Lines Matching refs:client
52 #include <named/client.h>
128 client_trace(ns_client_t *client, int level, const char *message) {
129 if (client != NULL && client->query.qname != NULL) {
133 dns_name_format(client->query.qname,
135 dns_rdatatype_format(client->query.qtype,
140 "query client=%p thread=0x%lx "
142 client,
150 "query client=%p thread=0x%lx "
152 client,
157 #define CTRACE(l,m) client_trace(client, l, m)
186 ns_client_t *client;
191 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
194 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
199 dns_dbversion_t *version, ns_client_t *client,
205 log_queryerror(ns_client_t *client, isc_result_t result, int line, int level);
208 rpz_st_clear(ns_client_t *client);
211 rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult,
218 inc_stats(ns_client_t *client, isc_statscounter_t counter) {
219 dns_zone_t *zone = client->query.authzone;
244 rdataset = ISC_LIST_HEAD(client->query.qname->list);
254 query_send(ns_client_t *client) {
257 if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0)
258 inc_stats(client, dns_nsstatscounter_nonauthans);
260 inc_stats(client, dns_nsstatscounter_authans);
262 if (client->message->rcode == dns_rcode_noerror) {
264 if (ISC_LIST_EMPTY(client->message->sections[answer])) {
265 if (client->query.isreferral)
271 } else if (client->message->rcode == dns_rcode_nxdomain)
273 else if (client->message->rcode == dns_rcode_badcookie)
278 inc_stats(client, counter);
279 ns_client_send(client);
283 query_error(ns_client_t *client, isc_result_t result, int line) {
289 inc_stats(client, dns_nsstatscounter_servfail);
292 inc_stats(client, dns_nsstatscounter_formerr);
295 inc_stats(client, dns_nsstatscounter_failure);
302 log_queryerror(client, result, line, loglevel);
304 ns_client_error(client, result);
308 query_next(ns_client_t *client, isc_result_t result) {
310 inc_stats(client, dns_nsstatscounter_duplicate);
312 inc_stats(client, dns_nsstatscounter_dropped);
314 inc_stats(client, dns_nsstatscounter_failure);
315 ns_client_next(client, result);
319 query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
323 for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
333 ISC_LIST_UNLINK(client->query.freeversions, dbversion,
335 isc_mem_put(client->mctx, dbversion,
342 ns_query_cancel(ns_client_t *client) {
343 REQUIRE(NS_CLIENT_VALID(client));
345 LOCK(&client->query.fetchlock);
346 if (client->query.fetch != NULL) {
347 dns_resolver_cancelfetch(client->query.fetch);
349 client->query.fetch = NULL;
351 UNLOCK(&client->query.fetchlock);
355 query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
362 dns_message_puttemprdataset(client->message, rdatasetp);
368 query_reset(ns_client_t *client, isc_boolean_t everything) {
375 * Reset the query state of a client to its default state.
381 ns_query_cancel(client);
386 for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
393 ISC_LIST_INITANDAPPEND(client->query.freeversions,
396 ISC_LIST_INIT(client->query.activeversions);
398 if (client->query.authdb != NULL)
399 dns_db_detach(&client->query.authdb);
400 if (client->query.authzone != NULL)
401 dns_zone_detach(&client->query.authzone);
403 if (client->query.dns64_aaaa != NULL)
404 query_putrdataset(client, &client->query.dns64_aaaa);
405 if (client->query.dns64_sigaaaa != NULL)
406 query_putrdataset(client, &client->query.dns64_sigaaaa);
407 if (client->query.dns64_aaaaok != NULL) {
408 isc_mem_put(client->mctx, client->query.dns64_aaaaok,
409 client->query.dns64_aaaaoklen *
411 client->query.dns64_aaaaok = NULL;
412 client->query.dns64_aaaaoklen = 0;
415 query_putrdataset(client, &client->query.redirect.rdataset);
416 query_putrdataset(client, &client->query.redirect.sigrdataset);
417 if (client->query.redirect.db != NULL) {
418 if (client->query.redirect.node != NULL)
419 dns_db_detachnode(client->query.redirect.db,
420 &client->query.redirect.node);
421 dns_db_detach(&client->query.redirect.db);
423 if (client->query.redirect.zone != NULL)
424 dns_zone_detach(&client->query.redirect.zone);
426 query_freefreeversions(client, everything);
428 for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
433 ISC_LIST_UNLINK(client->query.namebufs, dbuf, link);
438 if (client->query.restarts > 0) {
440 * client->query.qname was dynamically allocated.
442 dns_message_puttempname(client->message,
443 &client->query.qname);
445 client->query.qname = NULL;
446 client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
449 client->query.restarts = 0;
450 client->query.timerset = ISC_FALSE;
451 if (client->query.rpz_st != NULL) {
452 rpz_st_clear(client);
454 isc_mem_put(client->mctx, client->query.rpz_st,
455 sizeof(*client->query.rpz_st));
456 client->query.rpz_st = NULL;
459 client->query.origqname = NULL;
460 client->query.dboptions = 0;
461 client->query.fetchoptions = 0;
462 client->query.gluedb = NULL;
463 client->query.authdbset = ISC_FALSE;
464 client->query.isreferral = ISC_FALSE;
465 client->query.dns64_options = 0;
466 client->query.dns64_ttl = ISC_UINT32_MAX;
470 query_next_callback(ns_client_t *client) {
471 query_reset(client, ISC_FALSE);
475 ns_query_free(ns_client_t *client) {
476 REQUIRE(NS_CLIENT_VALID(client));
478 query_reset(client, ISC_TRUE);
482 query_newnamebuf(ns_client_t *client) {
492 result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
498 ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
505 query_getnamebuf(ns_client_t *client) {
516 if (ISC_LIST_EMPTY(client->query.namebufs)) {
517 result = query_newnamebuf(client);
525 dbuf = ISC_LIST_TAIL(client->query.namebufs);
529 result = query_newnamebuf(client);
536 dbuf = ISC_LIST_TAIL(client->query.namebufs);
545 query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
554 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0);
559 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
563 query_releasename(ns_client_t *client, dns_name_t **namep) {
574 INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
576 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
578 dns_message_puttempname(client->message, namep);
583 query_newname(ns_client_t *client, isc_buffer_t *dbuf,
590 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
594 result = dns_message_gettempname(client->message, &name);
604 client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
611 query_newrdataset(ns_client_t *client) {
617 result = dns_message_gettemprdataset(client->message, &rdataset);
630 query_newdbversion(ns_client_t *client, unsigned int n) {
635 dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
639 ISC_LIST_INITANDAPPEND(client->query.freeversions,
657 query_getdbversion(ns_client_t *client) {
661 if (ISC_LIST_EMPTY(client->query.freeversions)) {
662 result = query_newdbversion(client, 1);
666 dbversion = ISC_LIST_HEAD(client->query.freeversions);
668 ISC_LIST_UNLINK(client->query.freeversions, dbversion, link);
674 ns_query_init(ns_client_t *client) {
677 REQUIRE(NS_CLIENT_VALID(client));
679 ISC_LIST_INIT(client->query.namebufs);
680 ISC_LIST_INIT(client->query.activeversions);
681 ISC_LIST_INIT(client->query.freeversions);
682 client->query.restarts = 0;
683 client->query.timerset = ISC_FALSE;
684 client->query.rpz_st = NULL;
685 client->query.qname = NULL;
687 * This mutex is destroyed when the client is destroyed in
690 result = isc_mutex_init(&client->query.fetchlock);
693 client->query.fetch = NULL;
694 client->query.prefetch = NULL;
695 client->query.authdb = NULL;
696 client->query.authzone = NULL;
697 client->query.authdbset = ISC_FALSE;
698 client->query.isreferral = ISC_FALSE;
699 client->query.dns64_aaaa = NULL;
700 client->query.dns64_sigaaaa = NULL;
701 client->query.dns64_aaaaok = NULL;
702 client->query.dns64_aaaaoklen = 0;
703 client->query.redirect.db = NULL;
704 client->query.redirect.node = NULL;
705 client->query.redirect.zone = NULL;
706 client->query.redirect.qtype = dns_rdatatype_none;
707 client->query.redirect.result = ISC_R_SUCCESS;
708 client->query.redirect.rdataset = NULL;
709 client->query.redirect.sigrdataset = NULL;
710 client->query.redirect.authoritative = ISC_FALSE;
711 client->query.redirect.is_zone = ISC_FALSE;
712 dns_fixedname_init(&client->query.redirect.fixed);
713 client->query.redirect.fname =
714 dns_fixedname_name(&client->query.redirect.fixed);
715 query_reset(client, ISC_FALSE);
716 result = query_newdbversion(client, 3);
718 DESTROYLOCK(&client->query.fetchlock);
721 result = query_newnamebuf(client);
723 query_freefreeversions(client, ISC_TRUE);
724 DESTROYLOCK(&client->query.fetchlock);
731 query_findversion(ns_client_t *client, dns_db_t *db) {
739 for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
751 dbversion = query_getdbversion(client);
758 ISC_LIST_APPEND(client->query.activeversions,
766 query_validatezonedb(ns_client_t *client, dns_name_t *name,
784 if (!client->view->additionalfromauth &&
785 client->query.authdbset &&
786 db != client->query.authdb)
795 !RECURSIONOK(client)) {
810 dbversion = query_findversion(client, db);
826 queryacl = client->view->queryacl;
827 if ((client->query.attributes &
831 * NS_QUERYATTR_QUERYOK is set, then the client is
836 if ((client->query.attributes &
846 result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
852 client->view->rdclass,
854 ns_client_log(client,
862 client->view->rdclass,
864 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
870 if (queryacl == client->view->queryacl) {
877 client->query.attributes |= NS_QUERYATTR_QUERYOK;
883 client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
890 queryonacl = client->view->queryonacl;
892 result = ns_client_checkaclsilent(client, &client->destaddr,
896 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
916 query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
935 result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
946 result = query_validatezonedb(client, name, qtype, options, zone, db,
970 rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
1000 st = client->query.rpz_st;
1004 dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf));
1012 ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
1020 rpz_log_fail_helper(ns_client_t *client, int level, dns_name_t *p_name,
1054 dns_name_format(client->query.qname, qnamebuf, sizeof(qnamebuf));
1063 ns_client_log(client, NS_LOGCATEGORY_QUERY_ERRORS,
1072 rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name,
1075 rpz_log_fail_helper(client, level, p_name,
1083 rpz_getdb(ns_client_t *client, dns_name_t *p_name, dns_rpz_type_t rpz_type,
1093 result = query_getzonedb(client, p_name, dns_rdatatype_any,
1096 dns_rpz_st_t *st = client->query.rpz_st;
1105 dns_name_format(client->query.qname, qnamebuf,
1108 ns_client_log(client, DNS_LOGCATEGORY_RPZ,
1117 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type,
1123 query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
1134 * This may fail with DNS_R_REFUSED if the client
1138 if (!USECACHE(client))
1140 dns_db_attach(client->view->cachedb, &db);
1142 if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) != 0) {
1145 * NS_QUERYATTR_CACHEACLOK is set, then the client is
1150 if ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) == 0)
1163 result = ns_client_checkaclsilent(client, NULL,
1164 client->view->cacheacl,
1171 client->query.attributes |=
1177 client->view->rdclass,
1179 ns_client_log(client,
1187 client->view->rdclass, msg,
1189 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
1197 client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID;
1220 query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
1238 result = query_getzonedb(client, name, qtype, options, &zone,
1250 !ISC_LIST_EMPTY(client->view->dlz_searched)))
1257 dns_clientinfo_init(&ci, client, NULL);
1260 tresult = dns_view_searchdlz(client->view, name,
1284 dbversion = query_findversion(client, tdbp);
1311 result = query_getcachedb(client, name, qtype, dbp, options);
1318 query_isduplicate(ns_client_t *client, dns_name_t *name,
1330 result = dns_message_findname(client->message, section,
1359 ns_client_t *client = arg;
1375 REQUIRE(NS_CLIENT_VALID(client));
1378 if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
1400 dns_clientinfo_init(&ci, client, NULL);
1416 dbuf = query_getnamebuf(client);
1419 fname = query_newname(client, dbuf, &b);
1420 rdataset = query_newrdataset(client);
1423 if (WANTDNSSEC(client)) {
1424 sigrdataset = query_newrdataset(client);
1433 result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
1446 client->query.dboptions,
1447 client->now, &node, fname, &cm, &ci,
1471 result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
1474 * Most likely the client isn't allowed to query the cache.
1481 sigrdataset = query_newrdataset(client);
1486 client->query.dboptions |
1488 client->now, &node, fname, &cm, &ci,
1491 dns_cache_updatestats(client->view->cache, result);
1492 if (!WANTDNSSEC(client))
1493 query_putrdataset(client, &sigrdataset);
1518 * case (identified by client->query.gluedb being set).
1521 if (client->query.gluedb == NULL)
1527 if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
1530 dns_db_attach(client->query.gluedb, &db);
1534 client->query.dboptions | DNS_DBFIND_GLUEOK,
1535 client->now, &node, fname, &cm, &ci,
1547 query_keepname(client, fname, dbuf);
1555 !query_isduplicate(client, fname, type, &mname)) {
1558 query_releasename(client, &fname);
1594 rdataset = query_newrdataset(client);
1601 } else if (WANTDNSSEC(client)) {
1602 sigrdataset = query_newrdataset(client);
1606 if (query_isduplicate(client, fname, dns_rdatatype_a, NULL))
1610 client->now,
1628 !validate(client, db, fname, rdataset, sigrdataset))
1635 } else if (!query_isduplicate(client, fname,
1640 query_releasename(client,
1654 query_newrdataset(client);
1656 rdataset = query_newrdataset(client);
1659 if (WANTDNSSEC(client) && sigrdataset == NULL)
1669 if (query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
1673 client->now,
1690 (client->filter_aaaa == dns_aaaa_break_dnssec ||
1691 (client->filter_aaaa == dns_aaaa_filter &&
1692 (!WANTDNSSEC(client) || sigrdataset == NULL ||
1699 !validate(client, db, fname, rdataset, sigrdataset))
1706 } else if (!query_isduplicate(client, fname,
1711 query_releasename(client,
1745 dns_message_addname(client->message, fname,
1768 client);
1773 query_putrdataset(client, &rdataset);
1775 query_putrdataset(client, &sigrdataset);
1777 query_releasename(client, &fname);
1790 query_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base,
1800 query_putrdataset(client, &rdataset);
1810 (void)dns_rdataset_putadditional(client->view->acache, rdataset_base,
1845 ns_client_t *client;
1866 client = additionalctx->client;
1867 REQUIRE(NS_CLIENT_VALID(client));
1869 if (qtype != dns_rdatatype_a || client->view->acache == NULL) {
1875 return (query_addadditional(additionalctx->client,
1901 dns_clientinfo_init(&ci, client, NULL);
1919 dbuf = query_getnamebuf(client);
1922 fname = query_newname(client, dbuf, &b);
1929 type, client->view->acache, &zone,
1931 client->message, client->now);
1945 query_discardcache(client, rdataset_base, additionaltype,
1965 result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG,
1968 query_discardcache(client, rdataset_base, additionaltype,
1981 query_keepname(client, fname, dbuf);
1989 result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
1994 type, client->view->acache,
2009 client->query.dboptions,
2010 client->now, &node, fname, &cm, &ci,
2017 type, client->view->acache, zone, db,
2031 result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
2034 * Most likely the client isn't allowed to query the cache.
2039 client->query.dboptions |
2041 client->now, &node, fname, &cm, &ci,
2063 * case (identified by client->query.gluedb being set).
2065 if (client->query.gluedb == NULL)
2071 if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
2077 type, client->view->acache, NULL,
2079 client->message, client->now);
2083 result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
2087 query_discardcache(client, rdataset_base, additionaltype,
2108 query_keepname(client, fname, dbuf);
2112 dns_db_attach(client->query.gluedb, &db);
2114 client->query.dboptions | DNS_DBFIND_GLUEOK,
2115 client->now, &node, fname, &cm, &ci,
2122 type, client->view->acache,
2136 query_keepname(client, fname, dbuf);
2139 rdataset = query_newrdataset(client);
2143 sigrdataset = query_newrdataset(client);
2148 query_isduplicate(client, fname, dns_rdatatype_a, NULL))
2152 * for a client using DNSSEC, we'll continue the process to make a
2158 client->now, rdataset, sigrdataset);
2167 !validate(client, db, fname, rdataset, sigrdataset)) {
2185 sigrdataset = query_newrdataset(client);
2187 rdataset = query_newrdataset(client);
2196 query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
2200 0, client->now, rdataset, sigrdataset);
2209 !validate(client, db, fname, rdataset, sigrdataset)) {
2233 type, client->view->acache,
2251 if (!query_isduplicate(client, fname, crdataset->type,
2265 query_releasename(client, &fname);
2278 need_sigrrset && WANTDNSSEC(client)) {
2300 dns_message_addname(client->message, fname,
2308 query_putrdataset(client, &rdataset);
2310 query_putrdataset(client, &sigrdataset);
2313 query_putrdataset(client, &crdataset);
2316 query_releasename(client, &fname);
2329 query_addrdataset(ns_client_t *client, dns_name_t *fname,
2336 * 'fname', a name in the response message for 'client'.
2343 if (client->view->order != NULL)
2344 rdataset->attributes |= dns_order_find(client->view->order,
2349 if (NOADDITIONAL(client))
2357 additionalctx.client = client;
2365 query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset,
2378 dns_view_t *view = client->view;
2384 * To the current response for 'client', add the answer RRset
2401 result = dns_message_findname(client->message, section,
2413 query_releasename(client, namep);
2420 query_keepname(client, name, dbuf);
2421 dns_message_addname(client->message, name, section);
2427 query_releasename(client, namep);
2433 client->query.attributes &= ~NS_QUERYATTR_SECURE;
2435 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
2437 result = isc_buffer_allocate(client->mctx, &buffer, view->dns64cnt *
2441 result = dns_message_gettemprdataset(client->message, &dns64_rdataset);
2444 result = dns_message_gettemprdatalist(client->message,
2452 if (client->query.dns64_ttl != ISC_UINT32_MAX)
2454 client->query.dns64_ttl);
2458 if (RECURSIONOK(client))
2471 for (dns64 = ISC_LIST_HEAD(client->view->dns64);
2478 client->signer,
2488 result = dns_message_gettemprdata(client->message,
2511 client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
2513 query_addrdataset(client, mname, dns64_rdataset);
2516 dns_message_takebuffer(client->message, &buffer);
2517 inc_stats(client, dns_nsstatscounter_dns64);
2525 dns_message_puttemprdata(client->message, &dns64_rdata);
2528 dns_message_puttemprdataset(client->message, &dns64_rdataset);
2537 dns_message_puttemprdata(client->message, &dns64_rdata);
2539 dns_message_puttemprdatalist(client->message, &dns64_rdatalist);
2547 query_filter64(ns_client_t *client, dns_name_t **namep,
2563 INSIST(client->query.dns64_aaaaok != NULL);
2564 INSIST(client->query.dns64_aaaaoklen == dns_rdataset_count(rdataset));
2572 result = dns_message_findname(client->message, section,
2584 query_releasename(client, namep);
2592 query_releasename(client, namep);
2599 client->query.attributes &= ~NS_QUERYATTR_SECURE;
2601 result = isc_buffer_allocate(client->mctx, &buffer,
2605 result = dns_message_gettemprdataset(client->message, &myrdataset);
2608 result = dns_message_gettemprdatalist(client->message, &myrdatalist);
2621 if (!client->query.dns64_aaaaok[i++])
2628 result = dns_message_gettemprdata(client->message, &myrdata);
2645 client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
2648 query_keepname(client, name, dbuf);
2649 dns_message_addname(client->message, name, section);
2653 query_addrdataset(client, mname, myrdataset);
2656 dns_message_takebuffer(client->message, &buffer);
2663 dns_message_puttemprdata(client->message, &myrdata);
2666 dns_message_puttemprdataset(client->message, &myrdataset);
2674 dns_message_puttemprdata(client->message, &myrdata);
2676 dns_message_puttemprdatalist(client->message, &myrdatalist);
2679 query_releasename(client, &name);
2685 query_addrrset(ns_client_t *client, dns_name_t **namep,
2694 * To the current response for 'client', add the answer RRset
2712 result = dns_message_findname(client->message, section,
2722 query_releasename(client, namep);
2731 query_keepname(client, name, dbuf);
2732 dns_message_addname(client->message, name, section);
2738 query_releasename(client, namep);
2744 client->query.attributes &= ~NS_QUERYATTR_SECURE;
2750 query_addrdataset(client, mname, rdataset);
2763 query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
2785 dns_clientinfo_init(&ci, client, NULL);
2790 if (ns_g_nosoa && (!WANTDNSSEC(client) || !isassociated))
2796 result = dns_message_gettempname(client->message, &name);
2801 rdataset = query_newrdataset(client);
2807 if (WANTDNSSEC(client) && dns_db_issecure(db)) {
2808 sigrdataset = query_newrdataset(client);
2822 dns_rdatatype_soa, 0, client->now,
2832 client->query.dboptions, 0, &node,
2878 query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
2883 query_putrdataset(client, &rdataset);
2885 query_putrdataset(client, &sigrdataset);
2887 query_releasename(client, &name);
2895 query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
2916 dns_clientinfo_init(&ci, client, NULL);
2921 result = dns_message_gettempname(client->message, &name);
2929 rdataset = query_newrdataset(client);
2936 if (WANTDNSSEC(client) && dns_db_issecure(db)) {
2937 sigrdataset = query_newrdataset(client);
2952 dns_rdatatype_ns, 0, client->now,
2957 client->query.dboptions, 0, &node,
2975 query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
2981 query_putrdataset(client, &rdataset);
2983 query_putrdataset(client, &sigrdataset);
2985 query_releasename(client, &name);
2994 query_add_cname(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
3009 result = dns_message_gettempname(client->message, &aname);
3012 result = dns_name_dup(qname, client->mctx, aname);
3014 dns_message_puttempname(client->message, &aname);
3019 result = dns_message_gettemprdatalist(client->message, &rdatalist);
3021 dns_message_puttempname(client->message, &aname);
3025 result = dns_message_gettemprdata(client->message, &rdata);
3027 dns_message_puttempname(client->message, &aname);
3028 dns_message_puttemprdatalist(client->message, &rdatalist);
3032 result = dns_message_gettemprdataset(client->message, &rdataset);
3034 dns_message_puttempname(client->message, &aname);
3035 dns_message_puttemprdatalist(client->message, &rdatalist);
3036 dns_message_puttemprdata(client->message, &rdata);
3040 rdatalist->rdclass = client->message->rdclass;
3046 rdata->rdclass = client->message->rdclass;
3055 query_addrrset(client, &aname, &rdataset, NULL, NULL,
3060 dns_message_puttemprdataset(client->message, &rdataset);
3063 dns_message_puttempname(client->message, &aname);
3073 mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
3086 dns_clientinfo_init(&ci, client, NULL);
3097 client->view->acceptexpired);
3099 (void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
3101 (void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset,
3113 get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig,
3123 dns_clientinfo_init(&ci, client, NULL);
3133 client->now, keyrdataset, NULL);
3154 client->mctx, keyp);
3170 dns_rdata_t *rdata, ns_client_t *client)
3180 client->view->maxbits, client->mctx,
3182 if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) {
3195 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
3216 if (!dns_resolver_algorithm_supported(client->view->resolver,
3223 if (!get_key(client, db, &rrsig, &keyrdataset, &key))
3225 if (verify(key, name, rdataset, &rdata, client)) {
3228 mark_secure(client, db, name, &rrsig,
3241 query_addbestns(ns_client_t *client) {
3271 dns_clientinfo_init(&ci, client, NULL);
3276 result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0,
3285 dbuf = query_getnamebuf(client);
3288 fname = query_newname(client, dbuf, &b);
3289 rdataset = query_newrdataset(client);
3293 * Get the RRSIGs if the client requested them or if we may
3296 if (WANTDNSSEC(client) || !is_zone) {
3297 sigrdataset = query_newrdataset(client);
3306 result = dns_db_findext(db, client->query.qname, version,
3308 client->query.dboptions,
3309 client->now, &node, fname,
3313 if (USECACHE(client)) {
3314 query_keepname(client, fname, dbuf);
3321 dns_db_attach(client->view->cachedb, &db);
3326 result = dns_db_findzonecut(db, client->query.qname,
3327 client->query.dboptions,
3328 client->now, &node, fname,
3350 query_releasename(client, &fname);
3358 query_putrdataset(client, &rdataset);
3360 query_putrdataset(client, &sigrdataset);
3377 && !validate(client, db, fname, rdataset, sigrdataset) &&
3378 !PENDINGOK(client->query.dboptions))
3383 !validate(client, db, fname, rdataset, sigrdataset) &&
3384 SECURE(client) && WANTDNSSEC(client))
3389 * when the client may be looking for AD in the response.
3391 if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) &&
3397 * If the client doesn't want DNSSEC we can discard the sigrdataset
3400 if (!WANTDNSSEC(client))
3401 query_putrdataset(client, &sigrdataset);
3402 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
3407 query_putrdataset(client, &rdataset);
3409 query_putrdataset(client, &sigrdataset);
3411 query_releasename(client, &fname);
3419 query_putrdataset(client, &zrdataset);
3421 query_putrdataset(client, &zsigrdataset);
3423 query_releasename(client, &zfname);
3429 fixrdataset(ns_client_t *client, dns_rdataset_t **rdataset) {
3431 *rdataset = query_newrdataset(client);
3437 fixfname(ns_client_t *client, dns_name_t **fname, isc_buffer_t **dbuf,
3441 *dbuf = query_getnamebuf(client);
3444 *fname = query_newname(client, *dbuf, nbuf);
3449 query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
3468 rdataset = query_newrdataset(client);
3469 sigrdataset = query_newrdataset(client);
3477 client->now, rdataset, sigrdataset);
3483 dns_rdatatype_nsec, 0, client->now,
3496 result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY);
3501 dns_message_currentname(client->message, DNS_SECTION_AUTHORITY,
3519 dbuf = query_getnamebuf(client);
3522 fname = query_newname(client, dbuf, &b);
3528 query_findclosestnsec3(name, db, version, client, rdataset,
3533 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
3544 fixfname(client, &fname, &dbuf, &b);
3545 fixrdataset(client, &rdataset);
3546 fixrdataset(client, &sigrdataset);
3550 client, rdataset, sigrdataset, fname,
3554 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
3560 query_putrdataset(client, &rdataset);
3562 query_putrdataset(client, &sigrdataset);
3564 query_releasename(client, &fname);
3568 query_addwildcardproof(ns_client_t *client, dns_db_t *db,
3597 dns_clientinfo_init(&ci, client, NULL);
3641 options = client->query.dboptions | DNS_DBFIND_NOWILD;
3649 dbuf = query_getnamebuf(client);
3652 fname = query_newname(client, dbuf, &b);
3653 rdataset = query_newrdataset(client);
3654 sigrdataset = query_newrdataset(client);
3690 query_findclosestnsec3(cname, db, version, client, rdataset,
3695 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3702 dbuf = query_getnamebuf(client);
3705 fname = query_newname(client, dbuf, &b);
3709 rdataset = query_newrdataset(client);
3714 sigrdataset = query_newrdataset(client);
3729 query_findclosestnsec3(wname, db, version, client, rdataset,
3733 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3743 dbuf = query_getnamebuf(client);
3746 fname = query_newname(client, dbuf, &b);
3750 rdataset = query_newrdataset(client);
3755 sigrdataset = query_newrdataset(client);
3769 query_findclosestnsec3(wname, db, version, client, rdataset,
3773 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3806 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3810 query_putrdataset(client, &rdataset);
3812 query_putrdataset(client, &sigrdataset);
3814 query_releasename(client, &fname);
3824 query_putrdataset(client, &rdataset);
3826 query_putrdataset(client, &sigrdataset);
3828 query_releasename(client, &fname);
3832 query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db,
3847 query_addrrset(client, namep, rdatasetp, sigrdatasetp,
3872 query_addwildcardproof(client, db, version, client->query.qname,
3878 dbuf = query_getnamebuf(client);
3881 fname = query_newname(client, dbuf, &b);
3888 query_addrrset(client, &fname, rdatasetp, sigrdatasetp,
3893 free_devent(ns_client_t *client, isc_event_t **eventp,
3907 query_putrdataset(client, &devent->rdataset);
3909 query_putrdataset(client, &devent->sigrdataset);
3923 ns_client_t *client;
3936 client = devent->ev_arg;
3937 REQUIRE(NS_CLIENT_VALID(client));
3938 REQUIRE(task == client->task);
3939 REQUIRE(RECURSING(client));
3941 LOCK(&client->query.fetchlock);
3942 if (client->query.fetch != NULL) {
3946 INSIST(devent->fetch == client->query.fetch);
3947 client->query.fetch = NULL;
3950 * Update client->now.
3952 isc_stdtime_get(&client->now);
3960 UNLOCK(&client->query.fetchlock);
3961 INSIST(client->query.fetch == NULL);
3963 client->query.attributes &= ~NS_QUERYATTR_RECURSING;
3967 * If this client is shutting down, or this transaction
3970 client_shuttingdown = ns_client_shuttingdown(client);
3972 free_devent(client, &event, &devent);
3975 query_error(client, DNS_R_SERVFAIL, __LINE__);
3977 query_next(client, ISC_R_CANCELED);
3979 * This may destroy the client.
3981 ns_client_detach(&client);
3983 result = query_find(client, devent, 0);
4004 ns_client_t *client;
4009 client = devent->ev_arg;
4010 REQUIRE(NS_CLIENT_VALID(client));
4011 REQUIRE(task == client->task);
4013 LOCK(&client->query.fetchlock);
4014 if (client->query.prefetch != NULL) {
4015 INSIST(devent->fetch == client->query.prefetch);
4016 client->query.prefetch = NULL;
4018 UNLOCK(&client->query.fetchlock);
4019 free_devent(client, &event, &devent);
4020 ns_client_detach(&client);
4024 query_prefetch(ns_client_t *client, dns_name_t *qname,
4033 if (client->query.prefetch != NULL ||
4034 client->view->prefetch_trigger == 0U ||
4035 rdataset->ttl > client->view->prefetch_trigger ||
4039 if (client->recursionquota == NULL) {
4041 &client->recursionquota);
4042 if (result == ISC_R_SUCCESS && !client->mortal && !TCP(client))
4043 result = ns_client_replace(client);
4050 tmprdataset = query_newrdataset(client);
4053 if (!TCP(client))
4054 peeraddr = &client->peeraddr;
4057 ns_client_attach(client, &dummy);
4058 options = client->query.fetchoptions | DNS_FETCHOPT_PREFETCH;
4059 result = dns_resolver_createfetch3(client->view->resolver,
4061 NULL, peeraddr, client->message->id,
4062 options, 0, NULL, client->task,
4063 prefetch_done, client,
4065 &client->query.prefetch);
4067 query_putrdataset(client, &tmprdataset);
4074 query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
4083 inc_stats(client, dns_nsstatscounter_recursion);
4086 * We are about to recurse, which means that this client will
4088 * amount of time. If this client is currently responsible
4089 * for handling incoming queries, set up a new client
4095 if (client->recursionquota == NULL) {
4097 &client->recursionquota);
4108 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
4114 client->recursionquota->used,
4115 client->recursionquota->soft,
4116 client->recursionquota->max);
4118 ns_client_killoldestquery(client);
4126 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
4136 ns_client_killoldestquery(client);
4138 if (result == ISC_R_SUCCESS && !client->mortal &&
4139 !TCP(client)) {
4140 result = ns_client_replace(client);
4142 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
4147 isc_quota_detach(&client->recursionquota);
4154 ns_client_recursing(client);
4161 REQUIRE(client->query.fetch == NULL);
4163 rdataset = query_newrdataset(client);
4166 if (WANTDNSSEC(client)) {
4167 sigrdataset = query_newrdataset(client);
4169 query_putrdataset(client, &rdataset);
4175 if (client->query.timerset == ISC_FALSE)
4176 ns_client_settimeout(client, 60);
4177 if (!TCP(client))
4178 peeraddr = &client->peeraddr;
4181 result = dns_resolver_createfetch3(client->view->resolver,
4183 NULL, peeraddr, client->message->id,
4184 client->query.fetchoptions, 0, NULL,
4185 client->task, query_resume, client,
4187 &client->query.fetch);
4191 * Record that we're waiting for an event. A client which
4196 query_putrdataset(client, &rdataset);
4198 query_putrdataset(client, &sigrdataset);
4228 rpz_ready(ns_client_t *client, dns_rdataset_t **rdatasetp) {
4234 *rdatasetp = query_newrdataset(client);
4247 rpz_st_clear(ns_client_t *client) {
4248 dns_rpz_st_t *st = client->query.rpz_st;
4253 query_putrdataset(client, &st->m.rdataset);
4258 query_putrdataset(client, &st->r.ns_rdataset);
4260 query_putrdataset(client, &st->r.r_rdataset);
4264 query_putrdataset(client, &st->q.rdataset);
4266 query_putrdataset(client, &st->q.sigrdataset);
4273 rpz_get_zbits(ns_client_t *client,
4279 REQUIRE(client != NULL);
4280 REQUIRE(client->query.rpz_st != NULL);
4282 st = client->query.rpz_st;
4334 * If the client wants recursion, allow only compatible policies.
4336 if (!RECURSIONOK(client))
4343 query_rpzfetch(ns_client_t *client, dns_name_t *qname, dns_rdatatype_t type) {
4350 if (client->query.prefetch != NULL)
4353 if (client->recursionquota == NULL) {
4355 &client->recursionquota);
4356 if (result == ISC_R_SUCCESS && !client->mortal && !TCP(client))
4357 result = ns_client_replace(client);
4364 tmprdataset = query_newrdataset(client);
4367 if (!TCP(client))
4368 peeraddr = &client->peeraddr;
4371 ns_client_attach(client, &dummy);
4372 options = client->query.fetchoptions;
4373 result = dns_resolver_createfetch3(client->view->resolver, qname, type,
4375 client->message->id, options, 0,
4376 NULL, client->task, prefetch_done,
4377 client, tmprdataset, NULL,
4378 &client->query.prefetch);
4380 query_putrdataset(client, &tmprdataset);
4386 * Get an NS, A, or AAAA rrset related to the response for the client
4390 rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
4406 st = client->query.rpz_st;
4415 query_putrdataset(client, rdatasetp);
4420 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name,
4428 result = rpz_ready(client, rdatasetp);
4440 result = query_getdb(client, name, type, 0, &zone, dbp,
4443 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name,
4458 dns_clientinfo_init(&ci, client, NULL);
4460 client->now, &node, found,
4462 if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) {
4469 dns_db_attach(client->view->cachedb, dbp);
4471 0, client->now, &node, found,
4483 } else if (!client->view->rpzs->p.nsip_wait_recurse) {
4484 query_rpzfetch(client, name, type);
4488 result = query_recurse(client, type, st->r_name,
4504 rpz_get_p_name(ns_client_t *client, dns_name_t *p_name,
4559 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, suffix,
4567 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, suffix,
4577 * The self-name (usually the client qname or an NS name) is compared with
4584 * If it is best, the caller records it in client->query.rpz_st->m.
4587 rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype,
4604 dns_clientinfo_init(&ci, client, NULL);
4611 result = rpz_ready(client, rdatasetp);
4617 result = rpz_getdb(client, p_name, rpz_type, zonep, dbp, versionp);
4624 client->now, nodep, found, &cm, &ci,
4636 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name,
4654 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
4674 qtype, 0, client->now,
4711 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type,
4757 rpz_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr,
4784 rpzs = client->view->rpzs;
4785 st = client->query.rpz_st;
4815 result = rpz_get_p_name(client, p_name, rpz, rpz_type, ip_name);
4818 result = rpz_find_p(client, ip_name, qtype,
4847 * client-IP over QNAME over IP over NSDNAME over NSIP,
4883 rpz_log_rewrite(client, ISC_TRUE, policy, rpz_type,
4897 rpz_rewrite_ip_rrset(ns_client_t *client,
4912 zbits = rpz_get_zbits(client, ip_type, rpz_type);
4919 result = rpz_rrset_find(client, name, ip_type, rpz_type, ip_dbp,
4940 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name, rpz_type,
4944 if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
4945 client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR;
4946 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name,
4979 result = rpz_rewrite_ip(client, &netaddr, qtype, rpz_type,
4993 rpz_rewrite_ip_rrsets(ns_client_t *client, dns_name_t *name,
5005 st = client->query.rpz_st;
5017 result = rpz_rewrite_ip_rrset(client, name, qtype,
5034 result = rpz_rewrite_ip_rrset(client, name, qtype,
5041 query_putrdataset(client, &p_rdataset);
5049 * in client->query.rpz_st.
5053 rpz_rewrite_name(ns_client_t *client, dns_name_t *trig_name,
5073 zbits = rpz_get_zbits(client, qtype, rpz_type);
5078 rpzs = client->view->rpzs;
5097 st = client->query.rpz_st;
5127 result = rpz_get_p_name(client, p_name, rpz, rpz_type,
5131 result = rpz_find_p(client, trig_name, qtype, p_name,
5155 * client-IP over QNAME over IP over NSDNAME over NSIP,
5218 rpz_log_rewrite(client, ISC_TRUE, policy, rpz_type,
5229 rpz_rewrite_ns_skip(ns_client_t *client, dns_name_t *nsname,
5236 st = client->query.rpz_st;
5239 rpz_log_fail_helper(client, level, nsname,
5262 rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
5280 rpzs = client->view->rpzs;
5281 st = client->query.rpz_st;
5289 (!RECURSIONOK(client) && rpzs->p.no_rd_ok == 0) ||
5290 !rpz_ck_dnssec(client, qresult, ordataset, osigset))
5301 st = isc_mem_get(client->mctx, sizeof(*st));
5323 client->query.rpz_st = st;
5352 if (RECURSIONOK(client))
5360 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, client->query.qname,
5365 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, client->query.qname,
5393 * Check once for triggers for the client IP address.
5396 zbits = rpz_get_zbits(client, dns_rdatatype_none,
5401 &client->peeraddr);
5402 result = rpz_rewrite_ip(client, &netaddr, qtype,
5416 result = rpz_rewrite_name(client, client->query.qname,
5426 st->r.label = dns_name_countlabels(client->query.qname);
5434 * client-IP trigger before recursion.
5463 rpz_get_zbits(client, qtype, DNS_RPZ_TYPE_IP) != 0) {
5464 result = rpz_rewrite_ip_rrsets(client,
5465 client->query.qname, qtype,
5482 if (rpz_get_zbits(client, dns_rdatatype_any,
5484 rpz_get_zbits(client, dns_rdatatype_any,
5491 dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
5496 if (st->r.label == dns_name_countlabels(client->query.qname)) {
5497 nsname = client->query.qname;
5500 dns_name_split(client->query.qname, st->r.label,
5507 result = rpz_rrset_find(client, nsname,
5537 rpz_rewrite_ns_skip(client, nsname, result,
5543 rpz_rewrite_ns_skip(client, nsname, result,
5548 rpz_rewrite_ns_skip(client, nsname, result,
5566 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
5585 result = rpz_rewrite_name(client, &ns.name,
5599 result = rpz_rewrite_ip_rrsets(client, &ns.name, qtype,
5612 if (rpz_get_zbits(client, dns_rdatatype_any,
5614 rpz_get_zbits(client, dns_rdatatype_any,
5634 rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
5644 query_putrdataset(client, &rdataset);
5653 * by the client in DNSSEC or a lack of signatures.
5656 rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult,
5667 if (client->view->rpzs->p.break_dnssec || !WANTDNSSEC(client))
5724 rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
5736 dns_name_split(client->query.qname, 1,
5745 client->message->rcode = dns_rcode_yxdomain;
5752 query_keepname(client, fname, dbuf);
5753 result = query_add_cname(client, client->query.qname,
5757 rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
5760 ns_client_qnamereplace(client, fname);
5765 client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
5844 * Find the sortlist statement that applies to 'client' and set up
5845 * the sortlist info in in client->message appropriately.
5848 setup_query_sortlist(ns_client_t *client) {
5853 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
5854 switch (ns_sortlist_setup(client->view->sortlist,
5869 dns_message_setsortorder(client->message, order, order_arg);
5873 query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
5885 dbuf = query_getnamebuf(client);
5888 fname = query_newname(client, dbuf, &b);
5889 neg = query_newrdataset(client);
5890 negsig = query_newrdataset(client);
5897 query_addrrset(client, &fname, &neg, &negsig, dbuf,
5904 dbuf = query_getnamebuf(client);
5907 fname = query_newname(client, dbuf, &b);
5910 neg = query_newrdataset(client);
5914 negsig = query_newrdataset(client);
5922 query_addrrset(client, &fname, &neg, &negsig, dbuf,
5927 query_putrdataset(client, &neg);
5929 query_putrdataset(client, &negsig);
5931 query_releasename(client, &fname);
5935 answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) {
5941 msg = client->message;
5945 if (dns_name_equal(name, client->query.qname)) {
6021 warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
6047 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
6061 dns_dbversion_t *version, ns_client_t *client,
6091 dns_clientinfo_init(&ci, client, NULL);
6107 dboptions = client->query.dboptions | DNS_DBFIND_FORCENSEC3;
6109 dns_rdatatype_nsec3, dboptions, client->now,
6131 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
6137 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
6145 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
6159 is_v4_client(ns_client_t *client) {
6160 if (isc_sockaddr_pf(&client->peeraddr) == AF_INET)
6162 if (isc_sockaddr_pf(&client->peeraddr) == AF_INET6 &&
6163 IN6_IS_ADDR_V4MAPPED(&client->peeraddr.type.sin6.sin6_addr))
6169 is_v6_client(ns_client_t *client) {
6170 if (isc_sockaddr_pf(&client->peeraddr) == AF_INET6 &&
6171 !IN6_IS_ADDR_V4MAPPED(&client->peeraddr.type.sin6.sin6_addr))
6214 dns64_aaaaok(ns_client_t *client, dns_rdataset_t *rdataset,
6218 dns_dns64_t *dns64 = ISC_LIST_HEAD(client->view->dns64);
6223 INSIST(client->query.dns64_aaaaok == NULL);
6224 INSIST(client->query.dns64_aaaaoklen == 0);
6225 INSIST(client->query.dns64_aaaa == NULL);
6226 INSIST(client->query.dns64_sigaaaa == NULL);
6231 if (RECURSIONOK(client))
6238 aaaaok = isc_mem_get(client->mctx, sizeof(isc_boolean_t) * count);
6240 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
6241 if (dns_dns64_aaaaok(dns64, &netaddr, client->signer,
6246 SAVE(client->query.dns64_aaaaok, aaaaok);
6247 client->query.dns64_aaaaoklen = count;
6252 isc_mem_put(client->mctx, aaaaok,
6257 isc_mem_put(client->mctx, aaaaok,
6267 * Only perform the update if the client is in the allow query acl and
6271 redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
6288 if (client->view->redirect == NULL)
6296 dns_clientinfo_init(&ci, client, NULL);
6298 if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))
6301 if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) {
6323 result = ns_client_checkaclsilent(client, NULL,
6324 dns_zone_getqueryacl(client->view->redirect),
6329 result = dns_zone_getdb(client->view->redirect, &db);
6333 dbversion = query_findversion(client, db);
6342 result = dns_db_findext(db, client->query.qname, dbversion->version,
6343 qtype, DNS_DBFIND_NOZONECUT, client->now,
6378 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
6385 redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
6406 if (client->view->redirectzone == NULL)
6409 if (dns_name_issubdomain(name, client->view->redirectzone))
6417 dns_clientinfo_init(&ci, client, NULL);
6419 if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))
6422 if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) {
6453 client->view->redirectzone,
6458 dns_name_copy(redirectname, client->view->redirectzone, NULL);
6461 result = query_getdb(client, redirectname, qtype, options, &zone,
6472 qtype, 0, client->now,
6492 if (!REDIRECT(client)) {
6493 result = query_recurse(client, qtype, redirectname,
6496 client->query.attributes |=
6498 client->query.attributes |=
6517 dns_name_split(found, dns_name_countlabels(client->view->redirectzone),
6543 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
6550 * Do the bulk of query processing for the current query of 'client'.
6555 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
6637 dns_clientinfo_init(&ci, client, NULL);
6640 if (client->query.origqname != NULL)
6641 dns_name_format(client->query.origqname, qbuf,
6647 "client attr:0x%x, query attr:0x%X, restarts:%d, "
6649 client->attributes,
6650 client->query.attributes,
6651 client->query.restarts, qbuf,
6652 (int) client->query.timerset,
6653 (int) client->query.authdbset,
6654 (int) client->query.isreferral);
6665 rpz_st = client->query.rpz_st;
6708 query_putrdataset(client, &event->sigrdataset);
6709 } else if (REDIRECT(client)) {
6716 dns_name_format(client->query.redirect.fname,
6718 dns_rdatatype_format(client->query.redirect.qtype,
6723 client->query.redirect.authoritative);
6726 qtype = client->query.redirect.qtype;
6727 INSIST(client->query.redirect.rdataset != NULL);
6728 RESTORE(rdataset, client->query.redirect.rdataset);
6730 client->query.redirect.sigrdataset);
6731 RESTORE(db, client->query.redirect.db);
6732 RESTORE(node, client->query.redirect.node);
6733 RESTORE(zone, client->query.redirect.zone);
6734 authoritative = client->query.redirect.authoritative;
6735 is_zone = client->query.redirect.is_zone;
6740 query_putrdataset(client, &event->rdataset);
6741 query_putrdataset(client, &event->sigrdataset);
6764 if (DNS64(client)) {
6765 client->query.attributes &= ~NS_QUERYATTR_DNS64;
6768 if (DNS64EXCLUDE(client)) {
6769 client->query.attributes &= ~NS_QUERYATTR_DNS64EXCLUDE;
6779 if (rpz_st->rpz_ver != client->view->rpzs->rpz_ver) {
6780 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
6786 client->view->rpzs->rpz_ver,
6796 dbuf = query_getnamebuf(client);
6803 fname = query_newname(client, dbuf, &b);
6813 } else if (REDIRECT(client)) {
6814 tname = client->query.redirect.fname;
6829 free_devent(client, ISC_EVENT_PTR(&event), &event);
6830 } else if (REDIRECT(client)) {
6831 result = client->query.redirect.result;
6832 is_zone = client->query.redirect.is_zone;
6848 if (RECURSIONOK(client)) {
6854 failcache = dns_badcache_find(client->view->failcache,
6855 client->query.qname, qtype,
6856 &flags, &client->tnow);
6859 failcache = dns_badcache_find(client->view->failcache,
6860 client->query.qname, qtype,
6861 &flags, &client->tnow);
6865 ((client->message->flags & DNS_MESSAGEFLAG_CD) == 0)))
6871 dns_name_format(client->query.qname,
6875 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
6884 client->attributes |= NS_CLIENTATTR_NOSETFC;
6907 if (client->view->checknames &&
6908 !dns_rdata_checkowner(client->query.qname,
6909 client->message->rdclass,
6915 dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
6917 dns_rdataclass_format(client->message->rdclass, classname,
6919 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
6932 !dns_name_equal(client->query.qname, dns_rootname))
6934 result = query_getdb(client, client->query.qname, qtype, options,
6938 !RECURSIONOK(client) &&
6949 tresult = query_getzonedb(client, client->query.qname, qtype,
6954 query_putrdataset(client, &rdataset);
6974 if (WANTRECURSION(client)) {
6975 inc_stats(client,
6978 inc_stats(client, dns_nsstatscounter_authrej);
6979 if (!PARTIALANSWER(client))
6997 if (event == NULL && client->query.restarts == 0) {
7004 dns_zone_attach(zone, &client->query.authzone);
7006 dns_db_attach(db, &client->query.authdb);
7008 client->query.authdbset = ISC_TRUE;
7011 if (TCP(client))
7012 inc_stats(client, dns_nsstatscounter_tcp);
7014 inc_stats(client, dns_nsstatscounter_udp);
7022 dbuf = query_getnamebuf(client);
7029 fname = query_newname(client, dbuf, &b);
7030 rdataset = query_newrdataset(client);
7037 if (WANTDNSSEC(client) && (!is_zone || dns_db_issecure(db))) {
7038 sigrdataset = query_newrdataset(client);
7052 rpzqname = client->query.rpz_st->p_name;
7054 rpzqname = client->query.qname;
7057 client->query.dboptions, client->now,
7065 rresult = dns_name_copy(client->query.qname, fname, NULL);
7073 dns_cache_updatestats(client->view->cache, result);
7079 * Rate limit these responses to this client.
7088 if (client->view->rrl != NULL && !HAVECOOKIE(client) &&
7090 (result == ISC_R_NOTFOUND && !RECURSIONOK(client))) &&
7091 !(result == DNS_R_DELEGATION && !is_zone && RECURSIONOK(client)) &&
7092 (client->query.rpz_st == NULL ||
7093 (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0)&&
7094 (client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0)
7102 client->query.attributes |= NS_QUERYATTR_RRL_CHECKED;
7153 rrl_result = dns_rrl(client->view, &client->peeraddr,
7154 TCP(client), client->message->rdclass,
7155 qtype, tname, resp_result, client->now,
7169 ns_client_log(client, DNS_LOGCATEGORY_RRL,
7174 if (!client->view->rrl->log_only) {
7180 inc_stats(client,
7188 inc_stats(client,
7190 if (WANTCOOKIE(client)) {
7191 client->message->flags &=
7193 client->message->flags &=
7195 client->message->rcode =
7198 client->message->flags |=
7202 client->message->rcode =
7209 } else if (!TCP(client) && client->view->requireservercookie &&
7210 WANTCOOKIE(client) && !HAVECOOKIE(client)) {
7211 client->message->flags &= ~DNS_MESSAGEFLAG_AA;
7212 client->message->flags &= ~DNS_MESSAGEFLAG_AD;
7213 client->message->rcode = dns_rcode_badcookie;
7217 if (!RECURSING(client) &&
7218 !dns_name_equal(client->query.qname, dns_rootname))
7222 rresult = rpz_rewrite(client, qtype, result, resuming,
7224 rpz_st = client->query.rpz_st;
7245 client->query.attributes |= NS_QUERYATTR_RECURSING;
7257 !TCP(client)) &&
7266 rresult = dns_name_copy(client->query.qname,
7271 query_putrdataset(client, &rdataset);
7286 client->message->flags |= DNS_MESSAGEFLAG_TC;
7289 client->message->rcode =
7291 rpz_log_rewrite(client, ISC_FALSE,
7299 rpz_log_rewrite(client, ISC_FALSE,
7343 result = rpz_add_cname(client, rpz_st,
7356 result = rpz_add_cname(client, rpz_st,
7372 client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
7374 client->message->flags &= ~DNS_MESSAGEFLAG_AD;
7375 query_putrdataset(client, &sigrdataset);
7377 rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
7407 if (client->view->hints == NULL) {
7411 dns_db_attach(client->view->hints, &db);
7414 0, client->now, &node,
7435 if (RECURSIONOK(client)) {
7436 INSIST(!REDIRECT(client));
7437 result = query_recurse(client, qtype,
7438 client->query.qname,
7441 client->query.attributes |=
7444 client->query.attributes |=
7447 client->query.attributes |=
7471 if (!RECURSIONOK(client) &&
7477 result = query_getzonedb(client,
7478 client->query.qname,
7485 query_putrdataset(client, &rdataset);
7487 query_putrdataset(client,
7490 query_releasename(client,
7513 if (!USECACHE(client) || !RECURSIONOK(client)) {
7524 * If the client is making a nonrecursive
7533 * database by setting client->query.gluedb.
7536 client->query.gluedb == NULL) {
7538 &client->query.gluedb);
7541 client->query.isreferral = ISC_TRUE;
7548 client->query.attributes &=
7554 query_addrrset(client, &fname,
7558 dns_db_detach(&client->query.gluedb);
7560 if (WANTDNSSEC(client))
7561 query_addds(client, db, node, version,
7572 query_keepname(client, fname, dbuf);
7579 dns_db_attach(client->view->cachedb, &db);
7602 query_releasename(client, &fname);
7610 query_putrdataset(client, &rdataset);
7612 query_putrdataset(client,
7627 if (RECURSIONOK(client)) {
7631 INSIST(!REDIRECT(client));
7633 result = query_recurse(client, qtype,
7634 client->query.qname,
7637 result = query_recurse(client,
7639 client->query.qname,
7642 result = query_recurse(client, qtype,
7643 client->query.qname,
7648 client->query.attributes |=
7651 client->query.attributes |=
7654 client->query.attributes |=
7670 client->query.attributes |=
7672 client->query.isreferral = ISC_TRUE;
7675 client->query.gluedb == NULL) {
7677 &client->query.gluedb);
7687 client->query.attributes &=
7693 query_addrrset(client, &fname,
7696 client->query.attributes &=
7699 dns_db_detach(&client->query.gluedb);
7702 if (WANTDNSSEC(client))
7703 query_addds(client, db, node, version,
7724 query_putrdataset(client, &rdataset);
7726 query_putrdataset(client, &sigrdataset);
7727 RESTORE(rdataset, client->query.dns64_aaaa);
7728 RESTORE(sigrdataset, client->query.dns64_sigaaaa);
7730 dbuf = query_getnamebuf(client);
7738 fname = query_newname(client, dbuf, &b);
7747 dns_name_copy(client->query.qname, fname, NULL);
7757 !ISC_LIST_EMPTY(client->view->dns64) &&
7758 client->message->rdclass == dns_rdataclass_in &&
7765 SAVE(client->query.dns64_aaaa, rdataset);
7766 SAVE(client->query.dns64_sigaaaa, sigrdataset);
7767 client->query.dns64_ttl = dns64_ttl(db, version);
7768 query_releasename(client, &fname);
7782 WANTDNSSEC(client)) {
7789 qname = client->query.qname;
7792 client, rdataset,
7811 query_addrrset(client, &fname,
7824 fixfname(client, &fname, &dbuf, &b);
7825 fixrdataset(client, &rdataset);
7826 fixrdataset(client, &sigrdataset);
7843 client,
7851 query_releasename(client, &fname);
7852 query_addwildcardproof(client, db, version,
7853 client->query.qname,
7863 query_keepname(client, fname, dbuf);
7870 query_releasename(client, &fname);
7881 result = query_addsoa(client, db, version, ISC_UINT32_MAX,
7891 if (WANTDNSSEC(client)) {
7893 query_addnxrrsetnsec(client, db, version,
7904 INSIST(is_zone || REDIRECT(client));
7906 tresult = redirect(client, fname, rdataset, &node,
7909 inc_stats(client,
7922 tresult = redirect2(client, fname, rdataset, &node,
7925 inc_stats(client,
7927 client->query.redirect.qtype = qtype;
7929 SAVE(client->query.redirect.rdataset, rdataset);
7930 SAVE(client->query.redirect.sigrdataset,
7932 SAVE(client->query.redirect.db, db);
7933 SAVE(client->query.redirect.node, node);
7934 SAVE(client->query.redirect.zone, zone);
7935 client->query.redirect.result = DNS_R_NXDOMAIN;
7937 client->query.redirect.fname,
7939 client->query.redirect.authoritative =
7941 client->query.redirect.is_zone = is_zone;
7945 inc_stats(client,
7965 query_keepname(client, fname, dbuf);
7972 query_releasename(client, &fname);
7991 result = query_addsoa(client, db, version, ttl, associated,
7998 if (WANTDNSSEC(client)) {
8003 query_addrrset(client, &fname, &rdataset,
8006 query_addwildcardproof(client, db, version,
8007 client->query.qname, ISC_FALSE,
8015 client->message->rcode = dns_rcode_noerror;
8017 client->message->rcode = dns_rcode_nxdomain;
8021 tresult = redirect(client, fname, rdataset, &node,
8024 inc_stats(client,
8038 tresult = redirect2(client, fname, rdataset, &node,
8041 inc_stats(client,
8043 SAVE(client->query.redirect.db, db);
8044 SAVE(client->query.redirect.node, node);
8045 SAVE(client->query.redirect.zone, zone);
8046 client->query.redirect.qtype = qtype;
8048 SAVE(client->query.redirect.rdataset, rdataset);
8049 SAVE(client->query.redirect.sigrdataset, sigrdataset);
8050 client->query.redirect.result = DNS_R_NCACHENXDOMAIN;
8051 dns_name_copy(fname, client->query.redirect.fname,
8053 client->query.redirect.authoritative = authoritative;
8054 client->query.redirect.is_zone = is_zone;
8058 inc_stats(client,
8082 client->message->rcode = dns_rcode_nxdomain;
8088 client->message->rdclass == dns_rdataclass_in &&
8090 warn_rfc1918(client, fname, rdataset);
8102 query_putrdataset(client, &rdataset);
8104 query_putrdataset(client, &sigrdataset);
8105 RESTORE(rdataset, client->query.dns64_aaaa);
8106 RESTORE(sigrdataset, client->query.dns64_sigaaaa);
8108 dbuf = query_getnamebuf(client);
8116 fname = query_newname(client, dbuf, &b);
8125 dns_name_copy(client->query.qname, fname, NULL);
8132 !ISC_LIST_EMPTY(client->view->dns64) &&
8133 client->message->rdclass == dns_rdataclass_in &&
8147 client->query.dns64_ttl = rdataset->ttl;
8149 client->query.dns64_ttl = 0;
8150 SAVE(client->query.dns64_aaaa, rdataset);
8151 SAVE(client->query.dns64_sigaaaa, sigrdataset);
8152 query_releasename(client, &fname);
8164 query_keepname(client, fname, dbuf);
8165 dns_message_addname(client->message, fname,
8178 RECURSIONOK(client))
8188 INSIST(!REDIRECT(client));
8189 result = query_recurse(client, qtype,
8190 client->query.qname,
8193 client->query.attributes |=
8196 client->query.attributes |=
8199 client->query.attributes |=
8219 if (WANTDNSSEC(client) &&
8227 if (NOQNAME(rdataset) && WANTDNSSEC(client))
8231 if (!is_zone && RECURSIONOK(client))
8232 query_prefetch(client, fname, rdataset);
8233 query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
8236 query_addnoqnameproof(client, noqname);
8241 client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
8247 result = dns_message_gettempname(client->message, &tname);
8252 dns_message_puttempname(client->message, &tname);
8259 dns_message_puttempname(client->message, &tname);
8263 result = dns_name_dup(&cname.cname, client->mctx, tname);
8265 dns_message_puttempname(client->message, &tname);
8270 ns_client_qnamereplace(client, tname);
8272 if (!WANTRECURSION(client))
8281 namereln = dns_name_fullcompare(client->query.qname, fname,
8297 if (WANTDNSSEC(client) &&
8305 if (!is_zone && RECURSIONOK(client))
8306 query_prefetch(client, fname, rdataset);
8307 query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
8313 client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
8318 result = dns_message_gettempname(client->message, &tname);
8323 dns_message_puttempname(client->message, &tname);
8330 dns_message_puttempname(client->message, &tname);
8341 dns_name_split(client->query.qname, nlabels, prefix, NULL);
8343 dbuf = query_getnamebuf(client);
8345 dns_message_puttempname(client->message, &tname);
8348 fname = query_newname(client, dbuf, &b);
8350 dns_message_puttempname(client->message, &tname);
8354 dns_message_puttempname(client->message, &tname);
8362 client->message->rcode = dns_rcode_yxdomain;
8366 query_keepname(client, fname, dbuf);
8381 result = query_add_cname(client, client->query.qname, fname,
8388 ns_client_qnamereplace(client, fname);
8391 if (!WANTRECURSION(client))
8406 if (WANTDNSSEC(client) &&
8420 client->filter_aaaa = dns_aaaa_ok;
8421 if (client->view->v4_aaaa != dns_aaaa_ok ||
8422 client->view->v6_aaaa != dns_aaaa_ok)
8424 result = ns_client_checkaclsilent(client, NULL,
8425 client->view->aaaa_acl,
8428 client->view->v4_aaaa != dns_aaaa_ok &&
8429 is_v4_client(client))
8430 client->filter_aaaa = client->view->v4_aaaa;
8432 client->view->v6_aaaa != dns_aaaa_ok &&
8433 is_v6_client(client))
8434 client->filter_aaaa = client->view->v6_aaaa;
8482 query_keepname(client, fname, dbuf);
8492 if (client->filter_aaaa != dns_aaaa_ok) {
8517 } else if (client->view->minimal_any &&
8518 !TCP(client) && !WANTDNSSEC(client) &&
8525 } else if (client->view->minimal_any &&
8526 !TCP(client) && onetype != 0 &&
8538 if (NOQNAME(rdataset) && WANTDNSSEC(client))
8542 rpz_st = client->query.rpz_st;
8546 if (!is_zone && RECURSIONOK(client)) {
8549 query_prefetch(client, name, rdataset);
8560 query_addrrset(client,
8565 query_addnoqnameproof(client, noqname);
8573 query_putrdataset(client, &rdataset);
8574 rdataset = query_newrdataset(client);
8591 if (client->filter_aaaa == dns_aaaa_break_dnssec)
8592 client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
8593 else if (client->filter_aaaa != dns_aaaa_ok &&
8595 (!have_sig || !WANTDNSSEC(client)))
8596 client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
8599 dns_message_puttempname(client->message, &fname);
8613 client->attributes &= ~NS_CLIENTATTR_RA;
8620 dns_name_format(client->query.qname,
8623 ns_client_log(client,
8632 fname = query_newname(client, dbuf, &b);
8659 RECURSIONOK(client))
8669 INSIST(!REDIRECT(client));
8670 result = query_recurse(client, qtype,
8671 client->query.qname,
8674 client->query.attributes |=
8677 client->query.attributes |=
8680 client->query.attributes |=
8696 if (client->filter_aaaa == dns_aaaa_break_dnssec ||
8697 (client->filter_aaaa == dns_aaaa_filter &&
8698 (!WANTDNSSEC(client) || sigrdataset == NULL ||
8702 trdataset = query_newrdataset(client);
8705 client->now,
8709 query_putrdataset(client, &trdataset);
8717 * for this client, although that could be
8725 client->attributes |=
8729 !RECURSIONOK(client) ||
8732 client->attributes &=
8743 INSIST(!REDIRECT(client));
8744 result = query_recurse(client,
8746 client->query.qname,
8749 client->attributes |=
8751 client->query.attributes |=
8757 (client->attributes &
8759 client->attributes &=
8761 client->attributes |=
8775 INSIST(client->query.dns64_aaaaok == NULL);
8778 !ISC_LIST_EMPTY(client->view->dns64) &&
8779 client->message->rdclass == dns_rdataclass_in &&
8780 !dns64_aaaaok(client, rdataset, sigrdataset)) {
8785 client->query.dns64_ttl = rdataset->ttl;
8786 SAVE(client->query.dns64_aaaa, rdataset);
8787 SAVE(client->query.dns64_sigaaaa, sigrdataset);
8788 query_releasename(client, &fname);
8799 if (NOQNAME(rdataset) && WANTDNSSEC(client))
8811 if (dns_name_equal(client->query.qname,
8820 if (dns_name_equal(client->query.qname, dns_rootname)) {
8821 client->query.attributes &=
8830 (client->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0 &&
8831 client->query.restarts == 0) {
8842 if (secs >= client->now &&
8844 client->attributes |=
8846 client->expire = secs - client->now;
8856 client->expire = soa.expire;
8857 client->attributes |= NS_CLIENTATTR_HAVEEXPIRE;
8865 result = query_dns64(client, &fname, rdataset,
8870 dns_message_puttemprdataset(client->message, &rdataset);
8879 (void)query_addsoa(client, db, version,
8893 } else if (client->query.dns64_aaaaok != NULL) {
8894 query_filter64(client, &fname, rdataset, dbuf,
8896 query_putrdataset(client, &rdataset);
8898 if (!is_zone && RECURSIONOK(client))
8899 query_prefetch(client, fname, rdataset);
8900 query_addrrset(client, &fname, &rdataset,
8905 query_addnoqnameproof(client, noqname);
8919 if (!want_restart && !NOAUTHORITY(client)) {
8922 (void)query_addns(client, db, version);
8926 query_releasename(client, &fname);
8928 query_addbestns(client);
8937 query_addwildcardproof(client, db, version,
8945 rpz_st = client->query.rpz_st;
8951 query_putrdataset(client, &rdataset);
8953 query_putrdataset(client, &sigrdataset);
8955 query_releasename(client, &fname);
8963 query_putrdataset(client, &zrdataset);
8965 query_putrdataset(client, &zsigrdataset);
8967 query_releasename(client, &zfname);
8971 free_devent(client, ISC_EVENT_PTR(&event), &event);
8977 if (client->query.restarts == 0 && !authoritative) {
8982 client->message->flags &= ~DNS_MESSAGEFLAG_AA;
8988 if (want_restart && client->query.restarts < MAX_RESTARTS) {
8989 client->query.restarts++;
8994 (!PARTIALANSWER(client) || WANTRECURSION(client)
9003 query_next(client, eresult);
9006 * If we don't have any answer to give the client,
9007 * or if the client requested recursion and thus wanted
9011 query_error(client, eresult, line);
9013 ns_client_detach(&client);
9014 } else if (!RECURSING(client)) {
9021 setup_query_sortlist(client);
9028 if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) &&
9029 client->message->rcode == dns_rcode_noerror &&
9031 answer_in_glue(client, qtype);
9033 if (client->message->rcode == dns_rcode_nxdomain &&
9034 client->view->auth_nxdomain == ISC_TRUE)
9035 client->message->flags |= DNS_MESSAGEFLAG_AA;
9038 * If the response is somehow unexpected for the client and this
9043 (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) ||
9044 client->message->rcode != dns_rcode_noerror))
9047 query_send(client);
9048 ns_client_detach(&client);
9056 log_tat(ns_client_t *client) {
9068 if ((client->query.qtype != dns_rdatatype_null ||
9069 !dns_name_istat(client->query.qname)) &&
9070 (client->keytag == NULL ||
9071 client->query.qtype != dns_rdatatype_dnskey))
9076 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
9077 dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
9078 isc_netaddr_format(&client->destaddr, clientbuf, sizeof(clientbuf));
9079 dns_rdataclass_format(client->view->rdclass, classname,
9082 if (client->query.qtype == dns_rdatatype_dnskey) {
9083 isc_uint16_t keytags = client->keytag_len / 2;
9085 char *cp = tags = isc_mem_get(client->mctx, taglen);
9088 INSIST(client->keytag != NULL);
9093 keytag = (client->keytag[i * 2] << 8) |
9094 client->keytag[i * 2 + 1];
9111 isc_mem_put(client->mctx, tags, taglen);
9116 log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
9128 rdataset = ISC_LIST_HEAD(client->query.qname->list);
9130 dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
9133 isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf));
9135 if (client->ednsversion >= 0)
9137 client->ednsversion);
9139 ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
9141 classname, typename, WANTRECURSION(client) ? "+" : "-",
9142 (client->signer != NULL) ? "S" : "", ednsbuf,
9143 TCP(client) ? "T" : "",
9146 HAVECOOKIE(client) ? "V" : WANTCOOKIE(client) ? "K" : "",
9151 log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) {
9168 if (client->query.origqname != NULL) {
9169 dns_name_format(client->query.origqname, namebuf,
9174 rdataset = ISC_LIST_HEAD(client->query.origqname->list);
9186 ns_client_log(client, NS_LOGCATEGORY_QUERY_ERRORS, NS_LOGMODULE_QUERY,
9193 ns_query_start(ns_client_t *client) {
9195 dns_message_t *message = client->message;
9199 unsigned int saved_extflags = client->extflags;
9200 unsigned int saved_flags = client->message->flags;
9202 REQUIRE(NS_CLIENT_VALID(client));
9209 if (ns_g_clienttest && !TCP(client)) {
9210 result = ns_client_replace(client);
9212 ns_client_next(client, result);
9215 query_error(client, result, __LINE__);
9223 client->next = query_next_callback;
9228 if (!client->view->enablednssec) {
9230 client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
9234 client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
9236 if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
9237 client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
9239 switch (client->view->minimalresponses) {
9243 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
9247 client->query.attributes |= NS_QUERYATTR_NOAUTHORITY;
9251 client->query.attributes |= NS_QUERYATTR_NOAUTHORITY;
9255 if ((client->view->cachedb == NULL)
9256 || (!client->view->additionalfromcache)) {
9261 client->query.attributes &=
9263 client->attributes |= NS_CLIENTATTR_NOSETFC;
9264 } else if ((client->attributes & NS_CLIENTATTR_RA) == 0 ||
9267 * If the client isn't allowed to recurse (due to
9272 client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
9273 client->attributes |= NS_CLIENTATTR_NOSETFC;
9280 query_error(client, DNS_R_FORMERR, __LINE__);
9289 query_error(client, result, __LINE__);
9293 &client->query.qname);
9294 client->query.origqname = client->query.qname;
9302 query_error(client, DNS_R_FORMERR, __LINE__);
9304 query_error(client, result, __LINE__);
9309 log_query(client, saved_flags, saved_extflags);
9314 rdataset = ISC_LIST_HEAD(client->query.qname->list);
9316 client->query.qtype = qtype = rdataset->type;
9319 log_tat(client);
9327 ns_xfr_start(client, rdataset->type);
9331 query_error(client, DNS_R_NOTIMP, __LINE__);
9334 result = dns_tkey_processquery(client->message,
9336 client->view->dynamickeys);
9338 query_send(client);
9340 query_error(client, result, __LINE__);
9343 query_error(client, DNS_R_FORMERR, __LINE__);
9354 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
9362 client->view->minimal_any && !TCP(client))
9363 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
9369 if (client->ednsversion >= 0 && client->udpsize <= 512U && !TCP(client))
9370 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
9374 * If the client has requested that DNSSEC checking be disabled,
9384 client->query.dboptions |= DNS_DBFIND_PENDINGOK;
9385 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
9386 } else if (!client->view->enablevalidation)
9387 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
9394 client->query.attributes &= ~NS_QUERYATTR_SECURE;
9397 * Set NS_CLIENTATTR_WANTDNSSEC if the client has set AD in the query.
9401 client->attributes |= NS_CLIENTATTR_WANTAD;
9408 query_next(client, result);
9426 if (WANTDNSSEC(client) || WANTAD(client))
9430 ns_client_attach(client, &qclient);