/contrib/bind9/bin/named/query.c
https://bitbucket.org/freebsd/freebsd-head/ · C · 7242 lines · 5285 code · 595 blank · 1362 comment · 1873 complexity · 884d102af774a65093406c7039f80ba4 MD5 · raw file
Large files are truncated click here to view the full file
- /*
- * Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003 Internet Software Consortium.
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
- /* $Id: query.c,v 1.353.8.24 2012/02/07 01:14:39 marka Exp $ */
- /*! \file */
- #include <config.h>
- #include <string.h>
- #include <isc/hex.h>
- #include <isc/mem.h>
- #include <isc/stats.h>
- #include <isc/util.h>
- #include <dns/adb.h>
- #include <dns/byaddr.h>
- #include <dns/db.h>
- #include <dns/dlz.h>
- #include <dns/dns64.h>
- #include <dns/dnssec.h>
- #include <dns/events.h>
- #include <dns/message.h>
- #include <dns/ncache.h>
- #include <dns/nsec3.h>
- #include <dns/order.h>
- #include <dns/rdata.h>
- #include <dns/rdataclass.h>
- #include <dns/rdatalist.h>
- #include <dns/rdataset.h>
- #include <dns/rdatasetiter.h>
- #include <dns/rdatastruct.h>
- #include <dns/rdatatype.h>
- #include <dns/resolver.h>
- #include <dns/result.h>
- #include <dns/stats.h>
- #include <dns/tkey.h>
- #include <dns/view.h>
- #include <dns/zone.h>
- #include <dns/zt.h>
- #include <named/client.h>
- #include <named/globals.h>
- #include <named/log.h>
- #include <named/server.h>
- #include <named/sortlist.h>
- #include <named/xfrout.h>
- #if 0
- /*
- * It has been recommended that DNS64 be changed to return excluded
- * AAAA addresses if DNS64 synthesis does not occur. This minimises
- * the impact on the lookup results. While most DNS AAAA lookups are
- * done to send IP packets to a host, not all of them are and filtering
- * excluded addresses has a negative impact on those uses.
- */
- #define dns64_bis_return_excluded_addresses 1
- #endif
- /*% Partial answer? */
- #define PARTIALANSWER(c) (((c)->query.attributes & \
- NS_QUERYATTR_PARTIALANSWER) != 0)
- /*% Use Cache? */
- #define USECACHE(c) (((c)->query.attributes & \
- NS_QUERYATTR_CACHEOK) != 0)
- /*% Recursion OK? */
- #define RECURSIONOK(c) (((c)->query.attributes & \
- NS_QUERYATTR_RECURSIONOK) != 0)
- /*% Recursing? */
- #define RECURSING(c) (((c)->query.attributes & \
- NS_QUERYATTR_RECURSING) != 0)
- /*% Cache glue ok? */
- #define CACHEGLUEOK(c) (((c)->query.attributes & \
- NS_QUERYATTR_CACHEGLUEOK) != 0)
- /*% Want Recursion? */
- #define WANTRECURSION(c) (((c)->query.attributes & \
- NS_QUERYATTR_WANTRECURSION) != 0)
- /*% Want DNSSEC? */
- #define WANTDNSSEC(c) (((c)->attributes & \
- NS_CLIENTATTR_WANTDNSSEC) != 0)
- /*% No authority? */
- #define NOAUTHORITY(c) (((c)->query.attributes & \
- NS_QUERYATTR_NOAUTHORITY) != 0)
- /*% No additional? */
- #define NOADDITIONAL(c) (((c)->query.attributes & \
- NS_QUERYATTR_NOADDITIONAL) != 0)
- /*% Secure? */
- #define SECURE(c) (((c)->query.attributes & \
- NS_QUERYATTR_SECURE) != 0)
- /*% DNS64 A lookup? */
- #define DNS64(c) (((c)->query.attributes & \
- NS_QUERYATTR_DNS64) != 0)
- #define DNS64EXCLUDE(c) (((c)->query.attributes & \
- NS_QUERYATTR_DNS64EXCLUDE) != 0)
- /*% No QNAME Proof? */
- #define NOQNAME(r) (((r)->attributes & \
- DNS_RDATASETATTR_NOQNAME) != 0)
- #if 0
- #define CTRACE(m) isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_CLIENT, \
- NS_LOGMODULE_QUERY, \
- ISC_LOG_DEBUG(3), \
- "client %p: %s", client, (m))
- #define QTRACE(m) isc_log_write(ns_g_lctx, \
- NS_LOGCATEGORY_GENERAL, \
- NS_LOGMODULE_QUERY, \
- ISC_LOG_DEBUG(3), \
- "query %p: %s", query, (m))
- #else
- #define CTRACE(m) ((void)m)
- #define QTRACE(m) ((void)m)
- #endif
- #define DNS_GETDB_NOEXACT 0x01U
- #define DNS_GETDB_NOLOG 0x02U
- #define DNS_GETDB_PARTIAL 0x04U
- #define DNS_GETDB_IGNOREACL 0x08U
- #define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0)
- typedef struct client_additionalctx {
- ns_client_t *client;
- dns_rdataset_t *rdataset;
- } client_additionalctx_t;
- static isc_result_t
- query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
- static isc_boolean_t
- validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
- static void
- query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
- dns_dbversion_t *version, ns_client_t *client,
- dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
- dns_name_t *fname, isc_boolean_t exact,
- dns_name_t *found);
- static inline void
- log_queryerror(ns_client_t *client, isc_result_t result, int line, int level);
- static void
- rpz_st_clear(ns_client_t *client);
- /*%
- * Increment query statistics counters.
- */
- static inline void
- inc_stats(ns_client_t *client, isc_statscounter_t counter) {
- dns_zone_t *zone = client->query.authzone;
- isc_stats_increment(ns_g_server->nsstats, counter);
- if (zone != NULL) {
- isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
- if (zonestats != NULL)
- isc_stats_increment(zonestats, counter);
- }
- }
- static void
- query_send(ns_client_t *client) {
- isc_statscounter_t counter;
- if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0)
- inc_stats(client, dns_nsstatscounter_nonauthans);
- else
- inc_stats(client, dns_nsstatscounter_authans);
- if (client->message->rcode == dns_rcode_noerror) {
- if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER])) {
- if (client->query.isreferral) {
- counter = dns_nsstatscounter_referral;
- } else {
- counter = dns_nsstatscounter_nxrrset;
- }
- } else {
- counter = dns_nsstatscounter_success;
- }
- } else if (client->message->rcode == dns_rcode_nxdomain) {
- counter = dns_nsstatscounter_nxdomain;
- } else {
- /* We end up here in case of YXDOMAIN, and maybe others */
- counter = dns_nsstatscounter_failure;
- }
- inc_stats(client, counter);
- ns_client_send(client);
- }
- static void
- query_error(ns_client_t *client, isc_result_t result, int line) {
- int loglevel = ISC_LOG_DEBUG(3);
- switch (result) {
- case DNS_R_SERVFAIL:
- loglevel = ISC_LOG_DEBUG(1);
- inc_stats(client, dns_nsstatscounter_servfail);
- break;
- case DNS_R_FORMERR:
- inc_stats(client, dns_nsstatscounter_formerr);
- break;
- default:
- inc_stats(client, dns_nsstatscounter_failure);
- break;
- }
- log_queryerror(client, result, line, loglevel);
- ns_client_error(client, result);
- }
- static void
- query_next(ns_client_t *client, isc_result_t result) {
- if (result == DNS_R_DUPLICATE)
- inc_stats(client, dns_nsstatscounter_duplicate);
- else if (result == DNS_R_DROP)
- inc_stats(client, dns_nsstatscounter_dropped);
- else
- inc_stats(client, dns_nsstatscounter_failure);
- ns_client_next(client, result);
- }
- static inline void
- query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
- ns_dbversion_t *dbversion, *dbversion_next;
- unsigned int i;
- for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
- dbversion != NULL;
- dbversion = dbversion_next, i++)
- {
- dbversion_next = ISC_LIST_NEXT(dbversion, link);
- /*
- * If we're not freeing everything, we keep the first three
- * dbversions structures around.
- */
- if (i > 3 || everything) {
- ISC_LIST_UNLINK(client->query.freeversions, dbversion,
- link);
- isc_mem_put(client->mctx, dbversion,
- sizeof(*dbversion));
- }
- }
- }
- void
- ns_query_cancel(ns_client_t *client) {
- LOCK(&client->query.fetchlock);
- if (client->query.fetch != NULL) {
- dns_resolver_cancelfetch(client->query.fetch);
- client->query.fetch = NULL;
- }
- UNLOCK(&client->query.fetchlock);
- }
- static inline void
- query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
- dns_rdataset_t *rdataset = *rdatasetp;
- CTRACE("query_putrdataset");
- if (rdataset != NULL) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- dns_message_puttemprdataset(client->message, rdatasetp);
- }
- CTRACE("query_putrdataset: done");
- }
- static inline void
- query_reset(ns_client_t *client, isc_boolean_t everything) {
- isc_buffer_t *dbuf, *dbuf_next;
- ns_dbversion_t *dbversion, *dbversion_next;
- /*%
- * Reset the query state of a client to its default state.
- */
- /*
- * Cancel the fetch if it's running.
- */
- ns_query_cancel(client);
- /*
- * Cleanup any active versions.
- */
- for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
- dbversion != NULL;
- dbversion = dbversion_next) {
- dbversion_next = ISC_LIST_NEXT(dbversion, link);
- dns_db_closeversion(dbversion->db, &dbversion->version,
- ISC_FALSE);
- dns_db_detach(&dbversion->db);
- ISC_LIST_INITANDAPPEND(client->query.freeversions,
- dbversion, link);
- }
- ISC_LIST_INIT(client->query.activeversions);
- if (client->query.authdb != NULL)
- dns_db_detach(&client->query.authdb);
- if (client->query.authzone != NULL)
- dns_zone_detach(&client->query.authzone);
- if (client->query.dns64_aaaa != NULL)
- query_putrdataset(client, &client->query.dns64_aaaa);
- if (client->query.dns64_sigaaaa != NULL)
- query_putrdataset(client, &client->query.dns64_sigaaaa);
- if (client->query.dns64_aaaaok != NULL) {
- isc_mem_put(client->mctx, client->query.dns64_aaaaok,
- client->query.dns64_aaaaoklen *
- sizeof(isc_boolean_t));
- client->query.dns64_aaaaok = NULL;
- client->query.dns64_aaaaoklen = 0;
- }
- query_freefreeversions(client, everything);
- for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
- dbuf != NULL;
- dbuf = dbuf_next) {
- dbuf_next = ISC_LIST_NEXT(dbuf, link);
- if (dbuf_next != NULL || everything) {
- ISC_LIST_UNLINK(client->query.namebufs, dbuf, link);
- isc_buffer_free(&dbuf);
- }
- }
- if (client->query.restarts > 0) {
- /*
- * client->query.qname was dynamically allocated.
- */
- dns_message_puttempname(client->message,
- &client->query.qname);
- }
- client->query.qname = NULL;
- client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
- NS_QUERYATTR_CACHEOK |
- NS_QUERYATTR_SECURE);
- client->query.restarts = 0;
- client->query.timerset = ISC_FALSE;
- if (client->query.rpz_st != NULL) {
- rpz_st_clear(client);
- if (everything) {
- isc_mem_put(client->mctx, client->query.rpz_st,
- sizeof(*client->query.rpz_st));
- client->query.rpz_st = NULL;
- }
- }
- client->query.origqname = NULL;
- client->query.dboptions = 0;
- client->query.fetchoptions = 0;
- client->query.gluedb = NULL;
- client->query.authdbset = ISC_FALSE;
- client->query.isreferral = ISC_FALSE;
- client->query.dns64_options = 0;
- client->query.dns64_ttl = ISC_UINT32_MAX;
- }
- static void
- query_next_callback(ns_client_t *client) {
- query_reset(client, ISC_FALSE);
- }
- void
- ns_query_free(ns_client_t *client) {
- query_reset(client, ISC_TRUE);
- }
- static inline isc_result_t
- query_newnamebuf(ns_client_t *client) {
- isc_buffer_t *dbuf;
- isc_result_t result;
- CTRACE("query_newnamebuf");
- /*%
- * Allocate a name buffer.
- */
- dbuf = NULL;
- result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
- return (result);
- }
- ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
- CTRACE("query_newnamebuf: done");
- return (ISC_R_SUCCESS);
- }
- static inline isc_buffer_t *
- query_getnamebuf(ns_client_t *client) {
- isc_buffer_t *dbuf;
- isc_result_t result;
- isc_region_t r;
- CTRACE("query_getnamebuf");
- /*%
- * Return a name buffer with space for a maximal name, allocating
- * a new one if necessary.
- */
- if (ISC_LIST_EMPTY(client->query.namebufs)) {
- result = query_newnamebuf(client);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_getnamebuf: query_newnamebuf failed: done");
- return (NULL);
- }
- }
- dbuf = ISC_LIST_TAIL(client->query.namebufs);
- INSIST(dbuf != NULL);
- isc_buffer_availableregion(dbuf, &r);
- if (r.length < 255) {
- result = query_newnamebuf(client);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_getnamebuf: query_newnamebuf failed: done");
- return (NULL);
- }
- dbuf = ISC_LIST_TAIL(client->query.namebufs);
- isc_buffer_availableregion(dbuf, &r);
- INSIST(r.length >= 255);
- }
- CTRACE("query_getnamebuf: done");
- return (dbuf);
- }
- static inline void
- query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
- isc_region_t r;
- CTRACE("query_keepname");
- /*%
- * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
- * adjusted to take account of that. We do the adjustment.
- */
- REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0);
- dns_name_toregion(name, &r);
- isc_buffer_add(dbuf, r.length);
- dns_name_setbuffer(name, NULL);
- client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
- }
- static inline void
- query_releasename(ns_client_t *client, dns_name_t **namep) {
- dns_name_t *name = *namep;
- /*%
- * 'name' is no longer needed. Return it to our pool of temporary
- * names. If it is using a name buffer, relinquish its exclusive
- * rights on the buffer.
- */
- CTRACE("query_releasename");
- if (dns_name_hasbuffer(name)) {
- INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
- != 0);
- client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
- }
- dns_message_puttempname(client->message, namep);
- CTRACE("query_releasename: done");
- }
- static inline dns_name_t *
- query_newname(ns_client_t *client, isc_buffer_t *dbuf,
- isc_buffer_t *nbuf)
- {
- dns_name_t *name;
- isc_region_t r;
- isc_result_t result;
- REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
- CTRACE("query_newname");
- name = NULL;
- result = dns_message_gettempname(client->message, &name);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_newname: dns_message_gettempname failed: done");
- return (NULL);
- }
- isc_buffer_availableregion(dbuf, &r);
- isc_buffer_init(nbuf, r.base, r.length);
- dns_name_init(name, NULL);
- dns_name_setbuffer(name, nbuf);
- client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
- CTRACE("query_newname: done");
- return (name);
- }
- static inline dns_rdataset_t *
- query_newrdataset(ns_client_t *client) {
- dns_rdataset_t *rdataset;
- isc_result_t result;
- CTRACE("query_newrdataset");
- rdataset = NULL;
- result = dns_message_gettemprdataset(client->message, &rdataset);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_newrdataset: "
- "dns_message_gettemprdataset failed: done");
- return (NULL);
- }
- dns_rdataset_init(rdataset);
- CTRACE("query_newrdataset: done");
- return (rdataset);
- }
- static inline isc_result_t
- query_newdbversion(ns_client_t *client, unsigned int n) {
- unsigned int i;
- ns_dbversion_t *dbversion;
- for (i = 0; i < n; i++) {
- dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
- if (dbversion != NULL) {
- dbversion->db = NULL;
- dbversion->version = NULL;
- ISC_LIST_INITANDAPPEND(client->query.freeversions,
- dbversion, link);
- } else {
- /*
- * We only return ISC_R_NOMEMORY if we couldn't
- * allocate anything.
- */
- if (i == 0)
- return (ISC_R_NOMEMORY);
- else
- return (ISC_R_SUCCESS);
- }
- }
- return (ISC_R_SUCCESS);
- }
- static inline ns_dbversion_t *
- query_getdbversion(ns_client_t *client) {
- isc_result_t result;
- ns_dbversion_t *dbversion;
- if (ISC_LIST_EMPTY(client->query.freeversions)) {
- result = query_newdbversion(client, 1);
- if (result != ISC_R_SUCCESS)
- return (NULL);
- }
- dbversion = ISC_LIST_HEAD(client->query.freeversions);
- INSIST(dbversion != NULL);
- ISC_LIST_UNLINK(client->query.freeversions, dbversion, link);
- return (dbversion);
- }
- isc_result_t
- ns_query_init(ns_client_t *client) {
- isc_result_t result;
- ISC_LIST_INIT(client->query.namebufs);
- ISC_LIST_INIT(client->query.activeversions);
- ISC_LIST_INIT(client->query.freeversions);
- client->query.restarts = 0;
- client->query.timerset = ISC_FALSE;
- client->query.rpz_st = NULL;
- client->query.qname = NULL;
- result = isc_mutex_init(&client->query.fetchlock);
- if (result != ISC_R_SUCCESS)
- return (result);
- client->query.fetch = NULL;
- client->query.authdb = NULL;
- client->query.authzone = NULL;
- client->query.authdbset = ISC_FALSE;
- client->query.isreferral = ISC_FALSE;
- client->query.dns64_aaaa = NULL;
- client->query.dns64_sigaaaa = NULL;
- client->query.dns64_aaaaok = NULL;
- client->query.dns64_aaaaoklen = 0;
- query_reset(client, ISC_FALSE);
- result = query_newdbversion(client, 3);
- if (result != ISC_R_SUCCESS) {
- DESTROYLOCK(&client->query.fetchlock);
- return (result);
- }
- result = query_newnamebuf(client);
- if (result != ISC_R_SUCCESS)
- query_freefreeversions(client, ISC_TRUE);
- return (result);
- }
- static inline ns_dbversion_t *
- query_findversion(ns_client_t *client, dns_db_t *db)
- {
- ns_dbversion_t *dbversion;
- /*%
- * We may already have done a query related to this
- * database. If so, we must be sure to make subsequent
- * queries from the same version.
- */
- for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
- dbversion != NULL;
- dbversion = ISC_LIST_NEXT(dbversion, link)) {
- if (dbversion->db == db)
- break;
- }
- if (dbversion == NULL) {
- /*
- * This is a new zone for this query. Add it to
- * the active list.
- */
- dbversion = query_getdbversion(client);
- if (dbversion == NULL)
- return (NULL);
- dns_db_attach(db, &dbversion->db);
- dns_db_currentversion(db, &dbversion->version);
- dbversion->acl_checked = ISC_FALSE;
- dbversion->queryok = ISC_FALSE;
- ISC_LIST_APPEND(client->query.activeversions,
- dbversion, link);
- }
- return (dbversion);
- }
- static inline isc_result_t
- query_validatezonedb(ns_client_t *client, dns_name_t *name,
- dns_rdatatype_t qtype, unsigned int options,
- dns_zone_t *zone, dns_db_t *db,
- dns_dbversion_t **versionp)
- {
- isc_result_t result;
- dns_acl_t *queryacl;
- ns_dbversion_t *dbversion;
- REQUIRE(zone != NULL);
- REQUIRE(db != NULL);
- /*
- * This limits our searching to the zone where the first name
- * (the query target) was looked for. This prevents following
- * CNAMES or DNAMES into other zones and prevents returning
- * additional data from other zones.
- */
- if (!client->view->additionalfromauth &&
- client->query.authdbset &&
- db != client->query.authdb)
- return (DNS_R_REFUSED);
- /*
- * Non recursive query to a static-stub zone is prohibited; its
- * zone content is not public data, but a part of local configuration
- * and should not be disclosed.
- */
- if (dns_zone_gettype(zone) == dns_zone_staticstub &&
- !RECURSIONOK(client)) {
- return (DNS_R_REFUSED);
- }
- /*
- * If the zone has an ACL, we'll check it, otherwise
- * we use the view's "allow-query" ACL. Each ACL is only checked
- * once per query.
- *
- * Also, get the database version to use.
- */
- /*
- * Get the current version of this database.
- */
- dbversion = query_findversion(client, db);
- if (dbversion == NULL)
- return (DNS_R_SERVFAIL);
- if ((options & DNS_GETDB_IGNOREACL) != 0)
- goto approved;
- if (dbversion->acl_checked) {
- if (!dbversion->queryok)
- return (DNS_R_REFUSED);
- goto approved;
- }
- queryacl = dns_zone_getqueryacl(zone);
- if (queryacl == NULL) {
- queryacl = client->view->queryacl;
- if ((client->query.attributes &
- NS_QUERYATTR_QUERYOKVALID) != 0) {
- /*
- * We've evaluated the view's queryacl already. If
- * NS_QUERYATTR_QUERYOK is set, then the client is
- * allowed to make queries, otherwise the query should
- * be refused.
- */
- dbversion->acl_checked = ISC_TRUE;
- if ((client->query.attributes &
- NS_QUERYATTR_QUERYOK) == 0) {
- dbversion->queryok = ISC_FALSE;
- return (DNS_R_REFUSED);
- }
- dbversion->queryok = ISC_TRUE;
- goto approved;
- }
- }
- result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
- if ((options & DNS_GETDB_NOLOG) == 0) {
- char msg[NS_CLIENT_ACLMSGSIZE("query")];
- if (result == ISC_R_SUCCESS) {
- if (isc_log_wouldlog(ns_g_lctx, ISC_LOG_DEBUG(3))) {
- ns_client_aclmsg("query", name, qtype,
- client->view->rdclass,
- msg, sizeof(msg));
- ns_client_log(client,
- DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY,
- ISC_LOG_DEBUG(3),
- "%s approved", msg);
- }
- } else {
- ns_client_aclmsg("query", name, qtype,
- client->view->rdclass,
- msg, sizeof(msg));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY, ISC_LOG_INFO,
- "%s denied", msg);
- }
- }
- if (queryacl == client->view->queryacl) {
- if (result == ISC_R_SUCCESS) {
- /*
- * We were allowed by the default
- * "allow-query" ACL. Remember this so we
- * don't have to check again.
- */
- client->query.attributes |= NS_QUERYATTR_QUERYOK;
- }
- /*
- * We've now evaluated the view's query ACL, and
- * the NS_QUERYATTR_QUERYOK attribute is now valid.
- */
- client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
- }
- dbversion->acl_checked = ISC_TRUE;
- if (result != ISC_R_SUCCESS) {
- dbversion->queryok = ISC_FALSE;
- return (DNS_R_REFUSED);
- }
- dbversion->queryok = ISC_TRUE;
- approved:
- /* Transfer ownership, if necessary. */
- if (versionp != NULL)
- *versionp = dbversion->version;
- return (ISC_R_SUCCESS);
- }
- static inline isc_result_t
- query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
- unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
- dns_dbversion_t **versionp)
- {
- isc_result_t result;
- unsigned int ztoptions;
- dns_zone_t *zone = NULL;
- dns_db_t *db = NULL;
- isc_boolean_t partial = ISC_FALSE;
- REQUIRE(zonep != NULL && *zonep == NULL);
- REQUIRE(dbp != NULL && *dbp == NULL);
- /*%
- * Find a zone database to answer the query.
- */
- ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
- DNS_ZTFIND_NOEXACT : 0;
- result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
- &zone);
- if (result == DNS_R_PARTIALMATCH)
- partial = ISC_TRUE;
- if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
- result = dns_zone_getdb(zone, &db);
- if (result != ISC_R_SUCCESS)
- goto fail;
- result = query_validatezonedb(client, name, qtype, options, zone, db,
- versionp);
- if (result != ISC_R_SUCCESS)
- goto fail;
- /* Transfer ownership. */
- *zonep = zone;
- *dbp = db;
- if (partial && (options & DNS_GETDB_PARTIAL) != 0)
- return (DNS_R_PARTIALMATCH);
- return (ISC_R_SUCCESS);
- fail:
- if (zone != NULL)
- dns_zone_detach(&zone);
- if (db != NULL)
- dns_db_detach(&db);
- return (result);
- }
- static void
- rpz_log_rewrite(ns_client_t *client, const char *disabled,
- dns_rpz_policy_t policy, dns_rpz_type_t type,
- dns_name_t *rpz_qname) {
- char qname_buf[DNS_NAME_FORMATSIZE];
- char rpz_qname_buf[DNS_NAME_FORMATSIZE];
- if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
- return;
- dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf));
- dns_name_format(rpz_qname, rpz_qname_buf, sizeof(rpz_qname_buf));
- ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
- DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s",
- disabled,
- dns_rpz_type2str(type), dns_rpz_policy2str(policy),
- qname_buf, rpz_qname_buf);
- }
- static void
- rpz_log_fail(ns_client_t *client, int level,
- dns_rpz_type_t rpz_type, dns_name_t *name,
- const char *str, isc_result_t result)
- {
- char namebuf1[DNS_NAME_FORMATSIZE];
- char namebuf2[DNS_NAME_FORMATSIZE];
- if (!isc_log_wouldlog(ns_g_lctx, level))
- return;
- dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
- dns_name_format(name, namebuf2, sizeof(namebuf2));
- ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
- NS_LOGMODULE_QUERY, level,
- "rpz %s rewrite %s via %s %sfailed: %s",
- dns_rpz_type2str(rpz_type),
- namebuf1, namebuf2, str, isc_result_totext(result));
- }
- /*
- * Get a policy rewrite zone database.
- */
- static isc_result_t
- rpz_getdb(ns_client_t *client, dns_rpz_type_t rpz_type, dns_name_t *rpz_qname,
- dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp)
- {
- char namebuf1[DNS_NAME_FORMATSIZE];
- char namebuf2[DNS_NAME_FORMATSIZE];
- dns_dbversion_t *rpz_version = NULL;
- isc_result_t result;
- result = query_getzonedb(client, rpz_qname, dns_rdatatype_any,
- DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version);
- if (result == ISC_R_SUCCESS) {
- if (isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) {
- dns_name_format(client->query.qname, namebuf1,
- sizeof(namebuf1));
- dns_name_format(rpz_qname, namebuf2, sizeof(namebuf2));
- ns_client_log(client, DNS_LOGCATEGORY_RPZ,
- NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2,
- "try rpz %s rewrite %s via %s",
- dns_rpz_type2str(rpz_type),
- namebuf1, namebuf2);
- }
- *versionp = rpz_version;
- return (ISC_R_SUCCESS);
- }
- rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, rpz_qname,
- "query_getzonedb() ", result);
- return (result);
- }
- static inline isc_result_t
- query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
- dns_db_t **dbp, unsigned int options)
- {
- isc_result_t result;
- isc_boolean_t check_acl;
- dns_db_t *db = NULL;
- REQUIRE(dbp != NULL && *dbp == NULL);
- /*%
- * Find a cache database to answer the query.
- * This may fail with DNS_R_REFUSED if the client
- * is not allowed to use the cache.
- */
- if (!USECACHE(client))
- return (DNS_R_REFUSED);
- dns_db_attach(client->view->cachedb, &db);
- if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) != 0) {
- /*
- * We've evaluated the view's cacheacl already. If
- * NS_QUERYATTR_CACHEACLOK is set, then the client is
- * allowed to make queries, otherwise the query should
- * be refused.
- */
- check_acl = ISC_FALSE;
- if ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) == 0)
- goto refuse;
- } else {
- /*
- * We haven't evaluated the view's queryacl yet.
- */
- check_acl = ISC_TRUE;
- }
- if (check_acl) {
- isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
- char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
- result = ns_client_checkaclsilent(client, NULL,
- client->view->cacheacl,
- ISC_TRUE);
- if (result == ISC_R_SUCCESS) {
- /*
- * We were allowed by the "allow-query-cache" ACL.
- * Remember this so we don't have to check again.
- */
- client->query.attributes |=
- NS_QUERYATTR_CACHEACLOK;
- if (log && isc_log_wouldlog(ns_g_lctx,
- ISC_LOG_DEBUG(3)))
- {
- ns_client_aclmsg("query (cache)", name, qtype,
- client->view->rdclass,
- msg, sizeof(msg));
- ns_client_log(client,
- DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY,
- ISC_LOG_DEBUG(3),
- "%s approved", msg);
- }
- } else if (log) {
- ns_client_aclmsg("query (cache)", name, qtype,
- client->view->rdclass, msg,
- sizeof(msg));
- ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
- NS_LOGMODULE_QUERY, ISC_LOG_INFO,
- "%s denied", msg);
- }
- /*
- * We've now evaluated the view's query ACL, and
- * the NS_QUERYATTR_CACHEACLOKVALID attribute is now valid.
- */
- client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID;
- if (result != ISC_R_SUCCESS)
- goto refuse;
- }
- /* Approved. */
- /* Transfer ownership. */
- *dbp = db;
- return (ISC_R_SUCCESS);
- refuse:
- result = DNS_R_REFUSED;
- if (db != NULL)
- dns_db_detach(&db);
- return (result);
- }
- static inline isc_result_t
- query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
- unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
- dns_dbversion_t **versionp, isc_boolean_t *is_zonep)
- {
- isc_result_t result;
- isc_result_t tresult;
- unsigned int namelabels;
- unsigned int zonelabels;
- dns_zone_t *zone = NULL;
- dns_db_t *tdbp;
- REQUIRE(zonep != NULL && *zonep == NULL);
- tdbp = NULL;
- /* Calculate how many labels are in name. */
- namelabels = dns_name_countlabels(name);
- zonelabels = 0;
- /* Try to find name in bind's standard database. */
- result = query_getzonedb(client, name, qtype, options, &zone,
- dbp, versionp);
- /* See how many labels are in the zone's name. */
- if (result == ISC_R_SUCCESS && zone != NULL)
- zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
- /*
- * If # zone labels < # name labels, try to find an even better match
- * Only try if a DLZ driver is loaded for this view
- */
- if (zonelabels < namelabels && client->view->dlzdatabase != NULL) {
- tresult = dns_dlzfindzone(client->view, name,
- zonelabels, &tdbp);
- /* If we successful, we found a better match. */
- if (tresult == ISC_R_SUCCESS) {
- /*
- * If the previous search returned a zone, detach it.
- */
- if (zone != NULL)
- dns_zone_detach(&zone);
- /*
- * If the previous search returned a database,
- * detach it.
- */
- if (*dbp != NULL)
- dns_db_detach(dbp);
- /*
- * If the previous search returned a version, clear it.
- */
- *versionp = NULL;
- /*
- * Get our database version.
- */
- dns_db_currentversion(tdbp, versionp);
- /*
- * Be sure to return our database.
- */
- *dbp = tdbp;
- /*
- * We return a null zone, No stats for DLZ zones.
- */
- zone = NULL;
- result = tresult;
- }
- }
- /* If successful, Transfer ownership of zone. */
- if (result == ISC_R_SUCCESS) {
- *zonep = zone;
- /*
- * If neither attempt above succeeded, return the cache instead
- */
- *is_zonep = ISC_TRUE;
- } else if (result == ISC_R_NOTFOUND) {
- result = query_getcachedb(client, name, qtype, dbp, options);
- *is_zonep = ISC_FALSE;
- }
- return (result);
- }
- static inline isc_boolean_t
- query_isduplicate(ns_client_t *client, dns_name_t *name,
- dns_rdatatype_t type, dns_name_t **mnamep)
- {
- dns_section_t section;
- dns_name_t *mname = NULL;
- isc_result_t result;
- CTRACE("query_isduplicate");
- for (section = DNS_SECTION_ANSWER;
- section <= DNS_SECTION_ADDITIONAL;
- section++) {
- result = dns_message_findname(client->message, section,
- name, type, 0, &mname, NULL);
- if (result == ISC_R_SUCCESS) {
- /*
- * We've already got this RRset in the response.
- */
- CTRACE("query_isduplicate: true: done");
- return (ISC_TRUE);
- } else if (result == DNS_R_NXRRSET) {
- /*
- * The name exists, but the rdataset does not.
- */
- if (section == DNS_SECTION_ADDITIONAL)
- break;
- } else
- RUNTIME_CHECK(result == DNS_R_NXDOMAIN);
- mname = NULL;
- }
- if (mnamep != NULL)
- *mnamep = mname;
- CTRACE("query_isduplicate: false: done");
- return (ISC_FALSE);
- }
- static isc_result_t
- query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
- ns_client_t *client = arg;
- isc_result_t result, eresult;
- dns_dbnode_t *node;
- dns_db_t *db;
- dns_name_t *fname, *mname;
- dns_rdataset_t *rdataset, *sigrdataset, *trdataset;
- isc_buffer_t *dbuf;
- isc_buffer_t b;
- dns_dbversion_t *version;
- isc_boolean_t added_something, need_addname;
- dns_zone_t *zone;
- dns_rdatatype_t type;
- REQUIRE(NS_CLIENT_VALID(client));
- REQUIRE(qtype != dns_rdatatype_any);
- if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
- return (ISC_R_SUCCESS);
- CTRACE("query_addadditional");
- /*
- * Initialization.
- */
- eresult = ISC_R_SUCCESS;
- fname = NULL;
- rdataset = NULL;
- sigrdataset = NULL;
- trdataset = NULL;
- db = NULL;
- version = NULL;
- node = NULL;
- added_something = ISC_FALSE;
- need_addname = ISC_FALSE;
- zone = NULL;
- /*
- * We treat type A additional section processing as if it
- * were "any address type" additional section processing.
- * To avoid multiple lookups, we do an 'any' database
- * lookup and iterate over the node.
- */
- if (qtype == dns_rdatatype_a)
- type = dns_rdatatype_any;
- else
- type = qtype;
- /*
- * Get some resources.
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- goto cleanup;
- fname = query_newname(client, dbuf, &b);
- rdataset = query_newrdataset(client);
- if (fname == NULL || rdataset == NULL)
- goto cleanup;
- if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL)
- goto cleanup;
- }
- /*
- * Look for a zone database that might contain authoritative
- * additional data.
- */
- result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
- &zone, &db, &version);
- if (result != ISC_R_SUCCESS)
- goto try_cache;
- CTRACE("query_addadditional: db_find");
- /*
- * Since we are looking for authoritative data, we do not set
- * the GLUEOK flag. Glue will be looked for later, but not
- * necessarily in the same database.
- */
- node = NULL;
- result = dns_db_find(db, name, version, type, client->query.dboptions,
- client->now, &node, fname, rdataset,
- sigrdataset);
- if (result == ISC_R_SUCCESS) {
- if (sigrdataset != NULL && !dns_db_issecure(db) &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- goto found;
- }
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- version = NULL;
- dns_db_detach(&db);
- /*
- * No authoritative data was found. The cache is our next best bet.
- */
- try_cache:
- result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
- if (result != ISC_R_SUCCESS)
- /*
- * Most likely the client isn't allowed to query the cache.
- */
- goto try_glue;
- /*
- * Attempt to validate glue.
- */
- if (sigrdataset == NULL) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL)
- goto cleanup;
- }
- result = dns_db_find(db, name, version, type,
- client->query.dboptions |
- DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK,
- client->now, &node, fname, rdataset,
- sigrdataset);
- if (result == DNS_R_GLUE &&
- validate(client, db, fname, rdataset, sigrdataset))
- result = ISC_R_SUCCESS;
- if (!WANTDNSSEC(client))
- query_putrdataset(client, &sigrdataset);
- if (result == ISC_R_SUCCESS)
- goto found;
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- dns_db_detach(&db);
- try_glue:
- /*
- * No cached data was found. Glue is our last chance.
- * RFC1035 sayeth:
- *
- * NS records cause both the usual additional section
- * processing to locate a type A record, and, when used
- * in a referral, a special search of the zone in which
- * they reside for glue information.
- *
- * This is the "special search". Note that we must search
- * the zone where the NS record resides, not the zone it
- * points to, and that we only do the search in the delegation
- * case (identified by client->query.gluedb being set).
- */
- if (client->query.gluedb == NULL)
- goto cleanup;
- /*
- * Don't poison caches using the bailiwick protection model.
- */
- if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
- goto cleanup;
- dns_db_attach(client->query.gluedb, &db);
- result = dns_db_find(db, name, version, type,
- client->query.dboptions | DNS_DBFIND_GLUEOK,
- client->now, &node, fname, rdataset,
- sigrdataset);
- if (!(result == ISC_R_SUCCESS ||
- result == DNS_R_ZONECUT ||
- result == DNS_R_GLUE))
- goto cleanup;
- found:
- /*
- * We have found a potential additional data rdataset, or
- * at least a node to iterate over.
- */
- query_keepname(client, fname, dbuf);
- /*
- * If we have an rdataset, add it to the additional data
- * section.
- */
- mname = NULL;
- if (dns_rdataset_isassociated(rdataset) &&
- !query_isduplicate(client, fname, type, &mname)) {
- if (mname != NULL) {
- INSIST(mname != fname);
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
- ISC_LIST_APPEND(fname->list, rdataset, link);
- trdataset = rdataset;
- rdataset = NULL;
- added_something = ISC_TRUE;
- /*
- * Note: we only add SIGs if we've added the type they cover,
- * so we do not need to check if the SIG rdataset is already
- * in the response.
- */
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- {
- ISC_LIST_APPEND(fname->list, sigrdataset, link);
- sigrdataset = NULL;
- }
- }
- if (qtype == dns_rdatatype_a) {
- #ifdef ALLOW_FILTER_AAAA_ON_V4
- isc_boolean_t have_a = ISC_FALSE;
- #endif
- /*
- * We now go looking for A and AAAA records, along with
- * their signatures.
- *
- * XXXRTH This code could be more efficient.
- */
- if (rdataset != NULL) {
- if (dns_rdataset_isassociated(rdataset))
- dns_rdataset_disassociate(rdataset);
- } else {
- rdataset = query_newrdataset(client);
- if (rdataset == NULL)
- goto addname;
- }
- if (sigrdataset != NULL) {
- if (dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- } else if (WANTDNSSEC(client)) {
- sigrdataset = query_newrdataset(client);
- if (sigrdataset == NULL)
- goto addname;
- }
- if (query_isduplicate(client, fname, dns_rdatatype_a, NULL))
- goto aaaa_lookup;
- result = dns_db_findrdataset(db, node, version,
- dns_rdatatype_a, 0,
- client->now, rdataset,
- sigrdataset);
- if (result == DNS_R_NCACHENXDOMAIN)
- goto addname;
- if (result == DNS_R_NCACHENXRRSET) {
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- }
- if (result == ISC_R_SUCCESS) {
- mname = NULL;
- #ifdef ALLOW_FILTER_AAAA_ON_V4
- have_a = ISC_TRUE;
- #endif
- if (!query_isduplicate(client, fname,
- dns_rdatatype_a, &mname)) {
- if (mname != fname) {
- if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
- }
- ISC_LIST_APPEND(fname->list, rdataset, link);
- added_something = ISC_TRUE;
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- {
- ISC_LIST_APPEND(fname->list,
- sigrdataset, link);
- sigrdataset =
- query_newrdataset(client);
- }
- rdataset = query_newrdataset(client);
- if (rdataset == NULL)
- goto addname;
- if (WANTDNSSEC(client) && sigrdataset == NULL)
- goto addname;
- } else {
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- }
- }
- aaaa_lookup:
- if (query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
- goto addname;
- result = dns_db_findrdataset(db, node, version,
- dns_rdatatype_aaaa, 0,
- client->now, rdataset,
- sigrdataset);
- if (result == DNS_R_NCACHENXDOMAIN)
- goto addname;
- if (result == DNS_R_NCACHENXRRSET) {
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- }
- if (result == ISC_R_SUCCESS) {
- mname = NULL;
- /*
- * There's an A; check whether we're filtering AAAA
- */
- #ifdef ALLOW_FILTER_AAAA_ON_V4
- if (have_a &&
- (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
- (client->filter_aaaa == dns_v4_aaaa_filter &&
- (!WANTDNSSEC(client) || sigrdataset == NULL ||
- !dns_rdataset_isassociated(sigrdataset)))))
- goto addname;
- #endif
- if (!query_isduplicate(client, fname,
- dns_rdatatype_aaaa, &mname)) {
- if (mname != fname) {
- if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
- }
- ISC_LIST_APPEND(fname->list, rdataset, link);
- added_something = ISC_TRUE;
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- {
- ISC_LIST_APPEND(fname->list,
- sigrdataset, link);
- sigrdataset = NULL;
- }
- rdataset = NULL;
- }
- }
- }
- addname:
- CTRACE("query_addadditional: addname");
- /*
- * If we haven't added anything, then we're done.
- */
- if (!added_something)
- goto cleanup;
- /*
- * We may have added our rdatasets to an existing name, if so, then
- * need_addname will be ISC_FALSE. Whether we used an existing name
- * or a new one, we must set fname to NULL to prevent cleanup.
- */
- if (need_addname)
- dns_message_addname(client->message, fname,
- DNS_SECTION_ADDITIONAL);
- fname = NULL;
- /*
- * In a few cases, we want to add additional data for additional
- * data. It's simpler to just deal with special cases here than
- * to try to create a general purpose mechanism and allow the
- * rdata implementations to do it themselves.
- *
- * This involves recursion, but the depth is limited. The
- * most complex case is adding a SRV rdataset, which involves
- * recursing to add address records, which in turn can cause
- * recursion to add KEYs.
- */
- if (type == dns_rdatatype_srv && trdataset != NULL) {
- /*
- * If we're adding SRV records to the additional data
- * section, it's helpful if we add the SRV additional data
- * as well.
- */
- eresult = dns_rdataset_additionaldata(trdataset,
- query_addadditional,
- client);
- }
- cleanup:
- CTRACE("query_addadditional: cleanup");
- query_putrdataset(client, &rdataset);
- if (sigrdataset != NULL)
- query_putrdataset(client, &sigrdataset);
- if (fname != NULL)
- query_releasename(client, &fname);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- if (db != NULL)
- dns_db_detach(&db);
- if (zone != NULL)
- dns_zone_detach(&zone);
- CTRACE("query_addadditional: done");
- return (eresult);
- }
- static inline void
- query_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base,
- dns_rdatasetadditional_t additionaltype,
- dns_rdatatype_t type, dns_zone_t **zonep, dns_db_t **dbp,
- dns_dbversion_t **versionp, dns_dbnode_t **nodep,
- dns_name_t *fname)
- {
- dns_rdataset_t *rdataset;
- while ((rdataset = ISC_LIST_HEAD(fname->list)) != NULL) {
- ISC_LIST_UNLINK(fname->list, rdataset, link);
- query_putrdataset(client, &rdataset);
- }
- if (*versionp != NULL)
- dns_db_closeversion(*dbp, versionp, ISC_FALSE);
- if (*nodep != NULL)
- dns_db_detachnode(*dbp, nodep);
- if (*dbp != NULL)
- dns_db_detach(dbp);
- if (*zonep != NULL)
- dns_zone_detach(zonep);
- (void)dns_rdataset_putadditional(client->view->acache, rdataset_base,
- additionaltype, type);
- }
- static inline isc_result_t
- query_iscachevalid(dns_zone_t *zone, dns_db_t *db, dns_db_t *db0,
- dns_dbversion_t *version)
- {
- isc_result_t result = ISC_R_SUCCESS;
- dns_dbversion_t *version_current = NULL;
- dns_db_t *db_current = db0;
- if (db_current == NULL) {
- result = dns_zone_getdb(zone, &db_current);
- if (result != ISC_R_SUCCESS)
- return (result);
- }
- dns_db_currentversion(db_current, &version_current);
- if (db_current != db || version_current != version) {
- result = ISC_R_FAILURE;
- goto cleanup;
- }
- cleanup:
- dns_db_closeversion(db_current, &version_current, ISC_FALSE);
- if (db0 == NULL && db_current != NULL)
- dns_db_detach(&db_current);
- return (result);
- }
- static isc_result_t
- query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
- client_additionalctx_t *additionalctx = arg;
- dns_rdataset_t *rdataset_base;
- ns_client_t *client;
- isc_result_t result, eresult;
- dns_dbnode_t *node, *cnode;
- dns_db_t *db, *cdb;
- dns_name_t *fname, *mname0, cfname;
- dns_rdataset_t *rdataset, *sigrdataset;
- dns_rdataset_t *crdataset, *crdataset_next;
- isc_buffer_t *dbuf;
- isc_buffer_t b;
- dns_dbversion_t *version, *cversion;
- isc_boolean_t added_something, need_addname, needadditionalcache;
- isc_boolean_t need_sigrrset;
- dns_zone_t *zone;
- dns_rdatatype_t type;
- dns_rdatasetadditional_t additionaltype;
- /*
- * If we don't have an additional cache call query_addadditional.
- */
- client = additionalctx->client;
- REQUIRE(NS_CLIENT_VALID(client));
- if (qtype != dns_rdatatype_a || client->view->acache == NULL) {
- /*
- * This function is optimized for "address" types. For other
- * types, use a generic routine.
- * XXX: ideally, this function should be generic enough.
- */
- return (query_addadditional(additionalctx->client,
- name, qtype));
- }
- /*
- * Initialization.
- */
- rdataset_base = additionalctx->rdataset;
- eresult = ISC_R_SUCCESS;
- fname = NULL;
- rdataset = NULL;
- sigrdataset = NULL;
- db = NULL;
- cdb = NULL;
- version = NULL;
- cversion = NULL;
- node = NULL;
- cnode = NULL;
- added_something = ISC_FALSE;
- need_addname = ISC_FALSE;
- zone = NULL;
- needadditionalcache = ISC_FALSE;
- POST(needadditionalcache);
- additionaltype = dns_rdatasetadditional_fromauth;
- dns_name_init(&cfname, NULL);
- CTRACE("query_addadditional2");
- /*
- * We treat type A additional section processing as if it
- * were "any address type" additional section processing.
- * To avoid multiple lookups, we do an 'any' database
- * lookup and iterate over the node.
- * XXXJT: this approach can cause a suboptimal result when the cache
- * DB only has partial address types and the glue DB has remaining
- * ones.
- */
- type = dns_rdatatype_any;
- /*
- * Get some resources.
- */
- dbuf = query_getnamebuf(client);
- if (dbuf == NULL)
- goto cleanup;
- fname = query_newname(client, dbuf, &b);
- if (fname == NULL)
- goto cleanup;
- dns_name_setbuffer(&cfname, &b); /* share the buffer */
- /* Check additional cache */
- result = dns_rdataset_getadditional(rdataset_base, additionaltype,
- type, client->view->acache, &zone,
- &cdb, &cversion, &cnode, &cfname,
- client->message, client->now);
- if (result != ISC_R_SUCCESS)
- goto findauthdb;
- if (zone == NULL) {
- CTRACE("query_addadditional2: auth zone not found");
- goto try_cache;
- }
- /* Is the cached DB up-to-date? */
- result = query_iscachevalid(zone, cdb, NULL, cversion);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_addadditional2: old auth additional cache");
- query_discardcache(client, rdataset_base, additionaltype,
- type, &zone, &cdb, &cversion, &cnode,
- &cfname);
- goto findauthdb;
- }
- if (cnode == NULL) {
- /*
- * We have a negative cache. We don't have to check the zone
- * ACL, since the result (not using this zone) would be same
- * regardless of the result.
- */
- CTRACE("query_addadditional2: negative auth additional cache");
- dns_db_closeversion(cdb, &cversion, ISC_FALSE);
- dns_db_detach(&cdb);
- dns_zone_detach(&zone);
- goto try_cache;
- }
- result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG,
- zone, cdb, NULL);
- if (result != ISC_R_SUCCESS) {
- query_discardcache(client, rdataset_base, additionaltype,
- type, &zone, &cdb, &cversion, &cnode,
- &cfname);
- goto try_cache;
- }
- /* We've got an active cache. */
- CTRACE("query_addadditional2: auth additional cache");
- dns_db_closeversion(cdb, &cversion, ISC_FALSE);
- db = cdb;
- node = cnode;
- dns_name_clone(&cfname, fname);
- query_keepname(client, fname, dbuf);
- goto foundcache;
- /*
- * Look for a zone database that might contain authoritative
- * additional data.
- */
- findauthdb:
- result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
- &zone, &db, &version);
- if (result != ISC_R_SUCCESS) {
- /* Cache the negative result */
- (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
- type, client->view->acache,
- NULL, NULL, NULL, NULL,
- NULL);
- goto try_cache;
- }
- CTRACE("query_addadditional2: db_find");
- /*
- * Since we are looking for authoritative data, we do not set
- * the GLUEOK flag. Glue will be looked for later, but not
- * necessarily in the same database.
- */
- node = NULL;
- result = dns_db_find(db, name, version, type, client->query.dboptions,
- client->now, &node, fname, NULL, NULL);
- if (result == ISC_R_SUCCESS)
- goto found;
- /* Cache the negative result */
- (void)dns_rdataset_setadditional(rdataset_base, additionaltype,
- type, client->view->acache, zone, db,
- version, NULL, fname);
- if (node != NULL)
- dns_db_detachnode(db, &node);
- version = NULL;
- dns_db_detach(&db);
- /*
- * No authoritative data was found. The cache is our next best bet.
- */
- try_cache:
- additionaltype = dns_rdatasetadditional_fromcache;
- result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
- if (result != ISC_R_SUCCESS)
- /*
- * Most likely the client isn't allowed to query the cache.
- */
- goto try_glue;
- result = dns_db_find(db, name, version, type,
- client->query.dboptions |
- DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK,
- client->now, &node, fname, NULL, NULL);
- if (result == ISC_R_SUCCESS)
- goto found;
- if (node != NULL)
- dns_db_detachnode(db, &node);
- dns_db_detach(&db);
- try_glue:
- /*
- * No cached data was found. Glue is our last chance.
- * RFC1035 sayeth:
- *
- * NS records cause both the usual additional section
- * processing to locate a type A record, and, when used
- * in a referral, a special search of the zone in which
- * they reside for glue information.
- *
- * This is the "special search". Note that we must search
- * the zone where the NS record resides, not the zone it
- * points to, and that we only do the search in the delegation
- * case (identified by client->query.gluedb being set).
- */
- if (client->query.gluedb == NULL)
- goto cleanup;
- /*
- * Don't poison caches using the bailiwick protection model.
- */
- if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
- goto cleanup;
- /* Check additional cache */
- additionaltype = dns_rdatasetadditional_fromglue;
- result = dns_rdataset_getadditional(rdataset_base, additionaltype,
- type, client->view->acache, NULL,
- &cdb, &cversion, &cnode, &cfname,
- client->message, client->now);
- if (result != ISC_R_SUCCESS)
- goto findglue;
- result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
- if (result != ISC_R_SUCCESS) {
- CTRACE("query_addadditional2: old glue additional cache");
- query_discardcache(client, rdataset_base, additionaltype,
- type, &zone, &cdb, &cversion, &cnode,
- &cfname);
- goto findglue;
- }
- if (cnode == NULL) {
- /* We have a negative cache. */
- CTRACE("query_addadditional2: negative glue additional cache");
- dns_db_closeversi…