query.c revision 31f6244cc25ab0f8937edc26dbb26ba4f6a01f19
44863746316be889b13ee5cf893245baa089a75dTinderbox User * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * Copyright (C) 1999-2003 Internet Software Consortium.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * Permission to use, copy, modify, and/or distribute this software for any
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * purpose with or without fee is hereby granted, provided that the above
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * copyright notice and this permission notice appear in all copies.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * PERFORMANCE OF THIS SOFTWARE.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * It has been recommended that DNS64 be changed to return excluded
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * AAAA addresses if DNS64 synthesis does not occur. This minimises
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * the impact on the lookup results. While most DNS AAAA lookups are
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * done to send IP packets to a host, not all of them are and filtering
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt * excluded addresses has a negative impact on those uses.
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt/*% Partial answer? */
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews#define PARTIALANSWER(c) (((c)->query.attributes & \
2fff8b8280779a25fbdb891b2d3d9b435d2084f0Tatuya JINMEI 神明達哉/*% Use Cache? */
2fff8b8280779a25fbdb891b2d3d9b435d2084f0Tatuya JINMEI 神明達哉#define USECACHE(c) (((c)->query.attributes & \
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉/*% Recursion OK? */
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉#define RECURSIONOK(c) (((c)->query.attributes & \
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉/*% Recursing? */
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉#define RECURSING(c) (((c)->query.attributes & \
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt/*% Cache glue ok? */
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉#define CACHEGLUEOK(c) (((c)->query.attributes & \
26833735d3d95e731a1cfb2a9b12c9bc10ba208aEvan Hunt/*% Want Recursion? */
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉#define WANTRECURSION(c) (((c)->query.attributes & \
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉/*% Want DNSSEC? */
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉/*% Want WANTAD? */
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉/*% No authority? */
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉/*% No additional? */
26833735d3d95e731a1cfb2a9b12c9bc10ba208aEvan Hunt#define NOADDITIONAL(c) (((c)->query.attributes & \
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉/*% DNS64 A lookup? */
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉#define DNS64(c) (((c)->query.attributes & \
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉#define DNS64EXCLUDE(c) (((c)->query.attributes & \
26833735d3d95e731a1cfb2a9b12c9bc10ba208aEvan Hunt/*% No QNAME Proof? */
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉#define CTRACE(m) isc_log_write(ns_g_lctx, \
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉#define QTRACE(m) isc_log_write(ns_g_lctx, \
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉#define CTRACE(m) ((void)m)
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉#define QTRACE(m) ((void)m)
dc842cdcb946b3f89448f07a9f024497a50c216aMark Andrews#define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0)
859cfb24bfd7bd7754bb1d9ca68bce861a4b0a40Mark Andrewsquery_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
39a8abdb83d00eb57e2395dbd3931c129391a951Automatic Updaterquery_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 dns_dbversion_t *version, ns_client_t *client,
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉static inline void
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉log_queryerror(ns_client_t *client, isc_result_t result, int line, int level);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 * Increment query statistics counters.
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉static inline void
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉inc_stats(ns_client_t *client, isc_statscounter_t counter) {
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 dns_zone_t *zone = client->query.authzone;
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 isc_stats_increment(ns_g_server->nsstats, counter);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 /* Do regular response type stats */
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 zonestats = dns_zone_getrequeststats(zone);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 /* Do query type statistics
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 * We only increment per-type if we're using the authoritative
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 * answer counter, preventing double-counting.
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 querystats = dns_zone_getrcvquerystats(zone);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 rdataset = ISC_LIST_HEAD(client->query.qname->list);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 dns_rdatatypestats_increment(querystats, qtype);
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0)
4786e693a7c4b41ba4554f06a2f6d16c74017f15Mark Andrews inc_stats(client, dns_nsstatscounter_nonauthans);
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt if (client->message->rcode == dns_rcode_noerror) {
94315060c2b0d9deafabe72d6a0482405fd9d377Evan Hunt if (ISC_LIST_EMPTY(client->message->sections[answer])) {
859cfb24bfd7bd7754bb1d9ca68bce861a4b0a40Mark Andrews } else if (client->message->rcode == dns_rcode_nxdomain)
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉 else /* We end up here in case of YXDOMAIN, and maybe others */
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉query_error(ns_client_t *client, isc_result_t result, int line) {
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 inc_stats(client, dns_nsstatscounter_servfail);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 inc_stats(client, dns_nsstatscounter_formerr);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 inc_stats(client, dns_nsstatscounter_failure);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 log_queryerror(client, result, line, loglevel);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉query_next(ns_client_t *client, isc_result_t result) {
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 inc_stats(client, dns_nsstatscounter_duplicate);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 inc_stats(client, dns_nsstatscounter_dropped);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 inc_stats(client, dns_nsstatscounter_failure);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉static inline void
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 ns_dbversion_t *dbversion, *dbversion_next;
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 unsigned int i;
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 dbversion_next = ISC_LIST_NEXT(dbversion, link);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 * If we're not freeing everything, we keep the first three
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 * dbversions structures around.
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 ISC_LIST_UNLINK(client->query.freeversions, dbversion,
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 dns_resolver_cancelfetch(client->query.fetch);
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Huntstatic inline void
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Huntquery_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt dns_message_puttemprdataset(client->message, rdatasetp);
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Huntstatic inline void
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Huntquery_reset(ns_client_t *client, isc_boolean_t everything) {
859cfb24bfd7bd7754bb1d9ca68bce861a4b0a40Mark Andrews * Reset the query state of a client to its default state.
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉 * Cancel the fetch if it's running.
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 * Cleanup any active versions.
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 dbversion_next = ISC_LIST_NEXT(dbversion, link);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 dns_db_closeversion(dbversion->db, &dbversion->version,
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 ISC_LIST_INITANDAPPEND(client->query.freeversions,
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 ISC_LIST_INIT(client->query.activeversions);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 query_putrdataset(client, &client->query.dns64_aaaa);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 query_putrdataset(client, &client->query.dns64_sigaaaa);
859cfb24bfd7bd7754bb1d9ca68bce861a4b0a40Mark Andrews isc_mem_put(client->mctx, client->query.dns64_aaaaok,
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 query_freefreeversions(client, everything);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 ISC_LIST_UNLINK(client->query.namebufs, dbuf, link);
39a8abdb83d00eb57e2395dbd3931c129391a951Automatic Updater * client->query.qname was dynamically allocated.
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 isc_mem_put(client->mctx, client->query.rpz_st,
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 client->query.dns64_ttl = ISC_UINT32_MAX;
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉query_next_callback(ns_client_t *client) {
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 * Allocate a name buffer.
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 * Return a name buffer with space for a maximal name, allocating
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 * a new one if necessary.
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 if (ISC_LIST_EMPTY(client->query.namebufs)) {
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 CTRACE("query_getnamebuf: query_newnamebuf failed: done");
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 dbuf = ISC_LIST_TAIL(client->query.namebufs);
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt CTRACE("query_getnamebuf: query_newnamebuf failed: done");
26833735d3d95e731a1cfb2a9b12c9bc10ba208aEvan Huntstatic inline void
26833735d3d95e731a1cfb2a9b12c9bc10ba208aEvan Huntquery_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
26833735d3d95e731a1cfb2a9b12c9bc10ba208aEvan Hunt * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
26833735d3d95e731a1cfb2a9b12c9bc10ba208aEvan Hunt * adjusted to take account of that. We do the adjustment.
26833735d3d95e731a1cfb2a9b12c9bc10ba208aEvan Hunt REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0);
26833735d3d95e731a1cfb2a9b12c9bc10ba208aEvan Hunt client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉static inline void
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉query_releasename(ns_client_t *client, dns_name_t **namep) {
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt * 'name' is no longer needed. Return it to our pool of temporary
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt * names. If it is using a name buffer, relinquish its exclusive
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉 * rights on the buffer.
26833735d3d95e731a1cfb2a9b12c9bc10ba208aEvan Hunt INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉 dns_message_puttempname(client->message, namep);
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉query_newname(ns_client_t *client, isc_buffer_t *dbuf,
7c60401dbd4dce617dffc685c269fca224c589adTatuya JINMEI 神明達哉 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews result = dns_message_gettempname(client->message, &name);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews CTRACE("query_newname: dns_message_gettempname failed: done");
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt result = dns_message_gettemprdataset(client->message, &rdataset);
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt "dns_message_gettemprdataset failed: done");
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉query_newdbversion(ns_client_t *client, unsigned int n) {
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews unsigned int i;
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt for (i = 0; i < n; i++) {
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt ISC_LIST_INITANDAPPEND(client->query.freeversions,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * We only return ISC_R_NOMEMORY if we couldn't
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 * allocate anything.
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 if (ISC_LIST_EMPTY(client->query.freeversions)) {
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews ISC_LIST_UNLINK(client->query.freeversions, dbversion, link);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 query_freefreeversions(client, ISC_TRUE);
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Huntstatic inline ns_dbversion_t *
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Huntquery_findversion(ns_client_t *client, dns_db_t *db)
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews * We may already have done a query related to this
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews * database. If so, we must be sure to make subsequent
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews * queries from the same version.
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * This is a new zone for this query. Add it to
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * the active list.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrewsquery_validatezonedb(ns_client_t *client, dns_name_t *name,
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb * This limits our searching to the zone where the first name
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews * (the query target) was looked for. This prevents following
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * CNAMES or DNAMES into other zones and prevents returning
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews * additional data from other zones.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * Non recursive query to a static-stub zone is prohibited; its
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * zone content is not public data, but a part of local configuration
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * and should not be disclosed.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews if (dns_zone_gettype(zone) == dns_zone_staticstub &&
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb * If the zone has an ACL, we'll check it, otherwise
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb * we use the view's "allow-query" ACL. Each ACL is only checked
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews * once per query.
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews * Also, get the database version to use.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * Get the current version of this database.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * We've evaluated the view's queryacl already. If
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * NS_QUERYATTR_QUERYOK is set, then the client is
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * allowed to make queries, otherwise the query should
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * be refused.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
80fa3ef8517ff046a72c4cb1e785f30c9ef9ee75Mark Andrews if (isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(3))) {
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * We were allowed by the default
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * "allow-query" ACL. Remember this so we
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * don't have to check again.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * We've now evaluated the view's query ACL, and
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * the NS_QUERYATTR_QUERYOK attribute is now valid.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews /* If and only if we've gotten this far, check allow-query-on too */
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews result = ns_client_checkaclsilent(client, &client->destaddr,
0874abad14e3e9ecfc3dc1a1a2b9969f2f027724Mark Andrews ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews "query-on denied");
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews /* Transfer ownership, if necessary. */
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrewsquery_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb unsigned int ztoptions;
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * Find a zone database to answer the query.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews result = query_validatezonedb(client, name, qtype, options, zone, db,
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt /* Transfer ownership. */
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt if (partial && (options & DNS_GETDB_PARTIAL) != 0)
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
40a7e85f3ee3bd66a8f87bf8af674e1e48b05396Evan Hunt * Count enabled rewrites in the global counter.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * Count both enabled and disabled rewrites for each zone.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf));
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews dns_name_format(p_name, p_name_buf, sizeof(p_name_buf));
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
3ff75c89eb7b8c4f8c7dd375beec2981d147c791Evan Hunt DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s",
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrewsrpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name,
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb dns_rpz_type_t rpz_type, const char *str, isc_result_t result)
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt const char *failed;
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb * bin/tests/system/rpz/tests.sh looks for "rpz.*failed" for problems.
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb dns_name_format(client->query.qname, qnamebuf, sizeof(qnamebuf));
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb "rpz %s rewrite %s via %s%s%s%s",
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * Get a policy rewrite zone database.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrewsrpz_getdb(ns_client_t *client, dns_name_t *p_name, dns_rpz_type_t rpz_type,
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp)
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt result = query_getzonedb(client, p_name, dns_rdatatype_any,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 if (isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) {
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns_name_format(p_name, p_namebuf, sizeof(p_namebuf));
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 "try rpz %s rewrite %s via %s",
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type,
4f9f8fa0528ce843a3bdf7993e94463508d8320eEvan Huntquery_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * Find a cache database to answer the query.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * This may fail with DNS_R_REFUSED if the client
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * is not allowed to use the cache.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) != 0) {
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * We've evaluated the view's cacheacl already. If
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * NS_QUERYATTR_CACHEACLOK is set, then the client is
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * allowed to make queries, otherwise the query should
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * be refused.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt if ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) == 0)
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * We haven't evaluated the view's queryacl yet.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * We were allowed by the "allow-query-cache" ACL.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * Remember this so we don't have to check again.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt } else if (log) {
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * We've now evaluated the view's query ACL, and
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * the NS_QUERYATTR_CACHEACLOKVALID attribute is now valid.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID;
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt /* Approved. */
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt /* Transfer ownership. */
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Huntquery_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt dns_dbversion_t **versionp, isc_boolean_t *is_zonep)
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt unsigned int namelabels;
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt unsigned int zonelabels;
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt /* Calculate how many labels are in name. */
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt /* Try to find name in bind's standard database. */
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 result = query_getzonedb(client, name, qtype, options, &zone,
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt /* See how many labels are in the zone's name. */
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb * If # zone labels < # name labels, try to find an even better match
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * Only try if DLZ drivers are loaded for this view
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt dns_clientinfomethods_init(&cm, ns_client_sourceip);
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt /* If we successful, we found a better match. */
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb * If the previous search returned a zone, detach it.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * If the previous search returned a database,
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews * detach it.
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb * If the previous search returned a version, clear it.
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb * Get our database version.
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews * Be sure to return our database.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * We return a null zone, No stats for DLZ zones.
7781f25078c491a9650dec555bdc86cb0ed49861Tatuya JINMEI 神明達哉 /* If successful, Transfer ownership of zone. */
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews * If neither attempt above succeeded, return the cache instead
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews result = query_getcachedb(client, name, qtype, dbp, options);
b748b5e2c2fa40f758e3b35ad4f1fde99ab5e11fEvan Huntquery_isduplicate(ns_client_t *client, dns_name_t *name,
b748b5e2c2fa40f758e3b35ad4f1fde99ab5e11fEvan Hunt result = dns_message_findname(client->message, section,
b748b5e2c2fa40f758e3b35ad4f1fde99ab5e11fEvan Hunt * We've already got this RRset in the response.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * The name exists, but the rdataset does not.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Huntquery_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt dns_rdataset_t *rdataset, *sigrdataset, *trdataset;
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 isc_boolean_t added_something, need_addname;
aecadaf3b1bbbe0bd58f703989baf38eedd0ffcackb if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * Initialization.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt dns_clientinfomethods_init(&cm, ns_client_sourceip);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * We treat type A additional section processing as if it
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews * were "any address type" additional section processing.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * To avoid multiple lookups, we do an 'any' database
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * lookup and iterate over the node.
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews * Get some resources.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * Look for a zone database that might contain authoritative
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * additional data.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * Since we are looking for authoritative data, we do not set
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * the GLUEOK flag. Glue will be looked for later, but not
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * necessarily in the same database.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt if (sigrdataset != NULL && !dns_db_issecure(db) &&
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * No authoritative data was found. The cache is our next best bet.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * Most likely the client isn't allowed to query the cache.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * Attempt to validate glue.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt dns_cache_updatestats(client->view->cache, result);
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt validate(client, db, fname, rdataset, sigrdataset))
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * No cached data was found. Glue is our last chance.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * RFC1035 sayeth:
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * NS records cause both the usual additional section
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * processing to locate a type A record, and, when used
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * in a referral, a special search of the zone in which
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * they reside for glue information.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * This is the "special search". Note that we must search
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * the zone where the NS record resides, not the zone it
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * points to, and that we only do the search in the delegation
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * case (identified by client->query.gluedb being set).
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * Don't poison caches using the bailiwick protection model.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * We have found a potential additional data rdataset, or
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * at least a node to iterate over.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * If we have an rdataset, add it to the additional data
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt !query_isduplicate(client, fname, type, &mname)) {
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * Note: we only add SIGs if we've added the type they cover,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * so we do not need to check if the SIG rdataset is already
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * in the response.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * We now go looking for A and AAAA records, along with
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * their signatures.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * XXXRTH This code could be more efficient.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt if (query_isduplicate(client, fname, dns_rdatatype_a, NULL))
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt if (query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * There's an A; check whether we're filtering AAAA
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * If we haven't added anything, then we're done.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * We may have added our rdatasets to an existing name, if so, then
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * need_addname will be ISC_FALSE. Whether we used an existing name
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * or a new one, we must set fname to NULL to prevent cleanup.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * In a few cases, we want to add additional data for additional
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * data. It's simpler to just deal with special cases here than
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * to try to create a general purpose mechanism and allow the
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * rdata implementations to do it themselves.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * This involves recursion, but the depth is limited. The
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * most complex case is adding a SRV rdataset, which involves
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * recursing to add address records, which in turn can cause
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * recursion to add KEYs.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt if (type == dns_rdatatype_srv && trdataset != NULL) {
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * If we're adding SRV records to the additional data
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * section, it's helpful if we add the SRV additional data
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Huntstatic inline void
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Huntquery_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt dns_rdatatype_t type, dns_zone_t **zonep, dns_db_t **dbp,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt while ((rdataset = ISC_LIST_HEAD(fname->list)) != NULL) {
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt (void)dns_rdataset_putadditional(client->view->acache, rdataset_base,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Huntquery_iscachevalid(dns_zone_t *zone, dns_db_t *db, dns_db_t *db0,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt dns_db_currentversion(db_current, &version_current);
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt if (db_current != db || version_current != version) {
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt dns_db_closeversion(db_current, &version_current, ISC_FALSE);
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Huntquery_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt isc_boolean_t added_something, need_addname, needadditionalcache;
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * If we don't have an additional cache call query_addadditional.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt if (qtype != dns_rdatatype_a || client->view->acache == NULL) {
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * This function is optimized for "address" types. For other
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * types, use a generic routine.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * XXX: ideally, this function should be generic enough.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt return (query_addadditional(additionalctx->client,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * Initialization.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt dns_clientinfomethods_init(&cm, ns_client_sourceip);
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * We treat type A additional section processing as if it
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * were "any address type" additional section processing.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * To avoid multiple lookups, we do an 'any' database
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * lookup and iterate over the node.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * XXXJT: this approach can cause a suboptimal result when the cache
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * DB only has partial address types and the glue DB has remaining
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * Get some resources.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt dns_name_setbuffer(&cfname, &b); /* share the buffer */
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt /* Check additional cache */
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt result = dns_rdataset_getadditional(rdataset_base, additionaltype,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt CTRACE("query_addadditional2: auth zone not found");
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt /* Is the cached DB up-to-date? */
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt result = query_iscachevalid(zone, cdb, NULL, cversion);
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt CTRACE("query_addadditional2: old auth additional cache");
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt query_discardcache(client, rdataset_base, additionaltype,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * We have a negative cache. We don't have to check the zone
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * ACL, since the result (not using this zone) would be same
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * regardless of the result.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt CTRACE("query_addadditional2: negative auth additional cache");
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt query_discardcache(client, rdataset_base, additionaltype,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt /* We've got an active cache. */
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt CTRACE("query_addadditional2: auth additional cache");
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * Look for a zone database that might contain authoritative
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * additional data.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt /* Cache the negative result */
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * Since we are looking for authoritative data, we do not set
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * the GLUEOK flag. Glue will be looked for later, but not
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * necessarily in the same database.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt /* Cache the negative result */
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * No authoritative data was found. The cache is our next best bet.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt additionaltype = dns_rdatasetadditional_fromcache;
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * Most likely the client isn't allowed to query the cache.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * No cached data was found. Glue is our last chance.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * RFC1035 sayeth:
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * NS records cause both the usual additional section
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * processing to locate a type A record, and, when used
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * in a referral, a special search of the zone in which
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * they reside for glue information.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * This is the "special search". Note that we must search
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * the zone where the NS record resides, not the zone it
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * points to, and that we only do the search in the delegation
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * case (identified by client->query.gluedb being set).
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * Don't poison caches using the bailiwick protection model.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt /* Check additional cache */
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt result = dns_rdataset_getadditional(rdataset_base, additionaltype,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt CTRACE("query_addadditional2: old glue additional cache");
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt query_discardcache(client, rdataset_base, additionaltype,
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt /* We have a negative cache. */
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt CTRACE("query_addadditional2: negative glue additional cache");
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt /* Cache hit. */
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt CTRACE("query_addadditional2: glue additional cache");
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt /* cache the negative result */
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * We have found a DB node to iterate over from a DB.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * We are going to look for address RRsets (i.e., A and AAAA) in the DB
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * node we've just found. We'll then store the complete information
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * in the additional data cache.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt if (additionaltype == dns_rdatasetadditional_fromcache &&
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt query_isduplicate(client, fname, dns_rdatatype_a, NULL))
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * Find A RRset with sig RRset. Even if we don't find a sig RRset
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * for a client using DNSSEC, we'll continue the process to make a
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * complete list to be cached. However, we need to cancel the
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * caching when something unexpected happens, in order to avoid
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * caching incomplete information.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * If we can't promote glue/pending from the cache to secure
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * then drop it.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt additionaltype == dns_rdatasetadditional_fromcache &&
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt !validate(client, db, fname, rdataset, sigrdataset)) {
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt /* Remember the result as a cache */
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 ISC_LIST_APPEND(cfname.list, sigrdataset, link);
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt /* do not cache incomplete information */
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 if (additionaltype == dns_rdatasetadditional_fromcache &&
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt /* Find AAAA RRset with sig RRset */
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa,
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * If we can't promote glue/pending from the cache to secure
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * then drop it.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt additionaltype == dns_rdatasetadditional_fromcache &&
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt !validate(client, db, fname, rdataset, sigrdataset)) {
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * Set the new result in the cache if required. We do not support
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * caching additional data from a cache DB.
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt (additionaltype == dns_rdatasetadditional_fromauth ||
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 additionaltype == dns_rdatasetadditional_fromglue)) {
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 for (crdataset = ISC_LIST_HEAD(cfname.list);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 crdataset_next = ISC_LIST_NEXT(crdataset, link);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 if (crdataset->type == dns_rdatatype_a ||
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 if (!query_isduplicate(client, fname, crdataset->type,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * A different type of this name is
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * already stored in the additional
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * section. We'll reuse the name.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * Note that this should happen at most
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * once. Otherwise, fname->link could
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 ISC_LIST_UNLINK(cfname.list, crdataset, link);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 ISC_LIST_APPEND(fname->list, crdataset, link);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 } else if (crdataset->type == dns_rdatatype_rrsig &&
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 ISC_LIST_UNLINK(cfname.list, crdataset, link);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 ISC_LIST_APPEND(fname->list, crdataset, link);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 added_something = ISC_TRUE; /* just in case */
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * If we haven't added anything, then we're done.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * We may have added our rdatasets to an existing name, if so, then
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * need_addname will be ISC_FALSE. Whether we used an existing name
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * or a new one, we must set fname to NULL to prevent cleanup.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns_message_addname(client->message, fname,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 while ((crdataset = ISC_LIST_HEAD(cfname.list)) != NULL) {
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 ISC_LIST_UNLINK(cfname.list, crdataset, link);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉static inline void
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉query_addrdataset(ns_client_t *client, dns_name_t *fname,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * Add 'rdataset' and any pertinent additional data to
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * 'fname', a name in the response message for 'client'.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 ISC_LIST_APPEND(fname->list, rdataset, link);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 rdataset->attributes |= dns_order_find(client->view->order,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * Add additional data.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * We don't care if dns_rdataset_additionaldata() fails.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 (void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Huntquery_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset,
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt unsigned int flags = 0;
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * To the current response for 'client', add the answer RRset
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * owner name '*namep', to section 'section', unless they are
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * already there. Also add any pertinent additional data.
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * If 'dbuf' is not NULL, then '*namep' is the name whose data is
789252d55f025db52ee02aa933c9f09a4aadfa97Evan Hunt * stored in 'dbuf'. In this case, query_addrrset() guarantees that
feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt * when it returns the name will either have been kept or released.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 result = dns_message_findname(client->message, section,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * We've already got an RRset of the given name and type.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * There's nothing else to do;
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 CTRACE("query_dns64: dns_message_findname succeeded: done");
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * The name doesn't exist.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns_message_addname(client->message, name, section);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 if (rdataset->trust != dns_trust_secure &&
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 client->query.attributes &= ~NS_QUERYATTR_SECURE;
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 result = isc_buffer_allocate(client->mctx, &buffer, view->dns64cnt *
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 result = dns_message_gettemprdataset(client->message, &dns64_rdataset);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 result = dns_message_gettemprdatalist(client->message,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns64_rdatalist->rdclass = dns_rdataclass_in;
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns64_rdatalist->type = dns_rdatatype_aaaa;
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 if (client->query.dns64_ttl != ISC_UINT32_MAX)
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns64_rdatalist->ttl = ISC_MIN(rdataset->ttl,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns64_rdatalist->ttl = ISC_MIN(rdataset->ttl, 600);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * We use the signatures from the A lookup to set DNS_DNS64_DNSSEC
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * as this provides a easy way to see if the answer was signed.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 for (result = dns_rdataset_first(rdataset);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 for (dns64 = ISC_LIST_HEAD(client->view->dns64);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns64 != NULL; dns64 = dns_dns64_next(dns64)) {
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 result = dns_dns64_aaaafroma(dns64, &netaddr,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 result = dns_message_gettemprdata(client->message,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns_rdata_fromregion(dns64_rdata, dns_rdataclass_in,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 ISC_LIST_APPEND(dns64_rdatalist->rdata, dns64_rdata,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 if (ISC_LIST_EMPTY(dns64_rdatalist->rdata))
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 result = dns_rdatalist_tordataset(dns64_rdatalist, dns64_rdataset);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 query_addrdataset(client, mname, dns64_rdataset);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns_message_takebuffer(client->message, &buffer);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 inc_stats(client, dns_nsstatscounter_dns64);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns_message_puttemprdata(client->message, &dns64_rdata);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns_message_puttemprdataset(client->message, &dns64_rdataset);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 for (dns64_rdata = ISC_LIST_HEAD(dns64_rdatalist->rdata);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns_message_puttemprdata(client->message, &dns64_rdata);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns_message_puttemprdatalist(client->message, &dns64_rdatalist);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉query_filter64(ns_client_t *client, dns_name_t **namep,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 dns_rdataset_t *rdataset, isc_buffer_t *dbuf,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 unsigned int i;
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 INSIST(client->query.dns64_aaaaok != NULL);
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 INSIST(client->query.dns64_aaaaoklen == dns_rdataset_count(rdataset));
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 result = dns_message_findname(client->message, section,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * We've already got an RRset of the given name and type.
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 * There's nothing else to do;
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 CTRACE("query_filter64: dns_message_findname succeeded: done");
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 if (rdataset->trust != dns_trust_secure &&
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 client->query.attributes &= ~NS_QUERYATTR_SECURE;
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 result = isc_buffer_allocate(client->mctx, &buffer,
bfcc5ae79a46c5c55e6cf1a9fe4d70a957712d2bTatuya JINMEI 神明達哉 result = dns_message_gettemprdataset(client->message, &myrdataset);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews result = dns_message_gettemprdatalist(client->message, &myrdatalist);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 for (result = dns_rdataset_first(rdataset);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews isc_buffer_putmem(buffer, rdata.data, rdata.length);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews result = dns_message_gettemprdata(client->message, &myrdata);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews dns_rdata_fromregion(myrdata, dns_rdataclass_in,
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews ISC_LIST_APPEND(myrdatalist->rdata, myrdata, link);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews result = dns_rdatalist_tordataset(myrdatalist, myrdataset);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews dns_message_addname(client->message, name, section);
39a8abdb83d00eb57e2395dbd3931c129391a951Automatic Updater dns_message_takebuffer(client->message, &buffer);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews dns_message_puttemprdata(client->message, &myrdata);
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews dns_message_puttemprdataset(client->message, &myrdataset);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews for (myrdata = ISC_LIST_HEAD(myrdatalist->rdata);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews ISC_LIST_UNLINK(myrdatalist->rdata, myrdata, link);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews dns_message_puttemprdata(client->message, &myrdata);
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt dns_message_puttemprdatalist(client->message, &myrdatalist);
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Huntquery_addrrset(ns_client_t *client, dns_name_t **namep,
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt dns_rdataset_t *rdataset, *mrdataset, *sigrdataset;
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt * To the current response for 'client', add the answer RRset
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt * owner name '*namep', to section 'section', unless they are
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * already there. Also add any pertinent additional data.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * If 'dbuf' is not NULL, then '*namep' is the name whose data is
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * stored in 'dbuf'. In this case, query_addrrset() guarantees that
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * when it returns the name will either have been kept or released.
7781f25078c491a9650dec555bdc86cb0ed49861Tatuya JINMEI 神明達哉 result = dns_message_findname(client->message, section,
7781f25078c491a9650dec555bdc86cb0ed49861Tatuya JINMEI 神明達哉 * We've already got an RRset of the given name and type.
7781f25078c491a9650dec555bdc86cb0ed49861Tatuya JINMEI 神明達哉 * There's nothing else to do;
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt CTRACE("query_addrrset: dns_message_findname succeeded: done");
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt * The name doesn't exist.
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt dns_message_addname(client->message, name, section);
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 if (rdataset->trust != dns_trust_secure &&
8ac908b38a2fd9b780ae3a27ff26932a17823ae0Mark Andrews client->query.attributes &= ~NS_QUERYATTR_SECURE;
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * Note: we only add SIGs if we've added the type they cover, so
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * we do not need to check if the SIG rdataset is already in the
d9059b0c38bd630c367d81424d72b1308cd74b04Tatuya JINMEI 神明達哉 if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews * We have a signature. Add it to the response.
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews ISC_LIST_APPEND(mname->list, sigrdataset, link);
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrewsquery_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews unsigned int override_ttl, isc_boolean_t isassociated)
8907d8fa04fdaa65baf0bc6b01230b2ebde93106Mark Andrews dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
return (ISC_R_SUCCESS);
return (result);
goto cleanup;
goto cleanup;
goto cleanup;
return (eresult);
static inline isc_result_t
return (result);
goto cleanup;
goto cleanup;
return (eresult);
static isc_result_t
isc_region_t r;
return (result);
return (result);
return (result);
return (result);
return (result);
== ISC_R_SUCCESS);
return (ISC_R_SUCCESS);
0, NULL);
0, NULL);
static isc_boolean_t
return (ISC_FALSE);
return (ISC_FALSE);
return (ISC_FALSE);
isc_buffer_t b;
return (secure);
static isc_boolean_t
goto again;
return (ISC_TRUE);
return (ISC_FALSE);
static isc_boolean_t
return (ISC_FALSE);
return (ISC_FALSE);
return (ISC_TRUE);
return (ISC_FALSE);
isc_buffer_t b;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
if (is_zone) {
goto cleanup;
goto db_find;
goto cleanup;
if (use_zone) {
goto cleanup;
goto cleanup;
* If the answer is secure only add NS records if they are secure * when the client may be looking for AD in the response.
goto cleanup;
unsigned int count;
goto cleanup;
goto addnsec3;
goto addnsec3;
goto cleanup;
&rname);
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
unsigned int options;
int order;
goto cleanup;
goto cleanup;
if (labels == 0U)
goto cleanup;
goto cleanup;
if (!ispositive)
goto cleanup;
goto cleanup;
goto cleanup;
if (ispositive)
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
if (!ispositive)
&olabels);
&nlabels);
goto cleanup;
if (have_wname) {
goto again;
unsigned int labels;
int errorloglevel;
if (fetch_canceled)
unsigned int options;
static isc_result_t
if (!resuming)
return (result);
return (ISC_R_NOMEMORY);
return (ISC_R_NOMEMORY);
return (result);
static inline isc_result_t
return (DNS_R_SERVFAIL);
return (ISC_R_SUCCESS);
static dns_rpz_zbits_t
switch (rpz_type) {
case DNS_RPZ_TYPE_CLIENT_IP:
case DNS_RPZ_TYPE_QNAME:
case DNS_RPZ_TYPE_IP:
case DNS_RPZ_TYPE_NSDNAME:
case DNS_RPZ_TYPE_NSIP:
INSIST(0);
return (zbits);
static isc_result_t
return (result);
return (result);
return (result);
return (result);
static isc_result_t
switch (rpz_type) {
case DNS_RPZ_TYPE_CLIENT_IP:
case DNS_RPZ_TYPE_QNAME:
case DNS_RPZ_TYPE_IP:
case DNS_RPZ_TYPE_NSDNAME:
case DNS_RPZ_TYPE_NSIP:
INSIST(0);
first = 0;
&prefix);
return (ISC_R_SUCCESS);
return (ISC_R_FAILURE);
if (first == 0) {
++first;
static isc_result_t
return (DNS_R_SERVFAIL);
return (DNS_R_NXDOMAIN);
&rdsiter);
return (DNS_R_SERVFAIL);
return (DNS_R_SERVFAIL);
* Ask again to get the right DNS_R_DNAME/NXRRSET/...
switch (result) {
case ISC_R_SUCCESS:
return (DNS_R_CNAME);
return (ISC_R_SUCCESS);
case DNS_R_NXRRSET:
return (result);
case DNS_R_DNAME:
case DNS_R_NXDOMAIN:
case DNS_R_EMPTYNAME:
return (DNS_R_NXDOMAIN);
return (DNS_R_SERVFAIL);
static isc_result_t
while (zbits != 0) {
switch (result) {
case DNS_R_NXDOMAIN:
case DNS_R_SERVFAIL:
return (DNS_R_SERVFAIL);
return (ISC_R_SUCCESS);
static isc_result_t
if (zbits == 0)
return (ISC_R_SUCCESS);
switch (result) {
case ISC_R_SUCCESS:
case DNS_R_GLUE:
case DNS_R_ZONECUT:
case DNS_R_EMPTYNAME:
case DNS_R_EMPTYWILD:
case DNS_R_NXDOMAIN:
case DNS_R_NCACHENXDOMAIN:
case DNS_R_NXRRSET:
case DNS_R_NCACHENXRRSET:
case ISC_R_NOTFOUND:
return (ISC_R_SUCCESS);
case DNS_R_DELEGATION:
case DNS_R_DUPLICATE:
case DNS_R_DROP:
return (result);
case DNS_R_CNAME:
case DNS_R_DNAME:
return (ISC_R_SUCCESS);
result);
return (DNS_R_SERVFAIL);
case dns_rdatatype_a:
case dns_rdatatype_aaaa:
return (result);
return (ISC_R_SUCCESS);
static isc_result_t
return (result);
static isc_result_t
if (zbits == 0)
return (ISC_R_SUCCESS);
if (zbits == 0)
return (ISC_R_SUCCESS);
for (rpz_num = 0;
zbits != 0;
switch (result) {
case DNS_R_NXDOMAIN:
case DNS_R_SERVFAIL:
return (DNS_R_SERVFAIL);
* st->m.rpz->num > rpz->num or st->m.type >= rpz_type
* could publish "evil.com A 10.2.3.4" and request
* evil.com to get the same information.
unsigned int labels;
return (ISC_R_SUCCESS);
return (ISC_R_SUCCESS);
static isc_result_t
int qresult_type;
return (ISC_R_NOMEMORY);
switch (qresult) {
case ISC_R_SUCCESS:
case DNS_R_GLUE:
case DNS_R_ZONECUT:
qresult_type = 0;
case DNS_R_EMPTYNAME:
case DNS_R_NXRRSET:
case DNS_R_NXDOMAIN:
case DNS_R_EMPTYWILD:
case DNS_R_NCACHENXDOMAIN:
case DNS_R_NCACHENXRRSET:
case DNS_R_CNAME:
case DNS_R_DNAME:
case DNS_R_DELEGATION:
case ISC_R_NOTFOUND:
case ISC_R_FAILURE:
case ISC_R_TIMEDOUT:
case DNS_R_BROKENCHAIN:
return (ISC_R_SUCCESS);
qresult);
return (ISC_R_SUCCESS);
if (allowed == 0)
return (ISC_R_SUCCESS);
if (zbits != 0) {
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
DNS_RPZ_TYPE_NSDNAME) == 0 &&
DNS_RPZ_TYPE_NSIP) == 0) {
goto cleanup;
resuming);
goto cleanup;
switch (result) {
case ISC_R_SUCCESS:
goto cleanup;
case DNS_R_DELEGATION:
goto cleanup;
case DNS_R_EMPTYNAME:
case DNS_R_NXRRSET:
case DNS_R_EMPTYWILD:
case DNS_R_NXDOMAIN:
case DNS_R_NCACHENXDOMAIN:
case DNS_R_NCACHENXRRSET:
case ISC_R_NOTFOUND:
case DNS_R_CNAME:
case DNS_R_DNAME:
0, NULL);
case ISC_R_TIMEDOUT:
case DNS_R_BROKENCHAIN:
case ISC_R_FAILURE:
goto cleanup;
&rdataset);
goto cleanup;
goto cleanup;
DNS_RPZ_TYPE_NSDNAME) == 0 &&
DNS_RPZ_TYPE_NSIP) == 0)
return (result);
static isc_boolean_t
return (ISC_TRUE);
return (ISC_FALSE);
return (ISC_TRUE);
return (ISC_FALSE);
return (ISC_TRUE);
return (ISC_FALSE);
return (ISC_TRUE);
return (ISC_FALSE);
return (ISC_TRUE);
* Add a CNAME to the query response, including translating foo.evil.com and
* foo.evil.com CNAME foo.evil.com.example.com
static isc_result_t
unsigned int labels;
return (result);
return (result);
return (ISC_R_SUCCESS);
#define QUERY_ERROR(r) \
eresult = r; \
#define RECURSE_ERROR(r) \
QUERY_ERROR(r); \
static isc_result_t
case dns_rdatatype_a:
return (ISC_R_SUCCESS);
case dns_rdatatype_aaaa:
return (ISC_R_SUCCESS);
return (ISC_R_NOTIMPLEMENTED);
return (INT_MAX);
return (INT_MAX);
case NS_SORTLISTTYPE_1ELEMENT:
case NS_SORTLISTTYPE_2ELEMENT:
case NS_SORTLISTTYPE_NONE:
INSIST(0);
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
#define NS_NAME_INIT(A,B) \
&rfc1918names[i],
&found);
unsigned int dboptions;
skip++;
&name);
goto again;
if (exact)
} else if (!exact)
if (skip != 0U)
found);
#ifdef ALLOW_FILTER_AAAA
static isc_boolean_t
return (ISC_TRUE);
return (ISC_TRUE);
return (ISC_FALSE);
static isc_boolean_t
return (ISC_TRUE);
return (ISC_FALSE);
static isc_uint32_t
goto cleanup;
goto cleanup;
goto cleanup;
return (ttl);
static isc_boolean_t
unsigned int flags = 0;
unsigned int i, count;
return (ISC_TRUE);
for (i = 0; i < count; i++) {
return (ISC_TRUE);
return (ISC_FALSE);
static isc_boolean_t
return (ISC_FALSE);
return (ISC_FALSE);
return (ISC_FALSE);
return (ISC_FALSE);
return (ISC_FALSE);
ISC_TRUE);
return (ISC_FALSE);
return (ISC_FALSE);
return (ISC_FALSE);
return (ISC_FALSE);
return (ISC_TRUE);
static isc_result_t
unsigned int n, nlabels;
int order;
isc_buffer_t b;
unsigned int options;
options = 0;
goto cleanup;
goto cleanup;
goto cleanup;
goto resume;
sizeof(classname));
goto cleanup;
&tversion);
goto cleanup;
if (is_zone) {
if (is_zone) {
goto cleanup;
goto cleanup;
goto cleanup;
DNS_RDATASETATTR_NEGATIVE) != 0) {
&nc_rdataset);
& NS_CLIENTATTR_TCP) != 0),
if (wouldlog) {
goto cleanup;
switch (rresult) {
case ISC_R_SUCCESS:
case DNS_R_DELEGATION:
goto cleanup;
goto cleanup;
case DNS_RPZ_POLICY_TCP_ONLY:
goto cleanup;
case DNS_RPZ_POLICY_DROP:
goto cleanup;
case DNS_RPZ_POLICY_NXDOMAIN:
case DNS_RPZ_POLICY_NODATA:
case DNS_RPZ_POLICY_RECORD:
case DNS_RPZ_POLICY_WILDCNAME:
NULL);
goto cleanup;
goto cleanup;
case DNS_RPZ_POLICY_CNAME:
* Add overridding CNAME from a named.conf
goto cleanup;
goto cleanup;
INSIST(0);
switch (result) {
case ISC_R_SUCCESS:
case DNS_R_GLUE:
case DNS_R_ZONECUT:
case ISC_R_NOTFOUND:
if (dns64)
if (dns64_exclude)
goto cleanup;
goto cleanup;
case DNS_R_DELEGATION:
if (is_zone) {
&tversion);
&sigrdataset);
&fname);
goto db_find;
goto db_find;
&sigrdataset);
else if (dns64)
resuming);
if (dns64)
if (dns64_exclude)
goto cleanup;
case DNS_R_EMPTYNAME:
case DNS_R_NXRRSET:
if (dns64)
goto cleanup;
goto cleanup;
if (dns64_excluded)
goto db_find;
!(ns_g_nonearest &&
unsigned int count;
unsigned int skip;
dbuf,
found);
goto cleanup;
NULL);
goto cleanup;
&sigrdataset);
goto cleanup;
case DNS_R_EMPTYWILD:
case DNS_R_NXDOMAIN:
if (!empty_wild &&
type))
goto cleanup;
if (empty_wild)
goto cleanup;
case DNS_R_NCACHENXDOMAIN:
type))
case DNS_R_NCACHENXRRSET:
if (dns64)
goto cleanup;
goto cleanup;
if (dns64_excluded)
goto db_find;
goto cleanup;
case DNS_R_CNAME:
NULL);
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto addauth;
case DNS_R_DNAME:
NULL);
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
goto addauth;
goto cleanup;
#ifdef ALLOW_FILTER_AAAA
ISC_TRUE);
#ifdef ALLOW_FILTER_AAAA
goto cleanup;
#ifdef ALLOW_FILTER_AAAA
#ifdef ALLOW_FILTER_AAAA
#ifdef ALLOW_FILTER_AAAA
if (!is_zone) {
goto addauth;
sizeof(namebuf));
goto nxrrset_rrsig;
goto cleanup;
#ifdef ALLOW_FILTER_AAAA
dns_rdatatype_a, 0,
} else if (authoritative ||
NS_CLIENTATTR_FILTER_AAAA_RC) != 0) {
goto cleanup;
goto db_find;
if (dns64) {
if (dns64_exclude) {
if (!is_zone)
goto cleanup;
goto cleanup;
if (is_zone)
goto iszone_nxrrset;
goto ncache_nxrrset;
goto cleanup;
if (is_zone) {
goto restart;
if (resuming &&
return (eresult);
onbuf);
sizeof(namebuf));
sizeof(classname));
sizeof(typename));
switch (qtype) {
case dns_rdatatype_any:
case dns_rdatatype_ixfr:
case dns_rdatatype_axfr:
case dns_rdatatype_maila:
case dns_rdatatype_mailb:
case dns_rdatatype_tkey:
if (!ns_g_noaa)