]>
Commit | Line | Data |
---|---|---|
86c152f2 | 1 | /* |
6edbf68a PL |
2 | * This file is part of PowerDNS or dnsdist. |
3 | * Copyright -- PowerDNS.COM B.V. and its contributors | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of version 2 of the GNU General Public License as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * In addition, for the avoidance of any doubt, permission is granted to | |
10 | * link this program with OpenSSL and to (re)distribute the binaries | |
11 | * produced as the result of such linking. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
21 | */ | |
870a0fe4 AT |
22 | #ifdef HAVE_CONFIG_H |
23 | #include "config.h" | |
24 | #endif | |
fa8fd4d2 | 25 | |
86c152f2 | 26 | #include "arguments.hh" |
6dfff36f | 27 | #include "cachecleaner.hh" |
51e2144e | 28 | #include "dns_random.hh" |
6dfff36f RG |
29 | #include "dnsparser.hh" |
30 | #include "dnsrecords.hh" | |
376effcf | 31 | #include "ednssubnet.hh" |
6dfff36f RG |
32 | #include "logger.hh" |
33 | #include "lua-recursor4.hh" | |
ad42489c | 34 | #include "rec-lua-conf.hh" |
6dfff36f | 35 | #include "syncres.hh" |
1e332f68 | 36 | #include "dnsseckeeper.hh" |
4d2be65d | 37 | #include "validate-recursor.hh" |
6dfff36f | 38 | |
a712cb56 | 39 | thread_local SyncRes::ThreadLocalStorage SyncRes::t_sstorage; |
be9078b3 | 40 | thread_local std::unique_ptr<addrringbuf_t> t_timeouts; |
bb4bdbaf | 41 | |
3337c2f7 RG |
42 | std::unordered_set<DNSName> SyncRes::s_delegationOnly; |
43 | std::unique_ptr<NetmaskGroup> SyncRes::s_dontQuery{nullptr}; | |
2fe3354d CH |
44 | NetmaskGroup SyncRes::s_ednslocalsubnets; |
45 | NetmaskGroup SyncRes::s_ednsremotesubnets; | |
3337c2f7 | 46 | SuffixMatchNode SyncRes::s_ednsdomains; |
8a3a3822 | 47 | EDNSSubnetOpts SyncRes::s_ecsScopeZero; |
3337c2f7 RG |
48 | string SyncRes::s_serverID; |
49 | SyncRes::LogMode SyncRes::s_lm; | |
123da0f8 | 50 | const std::unordered_set<uint16_t> SyncRes::s_redirectionQTypes = {QType::CNAME, QType::DNAME}; |
3337c2f7 | 51 | |
a9af3782 | 52 | unsigned int SyncRes::s_maxnegttl; |
b9473937 | 53 | unsigned int SyncRes::s_maxbogusttl; |
c3e753c7 | 54 | unsigned int SyncRes::s_maxcachettl; |
3337c2f7 RG |
55 | unsigned int SyncRes::s_maxqperq; |
56 | unsigned int SyncRes::s_maxtotusec; | |
57 | unsigned int SyncRes::s_maxdepth; | |
58 | unsigned int SyncRes::s_minimumTTL; | |
5cf4b2e7 | 59 | unsigned int SyncRes::s_minimumECSTTL; |
1051f8a9 BH |
60 | unsigned int SyncRes::s_packetcachettl; |
61 | unsigned int SyncRes::s_packetcacheservfailttl; | |
628e2c7b PA |
62 | unsigned int SyncRes::s_serverdownmaxfails; |
63 | unsigned int SyncRes::s_serverdownthrottletime; | |
e7861cc4 | 64 | unsigned int SyncRes::s_ecscachelimitttl; |
e9a628a2 | 65 | std::atomic<uint64_t> SyncRes::s_authzonequeries; |
aebb81e4 | 66 | std::atomic<uint64_t> SyncRes::s_queries; |
67 | std::atomic<uint64_t> SyncRes::s_outgoingtimeouts; | |
68 | std::atomic<uint64_t> SyncRes::s_outgoing4timeouts; | |
69 | std::atomic<uint64_t> SyncRes::s_outgoing6timeouts; | |
70 | std::atomic<uint64_t> SyncRes::s_outqueries; | |
71 | std::atomic<uint64_t> SyncRes::s_tcpoutqueries; | |
72 | std::atomic<uint64_t> SyncRes::s_throttledqueries; | |
73 | std::atomic<uint64_t> SyncRes::s_dontqueries; | |
c701672a | 74 | std::atomic<uint64_t> SyncRes::s_qnameminfallbacksuccess; |
aebb81e4 | 75 | std::atomic<uint64_t> SyncRes::s_nodelegated; |
76 | std::atomic<uint64_t> SyncRes::s_unreachables; | |
d6923beb | 77 | std::atomic<uint64_t> SyncRes::s_ecsqueries; |
78 | std::atomic<uint64_t> SyncRes::s_ecsresponses; | |
c9783016 RG |
79 | std::map<uint8_t, std::atomic<uint64_t>> SyncRes::s_ecsResponsesBySubnetSize4; |
80 | std::map<uint8_t, std::atomic<uint64_t>> SyncRes::s_ecsResponsesBySubnetSize6; | |
81 | ||
e9f9b8ec RG |
82 | uint8_t SyncRes::s_ecsipv4limit; |
83 | uint8_t SyncRes::s_ecsipv6limit; | |
fd8898fb | 84 | uint8_t SyncRes::s_ecsipv4cachelimit; |
85 | uint8_t SyncRes::s_ecsipv6cachelimit; | |
ed9019c9 | 86 | |
996c89cc | 87 | bool SyncRes::s_doIPv6; |
1051f8a9 | 88 | bool SyncRes::s_nopacketcache; |
01402d56 | 89 | bool SyncRes::s_rootNXTrust; |
3337c2f7 | 90 | bool SyncRes::s_noEDNS; |
116d1288 | 91 | bool SyncRes::s_qnameminimization; |
d40a915b | 92 | SyncRes::HardenNXD SyncRes::s_hardenNXD; |
c836dc19 | 93 | |
e6a9dde5 | 94 | #define LOG(x) if(d_lm == Log) { g_log <<Logger::Warning << x; } else if(d_lm == Store) { d_trace << x; } |
728485ca | 95 | |
69cbdef9 | 96 | static void accountAuthLatency(int usec, int family) |
11adfdd3 | 97 | { |
7b75810e | 98 | if(family == AF_INET) { |
99 | if(usec < 1000) | |
100 | g_stats.auth4Answers0_1++; | |
101 | else if(usec < 10000) | |
102 | g_stats.auth4Answers1_10++; | |
103 | else if(usec < 100000) | |
104 | g_stats.auth4Answers10_100++; | |
105 | else if(usec < 1000000) | |
106 | g_stats.auth4Answers100_1000++; | |
107 | else | |
108 | g_stats.auth4AnswersSlow++; | |
109 | } else { | |
110 | if(usec < 1000) | |
111 | g_stats.auth6Answers0_1++; | |
112 | else if(usec < 10000) | |
113 | g_stats.auth6Answers1_10++; | |
114 | else if(usec < 100000) | |
115 | g_stats.auth6Answers10_100++; | |
116 | else if(usec < 1000000) | |
117 | g_stats.auth6Answers100_1000++; | |
118 | else | |
119 | g_stats.auth6AnswersSlow++; | |
120 | } | |
121 | ||
11adfdd3 | 122 | } |
123 | ||
4465e941 | 124 | |
14d9aade | 125 | SyncRes::SyncRes(const struct timeval& now) : d_authzonequeries(0), d_outqueries(0), d_tcpoutqueries(0), d_throttledqueries(0), d_timeouts(0), d_unreachables(0), |
30ee601a | 126 | d_totUsec(0), d_now(now), |
116d1288 OM |
127 | d_cacheonly(false), d_doDNSSEC(false), d_doEDNS0(false), d_qNameMinimization(s_qnameminimization), d_lm(s_lm) |
128 | ||
129 | { | |
ac0e821b BH |
130 | } |
131 | ||
728485ca | 132 | /** everything begins here - this is the entry point just after receiving a packet */ |
e325f20c | 133 | int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qclass, vector<DNSRecord>&ret) |
728485ca | 134 | { |
4d2be65d | 135 | vState state = Indeterminate; |
c836dc19 | 136 | s_queries++; |
3762e821 | 137 | d_wasVariable=false; |
9fc36e90 | 138 | d_wasOutOfBand=false; |
710af846 | 139 | |
4d2be65d | 140 | if (doSpecialNamesResolve(qname, qtype, qclass, ret)) { |
d04ac108 | 141 | d_queryValidationState = Insecure; // this could fool our stats into thinking a validation took place |
142 | return 0; // so do check before updating counters (we do now) | |
4d2be65d | 143 | } |
db50a7f4 | 144 | |
25e654f7 RG |
145 | auto qtypeCode = qtype.getCode(); |
146 | /* rfc6895 section 3.1 */ | |
147 | if ((qtypeCode >= 128 && qtypeCode <= 254) || qtypeCode == QType::RRSIG || qtypeCode == QType::NSEC3 || qtypeCode == QType::OPT || qtypeCode == 65535) { | |
693dbe65 | 148 | return -1; |
3f8a73d6 | 149 | } |
710af846 | 150 | |
db50a7f4 PL |
151 | if(qclass==QClass::ANY) |
152 | qclass=QClass::IN; | |
153 | else if(qclass!=QClass::IN) | |
154 | return -1; | |
8171ab83 | 155 | |
db50a7f4 | 156 | set<GetBestNSAnswer> beenthere; |
51b6b728 | 157 | int res=doResolve(qname, qtype, ret, 0, beenthere, state); |
4d2be65d | 158 | d_queryValidationState = state; |
0c43f455 | 159 | |
e1636f82 | 160 | if (shouldValidate()) { |
3b54c577 | 161 | if (d_queryValidationState != Indeterminate) { |
162 | g_stats.dnssecValidations++; | |
163 | } | |
0c43f455 RG |
164 | increaseDNSSECStateCounter(d_queryValidationState); |
165 | } | |
166 | ||
db50a7f4 PL |
167 | return res; |
168 | } | |
169 | ||
170 | /*! Handles all special, built-in names | |
171 | * Fills ret with an answer and returns true if it handled the query. | |
172 | * | |
d03c1b70 | 173 | * Handles the following queries (and their ANY variants): |
db50a7f4 PL |
174 | * |
175 | * - localhost. IN A | |
176 | * - localhost. IN AAAA | |
177 | * - 1.0.0.127.in-addr.arpa. IN PTR | |
178 | * - 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. IN PTR | |
179 | * - version.bind. CH TXT | |
180 | * - version.pdns. CH TXT | |
181 | * - id.server. CH TXT | |
c1d92d73 | 182 | * - trustanchor.server CH TXT |
0b7de4d7 | 183 | * - negativetrustanchor.server CH TXT |
db50a7f4 | 184 | */ |
6dfff36f | 185 | bool SyncRes::doSpecialNamesResolve(const DNSName &qname, const QType &qtype, const uint16_t qclass, vector<DNSRecord> &ret) |
db50a7f4 PL |
186 | { |
187 | static const DNSName arpa("1.0.0.127.in-addr.arpa."), ip6_arpa("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."), | |
0b7de4d7 PL |
188 | localhost("localhost."), versionbind("version.bind."), idserver("id.server."), versionpdns("version.pdns."), trustanchorserver("trustanchor.server."), |
189 | negativetrustanchorserver("negativetrustanchor.server."); | |
db50a7f4 PL |
190 | |
191 | bool handled = false; | |
d03c1b70 | 192 | vector<pair<QType::typeenum, string> > answers; |
db50a7f4 | 193 | |
d03c1b70 PL |
194 | if ((qname == arpa || qname == ip6_arpa) && |
195 | qclass == QClass::IN) { | |
db50a7f4 | 196 | handled = true; |
d03c1b70 PL |
197 | if (qtype == QType::PTR || qtype == QType::ANY) |
198 | answers.push_back({QType::PTR, "localhost."}); | |
db50a7f4 PL |
199 | } |
200 | ||
d03c1b70 PL |
201 | if (qname == localhost && |
202 | qclass == QClass::IN) { | |
db50a7f4 | 203 | handled = true; |
d03c1b70 PL |
204 | if (qtype == QType::A || qtype == QType::ANY) |
205 | answers.push_back({QType::A, "127.0.0.1"}); | |
206 | if (qtype == QType::AAAA || qtype == QType::ANY) | |
207 | answers.push_back({QType::AAAA, "::1"}); | |
db50a7f4 PL |
208 | } |
209 | ||
d03c1b70 PL |
210 | if ((qname == versionbind || qname == idserver || qname == versionpdns) && |
211 | qclass == QClass::CHAOS) { | |
db50a7f4 | 212 | handled = true; |
d03c1b70 PL |
213 | if (qtype == QType::TXT || qtype == QType::ANY) { |
214 | if(qname == versionbind || qname == versionpdns) | |
215 | answers.push_back({QType::TXT, "\""+::arg()["version-string"]+"\""}); | |
950626be | 216 | else if (s_serverID != "disabled") |
d03c1b70 PL |
217 | answers.push_back({QType::TXT, "\""+s_serverID+"\""}); |
218 | } | |
31ad43ab BH |
219 | } |
220 | ||
c1d92d73 PL |
221 | if (qname == trustanchorserver && qclass == QClass::CHAOS && |
222 | ::arg().mustDo("allow-trust-anchor-query")) { | |
223 | handled = true; | |
224 | if (qtype == QType::TXT || qtype == QType::ANY) { | |
225 | auto luaLocal = g_luaconfs.getLocal(); | |
226 | for (auto const &dsAnchor : luaLocal->dsAnchors) { | |
227 | ostringstream ans; | |
228 | ans<<"\""; | |
229 | ans<<dsAnchor.first.toString(); // Explicit toString to have a trailing dot | |
230 | for (auto const &dsRecord : dsAnchor.second) { | |
231 | ans<<" "; | |
232 | ans<<dsRecord.d_tag; | |
233 | } | |
234 | ans << "\""; | |
235 | answers.push_back({QType::TXT, ans.str()}); | |
236 | } | |
237 | } | |
238 | } | |
239 | ||
0b7de4d7 PL |
240 | if (qname == negativetrustanchorserver && qclass == QClass::CHAOS && |
241 | ::arg().mustDo("allow-trust-anchor-query")) { | |
242 | handled = true; | |
243 | if (qtype == QType::TXT || qtype == QType::ANY) { | |
244 | auto luaLocal = g_luaconfs.getLocal(); | |
245 | for (auto const &negAnchor : luaLocal->negAnchors) { | |
246 | ostringstream ans; | |
247 | ans<<"\""; | |
248 | ans<<negAnchor.first.toString(); // Explicit toString to have a trailing dot | |
249 | if (negAnchor.second.length()) | |
250 | ans<<" "<<negAnchor.second; | |
251 | ans << "\""; | |
252 | answers.push_back({QType::TXT, ans.str()}); | |
253 | } | |
254 | } | |
255 | } | |
256 | ||
d03c1b70 | 257 | if (handled && !answers.empty()) { |
a9af3782 | 258 | ret.clear(); |
db50a7f4 PL |
259 | d_wasOutOfBand=true; |
260 | ||
e325f20c | 261 | DNSRecord dr; |
db50a7f4 | 262 | dr.d_name = qname; |
e693ff5a | 263 | dr.d_place = DNSResourceRecord::ANSWER; |
db50a7f4 PL |
264 | dr.d_class = qclass; |
265 | dr.d_ttl = 86400; | |
d03c1b70 PL |
266 | for (const auto& ans : answers) { |
267 | dr.d_type = ans.first; | |
6177a176 | 268 | dr.d_content = DNSRecordContent::mastermake(ans.first, qclass, ans.second); |
d03c1b70 PL |
269 | ret.push_back(dr); |
270 | } | |
a9af3782 | 271 | } |
710af846 | 272 | |
db50a7f4 | 273 | return handled; |
728485ca | 274 | } |
afbe2787 | 275 | |
db50a7f4 | 276 | |
ab5c053d | 277 | //! This is the 'out of band resolver', in other words, the authoritative server |
3337c2f7 | 278 | void SyncRes::AuthDomain::addSOA(std::vector<DNSRecord>& records) const |
e93c956b | 279 | { |
3337c2f7 RG |
280 | SyncRes::AuthDomain::records_t::const_iterator ziter = d_records.find(boost::make_tuple(getName(), QType::SOA)); |
281 | if (ziter != d_records.end()) { | |
282 | DNSRecord dr = *ziter; | |
283 | dr.d_place = DNSResourceRecord::AUTHORITY; | |
284 | records.push_back(dr); | |
5605c067 | 285 | } |
3337c2f7 RG |
286 | else { |
287 | // cerr<<qname<<": can't find SOA record '"<<getName()<<"' in our zone!"<<endl; | |
288 | } | |
289 | } | |
5605c067 | 290 | |
3337c2f7 RG |
291 | int SyncRes::AuthDomain::getRecords(const DNSName& qname, uint16_t qtype, std::vector<DNSRecord>& records) const |
292 | { | |
293 | int result = RCode::NoError; | |
294 | records.clear(); | |
5605c067 | 295 | |
3337c2f7 RG |
296 | // partial lookup |
297 | std::pair<records_t::const_iterator,records_t::const_iterator> range = d_records.equal_range(tie(qname)); | |
298 | ||
299 | SyncRes::AuthDomain::records_t::const_iterator ziter; | |
300 | bool somedata = false; | |
301 | ||
302 | for(ziter = range.first; ziter != range.second; ++ziter) { | |
303 | somedata = true; | |
304 | ||
305 | if(qtype == QType::ANY || ziter->d_type == qtype || ziter->d_type == QType::CNAME) { | |
306 | // let rest of nameserver do the legwork on this one | |
307 | records.push_back(*ziter); | |
308 | } | |
309 | else if (ziter->d_type == QType::NS && ziter->d_name.countLabels() > getName().countLabels()) { | |
310 | // we hit a delegation point! | |
311 | DNSRecord dr = *ziter; | |
39eb8051 | 312 | dr.d_place=DNSResourceRecord::AUTHORITY; |
3337c2f7 | 313 | records.push_back(dr); |
39eb8051 | 314 | } |
5605c067 | 315 | } |
3337c2f7 RG |
316 | |
317 | if (!records.empty()) { | |
318 | /* We have found an exact match, we're done */ | |
319 | // cerr<<qname<<": exact match in zone '"<<getName()<<"'"<<endl; | |
320 | return result; | |
5605c067 | 321 | } |
3337c2f7 RG |
322 | |
323 | if (somedata) { | |
324 | /* We have records for that name, but not of the wanted qtype */ | |
325 | // cerr<<qname<<": found record in '"<<getName()<<"', but nothing of the right type, sending SOA"<<endl; | |
326 | addSOA(records); | |
327 | ||
328 | return result; | |
9e9844e2 | 329 | } |
5605c067 | 330 | |
3337c2f7 | 331 | // cerr<<qname<<": nothing found so far in '"<<getName()<<"', trying wildcards"<<endl; |
c5c066bf | 332 | DNSName wcarddomain(qname); |
3337c2f7 RG |
333 | while(wcarddomain != getName() && wcarddomain.chopOff()) { |
334 | // cerr<<qname<<": trying '*."<<wcarddomain<<"' in "<<getName()<<endl; | |
335 | range = d_records.equal_range(boost::make_tuple(g_wildcarddnsname + wcarddomain)); | |
336 | if (range.first==range.second) | |
0d1e259a BH |
337 | continue; |
338 | ||
3337c2f7 RG |
339 | for(ziter = range.first; ziter != range.second; ++ziter) { |
340 | DNSRecord dr = *ziter; | |
0f05b02b | 341 | // if we hit a CNAME, just answer that - rest of recursor will do the needful & follow |
3337c2f7 | 342 | if(dr.d_type == qtype || qtype == QType::ANY || dr.d_type == QType::CNAME) { |
e325f20c | 343 | dr.d_name = qname; |
3337c2f7 RG |
344 | dr.d_place = DNSResourceRecord::ANSWER; |
345 | records.push_back(dr); | |
0d1e259a BH |
346 | } |
347 | } | |
3337c2f7 RG |
348 | |
349 | if (records.empty()) { | |
350 | addSOA(records); | |
351 | } | |
352 | ||
353 | // cerr<<qname<<": in '"<<getName()<<"', had wildcard match on '*."<<wcarddomain<<"'"<<endl; | |
354 | return result; | |
0d1e259a BH |
355 | } |
356 | ||
3337c2f7 | 357 | /* Nothing for this name, no wildcard, let's see if there is some NS */ |
c5c066bf | 358 | DNSName nsdomain(qname); |
3337c2f7 RG |
359 | while (nsdomain.chopOff() && nsdomain != getName()) { |
360 | range = d_records.equal_range(boost::make_tuple(nsdomain,QType::NS)); | |
361 | if(range.first == range.second) | |
5605c067 BH |
362 | continue; |
363 | ||
3337c2f7 RG |
364 | for(ziter = range.first; ziter != range.second; ++ziter) { |
365 | DNSRecord dr = *ziter; | |
366 | dr.d_place = DNSResourceRecord::AUTHORITY; | |
367 | records.push_back(dr); | |
5605c067 BH |
368 | } |
369 | } | |
3337c2f7 RG |
370 | |
371 | if(records.empty()) { | |
372 | // cerr<<qname<<": no NS match in zone '"<<getName()<<"' either, handing out SOA"<<endl; | |
373 | addSOA(records); | |
374 | result = RCode::NXDomain; | |
5605c067 | 375 | } |
5605c067 | 376 | |
3337c2f7 RG |
377 | return result; |
378 | } | |
379 | ||
f7b8cffa | 380 | bool SyncRes::doOOBResolve(const AuthDomain& domain, const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, int& res) |
3337c2f7 | 381 | { |
f7b8cffa | 382 | d_authzonequeries++; |
e9a628a2 | 383 | s_authzonequeries++; |
f7b8cffa | 384 | |
3337c2f7 | 385 | res = domain.getRecords(qname, qtype.getCode(), ret); |
9e9844e2 | 386 | return true; |
e93c956b BH |
387 | } |
388 | ||
3337c2f7 RG |
389 | bool SyncRes::doOOBResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int& res) |
390 | { | |
391 | string prefix; | |
392 | if(doLog()) { | |
393 | prefix=d_prefix; | |
394 | prefix.append(depth, ' '); | |
395 | } | |
396 | ||
397 | DNSName authdomain(qname); | |
398 | domainmap_t::const_iterator iter=getBestAuthZone(&authdomain); | |
399 | if(iter==t_sstorage.domainmap->end() || !iter->second.isAuth()) { | |
400 | LOG(prefix<<qname<<": auth storage has no zone for this query!"<<endl); | |
401 | return false; | |
402 | } | |
403 | ||
404 | LOG(prefix<<qname<<": auth storage has data, zone='"<<authdomain<<"'"<<endl); | |
405 | return doOOBResolve(iter->second, qname, qtype, ret, res); | |
406 | } | |
407 | ||
8949a3e0 OM |
408 | bool SyncRes::isForwardOrAuth(const DNSName &qname) const { |
409 | DNSName authname(qname); | |
410 | domainmap_t::const_iterator iter = getBestAuthZone(&authname); | |
411 | return iter != t_sstorage.domainmap->end(); | |
412 | } | |
413 | ||
addde5c1 | 414 | uint64_t SyncRes::doEDNSDump(int fd) |
ff1872cf | 415 | { |
a3284c1a OM |
416 | int newfd = dup(fd); |
417 | if (newfd == -1) { | |
418 | return 0; | |
419 | } | |
420 | auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(newfd, "w"), fclose); | |
a82f68f0 | 421 | if (!fp) { |
a3284c1a | 422 | close(newfd); |
addde5c1 | 423 | return 0; |
a82f68f0 | 424 | } |
addde5c1 | 425 | uint64_t count = 0; |
426 | ||
5e1f23ca | 427 | fprintf(fp.get(),"; edns from thread follows\n;\n"); |
a712cb56 | 428 | for(const auto& eds : t_sstorage.ednsstatus) { |
addde5c1 | 429 | count++; |
f0dbdd62 | 430 | char tmp[26]; |
b9715061 | 431 | fprintf(fp.get(), "%s\t%d\t%s", eds.address.toString().c_str(), (int)eds.mode, ctime_r(&eds.modeSetAt, tmp)); |
ff1872cf | 432 | } |
addde5c1 | 433 | return count; |
ff1872cf BH |
434 | } |
435 | ||
9065eb05 RG |
436 | uint64_t SyncRes::doDumpNSSpeeds(int fd) |
437 | { | |
a3284c1a OM |
438 | int newfd = dup(fd); |
439 | if (newfd == -1) { | |
9065eb05 | 440 | return 0; |
a3284c1a OM |
441 | } |
442 | auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(newfd, "w"), fclose); | |
443 | if (!fp) { | |
444 | close(newfd); | |
445 | return 0; | |
446 | } | |
5e1f23ca | 447 | fprintf(fp.get(), "; nsspeed dump from thread follows\n;\n"); |
9065eb05 RG |
448 | uint64_t count=0; |
449 | ||
a712cb56 | 450 | for(const auto& i : t_sstorage.nsSpeeds) |
9065eb05 RG |
451 | { |
452 | count++; | |
a2d65f83 | 453 | |
454 | // an <empty> can appear hear in case of authoritative (hosted) zones | |
5e1f23ca | 455 | fprintf(fp.get(), "%s -> ", i.first.toLogString().c_str()); |
9065eb05 RG |
456 | for(const auto& j : i.second.d_collection) |
457 | { | |
458 | // typedef vector<pair<ComboAddress, DecayingEwma> > collection_t; | |
5e1f23ca | 459 | fprintf(fp.get(), "%s/%f ", j.first.toString().c_str(), j.second.peek()); |
9065eb05 | 460 | } |
5e1f23ca | 461 | fprintf(fp.get(), "\n"); |
9065eb05 | 462 | } |
9065eb05 RG |
463 | return count; |
464 | } | |
465 | ||
c1e20fba | 466 | uint64_t SyncRes::doDumpThrottleMap(int fd) |
467 | { | |
a3284c1a OM |
468 | int newfd = dup(fd); |
469 | if (newfd == -1) { | |
470 | return 0; | |
471 | } | |
472 | auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(newfd, "w"), fclose); | |
473 | if (!fp) { | |
474 | close(newfd); | |
c1e20fba | 475 | return 0; |
a3284c1a | 476 | } |
5e1f23ca RG |
477 | fprintf(fp.get(), "; throttle map dump follows\n"); |
478 | fprintf(fp.get(), "; remote IP\tqname\tqtype\tcount\tttd\n"); | |
c1e20fba | 479 | uint64_t count=0; |
480 | ||
96e2f64f | 481 | const auto& throttleMap = t_sstorage.throttle.getThrottleMap(); |
b9715061 | 482 | for(const auto i : throttleMap) |
c1e20fba | 483 | { |
484 | count++; | |
f0dbdd62 | 485 | char tmp[26]; |
96e2f64f | 486 | // remote IP, dns name, qtype, count, ttd |
b9715061 | 487 | fprintf(fp.get(), "%s\t%s\t%d\t%u\t%s", i.thing.get<0>().toString().c_str(), i.thing.get<1>().toLogString().c_str(), i.thing.get<2>(), i.count, ctime_r(&i.ttd, tmp)); |
c1e20fba | 488 | } |
5e1f23ca | 489 | |
c1e20fba | 490 | return count; |
491 | } | |
492 | ||
60e5208a OM |
493 | uint64_t SyncRes::doDumpFailedServers(int fd) |
494 | { | |
a3284c1a OM |
495 | int newfd = dup(fd); |
496 | if (newfd == -1) { | |
60e5208a | 497 | return 0; |
a3284c1a OM |
498 | } |
499 | auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(newfd, "w"), fclose); | |
500 | if (!fp) { | |
501 | close(newfd); | |
502 | return 0; | |
503 | } | |
60e5208a OM |
504 | fprintf(fp.get(), "; failed servers dump follows\n"); |
505 | fprintf(fp.get(), "; remote IP\tcount\ttimestamp\n"); | |
506 | uint64_t count=0; | |
507 | ||
508 | for(const auto& i : t_sstorage.fails.getMap()) | |
509 | { | |
510 | count++; | |
511 | char tmp[26]; | |
b9715061 OM |
512 | ctime_r(&i.last, tmp); |
513 | fprintf(fp.get(), "%s\t%lld\t%s", i.address.toString().c_str(), | |
514 | static_cast<long long>(i.value), tmp); | |
60e5208a OM |
515 | } |
516 | ||
517 | return count; | |
518 | } | |
519 | ||
9d534f2a | 520 | /* so here is the story. First we complete the full resolution process for a domain name. And only THEN do we decide |
521 | to also do DNSSEC validation, which leads to new queries. To make this simple, we *always* ask for DNSSEC records | |
522 | so that if there are RRSIGs for a name, we'll have them. | |
523 | ||
524 | However, some hosts simply can't answer questions which ask for DNSSEC. This can manifest itself as: | |
525 | * No answer | |
526 | * FormErr | |
527 | * Nonsense answer | |
528 | ||
529 | The cause of "No answer" may be fragmentation, and it is tempting to probe if smaller answers would get through. | |
530 | Another cause of "No answer" may simply be a network condition. | |
531 | Nonsense answers are a clearer indication this host won't be able to do DNSSEC evah. | |
532 | ||
533 | Previous implementations have suffered from turning off DNSSEC questions for an authoritative server based on timeouts. | |
534 | A clever idea is to only turn off DNSSEC if we know a domain isn't signed anyhow. The problem with that really | |
535 | clever idea however is that at this point in PowerDNS, we may simply not know that yet. All the DNSSEC thinking happens | |
536 | elsewhere. It may not have happened yet. | |
537 | ||
538 | For now this means we can't be clever, but will turn off DNSSEC if you reply with FormError or gibberish. | |
539 | */ | |
540 | ||
6de48f75 | 541 | int SyncRes::asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, const DNSName& auth, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res, bool* chained) const |
81883dcc BH |
542 | { |
543 | /* what is your QUEST? | |
57769f13 | 544 | the goal is to get as many remotes as possible on the highest level of EDNS support |
81883dcc BH |
545 | The levels are: |
546 | ||
81883dcc | 547 | 0) UNKNOWN Unknown state |
57769f13 | 548 | 1) EDNS: Honors EDNS0 |
549 | 2) EDNSIGNORANT: Ignores EDNS0, gives replies without EDNS0 | |
269ac73d | 550 | 3) NOEDNS: Generates FORMERR on EDNS queries |
81883dcc BH |
551 | |
552 | Everybody starts out assumed to be '0'. | |
57769f13 | 553 | If '0', send out EDNS0 |
554 | If you FORMERR us, go to '3', | |
555 | If no EDNS in response, go to '2' | |
556 | If '1', send out EDNS0 | |
557 | If FORMERR, downgrade to 3 | |
558 | If '2', keep on including EDNS0, see what happens | |
81883dcc | 559 | Same behaviour as 0 |
57769f13 | 560 | If '3', send bare queries |
81883dcc BH |
561 | */ |
562 | ||
b9715061 OM |
563 | auto ednsstatus = t_sstorage.ednsstatus.insert(ip).first; // does this include port? YES |
564 | auto &ind = t_sstorage.ednsstatus.get<ComboAddress>(); | |
90e8ea71 | 565 | if (ednsstatus->modeSetAt && ednsstatus->modeSetAt + 3600 < d_now.tv_sec) { |
b9715061 | 566 | t_sstorage.ednsstatus.reset(ind, ednsstatus); |
77499b05 | 567 | // cerr<<"Resetting EDNS Status for "<<ip.toString()<<endl); |
81883dcc BH |
568 | } |
569 | ||
b9715061 OM |
570 | const SyncRes::EDNSStatus::EDNSMode *mode = &ednsstatus->mode; |
571 | const SyncRes::EDNSStatus::EDNSMode oldmode = *mode; | |
fe61f5d8 | 572 | int EDNSLevel = 0; |
4898a348 RG |
573 | auto luaconfsLocal = g_luaconfs.getLocal(); |
574 | ResolveContext ctx; | |
575 | #ifdef HAVE_PROTOBUF | |
576 | ctx.d_initialRequestId = d_initialRequestId; | |
577 | #endif | |
6de48f75 OM |
578 | #ifdef HAVE_FSTRM |
579 | ctx.d_auth = auth; | |
580 | #endif | |
81883dcc BH |
581 | |
582 | int ret; | |
ff1872cf | 583 | for(int tries = 0; tries < 3; ++tries) { |
e325f20c | 584 | // cerr<<"Remote '"<<ip.toString()<<"' currently in mode "<<mode<<endl; |
57769f13 | 585 | |
90e8ea71 | 586 | if (*mode == EDNSStatus::NOEDNS) { |
81883dcc | 587 | g_stats.noEdnsOutQueries++; |
9d534f2a | 588 | EDNSLevel = 0; // level != mode |
81883dcc | 589 | } |
90e8ea71 | 590 | else if (ednsMANDATORY || *mode == EDNSStatus::UNKNOWN || *mode == EDNSStatus::EDNSOK || *mode == EDNSStatus::EDNSIGNORANT) |
9d534f2a | 591 | EDNSLevel = 1; |
30ee601a | 592 | |
c1c29961 PL |
593 | DNSName sendQname(domain); |
594 | if (g_lowercaseOutgoing) | |
595 | sendQname.makeUsLowerCase(); | |
596 | ||
30ee601a | 597 | if (d_asyncResolve) { |
0bd2e252 | 598 | ret = d_asyncResolve(ip, sendQname, type, doTCP, sendRDQuery, EDNSLevel, now, srcmask, ctx, res, chained); |
30ee601a RG |
599 | } |
600 | else { | |
b9fa43e0 | 601 | ret=asyncresolve(ip, sendQname, type, doTCP, sendRDQuery, EDNSLevel, now, srcmask, ctx, d_outgoingProtobufServers, d_frameStreamServers, luaconfsLocal->outgoingProtobufExportConfig.exportTypes, res, chained); |
30ee601a | 602 | } |
90e8ea71 | 603 | // ednsstatus might be cleared, so do a new lookup |
b9715061 | 604 | ednsstatus = t_sstorage.ednsstatus.insert(ip).first; |
90e8ea71 | 605 | mode = &ednsstatus->mode; |
9d534f2a | 606 | if(ret < 0) { |
607 | return ret; // transport error, nothing to learn here | |
608 | } | |
57769f13 | 609 | |
9d534f2a | 610 | if(ret == 0) { // timeout, not doing anything with it now |
81883dcc BH |
611 | return ret; |
612 | } | |
90e8ea71 | 613 | else if (*mode == EDNSStatus::UNKNOWN || *mode == EDNSStatus::EDNSOK || *mode == EDNSStatus::EDNSIGNORANT ) { |
27ae17df | 614 | if(res->d_validpacket && !res->d_haveEDNS && res->d_rcode == RCode::FormErr) { |
2189085d | 615 | // cerr<<"Downgrading to NOEDNS because of "<<RCode::to_s(res->d_rcode)<<" for query to "<<ip.toString()<<" for '"<<domain<<"'"<<endl; |
b9715061 | 616 | t_sstorage.ednsstatus.setMode(ind, ednsstatus, EDNSStatus::NOEDNS); |
4957a608 | 617 | continue; |
81883dcc | 618 | } |
81883dcc | 619 | else if(!res->d_haveEDNS) { |
90e8ea71 | 620 | if (*mode != EDNSStatus::EDNSIGNORANT) { |
b9715061 | 621 | t_sstorage.ednsstatus.setMode(ind, ednsstatus, EDNSStatus::EDNSIGNORANT); |
269ac73d | 622 | // cerr<<"We find that "<<ip.toString()<<" is an EDNS-ignorer for '"<<domain<<"', moving to mode 2"<<endl; |
57769f13 | 623 | } |
81883dcc | 624 | } |
57769f13 | 625 | else { |
b9715061 | 626 | t_sstorage.ednsstatus.setMode(ind, ednsstatus, EDNSStatus::EDNSOK); |
e325f20c | 627 | // cerr<<"We find that "<<ip.toString()<<" is EDNS OK!"<<endl; |
81883dcc | 628 | } |
57769f13 | 629 | |
81883dcc | 630 | } |
90e8ea71 | 631 | if (oldmode != *mode || !ednsstatus->modeSetAt) |
b9715061 | 632 | t_sstorage.ednsstatus.setTS(ind, ednsstatus, d_now.tv_sec); |
e325f20c | 633 | // cerr<<"Result: ret="<<ret<<", EDNS-level: "<<EDNSLevel<<", haveEDNS: "<<res->d_haveEDNS<<", new mode: "<<mode<<endl; |
81883dcc BH |
634 | return ret; |
635 | } | |
636 | return ret; | |
637 | } | |
638 | ||
116d1288 OM |
639 | #define QLOG(x) LOG(prefix << " child=" << child << ": " << x << endl) |
640 | ||
641 | int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere, vState& state) { | |
642 | ||
8949a3e0 | 643 | if (!getQNameMinimization() || isForwardOrAuth(qname)) { |
116d1288 OM |
644 | return doResolveNoQNameMinimization(qname, qtype, ret, depth, beenthere, state); |
645 | } | |
646 | ||
647 | // The qname minimization algorithm is a simplified version of the one in RFC 7816 (bis). | |
648 | // It could be simplified because the cache maintenance (both positive and negative) | |
649 | // is already done by doResolveNoQNameMinimization(). | |
650 | // | |
651 | // Sketch of algorithm: | |
652 | // Check cache | |
653 | // If result found: done | |
654 | // Otherwise determine closes ancestor from cache data | |
655 | // Repeat querying A, adding more labels of the original qname | |
656 | // If we get a delegation continue at ancestor determination | |
657 | // Until we have the full name. | |
658 | // | |
659 | // The algorithm starts with adding a single label per iteration, and | |
660 | // moves to three labels per iteration after three iterations. | |
661 | ||
662 | DNSName child; | |
663 | string prefix = d_prefix; | |
664 | prefix.append(depth, ' '); | |
665 | prefix.append(string("QM ") + qname.toString() + "|" + qtype.getName()); | |
666 | ||
667 | QLOG("doResolve"); | |
668 | ||
669 | // Look in cache only | |
670 | vector<DNSRecord> retq; | |
671 | bool old = setCacheOnly(true); | |
672 | bool fromCache = false; | |
673 | int res = doResolveNoQNameMinimization(qname, qtype, retq, depth + 1, beenthere, state, &fromCache); | |
674 | setCacheOnly(old); | |
675 | if (fromCache) { | |
676 | QLOG("Step0 Found in cache"); | |
677 | ret.insert(ret.end(), retq.begin(), retq.end()); | |
678 | return res; | |
679 | } | |
680 | QLOG("Step0 Not cached"); | |
681 | ||
682 | const unsigned int qnamelen = qname.countLabels(); | |
683 | ||
684 | for (unsigned int i = 0; i <= qnamelen; ) { | |
685 | ||
686 | // Step 1 | |
687 | vector<DNSRecord> bestns; | |
688 | // the two retries allow getBestNSFromCache&co to reprime the root | |
689 | // hints, in case they ever go missing | |
690 | for (int tries = 0; tries < 2 && bestns.empty(); ++tries) { | |
691 | bool flawedNSSet = false; | |
692 | set<GetBestNSAnswer> beenthereIgnored; | |
693 | getBestNSFromCache(qname, qtype, bestns, &flawedNSSet, depth + 1, beenthereIgnored); | |
694 | } | |
239c8386 OM |
695 | |
696 | if (bestns.size() == 0) { | |
697 | // Something terrible is wrong | |
116d1288 OM |
698 | QLOG("Step1 No ancestor found return ServFail"); |
699 | return RCode::ServFail; | |
700 | } | |
701 | ||
239c8386 OM |
702 | const DNSName& ancestor(bestns[0].d_name); |
703 | QLOG("Step1 Ancestor from cache is " << ancestor.toString()); | |
116d1288 OM |
704 | child = ancestor; |
705 | ||
706 | unsigned int targetlen = std::min(child.countLabels() + (i > 3 ? 3 : 1), qnamelen); | |
707 | ||
708 | for (; i <= qnamelen; i++) { | |
709 | // Step 2 | |
710 | while (child.countLabels() < targetlen) { | |
711 | child.prependRawLabel(qname.getRawLabel(qnamelen - child.countLabels() - 1)); | |
712 | } | |
713 | targetlen += i > 3 ? 3 : 1; | |
714 | targetlen = std::min(targetlen, qnamelen); | |
715 | ||
716 | QLOG("Step2 New child"); | |
717 | ||
718 | // Step 3 resolve | |
719 | if (child == qname) { | |
720 | QLOG("Step3 Going to do final resolve"); | |
721 | res = doResolveNoQNameMinimization(qname, qtype, ret, depth + 1, beenthere, state); | |
239c8386 | 722 | QLOG("Step3 Final resolve: " << RCode::to_s(res) << "/" << ret.size()); |
116d1288 OM |
723 | return res; |
724 | } | |
725 | ||
726 | // Step 6 | |
727 | QLOG("Step4 Resolve A for child"); | |
728 | retq.resize(0); | |
729 | StopAtDelegation stopAtDelegation = Stop; | |
730 | res = doResolveNoQNameMinimization(child, QType::A, retq, depth + 1, beenthere, state, NULL, &stopAtDelegation); | |
731 | QLOG("Step4 Resolve A result is " << RCode::to_s(res) << "/" << retq.size() << "/" << stopAtDelegation); | |
732 | if (stopAtDelegation == Stopped) { | |
733 | QLOG("Delegation seen, continue at step 1"); | |
734 | break; | |
735 | } | |
124dd1d4 | 736 | |
116d1288 OM |
737 | if (res != RCode::NoError) { |
738 | // Case 5: unexpected answer | |
739 | QLOG("Step5: other rcode, last effort final resolve"); | |
740 | setQNameMinimization(false); | |
741 | res = doResolveNoQNameMinimization(qname, qtype, ret, depth + 1, beenthere, state); | |
c701672a | 742 | |
743 | if(res == RCode::NoError) { | |
744 | s_qnameminfallbacksuccess++; | |
745 | } | |
746 | ||
239c8386 | 747 | QLOG("Step5 End resolve: " << RCode::to_s(res) << "/" << ret.size()); |
116d1288 OM |
748 | return res; |
749 | } | |
750 | } | |
751 | } | |
752 | ||
753 | // Should not be reached | |
754 | QLOG("Max iterations reached, return ServFail"); | |
755 | return RCode::ServFail; | |
756 | } | |
757 | ||
b88526ce PL |
758 | /*! This function will check the cache and go out to the internet if the answer is not in cache |
759 | * | |
760 | * \param qname The name we need an answer for | |
761 | * \param qtype | |
762 | * \param ret The vector of DNSRecords we need to fill with the answers | |
763 | * \param depth The recursion depth we are in | |
764 | * \param beenthere | |
239c8386 OM |
765 | * \param fromCache tells the caller the result came from the cache, may be nullptr |
766 | * \param stopAtDelegation if non-nullptr and pointed-to value is Stop requests the callee to stop at a delegation, if so pointed-to value is set to Stopped | |
0a9fc756 | 767 | * \return DNS RCODE or -1 (Error) |
b88526ce | 768 | */ |
116d1288 | 769 | int SyncRes::doResolveNoQNameMinimization(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere, vState& state, bool *fromCache, StopAtDelegation *stopAtDelegation) |
afbe2787 | 770 | { |
ded77b10 | 771 | string prefix; |
77499b05 | 772 | if(doLog()) { |
ded77b10 BH |
773 | prefix=d_prefix; |
774 | prefix.append(depth, ' '); | |
775 | } | |
b8470add | 776 | |
4d2be65d RG |
777 | LOG(prefix<<qname<<": Wants "<< (d_doDNSSEC ? "" : "NO ") << "DNSSEC processing, "<<(d_requireAuthData ? "" : "NO ")<<"auth data in query for "<<qtype.getName()<<endl); |
778 | ||
779 | state = Indeterminate; | |
710af846 | 780 | |
7c3398aa RG |
781 | if(s_maxdepth && depth > s_maxdepth) |
782 | throw ImmediateServFailException("More than "+std::to_string(s_maxdepth)+" (max-recursion-depth) levels of recursion needed while resolving "+qname.toLogString()); | |
783 | ||
f4df5e89 | 784 | int res=0; |
b88526ce PL |
785 | |
786 | // This is a difficult way of expressing "this is a normal query", i.e. not getRootNS. | |
0b29b9c5 | 787 | if(!(d_updatingRootNS && qtype.getCode()==QType::NS && qname.isRoot())) { |
115d07ad | 788 | if(d_cacheonly) { // very limited OOB support |
263f6a5a | 789 | LWResult lwr; |
2189085d | 790 | LOG(prefix<<qname<<": Recursion not requested for '"<<qname<<"|"<<qtype.getName()<<"', peeking at auth/forward zones"<<endl); |
c5c066bf | 791 | DNSName authname(qname); |
115d07ad | 792 | domainmap_t::const_iterator iter=getBestAuthZone(&authname); |
a712cb56 | 793 | if(iter != t_sstorage.domainmap->end()) { |
3337c2f7 | 794 | if(iter->second.isAuth()) { |
4957a608 | 795 | ret.clear(); |
9fc36e90 | 796 | d_wasOutOfBand = doOOBResolve(qname, qtype, ret, depth, res); |
116d1288 OM |
797 | if (fromCache) |
798 | *fromCache = d_wasOutOfBand; | |
4957a608 BH |
799 | return res; |
800 | } | |
801 | else { | |
3337c2f7 | 802 | const vector<ComboAddress>& servers = iter->second.d_servers; |
4957a608 | 803 | const ComboAddress remoteIP = servers.front(); |
2189085d | 804 | LOG(prefix<<qname<<": forwarding query to hardcoded nameserver '"<< remoteIP.toStringWithPort()<<"' for zone '"<<authname<<"'"<<endl); |
4957a608 | 805 | |
6148fa97 | 806 | boost::optional<Netmask> nm; |
deca7d8f | 807 | bool chained = false; |
6de48f75 | 808 | res=asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, authname, qtype.getCode(), false, false, &d_now, nm, &lwr, &chained); |
fabef7e0 | 809 | |
810 | d_totUsec += lwr.d_usec; | |
811 | accountAuthLatency(lwr.d_usec, remoteIP.sin4.sin_family); | |
116d1288 OM |
812 | if (fromCache) |
813 | *fromCache = true; | |
814 | ||
4957a608 | 815 | // filter out the good stuff from lwr.result() |
ab33a095 RG |
816 | if (res == 1) { |
817 | for(const auto& rec : lwr.d_records) { | |
818 | if(rec.d_place == DNSResourceRecord::ANSWER) | |
819 | ret.push_back(rec); | |
820 | } | |
821 | return 0; | |
822 | } | |
823 | else { | |
824 | return RCode::ServFail; | |
4957a608 | 825 | } |
4957a608 | 826 | } |
115d07ad BH |
827 | } |
828 | } | |
829 | ||
e1636f82 RG |
830 | DNSName authname(qname); |
831 | bool wasForwardedOrAuthZone = false; | |
832 | bool wasAuthZone = false; | |
ad797d94 | 833 | bool wasForwardRecurse = false; |
e1636f82 RG |
834 | domainmap_t::const_iterator iter = getBestAuthZone(&authname); |
835 | if(iter != t_sstorage.domainmap->end()) { | |
ad797d94 | 836 | const auto& domain = iter->second; |
e1636f82 | 837 | wasForwardedOrAuthZone = true; |
ad797d94 RG |
838 | |
839 | if (domain.isAuth()) { | |
e1636f82 | 840 | wasAuthZone = true; |
ad797d94 RG |
841 | } else if (domain.shouldRecurse()) { |
842 | wasForwardRecurse = true; | |
e1636f82 RG |
843 | } |
844 | } | |
845 | ||
ad797d94 | 846 | if(!d_skipCNAMECheck && doCNAMECacheCheck(qname, qtype, ret, depth, res, state, wasAuthZone, wasForwardRecurse)) { // will reroute us if needed |
e1636f82 | 847 | d_wasOutOfBand = wasAuthZone; |
c836dc19 | 848 | return res; |
e1636f82 | 849 | } |
710af846 | 850 | |
ad797d94 | 851 | if(doCacheCheck(qname, authname, wasForwardedOrAuthZone, wasAuthZone, wasForwardRecurse, qtype, ret, depth, res, state)) { |
e1636f82 RG |
852 | // we done |
853 | d_wasOutOfBand = wasAuthZone; | |
116d1288 OM |
854 | if (fromCache) |
855 | *fromCache = true; | |
c836dc19 | 856 | return res; |
e1636f82 | 857 | } |
c836dc19 | 858 | } |
afbe2787 | 859 | |
115d07ad | 860 | if(d_cacheonly) |
c836dc19 | 861 | return 0; |
728485ca | 862 | |
2189085d | 863 | LOG(prefix<<qname<<": No cache hit for '"<<qname<<"|"<<qtype.getName()<<"', trying to find an appropriate NS record"<<endl); |
710af846 | 864 | |
c5c066bf | 865 | DNSName subdomain(qname); |
d8049162 | 866 | if(qtype == QType::DS) subdomain.chopOff(); |
728485ca | 867 | |
fa1b87ff | 868 | NsSet nsset; |
7305df82 | 869 | bool flawedNSSet=false; |
97df07f8 | 870 | |
3cef03e9 RG |
871 | /* we use subdomain here instead of qname because for DS queries we only care about the state of the parent zone */ |
872 | computeZoneCuts(subdomain, g_rootdnsname, depth); | |
70b3fe7a | 873 | |
97df07f8 PD |
874 | // the two retries allow getBestNSNamesFromCache&co to reprime the root |
875 | // hints, in case they ever go missing | |
bdf40704 | 876 | for(int tries=0;tries<2 && nsset.empty();++tries) { |
891fbf88 | 877 | subdomain=getBestNSNamesFromCache(subdomain, qtype, nsset, &flawedNSSet, depth, beenthere); // pass beenthere to both occasions |
bdf40704 BH |
878 | } |
879 | ||
5374b03b | 880 | state = getValidationStatus(qname, false); |
70b3fe7a | 881 | |
5374b03b | 882 | LOG(prefix<<qname<<": initial validation status for "<<qname<<" is "<<vStates[state]<<endl); |
4d2be65d | 883 | |
116d1288 | 884 | if(!(res=doResolveAt(nsset, subdomain, flawedNSSet, qname, qtype, ret, depth, beenthere, state, stopAtDelegation))) |
728485ca | 885 | return 0; |
3ddb9247 | 886 | |
2189085d | 887 | LOG(prefix<<qname<<": failed (res="<<res<<")"<<endl); |
b8470add | 888 | |
20177d1d | 889 | return res<0 ? RCode::ServFail : res; |
afbe2787 BH |
890 | } |
891 | ||
c2567ad1 | 892 | #if 0 |
a67dd0cf | 893 | // for testing purposes |
fdf05fd4 BH |
894 | static bool ipv6First(const ComboAddress& a, const ComboAddress& b) |
895 | { | |
896 | return !(a.sin4.sin_family < a.sin4.sin_family); | |
897 | } | |
c2567ad1 | 898 | #endif |
fdf05fd4 | 899 | |
0e4675a9 RG |
900 | struct speedOrderCA |
901 | { | |
b9715061 | 902 | speedOrderCA(std::map<ComboAddress,float>& speeds): d_speeds(speeds) {} |
0e4675a9 RG |
903 | bool operator()(const ComboAddress& a, const ComboAddress& b) const |
904 | { | |
905 | return d_speeds[a] < d_speeds[b]; | |
906 | } | |
b9715061 | 907 | std::map<ComboAddress, float>& d_speeds; |
0e4675a9 RG |
908 | }; |
909 | ||
21f0f88b | 910 | /** This function explicitly goes out for A or AAAA addresses |
996c89cc | 911 | */ |
b4c8789a | 912 | vector<ComboAddress> SyncRes::getAddrs(const DNSName &qname, unsigned int depth, set<GetBestNSAnswer>& beenthere, bool cacheOnly) |
75b49099 | 913 | { |
e325f20c | 914 | typedef vector<DNSRecord> res_t; |
996c89cc BH |
915 | typedef vector<ComboAddress> ret_t; |
916 | ret_t ret; | |
75b49099 | 917 | |
116d1288 | 918 | bool oldCacheOnly = setCacheOnly(cacheOnly); |
24bb9b58 | 919 | bool oldRequireAuthData = d_requireAuthData; |
5597f804 | 920 | bool oldValidationRequested = d_DNSSECValidationRequested; |
24bb9b58 | 921 | d_requireAuthData = false; |
5597f804 | 922 | d_DNSSECValidationRequested = false; |
92011b8f | 923 | |
124dd1d4 RG |
924 | try { |
925 | vState newState = Indeterminate; | |
926 | res_t resv4; | |
927 | // If IPv4 ever becomes second class, we should revisit this | |
928 | if (doResolve(qname, QType::A, resv4, depth+1, beenthere, newState) == 0) { // this consults cache, OR goes out | |
929 | for (auto const &i : resv4) { | |
930 | if (i.d_type == QType::A) { | |
931 | if (auto rec = getRR<ARecordContent>(i)) { | |
932 | ret.push_back(rec->getCA(53)); | |
933 | } | |
d96e88da | 934 | } |
42724edf | 935 | } |
f4df5e89 | 936 | } |
124dd1d4 RG |
937 | if (s_doIPv6) { |
938 | if (ret.empty()) { | |
939 | // We did not find IPv4 addresses, try to get IPv6 ones | |
940 | newState = Indeterminate; | |
941 | res_t resv6; | |
942 | if (doResolve(qname, QType::AAAA, resv6, depth+1, beenthere, newState) == 0) { // this consults cache, OR goes out | |
943 | for (const auto &i : resv6) { | |
944 | if (i.d_type == QType::AAAA) { | |
945 | if (auto rec = getRR<AAAARecordContent>(i)) | |
946 | ret.push_back(rec->getCA(53)); | |
947 | } | |
493f5682 OM |
948 | } |
949 | } | |
124dd1d4 RG |
950 | } else { |
951 | // We have some IPv4 records, don't bother with going out to get IPv6, but do consult the cache | |
952 | // Once IPv6 adoption matters, this needs to be revisited | |
953 | res_t cset; | |
954 | if (t_RC->get(d_now.tv_sec, qname, QType(QType::AAAA), false, &cset, d_cacheRemote) > 0) { | |
955 | for (const auto &i : cset) { | |
956 | if (i.d_ttl > (unsigned int)d_now.tv_sec ) { | |
957 | if (auto rec = getRR<AAAARecordContent>(i)) { | |
958 | ret.push_back(rec->getCA(53)); | |
959 | } | |
493f5682 OM |
960 | } |
961 | } | |
962 | } | |
60c9a54f | 963 | } |
60c9a54f | 964 | } |
bfea0d0b | 965 | } |
124dd1d4 RG |
966 | catch (const PolicyHitException& e) { |
967 | /* we ignore a policy hit while trying to retrieve the addresses | |
968 | of a NS and keep processing the current query */ | |
969 | } | |
710af846 | 970 | |
24bb9b58 | 971 | d_requireAuthData = oldRequireAuthData; |
5597f804 | 972 | d_DNSSECValidationRequested = oldValidationRequested; |
116d1288 | 973 | setCacheOnly(oldCacheOnly); |
24bb9b58 | 974 | |
c767798a RG |
975 | /* we need to remove from the nsSpeeds collection the existing IPs |
976 | for this nameserver that are no longer in the set, even if there | |
977 | is only one or none at all in the current set. | |
978 | */ | |
b9715061 | 979 | map<ComboAddress, float> speeds; |
133b4cfc OM |
980 | auto& collection = t_sstorage.nsSpeeds[qname]; |
981 | float factor = collection.getFactor(d_now); | |
c767798a | 982 | for(const auto& val: ret) { |
133b4cfc | 983 | speeds[val] = collection.d_collection[val].get(factor); |
c767798a | 984 | } |
996c89cc | 985 | |
c767798a | 986 | t_sstorage.nsSpeeds[qname].purge(speeds); |
996c89cc | 987 | |
c767798a | 988 | if(ret.size() > 1) { |
feccaf7f | 989 | random_shuffle(ret.begin(), ret.end()); |
0e4675a9 RG |
990 | speedOrderCA so(speeds); |
991 | stable_sort(ret.begin(), ret.end(), so); | |
992 | ||
993 | if(doLog()) { | |
994 | string prefix=d_prefix; | |
995 | prefix.append(depth, ' '); | |
996 | LOG(prefix<<"Nameserver "<<qname<<" IPs: "); | |
997 | bool first = true; | |
998 | for(const auto& addr : ret) { | |
999 | if (first) { | |
1000 | first = false; | |
4957a608 | 1001 | } |
0e4675a9 RG |
1002 | else { |
1003 | LOG(", "); | |
1004 | } | |
1005 | LOG((addr.toString())<<"(" << (boost::format("%0.2f") % (speeds[addr]/1000.0)).str() <<"ms)"); | |
996c89cc | 1006 | } |
0e4675a9 RG |
1007 | LOG(endl); |
1008 | } | |
996c89cc | 1009 | } |
fdf05fd4 | 1010 | |
728485ca | 1011 | return ret; |
75b49099 BH |
1012 | } |
1013 | ||
7c3398aa | 1014 | void SyncRes::getBestNSFromCache(const DNSName &qname, const QType& qtype, vector<DNSRecord>& bestns, bool* flawedNSSet, unsigned int depth, set<GetBestNSAnswer>& beenthere) |
86c152f2 | 1015 | { |
c5c066bf PD |
1016 | string prefix; |
1017 | DNSName subdomain(qname); | |
77499b05 | 1018 | if(doLog()) { |
ded77b10 BH |
1019 | prefix=d_prefix; |
1020 | prefix.append(depth, ' '); | |
1021 | } | |
75b49099 | 1022 | bestns.clear(); |
2b1b4054 | 1023 | bool brokeloop; |
75b49099 | 1024 | do { |
2b1b4054 | 1025 | brokeloop=false; |
2189085d | 1026 | LOG(prefix<<qname<<": Checking if we have NS in cache for '"<<subdomain<<"'"<<endl); |
e325f20c | 1027 | vector<DNSRecord> ns; |
7305df82 | 1028 | *flawedNSSet = false; |
4d2be65d | 1029 | |
2fe3354d | 1030 | if(t_RC->get(d_now.tv_sec, subdomain, QType(QType::NS), false, &ns, d_cacheRemote) > 0) { |
feccaf7f RG |
1031 | bestns.reserve(ns.size()); |
1032 | ||
e325f20c | 1033 | for(auto k=ns.cbegin();k!=ns.cend(); ++k) { |
1034 | if(k->d_ttl > (unsigned int)d_now.tv_sec ) { | |
1035 | vector<DNSRecord> aset; | |
4957a608 | 1036 | |
e325f20c | 1037 | const DNSRecord& dr=*k; |
ba3c54cb RG |
1038 | auto nrr = getRR<NSRecordContent>(dr); |
1039 | if(nrr && (!nrr->getNS().isPartOf(subdomain) || t_RC->get(d_now.tv_sec, nrr->getNS(), s_doIPv6 ? QType(QType::ADDR) : QType(QType::A), | |
2fe3354d | 1040 | false, doLog() ? &aset : 0, d_cacheRemote) > 5)) { |
e325f20c | 1041 | bestns.push_back(dr); |
2189085d PL |
1042 | LOG(prefix<<qname<<": NS (with ip, or non-glue) in cache for '"<<subdomain<<"' -> '"<<nrr->getNS()<<"'"<<endl); |
1043 | LOG(prefix<<qname<<": within bailiwick: "<< nrr->getNS().isPartOf(subdomain)); | |
4957a608 | 1044 | if(!aset.empty()) { |
e325f20c | 1045 | LOG(", in cache, ttl="<<(unsigned int)(((time_t)aset.begin()->d_ttl- d_now.tv_sec ))<<endl); |
4957a608 BH |
1046 | } |
1047 | else { | |
77499b05 | 1048 | LOG(", not in cache / did not look at cache"<<endl); |
4957a608 BH |
1049 | } |
1050 | } | |
1051 | else { | |
1052 | *flawedNSSet=true; | |
e325f20c | 1053 | LOG(prefix<<qname<<": NS in cache for '"<<subdomain<<"', but needs glue ("<<nrr->getNS()<<") which we miss or is expired"<<endl); |
4957a608 BH |
1054 | } |
1055 | } | |
afbe2787 | 1056 | } |
4d2be65d | 1057 | |
75b49099 | 1058 | if(!bestns.empty()) { |
4957a608 | 1059 | GetBestNSAnswer answer; |
891fbf88 | 1060 | answer.qname=qname; |
1061 | answer.qtype=qtype.getCode(); | |
38c2ba02 RG |
1062 | for(const auto& dr : bestns) { |
1063 | if (auto nsContent = getRR<NSRecordContent>(dr)) { | |
1064 | answer.bestns.insert(make_pair(dr.d_name, nsContent->getNS())); | |
1065 | } | |
1066 | } | |
891fbf88 | 1067 | |
6493dfc0 RG |
1068 | auto insertionPair = beenthere.insert(std::move(answer)); |
1069 | if(!insertionPair.second) { | |
2b1b4054 | 1070 | brokeloop=true; |
2189085d | 1071 | LOG(prefix<<qname<<": We have NS in cache for '"<<subdomain<<"' but part of LOOP (already seen "<<answer.qname<<")! Trying less specific NS"<<endl); |
e325f20c | 1072 | ; |
77499b05 BH |
1073 | if(doLog()) |
1074 | for( set<GetBestNSAnswer>::const_iterator j=beenthere.begin();j!=beenthere.end();++j) { | |
6493dfc0 | 1075 | bool neo = (j == insertionPair.first); |
2189085d | 1076 | LOG(prefix<<qname<<": beenthere"<<(neo?"*":"")<<": "<<j->qname<<"|"<<DNSRecordContent::NumberToType(j->qtype)<<" ("<<(unsigned int)j->bestns.size()<<")"<<endl); |
77499b05 | 1077 | } |
4957a608 BH |
1078 | bestns.clear(); |
1079 | } | |
1080 | else { | |
2189085d | 1081 | LOG(prefix<<qname<<": We have NS in cache for '"<<subdomain<<"' (flawedNSSet="<<*flawedNSSet<<")"<<endl); |
4957a608 BH |
1082 | return; |
1083 | } | |
75b49099 | 1084 | } |
afbe2787 | 1085 | } |
2189085d | 1086 | LOG(prefix<<qname<<": no valid/useful NS in cache for '"<<subdomain<<"'"<<endl); |
4d2be65d | 1087 | |
52683ca3 | 1088 | if(subdomain.isRoot() && !brokeloop) { |
7836f7b4 | 1089 | // We lost the root NS records |
3ddb9247 | 1090 | primeHints(); |
159b1242 | 1091 | primeRootNSZones(g_dnssecmode != DNSSECMode::Off); |
2189085d | 1092 | LOG(prefix<<qname<<": reprimed the root"<<endl); |
0b29b9c5 RG |
1093 | /* let's prevent an infinite loop */ |
1094 | if (!d_updatingRootNS) { | |
1095 | getRootNS(d_now, d_asyncResolve); | |
1096 | } | |
6576051d | 1097 | } |
4d2be65d | 1098 | } while(subdomain.chopOff()); |
75b49099 BH |
1099 | } |
1100 | ||
69cbdef9 | 1101 | SyncRes::domainmap_t::const_iterator SyncRes::getBestAuthZone(DNSName* qname) const |
5605c067 | 1102 | { |
6493dfc0 RG |
1103 | if (t_sstorage.domainmap->empty()) { |
1104 | return t_sstorage.domainmap->end(); | |
1105 | } | |
1106 | ||
5605c067 BH |
1107 | SyncRes::domainmap_t::const_iterator ret; |
1108 | do { | |
a712cb56 RG |
1109 | ret=t_sstorage.domainmap->find(*qname); |
1110 | if(ret!=t_sstorage.domainmap->end()) | |
5605c067 | 1111 | break; |
c5c066bf | 1112 | }while(qname->chopOff()); |
5605c067 BH |
1113 | return ret; |
1114 | } | |
288f4aa9 | 1115 | |
7bf26383 | 1116 | /** doesn't actually do the work, leaves that to getBestNSFromCache */ |
7c3398aa | 1117 | DNSName SyncRes::getBestNSNamesFromCache(const DNSName &qname, const QType& qtype, NsSet& nsset, bool* flawedNSSet, unsigned int depth, set<GetBestNSAnswer>&beenthere) |
75b49099 | 1118 | { |
c5c066bf | 1119 | DNSName authdomain(qname); |
3ddb9247 | 1120 | |
5605c067 | 1121 | domainmap_t::const_iterator iter=getBestAuthZone(&authdomain); |
a712cb56 | 1122 | if(iter!=t_sstorage.domainmap->end()) { |
3337c2f7 | 1123 | if( iter->second.isAuth() ) |
fa1b87ff PL |
1124 | // this gets picked up in doResolveAt, the empty DNSName, combined with the |
1125 | // empty vector means 'we are auth for this zone' | |
1126 | nsset.insert({DNSName(), {{}, false}}); | |
2e5ae2b2 | 1127 | else { |
fa1b87ff PL |
1128 | // Again, picked up in doResolveAt. An empty DNSName, combined with a |
1129 | // non-empty vector of ComboAddresses means 'this is a forwarded domain' | |
6dfff36f | 1130 | // This is actually picked up in retrieveAddressesForNS called from doResolveAt. |
3337c2f7 | 1131 | nsset.insert({DNSName(), {iter->second.d_servers, iter->second.shouldRecurse() }}); |
2e5ae2b2 | 1132 | } |
5605c067 BH |
1133 | return authdomain; |
1134 | } | |
1135 | ||
6493dfc0 | 1136 | DNSName subdomain(qname); |
e325f20c | 1137 | vector<DNSRecord> bestns; |
891fbf88 | 1138 | getBestNSFromCache(subdomain, qtype, bestns, flawedNSSet, depth, beenthere); |
75b49099 | 1139 | |
e325f20c | 1140 | for(auto k=bestns.cbegin() ; k != bestns.cend(); ++k) { |
fa1b87ff | 1141 | // The actual resolver code will not even look at the ComboAddress or bool |
38c2ba02 RG |
1142 | const auto nsContent = getRR<NSRecordContent>(*k); |
1143 | if (nsContent) { | |
1144 | nsset.insert({nsContent->getNS(), {{}, false}}); | |
1145 | if(k==bestns.cbegin()) | |
1146 | subdomain=k->d_name; | |
1147 | } | |
86c152f2 | 1148 | } |
75b49099 | 1149 | return subdomain; |
afbe2787 BH |
1150 | } |
1151 | ||
b9473937 RG |
1152 | void SyncRes::updateValidationStatusInCache(const DNSName &qname, const QType& qt, bool aa, vState newState) const |
1153 | { | |
1154 | if (newState == Bogus) { | |
1155 | t_RC->updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, aa, newState, s_maxbogusttl + d_now.tv_sec); | |
1156 | } | |
1157 | else { | |
1158 | t_RC->updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, aa, newState, boost::none); | |
1159 | } | |
1160 | } | |
1161 | ||
ad797d94 | 1162 | bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>& ret, unsigned int depth, int &res, vState& state, bool wasAuthZone, bool wasForwardRecurse) |
afbe2787 | 1163 | { |
ded77b10 | 1164 | string prefix; |
77499b05 | 1165 | if(doLog()) { |
710af846 | 1166 | prefix=d_prefix; |
ded77b10 BH |
1167 | prefix.append(depth, ' '); |
1168 | } | |
36f5e3db | 1169 | |
40de2910 | 1170 | if((depth>9 && d_outqueries>10 && d_throttledqueries>5) || depth > 15) { |
2189085d | 1171 | LOG(prefix<<qname<<": recursing (CNAME or other indirection) too deep, depth="<<depth<<endl); |
c6644fc5 BH |
1172 | res=RCode::ServFail; |
1173 | return true; | |
1174 | } | |
3ddb9247 | 1175 | |
e325f20c | 1176 | vector<DNSRecord> cset; |
1f77f479 | 1177 | vector<std::shared_ptr<RRSIGRecordContent>> signatures; |
2b984251 | 1178 | vector<std::shared_ptr<DNSRecord>> authorityRecs; |
428f41b7 | 1179 | bool wasAuth; |
b9473937 | 1180 | uint32_t capTTL = std::numeric_limits<uint32_t>::max(); |
d30b5493 PL |
1181 | DNSName foundName; |
1182 | QType foundQT = QType(0); // 0 == QTYPE::ENT | |
1183 | ||
e686a798 | 1184 | LOG(prefix<<qname<<": Looking for CNAME cache hit of '"<<qname<<"|CNAME"<<"'"<<endl); |
ad797d94 | 1185 | /* we don't require auth data for forward-recurse lookups */ |
e686a798 PL |
1186 | if (t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) { |
1187 | foundName = qname; | |
1188 | foundQT = QType(QType::CNAME); | |
1189 | } | |
1190 | ||
1191 | if (foundName.empty() && qname != g_rootdnsname) { | |
d30b5493 PL |
1192 | // look for a DNAME cache hit |
1193 | auto labels = qname.getRawLabels(); | |
1194 | DNSName dnameName(g_rootdnsname); | |
1195 | ||
adbd867b | 1196 | LOG(prefix<<qname<<": Looking for DNAME cache hit of '"<<qname<<"|DNAME' or its ancestors"<<endl); |
d30b5493 PL |
1197 | do { |
1198 | dnameName.prependRawLabel(labels.back()); | |
1199 | labels.pop_back(); | |
71e9cc53 PL |
1200 | if (dnameName == qname && qtype != QType::DNAME) { // The client does not want a DNAME, but we've reached the QNAME already. So there is no match |
1201 | break; | |
1202 | } | |
d30b5493 | 1203 | if (t_RC->get(d_now.tv_sec, dnameName, QType(QType::DNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) { |
71e9cc53 PL |
1204 | foundName = dnameName; |
1205 | foundQT = QType(QType::DNAME); | |
1206 | break; | |
d30b5493 PL |
1207 | } |
1208 | } while(!labels.empty()); | |
1209 | } | |
36c5ee42 | 1210 | |
8d11c508 PL |
1211 | if (foundName.empty()) { |
1212 | LOG(prefix<<qname<<": No CNAME or DNAME cache hit of '"<< qname <<"' found"<<endl); | |
1213 | return false; | |
1214 | } | |
1215 | ||
0de8295b PL |
1216 | for(auto const &record : cset) { |
1217 | if (record.d_class != QClass::IN) { | |
8d11c508 PL |
1218 | continue; |
1219 | } | |
c5310862 | 1220 | |
0de8295b | 1221 | if(record.d_ttl > (unsigned int) d_now.tv_sec) { |
8d11c508 PL |
1222 | |
1223 | if (!wasAuthZone && shouldValidate() && (wasAuth || wasForwardRecurse) && state == Indeterminate && d_requireAuthData) { | |
1224 | /* This means we couldn't figure out the state when this entry was cached, | |
1225 | most likely because we hadn't computed the zone cuts yet. */ | |
1226 | /* make sure they are computed before validating */ | |
1227 | DNSName subdomain(foundName); | |
1228 | /* if we are retrieving a DS, we only care about the state of the parent zone */ | |
1229 | if(qtype == QType::DS) | |
1230 | subdomain.chopOff(); | |
1231 | ||
1232 | computeZoneCuts(subdomain, g_rootdnsname, depth); | |
1233 | ||
1234 | vState recordState = getValidationStatus(foundName, false); | |
1235 | if (recordState == Secure) { | |
1236 | LOG(prefix<<qname<<": got Indeterminate state from the "<<foundQT.getName()<<" cache, validating.."<<endl); | |
1237 | state = SyncRes::validateRecordsWithSigs(depth, foundName, foundQT, foundName, cset, signatures); | |
1238 | if (state != Indeterminate) { | |
1239 | LOG(prefix<<qname<<": got Indeterminate state from the CNAME cache, new validation result is "<<vStates[state]<<endl); | |
1240 | if (state == Bogus) { | |
1241 | capTTL = s_maxbogusttl; | |
787737ae | 1242 | } |
8d11c508 | 1243 | updateValidationStatusInCache(foundName, foundQT, wasAuth, state); |
787737ae | 1244 | } |
428f41b7 | 1245 | } |
8d11c508 | 1246 | } |
428f41b7 | 1247 | |
0de8295b | 1248 | LOG(prefix<<qname<<": Found cache "<<foundQT.getName()<<" hit for '"<< foundName << "|"<<foundQT.getName()<<"' to '"<<record.d_content->getZoneRepresentation()<<"', validation state is "<<vStates[state]<<endl); |
1f77f479 | 1249 | |
0de8295b | 1250 | DNSRecord dr = record; |
8d11c508 PL |
1251 | dr.d_ttl -= d_now.tv_sec; |
1252 | dr.d_ttl = std::min(dr.d_ttl, capTTL); | |
1253 | const uint32_t ttl = dr.d_ttl; | |
1254 | ret.reserve(ret.size() + 2 + signatures.size() + authorityRecs.size()); | |
1255 | ret.push_back(dr); | |
2b984251 | 1256 | |
8d11c508 PL |
1257 | for(const auto& signature : signatures) { |
1258 | DNSRecord sigdr; | |
1259 | sigdr.d_type=QType::RRSIG; | |
1260 | sigdr.d_name=foundName; | |
1261 | sigdr.d_ttl=ttl; | |
1262 | sigdr.d_content=signature; | |
1263 | sigdr.d_place=DNSResourceRecord::ANSWER; | |
1264 | sigdr.d_class=QClass::IN; | |
1265 | ret.push_back(sigdr); | |
1266 | } | |
4d2be65d | 1267 | |
8d11c508 PL |
1268 | for(const auto& rec : authorityRecs) { |
1269 | DNSRecord authDR(*rec); | |
1270 | authDR.d_ttl=ttl; | |
1271 | ret.push_back(authDR); | |
1272 | } | |
d30b5493 | 1273 | |
8d11c508 PL |
1274 | DNSName newTarget; |
1275 | if (foundQT == QType::DNAME) { | |
1276 | if (qtype == QType::DNAME && qname == foundName) { // client wanted the DNAME, no need to synthesize a CNAME | |
d30b5493 PL |
1277 | res = 0; |
1278 | return true; | |
1279 | } | |
8d11c508 | 1280 | // Synthesize a CNAME |
0de8295b | 1281 | auto dnameRR = getRR<DNAMERecordContent>(record); |
8d11c508 PL |
1282 | if (dnameRR == nullptr) { |
1283 | throw ImmediateServFailException("Unable to get record content for "+foundName.toLogString()+"|DNAME cache entry"); | |
1284 | } | |
1285 | const auto& dnameSuffix = dnameRR->getTarget(); | |
1286 | DNSName targetPrefix = qname.makeRelative(foundName); | |
1287 | try { | |
1288 | dr.d_type = QType::CNAME; | |
1289 | dr.d_name = targetPrefix + foundName; | |
1290 | newTarget = targetPrefix + dnameSuffix; | |
1291 | dr.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(newTarget)); | |
1292 | ret.push_back(dr); | |
1293 | } catch (const std::exception &e) { | |
1294 | // We should probably catch an std::range_error here and set the rcode to YXDOMAIN (RFC 6672, section 2.2) | |
1295 | // But this is consistent with processRecords | |
1296 | throw ImmediateServFailException("Unable to perform DNAME substitution(DNAME owner: '" + foundName.toLogString() + | |
1297 | "', DNAME target: '" + dnameSuffix.toLogString() + "', substituted name: '" + | |
1298 | targetPrefix.toLogString() + "." + dnameSuffix.toLogString() + | |
1299 | "' : " + e.what()); | |
4957a608 | 1300 | } |
d30b5493 | 1301 | |
8d11c508 PL |
1302 | LOG(prefix<<qname<<": Synthesized "<<dr.d_name<<"|CNAME "<<newTarget<<endl); |
1303 | } | |
4d2be65d | 1304 | |
8d11c508 PL |
1305 | if(qtype == QType::CNAME) { // perhaps they really wanted a CNAME! |
1306 | res = 0; | |
4957a608 | 1307 | return true; |
ac539791 | 1308 | } |
8d11c508 PL |
1309 | |
1310 | // We have a DNAME _or_ CNAME cache hit and the client wants something else than those two. | |
1311 | // Let's find the answer! | |
1312 | if (foundQT == QType::CNAME) { | |
0de8295b | 1313 | const auto cnameContent = getRR<CNAMERecordContent>(record); |
8d11c508 PL |
1314 | if (cnameContent == nullptr) { |
1315 | throw ImmediateServFailException("Unable to get record content for "+foundName.toLogString()+"|CNAME cache entry"); | |
1316 | } | |
1317 | newTarget = cnameContent->getTarget(); | |
1318 | } | |
1319 | ||
1320 | set<GetBestNSAnswer>beenthere; | |
1321 | vState cnameState = Indeterminate; | |
1322 | res = doResolve(newTarget, qtype, ret, depth+1, beenthere, cnameState); | |
1323 | LOG(prefix<<qname<<": updating validation state for response to "<<qname<<" from "<<vStates[state]<<" with the state from the DNAME/CNAME quest: "<<vStates[cnameState]<<endl); | |
1324 | updateValidationState(state, cnameState); | |
1325 | ||
1326 | return true; | |
ac539791 | 1327 | } |
afbe2787 | 1328 | } |
8d11c508 | 1329 | throw ImmediateServFailException("Could not determine whether or not there was a CNAME or DNAME in cache for '" + qname.toLogString() + "'"); |
75b49099 BH |
1330 | } |
1331 | ||
f984e703 | 1332 | namespace { |
142ab370 RG |
1333 | struct CacheEntry |
1334 | { | |
1335 | vector<DNSRecord> records; | |
1336 | vector<shared_ptr<RRSIGRecordContent>> signatures; | |
1337 | uint32_t signaturesTTL{std::numeric_limits<uint32_t>::max()}; | |
1338 | }; | |
1339 | struct CacheKey | |
1340 | { | |
1341 | DNSName name; | |
1342 | uint16_t type; | |
1343 | DNSResourceRecord::Place place; | |
1344 | bool operator<(const CacheKey& rhs) const { | |
186e99c9 | 1345 | return tie(type, place, name) < tie(rhs.type, rhs.place, rhs.name); |
142ab370 RG |
1346 | } |
1347 | }; | |
1348 | typedef map<CacheKey, CacheEntry> tcache_t; | |
f984e703 | 1349 | } |
142ab370 RG |
1350 | |
1351 | static void reapRecordsFromNegCacheEntryForValidation(tcache_t& tcache, const vector<DNSRecord>& records) | |
1352 | { | |
1353 | for (const auto& rec : records) { | |
1354 | if (rec.d_type == QType::RRSIG) { | |
1355 | auto rrsig = getRR<RRSIGRecordContent>(rec); | |
1356 | if (rrsig) { | |
1357 | tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signatures.push_back(rrsig); | |
1358 | } | |
1359 | } else { | |
1360 | tcache[{rec.d_name,rec.d_type,rec.d_place}].records.push_back(rec); | |
1361 | } | |
1362 | } | |
1363 | } | |
1364 | ||
6909b8c5 PL |
1365 | /*! |
1366 | * Convience function to push the records from records into ret with a new TTL | |
1367 | * | |
1368 | * \param records DNSRecords that need to go into ret | |
1369 | * \param ttl The new TTL for these records | |
1370 | * \param ret The vector of DNSRecords that should contian the records with the modified TTL | |
1371 | */ | |
1372 | static void addTTLModifiedRecords(const vector<DNSRecord>& records, const uint32_t ttl, vector<DNSRecord>& ret) { | |
39ce10b2 PL |
1373 | for (const auto& rec : records) { |
1374 | DNSRecord r(rec); | |
1375 | r.d_ttl = ttl; | |
1376 | ret.push_back(r); | |
1377 | } | |
1378 | } | |
1379 | ||
28364e4b | 1380 | void SyncRes::computeNegCacheValidationStatus(const NegCache::NegCacheEntry* ne, const DNSName& qname, const QType& qtype, const int res, vState& state, unsigned int depth) |
142ab370 | 1381 | { |
f4de85a3 RG |
1382 | DNSName subdomain(qname); |
1383 | /* if we are retrieving a DS, we only care about the state of the parent zone */ | |
1384 | if(qtype == QType::DS) | |
1385 | subdomain.chopOff(); | |
1386 | ||
1387 | computeZoneCuts(subdomain, g_rootdnsname, depth); | |
142ab370 RG |
1388 | |
1389 | tcache_t tcache; | |
28364e4b RG |
1390 | reapRecordsFromNegCacheEntryForValidation(tcache, ne->authoritySOA.records); |
1391 | reapRecordsFromNegCacheEntryForValidation(tcache, ne->authoritySOA.signatures); | |
1392 | reapRecordsFromNegCacheEntryForValidation(tcache, ne->DNSSECRecords.records); | |
1393 | reapRecordsFromNegCacheEntryForValidation(tcache, ne->DNSSECRecords.signatures); | |
142ab370 RG |
1394 | |
1395 | for (const auto& entry : tcache) { | |
1396 | // this happens when we did store signatures, but passed on the records themselves | |
1397 | if (entry.second.records.empty()) { | |
1398 | continue; | |
1399 | } | |
1400 | ||
1401 | const DNSName& owner = entry.first.name; | |
1402 | ||
1403 | vState recordState = getValidationStatus(owner, false); | |
1404 | if (state == Indeterminate) { | |
1405 | state = recordState; | |
1406 | } | |
1407 | ||
1408 | if (recordState == Secure) { | |
f4de85a3 RG |
1409 | recordState = SyncRes::validateRecordsWithSigs(depth, qname, qtype, owner, entry.second.records, entry.second.signatures); |
1410 | } | |
142ab370 | 1411 | |
f4de85a3 RG |
1412 | if (recordState != Indeterminate && recordState != state) { |
1413 | updateValidationState(state, recordState); | |
1414 | if (state != Secure) { | |
1415 | break; | |
142ab370 RG |
1416 | } |
1417 | } | |
1418 | } | |
1419 | ||
1420 | if (state == Secure) { | |
28364e4b | 1421 | vState neValidationState = ne->d_validationState; |
142ab370 | 1422 | dState expectedState = res == RCode::NXDomain ? NXDOMAIN : NXQTYPE; |
28364e4b | 1423 | dState denialState = getDenialValidationState(*ne, state, expectedState, false); |
18c8faae | 1424 | updateDenialValidationState(neValidationState, ne->d_name, state, denialState, expectedState, qtype == QType::DS || expectedState == NXDOMAIN); |
142ab370 RG |
1425 | } |
1426 | if (state != Indeterminate) { | |
1427 | /* validation succeeded, let's update the cache entry so we don't have to validate again */ | |
b9473937 RG |
1428 | boost::optional<uint32_t> capTTD = boost::none; |
1429 | if (state == Bogus) { | |
1430 | capTTD = d_now.tv_sec + s_maxbogusttl; | |
1431 | } | |
1432 | t_sstorage.negcache.updateValidationStatus(ne->d_name, ne->d_qtype, state, capTTD); | |
142ab370 RG |
1433 | } |
1434 | } | |
e325f20c | 1435 | |
ad797d94 | 1436 | bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool wasForwardedOrAuthZone, bool wasAuthZone, bool wasForwardRecurse, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int &res, vState& state) |
75b49099 | 1437 | { |
fd8bc993 | 1438 | bool giveNegative=false; |
710af846 | 1439 | |
be718669 | 1440 | string prefix; |
77499b05 | 1441 | if(doLog()) { |
ded77b10 BH |
1442 | prefix=d_prefix; |
1443 | prefix.append(depth, ' '); | |
1444 | } | |
afbe2787 | 1445 | |
30e9bd93 | 1446 | // sqname and sqtype are used contain 'higher' names if we have them (e.g. powerdns.com|SOA when we find a negative entry for doesnotexists.powerdns.com|A) |
c5c066bf | 1447 | DNSName sqname(qname); |
288f4aa9 | 1448 | QType sqt(qtype); |
092f210a | 1449 | uint32_t sttl=0; |
2189085d | 1450 | // cout<<"Lookup for '"<<qname<<"|"<<qtype.getName()<<"' -> "<<getLastLabel(qname)<<endl; |
4d2be65d | 1451 | vState cachedState; |
28364e4b | 1452 | const NegCache::NegCacheEntry* ne = nullptr; |
64a8b6a1 | 1453 | |
710af846 | 1454 | if(s_rootNXTrust && |
157647ec | 1455 | t_sstorage.negcache.getRootNXTrust(qname, d_now, &ne) && |
28364e4b | 1456 | ne->d_auth.isRoot() && |
e1636f82 | 1457 | !(wasForwardedOrAuthZone && !authname.isRoot())) { // when forwarding, the root may only neg-cache if it was forwarded to. |
28364e4b RG |
1458 | sttl = ne->d_ttd - d_now.tv_sec; |
1459 | LOG(prefix<<qname<<": Entire name '"<<qname<<"', is negatively cached via '"<<ne->d_auth<<"' & '"<<ne->d_name<<"' for another "<<sttl<<" seconds"<<endl); | |
3ddb9247 | 1460 | res = RCode::NXDomain; |
39ce10b2 | 1461 | giveNegative = true; |
28364e4b | 1462 | cachedState = ne->d_validationState; |
157647ec | 1463 | } else if (t_sstorage.negcache.get(qname, qtype, d_now, &ne)) { |
b0c164a2 RG |
1464 | /* If we are looking for a DS, discard NXD if auth == qname |
1465 | and ask for a specific denial instead */ | |
28364e4b RG |
1466 | if (qtype != QType::DS || ne->d_qtype.getCode() || ne->d_auth != qname || |
1467 | t_sstorage.negcache.get(qname, qtype, d_now, &ne, true)) | |
b0c164a2 | 1468 | { |
157647ec | 1469 | res = RCode::NXDomain; |
28364e4b | 1470 | sttl = ne->d_ttd - d_now.tv_sec; |
b0c164a2 | 1471 | giveNegative = true; |
28364e4b | 1472 | cachedState = ne->d_validationState; |
157647ec | 1473 | if (ne->d_qtype.getCode()) { |
28364e4b | 1474 | LOG(prefix<<qname<<": "<<qtype.getName()<<" is negatively cached via '"<<ne->d_auth<<"' for another "<<sttl<<" seconds"<<endl); |
b0c164a2 | 1475 | res = RCode::NoError; |
157647ec PL |
1476 | } else { |
1477 | LOG(prefix<<qname<<": Entire name '"<<qname<<" is negatively cached via '"<<ne->d_auth<<"' for another "<<sttl<<" seconds"<<endl); | |
b0c164a2 | 1478 | } |
157647ec | 1479 | } |
d40a915b | 1480 | } else if (s_hardenNXD != HardenNXD::No && !qname.isRoot() && !wasForwardedOrAuthZone) { |
157647ec PL |
1481 | auto labels = qname.getRawLabels(); |
1482 | DNSName negCacheName(g_rootdnsname); | |
1483 | negCacheName.prependRawLabel(labels.back()); | |
1484 | labels.pop_back(); | |
1485 | while(!labels.empty()) { | |
1486 | if (t_sstorage.negcache.get(negCacheName, QType(0), d_now, &ne, true)) { | |
d40a915b OM |
1487 | if (ne->d_validationState == Indeterminate && validationEnabled()) { |
1488 | // LOG(prefix << negCacheName << " negatively cached and Indeterminate, trying to validate NXDOMAIN" << endl); | |
1489 | // ... | |
1490 | // And get the updated ne struct | |
1491 | //t_sstorage.negcache.get(negCacheName, QType(0), d_now, &ne, true); | |
1492 | } | |
7ce0efaa | 1493 | if ((s_hardenNXD == HardenNXD::Yes && ne->d_validationState != Bogus) || ne->d_validationState == Secure) { |
d40a915b OM |
1494 | res = RCode::NXDomain; |
1495 | sttl = ne->d_ttd - d_now.tv_sec; | |
1496 | giveNegative = true; | |
1497 | cachedState = ne->d_validationState; | |
1498 | LOG(prefix<<qname<<": Name '"<<negCacheName<<"' and below, is negatively cached via '"<<ne->d_auth<<"' for another "<<sttl<<" seconds"<<endl); | |
1499 | break; | |
1500 | } | |
b0c164a2 | 1501 | } |
157647ec PL |
1502 | negCacheName.prependRawLabel(labels.back()); |
1503 | labels.pop_back(); | |
39ce10b2 | 1504 | } |
39ce10b2 PL |
1505 | } |
1506 | ||
1507 | if (giveNegative) { | |
142ab370 RG |
1508 | |
1509 | state = cachedState; | |
1510 | ||
e1636f82 | 1511 | if (!wasAuthZone && shouldValidate() && state == Indeterminate) { |
142ab370 RG |
1512 | LOG(prefix<<qname<<": got Indeterminate state for records retrieved from the negative cache, validating.."<<endl); |
1513 | computeNegCacheValidationStatus(ne, qname, qtype, res, state, depth); | |
b9473937 RG |
1514 | |
1515 | if (state != cachedState && state == Bogus) { | |
1516 | sttl = std::min(sttl, s_maxbogusttl); | |
1517 | } | |
142ab370 RG |
1518 | } |
1519 | ||
39ce10b2 | 1520 | // Transplant SOA to the returned packet |
28364e4b | 1521 | addTTLModifiedRecords(ne->authoritySOA.records, sttl, ret); |
4d00b38b | 1522 | if(d_doDNSSEC) { |
28364e4b RG |
1523 | addTTLModifiedRecords(ne->authoritySOA.signatures, sttl, ret); |
1524 | addTTLModifiedRecords(ne->DNSSECRecords.records, sttl, ret); | |
1525 | addTTLModifiedRecords(ne->DNSSECRecords.signatures, sttl, ret); | |
4d00b38b | 1526 | } |
4d2be65d | 1527 | |
142ab370 | 1528 | LOG(prefix<<qname<<": updating validation state with negative cache content for "<<qname<<" to "<<vStates[state]<<endl); |
39ce10b2 | 1529 | return true; |
fd8bc993 | 1530 | } |
39ce10b2 | 1531 | |
e325f20c | 1532 | vector<DNSRecord> cset; |
75b49099 | 1533 | bool found=false, expired=false; |
57769f13 | 1534 | vector<std::shared_ptr<RRSIGRecordContent>> signatures; |
2b984251 | 1535 | vector<std::shared_ptr<DNSRecord>> authorityRecs; |
57769f13 | 1536 | uint32_t ttl=0; |
b9473937 | 1537 | uint32_t capTTL = std::numeric_limits<uint32_t>::max(); |
428f41b7 | 1538 | bool wasCachedAuth; |
ad797d94 | 1539 | if(t_RC->get(d_now.tv_sec, sqname, sqt, !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &cachedState, &wasCachedAuth) > 0) { |
428f41b7 | 1540 | |
2189085d | 1541 | LOG(prefix<<sqname<<": Found cache hit for "<<sqt.getName()<<": "); |
428f41b7 | 1542 | |
dff3ef07 | 1543 | if (!wasAuthZone && shouldValidate() && (wasCachedAuth || wasForwardRecurse) && cachedState == Indeterminate && d_requireAuthData) { |
428f41b7 RG |
1544 | |
1545 | /* This means we couldn't figure out the state when this entry was cached, | |
1546 | most likely because we hadn't computed the zone cuts yet. */ | |
aa30ad7e | 1547 | /* make sure they are computed before validating */ |
f4de85a3 RG |
1548 | DNSName subdomain(sqname); |
1549 | /* if we are retrieving a DS, we only care about the state of the parent zone */ | |
1550 | if(qtype == QType::DS) | |
1551 | subdomain.chopOff(); | |
1552 | ||
1553 | computeZoneCuts(subdomain, g_rootdnsname, depth); | |
aa30ad7e | 1554 | |
142ab370 | 1555 | vState recordState = getValidationStatus(qname, false); |
787737ae RG |
1556 | if (recordState == Secure) { |
1557 | LOG(prefix<<sqname<<": got Indeterminate state from the cache, validating.."<<endl); | |
1558 | cachedState = SyncRes::validateRecordsWithSigs(depth, sqname, sqt, sqname, cset, signatures); | |
f4de85a3 RG |
1559 | } |
1560 | else { | |
1561 | cachedState = recordState; | |
1562 | } | |
787737ae | 1563 | |
f4de85a3 RG |
1564 | if (cachedState != Indeterminate) { |
1565 | LOG(prefix<<qname<<": got Indeterminate state from the cache, validation result is "<<vStates[cachedState]<<endl); | |
b9473937 RG |
1566 | if (cachedState == Bogus) { |
1567 | capTTL = s_maxbogusttl; | |
1568 | } | |
1569 | updateValidationStatusInCache(sqname, sqt, wasCachedAuth, cachedState); | |
787737ae | 1570 | } |
428f41b7 RG |
1571 | } |
1572 | ||
e325f20c | 1573 | for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) { |
c5310862 | 1574 | |
e325f20c | 1575 | LOG(j->d_content->getZoneRepresentation()); |
c5310862 RG |
1576 | |
1577 | if (j->d_class != QClass::IN) { | |
1578 | continue; | |
1579 | } | |
1580 | ||
e325f20c | 1581 | if(j->d_ttl>(unsigned int) d_now.tv_sec) { |
1582 | DNSRecord dr=*j; | |
b9473937 RG |
1583 | dr.d_ttl -= d_now.tv_sec; |
1584 | dr.d_ttl = std::min(dr.d_ttl, capTTL); | |
1585 | ttl = dr.d_ttl; | |
e325f20c | 1586 | ret.push_back(dr); |
1587 | LOG("[ttl="<<dr.d_ttl<<"] "); | |
4957a608 | 1588 | found=true; |
ac539791 | 1589 | } |
75b49099 | 1590 | else { |
77499b05 | 1591 | LOG("[expired] "); |
4957a608 | 1592 | expired=true; |
75b49099 | 1593 | } |
afbe2787 | 1594 | } |
57769f13 | 1595 | |
f128d20d RG |
1596 | ret.reserve(ret.size() + signatures.size() + authorityRecs.size()); |
1597 | ||
57769f13 | 1598 | for(const auto& signature : signatures) { |
e325f20c | 1599 | DNSRecord dr; |
1600 | dr.d_type=QType::RRSIG; | |
1601 | dr.d_name=sqname; | |
1602 | dr.d_ttl=ttl; | |
1603 | dr.d_content=signature; | |
39ce10b2 | 1604 | dr.d_place = DNSResourceRecord::ANSWER; |
4d2be65d | 1605 | dr.d_class=QClass::IN; |
e325f20c | 1606 | ret.push_back(dr); |
57769f13 | 1607 | } |
2b984251 RG |
1608 | |
1609 | for(const auto& rec : authorityRecs) { | |
1610 | DNSRecord dr(*rec); | |
1611 | dr.d_ttl=ttl; | |
1612 | ret.push_back(dr); | |
1613 | } | |
1614 | ||
77499b05 | 1615 | LOG(endl); |
f4df5e89 | 1616 | if(found && !expired) { |
4d2be65d | 1617 | if (!giveNegative) |
4957a608 | 1618 | res=0; |
bcb05770 | 1619 | LOG(prefix<<qname<<": updating validation state with cache content for "<<qname<<" to "<<vStates[cachedState]<<endl); |
4d2be65d | 1620 | state = cachedState; |
75b49099 | 1621 | return true; |
f4df5e89 | 1622 | } |
75b49099 | 1623 | else |
2189085d | 1624 | LOG(prefix<<qname<<": cache had only stale entries"<<endl); |
afbe2787 | 1625 | } |
f4df5e89 | 1626 | |
75b49099 BH |
1627 | return false; |
1628 | } | |
afbe2787 | 1629 | |
69cbdef9 | 1630 | bool SyncRes::moreSpecificThan(const DNSName& a, const DNSName &b) const |
75b49099 | 1631 | { |
6a1010f7 | 1632 | return (a.isPartOf(b) && a.countLabels() > b.countLabels()); |
afbe2787 BH |
1633 | } |
1634 | ||
d8d0bb8f | 1635 | struct speedOrder |
eefd15f9 | 1636 | { |
b9715061 | 1637 | bool operator()(const std::pair<DNSName, float> &a, const std::pair<DNSName, float> &b) const |
c3d9d009 | 1638 | { |
feccaf7f | 1639 | return a.second < b.second; |
c3d9d009 | 1640 | } |
c3d9d009 BH |
1641 | }; |
1642 | ||
b9715061 | 1643 | inline std::vector<std::pair<DNSName, float>> SyncRes::shuffleInSpeedOrder(NsSet &tnameservers, const string &prefix) |
afbe2787 | 1644 | { |
b9715061 | 1645 | std::vector<std::pair<DNSName, float>> rnameservers; |
5ea6f7de | 1646 | rnameservers.reserve(tnameservers.size()); |
a2d65f83 | 1647 | for(const auto& tns: tnameservers) { |
b9715061 | 1648 | float speed = t_sstorage.nsSpeeds[tns.first].get(d_now); |
feccaf7f | 1649 | rnameservers.push_back({tns.first, speed}); |
a2d65f83 | 1650 | if(tns.first.empty()) // this was an authoritative OOB zone, don't pollute the nsSpeeds with that |
1651 | return rnameservers; | |
21f0f88b | 1652 | } |
461df9d2 | 1653 | |
feccaf7f RG |
1654 | random_shuffle(rnameservers.begin(),rnameservers.end()); |
1655 | speedOrder so; | |
996c89cc | 1656 | stable_sort(rnameservers.begin(),rnameservers.end(), so); |
710af846 | 1657 | |
77499b05 BH |
1658 | if(doLog()) { |
1659 | LOG(prefix<<"Nameservers: "); | |
feccaf7f RG |
1660 | for(auto i=rnameservers.begin();i!=rnameservers.end();++i) { |
1661 | if(i!=rnameservers.begin()) { | |
77499b05 BH |
1662 | LOG(", "); |
1663 | if(!((i-rnameservers.begin())%3)) { | |
1664 | LOG(endl<<prefix<<" "); | |
1665 | } | |
d8d0bb8f | 1666 | } |
feccaf7f | 1667 | LOG(i->first.toLogString()<<"(" << (boost::format("%0.2f") % (i->second/1000.0)).str() <<"ms)"); |
d8d0bb8f | 1668 | } |
77499b05 | 1669 | LOG(endl); |
d8d0bb8f | 1670 | } |
728485ca | 1671 | return rnameservers; |
afbe2787 BH |
1672 | } |
1673 | ||
cc11d7f4 | 1674 | inline vector<ComboAddress> SyncRes::shuffleForwardSpeed(const vector<ComboAddress> &rnameservers, const string &prefix, const bool wasRd) |
589884b8 | 1675 | { |
cc11d7f4 | 1676 | vector<ComboAddress> nameservers = rnameservers; |
b9715061 | 1677 | map<ComboAddress, float> speeds; |
589884b8 | 1678 | |
cc11d7f4 | 1679 | for(const auto& val: nameservers) { |
b9715061 | 1680 | float speed; |
6ed0c28a | 1681 | DNSName nsName = DNSName(val.toStringWithPort()); |
b9715061 | 1682 | speed=t_sstorage.nsSpeeds[nsName].get(d_now); |
589884b8 | 1683 | speeds[val]=speed; |
1684 | } | |
feccaf7f | 1685 | random_shuffle(nameservers.begin(),nameservers.end()); |
6ed0c28a | 1686 | speedOrderCA so(speeds); |
cc11d7f4 | 1687 | stable_sort(nameservers.begin(),nameservers.end(), so); |
589884b8 | 1688 | |
589884b8 | 1689 | if(doLog()) { |
1690 | LOG(prefix<<"Nameservers: "); | |
cc11d7f4 | 1691 | for(vector<ComboAddress>::const_iterator i=nameservers.cbegin();i!=nameservers.cend();++i) { |
1692 | if(i!=nameservers.cbegin()) { | |
589884b8 | 1693 | LOG(", "); |
cc11d7f4 | 1694 | if(!((i-nameservers.cbegin())%3)) { |
589884b8 | 1695 | LOG(endl<<prefix<<" "); |
1696 | } | |
1697 | } | |
6ed0c28a | 1698 | LOG((wasRd ? string("+") : string("-")) << i->toStringWithPort() <<"(" << (boost::format("%0.2f") % (speeds[*i]/1000.0)).str() <<"ms)"); |
589884b8 | 1699 | } |
1700 | LOG(endl); | |
1701 | } | |
cc11d7f4 | 1702 | return nameservers; |
589884b8 | 1703 | } |
1704 | ||
dbbef467 RG |
1705 | static uint32_t getRRSIGTTL(const time_t now, const std::shared_ptr<RRSIGRecordContent>& rrsig) |
1706 | { | |
1707 | uint32_t res = 0; | |
1708 | if (now < rrsig->d_sigexpire) { | |
1709 | res = static_cast<uint32_t>(rrsig->d_sigexpire) - now; | |
1710 | } | |
1711 | return res; | |
1712 | } | |
1713 | ||
2b984251 RG |
1714 | static const set<uint16_t> nsecTypes = {QType::NSEC, QType::NSEC3}; |
1715 | ||
39ce10b2 PL |
1716 | /* Fills the authoritySOA and DNSSECRecords fields from ne with those found in the records |
1717 | * | |
1718 | * \param records The records to parse for the authority SOA and NSEC(3) records | |
1719 | * \param ne The NegCacheEntry to be filled out (will not be cleared, only appended to | |
1720 | */ | |
dbbef467 | 1721 | static void harvestNXRecords(const vector<DNSRecord>& records, NegCache::NegCacheEntry& ne, const time_t now, uint32_t* lowestTTL) { |
620db2c8 | 1722 | for(const auto& rec : records) { |
39ce10b2 PL |
1723 | if(rec.d_place != DNSResourceRecord::AUTHORITY) |
1724 | // RFC 4035 section 3.1.3. indicates that NSEC records MUST be placed in | |
1725 | // the AUTHORITY section. Section 3.1.1 indicates that that RRSIGs for | |
1726 | // records MUST be in the same section as the records they cover. | |
1727 | // Hence, we ignore all records outside of the AUTHORITY section. | |
1728 | continue; | |
1729 | ||
620db2c8 | 1730 | if(rec.d_type == QType::RRSIG) { |
39ce10b2 PL |
1731 | auto rrsig = getRR<RRSIGRecordContent>(rec); |
1732 | if(rrsig) { | |
1733 | if(rrsig->d_type == QType::SOA) { | |
1734 | ne.authoritySOA.signatures.push_back(rec); | |
dbbef467 RG |
1735 | if (lowestTTL && isRRSIGNotExpired(now, rrsig)) { |
1736 | *lowestTTL = min(*lowestTTL, rec.d_ttl); | |
1737 | *lowestTTL = min(*lowestTTL, getRRSIGTTL(now, rrsig)); | |
1738 | } | |
39ce10b2 PL |
1739 | } |
1740 | if(nsecTypes.count(rrsig->d_type)) { | |
1741 | ne.DNSSECRecords.signatures.push_back(rec); | |
dbbef467 RG |
1742 | if (lowestTTL && isRRSIGNotExpired(now, rrsig)) { |
1743 | *lowestTTL = min(*lowestTTL, rec.d_ttl); | |
1744 | *lowestTTL = min(*lowestTTL, getRRSIGTTL(now, rrsig)); | |
1745 | } | |
39ce10b2 PL |
1746 | } |
1747 | } | |
1748 | continue; | |
1749 | } | |
1750 | if(rec.d_type == QType::SOA) { | |
1751 | ne.authoritySOA.records.push_back(rec); | |
dbbef467 RG |
1752 | if (lowestTTL) { |
1753 | *lowestTTL = min(*lowestTTL, rec.d_ttl); | |
1754 | } | |
39ce10b2 PL |
1755 | continue; |
1756 | } | |
1757 | if(nsecTypes.count(rec.d_type)) { | |
1758 | ne.DNSSECRecords.records.push_back(rec); | |
dbbef467 RG |
1759 | if (lowestTTL) { |
1760 | *lowestTTL = min(*lowestTTL, rec.d_ttl); | |
1761 | } | |
39ce10b2 | 1762 | continue; |
620db2c8 | 1763 | } |
620db2c8 | 1764 | } |
620db2c8 | 1765 | } |
1766 | ||
4d2be65d RG |
1767 | static cspmap_t harvestCSPFromNE(const NegCache::NegCacheEntry& ne) |
1768 | { | |
1769 | cspmap_t cspmap; | |
1770 | for(const auto& rec : ne.DNSSECRecords.signatures) { | |
1771 | if(rec.d_type == QType::RRSIG) { | |
1772 | auto rrc = getRR<RRSIGRecordContent>(rec); | |
1773 | if (rrc) { | |
1774 | cspmap[{rec.d_name,rrc->d_type}].signatures.push_back(rrc); | |
1775 | } | |
1776 | } | |
1777 | } | |
1778 | for(const auto& rec : ne.DNSSECRecords.records) { | |
c1e7b833 | 1779 | cspmap[{rec.d_name, rec.d_type}].records.insert(rec.d_content); |
4d2be65d RG |
1780 | } |
1781 | return cspmap; | |
1782 | } | |
1783 | ||
39ce10b2 PL |
1784 | // TODO remove after processRecords is fixed! |
1785 | // Adds the RRSIG for the SOA and the NSEC(3) + RRSIGs to ret | |
620db2c8 | 1786 | static void addNXNSECS(vector<DNSRecord>&ret, const vector<DNSRecord>& records) |
1787 | { | |
39ce10b2 | 1788 | NegCache::NegCacheEntry ne; |
dbbef467 | 1789 | harvestNXRecords(records, ne, 0, nullptr); |
39ce10b2 PL |
1790 | ret.insert(ret.end(), ne.authoritySOA.signatures.begin(), ne.authoritySOA.signatures.end()); |
1791 | ret.insert(ret.end(), ne.DNSSECRecords.records.begin(), ne.DNSSECRecords.records.end()); | |
1792 | ret.insert(ret.end(), ne.DNSSECRecords.signatures.begin(), ne.DNSSECRecords.signatures.end()); | |
620db2c8 | 1793 | } |
1794 | ||
69cbdef9 | 1795 | bool SyncRes::nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& nameservers) |
26ca3513 | 1796 | { |
124dd1d4 RG |
1797 | /* we skip RPZ processing if: |
1798 | - it was disabled (d_wantsRPZ is false) ; | |
1799 | - we already got a RPZ hit (d_appliedPolicy.d_type != DNSFilterEngine::PolicyType::None) since | |
1800 | the only way we can get back here is that it was a 'pass-thru' (NoAction) meaning that we should not | |
1801 | process any further RPZ rules. | |
1802 | */ | |
1803 | if (d_wantsRPZ && d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None) { | |
26ca3513 | 1804 | for (auto const &ns : nameservers) { |
69cbdef9 | 1805 | d_appliedPolicy = dfe.getProcessingPolicy(ns.first, d_discardedPolicies); |
26ca3513 RG |
1806 | if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response |
1807 | LOG(", however nameserver "<<ns.first<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl); | |
1808 | return true; | |
1809 | } | |
1810 | ||
1811 | // Traverse all IP addresses for this NS to see if they have an RPN NSIP policy | |
1812 | for (auto const &address : ns.second.first) { | |
69cbdef9 | 1813 | d_appliedPolicy = dfe.getProcessingPolicy(address, d_discardedPolicies); |
26ca3513 RG |
1814 | if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response |
1815 | LOG(", however nameserver "<<ns.first<<" IP address "<<address.toString()<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl); | |
1816 | return true; | |
1817 | } | |
1818 | } | |
1819 | } | |
1820 | } | |
1821 | return false; | |
1822 | } | |
1823 | ||
69cbdef9 | 1824 | bool SyncRes::nameserverIPBlockedByRPZ(const DNSFilterEngine& dfe, const ComboAddress& remoteIP) |
26ca3513 | 1825 | { |
124dd1d4 RG |
1826 | /* we skip RPZ processing if: |
1827 | - it was disabled (d_wantsRPZ is false) ; | |
1828 | - we already got a RPZ hit (d_appliedPolicy.d_type != DNSFilterEngine::PolicyType::None) since | |
1829 | the only way we can get back here is that it was a 'pass-thru' (NoAction) meaning that we should not | |
1830 | process any further RPZ rules. | |
1831 | */ | |
1832 | if (d_wantsRPZ && d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None) { | |
69cbdef9 | 1833 | d_appliedPolicy = dfe.getProcessingPolicy(remoteIP, d_discardedPolicies); |
26ca3513 RG |
1834 | if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { |
1835 | LOG(" (blocked by RPZ policy '"+(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")+"')"); | |
1836 | return true; | |
1837 | } | |
1838 | } | |
1839 | return false; | |
1840 | } | |
1841 | ||
b9715061 | 1842 | vector<ComboAddress> SyncRes::retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, std::vector<std::pair<DNSName, float>>::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<std::pair<DNSName, float>>& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly) |
26ca3513 RG |
1843 | { |
1844 | vector<ComboAddress> result; | |
1845 | ||
feccaf7f RG |
1846 | if(!tns->first.empty()) { |
1847 | LOG(prefix<<qname<<": Trying to resolve NS '"<<tns->first<< "' ("<<1+tns-rnameservers.begin()<<"/"<<(unsigned int)rnameservers.size()<<")"<<endl); | |
1848 | result = getAddrs(tns->first, depth+2, beenthere, cacheOnly); | |
26ca3513 RG |
1849 | pierceDontQuery=false; |
1850 | } | |
1851 | else { | |
1852 | LOG(prefix<<qname<<": Domain has hardcoded nameserver"); | |
1853 | ||
feccaf7f | 1854 | if(nameservers[tns->first].first.size() > 1) { |
26ca3513 RG |
1855 | LOG("s"); |
1856 | } | |
1857 | LOG(endl); | |
1858 | ||
feccaf7f RG |
1859 | sendRDQuery = nameservers[tns->first].second; |
1860 | result = shuffleForwardSpeed(nameservers[tns->first].first, doLog() ? (prefix+qname.toString()+": ") : string(), sendRDQuery); | |
26ca3513 RG |
1861 | pierceDontQuery=true; |
1862 | } | |
1863 | return result; | |
1864 | } | |
1865 | ||
1866 | bool SyncRes::throttledOrBlocked(const std::string& prefix, const ComboAddress& remoteIP, const DNSName& qname, const QType& qtype, bool pierceDontQuery) | |
1867 | { | |
a712cb56 | 1868 | if(t_sstorage.throttle.shouldThrottle(d_now.tv_sec, boost::make_tuple(remoteIP, "", 0))) { |
26ca3513 RG |
1869 | LOG(prefix<<qname<<": server throttled "<<endl); |
1870 | s_throttledqueries++; d_throttledqueries++; | |
1871 | return true; | |
1872 | } | |
a712cb56 | 1873 | else if(t_sstorage.throttle.shouldThrottle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()))) { |
6dfff36f | 1874 | LOG(prefix<<qname<<": query throttled "<<remoteIP.toString()<<", "<<qname<<"; "<<qtype.getName()<<endl); |
26ca3513 RG |
1875 | s_throttledqueries++; d_throttledqueries++; |
1876 | return true; | |
1877 | } | |
9065eb05 | 1878 | else if(!pierceDontQuery && s_dontQuery && s_dontQuery->match(&remoteIP)) { |
26ca3513 RG |
1879 | LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ", blocked by 'dont-query' setting" << endl); |
1880 | s_dontqueries++; | |
1881 | return true; | |
1882 | } | |
1883 | return false; | |
1884 | } | |
1885 | ||
4d2be65d RG |
1886 | bool SyncRes::validationEnabled() const |
1887 | { | |
8455425c | 1888 | return g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate; |
4d2be65d RG |
1889 | } |
1890 | ||
1891 | uint32_t SyncRes::computeLowestTTD(const std::vector<DNSRecord>& records, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures, uint32_t signaturesTTL) const | |
26ca3513 | 1892 | { |
4d2be65d RG |
1893 | uint32_t lowestTTD = std::numeric_limits<uint32_t>::max(); |
1894 | for(const auto& record : records) | |
1895 | lowestTTD = min(lowestTTD, record.d_ttl); | |
1896 | ||
0c43f455 RG |
1897 | /* even if it was not requested for that request (Process, and neither AD nor DO set), |
1898 | it might be requested at a later time so we need to be careful with the TTL. */ | |
4d2be65d | 1899 | if (validationEnabled() && !signatures.empty()) { |
3cef03e9 | 1900 | /* if we are validating, we don't want to cache records after their signatures expire. */ |
4d2be65d RG |
1901 | /* records TTL are now TTD, let's add 'now' to the signatures lowest TTL */ |
1902 | lowestTTD = min(lowestTTD, static_cast<uint32_t>(signaturesTTL + d_now.tv_sec)); | |
1903 | ||
1904 | for(const auto& sig : signatures) { | |
dbbef467 RG |
1905 | if (isRRSIGNotExpired(d_now.tv_sec, sig)) { |
1906 | // we don't decerement d_sigexpire by 'now' because we actually want a TTD, not a TTL */ | |
4d2be65d RG |
1907 | lowestTTD = min(lowestTTD, static_cast<uint32_t>(sig->d_sigexpire)); |
1908 | } | |
1909 | } | |
1910 | } | |
1911 | ||
1912 | return lowestTTD; | |
1913 | } | |
1914 | ||
1915 | void SyncRes::updateValidationState(vState& state, const vState stateUpdate) | |
1916 | { | |
f715542c | 1917 | LOG(d_prefix<<"validation state was "<<std::string(vStates[state])<<", state update is "<<std::string(vStates[stateUpdate])); |
4d2be65d | 1918 | |
895449a5 RG |
1919 | if (stateUpdate == TA) { |
1920 | state = Secure; | |
4d2be65d RG |
1921 | } |
1922 | else if (stateUpdate == NTA) { | |
1923 | state = Insecure; | |
1924 | } | |
895449a5 RG |
1925 | else if (stateUpdate == Bogus) { |
1926 | state = Bogus; | |
1927 | } | |
1928 | else if (state == Indeterminate) { | |
1929 | state = stateUpdate; | |
1930 | } | |
4d2be65d RG |
1931 | else if (stateUpdate == Insecure) { |
1932 | if (state != Bogus) { | |
1933 | state = Insecure; | |
1934 | } | |
1935 | } | |
f715542c | 1936 | LOG(", validation state is now "<<std::string(vStates[state])<<endl); |
4d2be65d RG |
1937 | } |
1938 | ||
1939 | vState SyncRes::getTA(const DNSName& zone, dsmap_t& ds) | |
1940 | { | |
1941 | auto luaLocal = g_luaconfs.getLocal(); | |
1942 | ||
1943 | if (luaLocal->dsAnchors.empty()) { | |
e77f01d1 | 1944 | LOG(d_prefix<<": No trust anchors configured, everything is Insecure"<<endl); |
4d2be65d RG |
1945 | /* We have no TA, everything is insecure */ |
1946 | return Insecure; | |
1947 | } | |
1948 | ||
1949 | std::string reason; | |
1950 | if (haveNegativeTrustAnchor(luaLocal->negAnchors, zone, reason)) { | |
e77f01d1 | 1951 | LOG(d_prefix<<": got NTA for '"<<zone<<"'"<<endl); |
4d2be65d RG |
1952 | return NTA; |
1953 | } | |
1954 | ||
1955 | if (getTrustAnchor(luaLocal->dsAnchors, zone, ds)) { | |
e77f01d1 | 1956 | LOG(d_prefix<<": got TA for '"<<zone<<"'"<<endl); |
895449a5 | 1957 | return TA; |
4d2be65d | 1958 | } |
e77f01d1 | 1959 | else { |
1960 | LOG(d_prefix<<": no TA found for '"<<zone<<"' among "<< luaLocal->dsAnchors.size()<<endl); | |
1961 | } | |
4d2be65d RG |
1962 | |
1963 | if (zone.isRoot()) { | |
1964 | /* No TA for the root */ | |
1965 | return Insecure; | |
1966 | } | |
1967 | ||
1968 | return Indeterminate; | |
1969 | } | |
1970 | ||
8455425c RG |
1971 | static size_t countSupportedDS(const dsmap_t& dsmap) |
1972 | { | |
1973 | size_t count = 0; | |
1974 | ||
1975 | for (const auto& ds : dsmap) { | |
1976 | if (isSupportedDS(ds)) { | |
1977 | count++; | |
1978 | } | |
1979 | } | |
1980 | ||
1981 | return count; | |
1982 | } | |
1983 | ||
5374b03b | 1984 | vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsigned int depth, bool bogusOnNXD, bool* foundCut) |
4d2be65d RG |
1985 | { |
1986 | vState result = getTA(zone, ds); | |
1987 | ||
1988 | if (result != Indeterminate || taOnly) { | |
5374b03b RG |
1989 | if (foundCut) { |
1990 | *foundCut = (result != Indeterminate); | |
1991 | } | |
1992 | ||
18159e92 RG |
1993 | if (result == TA) { |
1994 | if (countSupportedDS(ds) == 0) { | |
1995 | ds.clear(); | |
1996 | result = Insecure; | |
1997 | } | |
1998 | else { | |
1999 | result = Secure; | |
2000 | } | |
2001 | } | |
2002 | else if (result == NTA) { | |
8455425c RG |
2003 | result = Insecure; |
2004 | } | |
2005 | ||
4d2be65d RG |
2006 | return result; |
2007 | } | |
2008 | ||
2009 | bool oldSkipCNAME = d_skipCNAMECheck; | |
4d2be65d | 2010 | d_skipCNAMECheck = true; |
4d2be65d RG |
2011 | |
2012 | std::set<GetBestNSAnswer> beenthere; | |
2013 | std::vector<DNSRecord> dsrecords; | |
2014 | ||
2015 | vState state = Indeterminate; | |
51b6b728 | 2016 | int rcode = doResolve(zone, QType(QType::DS), dsrecords, depth + 1, beenthere, state); |
4d2be65d | 2017 | d_skipCNAMECheck = oldSkipCNAME; |
4d2be65d | 2018 | |
3ca6d908 | 2019 | if (rcode == RCode::NoError || (rcode == RCode::NXDomain && !bogusOnNXD)) { |
1e332f68 PL |
2020 | uint8_t bestDigestType = 0; |
2021 | ||
dd359a9f RG |
2022 | bool gotCNAME = false; |
2023 | for (const auto& record : dsrecords) { | |
2024 | if (record.d_type == QType::DS) { | |
2025 | const auto dscontent = getRR<DSRecordContent>(record); | |
2026 | if (dscontent && isSupportedDS(*dscontent)) { | |
2027 | // Make GOST a lower prio than SHA256 | |
690b86b7 | 2028 | if (dscontent->d_digesttype == DNSSECKeeper::DIGEST_GOST && bestDigestType == DNSSECKeeper::DIGEST_SHA256) { |
dd359a9f | 2029 | continue; |
4d2be65d | 2030 | } |
690b86b7 | 2031 | if (dscontent->d_digesttype > bestDigestType || (bestDigestType == DNSSECKeeper::DIGEST_GOST && dscontent->d_digesttype == DNSSECKeeper::DIGEST_SHA256)) { |
dd359a9f RG |
2032 | bestDigestType = dscontent->d_digesttype; |
2033 | } | |
2034 | ds.insert(*dscontent); | |
1c39e884 | 2035 | } |
4d2be65d | 2036 | } |
dd359a9f RG |
2037 | else if (record.d_type == QType::CNAME && record.d_name == zone) { |
2038 | gotCNAME = true; | |
2039 | } | |
2040 | } | |
4d2be65d | 2041 | |
dd359a9f RG |
2042 | /* RFC 4509 section 3: "Validator implementations SHOULD ignore DS RRs containing SHA-1 |
2043 | * digests if DS RRs with SHA-256 digests are present in the DS RRset." | |
2044 | * As SHA348 is specified as well, the spirit of the this line is "use the best algorithm". | |
2045 | */ | |
2046 | for (auto dsrec = ds.begin(); dsrec != ds.end(); ) { | |
2047 | if (dsrec->d_digesttype != bestDigestType) { | |
2048 | dsrec = ds.erase(dsrec); | |
1e332f68 | 2049 | } |
dd359a9f RG |
2050 | else { |
2051 | ++dsrec; | |
2052 | } | |
2053 | } | |
1e332f68 | 2054 | |
dd359a9f RG |
2055 | if (rcode == RCode::NoError) { |
2056 | if (ds.empty()) { | |
46df9251 RG |
2057 | /* we have no DS, it's either: |
2058 | - a delegation to a non-DNSSEC signed zone | |
2059 | - no delegation, we stay in the same zone | |
2060 | */ | |
dd359a9f RG |
2061 | if (gotCNAME || denialProvesNoDelegation(zone, dsrecords)) { |
2062 | /* we are still inside the same zone */ | |
5374b03b | 2063 | |
dd359a9f | 2064 | if (foundCut) { |
5374b03b | 2065 | *foundCut = false; |
5374b03b | 2066 | } |
dd359a9f RG |
2067 | return state; |
2068 | } | |
5374b03b | 2069 | |
dd359a9f RG |
2070 | /* delegation with no DS, might be Secure -> Insecure */ |
2071 | if (foundCut) { | |
5374b03b RG |
2072 | *foundCut = true; |
2073 | } | |
2074 | ||
46df9251 RG |
2075 | /* a delegation with no DS is either: |
2076 | - a signed zone (Secure) to an unsigned one (Insecure) | |
2077 | - an unsigned zone to another unsigned one (Insecure stays Insecure, Bogus stays Bogus) | |
2078 | */ | |
dd359a9f RG |
2079 | return state == Secure ? Insecure : state; |
2080 | } else { | |
2081 | /* we have a DS */ | |
2082 | if (foundCut) { | |
2083 | *foundCut = true; | |
2084 | } | |
b7f378d1 | 2085 | } |
4d2be65d | 2086 | } |
b7f378d1 | 2087 | |
4d2be65d RG |
2088 | return state; |
2089 | } | |
2090 | ||
bcb05770 | 2091 | LOG(d_prefix<<": returning Bogus state from "<<__func__<<"("<<zone<<")"<<endl); |
4d2be65d RG |
2092 | return Bogus; |
2093 | } | |
2094 | ||
0735b60f RG |
2095 | bool SyncRes::haveExactValidationStatus(const DNSName& domain) |
2096 | { | |
e1636f82 | 2097 | if (!shouldValidate()) { |
0735b60f RG |
2098 | return false; |
2099 | } | |
2100 | const auto& it = d_cutStates.find(domain); | |
2101 | if (it != d_cutStates.cend()) { | |
2102 | return true; | |
2103 | } | |
2104 | return false; | |
2105 | } | |
2106 | ||
5374b03b | 2107 | vState SyncRes::getValidationStatus(const DNSName& subdomain, bool allowIndeterminate) |
70b3fe7a RG |
2108 | { |
2109 | vState result = Indeterminate; | |
2110 | ||
e1636f82 | 2111 | if (!shouldValidate()) { |
70b3fe7a RG |
2112 | return result; |
2113 | } | |
2114 | DNSName name(subdomain); | |
2115 | do { | |
51b6b728 RG |
2116 | const auto& it = d_cutStates.find(name); |
2117 | if (it != d_cutStates.cend()) { | |
5374b03b RG |
2118 | if (allowIndeterminate || it->second != Indeterminate) { |
2119 | LOG(d_prefix<<": got status "<<vStates[it->second]<<" for name "<<subdomain<<" (from "<<name<<")"<<endl); | |
2120 | return it->second; | |
2121 | } | |
70b3fe7a RG |
2122 | } |
2123 | } | |
2124 | while (name.chopOff()); | |
2125 | ||
2126 | return result; | |
2127 | } | |
2128 | ||
c405e222 RG |
2129 | bool SyncRes::lookForCut(const DNSName& qname, unsigned int depth, const vState existingState, vState& newState) |
2130 | { | |
2131 | bool foundCut = false; | |
5374b03b RG |
2132 | dsmap_t ds; |
2133 | vState dsState = getDSRecords(qname, ds, newState == Bogus || existingState == Insecure || existingState == Bogus, depth, false, &foundCut); | |
c405e222 | 2134 | |
5374b03b RG |
2135 | if (dsState != Indeterminate) { |
2136 | newState = dsState; | |
2137 | } | |
c405e222 | 2138 | |
c405e222 RG |
2139 | return foundCut; |
2140 | } | |
2141 | ||
51b6b728 | 2142 | void SyncRes::computeZoneCuts(const DNSName& begin, const DNSName& end, unsigned int depth) |
4d2be65d | 2143 | { |
428f41b7 | 2144 | if(!begin.isPartOf(end)) { |
86f1af1c KM |
2145 | LOG(d_prefix<<" "<<begin.toLogString()<<" is not part of "<<end.toLogString()<<endl); |
2146 | throw PDNSException(begin.toLogString() + " is not part of " + end.toLogString()); | |
428f41b7 RG |
2147 | } |
2148 | ||
51b6b728 | 2149 | if (d_cutStates.count(begin) != 0) { |
ad75fdbd | 2150 | return; |
4d2be65d RG |
2151 | } |
2152 | ||
0eb07f3a OM |
2153 | const bool oldCacheOnly = setCacheOnly(false); |
2154 | ||
4d2be65d | 2155 | dsmap_t ds; |
51b6b728 | 2156 | vState cutState = getDSRecords(end, ds, false, depth); |
bcb05770 | 2157 | LOG(d_prefix<<": setting cut state for "<<end<<" to "<<vStates[cutState]<<endl); |
51b6b728 | 2158 | d_cutStates[end] = cutState; |
70b3fe7a | 2159 | |
e1636f82 | 2160 | if (!shouldValidate()) { |
0eb07f3a | 2161 | setCacheOnly(oldCacheOnly); |
ad75fdbd | 2162 | return; |
70b3fe7a RG |
2163 | } |
2164 | ||
70b3fe7a RG |
2165 | DNSName qname(end); |
2166 | std::vector<string> labelsToAdd = begin.makeRelative(end).getRawLabels(); | |
2167 | ||
ad75fdbd | 2168 | bool oldSkipCNAME = d_skipCNAMECheck; |
ad75fdbd | 2169 | d_skipCNAMECheck = true; |
ad75fdbd | 2170 | |
70b3fe7a | 2171 | while(qname != begin) { |
70b3fe7a RG |
2172 | if (labelsToAdd.empty()) |
2173 | break; | |
2174 | ||
2175 | qname.prependRawLabel(labelsToAdd.back()); | |
2176 | labelsToAdd.pop_back(); | |
bcb05770 RG |
2177 | LOG(d_prefix<<": - Looking for a cut at "<<qname<<endl); |
2178 | ||
2179 | const auto cutIt = d_cutStates.find(qname); | |
2180 | if (cutIt != d_cutStates.cend()) { | |
2181 | if (cutIt->second != Indeterminate) { | |
2182 | LOG(d_prefix<<": - Cut already known at "<<qname<<endl); | |
3d4e836e | 2183 | cutState = cutIt->second; |
bcb05770 RG |
2184 | continue; |
2185 | } | |
2186 | } | |
70b3fe7a | 2187 | |
3d4e836e RG |
2188 | /* no need to look for NS and DS if we are already insecure or bogus, |
2189 | just look for (N)TA | |
2190 | */ | |
2191 | if (cutState == Insecure || cutState == Bogus) { | |
2010ac95 RG |
2192 | dsmap_t cutDS; |
2193 | vState newState = getDSRecords(qname, cutDS, true, depth); | |
3d4e836e RG |
2194 | if (newState == Indeterminate) { |
2195 | continue; | |
2196 | } | |
2197 | ||
2198 | LOG(d_prefix<<": New state for "<<qname<<" is "<<vStates[newState]<<endl); | |
3d4e836e RG |
2199 | cutState = newState; |
2200 | ||
2201 | d_cutStates[qname] = cutState; | |
2202 | ||
2203 | continue; | |
2204 | } | |
70b3fe7a | 2205 | |
c405e222 | 2206 | vState newState = Indeterminate; |
428f41b7 RG |
2207 | /* temporarily mark as Indeterminate, so that we won't enter an endless loop |
2208 | trying to determine that zone cut again. */ | |
c405e222 RG |
2209 | d_cutStates[qname] = newState; |
2210 | bool foundCut = lookForCut(qname, depth + 1, cutState, newState); | |
2211 | if (foundCut) { | |
2212 | LOG(d_prefix<<": - Found cut at "<<qname<<endl); | |
2213 | if (newState != Indeterminate) { | |
2214 | cutState = newState; | |
70b3fe7a | 2215 | } |
c405e222 RG |
2216 | LOG(d_prefix<<": New state for "<<qname<<" is "<<vStates[cutState]<<endl); |
2217 | d_cutStates[qname] = cutState; | |
70b3fe7a | 2218 | } |
c405e222 | 2219 | else { |
428f41b7 | 2220 | /* remove the temporary cut */ |
b25712fd | 2221 | LOG(d_prefix<<qname<<": removing cut state for "<<qname<<endl); |
51b6b728 | 2222 | d_cutStates.erase(qname); |
428f41b7 | 2223 | } |
70b3fe7a RG |
2224 | } |
2225 | ||
ad75fdbd | 2226 | d_skipCNAMECheck = oldSkipCNAME; |
ad75fdbd | 2227 | |
bcb05770 | 2228 | LOG(d_prefix<<": list of cuts from "<<begin<<" to "<<end<<endl); |
51b6b728 | 2229 | for (const auto& cut : d_cutStates) { |
bcb05770 | 2230 | if (cut.first.isRoot() || (begin.isPartOf(cut.first) && cut.first.isPartOf(end))) { |
51b6b728 RG |
2231 | LOG(" - "<<cut.first<<": "<<vStates[cut.second]<<endl); |
2232 | } | |
70b3fe7a | 2233 | } |
0eb07f3a | 2234 | setCacheOnly(oldCacheOnly); |
4d2be65d RG |
2235 | } |
2236 | ||
51b6b728 | 2237 | vState SyncRes::validateDNSKeys(const DNSName& zone, const std::vector<DNSRecord>& dnskeys, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures, unsigned int depth) |
4d2be65d RG |
2238 | { |
2239 | dsmap_t ds; | |
2240 | if (!signatures.empty()) { | |
2241 | DNSName signer = getSigner(signatures); | |
2242 | ||
8d2e7fa1 | 2243 | if (!signer.empty() && zone.isPartOf(signer)) { |
51b6b728 | 2244 | vState state = getDSRecords(signer, ds, false, depth); |
b7f378d1 | 2245 | |
4d2be65d RG |
2246 | if (state != Secure) { |
2247 | return state; | |
2248 | } | |
2249 | } | |
2250 | } | |
2251 | ||
2252 | skeyset_t tentativeKeys; | |
c1e7b833 | 2253 | sortedRecords_t toSign; |
4d2be65d RG |
2254 | |
2255 | for (const auto& dnskey : dnskeys) { | |
2256 | if (dnskey.d_type == QType::DNSKEY) { | |
2257 | auto content = getRR<DNSKEYRecordContent>(dnskey); | |
2258 | if (content) { | |
2259 | tentativeKeys.insert(content); | |
c1e7b833 | 2260 | toSign.insert(content); |
4d2be65d RG |
2261 | } |
2262 | } | |
2263 | } | |
2264 | ||
bcb05770 | 2265 | LOG(d_prefix<<": trying to validate "<<std::to_string(tentativeKeys.size())<<" DNSKEYs with "<<std::to_string(ds.size())<<" DS"<<endl); |
4d2be65d RG |
2266 | skeyset_t validatedKeys; |
2267 | validateDNSKeysAgainstDS(d_now.tv_sec, zone, ds, tentativeKeys, toSign, signatures, validatedKeys); | |
2268 | ||
bcb05770 | 2269 | LOG(d_prefix<<": we now have "<<std::to_string(validatedKeys.size())<<" DNSKEYs"<<endl); |
4d2be65d | 2270 | |
82fbd934 RG |
2271 | /* if we found at least one valid RRSIG covering the set, |
2272 | all tentative keys are validated keys. Otherwise it means | |
2273 | we haven't found at least one DNSKEY and a matching RRSIG | |
2274 | covering this set, this looks Bogus. */ | |
4d2be65d | 2275 | if (validatedKeys.size() != tentativeKeys.size()) { |
bcb05770 | 2276 | LOG(d_prefix<<": returning Bogus state from "<<__func__<<"("<<zone<<")"<<endl); |
4d2be65d RG |
2277 | return Bogus; |
2278 | } | |
2279 | ||
2280 | return Secure; | |
2281 | } | |
2282 | ||
51b6b728 | 2283 | vState SyncRes::getDNSKeys(const DNSName& signer, skeyset_t& keys, unsigned int depth) |
4d2be65d RG |
2284 | { |
2285 | std::vector<DNSRecord> records; | |
2286 | std::set<GetBestNSAnswer> beenthere; | |
bcb05770 | 2287 | LOG(d_prefix<<"Retrieving DNSKeys for "<<signer<<endl); |
4d2be65d RG |
2288 | |
2289 | vState state = Indeterminate; | |
c7385ddb RG |
2290 | /* following CNAME might lead to us to the wrong DNSKEY */ |
2291 | bool oldSkipCNAME = d_skipCNAMECheck; | |
2292 | d_skipCNAMECheck = true; | |
51b6b728 | 2293 | int rcode = doResolve(signer, QType(QType::DNSKEY), records, depth + 1, beenthere, state); |
c7385ddb | 2294 | d_skipCNAMECheck = oldSkipCNAME; |
4d2be65d RG |
2295 | |
2296 | if (rcode == RCode::NoError) { | |
2297 | if (state == Secure) { | |
2298 | for (const auto& key : records) { | |
2299 | if (key.d_type == QType::DNSKEY) { | |
2300 | auto content = getRR<DNSKEYRecordContent>(key); | |
2301 | if (content) { | |
2302 | keys.insert(content); | |
2303 | } | |
2304 | } | |
2305 | } | |
2306 | } | |
bcb05770 | 2307 | LOG(d_prefix<<"Retrieved "<<keys.size()<<" DNSKeys for "<<signer<<", state is "<<vStates[state]<<endl); |
4d2be65d RG |
2308 | return state; |
2309 | } | |
2310 | ||
bcb05770 | 2311 | LOG(d_prefix<<"Returning Bogus state from "<<__func__<<"("<<signer<<")"<<endl); |
4d2be65d RG |
2312 | return Bogus; |
2313 | } | |
2314 | ||
51b6b728 | 2315 | vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname, const QType& qtype, const DNSName& name, const std::vector<DNSRecord>& records, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures) |
4d2be65d RG |
2316 | { |
2317 | skeyset_t keys; | |
2318 | if (!signatures.empty()) { | |
2319 | const DNSName signer = getSigner(signatures); | |
2320 | if (!signer.empty() && name.isPartOf(signer)) { | |
f715542c | 2321 | if ((qtype == QType::DNSKEY || qtype == QType::DS) && signer == qname) { |
15f44f1d | 2322 | /* we are already retrieving those keys, sorry */ |
dd359a9f RG |
2323 | if (qtype == QType::DS) { |
2324 | /* something is very wrong */ | |
2325 | LOG(d_prefix<<"The DS for "<<qname<<" is signed by itself, going Bogus"<<endl); | |
2326 | return Bogus; | |
2327 | } | |
15f44f1d RG |
2328 | return Indeterminate; |
2329 | } | |
51b6b728 | 2330 | vState state = getDNSKeys(signer, keys, depth); |
4d2be65d RG |
2331 | if (state != Secure) { |
2332 | return state; | |
2333 | } | |
2334 | } | |
2335 | } else { | |
bcb05770 | 2336 | LOG(d_prefix<<"Bogus!"<<endl); |
4d2be65d RG |
2337 | return Bogus; |
2338 | } | |
2339 | ||
c1e7b833 | 2340 | sortedRecords_t recordcontents; |
4d2be65d | 2341 | for (const auto& record : records) { |
c1e7b833 | 2342 | recordcontents.insert(record.d_content); |
4d2be65d RG |
2343 | } |
2344 | ||
bcb05770 | 2345 | LOG(d_prefix<<"Going to validate "<<recordcontents.size()<< " record contents with "<<signatures.size()<<" sigs and "<<keys.size()<<" keys for "<<name<<endl); |
4d2be65d | 2346 | if (validateWithKeySet(d_now.tv_sec, name, recordcontents, signatures, keys, false)) { |
bcb05770 | 2347 | LOG(d_prefix<<"Secure!"<<endl); |
4d2be65d RG |
2348 | return Secure; |
2349 | } | |
2350 | ||
bcb05770 | 2351 | LOG(d_prefix<<"Bogus!"<<endl); |
4d2be65d RG |
2352 | return Bogus; |
2353 | } | |
2354 | ||
7155c3e5 RG |
2355 | static bool allowAdditionalEntry(std::unordered_set<DNSName>& allowedAdditionals, const DNSRecord& rec) |
2356 | { | |
2357 | switch(rec.d_type) { | |
2358 | case QType::MX: | |
2359 | { | |
2360 | if (auto mxContent = getRR<MXRecordContent>(rec)) { | |
2361 | allowedAdditionals.insert(mxContent->d_mxname); | |
2362 | } | |
2363 | return true; | |
2364 | } | |
2365 | case QType::NS: | |
2366 | { | |
2367 | if (auto nsContent = getRR<NSRecordContent>(rec)) { | |
2368 | allowedAdditionals.insert(nsContent->getNS()); | |
2369 | } | |
2370 | return true; | |
2371 | } | |
2372 | case QType::SRV: | |
2373 | { | |
2374 | if (auto srvContent = getRR<SRVRecordContent>(rec)) { | |
2375 | allowedAdditionals.insert(srvContent->d_target); | |
2376 | } | |
2377 | return true; | |
2378 | } | |
2379 | default: | |
2380 | return false; | |
2381 | } | |
2382 | } | |
2383 | ||
2384 | void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, bool rdQuery) | |
2385 | { | |
2386 | const bool wasForwardRecurse = wasForwarded && rdQuery; | |
2387 | /* list of names for which we will allow A and AAAA records in the additional section | |
2388 | to remain */ | |
2389 | std::unordered_set<DNSName> allowedAdditionals = { qname }; | |
2390 | bool haveAnswers = false; | |
2391 | bool isNXDomain = false; | |
2392 | bool isNXQType = false; | |
2393 | ||
2394 | for(auto rec = lwr.d_records.begin(); rec != lwr.d_records.end(); ) { | |
2395 | ||
2396 | if (rec->d_type == QType::OPT) { | |
2397 | ++rec; | |
2398 | continue; | |
2399 | } | |
2400 | ||
2401 | if (rec->d_class != QClass::IN) { | |
2402 | LOG(prefix<<"Removing non internet-classed data received from "<<auth<<endl); | |
2403 | rec = lwr.d_records.erase(rec); | |
2404 | continue; | |
2405 | } | |
2406 | ||
2407 | if (rec->d_type == QType::ANY) { | |
2408 | LOG(prefix<<"Removing 'ANY'-typed data received from "<<auth<<endl); | |
2409 | rec = lwr.d_records.erase(rec); | |
2410 | continue; | |
2411 | } | |
2412 | ||
2413 | if (!rec->d_name.isPartOf(auth)) { | |
2414 | LOG(prefix<<"Removing record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2415 | rec = lwr.d_records.erase(rec); | |
2416 | continue; | |
2417 | } | |
2418 | ||
2419 | /* dealing with the records in answer */ | |
2420 | if (!(lwr.d_aabit || wasForwardRecurse) && rec->d_place == DNSResourceRecord::ANSWER) { | |
9870af40 RG |
2421 | /* for now we allow a CNAME for the exact qname in ANSWER with AA=0, because Amazon DNS servers |
2422 | are sending such responses */ | |
2423 | if (!(rec->d_type == QType::CNAME && qname == rec->d_name)) { | |
2424 | LOG(prefix<<"Removing record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the answer section without the AA bit set received from "<<auth<<endl); | |
2425 | rec = lwr.d_records.erase(rec); | |
2426 | continue; | |
2427 | } | |
7155c3e5 RG |
2428 | } |
2429 | ||
2430 | if (rec->d_type == QType::DNAME && (rec->d_place != DNSResourceRecord::ANSWER || !qname.isPartOf(rec->d_name))) { | |
2431 | LOG(prefix<<"Removing invalid DNAME record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2432 | rec = lwr.d_records.erase(rec); | |
2433 | continue; | |
2434 | } | |
2435 | ||
123da0f8 | 2436 | if (rec->d_place == DNSResourceRecord::ANSWER && (qtype != QType::ANY && rec->d_type != qtype.getCode() && s_redirectionQTypes.count(rec->d_type) == 0 && rec->d_type != QType::SOA && rec->d_type != QType::RRSIG)) { |
7155c3e5 RG |
2437 | LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); |
2438 | rec = lwr.d_records.erase(rec); | |
2439 | continue; | |
2440 | } | |
2441 | ||
2442 | if (rec->d_place == DNSResourceRecord::ANSWER && !haveAnswers) { | |
2443 | haveAnswers = true; | |
2444 | } | |
2445 | ||
2446 | if (rec->d_place == DNSResourceRecord::ANSWER) { | |
2447 | allowAdditionalEntry(allowedAdditionals, *rec); | |
2448 | } | |
2449 | ||
2450 | /* dealing with the records in authority */ | |
2451 | if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type != QType::NS && rec->d_type != QType::DS && rec->d_type != QType::SOA && rec->d_type != QType::RRSIG && rec->d_type != QType::NSEC && rec->d_type != QType::NSEC3) { | |
2452 | LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2453 | rec = lwr.d_records.erase(rec); | |
2454 | continue; | |
2455 | } | |
2456 | ||
2457 | if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type == QType::SOA) { | |
2458 | if (!qname.isPartOf(rec->d_name)) { | |
2459 | LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2460 | rec = lwr.d_records.erase(rec); | |
2461 | continue; | |
2462 | } | |
2463 | ||
215c16f9 RG |
2464 | if (!(lwr.d_aabit || wasForwardRecurse)) { |
2465 | LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2466 | rec = lwr.d_records.erase(rec); | |
2467 | continue; | |
2468 | } | |
2469 | ||
7155c3e5 RG |
2470 | if (!haveAnswers) { |
2471 | if (lwr.d_rcode == RCode::NXDomain) { | |
2472 | isNXDomain = true; | |
2473 | } | |
2474 | else if (lwr.d_rcode == RCode::NoError) { | |
2475 | isNXQType = true; | |
2476 | } | |
2477 | } | |
2478 | } | |
2479 | ||
2480 | if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type == QType::NS && (isNXDomain || isNXQType)) { | |
2481 | /* we don't want to pick up NS records in AUTHORITY or ADDITIONAL sections of NXDomain answers | |
2482 | because they are somewhat easy to insert into a large, fragmented UDP response | |
1bb97c02 | 2483 | for an off-path attacker by injecting spoofed UDP fragments. |
7155c3e5 RG |
2484 | */ |
2485 | LOG(prefix<<"Removing NS record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section of a "<<(isNXDomain ? "NXD" : "NXQTYPE")<<" response received from "<<auth<<endl); | |
2486 | rec = lwr.d_records.erase(rec); | |
1bb97c02 | 2487 | continue; |
7155c3e5 RG |
2488 | } |
2489 | ||
2490 | if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type == QType::NS) { | |
2491 | allowAdditionalEntry(allowedAdditionals, *rec); | |
2492 | } | |
2493 | ||
2494 | /* dealing with the records in additional */ | |
2495 | if (rec->d_place == DNSResourceRecord::ADDITIONAL && rec->d_type != QType::A && rec->d_type != QType::AAAA && rec->d_type != QType::RRSIG) { | |
2496 | LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2497 | rec = lwr.d_records.erase(rec); | |
2498 | continue; | |
2499 | } | |
2500 | ||
2501 | if (rec->d_place == DNSResourceRecord::ADDITIONAL && allowedAdditionals.count(rec->d_name) == 0) { | |
2502 | LOG(prefix<<"Removing irrelevant additional record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2503 | rec = lwr.d_records.erase(rec); | |
2504 | continue; | |
2505 | } | |
2506 | ||
2507 | ++rec; | |
2508 | } | |
2509 | } | |
2510 | ||
78cdf520 | 2511 | RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, bool& gatherWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery) |
4d2be65d | 2512 | { |
ba40d3d7 | 2513 | bool wasForwardRecurse = wasForwarded && rdQuery; |
26ca3513 RG |
2514 | tcache_t tcache; |
2515 | ||
4d2be65d RG |
2516 | string prefix; |
2517 | if(doLog()) { | |
2518 | prefix=d_prefix; | |
2519 | prefix.append(depth, ' '); | |
2520 | } | |
2521 | ||
7155c3e5 RG |
2522 | sanitizeRecords(prefix, lwr, qname, qtype, auth, wasForwarded, rdQuery); |
2523 | ||
2b984251 | 2524 | std::vector<std::shared_ptr<DNSRecord>> authorityRecs; |
142ab370 | 2525 | const unsigned int labelCount = qname.countLabels(); |
a82d4e27 | 2526 | bool isCNAMEAnswer = false; |
8838c88f | 2527 | bool isDNAMEAnswer = false; |
26ca3513 | 2528 | for(const auto& rec : lwr.d_records) { |
c5310862 RG |
2529 | if (rec.d_class != QClass::IN) { |
2530 | continue; | |
2531 | } | |
2532 | ||
d30b5493 | 2533 | if(!isCNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname && !isDNAMEAnswer) { |
a82d4e27 RG |
2534 | isCNAMEAnswer = true; |
2535 | } | |
d30b5493 | 2536 | if(!isDNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::DNAME && qtype != QType(QType::DNAME) && qname.isPartOf(rec.d_name)) { |
8838c88f | 2537 | isDNAMEAnswer = true; |
d30b5493 | 2538 | isCNAMEAnswer = false; |
8838c88f | 2539 | } |
a82d4e27 | 2540 | |
9b061cf5 RG |
2541 | /* if we have a positive answer synthetized from a wildcard, |
2542 | we need to store the corresponding NSEC/NSEC3 records proving | |
2543 | that the exact name did not exist in the negative cache */ | |
78cdf520 | 2544 | if(gatherWildcardProof) { |
2b984251 RG |
2545 | if (nsecTypes.count(rec.d_type)) { |
2546 | authorityRecs.push_back(std::make_shared<DNSRecord>(rec)); | |
2547 | } | |
2548 | else if (rec.d_type == QType::RRSIG) { | |
2549 | auto rrsig = getRR<RRSIGRecordContent>(rec); | |
2550 | if (rrsig && nsecTypes.count(rrsig->d_type)) { | |
2551 | authorityRecs.push_back(std::make_shared<DNSRecord>(rec)); | |
2552 | } | |
2553 | } | |
2554 | } | |
26ca3513 RG |
2555 | if(rec.d_type == QType::RRSIG) { |
2556 | auto rrsig = getRR<RRSIGRecordContent>(rec); | |
2557 | if (rrsig) { | |
bb07ad8e RG |
2558 | /* As illustrated in rfc4035's Appendix B.6, the RRSIG label |
2559 | count can be lower than the name's label count if it was | |
9b061cf5 | 2560 | synthetized from the wildcard. Note that the difference might |
bb07ad8e | 2561 | be > 1. */ |
78cdf520 RG |
2562 | if (rec.d_name == qname && isWildcardExpanded(labelCount, rrsig)) { |
2563 | gatherWildcardProof = true; | |
2564 | if (!isWildcardExpandedOntoItself(rec.d_name, labelCount, rrsig)) { | |
2565 | /* if we have a wildcard expanded onto itself, we don't need to prove | |
2566 | that the exact name doesn't exist because it actually does. | |
2567 | We still want to gather the corresponding NSEC/NSEC3 records | |
2568 | to pass them to our client in case it wants to validate by itself. | |
2569 | */ | |
2570 | LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard, we need a wildcard proof"<<endl); | |
2571 | needWildcardProof = true; | |
2572 | } | |
2573 | else { | |
2574 | LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard expanded onto itself, we need to gather wildcard proof"<<endl); | |
2575 | } | |
e4894ce0 | 2576 | wildcardLabelsCount = rrsig->d_labels; |
2b984251 RG |
2577 | } |
2578 | ||
26ca3513 RG |
2579 | // cerr<<"Got an RRSIG for "<<DNSRecordContent::NumberToType(rrsig->d_type)<<" with name '"<<rec.d_name<<"'"<<endl; |
2580 | tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signatures.push_back(rrsig); | |
4d2be65d | 2581 | tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signaturesTTL = std::min(tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signaturesTTL, rec.d_ttl); |
26ca3513 RG |
2582 | } |
2583 | } | |
2584 | } | |
2585 | ||
2586 | // reap all answers from this packet that are acceptable | |
2587 | for(auto& rec : lwr.d_records) { | |
2588 | if(rec.d_type == QType::OPT) { | |
2589 | LOG(prefix<<qname<<": OPT answer '"<<rec.d_name<<"' from '"<<auth<<"' nameservers" <<endl); | |
2590 | continue; | |
2591 | } | |
e77f01d1 | 2592 | LOG(prefix<<qname<<": accept answer '"<<rec.d_name<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"|"<<rec.d_content->getZoneRepresentation()<<"' from '"<<auth<<"' nameservers? ttl="<<rec.d_ttl<<", place="<<(int)rec.d_place<<" "); |
26ca3513 | 2593 | if(rec.d_type == QType::ANY) { |
c5310862 RG |
2594 | LOG("NO! - we don't accept 'ANY'-typed data"<<endl); |
2595 | continue; | |
2596 | } | |
2597 | ||
2598 | if(rec.d_class != QClass::IN) { | |
2599 | LOG("NO! - we don't accept records for any other class than 'IN'"<<endl); | |
26ca3513 RG |
2600 | continue; |
2601 | } | |
2602 | ||
70ea0c65 | 2603 | if (!(lwr.d_aabit || wasForwardRecurse) && rec.d_place == DNSResourceRecord::ANSWER) { |
9870af40 RG |
2604 | /* for now we allow a CNAME for the exact qname in ANSWER with AA=0, because Amazon DNS servers |
2605 | are sending such responses */ | |
2606 | if (!(rec.d_type == QType::CNAME && rec.d_name == qname)) { | |
2607 | LOG("NO! - we don't accept records in the answers section without the AA bit set"<<endl); | |
2608 | continue; | |
2609 | } | |
70ea0c65 RG |
2610 | } |
2611 | ||
26ca3513 RG |
2612 | if(rec.d_name.isPartOf(auth)) { |
2613 | if(rec.d_type == QType::RRSIG) { | |
2614 | LOG("RRSIG - separate"<<endl); | |
2615 | } | |
4d2be65d | 2616 | else if(lwr.d_aabit && lwr.d_rcode==RCode::NoError && rec.d_place==DNSResourceRecord::ANSWER && ((rec.d_type != QType::DNSKEY && rec.d_type != QType::DS) || rec.d_name != auth) && s_delegationOnly.count(auth)) { |
26ca3513 RG |
2617 | LOG("NO! Is from delegation-only zone"<<endl); |
2618 | s_nodelegated++; | |
2619 | return RCode::NXDomain; | |
2620 | } | |
2621 | else { | |
2622 | bool haveLogged = false; | |
d30b5493 PL |
2623 | if (isDNAMEAnswer && rec.d_type == QType::CNAME) { |
2624 | LOG("NO - we already have a DNAME answer for this domain"); | |
2625 | continue; | |
2626 | } | |
a712cb56 | 2627 | if (!t_sstorage.domainmap->empty()) { |
26ca3513 RG |
2628 | // Check if we are authoritative for a zone in this answer |
2629 | DNSName tmp_qname(rec.d_name); | |
2630 | auto auth_domain_iter=getBestAuthZone(&tmp_qname); | |
a712cb56 | 2631 | if(auth_domain_iter!=t_sstorage.domainmap->end() && |
26ca3513 RG |
2632 | auth.countLabels() <= auth_domain_iter->first.countLabels()) { |
2633 | if (auth_domain_iter->first != auth) { | |
2634 | LOG("NO! - we are authoritative for the zone "<<auth_domain_iter->first<<endl); | |
2635 | continue; | |
2636 | } else { | |
2637 | LOG("YES! - This answer was "); | |
6dfff36f | 2638 | if (!wasForwarded) { |
26ca3513 RG |
2639 | LOG("retrieved from the local auth store."); |
2640 | } else { | |
2641 | LOG("received from a server we forward to."); | |
2642 | } | |
2643 | haveLogged = true; | |
2644 | LOG(endl); | |
2645 | } | |
2646 | } | |
2647 | } | |
2648 | if (!haveLogged) { | |
2649 | LOG("YES!"<<endl); | |
2650 | } | |
2651 | ||
2652 | rec.d_ttl=min(s_maxcachettl, rec.d_ttl); | |
2653 | ||
2654 | DNSRecord dr(rec); | |
26ca3513 | 2655 | dr.d_ttl += d_now.tv_sec; |
2b984251 | 2656 | dr.d_place=DNSResourceRecord::ANSWER; |
26ca3513 RG |
2657 | tcache[{rec.d_name,rec.d_type,rec.d_place}].records.push_back(dr); |
2658 | } | |
2659 | } | |
2660 | else | |
2661 | LOG("NO!"<<endl); | |
2662 | } | |
2663 | ||
2664 | // supplant | |
4d2be65d RG |
2665 | for(tcache_t::iterator i = tcache.begin(); i != tcache.end(); ++i) { |
2666 | if((i->second.records.size() + i->second.signatures.size()) > 1) { // need to group the ttl to be the minimum of the RRSET (RFC 2181, 5.2) | |
2667 | uint32_t lowestTTD=computeLowestTTD(i->second.records, i->second.signatures, i->second.signaturesTTL); | |
26ca3513 RG |
2668 | |
2669 | for(auto& record : i->second.records) | |
4d2be65d | 2670 | record.d_ttl = lowestTTD; // boom |
26ca3513 RG |
2671 | } |
2672 | ||
2673 | // cout<<"Have "<<i->second.records.size()<<" records and "<<i->second.signatures.size()<<" signatures for "<<i->first.name; | |
2674 | // cout<<'|'<<DNSRecordContent::NumberToType(i->first.type)<<endl; | |
4d2be65d RG |
2675 | } |
2676 | ||
2677 | for(tcache_t::iterator i = tcache.begin(); i != tcache.end(); ++i) { | |
4d2be65d | 2678 | |
26ca3513 RG |
2679 | if(i->second.records.empty()) // this happens when we did store signatures, but passed on the records themselves |
2680 | continue; | |
6dfff36f | 2681 | |
405a26bd RG |
2682 | /* Even if the AA bit is set, additional data cannot be considered |
2683 | as authoritative. This is especially important during validation | |
2684 | because keeping records in the additional section is allowed even | |
2685 | if the corresponding RRSIGs are not included, without setting the TC | |
2686 | bit, as stated in rfc4035's section 3.1.1. Including RRSIG RRs in a Response: | |
2687 | "When placing a signed RRset in the Additional section, the name | |
2688 | server MUST also place its RRSIG RRs in the Additional section. | |
2689 | If space does not permit inclusion of both the RRset and its | |
2690 | associated RRSIG RRs, the name server MAY retain the RRset while | |
2691 | dropping the RRSIG RRs. If this happens, the name server MUST NOT | |
2692 | set the TC bit solely because these RRSIG RRs didn't fit." | |
2693 | */ | |
2694 | bool isAA = lwr.d_aabit && i->first.place != DNSResourceRecord::ADDITIONAL; | |
dff3ef07 RG |
2695 | /* if we forwarded the query to a recursor, we can expect the answer to be signed, |
2696 | even if the answer is not AA. Of course that's not only true inside a Secure | |
2697 | zone, but we check that below. */ | |
70ea0c65 | 2698 | bool expectSignature = i->first.place == DNSResourceRecord::ANSWER || ((lwr.d_aabit || wasForwardRecurse) && i->first.place != DNSResourceRecord::ADDITIONAL); |
dff3ef07 | 2699 | if (isCNAMEAnswer && (i->first.place != DNSResourceRecord::ANSWER || i->first.type != QType::CNAME || i->first.name != qname)) { |
a82d4e27 RG |
2700 | /* |
2701 | rfc2181 states: | |
2702 | Note that the answer section of an authoritative answer normally | |
2703 | contains only authoritative data. However when the name sought is an | |
2704 | alias (see section 10.1.1) only the record describing that alias is | |
2705 | necessarily authoritative. Clients should assume that other records | |
2706 | may have come from the server's cache. Where authoritative answers | |
2707 | are required, the client should query again, using the canonical name | |
2708 | associated with the alias. | |
2709 | */ | |
2710 | isAA = false; | |
dff3ef07 | 2711 | expectSignature = false; |
a82d4e27 RG |
2712 | } |
2713 | ||
d9c32b52 RG |
2714 | if (isCNAMEAnswer && i->first.place == DNSResourceRecord::AUTHORITY && i->first.type == QType::NS && auth == i->first.name) { |
2715 | /* These NS can't be authoritative since we have a CNAME answer for which (see above) only the | |
2716 | record describing that alias is necessarily authoritative. | |
2717 | But if we allow the current auth, which might be serving the child zone, to raise the TTL | |
2718 | of non-authoritative NS in the cache, they might be able to keep a "ghost" zone alive forever, | |
2719 | even after the delegation is gone from the parent. | |
2720 | So let's just do nothing with them, we can fetch them directly if we need them. | |
2721 | */ | |
2722 | LOG(d_prefix<<": skipping authority NS from '"<<auth<<"' nameservers in CNAME answer "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl); | |
2723 | continue; | |
2724 | } | |
2725 | ||
5374b03b | 2726 | vState recordState = getValidationStatus(i->first.name, false); |
1a8d6a9e | 2727 | LOG(d_prefix<<": got initial zone status "<<vStates[recordState]<<" for record "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl); |
70b3fe7a | 2728 | |
e1636f82 | 2729 | if (shouldValidate() && recordState == Secure) { |
5374b03b RG |
2730 | vState initialState = recordState; |
2731 | ||
dff3ef07 | 2732 | if (expectSignature) { |
4d2be65d RG |
2733 | if (i->first.place != DNSResourceRecord::ADDITIONAL) { |
2734 | /* the additional entries can be insecure, | |
2735 | like glue: | |
2736 | "Glue address RRsets associated with delegations MUST NOT be signed" | |
2737 | */ | |
2738 | if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER) { | |
bcb05770 | 2739 | LOG(d_prefix<<"Validating DNSKEY for "<<i->first.name<<endl); |
51b6b728 | 2740 | recordState = validateDNSKeys(i->first.name, i->second.records, i->second.signatures, depth); |
4d2be65d RG |
2741 | } |
2742 | else { | |
8838c88f PL |
2743 | /* |
2744 | * RFC 6672 section 5.3.1 | |
2745 | * In any response, a signed DNAME RR indicates a non-terminal | |
2746 | * redirection of the query. There might or might not be a server- | |
2747 | * synthesized CNAME in the answer section; if there is, the CNAME will | |
2748 | * never be signed. For a DNSSEC validator, verification of the DNAME | |
2749 | * RR and then that the CNAME was properly synthesized is sufficient | |
2750 | * proof. | |
2751 | * | |
2752 | * We do the synthesis check in processRecords, here we make sure we | |
2753 | * don't validate the CNAME. | |
2754 | */ | |
2755 | if (!(isDNAMEAnswer && i->first.type == QType::CNAME)) { | |
2756 | LOG(d_prefix<<"Validating non-additional record for "<<i->first.name<<endl); | |
2757 | recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, i->second.records, i->second.signatures); | |
2758 | /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */ | |
2759 | if (qtype == QType::NS && i->second.signatures.empty() && recordState == Bogus && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == Indeterminate) { | |
2760 | recordState = Indeterminate; | |
2761 | } | |
0735b60f | 2762 | } |
4d2be65d RG |
2763 | } |
2764 | } | |
2765 | } | |
2766 | else { | |
933299e8 RG |
2767 | recordState = Indeterminate; |
2768 | ||
a82d4e27 | 2769 | /* in a non authoritative answer, we only care about the DS record (or lack of) */ |
88cb0fe0 | 2770 | if ((i->first.type == QType::DS || i->first.type == QType::NSEC || i->first.type == QType::NSEC3) && i->first.place == DNSResourceRecord::AUTHORITY) { |
bcb05770 | 2771 | LOG(d_prefix<<"Validating DS record for "<<i->first.name<<endl); |
51b6b728 | 2772 | recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, i->second.records, i->second.signatures); |
4d2be65d RG |
2773 | } |
2774 | } | |
0735b60f | 2775 | |
dff3ef07 | 2776 | if (initialState == Secure && state != recordState && expectSignature) { |
5374b03b RG |
2777 | updateValidationState(state, recordState); |
2778 | } | |
4d2be65d RG |
2779 | } |
2780 | else { | |
e1636f82 | 2781 | if (shouldValidate()) { |
bcb05770 | 2782 | LOG(d_prefix<<"Skipping validation because the current state is "<<vStates[recordState]<<endl); |
4d2be65d RG |
2783 | } |
2784 | } | |
2785 | ||
b9473937 RG |
2786 | if (recordState == Bogus) { |
2787 | /* this is a TTD by now, be careful */ | |
2788 | for(auto& record : i->second.records) { | |
2789 | record.d_ttl = std::min(record.d_ttl, static_cast<uint32_t>(s_maxbogusttl + d_now.tv_sec)); | |
2790 | } | |
2791 | } | |
2792 | ||
005b4b98 RG |
2793 | /* We don't need to store NSEC3 records in the positive cache because: |
2794 | - we don't allow direct NSEC3 queries | |
2795 | - denial of existence proofs in wildcard expanded positive responses are stored in authorityRecs | |
2796 | - denial of existence proofs for negative responses are stored in the negative cache | |
a321baf9 RG |
2797 | We also don't want to cache non-authoritative data except for: |
2798 | - records coming from non forward-recurse servers (those will never be AA) | |
2799 | - DS (special case) | |
2800 | - NS, A and AAAA (used for infra queries) | |
005b4b98 | 2801 | */ |
a321baf9 | 2802 | if (i->first.type != QType::NSEC3 && (i->first.type == QType::DS || i->first.type == QType::NS || i->first.type == QType::A || i->first.type == QType::AAAA || isAA || wasForwardRecurse)) { |
e7861cc4 | 2803 | |
73d9bf3a OM |
2804 | bool doCache = true; |
2805 | if (i->first.place == DNSResourceRecord::ANSWER && ednsmask) { | |
2806 | // If ednsmask is relevant, we do not want to cache if the scope prefix length is large and TTL is small | |
2807 | if (SyncRes::s_ecscachelimitttl > 0) { | |
d14121a8 | 2808 | bool manyMaskBits = (ednsmask->isIPv4() && ednsmask->getBits() > SyncRes::s_ecsipv4cachelimit) || |
37e35fbc | 2809 | (ednsmask->isIPv6() && ednsmask->getBits() > SyncRes::s_ecsipv6cachelimit); |
e7861cc4 | 2810 | |
e7861cc4 OM |
2811 | if (manyMaskBits) { |
2812 | uint32_t minttl = UINT32_MAX; | |
2813 | for (const auto &it : i->second.records) { | |
2814 | if (it.d_ttl < minttl) | |
2815 | minttl = it.d_ttl; | |
2816 | } | |
2817 | bool ttlIsSmall = minttl < SyncRes::s_ecscachelimitttl + d_now.tv_sec; | |
2818 | if (ttlIsSmall) { | |
2819 | // Case: many bits and ttlIsSmall | |
2820 | doCache = false; | |
2821 | } | |
e7861cc4 | 2822 | } |
ed9019c9 | 2823 | } |
e7861cc4 OM |
2824 | } |
2825 | if (doCache) { | |
2826 | t_RC->replace(d_now.tv_sec, i->first.name, QType(i->first.type), i->second.records, i->second.signatures, authorityRecs, i->first.type == QType::DS ? true : isAA, i->first.place == DNSResourceRecord::ANSWER ? ednsmask : boost::none, recordState); | |
bdceeb7e | 2827 | } |
005b4b98 | 2828 | } |
6dfff36f | 2829 | |
26ca3513 RG |
2830 | if(i->first.place == DNSResourceRecord::ANSWER && ednsmask) |
2831 | d_wasVariable=true; | |
2832 | } | |
2833 | ||
2834 | return RCode::NoError; | |
2835 | } | |
2836 | ||
28364e4b | 2837 | void SyncRes::updateDenialValidationState(vState& neValidationState, const DNSName& neName, vState& state, const dState denialState, const dState expectedState, bool allowOptOut) |
4d2be65d | 2838 | { |
b25712fd | 2839 | if (denialState == expectedState) { |
28364e4b | 2840 | neValidationState = Secure; |
b25712fd RG |
2841 | } |
2842 | else { | |
142ab370 | 2843 | if (denialState == OPTOUT && allowOptOut) { |
28364e4b | 2844 | LOG(d_prefix<<"OPT-out denial found for "<<neName<<endl); |
18c8faae RG |
2845 | /* rfc5155 states: |
2846 | "The AD bit, as defined by [RFC4035], MUST NOT be set when returning a | |
2847 | response containing a closest (provable) encloser proof in which the | |
2848 | NSEC3 RR that covers the "next closer" name has the Opt-Out bit set. | |
2849 | ||
2850 | This rule is based on what this closest encloser proof actually | |
2851 | proves: names that would be covered by the Opt-Out NSEC3 RR may or | |
2852 | may not exist as insecure delegations. As such, not all the data in | |
2853 | responses containing such closest encloser proofs will have been | |
2854 | cryptographically verified, so the AD bit cannot be set." | |
2855 | ||
2856 | At best the Opt-Out NSEC3 RR proves that there is no signed DS (so no | |
2857 | secure delegation). | |
2858 | */ | |
2859 | neValidationState = Insecure; | |
4d2be65d | 2860 | } |
142ab370 | 2861 | else if (denialState == INSECURE) { |
28364e4b RG |
2862 | LOG(d_prefix<<"Insecure denial found for "<<neName<<", returning Insecure"<<endl); |
2863 | neValidationState = Insecure; | |
4d2be65d | 2864 | } |
142ab370 | 2865 | else { |
28364e4b RG |
2866 | LOG(d_prefix<<"Invalid denial found for "<<neName<<", returning Bogus, res="<<denialState<<", expectedState="<<expectedState<<endl); |
2867 | neValidationState = Bogus; | |
142ab370 | 2868 | } |
28364e4b | 2869 | updateValidationState(state, neValidationState); |
4d2be65d RG |
2870 | } |
2871 | } | |
2872 | ||
28364e4b | 2873 | dState SyncRes::getDenialValidationState(const NegCache::NegCacheEntry& ne, const vState state, const dState expectedState, bool referralToUnsigned) |
142ab370 RG |
2874 | { |
2875 | cspmap_t csp = harvestCSPFromNE(ne); | |
2876 | return getDenial(csp, ne.d_name, ne.d_qtype.getCode(), referralToUnsigned, expectedState == NXQTYPE); | |
2877 | } | |
2878 | ||
78cdf520 | 2879 | bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const bool gatherWildcardProof, const unsigned int wildcardLabelsCount) |
26ca3513 RG |
2880 | { |
2881 | bool done = false; | |
123da0f8 | 2882 | DNSName dnameTarget, dnameOwner; |
ee936074 | 2883 | uint32_t dnameTTL = 0; |
26ca3513 RG |
2884 | |
2885 | for(auto& rec : lwr.d_records) { | |
2886 | if (rec.d_type!=QType::OPT && rec.d_class!=QClass::IN) | |
2887 | continue; | |
2888 | ||
70ea0c65 | 2889 | if (rec.d_place==DNSResourceRecord::ANSWER && !(lwr.d_aabit || sendRDQuery)) { |
9870af40 RG |
2890 | /* for now we allow a CNAME for the exact qname in ANSWER with AA=0, because Amazon DNS servers |
2891 | are sending such responses */ | |
2892 | if (!(rec.d_type == QType::CNAME && rec.d_name == qname)) { | |
2893 | continue; | |
2894 | } | |
70ea0c65 RG |
2895 | } |
2896 | ||
26ca3513 RG |
2897 | if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::SOA && |
2898 | lwr.d_rcode==RCode::NXDomain && qname.isPartOf(rec.d_name) && rec.d_name.isPartOf(auth)) { | |
2899 | LOG(prefix<<qname<<": got negative caching indication for name '"<<qname<<"' (accept="<<rec.d_name.isPartOf(auth)<<"), newtarget='"<<newtarget<<"'"<<endl); | |
2900 | ||
2901 | rec.d_ttl = min(rec.d_ttl, s_maxnegttl); | |
2902 | if(newtarget.empty()) // only add a SOA if we're not going anywhere after this | |
2903 | ret.push_back(rec); | |
39ce10b2 | 2904 | |
114829cc RG |
2905 | NegCache::NegCacheEntry ne; |
2906 | ||
dbbef467 | 2907 | uint32_t lowestTTL = rec.d_ttl; |
9b061cf5 RG |
2908 | /* if we get an NXDomain answer with a CNAME, the name |
2909 | does exist but the target does not */ | |
2910 | ne.d_name = newtarget.empty() ? qname : newtarget; | |
114829cc RG |
2911 | ne.d_qtype = QType(0); // this encodes 'whole record' |
2912 | ne.d_auth = rec.d_name; | |
dbbef467 | 2913 | harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL); |
dbbef467 | 2914 | |
142ab370 RG |
2915 | if (state == Secure) { |
2916 | dState denialState = getDenialValidationState(ne, state, NXDOMAIN, false); | |
18c8faae | 2917 | updateDenialValidationState(ne.d_validationState, ne.d_name, state, denialState, NXDOMAIN, true); |
142ab370 RG |
2918 | } |
2919 | else { | |
2920 | ne.d_validationState = state; | |
2921 | } | |
114829cc | 2922 | |
b9473937 RG |
2923 | if (ne.d_validationState == Bogus) { |
2924 | lowestTTL = min(lowestTTL, s_maxbogusttl); | |
2925 | } | |
2926 | ||
2927 | ne.d_ttd = d_now.tv_sec + lowestTTL; | |
9b061cf5 RG |
2928 | /* if we get an NXDomain answer with a CNAME, let's not cache the |
2929 | target, even the server was authoritative for it, | |
2930 | and do an additional query for the CNAME target. | |
2931 | We have a regression test making sure we do exactly that. | |
2932 | */ | |
2933 | if(!wasVariable() && newtarget.empty()) { | |
a712cb56 | 2934 | t_sstorage.negcache.add(ne); |
2ef32aec | 2935 | if(s_rootNXTrust && ne.d_auth.isRoot() && auth.isRoot() && lwr.d_aabit) { |
9a1e060b | 2936 | ne.d_name = ne.d_name.getLastLabel(); |
a712cb56 | 2937 | t_sstorage.negcache.add(ne); |
26ca3513 RG |
2938 | } |
2939 | } | |
2940 | ||
2941 | negindic=true; | |
2942 | } | |
123da0f8 PL |
2943 | else if(rec.d_place==DNSResourceRecord::ANSWER && s_redirectionQTypes.count(rec.d_type) > 0 && // CNAME or DNAME answer |
2944 | s_redirectionQTypes.count(qtype.getCode()) == 0) { // But not in response to a CNAME or DNAME query | |
2945 | if (rec.d_type == QType::CNAME && rec.d_name == qname) { | |
ee936074 PL |
2946 | if (!dnameOwner.empty()) { // We synthesize ourselves |
2947 | continue; | |
2948 | } | |
123da0f8 PL |
2949 | ret.push_back(rec); |
2950 | if (auto content = getRR<CNAMERecordContent>(rec)) { | |
2951 | newtarget=content->getTarget(); | |
2952 | } | |
2953 | } else if (rec.d_type == QType::DNAME && qname.isPartOf(rec.d_name)) { // DNAME | |
2954 | ret.push_back(rec); | |
2955 | if (auto content = getRR<DNAMERecordContent>(rec)) { | |
2956 | dnameOwner = rec.d_name; | |
2957 | dnameTarget = content->getTarget(); | |
ee936074 | 2958 | dnameTTL = rec.d_ttl; |
29ec25aa PL |
2959 | if (!newtarget.empty()) { // We had a CNAME before, remove it from ret so we don't cache it |
2960 | ret.erase(std::remove_if( | |
2961 | ret.begin(), | |
2962 | ret.end(), | |
2963 | [&qname](DNSRecord& rr) { | |
2964 | return (rr.d_place == DNSResourceRecord::ANSWER && rr.d_type == QType::CNAME && rr.d_name == qname); | |
2965 | }), | |
2966 | ret.end()); | |
2967 | } | |
ee936074 PL |
2968 | try { |
2969 | newtarget = qname.makeRelative(dnameOwner) + dnameTarget; | |
2970 | } catch (const std::exception &e) { | |
2971 | // We should probably catch an std::range_error here and set the rcode to YXDOMAIN (RFC 6672, section 2.2) | |
2972 | // But there is no way to set the RCODE from this function | |
2973 | throw ImmediateServFailException("Unable to perform DNAME substitution(DNAME owner: '" + dnameOwner.toLogString() + | |
2974 | "', DNAME target: '" + dnameTarget.toLogString() + "', substituted name: '" + | |
2975 | qname.makeRelative(dnameOwner).toLogString() + "." + dnameTarget.toLogString() + | |
2976 | "' : " + e.what()); | |
2977 | } | |
123da0f8 | 2978 | } |
26ca3513 RG |
2979 | } |
2980 | } | |
9b061cf5 RG |
2981 | /* if we have a positive answer synthetized from a wildcard, we need to |
2982 | return the corresponding NSEC/NSEC3 records from the AUTHORITY section | |
2983 | proving that the exact name did not exist */ | |
78cdf520 | 2984 | else if(gatherWildcardProof && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::AUTHORITY) { |
2b984251 RG |
2985 | ret.push_back(rec); // enjoy your DNSSEC |
2986 | } | |
26ca3513 RG |
2987 | // for ANY answers we *must* have an authoritative answer, unless we are forwarding recursively |
2988 | else if(rec.d_place==DNSResourceRecord::ANSWER && rec.d_name == qname && | |
2989 | ( | |
331222c4 | 2990 | rec.d_type==qtype.getCode() || ((lwr.d_aabit || sendRDQuery) && qtype == QType(QType::ANY)) |
26ca3513 RG |
2991 | ) |
2992 | ) | |
2993 | { | |
2994 | LOG(prefix<<qname<<": answer is in: resolved to '"<< rec.d_content->getZoneRepresentation()<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"'"<<endl); | |
2995 | ||
2996 | done=true; | |
9b061cf5 RG |
2997 | |
2998 | if (state == Secure && needWildcardProof) { | |
2999 | /* We have a positive answer synthetized from a wildcard, we need to check that we have | |
3000 | proof that the exact name doesn't exist so the wildcard can be used, | |
d0d39496 | 3001 | as described in section 5.3.4 of RFC 4035 and 5.3 of RFC 7129. |
9b061cf5 RG |
3002 | */ |
3003 | NegCache::NegCacheEntry ne; | |
3004 | ||
3005 | uint32_t lowestTTL = rec.d_ttl; | |
3006 | ne.d_name = qname; | |
3007 | ne.d_qtype = QType(0); // this encodes 'whole record' | |
3008 | harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL); | |
3009 | ||
3010 | cspmap_t csp = harvestCSPFromNE(ne); | |
e4894ce0 | 3011 | dState res = getDenial(csp, qname, ne.d_qtype.getCode(), false, false, false, wildcardLabelsCount); |
9b061cf5 | 3012 | if (res != NXDOMAIN) { |
b7c40613 RG |
3013 | vState st = Bogus; |
3014 | if (res == INSECURE) { | |
3015 | /* Some part could not be validated, for example a NSEC3 record with a too large number of iterations, | |
3016 | this is not enough to warrant a Bogus, but go Insecure. */ | |
3017 | st = Insecure; | |
3018 | LOG(d_prefix<<"Unable to validate denial in wildcard expanded positive response found for "<<qname<<", returning Insecure, res="<<res<<endl); | |
3019 | } | |
3020 | else { | |
3021 | LOG(d_prefix<<"Invalid denial in wildcard expanded positive response found for "<<qname<<", returning Bogus, res="<<res<<endl); | |
b9473937 | 3022 | rec.d_ttl = std::min(rec.d_ttl, s_maxbogusttl); |
b7c40613 RG |
3023 | } |
3024 | ||
3025 | updateValidationState(state, st); | |
3026 | /* we already stored the record with a different validation status, let's fix it */ | |
b9473937 | 3027 | updateValidationStatusInCache(qname, qtype, lwr.d_aabit, st); |
9b061cf5 RG |
3028 | } |
3029 | } | |
b9473937 | 3030 | ret.push_back(rec); |
26ca3513 | 3031 | } |
7030a59b | 3032 | else if((rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::ANSWER) { |
123da0f8 | 3033 | if(rec.d_type != QType::RRSIG || rec.d_name == qname) { |
7030a59b | 3034 | ret.push_back(rec); // enjoy your DNSSEC |
123da0f8 PL |
3035 | } else if(rec.d_type == QType::RRSIG && qname.isPartOf(rec.d_name)) { |
3036 | auto rrsig = getRR<RRSIGRecordContent>(rec); | |
3037 | if (rrsig != nullptr && rrsig->d_type == QType::DNAME) { | |
3038 | ret.push_back(rec); | |
3039 | } | |
3040 | } | |
7030a59b | 3041 | } |
4d2be65d | 3042 | else if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::NS && qname.isPartOf(rec.d_name)) { |
26ca3513 RG |
3043 | if(moreSpecificThan(rec.d_name,auth)) { |
3044 | newauth=rec.d_name; | |
3045 | LOG(prefix<<qname<<": got NS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"'"<<endl); | |
3046 | realreferral=true; | |
3047 | } | |
3048 | else { | |
3049 | LOG(prefix<<qname<<": got upwards/level NS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"', had '"<<auth<<"'"<<endl); | |
3050 | } | |
3051 | if (auto content = getRR<NSRecordContent>(rec)) { | |
3052 | nsset.insert(content->getNS()); | |
3053 | } | |
3054 | } | |
4d2be65d | 3055 | else if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::DS && qname.isPartOf(rec.d_name)) { |
26ca3513 | 3056 | LOG(prefix<<qname<<": got DS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"'"<<endl); |
26ca3513 | 3057 | } |
860d5e8e | 3058 | else if(realreferral && rec.d_place==DNSResourceRecord::AUTHORITY && (rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && newauth.isPartOf(auth)) { |
4d2be65d RG |
3059 | /* we might have received a denial of the DS, let's check */ |
3060 | if (state == Secure) { | |
3061 | NegCache::NegCacheEntry ne; | |
3062 | ne.d_auth = auth; | |
860d5e8e RG |
3063 | ne.d_name = newauth; |
3064 | ne.d_qtype = QType::DS; | |
dbbef467 RG |
3065 | rec.d_ttl = min(s_maxnegttl, rec.d_ttl); |
3066 | uint32_t lowestTTL = rec.d_ttl; | |
3067 | harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL); | |
3068 | ||
142ab370 RG |
3069 | dState denialState = getDenialValidationState(ne, state, NXQTYPE, true); |
3070 | ||
d377bb54 | 3071 | if (denialState == NXQTYPE || denialState == OPTOUT || denialState == INSECURE) { |
dbbef467 | 3072 | ne.d_ttd = lowestTTL + d_now.tv_sec; |
860d5e8e | 3073 | ne.d_validationState = Secure; |
18c8faae RG |
3074 | if (denialState == OPTOUT) { |
3075 | ne.d_validationState = Insecure; | |
3076 | } | |
812c3a69 | 3077 | LOG(prefix<<qname<<": got negative indication of DS record for '"<<newauth<<"'"<<endl); |
5374b03b | 3078 | |
4d2be65d RG |
3079 | if(!wasVariable()) { |
3080 | t_sstorage.negcache.add(ne); | |
3081 | } | |
5374b03b RG |
3082 | |
3083 | if (qname == newauth && qtype == QType::DS) { | |
3084 | /* we are actually done! */ | |
3085 | negindic=true; | |
3086 | nsset.clear(); | |
3087 | } | |
4d2be65d RG |
3088 | } |
3089 | } | |
3090 | } | |
3091 | else if(!done && rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::SOA && | |
3092 | lwr.d_rcode==RCode::NoError && qname.isPartOf(rec.d_name)) { | |
26ca3513 RG |
3093 | LOG(prefix<<qname<<": got negative caching indication for '"<< qname<<"|"<<qtype.getName()<<"'"<<endl); |
3094 | ||
3095 | if(!newtarget.empty()) { | |
3096 | LOG(prefix<<qname<<": Hang on! Got a redirect to '"<<newtarget<<"' already"<<endl); | |
3097 | } | |
3098 | else { | |
3099 | rec.d_ttl = min(s_maxnegttl, rec.d_ttl); | |
114829cc RG |
3100 | |
3101 | NegCache::NegCacheEntry ne; | |
3102 | ne.d_auth = rec.d_name; | |
dbbef467 | 3103 | uint32_t lowestTTL = rec.d_ttl; |
114829cc RG |
3104 | ne.d_name = qname; |
3105 | ne.d_qtype = qtype; | |
dbbef467 | 3106 | harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL); |
dbbef467 | 3107 | |
142ab370 RG |
3108 | if (state == Secure) { |
3109 | dState denialState = getDenialValidationState(ne, state, NXQTYPE, false); | |
28364e4b | 3110 | updateDenialValidationState(ne.d_validationState, ne.d_name, state, denialState, NXQTYPE, qtype == QType::DS); |
142ab370 RG |
3111 | } else { |
3112 | ne.d_validationState = state; | |
3113 | } | |
114829cc | 3114 | |
b9473937 RG |
3115 | if (ne.d_validationState == Bogus) { |
3116 | lowestTTL = min(lowestTTL, s_maxbogusttl); | |
3117 | rec.d_ttl = min(rec.d_ttl, s_maxbogusttl); | |
3118 | } | |
3119 | ne.d_ttd = d_now.tv_sec + lowestTTL; | |
3120 | ||
26ca3513 | 3121 | if(!wasVariable()) { |
26ca3513 | 3122 | if(qtype.getCode()) { // prevents us from blacking out a whole domain |
a712cb56 | 3123 | t_sstorage.negcache.add(ne); |
26ca3513 RG |
3124 | } |
3125 | } | |
b9473937 RG |
3126 | |
3127 | ret.push_back(rec); | |
26ca3513 RG |
3128 | negindic=true; |
3129 | } | |
3130 | } | |
3131 | } | |
3132 | ||
ee936074 PL |
3133 | if (!dnameTarget.empty()) { |
3134 | // Synthesize a CNAME | |
3135 | auto cnamerec = DNSRecord(); | |
3136 | cnamerec.d_name = qname; | |
3137 | cnamerec.d_type = QType::CNAME; | |
3138 | cnamerec.d_ttl = dnameTTL; | |
3139 | cnamerec.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(newtarget)); | |
3140 | ret.push_back(cnamerec); | |
123da0f8 | 3141 | } |
26ca3513 RG |
3142 | return done; |
3143 | } | |
3144 | ||
6dfff36f RG |
3145 | bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname, const QType& qtype, LWResult& lwr, boost::optional<Netmask>& ednsmask, const DNSName& auth, bool const sendRDQuery, const DNSName& nsName, const ComboAddress& remoteIP, bool doTCP, bool* truncated) |
3146 | { | |
deca7d8f | 3147 | bool chained = false; |
17cecc84 | 3148 | int resolveret = RCode::NoError; |
6dfff36f RG |
3149 | s_outqueries++; |
3150 | d_outqueries++; | |
3151 | ||
3152 | if(d_outqueries + d_throttledqueries > s_maxqperq) { | |
3153 | throw ImmediateServFailException("more than "+std::to_string(s_maxqperq)+" (max-qperq) queries sent while resolving "+qname.toLogString()); | |
3154 | } | |
3155 | ||
3156 | if(s_maxtotusec && d_totUsec > s_maxtotusec) { | |
3157 | throw ImmediateServFailException("Too much time waiting for "+qname.toLogString()+"|"+qtype.getName()+", timeouts: "+std::to_string(d_timeouts) +", throttles: "+std::to_string(d_throttledqueries) + ", queries: "+std::to_string(d_outqueries)+", "+std::to_string(d_totUsec/1000)+"msec"); | |
3158 | } | |
3159 | ||
3160 | if(doTCP) { | |
3161 | LOG(prefix<<qname<<": using TCP with "<< remoteIP.toStringWithPort() <<endl); | |
3162 | s_tcpoutqueries++; | |
3163 | d_tcpoutqueries++; | |
3164 | } | |
3165 | ||
3166 | if(d_pdl && d_pdl->preoutquery(remoteIP, d_requestor, qname, qtype, doTCP, lwr.d_records, resolveret)) { | |
3167 | LOG(prefix<<qname<<": query handled by Lua"<<endl); | |
3168 | } | |
3169 | else { | |
2fe3354d | 3170 | ednsmask=getEDNSSubnetMask(qname, remoteIP); |
6dfff36f RG |
3171 | if(ednsmask) { |
3172 | LOG(prefix<<qname<<": Adding EDNS Client Subnet Mask "<<ednsmask->toString()<<" to query"<<endl); | |
d6923beb | 3173 | s_ecsqueries++; |
6dfff36f | 3174 | } |
6de48f75 | 3175 | resolveret = asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, auth, qtype.getCode(), |
deca7d8f | 3176 | doTCP, sendRDQuery, &d_now, ednsmask, &lwr, &chained); // <- we go out on the wire! |
6dfff36f | 3177 | if(ednsmask) { |
d6923beb | 3178 | s_ecsresponses++; |
6dfff36f | 3179 | LOG(prefix<<qname<<": Received EDNS Client Subnet Mask "<<ednsmask->toString()<<" on response"<<endl); |
c9783016 | 3180 | if (ednsmask->getBits() > 0) { |
d14121a8 | 3181 | if (ednsmask->isIPv4()) { |
c9783016 RG |
3182 | ++SyncRes::s_ecsResponsesBySubnetSize4.at(ednsmask->getBits()-1); |
3183 | } | |
3184 | else { | |
3185 | ++SyncRes::s_ecsResponsesBySubnetSize6.at(ednsmask->getBits()-1); | |
3186 | } | |
3187 | } | |
6dfff36f RG |
3188 | } |
3189 | } | |
3190 | ||
3191 | /* preoutquery killed the query by setting dq.rcode to -3 */ | |
3192 | if(resolveret==-3) { | |
3193 | throw ImmediateServFailException("Query killed by policy"); | |
3194 | } | |
3195 | ||
3196 | d_totUsec += lwr.d_usec; | |
3197 | accountAuthLatency(lwr.d_usec, remoteIP.sin4.sin_family); | |
3198 | ||
5c8c72bf PL |
3199 | bool dontThrottle = false; |
3200 | { | |
3201 | auto dontThrottleNames = g_dontThrottleNames.getLocal(); | |
3202 | auto dontThrottleNetmasks = g_dontThrottleNetmasks.getLocal(); | |
3203 | dontThrottle = dontThrottleNames->check(nsName) || dontThrottleNetmasks->match(remoteIP); | |
3204 | } | |
3205 | ||
6dfff36f RG |
3206 | if(resolveret != 1) { |
3207 | /* Error while resolving */ | |
3208 | if(resolveret == 0) { | |
3209 | /* Time out */ | |
3210 | ||
3211 | LOG(prefix<<qname<<": timeout resolving after "<<lwr.d_usec/1000.0<<"msec "<< (doTCP ? "over TCP" : "")<<endl); | |
3212 | d_timeouts++; | |
3213 | s_outgoingtimeouts++; | |
3214 | ||
3215 | if(remoteIP.sin4.sin_family == AF_INET) | |
3216 | s_outgoing4timeouts++; | |
3217 | else | |
3218 | s_outgoing6timeouts++; | |
be9078b3 | 3219 | |
3220 | if(t_timeouts) | |
3221 | t_timeouts->push_back(remoteIP); | |
6dfff36f RG |
3222 | } |
3223 | else if(resolveret == -2) { | |
3224 | /* OS resource limit reached */ | |
3225 | LOG(prefix<<qname<<": hit a local resource limit resolving"<< (doTCP ? " over TCP" : "")<<", probable error: "<<stringerror()<<endl); | |
3226 | g_stats.resourceLimits++; | |
3227 | } | |
3228 | else { | |
3229 | /* -1 means server unreachable */ | |
3230 | s_unreachables++; | |
3231 | d_unreachables++; | |
a702a96c OM |
3232 | // XXX questionable use of errno |
3233 | LOG(prefix<<qname<<": error resolving from "<<remoteIP.toString()<< (doTCP ? " over TCP" : "") <<", possible error: "<<stringerror()<< endl); | |
6dfff36f RG |
3234 | } |
3235 | ||
5c8c72bf | 3236 | if(resolveret != -2 && !chained && !dontThrottle) { |
559b6c93 PL |
3237 | // don't account for resource limits, they are our own fault |
3238 | // And don't throttle when the IP address is on the dontThrottleNetmasks list or the name is part of dontThrottleNames | |
b9715061 | 3239 | t_sstorage.nsSpeeds[nsName.empty()? DNSName(remoteIP.toStringWithPort()) : nsName].submit(remoteIP, 1000000, d_now); // 1 sec |
6dfff36f RG |
3240 | |
3241 | // code below makes sure we don't filter COM or the root | |
60e5208a | 3242 | if (s_serverdownmaxfails > 0 && (auth != g_rootdnsname) && t_sstorage.fails.incr(remoteIP, d_now) >= s_serverdownmaxfails) { |
6dfff36f RG |
3243 | LOG(prefix<<qname<<": Max fails reached resolving on "<< remoteIP.toString() <<". Going full throttle for "<< s_serverdownthrottletime <<" seconds" <<endl); |
3244 | // mark server as down | |
3245 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, "", 0), s_serverdownthrottletime, 10000); | |
3246 | } | |
3247 | else if (resolveret == -1) { | |
3248 | // unreachable, 1 minute or 100 queries | |
3249 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 100); | |
3250 | } | |
3251 | else { | |
559b6c93 | 3252 | // timeout, 10 seconds or 5 queries |
6dfff36f RG |
3253 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 10, 5); |
3254 | } | |
3255 | } | |
3256 | ||
3257 | return false; | |
3258 | } | |
3259 | ||
3260 | /* we got an answer */ | |
3261 | if(lwr.d_rcode==RCode::ServFail || lwr.d_rcode==RCode::Refused) { | |
3262 | LOG(prefix<<qname<<": "<<nsName<<" ("<<remoteIP.toString()<<") returned a "<< (lwr.d_rcode==RCode::ServFail ? "ServFail" : "Refused") << ", trying sibling IP or NS"<<endl); | |
5c8c72bf | 3263 | if (!chained && !dontThrottle) { |
deca7d8f RG |
3264 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3); |
3265 | } | |
6dfff36f RG |
3266 | return false; |
3267 | } | |
3268 | ||
3269 | /* this server sent a valid answer, mark it backup up if it was down */ | |
3270 | if(s_serverdownmaxfails > 0) { | |
3271 | t_sstorage.fails.clear(remoteIP); | |
3272 | } | |
3273 | ||
3274 | if(lwr.d_tcbit) { | |
3275 | *truncated = true; | |
3276 | ||
4ab4187c | 3277 | if (doTCP) { |
6dfff36f | 3278 | LOG(prefix<<qname<<": truncated bit set, over TCP?"<<endl); |
4ab4187c PD |
3279 | if (!dontThrottle) { |
3280 | /* let's treat that as a ServFail answer from this server */ | |
3281 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3); | |
3282 | } | |
6dfff36f RG |
3283 | return false; |
3284 | } | |
b1f2295b | 3285 | LOG(prefix<<qname<<": truncated bit set, over UDP"<<endl); |
6dfff36f RG |
3286 | |
3287 | return true; | |
3288 | } | |
3289 | ||
3290 | return true; | |
3291 | } | |
3292 | ||
51b6b728 | 3293 | bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, bool sendRDQuery, NsSet &nameservers, std::vector<DNSRecord>& ret, const DNSFilterEngine& dfe, bool* gotNewServers, int* rcode, vState& state) |
6dfff36f RG |
3294 | { |
3295 | string prefix; | |
3296 | if(doLog()) { | |
3297 | prefix=d_prefix; | |
3298 | prefix.append(depth, ' '); | |
3299 | } | |
3300 | ||
3301 | if(s_minimumTTL) { | |
3302 | for(auto& rec : lwr.d_records) { | |
3303 | rec.d_ttl = max(rec.d_ttl, s_minimumTTL); | |
3304 | } | |
3305 | } | |
3306 | ||
5cf4b2e7 RG |
3307 | /* if the answer is ECS-specific, a minimum TTL is set for this kind of answers |
3308 | and it's higher than the global minimum TTL */ | |
3309 | if (ednsmask && s_minimumECSTTL > 0 && (s_minimumTTL == 0 || s_minimumECSTTL > s_minimumTTL)) { | |
3310 | for(auto& rec : lwr.d_records) { | |
3311 | if (rec.d_place == DNSResourceRecord::ANSWER) { | |
3312 | rec.d_ttl = max(rec.d_ttl, s_minimumECSTTL); | |
3313 | } | |
3314 | } | |
3315 | } | |
3316 | ||
2b984251 | 3317 | bool needWildcardProof = false; |
78cdf520 | 3318 | bool gatherWildcardProof = false; |
e4894ce0 | 3319 | unsigned int wildcardLabelsCount; |
78cdf520 | 3320 | *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, gatherWildcardProof, wildcardLabelsCount, sendRDQuery); |
6dfff36f RG |
3321 | if (*rcode != RCode::NoError) { |
3322 | return true; | |
3323 | } | |
3324 | ||
3325 | LOG(prefix<<qname<<": determining status after receiving this packet"<<endl); | |
3326 | ||
3327 | set<DNSName> nsset; | |
3328 | bool realreferral=false, negindic=false; | |
3329 | DNSName newauth; | |
3330 | DNSName newtarget; | |
3331 | ||
78cdf520 | 3332 | bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, gatherWildcardProof, wildcardLabelsCount); |
6dfff36f RG |
3333 | |
3334 | if(done){ | |
3335 | LOG(prefix<<qname<<": status=got results, this level of recursion done"<<endl); | |
5374b03b | 3336 | LOG(prefix<<qname<<": validation status is "<<vStates[state]<<endl); |
6dfff36f RG |
3337 | *rcode = RCode::NoError; |
3338 | return true; | |
3339 | } | |
3340 | ||
3341 | if(!newtarget.empty()) { | |
3342 | if(newtarget == qname) { | |
3343 | LOG(prefix<<qname<<": status=got a CNAME referral to self, returning SERVFAIL"<<endl); | |
3344 | *rcode = RCode::ServFail; | |
3345 | return true; | |
3346 | } | |
3347 | ||
3348 | if(depth > 10) { | |
3349 | LOG(prefix<<qname<<": status=got a CNAME referral, but recursing too deep, returning SERVFAIL"<<endl); | |
3350 | *rcode = RCode::ServFail; | |
3351 | return true; | |
3352 | } | |
3353 | ||
5374b03b RG |
3354 | if (qtype == QType::DS) { |
3355 | LOG(prefix<<qname<<": status=got a CNAME referral, but we are looking for a DS"<<endl); | |
6dfff36f | 3356 | |
1c39e884 RG |
3357 | if(d_doDNSSEC) |
3358 | addNXNSECS(ret, lwr.d_records); | |
3359 | ||
3360 | *rcode = RCode::NoError; | |
3361 | return true; | |
5374b03b RG |
3362 | } |
3363 | else { | |
3364 | LOG(prefix<<qname<<": status=got a CNAME referral, starting over with "<<newtarget<<endl); | |
6dfff36f | 3365 | |
5374b03b RG |
3366 | set<GetBestNSAnswer> beenthere2; |
3367 | vState cnameState = Indeterminate; | |
3368 | *rcode = doResolve(newtarget, qtype, ret, depth + 1, beenthere2, cnameState); | |
3369 | LOG(prefix<<qname<<": updating validation state for response to "<<qname<<" from "<<vStates[state]<<" with the state from the CNAME quest: "<<vStates[cnameState]<<endl); | |
3370 | updateValidationState(state, cnameState); | |
3371 | return true; | |
3372 | } | |
6dfff36f RG |
3373 | } |
3374 | ||
3375 | if(lwr.d_rcode == RCode::NXDomain) { | |
3376 | LOG(prefix<<qname<<": status=NXDOMAIN, we are done "<<(negindic ? "(have negative SOA)" : "")<<endl); | |
3377 | ||
3378 | if(d_doDNSSEC) | |
3379 | addNXNSECS(ret, lwr.d_records); | |
3380 | ||
3381 | *rcode = RCode::NXDomain; | |
3382 | return true; | |
3383 | } | |
3384 | ||
3385 | if(nsset.empty() && !lwr.d_rcode && (negindic || lwr.d_aabit || sendRDQuery)) { | |
3386 | LOG(prefix<<qname<<": status=noerror, other types may exist, but we are done "<<(negindic ? "(have negative SOA) " : "")<<(lwr.d_aabit ? "(have aa bit) " : "")<<endl); | |
3387 | ||
6e9d3cae | 3388 | if(state == Secure && (lwr.d_aabit || sendRDQuery) && !negindic) { |
114829cc RG |
3389 | updateValidationState(state, Bogus); |
3390 | } | |
3391 | ||
6dfff36f RG |
3392 | if(d_doDNSSEC) |
3393 | addNXNSECS(ret, lwr.d_records); | |
3394 | ||
3395 | *rcode = RCode::NoError; | |
3396 | return true; | |
3397 | } | |
3398 | ||
3399 | if(realreferral) { | |
3400 | LOG(prefix<<qname<<": status=did not resolve, got "<<(unsigned int)nsset.size()<<" NS, "); | |
6dfff36f RG |
3401 | |
3402 | nameservers.clear(); | |
3403 | for (auto const &nameserver : nsset) { | |
124dd1d4 | 3404 | if (d_wantsRPZ && d_appliedPolicy.d_type == DNSFilterEngine::PolicyType::None) { |
6dfff36f RG |
3405 | d_appliedPolicy = dfe.getProcessingPolicy(nameserver, d_discardedPolicies); |
3406 | if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response | |
3407 | LOG("however "<<nameserver<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl); | |
124dd1d4 | 3408 | throw PolicyHitException(); |
6dfff36f RG |
3409 | } |
3410 | } | |
3411 | nameservers.insert({nameserver, {{}, false}}); | |
3412 | } | |
3413 | LOG("looping to them"<<endl); | |
3414 | *gotNewServers = true; | |
812c3a69 | 3415 | auth=newauth; |
4d2be65d | 3416 | |
6dfff36f RG |
3417 | return false; |
3418 | } | |
3419 | ||
3420 | return false; | |
3421 | } | |
3422 | ||
b8470add PL |
3423 | /** returns: |
3424 | * -1 in case of no results | |
b8470add PL |
3425 | * rcode otherwise |
3426 | */ | |
fa1b87ff | 3427 | int SyncRes::doResolveAt(NsSet &nameservers, DNSName auth, bool flawedNSSet, const DNSName &qname, const QType &qtype, |
e325f20c | 3428 | vector<DNSRecord>&ret, |
116d1288 | 3429 | unsigned int depth, set<GetBestNSAnswer>&beenthere, vState& state, StopAtDelegation* stopAtDelegation) |
86c152f2 | 3430 | { |
69cbdef9 | 3431 | auto luaconfsLocal = g_luaconfs.getLocal(); |
ded77b10 | 3432 | string prefix; |
77499b05 | 3433 | if(doLog()) { |
ded77b10 BH |
3434 | prefix=d_prefix; |
3435 | prefix.append(depth, ' '); | |
3436 | } | |
3ddb9247 | 3437 | |
b8470add PL |
3438 | LOG(prefix<<qname<<": Cache consultations done, have "<<(unsigned int)nameservers.size()<<" NS to contact"); |
3439 | ||
69cbdef9 | 3440 | if (nameserversBlockedByRPZ(luaconfsLocal->dfe, nameservers)) { |
124dd1d4 RG |
3441 | /* RPZ hit */ |
3442 | throw PolicyHitException(); | |
b8470add PL |
3443 | } |
3444 | ||
3445 | LOG(endl); | |
afbe2787 BH |
3446 | |
3447 | for(;;) { // we may get more specific nameservers | |
feccaf7f | 3448 | auto rnameservers = shuffleInSpeedOrder(nameservers, doLog() ? (prefix+qname.toString()+": ") : string() ); |
3ddb9247 | 3449 | |
26ca3513 RG |
3450 | for(auto tns=rnameservers.cbegin();;++tns) { |
3451 | if(tns==rnameservers.cend()) { | |
2189085d | 3452 | LOG(prefix<<qname<<": Failed to resolve via any of the "<<(unsigned int)rnameservers.size()<<" offered NS at level '"<<auth<<"'"<<endl); |
03c09afe | 3453 | if(!auth.isRoot() && flawedNSSet) { |
2189085d | 3454 | LOG(prefix<<qname<<": Ageing nameservers for level '"<<auth<<"', next query might succeed"<<endl); |
88490c03 | 3455 | |
49a699c4 | 3456 | if(t_RC->doAgeCache(d_now.tv_sec, auth, QType::NS, 10)) |
4957a608 BH |
3457 | g_stats.nsSetInvalidations++; |
3458 | } | |
3459 | return -1; | |
afbe2787 | 3460 | } |
6dfff36f | 3461 | |
b4c8789a RG |
3462 | bool cacheOnly = false; |
3463 | // this line needs to identify the 'self-resolving' behaviour | |
feccaf7f | 3464 | if(qname == tns->first && (qtype.getCode() == QType::A || qtype.getCode() == QType::AAAA)) { |
b4c8789a RG |
3465 | /* we might have a glue entry in cache so let's try this NS |
3466 | but only if we have enough in the cache to know how to reach it */ | |
3467 | LOG(prefix<<qname<<": Using NS to resolve itself, but only using what we have in cache ("<<(1+tns-rnameservers.cbegin())<<"/"<<rnameservers.size()<<")"<<endl); | |
3468 | cacheOnly = true; | |
20177d1d | 3469 | } |
5605c067 | 3470 | |
996c89cc | 3471 | typedef vector<ComboAddress> remoteIPs_t; |
5605c067 | 3472 | remoteIPs_t remoteIPs; |
bfea0d0b | 3473 | remoteIPs_t::const_iterator remoteIP; |
1c21f389 | 3474 | bool pierceDontQuery=false; |
c1d73d94 | 3475 | bool sendRDQuery=false; |
376effcf | 3476 | boost::optional<Netmask> ednsmask; |
263f6a5a | 3477 | LWResult lwr; |
feccaf7f | 3478 | const bool wasForwarded = tns->first.empty() && (!nameservers[tns->first].first.empty()); |
6dfff36f RG |
3479 | int rcode = RCode::NoError; |
3480 | bool gotNewServers = false; | |
3481 | ||
feccaf7f | 3482 | if(tns->first.empty() && !wasForwarded) { |
2189085d | 3483 | LOG(prefix<<qname<<": Domain is out-of-band"<<endl); |
e1636f82 RG |
3484 | /* setting state to indeterminate since validation is disabled for local auth zone, |
3485 | and Insecure would be misleading. */ | |
3486 | state = Indeterminate; | |
9fc36e90 | 3487 | d_wasOutOfBand = doOOBResolve(qname, qtype, lwr.d_records, depth, lwr.d_rcode); |
4957a608 BH |
3488 | lwr.d_tcbit=false; |
3489 | lwr.d_aabit=true; | |
6dfff36f RG |
3490 | |
3491 | /* we have received an answer, are we done ? */ | |
51b6b728 | 3492 | bool done = processAnswer(depth, lwr, qname, qtype, auth, false, ednsmask, sendRDQuery, nameservers, ret, luaconfsLocal->dfe, &gotNewServers, &rcode, state); |
6dfff36f RG |
3493 | if (done) { |
3494 | return rcode; | |
3495 | } | |
3496 | if (gotNewServers) { | |
116d1288 OM |
3497 | if (stopAtDelegation && *stopAtDelegation == Stop) { |
3498 | *stopAtDelegation = Stopped; | |
3499 | return rcode; | |
3500 | } | |
6dfff36f RG |
3501 | break; |
3502 | } | |
5605c067 BH |
3503 | } |
3504 | else { | |
6dfff36f | 3505 | /* if tns is empty, retrieveAddressesForNS() knows we have hardcoded servers (i.e. "forwards") */ |
b4c8789a | 3506 | remoteIPs = retrieveAddressesForNS(prefix, qname, tns, depth, beenthere, rnameservers, nameservers, sendRDQuery, pierceDontQuery, flawedNSSet, cacheOnly); |
4957a608 BH |
3507 | |
3508 | if(remoteIPs.empty()) { | |
feccaf7f | 3509 | LOG(prefix<<qname<<": Failed to get IP for NS "<<tns->first<<", trying next if available"<<endl); |
4957a608 BH |
3510 | flawedNSSet=true; |
3511 | continue; | |
3512 | } | |
3513 | else { | |
b8470add | 3514 | bool hitPolicy{false}; |
feccaf7f | 3515 | LOG(prefix<<qname<<": Resolved '"<<auth<<"' NS "<<tns->first<<" to: "); |
26ca3513 RG |
3516 | for(remoteIP = remoteIPs.cbegin(); remoteIP != remoteIPs.cend(); ++remoteIP) { |
3517 | if(remoteIP != remoteIPs.cbegin()) { | |
77499b05 BH |
3518 | LOG(", "); |
3519 | } | |
3520 | LOG(remoteIP->toString()); | |
69cbdef9 | 3521 | if(nameserverIPBlockedByRPZ(luaconfsLocal->dfe, *remoteIP)) { |
26ca3513 | 3522 | hitPolicy = true; |
b8470add | 3523 | } |
4957a608 | 3524 | } |
77499b05 | 3525 | LOG(endl); |
124dd1d4 RG |
3526 | if (hitPolicy) { //implies d_wantsRPZ |
3527 | /* RPZ hit */ | |
3528 | throw PolicyHitException(); | |
3529 | } | |
4957a608 BH |
3530 | } |
3531 | ||
26ca3513 | 3532 | for(remoteIP = remoteIPs.cbegin(); remoteIP != remoteIPs.cend(); ++remoteIP) { |
2189085d | 3533 | LOG(prefix<<qname<<": Trying IP "<< remoteIP->toStringWithPort() <<", asking '"<<qname<<"|"<<qtype.getName()<<"'"<<endl); |
6dfff36f | 3534 | |
26ca3513 | 3535 | if (throttledOrBlocked(prefix, *remoteIP, qname, qtype, pierceDontQuery)) { |
4957a608 BH |
3536 | continue; |
3537 | } | |
9de3e034 | 3538 | |
6dfff36f RG |
3539 | bool truncated = false; |
3540 | bool gotAnswer = doResolveAtThisIP(prefix, qname, qtype, lwr, ednsmask, auth, sendRDQuery, | |
feccaf7f | 3541 | tns->first, *remoteIP, false, &truncated); |
6dfff36f RG |
3542 | if (gotAnswer && truncated ) { |
3543 | /* retry, over TCP this time */ | |
3544 | gotAnswer = doResolveAtThisIP(prefix, qname, qtype, lwr, ednsmask, auth, sendRDQuery, | |
feccaf7f | 3545 | tns->first, *remoteIP, true, &truncated); |
6dfff36f | 3546 | } |
710af846 | 3547 | |
6dfff36f RG |
3548 | if (!gotAnswer) { |
3549 | continue; | |
3550 | } | |
352b4183 | 3551 | |
feccaf7f | 3552 | LOG(prefix<<qname<<": Got "<<(unsigned int)lwr.d_records.size()<<" answers from "<<tns->first<<" ("<< remoteIP->toString() <<"), rcode="<<lwr.d_rcode<<" ("<<RCode::to_s(lwr.d_rcode)<<"), aa="<<lwr.d_aabit<<", in "<<lwr.d_usec/1000<<"ms"<<endl); |
92011b8f | 3553 | |
6dfff36f RG |
3554 | /* // for you IPv6 fanatics :-) |
3555 | if(remoteIP->sin4.sin_family==AF_INET6) | |
3556 | lwr.d_usec/=3; | |
3557 | */ | |
3558 | // cout<<"msec: "<<lwr.d_usec/1000.0<<", "<<g_avgLatency/1000.0<<'\n'; | |
710af846 | 3559 | |
b9715061 | 3560 | t_sstorage.nsSpeeds[tns->first.empty()? DNSName(remoteIP->toStringWithPort()) : tns->first].submit(*remoteIP, lwr.d_usec, d_now); |
628e2c7b | 3561 | |
6dfff36f | 3562 | /* we have received an answer, are we done ? */ |
51b6b728 | 3563 | bool done = processAnswer(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, sendRDQuery, nameservers, ret, luaconfsLocal->dfe, &gotNewServers, &rcode, state); |
6dfff36f RG |
3564 | if (done) { |
3565 | return rcode; | |
4957a608 | 3566 | } |
6dfff36f | 3567 | if (gotNewServers) { |
116d1288 OM |
3568 | if (stopAtDelegation && *stopAtDelegation == Stop) { |
3569 | *stopAtDelegation = Stopped; | |
3570 | return rcode; | |
3571 | } | |
6dfff36f | 3572 | break; |
4957a608 | 3573 | } |
6dfff36f RG |
3574 | /* was lame */ |
3575 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(*remoteIP, qname, qtype.getCode()), 60, 100); | |
4957a608 | 3576 | } |
aadceba8 | 3577 | |
6dfff36f RG |
3578 | if (gotNewServers) { |
3579 | break; | |
4957a608 | 3580 | } |
620db2c8 | 3581 | |
6dfff36f RG |
3582 | if(remoteIP == remoteIPs.cend()) // we tried all IP addresses, none worked |
3583 | continue; | |
620db2c8 | 3584 | |
86c152f2 BH |
3585 | } |
3586 | } | |
86c152f2 | 3587 | } |
ac539791 | 3588 | return -1; |
86c152f2 BH |
3589 | } |
3590 | ||
2fe3354d | 3591 | void SyncRes::setQuerySource(const ComboAddress& requestor, boost::optional<const EDNSSubnetOpts&> incomingECS) |
8a3a3822 | 3592 | { |
2fe3354d CH |
3593 | d_requestor = requestor; |
3594 | ||
3595 | if (incomingECS && incomingECS->source.getBits() > 0) { | |
3596 | d_cacheRemote = incomingECS->source.getMaskedNetwork(); | |
d14121a8 | 3597 | uint8_t bits = std::min(incomingECS->source.getBits(), (incomingECS->source.isIPv4() ? s_ecsipv4limit : s_ecsipv6limit)); |
2fe3354d CH |
3598 | ComboAddress trunc = incomingECS->source.getNetwork(); |
3599 | trunc.truncate(bits); | |
3600 | d_outgoingECSNetwork = boost::optional<Netmask>(Netmask(trunc, bits)); | |
3601 | } else { | |
3602 | d_cacheRemote = d_requestor; | |
3603 | if(!incomingECS && s_ednslocalsubnets.match(d_requestor)) { | |
3604 | ComboAddress trunc = d_requestor; | |
3605 | uint8_t bits = d_requestor.isIPv4() ? 32 : 128; | |
3606 | bits = std::min(bits, (trunc.isIPv4() ? s_ecsipv4limit : s_ecsipv6limit)); | |
3607 | trunc.truncate(bits); | |
3608 | d_outgoingECSNetwork = boost::optional<Netmask>(Netmask(trunc, bits)); | |
3609 | } else if (s_ecsScopeZero.source.getBits() > 0) { | |
8a3a3822 RG |
3610 | /* RFC7871 says we MUST NOT send any ECS if the source scope is 0. |
3611 | But using an empty ECS in that case would mean inserting | |
3612 | a non ECS-specific entry into the cache, preventing any further | |
3613 | ECS-specific query to be sent. | |
3614 | So instead we use the trick described in section 7.1.2: | |
3615 | "The subsequent Recursive Resolver query to the Authoritative Nameserver | |
3616 | will then either not include an ECS option or MAY optionally include | |
3617 | its own address information, which is what the Authoritative | |
3618 | Nameserver will almost certainly use to generate any Tailored | |
3619 | Response in lieu of an option. This allows the answer to be handled | |
3620 | by the same caching mechanism as other queries, with an explicit | |
3621 | indicator of the applicable scope. Subsequent Stub Resolver queries | |
3622 | for /0 can then be answered from this cached response. | |
3623 | */ | |
2fe3354d CH |
3624 | d_outgoingECSNetwork = boost::optional<Netmask>(s_ecsScopeZero.source.getMaskedNetwork()); |
3625 | d_cacheRemote = s_ecsScopeZero.source.getNetwork(); | |
3626 | } else { | |
3627 | // ECS disabled because no scope-zero address could be derived. | |
3628 | d_outgoingECSNetwork = boost::none; | |
8a3a3822 RG |
3629 | } |
3630 | } | |
8a3a3822 RG |
3631 | } |
3632 | ||
2fe3354d | 3633 | boost::optional<Netmask> SyncRes::getEDNSSubnetMask(const DNSName& dn, const ComboAddress& rem) |
e9f9b8ec | 3634 | { |
2fe3354d CH |
3635 | if(d_outgoingECSNetwork && (s_ednsdomains.check(dn) || s_ednsremotesubnets.match(rem))) { |
3636 | return d_outgoingECSNetwork; | |
e9f9b8ec | 3637 | } |
2fe3354d | 3638 | return boost::none; |
e9f9b8ec | 3639 | } |
bd53ea9d | 3640 | |
9065eb05 RG |
3641 | void SyncRes::parseEDNSSubnetWhitelist(const std::string& wlist) |
3642 | { | |
3643 | vector<string> parts; | |
3644 | stringtok(parts, wlist, ",; "); | |
3645 | for(const auto& a : parts) { | |
3646 | try { | |
2fe3354d | 3647 | s_ednsremotesubnets.addMask(Netmask(a)); |
9065eb05 RG |
3648 | } |
3649 | catch(...) { | |
3650 | s_ednsdomains.add(DNSName(a)); | |
3651 | } | |
3652 | } | |
3653 | } | |
3654 | ||
2fe3354d CH |
3655 | void SyncRes::parseEDNSSubnetAddFor(const std::string& subnetlist) |
3656 | { | |
3657 | vector<string> parts; | |
3658 | stringtok(parts, subnetlist, ",; "); | |
3659 | for(const auto& a : parts) { | |
3660 | s_ednslocalsubnets.addMask(a); | |
3661 | } | |
3662 | } | |
3663 | ||
8ce79a22 | 3664 | // used by PowerDNSLua - note that this neglects to add the packet count & statistics back to pdns_ercursor.cc |
a3e7b735 | 3665 | int directResolve(const DNSName& qname, const QType& qtype, int qclass, vector<DNSRecord>& ret) |
bd53ea9d PD |
3666 | { |
3667 | struct timeval now; | |
3668 | gettimeofday(&now, 0); | |
710af846 | 3669 | |
bd53ea9d | 3670 | SyncRes sr(now); |
13658071 RB |
3671 | int res = -1; |
3672 | try { | |
3673 | res = sr.beginResolve(qname, QType(qtype), qclass, ret); | |
3674 | } | |
3675 | catch(const PDNSException& e) { | |
3676 | g_log<<Logger::Error<<"Failed to resolve "<<qname.toLogString()<<", got pdns exception: "<<e.reason<<endl; | |
3677 | ret.clear(); | |
3678 | } | |
3679 | catch(const ImmediateServFailException& e) { | |
3680 | g_log<<Logger::Error<<"Failed to resolve "<<qname.toLogString()<<", got ImmediateServFailException: "<<e.reason<<endl; | |
3681 | ret.clear(); | |
3682 | } | |
124dd1d4 RG |
3683 | catch(const PolicyHitException& e) { |
3684 | g_log<<Logger::Error<<"Failed to resolve "<<qname.toLogString()<<", got a policy hit"<<endl; | |
3685 | ret.clear(); | |
3686 | } | |
13658071 RB |
3687 | catch(const std::exception& e) { |
3688 | g_log<<Logger::Error<<"Failed to resolve "<<qname.toLogString()<<", got STL error: "<<e.what()<<endl; | |
3689 | ret.clear(); | |
3690 | } | |
3691 | catch(...) { | |
3692 | g_log<<Logger::Error<<"Failed to resolve "<<qname.toLogString()<<", got an exception"<<endl; | |
3693 | ret.clear(); | |
3694 | } | |
e325f20c | 3695 | |
bd53ea9d PD |
3696 | return res; |
3697 | } | |
30ee601a | 3698 | |
30ee601a RG |
3699 | int SyncRes::getRootNS(struct timeval now, asyncresolve_t asyncCallback) { |
3700 | SyncRes sr(now); | |
3701 | sr.setDoEDNS0(true); | |
0b29b9c5 | 3702 | sr.setUpdatingRootNS(); |
30ee601a | 3703 | sr.setDoDNSSEC(g_dnssecmode != DNSSECMode::Off); |
0c43f455 | 3704 | sr.setDNSSECValidationRequested(g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate); |
30ee601a RG |
3705 | sr.setAsyncCallback(asyncCallback); |
3706 | ||
3707 | vector<DNSRecord> ret; | |
3708 | int res=-1; | |
3709 | try { | |
3710 | res=sr.beginResolve(g_rootdnsname, QType(QType::NS), 1, ret); | |
3711 | if (g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate) { | |
4d2be65d | 3712 | auto state = sr.getValidationState(); |
30ee601a RG |
3713 | if (state == Bogus) |
3714 | throw PDNSException("Got Bogus validation result for .|NS"); | |
3715 | } | |
3716 | return res; | |
3717 | } | |
c78ceb39 | 3718 | catch(const PDNSException& e) { |
e6a9dde5 | 3719 | g_log<<Logger::Error<<"Failed to update . records, got an exception: "<<e.reason<<endl; |
30ee601a | 3720 | } |
c78ceb39 | 3721 | catch(const ImmediateServFailException& e) { |
e6a9dde5 | 3722 | g_log<<Logger::Error<<"Failed to update . records, got an exception: "<<e.reason<<endl; |
c78ceb39 | 3723 | } |
124dd1d4 RG |
3724 | catch(const PolicyHitException& e) { |
3725 | g_log<<Logger::Error<<"Failed to update . records, got a policy hit"<<endl; | |
3726 | ret.clear(); | |
3727 | } | |
c78ceb39 | 3728 | catch(const std::exception& e) { |
e6a9dde5 | 3729 | g_log<<Logger::Error<<"Failed to update . records, got an exception: "<<e.what()<<endl; |
30ee601a | 3730 | } |
c78ceb39 | 3731 | catch(...) { |
e6a9dde5 | 3732 | g_log<<Logger::Error<<"Failed to update . records, got an exception"<<endl; |
30ee601a | 3733 | } |
c78ceb39 | 3734 | |
30ee601a | 3735 | if(!res) { |
e6a9dde5 | 3736 | g_log<<Logger::Notice<<"Refreshed . records"<<endl; |
30ee601a RG |
3737 | } |
3738 | else | |
e6a9dde5 | 3739 | g_log<<Logger::Error<<"Failed to update . records, RCODE="<<res<<endl; |
c78ceb39 | 3740 | |
30ee601a RG |
3741 | return res; |
3742 | } |