nsfetch->private->nameservers,
6622 nsrdataset = &nameservers;
6625 dns_resolver_destroyfetch(&fctx->nsfetch);
6626 n = dns_name_countlabels(&fctx->nsname);
6627 dns_name_getlabelsequence(&fctx->nsname, 1, n - 1,
6630 if (dns_rdataset_isassociated(fevent->rdataset))
6631 dns_rdataset_disassociate(fevent->rdataset);
6632 FCTXTRACE("continuing to look for parent's NS records");
6633 result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
6634 dns_rdatatype_ns, domain,
6635 nsrdataset, NULL, 0, task,
6636 resume_dslookup, fctx,
6637 &fctx->nsrrset, NULL,
6639 if (result != ISC_R_SUCCESS)
6640 fctx_done(fctx, result, __LINE__);
6642 LOCK(&res->buckets[bucketnum].lock);
6649 if (dns_rdataset_isassociated(&nameservers))
6650 dns_rdataset_disassociate(&nameservers);
6651 if (dns_rdataset_isassociated(fevent->rdataset))
6652 dns_rdataset_disassociate(fevent->rdataset);
6653 INSIST(fevent->sigrdataset == NULL);
6654 isc_event_free(&event);
6656 LOCK(&res->buckets[bucketnum].lock);
6657 bucket_empty = fctx_decreference(fctx);
6658 UNLOCK(&res->buckets[bucketnum].lock);
6664 checknamessection(dns_message_t *message, dns_section_t section) {
6665 isc_result_t result;
6667 dns_rdata_t rdata = DNS_RDATA_INIT;
6668 dns_rdataset_t *rdataset;
6670 for (result = dns_message_firstname(message, section);
6671 result == ISC_R_SUCCESS;
6672 result = dns_message_nextname(message, section))
6675 dns_message_currentname(message, section, &name);
6676 for (rdataset = ISC_LIST_HEAD(name->list);
6678 rdataset = ISC_LIST_NEXT(rdataset, link)) {
6679 for (result = dns_rdataset_first(rdataset);
6680 result == ISC_R_SUCCESS;
6681 result = dns_rdataset_next(rdataset)) {
6682 dns_rdataset_current(rdataset, &rdata);
6683 if (!dns_rdata_checkowner(name, rdata.rdclass,
6686 !dns_rdata_checknames(&rdata, name, NULL))
6688 rdataset->attributes |=
6689 DNS_RDATASETATTR_CHECKNAMES;
6691 dns_rdata_reset(&rdata);
6698 checknames(dns_message_t *message) {
6700 checknamessection(message, DNS_SECTION_ANSWER);
6701 checknamessection(message, DNS_SECTION_AUTHORITY);
6702 checknamessection(message, DNS_SECTION_ADDITIONAL);
6706 * Log server NSID at log level 'level'
6709 log_nsid(isc_buffer_t *opt, size_t nsid_len, resquery_t *query,
6710 int level, isc_mem_t *mctx)
6712 static const char hex[17] = "0123456789abcdef";
6713 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
6714 isc_uint16_t buflen, i;
6715 unsigned char *p, *buf, *nsid;
6717 /* Allocate buffer for storing hex version of the NSID */
6718 buflen = (isc_uint16_t)nsid_len * 2 + 1;
6719 buf = isc_mem_get(mctx, buflen);
6723 /* Convert to hex */
6725 nsid = isc_buffer_current(opt);
6726 for (i = 0; i < nsid_len; i++) {
6727 *p++ = hex[(nsid[0] >> 4) & 0xf];
6728 *p++ = hex[nsid[0] & 0xf];
6733 isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
6735 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
6736 DNS_LOGMODULE_RESOLVER, level,
6737 "received NSID '%s' from %s", buf, addrbuf);
6740 isc_mem_put(mctx, buf, buflen);
6745 log_packet(dns_message_t *message, int level, isc_mem_t *mctx) {
6746 isc_buffer_t buffer;
6749 isc_result_t result;
6751 if (! isc_log_wouldlog(dns_lctx, level))
6755 * Note that these are multiline debug messages. We want a newline
6756 * to appear in the log after each message.
6760 buf = isc_mem_get(mctx, len);
6763 isc_buffer_init(&buffer, buf, len);
6764 result = dns_message_totext(message, &dns_master_style_debug,
6766 if (result == ISC_R_NOSPACE) {
6767 isc_mem_put(mctx, buf, len);
6769 } else if (result == ISC_R_SUCCESS)
6770 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
6771 DNS_LOGMODULE_RESOLVER, level,
6772 "received packet:\n%.*s",
6773 (int)isc_buffer_usedlength(&buffer),
6775 } while (result == ISC_R_NOSPACE);
6778 isc_mem_put(mctx, buf, len);
6781 static isc_boolean_t
6782 iscname(fetchctx_t *fctx) {
6783 isc_result_t result;
6785 result = dns_message_findname(fctx->rmessage, DNS_SECTION_ANSWER,
6786 &fctx->name, dns_rdatatype_cname, 0,
6788 return (result == ISC_R_SUCCESS ? ISC_TRUE : ISC_FALSE);
6791 static isc_boolean_t
6792 betterreferral(fetchctx_t *fctx) {
6793 isc_result_t result;
6795 dns_rdataset_t *rdataset;
6796 dns_message_t *message = fctx->rmessage;
6798 for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
6799 result == ISC_R_SUCCESS;
6800 result = dns_message_nextname(message, DNS_SECTION_AUTHORITY)) {
6802 dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
6803 if (!isstrictsubdomain(name, &fctx->domain))
6805 for (rdataset = ISC_LIST_HEAD(name->list);
6807 rdataset = ISC_LIST_NEXT(rdataset, link))
6808 if (rdataset->type == dns_rdatatype_ns)
6815 process_opt(resquery_t *query, dns_rdataset_t *opt) {
6817 isc_buffer_t optbuf;
6818 isc_result_t result;
6819 isc_uint16_t optcode;
6820 isc_uint16_t optlen;
6822 result = dns_rdataset_first(opt);
6823 if (result == ISC_R_SUCCESS) {
6824 dns_rdata_init(&rdata);
6825 dns_rdataset_current(opt, &rdata);
6826 isc_buffer_init(&optbuf, rdata.data, rdata.length);
6827 isc_buffer_add(&optbuf, rdata.length);
6828 while (isc_buffer_remaininglength(&optbuf) >= 4) {
6829 optcode = isc_buffer_getuint16(&optbuf);
6830 optlen = isc_buffer_getuint16(&optbuf);
6831 INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
6834 if (query->options & DNS_FETCHOPT_WANTNSID)
6835 log_nsid(&optbuf, optlen, query,
6837 query->fctx->res->mctx);
6838 isc_buffer_forward(&optbuf, optlen);
6841 isc_buffer_forward(&optbuf, optlen);
6845 INSIST(isc_buffer_remaininglength(&optbuf) == 0U);
6850 resquery_response(isc_task_t *task, isc_event_t *event) {
6851 isc_result_t result = ISC_R_SUCCESS;
6852 resquery_t *query = event->ev_arg;
6853 dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
6854 isc_boolean_t keep_trying, get_nameservers, resend;
6855 isc_boolean_t truncated;
6856 dns_message_t *message;
6857 dns_rdataset_t *opt;
6860 dns_fixedname_t foundname;
6862 isc_time_t tnow, *finish;
6863 dns_adbaddrinfo_t *addrinfo;
6864 unsigned int options;
6865 unsigned int findoptions;
6866 isc_result_t broken_server;
6867 badnstype_t broken_type = badns_response;
6868 isc_boolean_t no_response;
6870 REQUIRE(VALID_QUERY(query));
6872 options = query->options;
6873 REQUIRE(VALID_FCTX(fctx));
6874 REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
6878 if (isc_sockaddr_pf(&query->addrinfo->sockaddr) == PF_INET)
6879 inc_stats(fctx->res, dns_resstatscounter_responsev4);
6881 inc_stats(fctx->res, dns_resstatscounter_responsev6);
6883 (void)isc_timer_touch(fctx->timer);
6885 keep_trying = ISC_FALSE;
6886 broken_server = ISC_R_SUCCESS;
6887 get_nameservers = ISC_FALSE;
6889 truncated = ISC_FALSE;
6891 no_response = ISC_FALSE;
6893 if (fctx->res->exiting) {
6894 result = ISC_R_SHUTTINGDOWN;
6899 fctx->timeout = ISC_FALSE;
6900 fctx->addrinfo = query->addrinfo;
6903 * XXXRTH We should really get the current time just once. We
6904 * need a routine to convert from an isc_time_t to an
6909 isc_stdtime_get(&now);
6912 * Did the dispatcher have a problem?
6914 if (devent->result != ISC_R_SUCCESS) {
6915 if (devent->result == ISC_R_EOF &&
6916 (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
6918 * The problem might be that they
6919 * don't understand EDNS0. Turn it
6920 * off and try again.
6922 options |= DNS_FETCHOPT_NOEDNS0;
6924 add_bad_edns(fctx, &query->addrinfo->sockaddr);
6927 * There's no hope for this query.
6929 keep_trying = ISC_TRUE;
6932 * If this is a network error on an exclusive query
6933 * socket, mark the server as bad so that we won't try
6934 * it for this fetch again. Also adjust finish and
6935 * no_response so that we penalize this address in SRTT
6938 if (query->exclusivesocket &&
6939 (devent->result == ISC_R_HOSTUNREACH ||
6940 devent->result == ISC_R_NETUNREACH ||
6941 devent->result == ISC_R_CONNREFUSED ||
6942 devent->result == ISC_R_CANCELED)) {
6943 broken_server = devent->result;
6944 broken_type = badns_unreachable;
6946 no_response = ISC_TRUE;
6952 message = fctx->rmessage;
6954 if (query->tsig != NULL) {
6955 result = dns_message_setquerytsig(message, query->tsig);
6956 if (result != ISC_R_SUCCESS)
6960 if (query->tsigkey) {
6961 result = dns_message_settsigkey(message, query->tsigkey);
6962 if (result != ISC_R_SUCCESS)
6966 dns_message_setclass(message, fctx->res->rdclass);
6968 result = dns_message_parse(message, &devent->buffer, 0);
6969 if (result != ISC_R_SUCCESS) {
6971 case ISC_R_UNEXPECTEDEND:
6972 if (!message->question_ok ||
6973 (message->flags & DNS_MESSAGEFLAG_TC) == 0 ||
6974 (options & DNS_FETCHOPT_TCP) != 0) {
6976 * Either the message ended prematurely,
6977 * and/or wasn't marked as being truncated,
6978 * and/or this is a response to a query we
6979 * sent over TCP. In all of these cases,
6980 * something is wrong with the remote
6981 * server and we don't want to retry using
6984 if ((query->options & DNS_FETCHOPT_NOEDNS0)
6987 * The problem might be that they
6988 * don't understand EDNS0. Turn it
6989 * off and try again.
6991 options |= DNS_FETCHOPT_NOEDNS0;
6994 &query->addrinfo->sockaddr);
6995 inc_stats(fctx->res,
6996 dns_resstatscounter_edns0fail);
6998 broken_server = result;
6999 keep_trying = ISC_TRUE;
7004 * We defer retrying via TCP for a bit so we can
7005 * check out this message further.
7007 truncated = ISC_TRUE;
7010 if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
7012 * The problem might be that they
7013 * don't understand EDNS0. Turn it
7014 * off and try again.
7016 options |= DNS_FETCHOPT_NOEDNS0;
7018 add_bad_edns(fctx, &query->addrinfo->sockaddr);
7019 inc_stats(fctx->res,
7020 dns_resstatscounter_edns0fail);
7022 broken_server = DNS_R_UNEXPECTEDRCODE;
7023 keep_trying = ISC_TRUE;
7028 * Something bad has happened.
7036 * Log the incoming packet.
7038 log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
7040 if (message->rdclass != fctx->res->rdclass) {
7042 FCTXTRACE("bad class");
7047 * Process receive opt record.
7049 opt = dns_message_getopt(message);
7051 process_opt(query, opt);
7054 * If the message is signed, check the signature. If not, this
7055 * returns success anyway.
7057 result = dns_message_checksig(message, fctx->res->view);
7058 if (result != ISC_R_SUCCESS)
7062 * The dispatcher should ensure we only get responses with QR set.
7064 INSIST((message->flags & DNS_MESSAGEFLAG_QR) != 0);
7066 * INSIST() that the message comes from the place we sent it to,
7067 * since the dispatch code should ensure this.
7069 * INSIST() that the message id is correct (this should also be
7070 * ensured by the dispatch code).
7074 * We have an affirmative response to the query and we have
7075 * previously got a response from this server which indicated
7076 * EDNS may not be supported so we can now cache the lack of
7080 (message->rcode == dns_rcode_noerror ||
7081 message->rcode == dns_rcode_nxdomain ||
7082 message->rcode == dns_rcode_refused ||
7083 message->rcode == dns_rcode_yxdomain) &&
7084 bad_edns(fctx, &query->addrinfo->sockaddr)) {
7085 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
7086 isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
7088 dns_adb_changeflags(fctx->adb, query->addrinfo,
7089 DNS_FETCHOPT_NOEDNS0,
7090 DNS_FETCHOPT_NOEDNS0);
7094 * Deal with truncated responses by retrying using TCP.
7096 if ((message->flags & DNS_MESSAGEFLAG_TC) != 0)
7097 truncated = ISC_TRUE;
7100 inc_stats(fctx->res, dns_resstatscounter_truncated);
7101 if ((options & DNS_FETCHOPT_TCP) != 0) {
7102 broken_server = DNS_R_TRUNCATEDTCP;
7103 keep_trying = ISC_TRUE;
7105 options |= DNS_FETCHOPT_TCP;
7112 * Is it a query response?
7114 if (message->opcode != dns_opcode_query) {
7116 broken_server = DNS_R_UNEXPECTEDOPCODE;
7117 keep_trying = ISC_TRUE;
7122 * Update statistics about erroneous responses.
7124 if (message->rcode != dns_rcode_noerror) {
7125 switch (message->rcode) {
7126 case dns_rcode_nxdomain:
7127 inc_stats(fctx->res, dns_resstatscounter_nxdomain);
7129 case dns_rcode_servfail:
7130 inc_stats(fctx->res, dns_resstatscounter_servfail);
7132 case dns_rcode_formerr:
7133 inc_stats(fctx->res, dns_resstatscounter_formerr);
7136 inc_stats(fctx->res, dns_resstatscounter_othererror);
7142 * Is the remote server broken, or does it dislike us?
7144 if (message->rcode != dns_rcode_noerror &&
7145 message->rcode != dns_rcode_nxdomain) {
7146 if (((message->rcode == dns_rcode_formerr ||
7147 message->rcode == dns_rcode_notimp) ||
7148 (message->rcode == dns_rcode_servfail &&
7149 dns_message_getopt(message) == NULL)) &&
7150 (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
7152 * It's very likely they don't like EDNS0.
7153 * If the response code is SERVFAIL, also check if the
7154 * response contains an OPT RR and don't cache the
7155 * failure since it can be returned for various other
7158 * XXXRTH We should check if the question
7159 * we're asking requires EDNS0, and
7160 * if so, we should bail out.
7162 options |= DNS_FETCHOPT_NOEDNS0;
7165 * Remember that they may not like EDNS0.
7167 add_bad_edns(fctx, &query->addrinfo->sockaddr);
7168 inc_stats(fctx->res, dns_resstatscounter_edns0fail);
7169 } else if (message->rcode == dns_rcode_formerr) {
7170 if (ISFORWARDER(query->addrinfo)) {
7172 * This forwarder doesn't understand us,
7173 * but other forwarders might. Keep trying.
7175 broken_server = DNS_R_REMOTEFORMERR;
7176 keep_trying = ISC_TRUE;
7179 * The server doesn't understand us. Since
7180 * all servers for a zone need similar
7181 * capabilities, we assume that we will get
7182 * FORMERR from all servers, and thus we
7183 * cannot make any more progress with this
7186 log_formerr(fctx, "server sent FORMERR");
7187 result = DNS_R_FORMERR;
7189 } else if (message->rcode == dns_rcode_yxdomain) {
7191 * DNAME mapping failed because the new name
7192 * was too long. There's no chance of success
7195 result = DNS_R_YXDOMAIN;
7196 } else if (message->rcode == dns_rcode_badvers) {
7197 unsigned int flags, mask;
7198 unsigned int version;
7201 INSIST(opt != NULL);
7202 version = (opt->ttl >> 16) & 0xff;
7203 flags = (version << DNS_FETCHOPT_EDNSVERSIONSHIFT) |
7204 DNS_FETCHOPT_EDNSVERSIONSET;
7205 mask = DNS_FETCHOPT_EDNSVERSIONMASK |
7206 DNS_FETCHOPT_EDNSVERSIONSET;
7209 dns_adb_changeflags(fctx->adb, query->addrinfo,
7213 broken_server = DNS_R_BADVERS;
7214 keep_trying = ISC_TRUE;
7221 broken_server = DNS_R_UNEXPECTEDRCODE;
7222 INSIST(broken_server != ISC_R_SUCCESS);
7223 keep_trying = ISC_TRUE;
7229 * Is the question the same as the one we asked?
7231 result = same_question(fctx);
7232 if (result != ISC_R_SUCCESS) {
7234 if (result == DNS_R_FORMERR)
7235 keep_trying = ISC_TRUE;
7240 * Is the server lame?
7242 if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
7244 inc_stats(fctx->res, dns_resstatscounter_lame);
7245 log_lame(fctx, query->addrinfo);
7246 result = dns_adb_marklame(fctx->adb, query->addrinfo,
7247 &fctx->name, fctx->type,
7248 now + fctx->res->lame_ttl);
7249 if (result != ISC_R_SUCCESS)
7250 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
7251 DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
7252 "could not mark server as lame: %s",
7253 isc_result_totext(result));
7254 broken_server = DNS_R_LAME;
7255 keep_trying = ISC_TRUE;
7260 * Enforce delegations only zones like NET and COM.
7262 if (!ISFORWARDER(query->addrinfo) &&
7263 dns_view_isdelegationonly(fctx->res->view, &fctx->domain) &&
7264 !dns_name_equal(&fctx->domain, &fctx->name) &&
7265 fix_mustbedelegationornxdomain(message, fctx)) {
7266 char namebuf[DNS_NAME_FORMATSIZE];
7267 char domainbuf[DNS_NAME_FORMATSIZE];
7268 char addrbuf[ISC_SOCKADDR_FORMATSIZE];
7272 dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
7273 dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
7274 dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
7275 dns_rdataclass_format(fctx->res->rdclass, classbuf,
7277 isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
7280 isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
7281 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
7282 "enforced delegation-only for '%s' (%s/%s/%s) "
7284 domainbuf, namebuf, typebuf, classbuf, addrbuf);
7287 if ((fctx->res->options & DNS_RESOLVER_CHECKNAMES) != 0)
7288 checknames(message);
7293 fctx->attributes &= ~(FCTX_ATTR_WANTNCACHE | FCTX_ATTR_WANTCACHE);
7296 * Did we get any answers?
7298 if (message->counts[DNS_SECTION_ANSWER] > 0 &&
7299 (message->rcode == dns_rcode_noerror ||
7300 message->rcode == dns_rcode_nxdomain)) {
7303 * We've got answers. If it has an authoritative answer or an
7304 * answer from a forwarder, we're done.
7306 if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 ||
7307 ISFORWARDER(query->addrinfo))
7308 result = answer_response(fctx);
7309 else if (iscname(fctx) &&
7310 fctx->type != dns_rdatatype_any &&
7311 fctx->type != dns_rdatatype_cname) {
7313 * A BIND8 server could return a non-authoritative
7314 * answer when a CNAME is followed. We should treat
7315 * it as a valid answer.
7317 result = answer_response(fctx);
7318 } else if (fctx->type != dns_rdatatype_ns &&
7319 !betterreferral(fctx)) {
7321 * Lame response !!!.
7323 result = answer_response(fctx);
7325 if (fctx->type == dns_rdatatype_ns) {
7327 * A BIND 8 server could incorrectly return a
7328 * non-authoritative answer to an NS query
7329 * instead of a referral. Since this answer
7330 * lacks the SIGs necessary to do DNSSEC
7331 * validation, we must invoke the following
7332 * special kludge to treat it as a referral.
7334 result = noanswer_response(fctx, NULL,
7335 LOOK_FOR_NS_IN_ANSWER);
7338 * Some other servers may still somehow include
7339 * an answer when it should return a referral
7340 * with an empty answer. Check to see if we can
7341 * treat this as a referral by ignoring the
7342 * answer. Further more, there may be an
7343 * implementation that moves A/AAAA glue records
7344 * to the answer section for that type of
7345 * delegation when the query is for that glue
7346 * record. LOOK_FOR_GLUE_IN_ANSWER will handle
7347 * such a corner case.
7349 result = noanswer_response(fctx, NULL,
7350 LOOK_FOR_GLUE_IN_ANSWER);
7352 if (result != DNS_R_DELEGATION) {
7354 * At this point, AA is not set, the response
7355 * is not a referral, and the server is not a
7356 * forwarder. It is technically lame and it's
7357 * easier to treat it as such than to figure out
7358 * some more elaborate course of action.
7360 broken_server = DNS_R_LAME;
7361 keep_trying = ISC_TRUE;
7364 goto force_referral;
7366 if (result != ISC_R_SUCCESS) {
7367 if (result == DNS_R_FORMERR)
7368 keep_trying = ISC_TRUE;
7371 } else if (message->counts[DNS_SECTION_AUTHORITY] > 0 ||
7372 message->rcode == dns_rcode_noerror ||
7373 message->rcode == dns_rcode_nxdomain) {
7375 * NXDOMAIN, NXRDATASET, or referral.
7377 result = noanswer_response(fctx, NULL, 0);
7380 case DNS_R_CHASEDSSERVERS:
7382 case DNS_R_DELEGATION:
7385 * We don't have the answer, but we know a better
7388 get_nameservers = ISC_TRUE;
7389 keep_trying = ISC_TRUE;
7391 * We have a new set of name servers, and it
7392 * has not experienced any restarts yet.
7397 * Update local statistics counters collected for each
7401 fctx->querysent = 0;
7402 fctx->lamecount = 0;
7407 result = ISC_R_SUCCESS;
7411 * Something has gone wrong.
7413 if (result == DNS_R_FORMERR)
7414 keep_trying = ISC_TRUE;
7419 * The server is insane.
7422 broken_server = DNS_R_UNEXPECTEDRCODE;
7423 keep_trying = ISC_TRUE;
7428 * Follow additional section data chains.
7430 chase_additional(fctx);
7433 * Cache the cacheable parts of the message. This may also cause
7434 * work to be queued to the DNSSEC validator.
7436 if (WANTCACHE(fctx)) {
7437 result = cache_message(fctx, query->addrinfo, now);
7438 if (result != ISC_R_SUCCESS)
7443 * Ncache the negatively cacheable parts of the message. This may
7444 * also cause work to be queued to the DNSSEC validator.
7446 if (WANTNCACHE(fctx)) {
7447 dns_rdatatype_t covers;
7448 if (message->rcode == dns_rcode_nxdomain)
7449 covers = dns_rdatatype_any;
7451 covers = fctx->type;
7454 * Cache any negative cache entries in the message.
7456 result = ncache_message(fctx, query->addrinfo, covers, now);
7461 * Remember the query's addrinfo, in case we need to mark the
7464 addrinfo = query->addrinfo;
7469 * XXXRTH Don't cancel the query if waiting for validation?
7471 fctx_cancelquery(&query, &devent, finish, no_response);
7474 if (result == DNS_R_FORMERR)
7475 broken_server = DNS_R_FORMERR;
7476 if (broken_server != ISC_R_SUCCESS) {
7478 * Add this server to the list of bad servers for
7481 add_bad(fctx, addrinfo, broken_server, broken_type);
7484 if (get_nameservers) {
7486 dns_fixedname_init(&foundname);
7487 fname = dns_fixedname_name(&foundname);
7488 if (result != ISC_R_SUCCESS) {
7489 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
7493 if (dns_rdatatype_atparent(fctx->type))
7494 findoptions |= DNS_DBFIND_NOEXACT;
7495 if ((options & DNS_FETCHOPT_UNSHARED) == 0)
7498 name = &fctx->domain;
7499 result = dns_view_findzonecut(fctx->res->view,
7505 if (result != ISC_R_SUCCESS) {
7506 FCTXTRACE("couldn't find a zonecut");
7507 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
7510 if (!dns_name_issubdomain(fname, &fctx->domain)) {
7512 * The best nameservers are now above our
7515 FCTXTRACE("nameservers now above QDOMAIN");
7516 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
7519 dns_name_free(&fctx->domain, fctx->mctx);
7520 dns_name_init(&fctx->domain, NULL);
7521 result = dns_name_dup(fname, fctx->mctx, &fctx->domain);
7522 if (result != ISC_R_SUCCESS) {
7523 fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
7526 fctx->ns_ttl = fctx->nameservers.ttl;
7527 fctx->ns_ttl_ok = ISC_TRUE;
7528 fctx_cancelqueries(fctx, ISC_TRUE);
7529 fctx_cleanupfinds(fctx);
7530 fctx_cleanupaltfinds(fctx);
7531 fctx_cleanupforwaddrs(fctx);
7532 fctx_cleanupaltaddrs(fctx);
7537 fctx_try(fctx, !get_nameservers, ISC_FALSE);
7538 } else if (resend) {
7540 * Resend (probably with changed options).
7542 FCTXTRACE("resend");
7543 inc_stats(fctx->res, dns_resstatscounter_retry);
7544 result = fctx_query(fctx, addrinfo, options);
7545 if (result != ISC_R_SUCCESS)
7546 fctx_done(fctx, result, __LINE__);
7547 } else if (result == ISC_R_SUCCESS && !HAVE_ANSWER(fctx)) {
7549 * All has gone well so far, but we are waiting for the
7550 * DNSSEC validator to validate the answer.
7552 FCTXTRACE("wait for validator");
7553 fctx_cancelqueries(fctx, ISC_TRUE);
7555 * We must not retransmit while the validator is working;
7556 * it has references to the current rmessage.
7558 result = fctx_stopidletimer(fctx);
7559 if (result != ISC_R_SUCCESS)
7560 fctx_done(fctx, result, __LINE__);
7561 } else if (result == DNS_R_CHASEDSSERVERS) {
7563 add_bad(fctx, addrinfo, result, broken_type);
7564 fctx_cancelqueries(fctx, ISC_TRUE);
7565 fctx_cleanupfinds(fctx);
7566 fctx_cleanupforwaddrs(fctx);
7568 n = dns_name_countlabels(&fctx->name);
7569 dns_name_getlabelsequence(&fctx->name, 1, n - 1, &fctx->nsname);
7571 FCTXTRACE("suspending DS lookup to find parent's NS records");
7573 result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
7575 NULL, NULL, NULL, 0, task,
7576 resume_dslookup, fctx,
7577 &fctx->nsrrset, NULL,
7579 if (result != ISC_R_SUCCESS)
7580 fctx_done(fctx, result, __LINE__);
7582 LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
7584 UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
7585 result = fctx_stopidletimer(fctx);
7586 if (result != ISC_R_SUCCESS)
7587 fctx_done(fctx, result, __LINE__);
7593 fctx_done(fctx, result, __LINE__);
7599 *** Resolver Methods
7602 destroy_badcache(dns_resolver_t *res) {
7603 dns_badcache_t *bad, *next;
7606 if (res->badcache != NULL) {
7607 for (i = 0; i < res->badhash; i++)
7608 for (bad = res->badcache[i]; bad != NULL;
7611 isc_mem_put(res->mctx, bad, sizeof(*bad) +
7615 isc_mem_put(res->mctx, res->badcache,
7616 sizeof(*res->badcache) * res->badhash);
7617 res->badcache = NULL;
7619 INSIST(res->badcount == 0);
7624 destroy(dns_resolver_t *res) {
7628 REQUIRE(res->references == 0);
7629 REQUIRE(!res->priming);
7630 REQUIRE(res->primefetch == NULL);
7634 INSIST(res->nfctx == 0);
7636 DESTROYLOCK(&res->primelock);
7637 DESTROYLOCK(&res->nlock);
7638 DESTROYLOCK(&res->lock);
7639 for (i = 0; i < res->nbuckets; i++) {
7640 INSIST(ISC_LIST_EMPTY(res->buckets[i].fctxs));
7641 isc_task_shutdown(res->buckets[i].task);
7642 isc_task_detach(&res->buckets[i].task);
7643 DESTROYLOCK(&res->buckets[i].lock);
7644 isc_mem_detach(&res->buckets[i].mctx);
7646 isc_mem_put(res->mctx, res->buckets,
7647 res->nbuckets * sizeof(fctxbucket_t));
7648 if (res->dispatches4 != NULL)
7649 dns_dispatchset_destroy(&res->dispatches4);
7650 if (res->dispatches6 != NULL)
7651 dns_dispatchset_destroy(&res->dispatches6);
7652 while ((a = ISC_LIST_HEAD(res->alternates)) != NULL) {
7653 ISC_LIST_UNLINK(res->alternates, a, link);
7655 dns_name_free(&a->_u._n.name, res->mctx);
7656 isc_mem_put(res->mctx, a, sizeof(*a));
7658 dns_resolver_reset_algorithms(res);
7659 destroy_badcache(res);
7660 dns_resolver_resetmustbesecure(res);
7662 isc_rwlock_destroy(&res->alglock);
7665 isc_rwlock_destroy(&res->mbslock);
7667 isc_timer_detach(&res->spillattimer);
7669 isc_mem_put(res->mctx, res, sizeof(*res));
7673 send_shutdown_events(dns_resolver_t *res) {
7674 isc_event_t *event, *next_event;
7678 * Caller must be holding the resolver lock.
7681 for (event = ISC_LIST_HEAD(res->whenshutdown);
7683 event = next_event) {
7684 next_event = ISC_LIST_NEXT(event, ev_link);
7685 ISC_LIST_UNLINK(res->whenshutdown, event, ev_link);
7686 etask = event->ev_sender;
7687 event->ev_sender = res;
7688 isc_task_sendanddetach(&etask, &event);
7693 empty_bucket(dns_resolver_t *res) {
7694 RTRACE("empty_bucket");
7698 INSIST(res->activebuckets > 0);
7699 res->activebuckets--;
7700 if (res->activebuckets == 0)
7701 send_shutdown_events(res);
7707 spillattimer_countdown(isc_task_t *task, isc_event_t *event) {
7708 dns_resolver_t *res = event->ev_arg;
7709 isc_result_t result;
7711 isc_boolean_t logit = ISC_FALSE;
7713 REQUIRE(VALID_RESOLVER(res));
7718 INSIST(!res->exiting);
7719 if (res->spillat > res->spillatmin) {
7723 if (res->spillat <= res->spillatmin) {
7724 result = isc_timer_reset(res->spillattimer,
7725 isc_timertype_inactive, NULL,
7727 RUNTIME_CHECK(result == ISC_R_SUCCESS);
7729 count = res->spillat;
7732 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
7733 DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
7734 "clients-per-query decreased to %u", count);
7736 isc_event_free(&event);
7740 dns_resolver_create(dns_view_t *view,
7741 isc_taskmgr_t *taskmgr,
7742 unsigned int ntasks, unsigned int ndisp,
7743 isc_socketmgr_t *socketmgr,
7744 isc_timermgr_t *timermgr,
7745 unsigned int options,
7746 dns_dispatchmgr_t *dispatchmgr,
7747 dns_dispatch_t *dispatchv4,
7748 dns_dispatch_t *dispatchv6,
7749 dns_resolver_t **resp)
7751 dns_resolver_t *res;
7752 isc_result_t result = ISC_R_SUCCESS;
7753 unsigned int i, buckets_created = 0;
7754 isc_task_t *task = NULL;
7759 * Create a resolver.
7762 REQUIRE(DNS_VIEW_VALID(view));
7763 REQUIRE(ntasks > 0);
7765 REQUIRE(resp != NULL && *resp == NULL);
7766 REQUIRE(dispatchmgr != NULL);
7767 REQUIRE(dispatchv4 != NULL || dispatchv6 != NULL);
7769 res = isc_mem_get(view->mctx, sizeof(*res));
7771 return (ISC_R_NOMEMORY);
7773 res->mctx = view->mctx;
7774 res->rdclass = view->rdclass;
7775 res->socketmgr = socketmgr;
7776 res->timermgr = timermgr;
7777 res->taskmgr = taskmgr;
7778 res->dispatchmgr = dispatchmgr;
7780 res->options = options;
7782 ISC_LIST_INIT(res->alternates);
7783 res->udpsize = RECV_BUFFER_SIZE;
7784 res->algorithms = NULL;
7785 res->badcache = NULL;
7789 res->mustbesecure = NULL;
7790 res->spillatmin = res->spillat = 10;
7791 res->spillatmax = 100;
7792 res->spillattimer = NULL;
7793 res->zero_no_soa_ttl = ISC_FALSE;
7794 res->query_timeout = DEFAULT_QUERY_TIMEOUT;
7795 res->maxdepth = DEFAULT_RECURSION_DEPTH;
7796 res->nbuckets = ntasks;
7797 res->activebuckets = ntasks;
7798 res->buckets = isc_mem_get(view->mctx,
7799 ntasks * sizeof(fctxbucket_t));
7800 if (res->buckets == NULL) {
7801 result = ISC_R_NOMEMORY;
7804 for (i = 0; i < ntasks; i++) {
7805 result = isc_mutex_init(&res->buckets[i].lock);
7806 if (result != ISC_R_SUCCESS)
7807 goto cleanup_buckets;
7808 res->buckets[i].task = NULL;
7809 result = isc_task_create(taskmgr, 0, &res->buckets[i].task);
7810 if (result != ISC_R_SUCCESS) {
7811 DESTROYLOCK(&res->buckets[i].lock);
7812 goto cleanup_buckets;
7814 res->buckets[i].mctx = NULL;
7815 snprintf(name, sizeof(name), "res%u", i);
7816 #ifdef ISC_PLATFORM_USETHREADS
7818 * Use a separate memory context for each bucket to reduce
7819 * contention among multiple threads. Do this only when
7820 * enabling threads because it will be require more memory.
7822 result = isc_mem_create(0, 0, &res->buckets[i].mctx);
7823 if (result != ISC_R_SUCCESS) {
7824 isc_task_detach(&res->buckets[i].task);
7825 DESTROYLOCK(&res->buckets[i].lock);
7826 goto cleanup_buckets;
7828 isc_mem_setname(res->buckets[i].mctx, name, NULL);
7830 isc_mem_attach(view->mctx, &res->buckets[i].mctx);
7832 isc_task_setname(res->buckets[i].task, name, res);
7833 ISC_LIST_INIT(res->buckets[i].fctxs);
7834 res->buckets[i].exiting = ISC_FALSE;
7838 res->dispatches4 = NULL;
7839 if (dispatchv4 != NULL) {
7840 dns_dispatchset_create(view->mctx, socketmgr, taskmgr,
7841 dispatchv4, &res->dispatches4, ndisp);
7842 dispattr = dns_dispatch_getattributes(dispatchv4);
7844 ISC_TF((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0);
7847 res->dispatches6 = NULL;
7848 if (dispatchv6 != NULL) {
7849 dns_dispatchset_create(view->mctx, socketmgr, taskmgr,
7850 dispatchv6, &res->dispatches6, ndisp);
7851 dispattr = dns_dispatch_getattributes(dispatchv6);
7853 ISC_TF((dispattr & DNS_DISPATCHATTR_EXCLUSIVE) != 0);
7856 res->references = 1;
7857 res->exiting = ISC_FALSE;
7858 res->frozen = ISC_FALSE;
7859 ISC_LIST_INIT(res->whenshutdown);
7860 res->priming = ISC_FALSE;
7861 res->primefetch = NULL;
7864 result = isc_mutex_init(&res->lock);
7865 if (result != ISC_R_SUCCESS)
7866 goto cleanup_dispatches;
7868 result = isc_mutex_init(&res->nlock);
7869 if (result != ISC_R_SUCCESS)
7872 result = isc_mutex_init(&res->primelock);
7873 if (result != ISC_R_SUCCESS)
7877 result = isc_task_create(taskmgr, 0, &task);
7878 if (result != ISC_R_SUCCESS)
7879 goto cleanup_primelock;
7881 result = isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
7882 task, spillattimer_countdown, res,
7883 &res->spillattimer);
7884 isc_task_detach(&task);
7885 if (result != ISC_R_SUCCESS)
7886 goto cleanup_primelock;
7889 result = isc_rwlock_init(&res->alglock, 0, 0);
7890 if (result != ISC_R_SUCCESS)
7891 goto cleanup_spillattimer;
7894 result = isc_rwlock_init(&res->mbslock, 0, 0);
7895 if (result != ISC_R_SUCCESS)
7896 goto cleanup_alglock;
7899 res->magic = RES_MAGIC;
7903 return (ISC_R_SUCCESS);
7908 isc_rwlock_destroy(&res->alglock);
7911 #if USE_ALGLOCK || USE_MBSLOCK
7912 cleanup_spillattimer:
7913 isc_timer_detach(&res->spillattimer);
7917 DESTROYLOCK(&res->primelock);
7920 DESTROYLOCK(&res->nlock);
7923 DESTROYLOCK(&res->lock);
7926 if (res->dispatches6 != NULL)
7927 dns_dispatchset_destroy(&res->dispatches6);
7928 if (res->dispatches4 != NULL)
7929 dns_dispatchset_destroy(&res->dispatches4);
7932 for (i = 0; i < buckets_created; i++) {
7933 isc_mem_detach(&res->buckets[i].mctx);
7934 DESTROYLOCK(&res->buckets[i].lock);
7935 isc_task_shutdown(res->buckets[i].task);
7936 isc_task_detach(&res->buckets[i].task);
7938 isc_mem_put(view->mctx, res->buckets,
7939 res->nbuckets * sizeof(fctxbucket_t));
7942 isc_mem_put(view->mctx, res, sizeof(*res));
7949 prime_done(isc_task_t *task, isc_event_t *event) {
7950 dns_resolver_t *res;
7951 dns_fetchevent_t *fevent;
7953 dns_db_t *db = NULL;
7955 REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
7956 fevent = (dns_fetchevent_t *)event;
7957 res = event->ev_arg;
7958 REQUIRE(VALID_RESOLVER(res));
7964 INSIST(res->priming);
7965 res->priming = ISC_FALSE;
7966 LOCK(&res->primelock);
7967 fetch = res->primefetch;
7968 res->primefetch = NULL;
7969 UNLOCK(&res->primelock);
7973 if (fevent->result == ISC_R_SUCCESS &&
7974 res->view->cache != NULL && res->view->hints != NULL) {
7975 dns_cache_attachdb(res->view->cache, &db);
7976 dns_root_checkhints(res->view, res->view->hints, db);
7980 if (fevent->node != NULL)
7981 dns_db_detachnode(fevent->db, &fevent->node);
7982 if (fevent->db != NULL)
7983 dns_db_detach(&fevent->db);
7984 if (dns_rdataset_isassociated(fevent->rdataset))
7985 dns_rdataset_disassociate(fevent->rdataset);
7986 INSIST(fevent->sigrdataset == NULL);
7988 isc_mem_put(res->mctx, fevent->rdataset, sizeof(*fevent->rdataset));
7990 isc_event_free(&event);
7991 dns_resolver_destroyfetch(&fetch);
7995 dns_resolver_prime(dns_resolver_t *res) {
7996 isc_boolean_t want_priming = ISC_FALSE;
7997 dns_rdataset_t *rdataset;
7998 isc_result_t result;
8000 REQUIRE(VALID_RESOLVER(res));
8001 REQUIRE(res->frozen);
8003 RTRACE("dns_resolver_prime");
8007 if (!res->exiting && !res->priming) {
8008 INSIST(res->primefetch == NULL);
8009 res->priming = ISC_TRUE;
8010 want_priming = ISC_TRUE;
8017 * To avoid any possible recursive locking problems, we
8018 * start the priming fetch like any other fetch, and holding
8019 * no resolver locks. No one else will try to start it
8020 * because we're the ones who set res->priming to true.
8021 * Any other callers of dns_resolver_prime() while we're
8022 * running will see that res->priming is already true and
8026 rdataset = isc_mem_get(res->mctx, sizeof(*rdataset));
8027 if (rdataset == NULL) {
8029 INSIST(res->priming);
8030 INSIST(res->primefetch == NULL);
8031 res->priming = ISC_FALSE;
8035 dns_rdataset_init(rdataset);
8036 LOCK(&res->primelock);
8037 result = dns_resolver_createfetch(res, dns_rootname,
8039 NULL, NULL, NULL, 0,
8040 res->buckets[0].task,
8042 res, rdataset, NULL,
8044 UNLOCK(&res->primelock);
8045 if (result != ISC_R_SUCCESS) {
8047 INSIST(res->priming);
8048 res->priming = ISC_FALSE;
8056 dns_resolver_freeze(dns_resolver_t *res) {
8061 REQUIRE(VALID_RESOLVER(res));
8063 res->frozen = ISC_TRUE;
8067 dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp) {
8068 REQUIRE(VALID_RESOLVER(source));
8069 REQUIRE(targetp != NULL && *targetp == NULL);
8071 RRTRACE(source, "attach");
8072 LOCK(&source->lock);
8073 REQUIRE(!source->exiting);
8075 INSIST(source->references > 0);
8076 source->references++;
8077 INSIST(source->references != 0);
8078 UNLOCK(&source->lock);
8084 dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
8085 isc_event_t **eventp)
8090 REQUIRE(VALID_RESOLVER(res));
8091 REQUIRE(eventp != NULL);
8098 if (res->exiting && res->activebuckets == 0) {
8100 * We're already shutdown. Send the event.
8102 event->ev_sender = res;
8103 isc_task_send(task, &event);
8106 isc_task_attach(task, &clone);
8107 event->ev_sender = clone;
8108 ISC_LIST_APPEND(res->whenshutdown, event, ev_link);
8115 dns_resolver_shutdown(dns_resolver_t *res) {
8118 isc_result_t result;
8120 REQUIRE(VALID_RESOLVER(res));
8126 if (!res->exiting) {
8128 res->exiting = ISC_TRUE;
8130 for (i = 0; i < res->nbuckets; i++) {
8131 LOCK(&res->buckets[i].lock);
8132 for (fctx = ISC_LIST_HEAD(res->buckets[i].fctxs);
8134 fctx = ISC_LIST_NEXT(fctx, link))
8135 fctx_shutdown(fctx);
8136 if (res->dispatches4 != NULL && !res->exclusivev4) {
8137 dns_dispatchset_cancelall(res->dispatches4,
8138 res->buckets[i].task);
8140 if (res->dispatches6 != NULL && !res->exclusivev6) {
8141 dns_dispatchset_cancelall(res->dispatches6,
8142 res->buckets[i].task);
8144 res->buckets[i].exiting = ISC_TRUE;
8145 if (ISC_LIST_EMPTY(res->buckets[i].fctxs)) {
8146 INSIST(res->activebuckets > 0);
8147 res->activebuckets--;
8149 UNLOCK(&res->buckets[i].lock);
8151 if (res->activebuckets == 0)
8152 send_shutdown_events(res);
8153 result = isc_timer_reset(res->spillattimer,
8154 isc_timertype_inactive, NULL,
8156 RUNTIME_CHECK(result == ISC_R_SUCCESS);
8163 dns_resolver_detach(dns_resolver_t **resp) {
8164 dns_resolver_t *res;
8165 isc_boolean_t need_destroy = ISC_FALSE;
8167 REQUIRE(resp != NULL);
8169 REQUIRE(VALID_RESOLVER(res));
8175 INSIST(res->references > 0);
8177 if (res->references == 0) {
8178 INSIST(res->exiting && res->activebuckets == 0);
8179 need_destroy = ISC_TRUE;
8190 static inline isc_boolean_t
8191 fctx_match(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
8192 unsigned int options)
8195 * Don't match fetch contexts that are shutting down.
8197 if (fctx->cloned || fctx->state == fetchstate_done ||
8198 ISC_LIST_EMPTY(fctx->events))
8201 if (fctx->type != type || fctx->options != options)
8203 return (dns_name_equal(&fctx->name, name));
8207 log_fetch(dns_name_t *name, dns_rdatatype_t type) {
8208 char namebuf[DNS_NAME_FORMATSIZE];
8209 char typebuf[DNS_RDATATYPE_FORMATSIZE];
8210 int level = ISC_LOG_DEBUG(1);
8212 if (! isc_log_wouldlog(dns_lctx, level))
8215 dns_name_format(name, namebuf, sizeof(namebuf));
8216 dns_rdatatype_format(type, typebuf, sizeof(typebuf));
8218 isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
8219 DNS_LOGMODULE_RESOLVER, level,
8220 "createfetch: %s %s", namebuf, typebuf);
8224 dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
8225 dns_rdatatype_t type,
8226 dns_name_t *domain, dns_rdataset_t *nameservers,
8227 dns_forwarders_t *forwarders,
8228 unsigned int options, isc_task_t *task,
8229 isc_taskaction_t action, void *arg,
8230 dns_rdataset_t *rdataset,
8231 dns_rdataset_t *sigrdataset,
8232 dns_fetch_t **fetchp)
8234 return (dns_resolver_createfetch3(res, name, type, domain,
8235 nameservers, forwarders, NULL, 0,
8236 options, 0, task, action, arg,
8237 rdataset, sigrdataset, fetchp));
8241 dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
8242 dns_rdatatype_t type,
8243 dns_name_t *domain, dns_rdataset_t *nameservers,
8244 dns_forwarders_t *forwarders,
8245 isc_sockaddr_t *client, dns_messageid_t id,
8246 unsigned int options, isc_task_t *task,
8247 isc_taskaction_t action, void *arg,
8248 dns_rdataset_t *rdataset,
8249 dns_rdataset_t *sigrdataset,
8250 dns_fetch_t **fetchp)
8252 return (dns_resolver_createfetch3(res, name, type, domain,
8253 nameservers, forwarders, client, id,
8254 options, 0, task, action, arg,
8255 rdataset, sigrdataset, fetchp));
8259 dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
8260 dns_rdatatype_t type,
8261 dns_name_t *domain, dns_rdataset_t *nameservers,
8262 dns_forwarders_t *forwarders,
8263 isc_sockaddr_t *client, dns_messageid_t id,
8264 unsigned int options, unsigned int depth,
8266 isc_taskaction_t action, void *arg,
8267 dns_rdataset_t *rdataset,
8268 dns_rdataset_t *sigrdataset,
8269 dns_fetch_t **fetchp)
8272 fetchctx_t *fctx = NULL;
8273 isc_result_t result = ISC_R_SUCCESS;
8274 unsigned int bucketnum;
8275 isc_boolean_t new_fctx = ISC_FALSE;
8277 unsigned int count = 0;
8278 unsigned int spillat;
8279 unsigned int spillatmin;
8280 isc_boolean_t destroy = ISC_FALSE;
8284 REQUIRE(VALID_RESOLVER(res));
8285 REQUIRE(res->frozen);
8286 /* XXXRTH Check for meta type */
8287 if (domain != NULL) {
8288 REQUIRE(DNS_RDATASET_VALID(nameservers));
8289 REQUIRE(nameservers->type == dns_rdatatype_ns);
8291 REQUIRE(nameservers == NULL);
8292 REQUIRE(forwarders == NULL);
8293 REQUIRE(!dns_rdataset_isassociated(rdataset));
8294 REQUIRE(sigrdataset == NULL ||
8295 !dns_rdataset_isassociated(sigrdataset));
8296 REQUIRE(fetchp != NULL && *fetchp == NULL);
8298 log_fetch(name, type);
8301 * XXXRTH use a mempool?
8303 fetch = isc_mem_get(res->mctx, sizeof(*fetch));
8305 return (ISC_R_NOMEMORY);
8307 bucketnum = dns_name_fullhash(name, ISC_FALSE) % res->nbuckets;
8310 spillat = res->spillat;
8311 spillatmin = res->spillatmin;
8313 LOCK(&res->buckets[bucketnum].lock);
8315 if (res->buckets[bucketnum].exiting) {
8316 result = ISC_R_SHUTTINGDOWN;
8320 if ((options & DNS_FETCHOPT_UNSHARED) == 0) {
8321 for (fctx = ISC_LIST_HEAD(res->buckets[bucketnum].fctxs);
8323 fctx = ISC_LIST_NEXT(fctx, link)) {
8324 if (fctx_match(fctx, name, type, options))
8330 * Is this a duplicate?
8332 if (fctx != NULL && client != NULL) {
8333 dns_fetchevent_t *fevent;
8334 for (fevent = ISC_LIST_HEAD(fctx->events);
8336 fevent = ISC_LIST_NEXT(fevent, ev_link)) {
8337 if (fevent->client != NULL && fevent->id == id &&
8338 isc_sockaddr_equal(fevent->client, client)) {
8339 result = DNS_R_DUPLICATE;
8345 if (count >= spillatmin && spillatmin != 0) {
8346 INSIST(fctx != NULL);
8347 if (count >= spillat)
8348 fctx->spilled = ISC_TRUE;
8349 if (fctx->spilled) {
8350 result = DNS_R_DROP;
8356 result = fctx_create(res, name, type, domain, nameservers,
8357 options, bucketnum, depth, &fctx);
8358 if (result != ISC_R_SUCCESS)
8360 new_fctx = ISC_TRUE;
8361 } else if (fctx->depth > depth)
8362 fctx->depth = depth;
8364 result = fctx_join(fctx, task, client, id, action, arg,
8365 rdataset, sigrdataset, fetch);
8367 if (result == ISC_R_SUCCESS) {
8371 event = &fctx->control_event;
8372 ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
8373 DNS_EVENT_FETCHCONTROL,
8374 fctx_start, fctx, NULL,
8376 isc_task_send(res->buckets[bucketnum].task, &event);
8379 * We don't care about the result of fctx_unlink()
8380 * since we know we're not exiting.
8382 (void)fctx_unlink(fctx);
8388 UNLOCK(&res->buckets[bucketnum].lock);
8393 if (result == ISC_R_SUCCESS) {
8397 isc_mem_put(res->mctx, fetch, sizeof(*fetch));
8403 dns_resolver_cancelfetch(dns_fetch_t *fetch) {
8405 dns_resolver_t *res;
8406 dns_fetchevent_t *event, *next_event;
8409 REQUIRE(DNS_FETCH_VALID(fetch));
8410 fctx = fetch->private;
8411 REQUIRE(VALID_FCTX(fctx));
8414 FTRACE("cancelfetch");
8416 LOCK(&res->buckets[fctx->bucketnum].lock);
8419 * Find the completion event for this fetch (as opposed
8420 * to those for other fetches that have joined the same
8421 * fctx) and send it with result = ISC_R_CANCELED.
8424 if (fctx->state != fetchstate_done) {
8425 for (event = ISC_LIST_HEAD(fctx->events);
8427 event = next_event) {
8428 next_event = ISC_LIST_NEXT(event, ev_link);
8429 if (event->fetch == fetch) {
8430 ISC_LIST_UNLINK(fctx->events, event, ev_link);
8435 if (event != NULL) {
8436 etask = event->ev_sender;
8437 event->ev_sender = fctx;
8438 event->result = ISC_R_CANCELED;
8439 isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
8442 * The fctx continues running even if no fetches remain;
8443 * the answer is still cached.
8446 UNLOCK(&res->buckets[fctx->bucketnum].lock);
8450 dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
8452 dns_resolver_t *res;
8453 dns_fetchevent_t *event, *next_event;
8455 unsigned int bucketnum;
8456 isc_boolean_t bucket_empty;
8458 REQUIRE(fetchp != NULL);
8460 REQUIRE(DNS_FETCH_VALID(fetch));
8461 fctx = fetch->private;
8462 REQUIRE(VALID_FCTX(fctx));
8465 FTRACE("destroyfetch");
8467 bucketnum = fctx->bucketnum;
8468 LOCK(&res->buckets[bucketnum].lock);
8471 * Sanity check: the caller should have gotten its event before
8472 * trying to destroy the fetch.
8475 if (fctx->state != fetchstate_done) {
8476 for (event = ISC_LIST_HEAD(fctx->events);
8478 event = next_event) {
8479 next_event = ISC_LIST_NEXT(event, ev_link);
8480 RUNTIME_CHECK(event->fetch != fetch);
8484 bucket_empty = fctx_decreference(fctx);
8486 UNLOCK(&res->buckets[bucketnum].lock);
8488 isc_mem_put(res->mctx, fetch, sizeof(*fetch));
8496 dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
8497 isc_logcategory_t *category, isc_logmodule_t *module,
8498 int level, isc_boolean_t duplicateok)
8501 dns_resolver_t *res;
8502 char domainbuf[DNS_NAME_FORMATSIZE];
8504 REQUIRE(DNS_FETCH_VALID(fetch));
8505 fctx = fetch->private;
8506 REQUIRE(VALID_FCTX(fctx));
8509 LOCK(&res->buckets[fctx->bucketnum].lock);
8511 INSIST(fctx->exitline >= 0);
8512 if (!fctx->logged || duplicateok) {
8513 dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
8514 isc_log_write(lctx, category, module, level,
8515 "fetch completed at %s:%d for %s in "
8516 "%" ISC_PRINT_QUADFORMAT "u."
8517 "%06" ISC_PRINT_QUADFORMAT "u: %s/%s "
8518 "[domain:%s,referral:%u,restart:%u,qrysent:%u,"
8519 "timeout:%u,lame:%u,neterr:%u,badresp:%u,"
8520 "adberr:%u,findfail:%u,valfail:%u]",
8521 __FILE__, fctx->exitline, fctx->info,
8522 fctx->duration / US_PER_SEC,
8523 fctx->duration % US_PER_SEC,
8524 isc_result_totext(fctx->result),
8525 isc_result_totext(fctx->vresult), domainbuf,
8526 fctx->referrals, fctx->restarts,
8527 fctx->querysent, fctx->timeouts, fctx->lamecount,
8528 fctx->neterr, fctx->badresp, fctx->adberr,
8529 fctx->findfail, fctx->valfail);
8530 fctx->logged = ISC_TRUE;
8533 UNLOCK(&res->buckets[fctx->bucketnum].lock);
8537 dns_resolver_dispatchmgr(dns_resolver_t *resolver) {
8538 REQUIRE(VALID_RESOLVER(resolver));
8539 return (resolver->dispatchmgr);
8543 dns_resolver_dispatchv4(dns_resolver_t *resolver) {
8544 REQUIRE(VALID_RESOLVER(resolver));
8545 return (dns_dispatchset_get(resolver->dispatches4));
8549 dns_resolver_dispatchv6(dns_resolver_t *resolver) {
8550 REQUIRE(VALID_RESOLVER(resolver));
8551 return (dns_dispatchset_get(resolver->dispatches6));
8555 dns_resolver_socketmgr(dns_resolver_t *resolver) {
8556 REQUIRE(VALID_RESOLVER(resolver));
8557 return (resolver->socketmgr);
8561 dns_resolver_taskmgr(dns_resolver_t *resolver) {
8562 REQUIRE(VALID_RESOLVER(resolver));
8563 return (resolver->taskmgr);
8567 dns_resolver_getlamettl(dns_resolver_t *resolver) {
8568 REQUIRE(VALID_RESOLVER(resolver));
8569 return (resolver->lame_ttl);
8573 dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl) {
8574 REQUIRE(VALID_RESOLVER(resolver));
8575 resolver->lame_ttl = lame_ttl;
8579 dns_resolver_nrunning(dns_resolver_t *resolver) {
8581 LOCK(&resolver->nlock);
8582 n = resolver->nfctx;
8583 UNLOCK(&resolver->nlock);
8588 dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
8589 dns_name_t *name, in_port_t port) {
8591 isc_result_t result;
8593 REQUIRE(VALID_RESOLVER(resolver));
8594 REQUIRE(!resolver->frozen);
8595 REQUIRE((alt == NULL) ^ (name == NULL));
8597 a = isc_mem_get(resolver->mctx, sizeof(*a));
8599 return (ISC_R_NOMEMORY);
8601 a->isaddress = ISC_TRUE;
8604 a->isaddress = ISC_FALSE;
8605 a->_u._n.port = port;
8606 dns_name_init(&a->_u._n.name, NULL);
8607 result = dns_name_dup(name, resolver->mctx, &a->_u._n.name);
8608 if (result != ISC_R_SUCCESS) {
8609 isc_mem_put(resolver->mctx, a, sizeof(*a));
8613 ISC_LINK_INIT(a, link);
8614 ISC_LIST_APPEND(resolver->alternates, a, link);
8616 return (ISC_R_SUCCESS);
8620 dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize) {
8621 REQUIRE(VALID_RESOLVER(resolver));
8622 resolver->udpsize = udpsize;
8626 dns_resolver_getudpsize(dns_resolver_t *resolver) {
8627 REQUIRE(VALID_RESOLVER(resolver));
8628 return (resolver->udpsize);
8632 dns_resolver_flushbadcache(dns_resolver_t *resolver, dns_name_t *name) {
8634 dns_badcache_t *bad, *prev, *next;
8636 REQUIRE(VALID_RESOLVER(resolver));
8638 LOCK(&resolver->lock);
8639 if (resolver->badcache == NULL)
8644 isc_result_t result;
8645 result = isc_time_now(&now);
8646 if (result != ISC_R_SUCCESS)
8647 isc_time_settoepoch(&now);
8648 i = dns_name_hash(name, ISC_FALSE) % resolver->badhash;
8650 for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
8653 n = isc_time_compare(&bad->expire, &now);
8654 if (n < 0 || dns_name_equal(name, &bad->name)) {
8656 resolver->badcache[i] = bad->next;
8658 prev->next = bad->next;
8659 isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
8661 resolver->badcount--;
8666 destroy_badcache(resolver);
8669 UNLOCK(&resolver->lock);
8674 resizehash(dns_resolver_t *resolver, isc_time_t *now, isc_boolean_t grow) {
8675 unsigned int newsize;
8676 dns_badcache_t **new, *bad, *next;
8680 newsize = resolver->badhash * 2 + 1;
8682 newsize = (resolver->badhash - 1) / 2;
8684 new = isc_mem_get(resolver->mctx,
8685 sizeof(*resolver->badcache) * newsize);
8688 memset(new, 0, sizeof(*resolver->badcache) * newsize);
8689 for (i = 0; i < resolver->badhash; i++) {
8690 for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
8692 if (isc_time_compare(&bad->expire, now) < 0) {
8693 isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
8695 resolver->badcount--;
8697 bad->next = new[bad->hashval % newsize];
8698 new[bad->hashval % newsize] = bad;
8702 isc_mem_put(resolver->mctx, resolver->badcache,
8703 sizeof(*resolver->badcache) * resolver->badhash);
8704 resolver->badhash = newsize;
8705 resolver->badcache = new;
8709 dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name,
8710 dns_rdatatype_t type, isc_time_t *expire)
8713 isc_result_t result = ISC_R_SUCCESS;
8714 unsigned int i, hashval;
8715 dns_badcache_t *bad, *prev, *next;
8717 REQUIRE(VALID_RESOLVER(resolver));
8719 LOCK(&resolver->lock);
8720 if (resolver->badcache == NULL) {
8721 resolver->badcache = isc_mem_get(resolver->mctx,
8722 sizeof(*resolver->badcache) *
8724 if (resolver->badcache == NULL)
8726 resolver->badhash = DNS_BADCACHE_SIZE;
8727 memset(resolver->badcache, 0, sizeof(*resolver->badcache) *
8731 result = isc_time_now(&now);
8732 if (result != ISC_R_SUCCESS)
8733 isc_time_settoepoch(&now);
8734 hashval = dns_name_hash(name, ISC_FALSE);
8735 i = hashval % resolver->badhash;
8737 for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
8739 if (bad->type == type && dns_name_equal(name, &bad->name))
8741 if (isc_time_compare(&bad->expire, &now) < 0) {
8743 resolver->badcache[i] = bad->next;
8745 prev->next = bad->next;
8746 isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
8748 resolver->badcount--;
8753 isc_buffer_t buffer;
8754 bad = isc_mem_get(resolver->mctx, sizeof(*bad) + name->length);
8758 bad->hashval = hashval;
8759 bad->expire = *expire;
8760 isc_buffer_init(&buffer, bad + 1, name->length);
8761 dns_name_init(&bad->name, NULL);
8762 dns_name_copy(name, &bad->name, &buffer);
8763 bad->next = resolver->badcache[i];
8764 resolver->badcache[i] = bad;
8765 resolver->badcount++;
8766 if (resolver->badcount > resolver->badhash * 8)
8767 resizehash(resolver, &now, ISC_TRUE);
8768 if (resolver->badcount < resolver->badhash * 2 &&
8769 resolver->badhash > DNS_BADCACHE_SIZE)
8770 resizehash(resolver, &now, ISC_FALSE);
8772 bad->expire = *expire;
8774 UNLOCK(&resolver->lock);
8778 dns_resolver_getbadcache(dns_resolver_t *resolver, dns_name_t *name,
8779 dns_rdatatype_t type, isc_time_t *now)
8781 dns_badcache_t *bad, *prev, *next;
8782 isc_boolean_t answer = ISC_FALSE;
8785 REQUIRE(VALID_RESOLVER(resolver));
8787 LOCK(&resolver->lock);
8788 if (resolver->badcache == NULL)
8791 i = dns_name_hash(name, ISC_FALSE) % resolver->badhash;
8793 for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
8796 * Search the hash list. Clean out expired records as we go.
8798 if (isc_time_compare(&bad->expire, now) < 0) {
8800 prev->next = bad->next;
8802 resolver->badcache[i] = bad->next;
8803 isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
8805 resolver->badcount--;
8808 if (bad->type == type && dns_name_equal(name, &bad->name)) {
8816 * Slow sweep to clean out stale records.
8818 i = resolver->badsweep++ % resolver->badhash;
8819 bad = resolver->badcache[i];
8820 if (bad != NULL && isc_time_compare(&bad->expire, now) < 0) {
8821 resolver->badcache[i] = bad->next;
8822 isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
8824 resolver->badcount--;
8828 UNLOCK(&resolver->lock);
8833 dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp) {
8834 char namebuf[DNS_NAME_FORMATSIZE];
8835 char typebuf[DNS_RDATATYPE_FORMATSIZE];
8836 dns_badcache_t *bad, *next, *prev;
8841 LOCK(&resolver->lock);
8842 fprintf(fp, ";\n; Bad cache\n;\n");
8844 if (resolver->badcache == NULL)
8848 for (i = 0; i < resolver->badhash; i++) {
8850 for (bad = resolver->badcache[i]; bad != NULL; bad = next) {
8852 if (isc_time_compare(&bad->expire, &now) < 0) {
8854 prev->next = bad->next;
8856 resolver->badcache[i] = bad->next;
8857 isc_mem_put(resolver->mctx, bad, sizeof(*bad) +
8859 resolver->badcount--;
8863 dns_name_format(&bad->name, namebuf, sizeof(namebuf));
8864 dns_rdatatype_format(bad->type, typebuf,
8866 t = isc_time_microdiff(&bad->expire, &now);
8868 fprintf(fp, "; %s/%s [ttl "
8869 "%" ISC_PLATFORM_QUADFORMAT "u]\n",
8870 namebuf, typebuf, t);
8875 UNLOCK(&resolver->lock);
8879 free_algorithm(void *node, void *arg) {
8880 unsigned char *algorithms = node;
8881 isc_mem_t *mctx = arg;
8883 isc_mem_put(mctx, algorithms, *algorithms);
8887 dns_resolver_reset_algorithms(dns_resolver_t *resolver) {
8889 REQUIRE(VALID_RESOLVER(resolver));
8892 RWLOCK(&resolver->alglock, isc_rwlocktype_write);
8894 if (resolver->algorithms != NULL)
8895 dns_rbt_destroy(&resolver->algorithms);
8897 RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
8902 dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
8905 unsigned int len, mask;
8907 unsigned char *algorithms;
8908 isc_result_t result;
8909 dns_rbtnode_t *node = NULL;
8911 REQUIRE(VALID_RESOLVER(resolver));
8913 return (ISC_R_RANGE);
8916 RWLOCK(&resolver->alglock, isc_rwlocktype_write);
8918 if (resolver->algorithms == NULL) {
8919 result = dns_rbt_create(resolver->mctx, free_algorithm,
8920 resolver->mctx, &resolver->algorithms);
8921 if (result != ISC_R_SUCCESS)
8926 mask = 1 << (alg%8);
8928 result = dns_rbt_addnode(resolver->algorithms, name, &node);
8930 if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
8931 algorithms = node->data;
8932 if (algorithms == NULL || len > *algorithms) {
8933 new = isc_mem_get(resolver->mctx, len);
8935 result = ISC_R_NOMEMORY;
8938 memset(new, 0, len);
8939 if (algorithms != NULL)
8940 memmove(new, algorithms, *algorithms);
8944 if (algorithms != NULL)
8945 isc_mem_put(resolver->mctx, algorithms,
8948 algorithms[len-1] |= mask;
8950 result = ISC_R_SUCCESS;
8953 RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
8959 dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
8962 unsigned int len, mask;
8963 unsigned char *algorithms;
8965 isc_result_t result;
8966 isc_boolean_t found = ISC_FALSE;
8968 REQUIRE(VALID_RESOLVER(resolver));
8971 * DH is unsupported for DNSKEYs, see RFC 4034 sec. A.1.
8973 if ((alg == DST_ALG_DH) || (alg == DST_ALG_INDIRECT))
8977 RWLOCK(&resolver->alglock, isc_rwlocktype_read);
8979 if (resolver->algorithms == NULL)
8981 result = dns_rbt_findname(resolver->algorithms, name, 0, NULL, &data);
8982 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
8984 mask = 1 << (alg%8);
8986 if (len <= *algorithms && (algorithms[len-1] & mask) != 0)
8991 RWUNLOCK(&resolver->alglock, isc_rwlocktype_read);
8996 return (dst_algorithm_supported(alg));
9000 dns_resolver_digest_supported(dns_resolver_t *resolver, unsigned int digest) {
9003 return (dns_ds_digest_supported(digest));
9007 dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {
9009 REQUIRE(VALID_RESOLVER(resolver));
9012 RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
9014 if (resolver->mustbesecure != NULL)
9015 dns_rbt_destroy(&resolver->mustbesecure);
9017 RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
9021 static isc_boolean_t yes = ISC_TRUE, no = ISC_FALSE;
9024 dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
9025 isc_boolean_t value)
9027 isc_result_t result;
9029 REQUIRE(VALID_RESOLVER(resolver));
9032 RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
9034 if (resolver->mustbesecure == NULL) {
9035 result = dns_rbt_create(resolver->mctx, NULL, NULL,
9036 &resolver->mustbesecure);
9037 if (result != ISC_R_SUCCESS)
9040 result = dns_rbt_addname(resolver->mustbesecure, name,
9041 value ? &yes : &no);
9044 RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
9050 dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name) {
9052 isc_boolean_t value = ISC_FALSE;
9053 isc_result_t result;
9055 REQUIRE(VALID_RESOLVER(resolver));
9058 RWLOCK(&resolver->mbslock, isc_rwlocktype_read);
9060 if (resolver->mustbesecure == NULL)
9062 result = dns_rbt_findname(resolver->mustbesecure, name, 0, NULL, &data);
9063 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
9064 value = *(isc_boolean_t*)data;
9067 RWUNLOCK(&resolver->mbslock, isc_rwlocktype_read);
9073 dns_resolver_getclientsperquery(dns_resolver_t *resolver, isc_uint32_t *cur,
9074 isc_uint32_t *min, isc_uint32_t *max)
9076 REQUIRE(VALID_RESOLVER(resolver));
9078 LOCK(&resolver->lock);
9080 *cur = resolver->spillat;
9082 *min = resolver->spillatmin;
9084 *max = resolver->spillatmax;
9085 UNLOCK(&resolver->lock);
9089 dns_resolver_setclientsperquery(dns_resolver_t *resolver, isc_uint32_t min,
9092 REQUIRE(VALID_RESOLVER(resolver));
9094 LOCK(&resolver->lock);
9095 resolver->spillatmin = resolver->spillat = min;
9096 resolver->spillatmax = max;
9097 UNLOCK(&resolver->lock);
9101 dns_resolver_getzeronosoattl(dns_resolver_t *resolver) {
9102 REQUIRE(VALID_RESOLVER(resolver));
9104 return (resolver->zero_no_soa_ttl);
9108 dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state) {
9109 REQUIRE(VALID_RESOLVER(resolver));
9111 resolver->zero_no_soa_ttl = state;
9115 dns_resolver_getoptions(dns_resolver_t *resolver) {
9116 REQUIRE(VALID_RESOLVER(resolver));
9118 return (resolver->options);
9122 dns_resolver_gettimeout(dns_resolver_t *resolver) {
9123 REQUIRE(VALID_RESOLVER(resolver));
9125 return (resolver->query_timeout);
9129 dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
9130 REQUIRE(VALID_RESOLVER(resolver));
9133 seconds = DEFAULT_QUERY_TIMEOUT;
9134 if (seconds > MAXIMUM_QUERY_TIMEOUT)
9135 seconds = MAXIMUM_QUERY_TIMEOUT;
9136 if (seconds < MINIMUM_QUERY_TIMEOUT)
9137 seconds = MINIMUM_QUERY_TIMEOUT;
9139 resolver->query_timeout = seconds;
9143 dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) {
9144 REQUIRE(VALID_RESOLVER(resolver));
9145 resolver->maxdepth = maxdepth;
9149 dns_resolver_getmaxdepth(dns_resolver_t *resolver) {
9150 REQUIRE(VALID_RESOLVER(resolver));
9151 return (resolver->maxdepth);
projects / FreeBSD / releng / 9.3.git / blob