query.c revision 7946047f2d272e400167571b32ff3e7b346924a2
/*
* Copyright (C) 1999-2001 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
* DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
* INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
* FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
* NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.174 2001/01/11 20:48:27 gson Exp $ */
#include <config.h>
#include <string.h>
#ifdef DNS_OPT_NEWCODES
#endif /* DNS_OPT_NEWCODES */
#include <dns/rdataclass.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/resolver.h>
#include <named/sortlist.h>
NS_QUERYATTR_PARTIALANSWER) != 0)
NS_QUERYATTR_CACHEOK) != 0)
NS_QUERYATTR_RECURSIONOK) != 0)
NS_QUERYATTR_RECURSING) != 0)
NS_QUERYATTR_CACHEGLUEOK) != 0)
NS_QUERYATTR_WANTRECURSION) != 0)
NS_QUERYATTR_WANTDNSSEC) != 0)
#if 0
ISC_LOG_DEBUG(3), \
"client %p: %s", client, (m))
ISC_LOG_DEBUG(3), \
"query %p: %s", query, (m))
#else
#define CTRACE(m) ((void)m)
#define QTRACE(m) ((void)m)
#endif
#define DNS_GETDB_NOEXACT 0x01U
#define DNS_GETDB_NOLOG 0x02U
static unsigned char ip6int_ndata[] = "\003ip6\003int";
static dns_name_t ip6int_name = {
{(void *)-1, (void *)-1},
};
static isc_result_t
static inline void
static void
static void
static void
static void
static void
static void
static void
static void
static void
static void
/*
* Increment query statistics counters.
*/
static void
{
}
}
static inline void
/*
* client->query.qname was dynamically allocated.
*/
}
}
static inline void
unsigned int i;
/*
* Reset the query state of a client to its default state.
*/
/*
* Cancel the fetch if it's running.
*/
}
/*
* Cleanup any active versions.
*/
dbversion = dbversion_next) {
}
/*
* Clean up free versions.
*/
dbversion = dbversion_next, i++) {
/*
* If we're not freeing everything, we keep the first three
* dbversions structures around.
*/
if (i > 3 || everything) {
link);
sizeof *dbversion);
}
}
}
}
}
static void
}
void
}
static inline isc_result_t
CTRACE("query_newnamebuf");
/*
* Allocate a name buffer.
*/
if (result != ISC_R_SUCCESS) {
CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
return (result);
}
CTRACE("query_newnamebuf: done");
return (ISC_R_SUCCESS);
}
static inline isc_buffer_t *
isc_region_t r;
CTRACE("query_getnamebuf");
/*
* Return a name buffer with space for a maximal name, allocating
* a new one if necessary.
*/
if (result != ISC_R_SUCCESS) {
CTRACE("query_getnamebuf: query_newnamebuf failed: done");
return (NULL);
}
}
if (r.length < 255) {
if (result != ISC_R_SUCCESS) {
CTRACE("query_getnamebuf: query_newnamebuf failed: done");
return (NULL);
}
}
CTRACE("query_getnamebuf: done");
return (dbuf);
}
static inline void
isc_region_t r;
CTRACE("query_keepname");
/*
* 'name' is using space in 'dbuf', but 'dbuf' has not yet been
* adjusted to take account of that. We do the adjustment.
*/
dns_name_toregion(name, &r);
}
static inline void
/*
* 'name' is no longer needed. Return it to our pool of temporary
* names. If it is using a name buffer, relinquish its exclusive
* rights on the buffer.
*/
CTRACE("query_releasename");
if (dns_name_hasbuffer(name)) {
!= 0);
}
CTRACE("query_releasename: done");
}
static inline dns_name_t *
{
isc_region_t r;
CTRACE("query_newname");
if (result != ISC_R_SUCCESS) {
CTRACE("query_newname: dns_message_gettempname failed: done");
return (NULL);
}
CTRACE("query_newname: done");
return (name);
}
static inline dns_rdataset_t *
CTRACE("query_newrdataset");
if (result != ISC_R_SUCCESS) {
CTRACE("query_newrdataset: "
"dns_message_gettemprdataset failed: done");
return (NULL);
}
CTRACE("query_newrdataset: done");
return (rdataset);
}
static inline void
CTRACE("query_putrdataset");
}
CTRACE("query_putrdataset: done");
}
static inline isc_result_t
unsigned int i;
for (i = 0; i < n; i++) {
} else {
/*
* We only return ISC_R_NOMEMORY if we couldn't
* allocate anything.
*/
if (i == 0)
return (ISC_R_NOMEMORY);
else
return (ISC_R_SUCCESS);
}
}
return (ISC_R_SUCCESS);
}
static inline ns_dbversion_t *
if (result != ISC_R_SUCCESS)
return (NULL);
}
return (dbversion);
}
if (result != ISC_R_SUCCESS)
return (result);
return (query_newnamebuf(client));
}
static inline ns_dbversion_t *
{
/*
* We may already have done a query related to this
* database. If so, we must be sure to make subsequent
* queries from the same version.
*/
break;
}
/*
* This is a new zone for this query. Add it to
* the active list.
*/
return (NULL);
} else
return (dbversion);
}
static inline isc_result_t
{
unsigned int ztoptions;
/*
* Find a zone database to answer the query.
*/
DNS_ZTFIND_NOEXACT : 0;
&zone);
if (result != ISC_R_SUCCESS)
goto fail;
/*
* If this is the first time we are called (that is, looking up
* the actual name in the query section) remember this database.
*
* If authdb is non-NULL, we have been here before, and the
* found database is always returned.
*
* This limits our searching to the zone where the first name
* (the query target) is found. This prevents following CNAMES
* or DNAMES into other zones and prevents returning additional
* data from other zones.
*/
goto refuse;
} else {
}
}
/*
* If the zone has an ACL, we'll check it, otherwise
* we use the view's "allow-query" ACL. Each ACL is only checked
* once per query.
*
* Also, get the database version to use.
*/
/*
* Get the current version of this database.
*/
goto fail;
}
if (new_zone) {
goto refuse;
} else {
}
NS_QUERYATTR_QUERYOKVALID) != 0) {
/*
* We've evaluated the view's queryacl already. If
* NS_QUERYATTR_QUERYOK is set, then the client is
* allowed to make queries, otherwise the query should
* be refused.
*/
NS_QUERYATTR_QUERYOK) == 0)
goto refuse;
} else {
/*
* We haven't evaluated the view's queryacl yet.
*/
}
}
if (check_acl) {
if (result == ISC_R_SUCCESS) {
/*
* We were allowed by the default
* "allow-query" ACL. Remember this so we
* don't have to check again.
*/
}
/*
* We've now evaluated the view's query ACL, and
* the NS_QUERYATTR_QUERYOK attribute is now valid.
*/
}
if (result != ISC_R_SUCCESS)
goto refuse;
}
/* Approved. */
/*
* Remember the result of the ACL check so we
* don't have to check again.
*/
/* Transfer ownership. */
return (ISC_R_SUCCESS);
fail:
dns_db_detach(&db);
return (result);
}
static inline isc_result_t
{
/*
* Find a cache database to answer the query.
* This may fail with DNS_R_REFUSED if the client
* is not allowed to use the cache.
*/
return (DNS_R_REFUSED);
NS_QUERYATTR_QUERYOKVALID) != 0) {
/*
* We've evaluated the view's queryacl already. If
* NS_QUERYATTR_QUERYOK is set, then the client is
* allowed to make queries, otherwise the query should
* be refused.
*/
NS_QUERYATTR_QUERYOK) == 0)
goto refuse;
} else {
/*
* We haven't evaluated the view's queryacl yet.
*/
}
if (check_acl) {
if (result == ISC_R_SUCCESS) {
/*
* We were allowed by the default
* "allow-query" ACL. Remember this so we
* don't have to check again.
*/
}
/*
* We've now evaluated the view's query ACL, and
* the NS_QUERYATTR_QUERYOK attribute is now valid.
*/
if (result != ISC_R_SUCCESS)
goto refuse;
}
/* Approved. */
/* Transfer ownership. */
return (ISC_R_SUCCESS);
dns_db_detach(&db);
return (result);
}
static inline isc_result_t
{
#ifdef DNS_OPT_NEWCODES_LIVE
if (result == ISC_R_SUCCESS)
else
} else {
versionp);
if (result == ISC_R_SUCCESS) {
} else if (result == ISC_R_NOTFOUND) {
}
}
#else /* DNS_OPT_NEWCODES_LIVE */
if (result == ISC_R_SUCCESS) {
} else if (result == ISC_R_NOTFOUND) {
}
#endif /* DNS_OPT_NEWCODES_LIVE */
return (result);
}
static isc_result_t
{
unsigned int dboptions;
if (sigrdataset != NULL)
/*
* Find a database to answer the query.
*/
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* Now look for an answer in the database.
*/
if (result == DNS_R_DELEGATION ||
result == ISC_R_NOTFOUND) {
if (sigrdataset != NULL &&
if (is_zone) {
/*
* Either the answer is in the cache, or we
* don't know it.
*/
dns_db_detach(&db);
goto db_find;
}
} else {
/*
* We don't have the data in the cache. If we've got
* glue from the zone, use it.
*/
if (dns_rdataset_isassociated(&zrdataset)) {
if (sigrdataset != NULL &&
goto cleanup;
}
}
/*
* We don't know the answer.
*/
} else if (result == DNS_R_GLUE) {
/*
* We found an answer, but the cache may be better.
* Remember what we've got and go look in the cache.
*/
if (sigrdataset != NULL &&
{
}
dns_db_detach(&db);
goto db_find;
}
/*
* Otherwise, the glue is the best answer.
*/
} else if (result != ISC_R_SUCCESS) {
if (sigrdataset != NULL &&
}
/*
* If we get here, the result is ISC_R_SUCCESS, and we found the
* answer we were looking for in the zone. Update the zone's
* query counter.
*/
if (result == ISC_R_SUCCESS)
if (dns_rdataset_isassociated(&zrdataset)) {
if (sigrdataset != NULL &&
}
dns_db_detach(&db);
return (result);
}
static inline isc_boolean_t
{
CTRACE("query_isduplicate");
for (section = DNS_SECTION_ANSWER;
section++) {
if (result == ISC_R_SUCCESS) {
/*
* We've already got this RRset in the response.
*/
CTRACE("query_isduplicate: true: done");
return (ISC_TRUE);
} else if (result == DNS_R_NXRRSET) {
/*
* The name exists, but the rdataset does not.
*/
if (section == DNS_SECTION_ADDITIONAL)
break;
} else
}
/*
* If the dns_name_t we're lookup up is already in the message,
* we don't want to trigger the caller's name replacement logic.
*/
CTRACE("query_isduplicate: false: done");
return (ISC_FALSE);
}
static isc_result_t
isc_buffer_t b;
return (ISC_R_SUCCESS);
CTRACE("query_addadditional");
/*
* Initialization.
*/
sigrdataset = NULL;
a6rdataset = NULL;
/*
* We treat type A additional section processing as if it
* were "any address type" additional section processing.
* To avoid multiple lookups, we do an 'any' database
* lookup and iterate over the node.
*/
if (qtype == dns_rdatatype_a)
else
/*
* Get some resources.
*/
goto cleanup;
goto cleanup;
if (WANTDNSSEC(client)) {
if (sigrdataset == NULL)
goto cleanup;
}
/*
* Look for a zone database that might contain authoritative
* additional data.
*/
if (result != ISC_R_SUCCESS)
goto try_cache;
CTRACE("query_addadditional: db_find");
/*
* Since we are looking for authoritative data, we do not set
* the GLUEOK flag. Glue will be looked for later, but not
* necessarily in the same database.
*/
if (result == ISC_R_SUCCESS)
goto found;
dns_db_detach(&db);
/*
* No authoritative data was found. The cache is our next best bet.
*/
if (result != ISC_R_SUCCESS)
/*
* Most likely the client isn't allowed to query the cache.
*/
goto try_glue;
if (result == ISC_R_SUCCESS)
goto found;
dns_db_detach(&db);
/*
* No cached data was found. Glue is our last chance.
* RFC1035 sayeth:
*
* NS records cause both the usual additional section
* processing to locate a type A record, and, when used
* in a referral, a special search of the zone in which
* they reside for glue information.
*
* This is the "special search". Note that we must search
* the zone where the NS record resides, not the zone it
* points to, and that we only do the search in the delegation
* case (identified by client->query.gluedb being set).
*/
goto cleanup;
if (!(result == ISC_R_SUCCESS ||
result == DNS_R_ZONECUT ||
result == DNS_R_GLUE))
goto cleanup;
/*
* We have found a potential additional data rdataset, or
* at least a node to iterate over.
*/
/*
* If we have an rdataset, add it to the additional data
* section.
*/
if (dns_rdataset_isassociated(rdataset) &&
} else
/*
* Note: we only add SIGs if we've added the type they cover,
* so we do not need to check if the SIG rdataset is already
* in the response.
*/
if (sigrdataset != NULL &&
{
sigrdataset = NULL;
}
}
if (qtype == dns_rdatatype_a) {
/*
* We now go looking for A, A6, and AAAA records, along with
* their signatures.
*
* XXXRTH This code could be more efficient.
*/
} else {
goto addname;
}
if (sigrdataset != NULL) {
} else if (WANTDNSSEC(client)) {
if (sigrdataset == NULL)
goto addname;
}
dns_rdatatype_a, 0,
if (result == DNS_R_NCACHENXDOMAIN)
goto addname;
if (result == DNS_R_NCACHENXRRSET) {
/*
* Negative cache entries don't have sigrdatasets.
*/
}
if (result == ISC_R_SUCCESS) {
dns_rdatatype_a, &mname)) {
} else
if (sigrdataset != NULL &&
{
sigrdataset, link);
}
goto addname;
goto addname;
} else {
if (sigrdataset != NULL &&
}
}
dns_rdatatype_a6, 0,
if (result == DNS_R_NCACHENXDOMAIN)
goto addname;
if (result == DNS_R_NCACHENXRRSET) {
}
if (result == ISC_R_SUCCESS) {
dns_rdatatype_a6, &mname)) {
} else
if (sigrdataset != NULL &&
{
sigrdataset, link);
}
goto addname;
goto addname;
} else {
if (sigrdataset != NULL &&
}
}
if (result == DNS_R_NCACHENXDOMAIN)
goto addname;
if (result == DNS_R_NCACHENXRRSET) {
}
if (result == ISC_R_SUCCESS) {
dns_rdatatype_aaaa, &mname)) {
} else
if (sigrdataset != NULL &&
{
sigrdataset, link);
sigrdataset = NULL;
}
}
}
}
CTRACE("query_addadditional: addname");
/*
* If we haven't added anything, then we're done.
*/
if (!added_something)
goto cleanup;
/*
* We may have added our rdatasets to an existing name, if so, then
* need_addname will be ISC_FALSE. Whether we used an existing name
* or a new one, we must set fname to NULL to prevent cleanup.
*/
if (need_addname)
/*
* In a few cases, we want to add additional data for additional
* data. It's simpler to just deal with special cases here than
* to try to create a general purpose mechanism and allow the
* rdata implementations to do it themselves.
*
* This involves recursion, but the depth is limited. The
* most complex case is adding a SRV rdataset, which involves
* recursing to add address records, which in turn can cause
* recursion to add KEYs.
*/
/*
* RFC 2535 section 3.5 says that when A or AAAA records are
* retrieved as additional data, any KEY RRs for the owner name
* should be added to the additional data section. Note: we
* do NOT include A6 in the list of types with such treatment
* in additional data because we'd have to do it for each A6
* in the A6 chain.
*
* XXXRTH We should lower the priority here. Alternatively,
* we could raise the priority of glue records.
*/
/*
* If we're adding SRV records to the additional data
* section, it's helpful if we add the SRV additional data
* as well.
*/
client);
}
/*
* If we added an A6 rdataset, we should also add everything we
* know about the A6 chains. We wait until now to do this so that
* they'll come after any additional data added above.
*/
if (a6rdataset != NULL) {
}
CTRACE("query_addadditional: cleanup");
if (sigrdataset != NULL)
dns_db_detach(&db);
CTRACE("query_addadditional: done");
return (eresult);
}
static void
{
isc_buffer_t b, *dbuf;
/*
* Add an rrset to the additional data section.
*/
/*
* Get some resources...
*/
csigrdataset = NULL;
goto cleanup;
goto cleanup;
if (sigrdataset != NULL) {
if (csigrdataset == NULL)
goto cleanup;
}
goto cleanup;
goto cleanup;
} else {
}
/*
* Note: we only add SIGs if we've added the type they cover, so
* we do not need to check if the SIG rdataset is already in the
* response.
*/
csigrdataset = NULL;
}
/*
* In spite of RFC 2535 section 3.5, we don't currently try to add
* KEY RRs for the A6 records. It's just too much work.
*/
if (sigrdataset != NULL)
}
static inline void
{
/*
* Add 'rdataset' and any pertinent additional data to
* 'fname', a name in the response message for 'client'.
*/
CTRACE("query_addrdataset");
/*
* Add additional data.
*
* We don't care if dns_a6_foreach or dns_rdataset_additionaldata()
* fail.
*/
if (type == dns_rdatatype_a6) {
} else
/*
* RFC 2535 section 3.5 says that when NS, SOA, A, or AAAA records
* are retrieved, any KEY RRs for the owner name should be added
* to the additional data section. We treat A6 records the same way.
*
* We don't care if query_addadditional() fails.
*/
type == dns_rdatatype_a6) {
/*
* XXXRTH We should lower the priority here. Alternatively,
* we could raise the priority of glue records.
*/
}
CTRACE("query_addrdataset: done");
}
static void
{
/*
* To the current response for 'client', add the answer RRset
* '*rdatasetp' and an optional signature set '*sigrdatasetp', with
* owner name '*namep', to section 'section', unless they are
* already there. Also add any pertinent additional data.
*
* If 'dbuf' is not NULL, then '*namep' is the name whose data is
* stored in 'dbuf'. In this case, query_addrrset() guarantees that
* when it returns the name will either have been kept or released.
*/
CTRACE("query_addrrset");
if (sigrdatasetp != NULL)
else
sigrdataset = NULL;
if (result == ISC_R_SUCCESS) {
/*
* We've already got an RRset of the given name and type.
* There's nothing else to do;
*/
CTRACE("query_addrrset: dns_message_findname succeeded: done");
return;
} else if (result == DNS_R_NXDOMAIN) {
/*
* The name doesn't exist.
*/
} else {
}
/*
* Note: we only add SIGs if we've added the type they cover, so
* we do not need to check if the SIG rdataset is already in the
* response.
*/
/*
* We have a signature. Add it to the response.
*/
*sigrdatasetp = NULL;
}
CTRACE("query_addrrset: done");
}
static inline isc_result_t
CTRACE("query_addsoa");
/*
* Initialization.
*/
/*
* Get resources and make 'name' be the database origin.
*/
if (result != ISC_R_SUCCESS)
return (result);
goto cleanup;
}
if (WANTDNSSEC(client)) {
if (sigrdataset == NULL) {
goto cleanup;
}
}
/*
* Find the SOA.
*/
if (result != ISC_R_SUCCESS) {
/*
* This is bad. We tried to get the SOA RR at the zone top
* and it didn't work!
*/
} else {
/*
* Extract the SOA MINIMUM.
*/
if (zero_ttl) {
if (sigrdataset != NULL)
sigrdataset->ttl = 0;
}
/*
* Add the SOA and its SIG to the response, with the
* TTLs adjusted per RFC2308 section 3.
*/
if (sigrdataset != NULL)
else
sigrdatasetp = NULL;
}
if (sigrdataset != NULL)
return (eresult);
}
static inline isc_result_t
CTRACE("query_addns");
/*
* Initialization.
*/
/*
* Get resources and make 'name' be the database origin.
*/
if (result != ISC_R_SUCCESS) {
CTRACE("query_addns: dns_message_gettempname failed: done");
return (result);
}
CTRACE("query_addns: query_newrdataset failed");
goto cleanup;
}
if (WANTDNSSEC(client)) {
if (sigrdataset == NULL) {
CTRACE("query_addns: query_newrdataset failed");
goto cleanup;
}
}
/*
* Find the NS rdataset.
*/
CTRACE("query_addns: calling dns_db_find");
CTRACE("query_addns: dns_db_find complete");
if (result != ISC_R_SUCCESS) {
CTRACE("query_addns: dns_db_find failed");
/*
* This is bad. We tried to get the NS rdataset at the zone
* top and it didn't work!
*/
} else {
if (sigrdataset != NULL)
else
sigrdatasetp = NULL;
}
CTRACE("query_addns: cleanup");
if (sigrdataset != NULL)
CTRACE("query_addns: done");
return (eresult);
}
static inline isc_result_t
{
isc_region_t r;
/*
* We assume the name data referred to by qname and tname won't
* go away.
*/
if (result != ISC_R_SUCCESS)
return (result);
if (result != ISC_R_SUCCESS)
return (result);
if (result != ISC_R_SUCCESS)
return (result);
dns_name_toregion(tname, &r);
}
return (ISC_R_SUCCESS);
}
static void
isc_buffer_t b;
CTRACE("query_addbestns");
sigrdataset = NULL;
zsigrdataset = NULL;
/*
* Find the right database.
*/
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* We'll need some resources...
*/
goto cleanup;
goto cleanup;
if (WANTDNSSEC(client)) {
if (sigrdataset == NULL)
goto cleanup;
}
/*
* Now look for the zonecut.
*/
if (is_zone) {
if (result != DNS_R_DELEGATION)
goto cleanup;
goto db_find;
}
} else {
if (result == ISC_R_SUCCESS) {
/*
* We found a zonecut in the cache, but our
* zone delegation is better.
*/
}
/*
* We didn't find anything in the cache, but we
* have a zone delegation, so use it.
*/
} else
goto cleanup;
}
if (use_zone) {
/*
* We've already done query_keepname() on
* zfname, so we must set dbuf to NULL to
* prevent query_addrrset() from trying to
* call query_keepname() again.
*/
if (sigrdataset != NULL)
zsigrdataset = NULL;
}
goto cleanup;
if (sigrdataset != NULL)
dns_db_detach(&db);
if (zsigrdataset != NULL)
dns_db_detach(&zdb);
}
}
static void
/*
* Resume a query after recursion.
*/
/*
* This is the fetch we've been waiting for.
*/
/*
* Update client->now.
*/
} else {
/*
* This is a fetch completion event for a cancelled fetch.
* Clean up and don't resume the find.
*/
}
/*
* If this client is shutting down, or this transaction
* has timed out, do not resume the find.
*/
if (fetch_cancelled || client_shuttingdown) {
/*
* This may destroy the client.
*/
} else {
}
}
static isc_result_t
{
/*
* We are about to recurse, which means that this client will
* be unavailable for serving new requests for an indeterminate
* amount of time. If this client is currently responsible
* for handling incoming queries, set up a new client
* object to handle them while we are waiting for a
* response.
*/
&client->recursionquota);
if (result == ISC_R_SUCCESS)
if (result != ISC_R_SUCCESS) {
"no more recursive clients: %s",
return (result);
}
}
/*
* Invoke the resolver.
*/
return (ISC_R_NOMEMORY);
if (WANTDNSSEC(client)) {
if (sigrdataset == NULL) {
return (ISC_R_NOMEMORY);
}
} else
sigrdataset = NULL;
if (result == ISC_R_SUCCESS) {
/*
* Record that we're waiting for an event. A client which
* is shutting down will not be destroyed until all the
* events have been received.
*/
} else {
if (sigrdataset != NULL)
}
return (result);
}
static inline isc_result_t
{
/*
* 'name' is at a zone cut. Try to find a KEY for 'name' in
* the deepest ancestor zone of 'name' (if any). If it exists,
* update *zonep, *dbp, *nodep, rdataset, and sigrdataset and
* return ISC_R_SUCCESS. If not, leave them alone and return a
* non-success status.
*/
if (sigrdataset != NULL)
if (result != ISC_R_SUCCESS)
goto cleanup;
if (!is_zone) {
goto cleanup;
}
if (sigrdataset != NULL)
else
if (result == ISC_R_SUCCESS) {
if (sigrdataset != NULL) {
}
}
dns_db_detach(&pdb);
return (result);
}
#define MAX_RESTARTS 16
#define QUERY_ERROR(r) \
do { \
eresult = r; \
want_restart = ISC_FALSE; \
} while (0)
/*
* Extract a network address from the RDATA of an A or AAAA
* record.
*
* Returns:
* ISC_R_SUCCESS
* ISC_R_NOTIMPLEMENTED The rdata is not a known address type.
*/
static isc_result_t
case dns_rdatatype_a:
return (ISC_R_SUCCESS);
case dns_rdatatype_aaaa:
return (ISC_R_SUCCESS);
default:
return (ISC_R_NOTIMPLEMENTED);
}
}
/*
* Find the sort order of 'rdata' in the topology-like
* ACL forming the second element in a 2-element top-level
* sortlist statement.
*/
static int
return (INT_MAX);
}
/*
* Find the sort order of 'rdata' in the matching element
* of a 1-element top-level sortlist statement.
*/
static int
return (INT_MAX);
}
/*
* Find the sortlist statement that applies to 'client' and set up
* the sortlist info in in client->message appropriately.
*/
static void
case NS_SORTLISTTYPE_1ELEMENT:
break;
case NS_SORTLISTTYPE_2ELEMENT:
break;
case NS_SORTLISTTYPE_NONE:
break;
default:
INSIST(0);
break;
}
}
/*
* Do the bulk of query processing for the current query of 'client'.
* If 'event' is non-NULL, we are returning from recursion and 'qtype'
* is ignored. Otherwise, 'qtype' is the query type.
*/
static void
int order;
isc_buffer_t b;
CTRACE("query_find");
/*
* One-time initialization.
*
* It's especially important to initialize anything that the cleanup
* code might cleanup.
*/
sigrdataset = NULL;
zsigrdataset = NULL;
/*
* We're returning from recursion. Restore the query context
* and resume.
*/
if (qtype == dns_rdatatype_sig)
else
/*
* We'll need some resources...
*/
goto cleanup;
}
goto cleanup;
}
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
goto resume;
}
/*
* Not returning from recursion.
*/
/*
* If it's a SIG query, we'll iterate the node.
*/
if (qtype == dns_rdatatype_sig)
else
CTRACE("query_find: restart");
/*
* First we must find the right database.
*/
if (result != ISC_R_SUCCESS) {
if (result == DNS_R_REFUSED)
else
goto cleanup;
}
if (is_zone)
CTRACE("query_find: db_find");
/*
* We'll need some resources...
*/
goto cleanup;
}
goto cleanup;
}
if (WANTDNSSEC(client)) {
if (sigrdataset == NULL) {
goto cleanup;
}
}
/*
* Now look for an answer in the database.
*/
/*
* We interrupt our normal query processing to bring you this special
* case...
*
* RFC 2535 (DNSSEC), section 2.3.4, discusses various special
* cases that can occur at delegation points.
*
* One of these cases is that the NULL KEY for an unsecure zone
* may occur in the delegating zone instead of in the delegated zone.
* If we're authoritative for both zones, we need to look for the
* key in the delegator if we didn't find it in the delegatee. If
* we didn't do this, a client doing DNSSEC validation could fail
* because it couldn't get the NULL KEY.
*/
if (type == dns_rdatatype_key &&
is_zone &&
result == DNS_R_NXRRSET &&
!dns_db_issecure(db) &&
/*
* We're looking for a KEY at the top of an unsecure zone,
* and we didn't find it.
*/
if (result == ISC_R_SUCCESS) {
/*
* We found the parent KEY.
*
* zone, db, version, node, rdataset, and sigrdataset
* have all been updated to refer to the parent's
* data. We will resume query processing as if
* we had looked for the KEY in the parent zone in
* the first place.
*
* We need to set fname correctly. We do this here
* instead of in query_findparentkey() because
* dns_name_concatenate() can fail (though it shouldn't
* ever do so since we should have enough space).
*/
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
} else {
/*
* We couldn't find the KEY in a parent zone.
* Continue with processing of the original
* results of dns_db_find().
*/
}
}
CTRACE("query_find: resume");
switch (result) {
case ISC_R_SUCCESS:
/*
* This case is handled in the main line below.
*/
break;
case DNS_R_GLUE:
#ifdef DNS_OPT_NEWCODES_LIVE
break;
/* Fallthrough if we don't have opt_zone */
#endif /* DNS_OPT_NEWCODES_LIVE */
case DNS_R_ZONECUT:
/*
* These cases are handled in the main line below.
*/
break;
case ISC_R_NOTFOUND:
#ifdef DNS_OPT_NEWCODES_LIVE
/*
* If we've passed in opt_zone, don't try anything more.
*/
break;
#endif /* DNS_OPT_NEWCODES_LIVE */
/*
* The cache doesn't even have the root NS. Get them from
* the hints DB.
*/
dns_db_detach(&db);
if (result != ISC_R_SUCCESS) {
/*
* We can't even find the hints for the root
* nameservers!
*/
goto cleanup;
}
/*
* XXXRTH We should trigger root server priming here.
*/
/* FALLTHROUGH */
case DNS_R_DELEGATION:
#ifdef DNS_OPT_NEWCODES_LIVE
/*
* If we've passed in opt_zone, don't try anything more.
*/
break;
}
#endif /* DNS_OPT_NEWCODES_LIVE */
if (is_zone) {
/*
* We're authoritative for an ancestor of QNAME.
*/
/*
* If we don't have a cache, this is the best
* answer.
*
* If the client is making a nonrecursive
* query we always give out the authoritative
* delegation. This way even if we get
* junk in our cache, we won't fail in our
* role as the delegating authority if another
* nameserver asks us about a delegated
* subzone.
*
* We enable the retrieval of glue for this
* database by setting client->query.gluedb.
*/
if (sigrdataset != NULL)
else
sigrdatasetp = NULL;
} else {
/*
* We might have a better answer or delegation
* in the cache. We'll remember the current
* values of fname, rdataset, and sigrdataset.
* We'll then go looking for QNAME in the
* cache. If we find something better, we'll
* use it instead.
*/
goto db_find;
}
} else {
/*
* We've already got a delegation from
* authoritative data, and it is better
* than what we found in the cache. Use
* it instead of the cache delegation.
*/
/*
* We've already done query_keepname() on
* zfname, so we must set dbuf to NULL to
* prevent query_addrrset() from trying to
* call query_keepname() again.
*/
if (sigrdataset != NULL)
&sigrdataset);
zsigrdataset = NULL;
/*
* We don't clean up zdb here because we
* may still need it. It will get cleaned
* up by the main cleanup code.
*/
}
if (RECURSIONOK(client)) {
/*
* Recurse!
*/
if (type == dns_rdatatype_key)
else
if (result == ISC_R_SUCCESS)
else {
}
} else {
/*
* This is the best answer.
*/
if (sigrdataset != NULL)
else
sigrdatasetp = NULL;
}
}
goto cleanup;
case DNS_R_NXRRSET:
if (dns_rdataset_isassociated(rdataset)) {
/*
* If we've got a NXT record, we need to save the
* name now because we're going call query_addsoa()
* below, and it needs to use the name buffer.
*/
/*
* We don't want the cleanup code to try to release
* fname if we fail below, so we set it to NULL.
*/
} else {
/*
* We're not going to use fname, and need to release
* our hold on the name buffer so query_addsoa()
* may use it.
*/
}
/*
* Add SOA.
*/
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/*
* Add NXT record if we found one.
*/
if (dns_rdataset_isassociated(rdataset)) {
if (WANTDNSSEC(client))
&tname);
}
goto cleanup;
case DNS_R_NXDOMAIN:
/*
* We hit a dead end following a CNAME or DNAME.
*/
goto cleanup;
}
if (dns_rdataset_isassociated(rdataset)) {
/*
* If we've got a NXT record, we need to save the
* name now because we're going call query_addsoa()
* below, and it needs to use the name buffer.
*/
/*
* We don't want the cleanup code to try to release
* fname if we fail below, so we set it to NULL.
*/
} else {
/*
* We're not going to use fname, and need to release
* our hold on the name buffer so query_addsoa()
* may use it.
*/
}
/*
* Add SOA. If the query was for a SOA record force the
* ttl to zero so that it is possible for clients to find
* the containing zone of a arbitary name with a stub
* resolver and not have it cached.
*/
if (qtype == dns_rdatatype_soa)
else
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/*
* Add NXT record if we found one.
*/
if (dns_rdataset_isassociated(rdataset)) {
if (WANTDNSSEC(client))
&tname);
}
/*
* Set message rcode.
*/
goto cleanup;
case DNS_R_NCACHENXDOMAIN:
goto ncachenxrrset;
case DNS_R_NCACHENXRRSET:
/*
* Set message rcode, if required.
*/
if (result == DNS_R_NCACHENXDOMAIN)
/*
* We don't call query_addrrset() because we don't need any
* of its extra features (and things would probably break!).
*/
goto cleanup;
case DNS_R_CNAME:
/*
* Keep a copy of the rdataset. We have to do this because
* query_addrrset may clear 'rdataset' (to prevent the
* cleanup code from cleaning it up).
*/
/*
* Add the CNAME to the answer section.
*/
if (sigrdataset != NULL)
else
sigrdatasetp = NULL;
/*
* We set the PARTIALANSWER attribute so that if anything goes
* wrong later on, we'll return what we've got so far.
*/
/*
* Reset qname to be the target name of the CNAME and restart
* the query.
*/
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
if (result != ISC_R_SUCCESS)
goto cleanup;
goto addauth;
case DNS_R_DNAME:
/*
* Compare the current qname to the found name. We need
* to know how many labels and bits are in common because
* we're going to have to split qname later on.
*/
/*
* Keep a copy of the rdataset. We have to do this because
* query_addrrset may clear 'rdataset' (to prevent the
* cleanup code from cleaning it up).
*/
/*
* Add the DNAME to the answer section.
*/
if (sigrdataset != NULL)
else
sigrdatasetp = NULL;
/*
* We set the PARTIALANSWER attribute so that if anything goes
* wrong later on, we'll return what we've got so far.
*/
/*
* Get the target name of the DNAME.
*/
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/*
* Construct the new qname.
*/
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
goto cleanup;
}
goto cleanup;
}
if (result != ISC_R_SUCCESS) {
if (result == ISC_R_NOSPACE) {
/*
* RFC 2672, section 4.1, subsection 3c says
* we should return YXDOMAIN if the constructed
* name would be too long.
*/
}
goto cleanup;
}
/*
* Synthesize a CNAME for this DNAME.
*
* We want to synthesize a CNAME since if we don't
* then older software that doesn't understand DNAME
* will not chain like it should.
*
* We do not try to synthesize a signature because we hope
* that security aware servers will understand DNAME. Also,
* even if we had an online key, making a signature
* on-the-fly is costly, and not really legitimate anyway
* since the synthesized CNAME is NOT in the zone.
*/
/*
* Switch to the new qname and restart.
*/
goto addauth;
default:
/*
* Something has gone wrong.
*/
goto cleanup;
}
if (type == dns_rdatatype_any) {
/*
* XXXRTH Need to handle zonecuts with special case
* code.
*/
n = 0;
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/*
* Calling query_addrrset() with a non-NULL dbuf is going
* to either keep or release the name. We don't want it to
* release fname, since we may have to call query_addrrset()
* more than once. That means we have to call query_keepname()
* now, and pass a NULL dbuf to query_addrrset().
*
* Since we've done the keepname, it's important that we
* set fname to NULL before we leave this 'if' block
* otherwise we might try to cleanup fname even though we've
* kept it!
*/
while (result == ISC_R_SUCCESS) {
if ((qtype == dns_rdatatype_any ||
n++;
/*
* We shouldn't ever fail to add 'rdataset'
* because it's already in the answer.
*/
break;
} else {
/*
* We're not interested in this rdataset.
*/
}
}
/*
* As mentioned above, we must now clear fname since we have
* kept it.
*/
if (n == 0) {
/*
* We didn't match any rdatasets.
*/
if (qtype == dns_rdatatype_sig &&
result == ISC_R_NOMORE) {
/*
* XXXRTH If this is a secure zone and we
* didn't find any SIGs, we should generate
* an error unless we were searching for
* glue. Ugh.
*/
/*
* We were searching for SIG records in
* a nonsecure zone. Send a "no error,
* no data" response.
*/
/*
* Add SOA.
*/
if (result == ISC_R_SUCCESS)
} else {
/*
* Something went wrong.
*/
}
}
if (result != ISC_R_NOMORE) {
goto cleanup;
}
} else {
/*
* This is the "normal" case -- an ordinary question to which
* we know the answer.
*/
if (sigrdataset != NULL)
else
sigrdatasetp = NULL;
/*
* We shouldn't ever fail to add 'rdataset'
* because it's already in the answer.
*/
}
CTRACE("query_find: addauth");
/*
* Add NS records to the authority section (if we haven't already
* added them to the answer section).
*/
if (!want_restart) {
if (is_zone) {
if (!(qtype == dns_rdatatype_ns &&
dns_db_origin(db))))
} else if (qtype != dns_rdatatype_ns) {
}
}
CTRACE("query_find: cleanup");
/*
* General cleanup.
*/
if (sigrdataset != NULL)
dns_db_detach(&db);
if (zsigrdataset != NULL)
dns_db_detach(&zdb);
}
/*
* AA bit.
*/
/*
* We're not authoritative, so we must ensure the AA bit
* isn't set.
*/
}
/*
* Restart the query?
*/
goto restart;
}
if (eresult != ISC_R_SUCCESS &&
/*
* If we don't have any answer to give the client,
* or if the client requested recursion and thus wanted
* the complete answer, send an error response.
*/
/*
* We are done. Set up sortlist data for the message
* rendering code, make a final tweak to the AA bit if the
* auth-nxdomain config option says so, then render and
* send the response.
*/
}
CTRACE("query_find: done");
}
static inline void
char namebuf[DNS_NAME_FORMATSIZE];
char typename[DNS_RDATATYPE_FORMATSIZE];
int level = ISC_LOG_INFO;
return;
}
void
CTRACE("ns_query_start");
/*
* Ensure that appropriate cleanups occur.
*/
/*
* We don't have a cache. Turn off cache support and
* recursion.
*/
/*
* If the client isn't allowed to recurse (due to
* "recursion no", the allow-recursion ACL, or the
* lack of a resolver in this view), or if it
* doesn't want recursion, turn recursion off.
*/
}
/*
* Get the question name.
*/
if (result != ISC_R_SUCCESS) {
return;
}
if (result != ISC_R_NOMORE) {
if (result == ISC_R_SUCCESS) {
/*
* There's more than one QNAME in the question
* section.
*/
} else
return;
}
if (ns_g_server->log_queries)
/*
* Check for multiple question queries, since edns1 is dead.
*/
return;
}
/*
* Check for meta-queries like IXFR and AXFR.
*/
if (dns_rdatatype_ismeta(qtype)) {
switch (qtype) {
case dns_rdatatype_any:
break; /* Let query_find handle it. */
case dns_rdatatype_ixfr:
case dns_rdatatype_axfr:
return;
case dns_rdatatype_maila:
case dns_rdatatype_mailb:
return;
case dns_rdatatype_tkey:
if (result == ISC_R_SUCCESS)
else
return;
default: /* TSIG, etc. */
return;
}
}
/*
* If the client has requested that DNSSEC checking be disabled,
* allow lookups to return pending data and instruct the resolver
* to return data before validation has completed.
*/
}
/*
* This is an ordinary query.
*/
if (result != ISC_R_SUCCESS) {
return;
}
/*
* Assume authoritative response until it is known to be
* otherwise.
*/
/*
* Set AD. We must clear it if we add non-validated data to a
* response.
*/
if (WANTDNSSEC(client))
/*
* Synthesize IPv6 responses if appropriate.
*/
if (RECURSIONOK(client) &&
{
if (qtype == dns_rdatatype_aaaa) {
return;
} else if (qtype == dns_rdatatype_ptr &&
/* Must be 32 nibbles + "ip6" + "int" + root */
return;
}
}
}
/*
* Generate a synthetic IPv6 forward mapping response for the current
* query of 'client'.
*/
static void
}
/*
* Start an ADB find to get addresses, or more addresses, for
* a synthetic IPv6 forward mapping response.
*/
static void
if (result == DNS_R_ALIAS) {
isc_buffer_t b;
/*
* Make a persistent copy of the 'target' name data in 'ptarget';
* it will become the new query name.
*/
goto fail;
goto fail;
/*
* Get another temporary name 'tname' for insertion into the
* response message.
*/
if (result != ISC_R_SUCCESS)
goto fail;
0 /* XXX ttl */, &tname,
if (result != ISC_R_SUCCESS)
goto fail;
goto find_again;
} else {
/*
* Probably a CNAME loop. Reply with partial
* CNAME chain.
*/
goto done;
}
} else if (result != ISC_R_SUCCESS) {
goto fail;
}
} else {
}
return;
fail:
done:
}
/*
* Handle an ADB finddone event generated as part of synthetic IPv6
* forward mapping processing.
*/
static void
if (evtype == DNS_EVENT_ADBNOMOREADDRESSES)
else if (evtype == DNS_EVENT_ADBMOREADDRESSES)
else
isc_event_free(&ev);
}
/*
* Generate a synthetic IPv6 forward mapping response based on
* a completed ADB lookup.
*/
static void
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* Could it be useful to return IPv4 addresses as A records?
*/
continue;
if (result != ISC_R_SUCCESS)
goto cleanup;
}
}
}
/*
* Finish synthetic IPv6 forward mapping processing.
*/
static void
if (result == ISC_R_SUCCESS)
else
}
static signed char ascii2hex[256] = {
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, -1, -1, -1, -1, -1, -1,
-1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1
};
/*
* Convert label 'i' of 'name' into its hexadecimal value, storing it
* in '*hexp'. If the label is not a valid hex nibble, return ISC_R_FAILURE.
*/
static isc_result_t
int hexval;
return (ISC_R_FAILURE);
if (hexval == -1)
return (ISC_R_FAILURE);
return (ISC_R_SUCCESS);
}
/*
* Convert the ip6.int name 'name' into the corresponding IPv6 address
* in 'na'.
*/
static isc_result_t
int i;
for (i = 0; i < 16; i++) {
if (result != ISC_R_SUCCESS)
return (result);
if (result != ISC_R_SUCCESS)
return (result);
}
return (ISC_R_SUCCESS);
}
/*
* Generate a synthetic IPv6 reverse mapping response for the current
* query of 'client'.
*/
static void
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/* Try IP6.ARPA first. */
client, &byaddr_dummy);
if (result == ISC_R_SUCCESS)
return; /* Wait for completion event. */
}
static void
} else {
/* Try IP6.INT next. */
client, &byaddr_dummy);
if (result != ISC_R_SUCCESS)
}
}
static void
/*
* in some cases, but since there may be any combination
* of NXDOMAIN and NXRRSET results from the IP6.INT
* and IP6.ARPA lookups, it could still be wrong with
* respect to one or the other.
*/
} else {
}
}
static void
{
/*
* Get a temporary name 'tname' for insertion into the
* response message.
*/
if (result != ISC_R_SUCCESS)
goto fail;
name, 0 /* XXX ttl */,
if (result != ISC_R_SUCCESS)
goto fail;
}
fail:
}