query.c revision e605e98f3e4be079f545b26bb53ba02a6d04b0b6
/*
* Copyright (C) 1999, 2000 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
* DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
* INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
* FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
* NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.125 2000/08/09 00:09:29 gson Exp $ */
#include <config.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>
#include <dns/rdatatype.h>
#include <dns/resolver.h>
NS_QUERYATTR_PARTIALANSWER) != 0)
NS_QUERYATTR_CACHEOK) != 0)
NS_QUERYATTR_RECURSIONOK) != 0)
NS_QUERYATTR_RECURSING) != 0)
NS_QUERYATTR_CACHEGLUEOK) != 0)
#if 0
ISC_LOG_DEBUG(3), \
"client %p: %s", client, (m))
ISC_LOG_DEBUG(3), \
"query %p: %s", query, (m))
#else
#define CTRACE(m) ((void)m)
#define QTRACE(m) ((void)m)
#endif
#define DNS_GETDB_NOEXACT 0x01U
#define DNS_GETDB_NOLOG 0x02U
static isc_result_t
static inline void
static void
static inline void
/*
* client->query.qname was dynamically allocated.
*/
}
}
static inline void
unsigned int i;
/*
* Reset the query state of a client to its default state.
*/
/*
* Cancel the fetch if it's running.
*/
}
/*
* Cleanup any active versions.
*/
dbversion = dbversion_next) {
}
/*
* Clean up free versions.
*/
dbversion = dbversion_next, i++) {
/*
* If we're not freeing everything, we keep the first three
* dbversions structures around.
*/
if (i > 3 || everything) {
link);
sizeof *dbversion);
}
}
}
}
}
static void
}
void
}
static inline isc_result_t
CTRACE("query_newnamebuf");
/*
* Allocate a name buffer.
*/
if (result != ISC_R_SUCCESS) {
CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
return (result);
}
CTRACE("query_newnamebuf: done");
return (ISC_R_SUCCESS);
}
static inline isc_buffer_t *
isc_region_t r;
CTRACE("query_getnamebuf");
/*
* Return a name buffer with space for a maximal name, allocating
* a new one if necessary.
*/
if (result != ISC_R_SUCCESS) {
CTRACE("query_getnamebuf: query_newnamebuf failed: done");
return (NULL);
}
}
if (r.length < 255) {
if (result != ISC_R_SUCCESS) {
CTRACE("query_getnamebuf: query_newnamebuf failed: done");
return (NULL);
}
}
CTRACE("query_getnamebuf: done");
return (dbuf);
}
static inline void
isc_region_t r;
CTRACE("query_keepname");
/*
* 'name' is using space in 'dbuf', but 'dbuf' has not yet been
* adjusted to take account of that. We do the adjustment.
*/
dns_name_toregion(name, &r);
}
static inline void
/*
* 'name' is no longer needed. Return it to our pool of temporary
* names. If it is using a name buffer, relinquish its exclusive
* rights on the buffer.
*/
CTRACE("query_releasename");
if (dns_name_hasbuffer(name)) {
!= 0);
}
CTRACE("query_releasename: done");
}
static inline dns_name_t *
{
isc_region_t r;
CTRACE("query_newname");
if (result != ISC_R_SUCCESS) {
CTRACE("query_newname: dns_message_gettempname failed: done");
return (NULL);
}
CTRACE("query_newname: done");
return (name);
}
static inline dns_rdataset_t *
CTRACE("query_newrdataset");
if (result != ISC_R_SUCCESS) {
CTRACE("query_newrdataset: "
"dns_message_gettemprdataset failed: done");
return (NULL);
}
CTRACE("query_newrdataset: done");
return (rdataset);
}
static inline void
CTRACE("query_putrdataset");
}
CTRACE("query_putrdataset: done");
}
static inline isc_result_t
unsigned int i;
for (i = 0; i < n; i++) {
link);
} else {
/*
* We only return ISC_R_NOMEMORY if we couldn't
* allocate anything.
*/
if (i == 0)
return (ISC_R_NOMEMORY);
else
return (ISC_R_SUCCESS);
}
}
return (ISC_R_SUCCESS);
}
static inline ns_dbversion_t *
if (result != ISC_R_SUCCESS)
return (NULL);
}
return (dbversion);
}
if (result != ISC_R_SUCCESS)
return (result);
return (query_newnamebuf(client));
}
static inline ns_dbversion_t *
{
/*
* We may already have done a query related to this
* database. If so, we must be sure to make subsequent
* queries from the same version.
*/
break;
}
/*
* This is a new zone for this query. Add it to
* the active list.
*/
return (NULL);
} else
return (dbversion);
}
static inline isc_result_t
{
unsigned int ztoptions;
/*
* Find a zone database to answer the query.
*/
DNS_ZTFIND_NOEXACT : 0;
&zone);
if (result != ISC_R_SUCCESS)
goto fail;
/*
* If this is the first time we are called (that is, looking up
* the actual name in the query section) remember this database.
*
* If authdb is non-NULL, we have been here before, and the
* found database is always returned.
*
* This limits our searching to the zone where the first name
* (the query target) is found. This prevents following CNAMES
* or DNAMES into other zones and prevents returning additional
* data from other zones.
*/
goto refuse;
} else {
}
}
/*
* If the zone has an ACL, we'll check it, otherwise
* we use the view's "allow-query" ACL. Each ACL is only checked
* once per query.
*
* Also, get the database version to use.
*/
/*
* Get the current version of this database.
*/
goto fail;
}
if (new_zone) {
goto refuse;
} else {
}
NS_QUERYATTR_QUERYOKVALID) != 0) {
/*
* We've evaluated the view's queryacl already. If
* NS_QUERYATTR_QUERYOK is set, then the client is
* allowed to make queries, otherwise the query should
* be refused.
*/
NS_QUERYATTR_QUERYOK) == 0)
goto refuse;
} else {
/*
* We haven't evaluated the view's queryacl yet.
*/
}
}
if (check_acl) {
if (result == ISC_R_SUCCESS) {
/*
* We were allowed by the default
* "allow-query" ACL. Remember this so we
* don't have to check again.
*/
}
/*
* We've now evaluated the view's query ACL, and
* the NS_QUERYATTR_QUERYOK attribute is now valid.
*/
}
if (result != ISC_R_SUCCESS)
goto refuse;
}
/* Approved. */
/*
* Remember the result of the ACL check so we
* don't have to check again.
*/
/* Transfer ownership. */
return (ISC_R_SUCCESS);
fail:
dns_db_detach(&db);
return (result);
}
static inline isc_result_t
{
/*
* Find a cache database to answer the query.
* This may fail with DNS_R_REFUSED if the client
* is not allowed to use the cache.
*/
return (DNS_R_REFUSED);
NS_QUERYATTR_QUERYOKVALID) != 0) {
/*
* We've evaluated the view's queryacl already. If
* NS_QUERYATTR_QUERYOK is set, then the client is
* allowed to make queries, otherwise the query should
* be refused.
*/
NS_QUERYATTR_QUERYOK) == 0)
goto refuse;
} else {
/*
* We haven't evaluated the view's queryacl yet.
*/
}
if (check_acl) {
if (result == ISC_R_SUCCESS) {
/*
* We were allowed by the default
* "allow-query" ACL. Remember this so we
* don't have to check again.
*/
}
/*
* We've now evaluated the view's query ACL, and
* the NS_QUERYATTR_QUERYOK attribute is now valid.
*/
if (result != ISC_R_SUCCESS)
goto refuse;
}
/* Approved. */
/* Transfer ownership. */
return (ISC_R_SUCCESS);
dns_db_detach(&db);
return (result);
}
static inline isc_result_t
{
if (result == ISC_R_SUCCESS) {
} else if (result == ISC_R_NOTFOUND) {
}
return (result);
}
static isc_result_t
{
unsigned int dboptions;
/*
* Find a database to answer the query.
*/
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* Now look for an answer in the database.
*/
if (result == DNS_R_DELEGATION ||
result == ISC_R_NOTFOUND) {
if (is_zone) {
/*
* Either the answer is in the cache, or we
* don't know it.
*/
dns_db_detach(&db);
goto db_find;
}
} else {
/*
* We don't have the data in the cache. If we've got
* glue from the zone, use it.
*/
if (dns_rdataset_isassociated(&zrdataset)) {
goto cleanup;
}
}
/*
* We don't know the answer.
*/
} else if (result == DNS_R_GLUE) {
/*
* We found an answer, but the cache may be better.
* Remember what we've got and go look in the cache.
*/
if (dns_rdataset_isassociated(sigrdataset)) {
}
dns_db_detach(&db);
goto db_find;
}
/*
* Otherwise, the glue is the best answer.
*/
} else if (result != ISC_R_SUCCESS) {
}
if (dns_rdataset_isassociated(&zrdataset)) {
}
dns_db_detach(&db);
return (result);
}
static inline isc_boolean_t
{
CTRACE("query_isduplicate");
for (section = DNS_SECTION_ANSWER;
section++) {
if (result == ISC_R_SUCCESS) {
/*
* We've already got this RRset in the response.
*/
CTRACE("query_isduplicate: true: done");
return (ISC_TRUE);
} else if (result == DNS_R_NXRRSET) {
/*
* The name exists, but the rdataset does not.
*/
if (section == DNS_SECTION_ADDITIONAL)
break;
} else
}
/*
* If the dns_name_t we're lookup up is already in the message,
* we don't want to trigger the caller's name replacement logic.
*/
CTRACE("query_isduplicate: false: done");
return (ISC_FALSE);
}
static isc_result_t
isc_buffer_t b;
CTRACE("query_addadditional");
/*
* Initialization.
*/
sigrdataset = NULL;
a6rdataset = NULL;
/*
* We treat type A additional section processing as if it
* were "any address type" additional section processing.
* To avoid multiple lookups, we do an 'any' database
* lookup and iterate over the node.
*/
if (qtype == dns_rdatatype_a)
else
/*
* Get some resources.
*/
goto cleanup;
goto cleanup;
/*
* Look for a zone database that might contain authoritative
* additional data.
*/
if (result != ISC_R_SUCCESS)
goto try_cache;
CTRACE("query_addadditional: db_find");
/*
* Since we are looking for authoritative data, we do not set
* the GLUEOK flag. Glue will be looked for later, but not
* necessarily in the same database.
*/
if (result == ISC_R_SUCCESS)
goto found;
dns_db_detach(&db);
/*
* No authoritative data was found. The cache is our next best bet.
*/
if (result != ISC_R_SUCCESS)
/*
* Most likely the client isn't allowed to query the cache.
*/
goto try_glue;
if (result == ISC_R_SUCCESS)
goto found;
dns_db_detach(&db);
/*
* No cached data was found. Glue is our last chance.
* RFC1035 sayeth:
*
* NS records cause both the usual additional section
* processing to locate a type A record, and, when used
* in a referral, a special search of the zone in which
* they reside for glue information.
*
* This is the "special search". Note that we must search
* the zone where the NS record resides, not the zone it
* points to, and that we only do the search in the delegation
* case (identified by client->query.gluedb being set).
*/
goto cleanup;
if (!(result == ISC_R_SUCCESS ||
result == DNS_R_ZONECUT ||
result == DNS_R_GLUE))
goto cleanup;
/*
* We have found a potential additional data rdataset, or
* at least a node to iterate over.
*/
/*
* If we have an rdataset, add it to the additional data
* section.
*/
if (dns_rdataset_isassociated(rdataset) &&
} else
/*
* Note: we only add SIGs if we've added the type they cover,
* so we do not need to check if the SIG rdataset is already
* in the response.
*/
if (dns_rdataset_isassociated(sigrdataset)) {
sigrdataset = NULL;
}
}
if (qtype == dns_rdatatype_a) {
/*
* We now go looking for A, A6, and AAAA records, along with
* their signatures.
*
* XXXRTH This code could be more efficient.
*/
} else {
goto addname;
}
if (sigrdataset != NULL) {
} else {
if (sigrdataset == NULL)
goto addname;
}
dns_rdatatype_a, 0,
if (result == DNS_R_NCACHENXDOMAIN)
goto addname;
if (result == DNS_R_NCACHENXRRSET) {
/*
* Negative cache entries don't have sigrdatasets.
*/
}
if (result == ISC_R_SUCCESS) {
dns_rdatatype_a, &mname)) {
} else
if (dns_rdataset_isassociated(sigrdataset)) {
sigrdataset, link);
}
goto addname;
} else {
}
}
dns_rdatatype_a6, 0,
if (result == DNS_R_NCACHENXDOMAIN)
goto addname;
if (result == DNS_R_NCACHENXRRSET) {
}
if (result == ISC_R_SUCCESS) {
dns_rdatatype_a6, &mname)) {
} else
if (dns_rdataset_isassociated(sigrdataset)) {
sigrdataset, link);
}
goto addname;
} else
}
if (result == DNS_R_NCACHENXDOMAIN)
goto addname;
if (result == DNS_R_NCACHENXRRSET) {
}
if (result == ISC_R_SUCCESS) {
dns_rdatatype_aaaa, &mname)) {
} else
if (dns_rdataset_isassociated(sigrdataset)) {
sigrdataset, link);
sigrdataset = NULL;
}
}
}
}
CTRACE("query_addadditional: addname");
/*
* If we haven't added anything, then we're done.
*/
if (!added_something)
goto cleanup;
/*
* We may have added our rdatasets to an existing name, if so, then
* need_addname will be ISC_FALSE. Whether we used an existing name
* or a new one, we must set fname to NULL to prevent cleanup.
*/
if (need_addname)
/*
* In a few cases, we want to add additional data for additional
* data. It's simpler to just deal with special cases here than
* to try to create a general purpose mechanism and allow the
* rdata implementations to do it themselves.
*
* This involves recursion, but the depth is limited. The
* most complex case is adding a SRV rdataset, which involves
* recursing to add address records, which in turn can cause
* recursion to add KEYs.
*/
/*
* RFC 2535 section 3.5 says that when A or AAAA records are
* retrieved as additional data, any KEY RRs for the owner name
* should be added to the additional data section. Note: we
* do NOT include A6 in the list of types with such treatment
* in additional data because we'd have to do it for each A6
* in the A6 chain.
*
* XXXRTH We should lower the priority here. Alternatively,
* we could raise the priority of glue records.
*/
/*
* If we're adding SRV records to the additional data
* section, it's helpful if we add the SRV additional data
* as well.
*/
client);
}
/*
* If we added an A6 rdataset, we should also add everything we
* know about the A6 chains. We wait until now to do this so that
* they'll come after any additional data added above.
*/
if (a6rdataset != NULL) {
}
CTRACE("query_addadditional: cleanup");
dns_db_detach(&db);
CTRACE("query_addadditional: done");
return (eresult);
}
static void
{
isc_buffer_t b, *dbuf;
/*
* Add an rrset to the additional data section.
*/
/*
* Get some resources...
*/
csigrdataset = NULL;
goto cleanup;
goto cleanup;
goto cleanup;
goto cleanup;
} else {
}
/*
* Note: we only add SIGs if we've added the type they cover, so
* we do not need to check if the SIG rdataset is already in the
* response.
*/
csigrdataset = NULL;
}
/*
* In spite of RFC 2535 section 3.5, we don't currently try to add
* KEY RRs for the A6 records. It's just too much work.
*/
}
static inline void
{
/*
* Add 'rdataset' and any pertinent additional data to
* 'fname', a name in the response message for 'client'.
*/
CTRACE("query_addrdataset");
/*
* Add additional data.
*
* We don't care if dns_a6_foreach or dns_rdataset_additionaldata()
* fail.
*/
if (type == dns_rdatatype_a6) {
} else
/*
* RFC 2535 section 3.5 says that when NS, SOA, A, or AAAA records
* are retrieved, any KEY RRs for the owner name should be added
* to the additional data section. We treat A6 records the same way.
*
* We don't care if query_addadditional() fails.
*/
type == dns_rdatatype_a6) {
/*
* XXXRTH We should lower the priority here. Alternatively,
* we could raise the priority of glue records.
*/
}
CTRACE("query_addrdataset: done");
}
static void
{
/*
* To the current response for 'client', add the answer RRset
* '*rdatasetp' and an optional signature set '*sigrdatasetp', with
* owner name '*namep', to section 'section', unless they are
* already there. Also add any pertinent additional data.
*
* If 'dbuf' is not NULL, then '*namep' is the name whose data is
* stored in 'dbuf'. In this case, query_addrrset() guarantees that
* when it returns the name will either have been kept or released.
*/
CTRACE("query_addrrset");
if (sigrdatasetp != NULL)
else
sigrdataset = NULL;
if (result == ISC_R_SUCCESS) {
/*
* We've already got an RRset of the given name and type.
* There's nothing else to do;
*/
CTRACE("query_addrrset: dns_message_findname succeeded: done");
return;
} else if (result == DNS_R_NXDOMAIN) {
/*
* The name doesn't exist.
*/
} else {
}
/*
* Note: we only add SIGs if we've added the type they cover, so
* we do not need to check if the SIG rdataset is already in the
* response.
*/
/*
* We have a signature. Add it to the response.
*/
*sigrdatasetp = NULL;
}
CTRACE("query_addrrset: done");
}
static inline isc_result_t
CTRACE("query_addsoa");
/*
* Initialization.
*/
/*
* Get resources and make 'name' be the database origin.
*/
if (result != ISC_R_SUCCESS)
return (result);
goto cleanup;
}
/*
* Find the SOA.
*/
if (result != ISC_R_SUCCESS) {
/*
* This is bad. We tried to get the SOA RR at the zone top
* and it didn't work!
*/
} else {
/*
* Extract the SOA MINIMUM.
*/
/*
* Add the SOA and its SIG to the response, with the
* TTLs adjusted per RFC2308 section 3.
*/
}
return (eresult);
}
static inline isc_result_t
CTRACE("query_addns");
/*
* Initialization.
*/
/*
* Get resources and make 'name' be the database origin.
*/
if (result != ISC_R_SUCCESS) {
CTRACE("query_addns: dns_message_gettempname failed: done");
return (result);
}
CTRACE("query_addns: query_newrdataset failed");
goto cleanup;
}
/*
* Find the NS rdataset.
*/
CTRACE("query_addns: calling dns_db_find");
CTRACE("query_addns: dns_db_find complete");
if (result != ISC_R_SUCCESS) {
CTRACE("query_addns: dns_db_find failed");
/*
* This is bad. We tried to get the NS rdataset at the zone
* top and it didn't work!
*/
} else {
}
CTRACE("query_addns: cleanup");
CTRACE("query_addns: done");
return (eresult);
}
static inline isc_result_t
{
isc_region_t r;
CTRACE("query_addcname");
/*
* We assume the name data referred to by qname and tname won't
* go away.
*/
if (result != ISC_R_SUCCESS)
return (result);
if (result != ISC_R_SUCCESS)
return (result);
if (result != ISC_R_SUCCESS)
return (result);
dns_name_toregion(tname, &r);
}
return (ISC_R_SUCCESS);
}
static void
isc_buffer_t b;
CTRACE("query_addbestns");
sigrdataset = NULL;
zsigrdataset = NULL;
/*
* Find the right database.
*/
if (result != ISC_R_SUCCESS)
goto cleanup;
/*
* We'll need some resources...
*/
goto cleanup;
goto cleanup;
/*
* Now look for the zonecut.
*/
if (is_zone) {
if (result != DNS_R_DELEGATION)
goto cleanup;
goto db_find;
}
} else {
if (result == ISC_R_SUCCESS) {
/*
* We found a zonecut in the cache, but our
* zone delegation is better.
*/
}
/*
* We didn't find anything in the cache, but we
* have a zone delegation, so use it.
*/
} else
goto cleanup;
}
if (use_zone) {
/*
* We've already done query_keepname() on
* zfname, so we must set dbuf to NULL to
* prevent query_addrrset() from trying to
* call query_keepname() again.
*/
zsigrdataset = NULL;
}
goto cleanup;
dns_db_detach(&db);
dns_db_detach(&zdb);
}
}
static inline isc_result_t
/*
* XXXRTH OPT still needs to be added.
* Should get help with this from rdata.c
*/
switch (type) {
case dns_rdatatype_tkey:
return (DNS_R_NOTIMP);
case dns_rdatatype_tsig:
return (DNS_R_FORMERR);
case dns_rdatatype_ixfr:
case dns_rdatatype_axfr:
case dns_rdatatype_mailb:
case dns_rdatatype_maila:
return (DNS_R_REFUSED);
default:
break;
}
return (ISC_R_SUCCESS);
}
static void
/*
* Resume a query after recursion.
*/
/*
* This is the fetch we've been waiting for.
*/
/*
* Update client->now.
*/
} else {
/*
* This is a fetch completion event for a cancelled fetch.
* Clean up and don't resume the find.
*/
}
/*
* If this client is shutting down, or this transaction
* has timed out, do not resume the find.
*/
if (fetch_cancelled || client_shuttingdown) {
/*
* This may destroy the client.
*/
} else {
}
}
static isc_result_t
{
/*
* We are about to recurse, which means that this client will
* be unavailable for serving new requests for an indeterminate
* amount of time. If this client is currently responsible
* for handling incoming queries, set up a new client
* object to handle them while we are waiting for a
* response.
*/
&client->recursionquota);
if (result == ISC_R_SUCCESS)
if (result != ISC_R_SUCCESS) {
"no more recursive clients: %s",
return (result);
}
}
/*
* Invoke the resolver.
*/
return (ISC_R_NOMEMORY);
return (ISC_R_NOMEMORY);
}
if (result == ISC_R_SUCCESS) {
/*
* Record that we're waiting for an event. A client which
* is shutting down will not be destroyed until all the
* events have been received.
*/
} else {
}
return (result);
}
static inline isc_result_t
{
/*
* 'name' is at a zone cut. Try to find a KEY for 'name' in
* the deepest ancestor zone of 'name' (if any). If it exists,
* update *zonep, *dbp, *nodep, rdataset, and sigrdataset and
* return ISC_R_SUCCESS. If not, leave them alone and return a
* non-success status.
*/
if (result != ISC_R_SUCCESS)
goto cleanup;
if (!is_zone) {
goto cleanup;
}
&prdataset, &psigrdataset);
if (result == ISC_R_SUCCESS) {
}
dns_db_detach(&pdb);
return (result);
}
#define MAX_RESTARTS 16
#define QUERY_ERROR(r) \
do { \
eresult = r; \
want_restart = ISC_FALSE; \
} while (0)
static void
int order;
isc_region_t r;
isc_buffer_t b;
CTRACE("query_find");
/*
* One-time initialization.
*
* It's especially important to initialize anything that the cleanup
* code might cleanup.
*/
sigrdataset = NULL;
zsigrdataset = NULL;
/*
* We're returning from recursion. Restore the query context
* and resume.
*/
if (qtype == dns_rdatatype_sig)
else
/*
* We'll need some resources...
*/
goto cleanup;
}
goto cleanup;
}
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
goto resume;
} else
CTRACE("query_find: restart");
/*
* First we must find the right database.
*/
if (result != ISC_R_SUCCESS) {
if (result == DNS_R_REFUSED)
else
goto cleanup;
}
if (is_zone)
/*
* Find the first unanswered type in the question section.
*/
qtype = 0;
qcount = 0;
}
qcount++;
}
}
/*
* We had better have found something!
*/
/*
* If there's more than one question, we'll eventually retrieve the
* node and iterate it, trying to find answers. For now, we simply
* refuse requests with more than one question.
*/
if (qcount == 1)
else {
CTRACE("find_query: REFUSED: qcount != 1");
goto cleanup;
}
/*
* See if the type is OK.
*/
if (result != ISC_R_SUCCESS) {
CTRACE("find_query: non supported query type");
goto cleanup;
}
/*
* If it's a SIG query, we'll iterate the node.
*/
if (qtype == dns_rdatatype_sig)
CTRACE("query_find: db_find");
/*
* We'll need some resources...
*/
goto cleanup;
}
goto cleanup;
}
/*
* Now look for an answer in the database.
*/
/*
* We interrupt our normal query processing to bring you this special
* case...
*
* RFC 2535 (DNSSEC), section 2.3.4, discusses various special
* cases that can occur at delegation points.
*
* One of these cases is that the NULL KEY for an unsecure zone
* may occur in the delegating zone instead of in the delegated zone.
* If we're authoritative for both zones, we need to look for the
* key in the delegator if we didn't find it in the delegatee. If
* we didn't do this, a client doing DNSSEC validation could fail
* because it couldn't get the NULL KEY.
*/
if (type == dns_rdatatype_key &&
is_zone &&
result == DNS_R_NXRRSET &&
!dns_db_issecure(db) &&
/*
* We're looking for a KEY at the top of an unsecure zone,
* and we didn't find it.
*/
if (result == ISC_R_SUCCESS) {
/*
* We found the parent KEY.
*
* zone, db, version, node, rdataset, and sigrdataset
* have all been updated to refer to the parent's
* data. We will resume query processing as if
* we had looked for the KEY in the parent zone in
* the first place.
*
* We need to set fname correctly. We do this here
* instead of in query_findparentkey() because
* dns_name_concatenate() can fail (though it shouldn't
* ever do so since we should have enough space).
*/
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
} else {
/*
* We couldn't find the KEY in a parent zone.
* Continue with processing of the original
* results of dns_db_find().
*/
}
}
CTRACE("query_find: resume");
switch (result) {
case ISC_R_SUCCESS:
/*
* This case is handled in the main line below.
*/
break;
case DNS_R_GLUE:
case DNS_R_ZONECUT:
/*
* These cases are handled in the main line below.
*/
break;
case ISC_R_NOTFOUND:
/*
* The cache doesn't even have the root NS. Get them from
* the hints DB.
*/
dns_db_detach(&db);
if (result != ISC_R_SUCCESS) {
/*
* We can't even find the hints for the root
* nameservers!
*/
goto cleanup;
}
/*
* XXXRTH We should trigger root server priming here.
*/
/* FALLTHROUGH */
case DNS_R_DELEGATION:
if (is_zone) {
/*
* We're authoritative for an ancestor of QNAME.
*/
/*
* If we don't have a cache, this is the best
* answer.
*
* If the client is making a nonrecursive
* query we always give out the authoritative
* delegation. This way even if we get
* junk in our cache, we won't fail in our
* role as the delegating authority if another
* nameserver asks us about a delegated
* subzone.
*
* We enable the retrieval of glue for this
* database by setting client->query.gluedb.
*/
&sigrdataset, dbuf,
} else {
/*
* We might have a better answer or delegation
* in the cache. We'll remember the current
* values of fname, rdataset, and sigrdataset.
* We'll then go looking for QNAME in the
* cache. If we find something better, we'll
* use it instead.
*/
goto db_find;
}
} else {
/*
* We've already got a delegation from
* authoritative data, and it is better
* than what we found in the cache. Use
* it instead of the cache delegation.
*/
/*
* We've already done query_keepname() on
* zfname, so we must set dbuf to NULL to
* prevent query_addrrset() from trying to
* call query_keepname() again.
*/
zsigrdataset = NULL;
/*
* We don't clean up zdb here because we
* may still need it. It will get cleaned
* up by the main cleanup code.
*/
}
if (RECURSIONOK(client)) {
/*
* Recurse!
*/
if (type == dns_rdatatype_key)
else
if (result == ISC_R_SUCCESS)
else
} else {
/*
* This is the best answer.
*/
&rdataset, &sigrdataset,
}
}
goto cleanup;
case DNS_R_NXRRSET:
if (dns_rdataset_isassociated(rdataset)) {
/*
* If we've got a NXT record, we need to save the
* name now because we're going call query_addsoa()
* below, and it needs to use the name buffer.
*/
/*
* We don't want the cleanup code to try to release
* fname if we fail below, so we set it to NULL.
*/
} else {
/*
* We're not going to use fname, and need to release
* our hold on the name buffer so query_addsoa()
* may use it.
*/
}
/*
* Add SOA.
*/
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/*
* Add NXT record if we found one.
*/
if (dns_rdataset_isassociated(rdataset)) {
&tname);
}
goto cleanup;
case DNS_R_NXDOMAIN:
/*
* We hit a dead end following a CNAME or DNAME.
*/
goto cleanup;
}
if (dns_rdataset_isassociated(rdataset)) {
/*
* If we've got a NXT record, we need to save the
* name now because we're going call query_addsoa()
* below, and it needs to use the name buffer.
*/
/*
* We don't want the cleanup code to try to release
* fname if we fail below, so we set it to NULL.
*/
} else {
/*
* We're not going to use fname, and need to release
* our hold on the name buffer so query_addsoa()
* may use it.
*/
}
/*
* Add SOA.
*/
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/*
* Add NXT record if we found one.
*/
if (dns_rdataset_isassociated(rdataset)) {
&tname);
}
/*
* Set message rcode.
*/
goto cleanup;
case DNS_R_NCACHENXDOMAIN:
case DNS_R_NCACHENXRRSET:
/*
* Set message rcode, if required.
*/
if (result == DNS_R_NCACHENXDOMAIN)
/*
* We don't call query_addrrset() because we don't need any
* of its extra features (and things would probably break!).
*/
goto cleanup;
case DNS_R_CNAME:
/*
* Keep a copy of the rdataset. We have to do this because
* query_addrrset may clear 'rdataset' (to prevent the
* cleanup code from cleaning it up).
*/
/*
* Add the CNAME to the answer section.
*/
/*
* We set the PARTIALANSWER attribute so that if anything goes
* wrong later on, we'll return what we've got so far.
*/
/*
* Reset qname to be the target name of the CNAME and restart
* the query.
*/
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
dns_name_fromregion(tname, &r);
goto addauth;
case DNS_R_DNAME:
/*
* Compare the current qname to the found name. We need
* to know how many labels and bits are in common because
* we're going to have to split qname later on.
*/
/*
* Keep a copy of the rdataset. We have to do this because
* query_addrrset may clear 'rdataset' (to prevent the
* cleanup code from cleaning it up).
*/
/*
* Add the DNAME to the answer section.
*/
/*
* We set the PARTIALANSWER attribute so that if anything goes
* wrong later on, we'll return what we've got so far.
*/
/*
* Get the target name of the DNAME.
*/
if (result != ISC_R_SUCCESS)
goto cleanup;
if (result != ISC_R_SUCCESS)
goto cleanup;
dns_name_fromregion(tname, &r);
/*
* Construct the new qname.
*/
if (result != ISC_R_SUCCESS)
goto cleanup;
goto cleanup;
goto cleanup;
if (result != ISC_R_SUCCESS) {
if (result == ISC_R_NOSPACE) {
/*
* RFC 2672, section 4.1, subsection 3c says
* we should return YXDOMAIN if the constructed
* name would be too long.
*/
}
goto cleanup;
}
/*
* Synthesize a CNAME for this DNAME.
*
* We want to synthesize a CNAME since if we don't
* then older software that doesn't understand DNAME
* will not chain like it should.
*
* We do not try to synthesize a signature because we hope
* that security aware servers will understand DNAME. Also,
* even if we had an online key, making a signature
* on-the-fly is costly, and not really legitimate anyway
* since the synthesized CNAME is NOT in the zone.
*/
/*
* Switch to the new qname and restart.
*/
goto addauth;
default:
/*
* Something has gone wrong.
*/
goto cleanup;
}
if (type == dns_rdatatype_any) {
/*
* XXXRTH Need to handle zonecuts with special case
* code.
*/
n = 0;
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
/*
* Calling query_addrrset() with a non-NULL dbuf is going
* to either keep or release the name. We don't want it to
* release fname, since we may have to call query_addrrset()
* more than once. That means we have to call query_keepname()
* now, and pass a NULL dbuf to query_addrrset().
*
* Since we've done the keepname, it's important that we
* set fname to NULL before we leave this 'if' block
* otherwise we might try to cleanup fname even though we've
* kept it!
*/
while (result == ISC_R_SUCCESS) {
if ((qtype == dns_rdatatype_any ||
n++;
/*
* We shouldn't ever fail to add 'rdataset'
* because it's already in the answer.
*/
break;
} else {
/*
* We're not interested in this rdataset.
*/
}
}
/*
* As mentioned above, we must now clear fname since we have
* kept it.
*/
if (n == 0) {
/*
* We didn't match any rdatasets.
*/
if (qtype == dns_rdatatype_sig &&
result == ISC_R_NOMORE) {
/*
* XXXRTH If this is a secure zone and we
* didn't find any SIGs, we should generate
* an error unless we were searching for
* glue. Ugh.
*/
/*
* We were searching for SIG records in
* a nonsecure zone. Send a "no error,
* no data" response.
*/
/*
* Add SOA.
*/
if (result == ISC_R_SUCCESS)
} else {
/*
* Something went wrong.
*/
}
}
if (result != ISC_R_NOMORE) {
goto cleanup;
}
} else {
/*
* This is the "normal" case -- an ordinary question to which
* we know the answer.
*/
/*
* We shouldn't ever fail to add 'rdataset'
* because it's already in the answer.
*/
/*
* Remember that we've answered this question.
*/
}
CTRACE("query_find: addauth");
/*
* Add NS records to the authority section (if we haven't already
* added them to the answer section).
*/
if (!want_restart) {
if (is_zone) {
if (!(qtype == dns_rdatatype_ns &&
dns_db_origin(db))))
} else if (qtype != dns_rdatatype_ns) {
}
}
CTRACE("query_find: cleanup");
/*
* General cleanup.
*/
dns_db_detach(&db);
dns_db_detach(&zdb);
}
/*
* AA bit.
*/
/*
* We're not authoritative, so we must ensure the AA bit
* isn't set.
*/
}
/*
* Restart the query?
*/
goto restart;
}
/*
* We are done. Make a final tweak to the AA bit if the
* auth-nxdomain config option says so, then send the
* response.
*/
}
CTRACE("query_find: done");
}
static inline void
isc_buffer_t b;
char namebuf[DNS_NAME_FORMATSIZE];
char text[256];
isc_region_t r;
return;
/* XXXRTH Allow this to be turned off! */
isc_buffer_availableregion(&b, &r);
if (r.length < 1)
return;
*r.base = ' ';
isc_buffer_add(&b, 1);
return;
}
isc_buffer_usedregion(&b, &r);
}
void
CTRACE("ns_query_start");
/*
* Ensure that appropriate cleanups occur.
*/
/*
* We don't have a cache. Turn off cache support and
* recursion.
*/
/*
* If the client isn't allowed to recurse (due to
* "recursion no", the allow-recursion ACL, or the
* lack of a resolver in this view), or if it
* doesn't want recursion, turn recursion off.
*/
}
/*
* Get the question name.
*/
if (result != ISC_R_SUCCESS) {
return;
}
if (result != ISC_R_NOMORE) {
if (result == ISC_R_SUCCESS) {
/*
* There's more than one QNAME in the question
* section.
*/
} else
return;
}
/*
* Check for illegal meta-classes and meta-types in
* multiple question queries (edns1 section 5.1).
*/
return;
}
return;
}
}
}
/*
* Check for meta-queries like IXFR and AXFR.
*/
case dns_rdatatype_any:
break; /* Let query_find handle it. */
case dns_rdatatype_ixfr:
case dns_rdatatype_axfr:
return;
case dns_rdatatype_maila:
case dns_rdatatype_mailb:
return;
case dns_rdatatype_tkey:
if (result == ISC_R_SUCCESS)
else
return;
default: /* TSIG, etc. */
return;
}
}
}
/*
* If the client has requested that DNSSEC checking be disabled,
* allow lookups to return pending data and instruct the resolver
* to return data before validation has completed.
*/
}
/*
* This is an ordinary query.
*/
if (result != ISC_R_SUCCESS) {
return;
}
/*
* Assume authoritative response until it is known to be
* otherwise.
*/
/*
* Set AD. We need only clear it if we add "pending" data to
* a response.
*/
}