]> git.ipfire.org Git - people/ms/dnsmasq.git/blame - src/forward.c
projects / people / ms / dnsmasq.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix new poll() code for helper pipe. Removed CPU-spin.
[people/ms/dnsmasq.git] / src / forward.c
CommitLineData
aff33962 1/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
9e4abcb5
SK		 2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
824af85b
SK		 5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
9e4abcb5
SK		 8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
824af85b 12
73a08a24
SK		 13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
9e4abcb5
SK		 15*/
16
9e4abcb5
SK		 17#include "dnsmasq.h"
18
8a9be9e4 19static struct frec *lookup_frec(unsigned short id, void *hash);
9e4abcb5 20static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481 21 union mysockaddr *addr,
8a9be9e4
SK		 22 void *hash);
23static unsigned short get_id(void);
1a6bca81 24static void free_frec(struct frec *f);
9e4abcb5 25
00a5b5d4
SK		 26#ifdef HAVE_DNSSEC
27static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
28 int class, char *name, char *keyname, struct server *server, int *keycount);
97e618a0
SK		 29static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname);
30static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
31 char *name, char *keyname);
00a5b5d4
SK		 32#endif
33
34
824af85b 35/* Send a UDP packet with its source address set as "source"
44a2a316 36 unless nowild is true, when we just send it with the kernel default */
29689cfa
SK		 37int send_from(int fd, int nowild, char *packet, size_t len,
38 union mysockaddr *to, struct all_addr *source,
50303b19 39 unsigned int iface)
9e4abcb5 40{
44a2a316
SK		 41 struct msghdr msg;
42 struct iovec iov[1];
44a2a316
SK		 43 union {
44 struct cmsghdr align; /* this ensures alignment */
5e9e0efb 45#if defined(HAVE_LINUX_NETWORK)
44a2a316
SK		 46 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
47#elif defined(IP_SENDSRCADDR)
48 char control[CMSG_SPACE(sizeof(struct in_addr))];
49#endif
50#ifdef HAVE_IPV6
51 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
52#endif
53 } control_u;
feba5c1d 54
44a2a316
SK		 55 iov[0].iov_base = packet;
56 iov[0].iov_len = len;
57
feba5c1d
SK		 58 msg.msg_control = NULL;
59 msg.msg_controllen = 0;
44a2a316
SK		 60 msg.msg_flags = 0;
61 msg.msg_name = to;
62 msg.msg_namelen = sa_len(to);
63 msg.msg_iov = iov;
64 msg.msg_iovlen = 1;
feba5c1d 65
26128d27 66 if (!nowild)
44a2a316 67 {
26128d27 68 struct cmsghdr *cmptr;
feba5c1d
SK		 69 msg.msg_control = &control_u;
70 msg.msg_controllen = sizeof(control_u);
26128d27
SK		 71 cmptr = CMSG_FIRSTHDR(&msg);
72
73 if (to->sa.sa_family == AF_INET)
74 {
5e9e0efb 75#if defined(HAVE_LINUX_NETWORK)
8ef5ada2
SK		 76 struct in_pktinfo p;
77 p.ipi_ifindex = 0;
78 p.ipi_spec_dst = source->addr.addr4;
79 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 80 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
c72daea8 81 cmptr->cmsg_level = IPPROTO_IP;
26128d27 82 cmptr->cmsg_type = IP_PKTINFO;
44a2a316 83#elif defined(IP_SENDSRCADDR)
8ef5ada2 84 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
26128d27
SK		 85 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
86 cmptr->cmsg_level = IPPROTO_IP;
87 cmptr->cmsg_type = IP_SENDSRCADDR;
44a2a316 88#endif
26128d27 89 }
26128d27 90 else
b8187c80 91#ifdef HAVE_IPV6
26128d27 92 {
8ef5ada2
SK		 93 struct in6_pktinfo p;
94 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
95 p.ipi6_addr = source->addr.addr6;
96 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 97 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
316e2730 98 cmptr->cmsg_type = daemon->v6pktinfo;
c72daea8 99 cmptr->cmsg_level = IPPROTO_IPV6;
26128d27 100 }
3d8df260 101#else
c72daea8 102 (void)iface; /* eliminate warning */
44a2a316 103#endif
26128d27 104 }
feba5c1d 105
ff841ebf
SK		 106 while (retry_send(sendmsg(fd, &msg, 0)));
107
108 /* If interface is still in DAD, EINVAL results - ignore that. */
109 if (errno != 0 && errno != EINVAL)
feba5c1d 110 {
29d28dda 111 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
29689cfa 112 return 0;
feba5c1d 113 }
29d28dda 114
29689cfa 115 return 1;
9e4abcb5 116}
44a2a316 117
28866e95
SK		 118static unsigned int search_servers(time_t now, struct all_addr **addrpp,
119 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
feba5c1d
SK		 120
121{
122 /* If the query ends in the domain in one of our servers, set
123 domain to point to that name. We find the largest match to allow both
124 domain.org and sub.domain.org to exist. */
125
126 unsigned int namelen = strlen(qdomain);
127 unsigned int matchlen = 0;
128 struct server *serv;
28866e95 129 unsigned int flags = 0;
feba5c1d 130
3be34541 131 for (serv = daemon->servers; serv; serv=serv->next)
feba5c1d 132 /* domain matches take priority over NODOTS matches */
3d8df260 133 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
feba5c1d 134 {
28866e95 135 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
feba5c1d 136 *type = SERV_FOR_NODOTS;
feba5c1d 137 if (serv->flags & SERV_NO_ADDR)
36717eee
SK		 138 flags = F_NXDOMAIN;
139 else if (serv->flags & SERV_LITERAL_ADDRESS)
140 {
141 if (sflag & qtype)
142 {
143 flags = sflag;
144 if (serv->addr.sa.sa_family == AF_INET)
145 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 146#ifdef HAVE_IPV6
36717eee
SK		 147 else
148 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 149#endif
36717eee 150 }
824af85b 151 else if (!flags || (flags & F_NXDOMAIN))
36717eee
SK		 152 flags = F_NOERR;
153 }
feba5c1d
SK		 154 }
155 else if (serv->flags & SERV_HAS_DOMAIN)
156 {
157 unsigned int domainlen = strlen(serv->domain);
b8187c80 158 char *matchstart = qdomain + namelen - domainlen;
feba5c1d 159 if (namelen >= domainlen &&
b8187c80 160 hostname_isequal(matchstart, serv->domain) &&
8ef5ada2 161 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
feba5c1d 162 {
8ef5ada2
SK		 163 if (serv->flags & SERV_NO_REBIND)
164 *norebind = 1;
28866e95 165 else
feba5c1d 166 {
28866e95
SK		 167 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
168 /* implement priority rules for --address and --server for same domain.
169 --address wins if the address is for the correct AF
170 --server wins otherwise. */
171 if (domainlen != 0 && domainlen == matchlen)
36717eee 172 {
28866e95 173 if ((serv->flags & SERV_LITERAL_ADDRESS))
8ef5ada2 174 {
28866e95
SK		 175 if (!(sflag & qtype) && flags == 0)
176 continue;
177 }
178 else
179 {
180 if (flags & (F_IPV4 | F_IPV6))
181 continue;
182 }
183 }
184
185 if (domainlen >= matchlen)
186 {
187 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
188 *domain = serv->domain;
189 matchlen = domainlen;
190 if (serv->flags & SERV_NO_ADDR)
191 flags = F_NXDOMAIN;
192 else if (serv->flags & SERV_LITERAL_ADDRESS)
193 {
194 if (sflag & qtype)
195 {
196 flags = sflag;
197 if (serv->addr.sa.sa_family == AF_INET)
198 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 199#ifdef HAVE_IPV6
28866e95
SK		 200 else
201 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 202#endif
28866e95
SK		 203 }
204 else if (!flags || (flags & F_NXDOMAIN))
205 flags = F_NOERR;
8ef5ada2 206 }
28866e95
SK		 207 else
208 flags = 0;
209 }
210 }
8ef5ada2 211 }
feba5c1d 212 }
8ef5ada2 213
7de060b0 214 if (flags == 0 && !(qtype & F_QUERY) &&
28866e95 215 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
7de060b0
SK		 216 /* don't forward A or AAAA queries for simple names, except the empty name */
217 flags = F_NOERR;
8ef5ada2 218
5aabfc78 219 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
c1bb8504 220 flags = F_NOERR;
feba5c1d 221
824af85b
SK		 222 if (flags)
223 {
224 int logflags = 0;
225
226 if (flags == F_NXDOMAIN || flags == F_NOERR)
227 logflags = F_NEG | qtype;
228
1a6bca81 229 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
824af85b 230 }
8ef5ada2
SK		 231 else if ((*type) & SERV_USE_RESOLV)
232 {
233 *type = 0; /* use normal servers for this domain */
234 *domain = NULL;
235 }
feba5c1d
SK		 236 return flags;
237}
44a2a316 238
824af85b
SK		 239static int forward_query(int udpfd, union mysockaddr *udpaddr,
240 struct all_addr *dst_addr, unsigned int dst_iface,
83349b8a 241 struct dns_header *header, size_t plen, time_t now,
613ad15d 242 struct frec *forward, int ad_reqd, int do_bit)
9e4abcb5 243{
9e4abcb5 244 char *domain = NULL;
8ef5ada2 245 int type = 0, norebind = 0;
9e4abcb5 246 struct all_addr *addrp = NULL;
28866e95 247 unsigned int flags = 0;
de37951c 248 struct server *start = NULL;
8a9be9e4
SK		 249#ifdef HAVE_DNSSEC
250 void *hash = hash_questions(header, plen, daemon->namebuff);
251#else
252 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
253 void *hash = &crc;
254#endif
255 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
a77cec8d 256 unsigned char *pheader;
8a9be9e4 257
00a5b5d4
SK		 258 (void)do_bit;
259
3d8df260
SK		 260 /* may be no servers available. */
261 if (!daemon->servers)
9e4abcb5 262 forward = NULL;
8a9be9e4 263 else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
9e4abcb5 264 {
a77cec8d
SK		 265 /* If we didn't get an answer advertising a maximal packet in EDNS,
266 fall back to 1280, which should work everywhere on IPv6.
267 If that generates an answer, it will become the new default
268 for this server */
269 forward->flags |= FREC_TEST_PKTSZ;
270
e0c0ad3b 271#ifdef HAVE_DNSSEC
dac74312 272 /* If we've already got an answer to this query, but we're awaiting keys for validation,
e0c0ad3b
SK		 273 there's no point retrying the query, retry the key query instead...... */
274 if (forward->blocking_query)
275 {
276 int fd;
a77cec8d
SK		 277
278 forward->flags &= ~FREC_TEST_PKTSZ;
279
e0c0ad3b
SK		 280 while (forward->blocking_query)
281 forward = forward->blocking_query;
a77cec8d
SK		 282
283 forward->flags |= FREC_TEST_PKTSZ;
e0c0ad3b
SK		 284
285 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
286 plen = forward->stash_len;
287
a77cec8d
SK		 288 if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
289 PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : forward->sentto->edns_pktsz, pheader);
290
2b29191e 291 if (forward->sentto->addr.sa.sa_family == AF_INET)
25cf5e37 292 log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
e0c0ad3b
SK		 293#ifdef HAVE_IPV6
294 else
25cf5e37 295 log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
e0c0ad3b
SK		 296#endif
297
298 if (forward->sentto->sfd)
299 fd = forward->sentto->sfd->fd;
300 else
301 {
302#ifdef HAVE_IPV6
303 if (forward->sentto->addr.sa.sa_family == AF_INET6)
304 fd = forward->rfd6->fd;
305 else
306#endif
307 fd = forward->rfd4->fd;
308 }
309
ff841ebf
SK		 310 while (retry_send( sendto(fd, (char *)header, plen, 0,
311 &forward->sentto->addr.sa,
312 sa_len(&forward->sentto->addr))));
e0c0ad3b
SK		 313
314 return 1;
315 }
316#endif
317
de37951c 318 /* retry on existing query, send to all available servers */
9e4abcb5 319 domain = forward->sentto->domain;
824af85b 320 forward->sentto->failed_queries++;
28866e95 321 if (!option_bool(OPT_ORDER))
de37951c 322 {
0a852541 323 forward->forwardall = 1;
3be34541 324 daemon->last_server = NULL;
de37951c 325 }
9e4abcb5 326 type = forward->sentto->flags & SERV_TYPE;
de37951c 327 if (!(start = forward->sentto->next))
3be34541 328 start = daemon->servers; /* at end of list, recycle */
9e4abcb5
SK		 329 header->id = htons(forward->new_id);
330 }
331 else
332 {
333 if (gotname)
8ef5ada2 334 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
9e4abcb5 335
3a237152 336 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
feba5c1d
SK		 337 /* table full - server failure. */
338 flags = F_NEG;
9e4abcb5
SK		 339
340 if (forward)
341 {
0a852541
SK		 342 forward->source = *udpaddr;
343 forward->dest = *dst_addr;
344 forward->iface = dst_iface;
0a852541 345 forward->orig_id = ntohs(header->id);
8a9be9e4 346 forward->new_id = get_id();
832af0ba 347 forward->fd = udpfd;
8a9be9e4 348 memcpy(forward->hash, hash, HASH_SIZE);
0a852541 349 forward->forwardall = 0;
ed4c0767 350 forward->flags = 0;
28866e95
SK		 351 if (norebind)
352 forward->flags |= FREC_NOREBIND;
572b41eb 353 if (header->hb4 & HB4_CD)
28866e95 354 forward->flags |= FREC_CHECKING_DISABLED;
83349b8a
SK		 355 if (ad_reqd)
356 forward->flags |= FREC_AD_QUESTION;
7fa836e1
SK		 357#ifdef HAVE_DNSSEC
358 forward->work_counter = DNSSEC_WORK;
613ad15d
SK		 359 if (do_bit)
360 forward->flags |= FREC_DO_QUESTION;
7fa836e1 361#endif
613ad15d 362
28866e95
SK		 363 header->id = htons(forward->new_id);
364
8ef5ada2
SK		 365 /* In strict_order mode, always try servers in the order
366 specified in resolv.conf, if a domain is given
367 always try all the available servers,
9e4abcb5
SK		 368 otherwise, use the one last known to work. */
369
8ef5ada2
SK		 370 if (type == 0)
371 {
28866e95 372 if (option_bool(OPT_ORDER))
8ef5ada2
SK		 373 start = daemon->servers;
374 else if (!(start = daemon->last_server) ||
375 daemon->forwardcount++ > FORWARD_TEST ||
376 difftime(now, daemon->forwardtime) > FORWARD_TIME)
377 {
378 start = daemon->servers;
379 forward->forwardall = 1;
380 daemon->forwardcount = 0;
381 daemon->forwardtime = now;
382 }
383 }
384 else
de37951c 385 {
3be34541 386 start = daemon->servers;
28866e95 387 if (!option_bool(OPT_ORDER))
8ef5ada2 388 forward->forwardall = 1;
de37951c 389 }
9e4abcb5
SK		 390 }
391 }
feba5c1d 392
9e4abcb5
SK		 393 /* check for send errors here (no route to host)
394 if we fail to send to all nameservers, send back an error
395 packet straight away (helps modem users when offline) */
396
397 if (!flags && forward)
398 {
de37951c
SK		 399 struct server *firstsentto = start;
400 int forwarded = 0;
28866e95 401
25cf5e37
SK		 402 /* If a query is retried, use the log_id for the retry when logging the answer. */
403 forward->log_id = daemon->log_id;
404
797a7afb 405 if (option_bool(OPT_ADD_MAC))
60b68069 406 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
28866e95 407
ed4c0767
SK		 408 if (option_bool(OPT_CLIENT_SUBNET))
409 {
60b68069 410 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
ed4c0767
SK		 411 if (new != plen)
412 {
413 plen = new;
414 forward->flags |= FREC_HAS_SUBNET;
415 }
416 }
417
3a237152
SK		 418#ifdef HAVE_DNSSEC
419 if (option_bool(OPT_DNSSEC_VALID))
0fc2f313 420 {
613ad15d
SK		 421 size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
422
5b3bf921
SK		 423 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
424 this allows it to select auth servers when one is returning bad data. */
425 if (option_bool(OPT_DNSSEC_DEBUG))
426 header->hb4 |= HB4_CD;
613ad15d
SK		 427
428 if (new_plen != plen)
429 forward->flags |= FREC_ADDED_PHEADER;
430
431 plen = new_plen;
0fc2f313 432 }
3a237152 433#endif
a77cec8d 434
9e4abcb5
SK		 435 while (1)
436 {
9e4abcb5
SK		 437 /* only send to servers dealing with our domain.
438 domain may be NULL, in which case server->domain
439 must be NULL also. */
440
de37951c 441 if (type == (start->flags & SERV_TYPE) &&
fd9fa481 442 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
b5ea1cc2 443 !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
9e4abcb5 444 {
1a6bca81
SK		 445 int fd;
446
447 /* find server socket to use, may need to get random one. */
448 if (start->sfd)
449 fd = start->sfd->fd;
450 else
451 {
452#ifdef HAVE_IPV6
453 if (start->addr.sa.sa_family == AF_INET6)
454 {
455 if (!forward->rfd6 &&
456 !(forward->rfd6 = allocate_rfd(AF_INET6)))
457 break;
3927da46 458 daemon->rfd_save = forward->rfd6;
1a6bca81
SK		 459 fd = forward->rfd6->fd;
460 }
461 else
462#endif
463 {
464 if (!forward->rfd4 &&
465 !(forward->rfd4 = allocate_rfd(AF_INET)))
466 break;
3927da46 467 daemon->rfd_save = forward->rfd4;
1a6bca81
SK		 468 fd = forward->rfd4->fd;
469 }
7de060b0
SK		 470
471#ifdef HAVE_CONNTRACK
472 /* Copy connection mark of incoming query to outgoing connection. */
473 if (option_bool(OPT_CONNTRACK))
474 {
475 unsigned int mark;
797a7afb 476 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
7de060b0
SK		 477 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
478 }
479#endif
1a6bca81 480 }
a77cec8d
SK		 481
482 if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
483 PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : start->edns_pktsz, pheader);
1a6bca81 484
ff841ebf
SK		 485 if (retry_send(sendto(fd, (char *)header, plen, 0,
486 &start->addr.sa,
487 sa_len(&start->addr))))
488 continue;
489
490 if (errno == 0)
9e4abcb5 491 {
cdeda28f
SK		 492 /* Keep info in case we want to re-send this packet */
493 daemon->srv_save = start;
494 daemon->packet_len = plen;
495
de37951c 496 if (!gotname)
3be34541 497 strcpy(daemon->namebuff, "query");
de37951c 498 if (start->addr.sa.sa_family == AF_INET)
3be34541 499 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 500 (struct all_addr *)&start->addr.in.sin_addr, NULL);
de37951c
SK		 501#ifdef HAVE_IPV6
502 else
3be34541 503 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 504 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
de37951c 505#endif
824af85b 506 start->queries++;
de37951c
SK		 507 forwarded = 1;
508 forward->sentto = start;
0a852541 509 if (!forward->forwardall)
de37951c 510 break;
0a852541 511 forward->forwardall++;
9e4abcb5
SK		 512 }
513 }
514
de37951c 515 if (!(start = start->next))
3be34541 516 start = daemon->servers;
9e4abcb5 517
de37951c 518 if (start == firstsentto)
9e4abcb5
SK		 519 break;
520 }
521
de37951c 522 if (forwarded)
824af85b 523 return 1;
de37951c 524
9e4abcb5
SK		 525 /* could not send on, prepare to return */
526 header->id = htons(forward->orig_id);
1a6bca81 527 free_frec(forward); /* cancel */
9e4abcb5
SK		 528 }
529
530 /* could not send on, return empty answer or address if known for whole domain */
b8187c80
SK		 531 if (udpfd != -1)
532 {
cdeda28f 533 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
54dd393f 534 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
b8187c80
SK		 535 }
536
824af85b 537 return 0;
9e4abcb5
SK		 538}
539
ed4c0767 540static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
fe3992f9
SK		 541 int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader,
542 int check_subnet, union mysockaddr *query_source)
feba5c1d 543{
36717eee 544 unsigned char *pheader, *sizep;
13d86c73 545 char **sets = 0;
832af0ba 546 int munged = 0, is_sign;
cdeda28f
SK		 547 size_t plen;
548
83349b8a 549 (void)ad_reqd;
982faf40
SK		 550 (void)do_bit;
551 (void)bogusanswer;
83349b8a 552
13d86c73 553#ifdef HAVE_IPSET
82a14af5 554 if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
13d86c73 555 {
82a14af5
SK		 556 /* Similar algorithm to search_servers. */
557 struct ipsets *ipset_pos;
558 unsigned int namelen = strlen(daemon->namebuff);
559 unsigned int matchlen = 0;
560 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
6c0cb858 561 {
82a14af5
SK		 562 unsigned int domainlen = strlen(ipset_pos->domain);
563 char *matchstart = daemon->namebuff + namelen - domainlen;
564 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
565 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
566 domainlen >= matchlen)
567 {
568 matchlen = domainlen;
569 sets = ipset_pos->sets;
570 }
6c0cb858 571 }
13d86c73
JD		 572 }
573#endif
574
feba5c1d 575 /* If upstream is advertising a larger UDP packet size
9009d746
SK		 576 than we allow, trim it so that we don't get overlarge
577 requests for the client. We can't do this for signed packets. */
feba5c1d 578
ed4c0767 579 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
feba5c1d 580 {
83349b8a
SK		 581 unsigned short udpsz;
582 unsigned char *psave = sizep;
583
584 GETSHORT(udpsz, sizep);
585
586 if (!is_sign && udpsz > daemon->edns_pktsz)
587 PUTSHORT(daemon->edns_pktsz, psave);
feba5c1d 588
ed4c0767
SK		 589 if (check_subnet && !check_source(header, plen, pheader, query_source))
590 {
591 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
592 return 0;
593 }
613ad15d
SK		 594
595 if (added_pheader)
596 {
597 pheader = 0;
598 header->arcount = htons(0);
599 }
feba5c1d 600 }
83349b8a 601
28866e95 602 /* RFC 4035 sect 4.6 para 3 */
237724c0 603 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
795501bc 604 header->hb4 &= ~HB4_AD;
3a237152 605
572b41eb 606 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
8938ae05 607 return resize_packet(header, n, pheader, plen);
0a852541 608
feba5c1d 609 /* Complain loudly if the upstream server is non-recursive. */
572b41eb 610 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
0a852541 611 server && !(server->flags & SERV_WARNED_RECURSIVE))
feba5c1d 612 {
3d8df260 613 prettyprint_addr(&server->addr, daemon->namebuff);
f2621c7f 614 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
28866e95 615 if (!option_bool(OPT_LOG))
0a852541
SK		 616 server->flags |= SERV_WARNED_RECURSIVE;
617 }
e292e93d 618
572b41eb 619 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
fd9fa481 620 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
feba5c1d 621 {
fd9fa481 622 munged = 1;
572b41eb
SK		 623 SET_RCODE(header, NXDOMAIN);
624 header->hb3 &= ~HB3_AA;
6938f347 625 cache_secure = 0;
36717eee 626 }
fd9fa481 627 else
36717eee 628 {
6938f347
SK		 629 int doctored = 0;
630
572b41eb 631 if (RCODE(header) == NXDOMAIN &&
fd9fa481 632 extract_request(header, n, daemon->namebuff, NULL) &&
5aabfc78 633 check_for_local_domain(daemon->namebuff, now))
36717eee
SK		 634 {
635 /* if we forwarded a query for a locally known name (because it was for
636 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
637 since we know that the domain exists, even if upstream doesn't */
fd9fa481 638 munged = 1;
572b41eb
SK		 639 header->hb3 |= HB3_AA;
640 SET_RCODE(header, NOERROR);
6938f347 641 cache_secure = 0;
feba5c1d 642 }
832af0ba 643
6938f347 644 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
824af85b 645 {
8ef5ada2 646 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
824af85b 647 munged = 1;
6938f347 648 cache_secure = 0;
824af85b 649 }
6938f347
SK		 650
651 if (doctored)
652 cache_secure = 0;
feba5c1d 653 }
fd9fa481 654
a25720a3 655#ifdef HAVE_DNSSEC
fe3992f9 656 if (bogusanswer && !(header->hb4 & HB4_CD))
a25720a3 657 {
7d23a66f 658 if (!option_bool(OPT_DNSSEC_DEBUG))
a25720a3
SK		 659 {
660 /* Bogus reply, turn into SERVFAIL */
661 SET_RCODE(header, SERVFAIL);
662 munged = 1;
663 }
664 }
6938f347
SK		 665
666 if (option_bool(OPT_DNSSEC_VALID))
667 header->hb4 &= ~HB4_AD;
668
83349b8a 669 if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
6938f347 670 header->hb4 |= HB4_AD;
613ad15d
SK		 671
672 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
673 if (!do_bit)
674 n = filter_rrsigs(header, n);
a25720a3
SK		 675#endif
676
fd9fa481
SK		 677 /* do this after extract_addresses. Ensure NODATA reply and remove
678 nameserver info. */
679
680 if (munged)
681 {
682 header->ancount = htons(0);
683 header->nscount = htons(0);
684 header->arcount = htons(0);
150162bc 685 header->hb3 &= ~HB3_TC;
fd9fa481
SK		 686 }
687
36717eee
SK		 688 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
689 sections of the packet. Find the new length here and put back pseudoheader
690 if it was removed. */
691 return resize_packet(header, n, pheader, plen);
feba5c1d
SK		 692}
693
3be34541 694/* sets new last_server */
1a6bca81 695void reply_query(int fd, int family, time_t now)
9e4abcb5
SK		 696{
697 /* packet from peer server, extract data for cache, and send to
698 original requester */
572b41eb 699 struct dns_header *header;
de37951c 700 union mysockaddr serveraddr;
832af0ba 701 struct frec *forward;
de37951c 702 socklen_t addrlen = sizeof(serveraddr);
60b68069 703 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
cdeda28f 704 size_t nn;
1a6bca81 705 struct server *server;
8a9be9e4
SK		 706 void *hash;
707#ifndef HAVE_DNSSEC
708 unsigned int crc;
709#endif
710
cdeda28f
SK		 711 /* packet buffer overwritten */
712 daemon->srv_save = NULL;
832af0ba 713
de37951c 714 /* Determine the address of the server replying so that we can mark that as good */
1a6bca81 715 serveraddr.sa.sa_family = family;
de37951c
SK		 716#ifdef HAVE_IPV6
717 if (serveraddr.sa.sa_family == AF_INET6)
5e9e0efb 718 serveraddr.in6.sin6_flowinfo = 0;
de37951c 719#endif
9e4abcb5 720
490f9075
SK		 721 header = (struct dns_header *)daemon->packet;
722
723 if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
724 return;
725
1a6bca81
SK		 726 /* spoof check: answer must come from known server, */
727 for (server = daemon->servers; server; server = server->next)
728 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
729 sockaddr_isequal(&server->addr, &serveraddr))
730 break;
490f9075
SK		 731
732 if (!server)
733 return;
734
8a9be9e4
SK		 735#ifdef HAVE_DNSSEC
736 hash = hash_questions(header, n, daemon->namebuff);
737#else
738 hash = &crc;
739 crc = questions_crc(header, n, daemon->namebuff);
740#endif
fd9fa481 741
490f9075 742 if (!(forward = lookup_frec(ntohs(header->id), hash)))
1a6bca81 743 return;
490f9075 744
25cf5e37
SK		 745 /* log_query gets called indirectly all over the place, so
746 pass these in global variables - sorry. */
747 daemon->log_display_id = forward->log_id;
748 daemon->log_source_addr = &forward->source;
749
32fc6dbe
GH		 750 if (daemon->ignore_addr && RCODE(header) == NOERROR &&
751 check_for_ignored_address(header, n, daemon->ignore_addr))
752 return;
753
2ae195f5 754 if (RCODE(header) == REFUSED &&
28866e95 755 !option_bool(OPT_ORDER) &&
1a6bca81
SK		 756 forward->forwardall == 0)
757 /* for broken servers, attempt to send to another one. */
9e4abcb5 758 {
1a6bca81
SK		 759 unsigned char *pheader;
760 size_t plen;
761 int is_sign;
832af0ba 762
1a6bca81
SK		 763 /* recreate query from reply */
764 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
765 if (!is_sign)
832af0ba 766 {
1a6bca81
SK		 767 header->ancount = htons(0);
768 header->nscount = htons(0);
769 header->arcount = htons(0);
770 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
832af0ba 771 {
bd7bfa21 772 header->hb3 &= ~(HB3_QR | HB3_AA | HB3_TC);
773 header->hb4 &= ~(HB4_RA | HB4_RCODE);
613ad15d 774 forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
1a6bca81 775 return;
832af0ba 776 }
832af0ba 777 }
1a6bca81 778 }
3a237152
SK		 779
780 server = forward->sentto;
1a6bca81
SK		 781 if ((forward->sentto->flags & SERV_TYPE) == 0)
782 {
51967f98 783 if (RCODE(header) == REFUSED)
1a6bca81
SK		 784 server = NULL;
785 else
b8187c80 786 {
1a6bca81
SK		 787 struct server *last_server;
788
789 /* find good server by address if possible, otherwise assume the last one we sent to */
790 for (last_server = daemon->servers; last_server; last_server = last_server->next)
791 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
792 sockaddr_isequal(&last_server->addr, &serveraddr))
793 {
794 server = last_server;
795 break;
796 }
797 }
28866e95 798 if (!option_bool(OPT_ALL_SERVERS))
1a6bca81
SK		 799 daemon->last_server = server;
800 }
a77cec8d
SK		 801
802 /* We tried resending to this server with a smaller maximum size and got an answer.
86fa1046
SK		 803 Make that permanent. To avoid reduxing the packet size for an single dropped packet,
804 only do this when we get a truncated answer, or one larger than the safe size. */
805 if (server && (forward->flags & FREC_TEST_PKTSZ) &&
806 ((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ))
a77cec8d
SK		 807 server->edns_pktsz = SAFE_PKTSZ;
808
1a6bca81
SK		 809 /* If the answer is an error, keep the forward record in place in case
810 we get a good reply from another server. Kill it when we've
811 had replies from all to avoid filling the forwarding table when
812 everything is broken */
51967f98 813 if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
1a6bca81 814 {
fe3992f9 815 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
3a237152
SK		 816
817 if (option_bool(OPT_NO_REBIND))
818 check_rebind = !(forward->flags & FREC_NOREBIND);
819
820 /* Don't cache replies where DNSSEC validation was turned off, either
821 the upstream server told us so, or the original query specified it. */
822 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
823 no_cache_dnssec = 1;
824
825#ifdef HAVE_DNSSEC
51967f98 826 if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
3a237152 827 {
9d633048 828 int status;
0fc2f313
SK		 829
830 /* We've had a reply already, which we're validating. Ignore this duplicate */
e0c0ad3b 831 if (forward->blocking_query)
0fc2f313 832 return;
9d633048 833
871417d4
SK		 834 if (header->hb3 & HB3_TC)
835 {
836 /* Truncated answer can't be validated.
5d3b87a4
SK		 837 If this is an answer to a DNSSEC-generated query, we still
838 need to get the client to retry over TCP, so return
839 an answer with the TC bit set, even if the actual answer fits.
840 */
841 status = STAT_TRUNCATED;
871417d4
SK		 842 }
843 else if (forward->flags & FREC_DNSKEY_QUERY)
8d718cbb 844 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
c3e0b9b6 845 else if (forward->flags & FREC_DS_QUERY)
00a5b5d4
SK		 846 {
847 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
fe3992f9
SK		 848 /* Provably no DS, everything below is insecure, even if signatures are offered */
849 if (status == STAT_NO_DS)
850 /* We only cache sigs when we've validated a reply.
851 Avoid caching a reply with sigs if there's a vaildated break in the
852 DS chain, so we don't return replies from cache missing sigs. */
d389e019
SK		 853 status = STAT_INSECURE_DS;
854 else if (status == STAT_NO_SIG)
855 {
856 if (option_bool(OPT_DNSSEC_NO_SIGN))
857 {
858 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
859 if (status == STAT_INSECURE)
860 status = STAT_INSECURE_DS;
861 }
862 else
863 status = STAT_INSECURE_DS;
864 }
865 else if (status == STAT_NO_NS)
97e618a0 866 status = STAT_BOGUS;
00a5b5d4
SK		 867 }
868 else if (forward->flags & FREC_CHECK_NOSIGN)
97e618a0
SK		 869 {
870 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
871 if (status != STAT_NEED_KEY)
872 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
873 }
9d633048 874 else
00a5b5d4 875 {
97e618a0 876 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
00a5b5d4
SK		 877 if (status == STAT_NO_SIG)
878 {
879 if (option_bool(OPT_DNSSEC_NO_SIGN))
97e618a0 880 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
00a5b5d4
SK		 881 else
882 status = STAT_INSECURE;
883 }
884 }
3a237152
SK		 885 /* Can't validate, as we're missing key data. Put this
886 answer aside, whilst we get that. */
00a5b5d4 887 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
3a237152 888 {
7fa836e1
SK		 889 struct frec *new, *orig;
890
891 /* Free any saved query */
892 if (forward->stash)
893 blockdata_free(forward->stash);
894
895 /* Now save reply pending receipt of key data */
896 if (!(forward->stash = blockdata_alloc((char *)header, n)))
897 return;
898 forward->stash_len = n;
0fc2f313 899
7fa836e1
SK		 900 anotherkey:
901 /* Find the original query that started it all.... */
902 for (orig = forward; orig->dependent; orig = orig->dependent);
903
904 if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
905 status = STAT_INSECURE;
906 else
3a237152 907 {
7fa836e1 908 int fd;
0fc2f313
SK		 909 struct frec *next = new->next;
910 *new = *forward; /* copy everything, then overwrite */
911 new->next = next;
0fc2f313 912 new->blocking_query = NULL;
8a8bbad0 913 new->sentto = server;
f1668d27 914 new->rfd4 = NULL;
97e618a0 915 new->orig_domain = NULL;
f1668d27
SK		 916#ifdef HAVE_IPV6
917 new->rfd6 = NULL;
918#endif
00a5b5d4 919 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN);
9d633048 920
7fa836e1
SK		 921 new->dependent = forward; /* to find query awaiting new one. */
922 forward->blocking_query = new; /* for garbage cleaning */
923 /* validate routines leave name of required record in daemon->keyname */
924 if (status == STAT_NEED_KEY)
925 {
926 new->flags |= FREC_DNSKEY_QUERY;
927 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
a77cec8d 928 daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz);
7fa836e1
SK		 929 }
930 else
931 {
00a5b5d4
SK		 932 if (status == STAT_NEED_DS_NEG)
933 new->flags |= FREC_CHECK_NOSIGN;
934 else
935 new->flags |= FREC_DS_QUERY;
7fa836e1 936 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
a77cec8d 937 daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz);
7fa836e1
SK		 938 }
939 if ((hash = hash_questions(header, nn, daemon->namebuff)))
940 memcpy(new->hash, hash, HASH_SIZE);
941 new->new_id = get_id();
942 header->id = htons(new->new_id);
943 /* Save query for retransmission */
97e618a0
SK		 944 if (!(new->stash = blockdata_alloc((char *)header, nn)))
945 return;
946
7fa836e1
SK		 947 new->stash_len = nn;
948
949 /* Don't resend this. */
950 daemon->srv_save = NULL;
e0c0ad3b 951
7fa836e1
SK		 952 if (server->sfd)
953 fd = server->sfd->fd;
e0c0ad3b 954 else
3a237152 955 {
7fa836e1
SK		 956 fd = -1;
957#ifdef HAVE_IPV6
958 if (server->addr.sa.sa_family == AF_INET6)
9d633048 959 {
7fa836e1
SK		 960 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
961 fd = new->rfd6->fd;
9d633048 962 }
3a237152 963 else
3a237152 964#endif
f1668d27 965 {
7fa836e1
SK		 966 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
967 fd = new->rfd4->fd;
f1668d27 968 }
3a237152 969 }
7fa836e1
SK		 970
971 if (fd != -1)
972 {
ff841ebf
SK		 973 while (retry_send(sendto(fd, (char *)header, nn, 0,
974 &server->addr.sa,
975 sa_len(&server->addr))));
7fa836e1
SK		 976 server->queries++;
977 }
978
979 return;
3a237152 980 }
3a237152
SK		 981 }
982
983 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
984 Now wind back down, pulling back answers which wouldn't previously validate
7fa836e1
SK		 985 and validate them with the new data. Note that if an answer needs multiple
986 keys to validate, we may find another key is needed, in which case we set off
987 down another branch of the tree. Once we get to the original answer
988 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
0744ca66 989 while (forward->dependent)
3a237152 990 {
0744ca66
SK		 991 struct frec *prev = forward->dependent;
992 free_frec(forward);
993 forward = prev;
994 forward->blocking_query = NULL; /* already gone */
995 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
996 n = forward->stash_len;
997
998 if (status == STAT_SECURE)
3a237152 999 {
0744ca66
SK		 1000 if (forward->flags & FREC_DNSKEY_QUERY)
1001 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
1002 else if (forward->flags & FREC_DS_QUERY)
00a5b5d4
SK		 1003 {
1004 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
fe3992f9
SK		 1005 /* Provably no DS, everything below is insecure, even if signatures are offered */
1006 if (status == STAT_NO_DS)
1007 /* We only cache sigs when we've validated a reply.
1008 Avoid caching a reply with sigs if there's a vaildated break in the
1009 DS chain, so we don't return replies from cache missing sigs. */
1010 status = STAT_INSECURE_DS;
d389e019
SK		 1011 else if (status == STAT_NO_SIG)
1012 {
1013 if (option_bool(OPT_DNSSEC_NO_SIGN))
1014 {
1015 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
1016 if (status == STAT_INSECURE)
1017 status = STAT_INSECURE_DS;
1018 }
1019 else
1020 status = STAT_INSECURE_DS;
1021 }
1022 else if (status == STAT_NO_NS)
1023 status = STAT_BOGUS;
00a5b5d4
SK		 1024 }
1025 else if (forward->flags & FREC_CHECK_NOSIGN)
97e618a0
SK		 1026 {
1027 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
1028 if (status != STAT_NEED_KEY)
1029 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
1030 }
0744ca66 1031 else
00a5b5d4 1032 {
97e618a0 1033 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
00a5b5d4
SK		 1034 if (status == STAT_NO_SIG)
1035 {
1036 if (option_bool(OPT_DNSSEC_NO_SIGN))
97e618a0 1037 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
00a5b5d4
SK		 1038 else
1039 status = STAT_INSECURE;
1040 }
1041 }
1042
1043 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
7fa836e1 1044 goto anotherkey;
3a237152
SK		 1045 }
1046 }
5d3b87a4 1047
fe3992f9
SK		 1048 no_cache_dnssec = 0;
1049
1050 if (status == STAT_INSECURE_DS)
1051 {
1052 /* We only cache sigs when we've validated a reply.
1053 Avoid caching a reply with sigs if there's a vaildated break in the
1054 DS chain, so we don't return replies from cache missing sigs. */
1055 status = STAT_INSECURE;
1056 no_cache_dnssec = 1;
1057 }
1058
5d3b87a4 1059 if (status == STAT_TRUNCATED)
0744ca66 1060 header->hb3 |= HB3_TC;
5d3b87a4 1061 else
7fa836e1 1062 {
554b580e 1063 char *result, *domain = "result";
7fa836e1
SK		 1064
1065 if (forward->work_counter == 0)
150162bc
SK		 1066 {
1067 result = "ABANDONED";
1068 status = STAT_BOGUS;
1069 }
7fa836e1
SK		 1070 else
1071 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1072
554b580e
SK		 1073 if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
1074 domain = daemon->namebuff;
1075
1076 log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
7fa836e1 1077 }
5d3b87a4 1078
3a237152
SK		 1079 if (status == STAT_SECURE)
1080 cache_secure = 1;
3a237152 1081 else if (status == STAT_BOGUS)
fe3992f9
SK		 1082 {
1083 no_cache_dnssec = 1;
1084 bogusanswer = 1;
1085 }
3a237152 1086 }
83349b8a
SK		 1087#endif
1088
1089 /* restore CD bit to the value in the query */
1090 if (forward->flags & FREC_CHECKING_DISABLED)
1091 header->hb4 |= HB4_CD;
1092 else
1093 header->hb4 &= ~HB4_CD;
8ef5ada2 1094
fe3992f9 1095 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
613ad15d
SK		 1096 forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
1097 forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
1a6bca81
SK		 1098 {
1099 header->id = htons(forward->orig_id);
572b41eb 1100 header->hb4 |= HB4_RA; /* recursion if available */
54dd393f 1101 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
50303b19 1102 &forward->source, &forward->dest, forward->iface);
b8187c80 1103 }
1a6bca81 1104 free_frec(forward); /* cancel */
9e4abcb5 1105 }
9e4abcb5 1106}
44a2a316 1107
1a6bca81 1108
5aabfc78 1109void receive_query(struct listener *listen, time_t now)
44a2a316 1110{
572b41eb 1111 struct dns_header *header = (struct dns_header *)daemon->packet;
44a2a316 1112 union mysockaddr source_addr;
c1bb8504 1113 unsigned short type;
44a2a316 1114 struct all_addr dst_addr;
f6b7dc47 1115 struct in_addr netmask, dst_addr_4;
cdeda28f
SK		 1116 size_t m;
1117 ssize_t n;
3b195961
VG		 1118 int if_index = 0, auth_dns = 0;
1119#ifdef HAVE_AUTH
1120 int local_auth = 0;
1121#endif
44a2a316
SK		 1122 struct iovec iov[1];
1123 struct msghdr msg;
1124 struct cmsghdr *cmptr;
44a2a316
SK		 1125 union {
1126 struct cmsghdr align; /* this ensures alignment */
1127#ifdef HAVE_IPV6
1128 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
1129#endif
5e9e0efb 1130#if defined(HAVE_LINUX_NETWORK)
44a2a316 1131 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
824af85b
SK		 1132#elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1133 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1134 CMSG_SPACE(sizeof(unsigned int))];
44a2a316
SK		 1135#elif defined(IP_RECVDSTADDR)
1136 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1137 CMSG_SPACE(sizeof(struct sockaddr_dl))];
1138#endif
1139 } control_u;
2329bef5
SK		 1140#ifdef HAVE_IPV6
1141 /* Can always get recvd interface for IPv6 */
1142 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
1143#else
1144 int check_dst = !option_bool(OPT_NOWILD);
1145#endif
1146
cdeda28f
SK		 1147 /* packet buffer overwritten */
1148 daemon->srv_save = NULL;
1149
98906275 1150 dst_addr_4.s_addr = dst_addr.addr.addr4.s_addr = 0;
4f7b304f
SK		 1151 netmask.s_addr = 0;
1152
7e5664bd 1153 if (option_bool(OPT_NOWILD) && listen->iface)
3d8df260 1154 {
4f7b304f
SK		 1155 auth_dns = listen->iface->dns_auth;
1156
1157 if (listen->family == AF_INET)
1158 {
98906275 1159 dst_addr_4 = dst_addr.addr.addr4 = listen->iface->addr.in.sin_addr;
4f7b304f
SK		 1160 netmask = listen->iface->netmask;
1161 }
3d8df260 1162 }
4f7b304f 1163
3be34541
SK		 1164 iov[0].iov_base = daemon->packet;
1165 iov[0].iov_len = daemon->edns_pktsz;
44a2a316
SK		 1166
1167 msg.msg_control = control_u.control;
1168 msg.msg_controllen = sizeof(control_u);
1169 msg.msg_flags = 0;
1170 msg.msg_name = &source_addr;
1171 msg.msg_namelen = sizeof(source_addr);
1172 msg.msg_iov = iov;
1173 msg.msg_iovlen = 1;
1174
de37951c 1175 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
3be34541 1176 return;
44a2a316 1177
572b41eb 1178 if (n < (int)sizeof(struct dns_header) ||
5e9e0efb 1179 (msg.msg_flags & MSG_TRUNC) ||
572b41eb 1180 (header->hb3 & HB3_QR))
26128d27
SK		 1181 return;
1182
44a2a316 1183 source_addr.sa.sa_family = listen->family;
2a7a2b84
SK		 1184
1185 if (listen->family == AF_INET)
1186 {
1187 /* Source-port == 0 is an error, we can't send back to that.
1188 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1189 if (source_addr.in.sin_port == 0)
1190 return;
1191 }
44a2a316 1192#ifdef HAVE_IPV6
2a7a2b84
SK		 1193 else
1194 {
1195 /* Source-port == 0 is an error, we can't send back to that. */
1196 if (source_addr.in6.sin6_port == 0)
1197 return;
1198 source_addr.in6.sin6_flowinfo = 0;
1199 }
44a2a316 1200#endif
2a7a2b84 1201
c8a80487
SK		 1202 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1203 if (option_bool(OPT_LOCAL_SERVICE))
1204 {
1205 struct addrlist *addr;
1206#ifdef HAVE_IPV6
1207 if (listen->family == AF_INET6)
1208 {
1209 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1210 if ((addr->flags & ADDRLIST_IPV6) &&
1211 is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen))
1212 break;
1213 }
1214 else
1215#endif
1216 {
1217 struct in_addr netmask;
1218 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1219 {
15b1b7e9 1220 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
c8a80487
SK		 1221 if (!(addr->flags & ADDRLIST_IPV6) &&
1222 is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask))
1223 break;
1224 }
1225 }
1226 if (!addr)
1227 {
0c8584ea
SK		 1228 static int warned = 0;
1229 if (!warned)
1230 {
1231 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1232 warned = 1;
1233 }
c8a80487
SK		 1234 return;
1235 }
1236 }
1237
2329bef5 1238 if (check_dst)
26128d27
SK		 1239 {
1240 struct ifreq ifr;
1241
1242 if (msg.msg_controllen < sizeof(struct cmsghdr))
1243 return;
44a2a316 1244
5e9e0efb 1245#if defined(HAVE_LINUX_NETWORK)
26128d27
SK		 1246 if (listen->family == AF_INET)
1247 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1248 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
26128d27 1249 {
8ef5ada2
SK		 1250 union {
1251 unsigned char *c;
1252 struct in_pktinfo *p;
1253 } p;
1254 p.c = CMSG_DATA(cmptr);
1255 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1256 if_index = p.p->ipi_ifindex;
26128d27
SK		 1257 }
1258#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1259 if (listen->family == AF_INET)
44a2a316 1260 {
26128d27 1261 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
8ef5ada2
SK		 1262 {
1263 union {
1264 unsigned char *c;
1265 unsigned int *i;
1266 struct in_addr *a;
1267#ifndef HAVE_SOLARIS_NETWORK
1268 struct sockaddr_dl *s;
1269#endif
1270 } p;
1271 p.c = CMSG_DATA(cmptr);
1272 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1273 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1274 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
824af85b 1275#ifdef HAVE_SOLARIS_NETWORK
8ef5ada2 1276 if_index = *(p.i);
824af85b 1277#else
8ef5ada2 1278 if_index = p.s->sdl_index;
824af85b 1279#endif
8ef5ada2 1280 }
44a2a316 1281 }
44a2a316 1282#endif
26128d27 1283
44a2a316 1284#ifdef HAVE_IPV6
26128d27
SK		 1285 if (listen->family == AF_INET6)
1286 {
1287 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1288 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
26128d27 1289 {
8ef5ada2
SK		 1290 union {
1291 unsigned char *c;
1292 struct in6_pktinfo *p;
1293 } p;
1294 p.c = CMSG_DATA(cmptr);
1295
1296 dst_addr.addr.addr6 = p.p->ipi6_addr;
1297 if_index = p.p->ipi6_ifindex;
26128d27
SK		 1298 }
1299 }
44a2a316 1300#endif
26128d27
SK		 1301
1302 /* enforce available interface configuration */
1303
e25db1f2 1304 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
5e9e0efb 1305 return;
832af0ba 1306
e25db1f2
SK		 1307 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1308 {
1309 if (!option_bool(OPT_CLEVERBIND))
115ac3e4 1310 enumerate_interfaces(0);
3f2873d4
SK		 1311 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1312 !label_exception(if_index, listen->family, &dst_addr))
e25db1f2
SK		 1313 return;
1314 }
1315
552af8b9
SK		 1316 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1317 {
1318 struct irec *iface;
1319
1320 /* get the netmask of the interface whch has the address we were sent to.
1321 This is no neccessarily the interface we arrived on. */
1322
1323 for (iface = daemon->interfaces; iface; iface = iface->next)
1324 if (iface->addr.sa.sa_family == AF_INET &&
1325 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1326 break;
1327
1328 /* interface may be new */
e25db1f2 1329 if (!iface && !option_bool(OPT_CLEVERBIND))
115ac3e4 1330 enumerate_interfaces(0);
552af8b9
SK		 1331
1332 for (iface = daemon->interfaces; iface; iface = iface->next)
1333 if (iface->addr.sa.sa_family == AF_INET &&
1334 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1335 break;
1336
1337 /* If we failed, abandon localisation */
1338 if (iface)
1339 netmask = iface->netmask;
1340 else
1341 dst_addr_4.s_addr = 0;
1342 }
44a2a316 1343 }
25cf5e37
SK		 1344
1345 /* log_query gets called indirectly all over the place, so
1346 pass these in global variables - sorry. */
1347 daemon->log_display_id = ++daemon->log_id;
1348 daemon->log_source_addr = &source_addr;
44a2a316 1349
cdeda28f 1350 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
44a2a316 1351 {
b485ed97
SK		 1352#ifdef HAVE_AUTH
1353 struct auth_zone *zone;
1354#endif
610e782a
SK		 1355 char *types = querystr(auth_dns ? "auth" : "query", type);
1356
44a2a316 1357 if (listen->family == AF_INET)
3be34541 1358 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 1359 (struct all_addr *)&source_addr.in.sin_addr, types);
44a2a316
SK		 1360#ifdef HAVE_IPV6
1361 else
3be34541 1362 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 1363 (struct all_addr *)&source_addr.in6.sin6_addr, types);
44a2a316 1364#endif
44a2a316 1365
b485ed97
SK		 1366#ifdef HAVE_AUTH
1367 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1368 if (!auth_dns)
1369 for (zone = daemon->auth_zones; zone; zone = zone->next)
1370 if (in_zone(zone, daemon->namebuff, NULL))
1371 {
1372 auth_dns = 1;
1373 local_auth = 1;
1374 break;
1375 }
b485ed97 1376#endif
b5ea1cc2
SK		 1377
1378#ifdef HAVE_LOOP
1379 /* Check for forwarding loop */
1380 if (detect_loop(daemon->namebuff, type))
1381 return;
1382#endif
b485ed97
SK		 1383 }
1384
4820dce9 1385#ifdef HAVE_AUTH
4f7b304f 1386 if (auth_dns)
824af85b 1387 {
60b68069 1388 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
4f7b304f 1389 if (m >= 1)
b485ed97
SK		 1390 {
1391 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1392 (char *)header, m, &source_addr, &dst_addr, if_index);
1393 daemon->auth_answer++;
1394 }
824af85b 1395 }
44a2a316 1396 else
4820dce9 1397#endif
4f7b304f 1398 {
613ad15d 1399 int ad_reqd, do_bit;
60b68069 1400 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
613ad15d 1401 dst_addr_4, netmask, now, &ad_reqd, &do_bit);
4f7b304f
SK		 1402
1403 if (m >= 1)
1404 {
1405 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1406 (char *)header, m, &source_addr, &dst_addr, if_index);
1407 daemon->local_answer++;
1408 }
1409 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
613ad15d 1410 header, (size_t)n, now, NULL, ad_reqd, do_bit))
4f7b304f
SK		 1411 daemon->queries_forwarded++;
1412 else
1413 daemon->local_answer++;
1414 }
44a2a316
SK		 1415}
1416
7d7b7b31 1417#ifdef HAVE_DNSSEC
00a5b5d4
SK		 1418
1419/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1420 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1421 STAT_NEED_DS_NEG and keyname if we need to do the query. */
97e618a0
SK		 1422static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
1423 char *name, char *keyname)
00a5b5d4 1424{
00a5b5d4
SK		 1425 int status = dnssec_chase_cname(now, header, plen, name, keyname);
1426
1427 if (status != STAT_INSECURE)
1428 return status;
1429
97e618a0
SK		 1430 /* Store the domain we're trying to check. */
1431 forward->name_start = strlen(name);
1432 forward->name_len = forward->name_start + 1;
1433 if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len)))
1434 return STAT_BOGUS;
1435
1436 return do_check_sign(forward, 0, now, name, keyname);
1437}
1438
1439/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1440static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname)
1441{
1442 /* get domain we're checking back from blockdata store, it's stored on the original query. */
d389e019 1443 while (forward->dependent && !forward->orig_domain)
97e618a0
SK		 1444 forward = forward->dependent;
1445
1446 blockdata_retrieve(forward->orig_domain, forward->name_len, name);
1447
00a5b5d4
SK		 1448 while (1)
1449 {
97e618a0
SK		 1450 char *p;
1451
1452 if (status == 0)
00a5b5d4 1453 {
97e618a0
SK		 1454 struct crec *crecp;
1455
1456 /* Haven't received answer, see if in cache */
1457 if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS)))
1458 {
1459 /* put name of DS record we're missing into keyname */
1460 strcpy(keyname, &name[forward->name_start]);
1461 /* and wait for reply to arrive */
1462 return STAT_NEED_DS_NEG;
1463 }
1464
1465 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1466 if (!(crecp->flags & F_NEG))
1467 status = STAT_SECURE;
1468 else if (crecp->flags & F_DNSSECOK)
1469 status = STAT_NO_DS;
1470 else
1471 status = STAT_NO_NS;
00a5b5d4 1472 }
97e618a0
SK		 1473
1474 /* Have entered non-signed part of DNS tree. */
1475 if (status == STAT_NO_DS)
d389e019 1476 return forward->dependent ? STAT_INSECURE_DS : STAT_INSECURE;
00a5b5d4 1477
97e618a0 1478 if (status == STAT_BOGUS)
4e1fe444
SK		 1479 return STAT_BOGUS;
1480
e3ec6f0b
SK		 1481 if (status == STAT_NO_SIG && *keyname != 0)
1482 {
1483 /* There is a validated CNAME chain that doesn't end in a DS record. Start
1484 the search again in that domain. */
1485 blockdata_free(forward->orig_domain);
1486 forward->name_start = strlen(keyname);
1487 forward->name_len = forward->name_start + 1;
1488 if (!(forward->orig_domain = blockdata_alloc(keyname, forward->name_len)))
1489 return STAT_BOGUS;
1490
1491 strcpy(name, keyname);
1492 status = 0; /* force to cache when we iterate. */
1493 continue;
1494 }
1495
97e618a0
SK		 1496 /* There's a proven DS record, or we're within a zone, where there doesn't need
1497 to be a DS record. Add a name and try again.
1498 If we've already tried the whole name, then fail */
00a5b5d4 1499
97e618a0
SK		 1500 if (forward->name_start == 0)
1501 return STAT_BOGUS;
4872aa74 1502
97e618a0
SK		 1503 for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--);
1504
1505 if (p != name)
1506 p++;
1507
1508 forward->name_start = p - name;
1509 status = 0; /* force to cache when we iterate. */
00a5b5d4 1510 }
00a5b5d4
SK		 1511}
1512
fe3992f9 1513/* Move down from the root, until we find a signed non-existance of a DS, in which case
00a5b5d4
SK		 1514 an unsigned answer is OK, or we find a signed DS, in which case there should be
1515 a signature, and the answer is BOGUS */
1516static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
1517 char *keyname, struct server *server, int *keycount)
1518{
1519 size_t m;
1520 unsigned char *packet, *payload;
1521 u16 *length;
97e618a0
SK		 1522 int status, name_len;
1523 struct blockdata *block;
1524
1525 char *name_start;
00a5b5d4
SK		 1526
1527 /* Get first insecure entry in CNAME chain */
1528 status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
1529 if (status == STAT_BOGUS)
1530 return STAT_BOGUS;
1531
1532 if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))))
1533 return STAT_BOGUS;
1534
1535 payload = &packet[2];
1536 header = (struct dns_header *)payload;
1537 length = (u16 *)packet;
97e618a0
SK		 1538
1539 /* Stash the name away, since the buffer will be trashed when we recurse */
1540 name_len = strlen(name) + 1;
1541 name_start = name + name_len - 1;
00a5b5d4 1542
97e618a0
SK		 1543 if (!(block = blockdata_alloc(name, name_len)))
1544 {
1545 free(packet);
1546 return STAT_BOGUS;
1547 }
1548
00a5b5d4
SK		 1549 while (1)
1550 {
00a5b5d4 1551 unsigned char c1, c2;
97e618a0
SK		 1552 struct crec *crecp;
1553
00a5b5d4 1554 if (--(*keycount) == 0)
fc2833f1
TH		 1555 {
1556 free(packet);
97e618a0 1557 blockdata_free(block);
fc2833f1
TH		 1558 return STAT_BOGUS;
1559 }
00a5b5d4 1560
424c4a8a 1561 while ((crecp = cache_find_by_name(NULL, name_start, now, F_DS)))
97e618a0
SK		 1562 {
1563 if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))
1564 {
1565 /* Found a secure denial of DS - delegation is indeed insecure */
1566 free(packet);
1567 blockdata_free(block);
1568 return STAT_INSECURE;
1569 }
1570
1571 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1572 Add another label and continue. */
1573
1574 if (name_start == name)
1575 {
1576 free(packet);
1577 blockdata_free(block);
1578 return STAT_BOGUS; /* run out of labels */
1579 }
1580
1581 name_start -= 2;
1582 while (*name_start != '.' && name_start != name)
1583 name_start--;
1584 if (name_start != name)
1585 name_start++;
4e1fe444 1586 }
97e618a0
SK		 1587
1588 /* Can't find it in the cache, have to send a query */
4e1fe444 1589
a77cec8d 1590 m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr, server->edns_pktsz);
00a5b5d4 1591
97e618a0 1592 *length = htons(m);
b37f8b99 1593
97e618a0
SK		 1594 if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
1595 read_write(server->tcpfd, &c1, 1, 1) &&
1596 read_write(server->tcpfd, &c2, 1, 1) &&
1597 read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1598 {
1599 m = (c1 << 8) | c2;
00a5b5d4 1600
97e618a0
SK		 1601 /* Note this trashes all three name workspaces */
1602 status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
1603
1604 if (status == STAT_NO_DS)
00a5b5d4 1605 {
97e618a0
SK		 1606 /* Found a secure denial of DS - delegation is indeed insecure */
1607 free(packet);
1608 blockdata_free(block);
1609 return STAT_INSECURE;
1610 }
1611
e3ec6f0b
SK		 1612 if (status == STAT_NO_SIG && *keyname != 0)
1613 {
1614 /* There is a validated CNAME chain that doesn't end in a DS record. Start
1615 the search again in that domain. */
1616 blockdata_free(block);
1617 name_len = strlen(keyname) + 1;
1618 name_start = name + name_len - 1;
1619
1620 if (!(block = blockdata_alloc(keyname, name_len)))
1621 return STAT_BOGUS;
1622
1623 strcpy(name, keyname);
1624 continue;
1625 }
1626
97e618a0
SK		 1627 if (status == STAT_BOGUS)
1628 {
1629 free(packet);
1630 blockdata_free(block);
1631 return STAT_BOGUS;
1632 }
1633
1634 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1635 Add another label and continue. */
1636
1637 /* Get name we're checking back. */
1638 blockdata_retrieve(block, name_len, name);
1639
1640 if (name_start == name)
1641 {
1642 free(packet);
1643 blockdata_free(block);
1644 return STAT_BOGUS; /* run out of labels */
00a5b5d4 1645 }
97e618a0
SK		 1646
1647 name_start -= 2;
1648 while (*name_start != '.' && name_start != name)
1649 name_start--;
1650 if (name_start != name)
1651 name_start++;
1652 }
1653 else
1654 {
1655 /* IO failure */
1656 free(packet);
1657 blockdata_free(block);
1658 return STAT_BOGUS; /* run out of labels */
00a5b5d4 1659 }
00a5b5d4
SK		 1660 }
1661}
1662
7fa836e1
SK		 1663static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
1664 int class, char *name, char *keyname, struct server *server, int *keycount)
7d7b7b31
SK		 1665{
1666 /* Recurse up the key heirarchy */
7d7b7b31 1667 int new_status;
7d7b7b31 1668
7fa836e1
SK		 1669 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1670 if (--(*keycount) == 0)
1671 return STAT_INSECURE;
7d7b7b31 1672
7fa836e1
SK		 1673 if (status == STAT_NEED_KEY)
1674 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
00a5b5d4
SK		 1675 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1676 {
1677 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
fe3992f9
SK		 1678 if (status == STAT_NEED_DS)
1679 {
1680 if (new_status == STAT_NO_DS)
1681 new_status = STAT_INSECURE_DS;
d389e019
SK		 1682 if (new_status == STAT_NO_SIG)
1683 {
1684 if (option_bool(OPT_DNSSEC_NO_SIGN))
1685 {
1686 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1687 if (new_status == STAT_INSECURE)
1688 new_status = STAT_INSECURE_DS;
1689 }
1690 else
1691 new_status = STAT_INSECURE_DS;
1692 }
1693 else if (new_status == STAT_NO_NS)
fe3992f9
SK		 1694 new_status = STAT_BOGUS;
1695 }
00a5b5d4
SK		 1696 }
1697 else if (status == STAT_CHASE_CNAME)
1698 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1699 else
1700 {
97e618a0 1701 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
00a5b5d4
SK		 1702
1703 if (new_status == STAT_NO_SIG)
1704 {
1705 if (option_bool(OPT_DNSSEC_NO_SIGN))
1706 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1707 else
1708 new_status = STAT_INSECURE;
1709 }
1710 }
1711
7fa836e1
SK		 1712 /* Can't validate because we need a key/DS whose name now in keyname.
1713 Make query for same, and recurse to validate */
1714 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
7d7b7b31 1715 {
7fa836e1
SK		 1716 size_t m;
1717 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1718 unsigned char *payload = &packet[2];
1719 struct dns_header *new_header = (struct dns_header *)payload;
1720 u16 *length = (u16 *)packet;
1721 unsigned char c1, c2;
1722
1723 if (!packet)
1724 return STAT_INSECURE;
1725
1726 another_tcp_key:
1727 m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
a77cec8d 1728 new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, server->edns_pktsz);
7d7b7b31 1729
7fa836e1 1730 *length = htons(m);
7d7b7b31 1731
7fa836e1
SK		 1732 if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
1733 !read_write(server->tcpfd, &c1, 1, 1) ||
1734 !read_write(server->tcpfd, &c2, 1, 1) ||
1735 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1736 new_status = STAT_INSECURE;
1737 else
7d7b7b31 1738 {
7fa836e1
SK		 1739 m = (c1 << 8) | c2;
1740
00a5b5d4
SK		 1741 new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount);
1742
1743 if (new_status == STAT_SECURE)
7d7b7b31 1744 {
7fa836e1
SK		 1745 /* Reached a validated record, now try again at this level.
1746 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1747 If so, go round again. */
7d7b7b31 1748
7fa836e1
SK		 1749 if (status == STAT_NEED_KEY)
1750 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
00a5b5d4
SK		 1751 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1752 {
1753 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
fe3992f9
SK		 1754 if (status == STAT_NEED_DS)
1755 {
1756 if (new_status == STAT_NO_DS)
1757 new_status = STAT_INSECURE_DS;
d389e019
SK		 1758 else if (new_status == STAT_NO_SIG)
1759 {
1760 if (option_bool(OPT_DNSSEC_NO_SIGN))
1761 {
1762 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1763 if (new_status == STAT_INSECURE)
1764 new_status = STAT_INSECURE_DS;
1765 }
1766 else
1767 new_status = STAT_INSECURE_DS;
1768 }
1769 else if (new_status == STAT_NO_NS)
1770 new_status = STAT_BOGUS;
fe3992f9 1771 }
00a5b5d4
SK		 1772 }
1773 else if (status == STAT_CHASE_CNAME)
1774 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1775 else
1776 {
97e618a0 1777 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
00a5b5d4
SK		 1778
1779 if (new_status == STAT_NO_SIG)
1780 {
1781 if (option_bool(OPT_DNSSEC_NO_SIGN))
1782 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1783 else
1784 new_status = STAT_INSECURE;
1785 }
1786 }
1787
7d7b7b31 1788 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
7fa836e1 1789 goto another_tcp_key;
7d7b7b31
SK		 1790 }
1791 }
fe3992f9 1792
7fa836e1
SK		 1793 free(packet);
1794 }
7d7b7b31
SK		 1795 return new_status;
1796}
1797#endif
1798
1799
feba5c1d
SK		 1800/* The daemon forks before calling this: it should deal with one connection,
1801 blocking as neccessary, and then return. Note, need to be a bit careful
1802 about resources for debug mode, when the fork is suppressed: that's
1803 done by the caller. */
5aabfc78 1804unsigned char *tcp_request(int confd, time_t now,
4f7b304f 1805 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
feba5c1d 1806{
28866e95
SK		 1807 size_t size = 0;
1808 int norebind = 0;
3b195961 1809#ifdef HAVE_AUTH
19b16891 1810 int local_auth = 0;
3b195961 1811#endif
613ad15d 1812 int checking_disabled, ad_question, do_bit, added_pheader = 0;
fe3992f9 1813 int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
cdeda28f 1814 size_t m;
ee86ce68
SK		 1815 unsigned short qtype;
1816 unsigned int gotname;
feba5c1d 1817 unsigned char c1, c2;
4b5ea12e
SK		 1818 /* Max TCP packet + slop + size */
1819 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1820 unsigned char *payload = &packet[2];
1821 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1822 struct dns_header *header = (struct dns_header *)payload;
1823 u16 *length = (u16 *)packet;
3be34541 1824 struct server *last_server;
7de060b0
SK		 1825 struct in_addr dst_addr_4;
1826 union mysockaddr peer_addr;
1827 socklen_t peer_len = sizeof(union mysockaddr);
25cf5e37
SK		 1828 int query_count = 0;
1829
7de060b0
SK		 1830 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1831 return packet;
c8a80487
SK		 1832
1833 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1834 if (option_bool(OPT_LOCAL_SERVICE))
1835 {
1836 struct addrlist *addr;
1837#ifdef HAVE_IPV6
1838 if (peer_addr.sa.sa_family == AF_INET6)
1839 {
1840 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1841 if ((addr->flags & ADDRLIST_IPV6) &&
1842 is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen))
1843 break;
1844 }
1845 else
1846#endif
1847 {
1848 struct in_addr netmask;
1849 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1850 {
15b1b7e9 1851 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
c8a80487
SK		 1852 if (!(addr->flags & ADDRLIST_IPV6) &&
1853 is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask))
1854 break;
1855 }
1856 }
1857 if (!addr)
1858 {
1859 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1860 return packet;
1861 }
1862 }
7de060b0 1863
feba5c1d
SK		 1864 while (1)
1865 {
25cf5e37
SK		 1866 if (query_count == TCP_MAX_QUERIES ||
1867 !packet ||
feba5c1d
SK		 1868 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1869 !(size = c1 << 8 | c2) ||
4b5ea12e 1870 !read_write(confd, payload, size, 1))
feba5c1d
SK		 1871 return packet;
1872
572b41eb 1873 if (size < (int)sizeof(struct dns_header))
feba5c1d
SK		 1874 continue;
1875
25cf5e37
SK		 1876 query_count++;
1877
1878 /* log_query gets called indirectly all over the place, so
1879 pass these in global variables - sorry. */
1880 daemon->log_display_id = ++daemon->log_id;
1881 daemon->log_source_addr = &peer_addr;
1882
ed4c0767
SK		 1883 check_subnet = 0;
1884
28866e95 1885 /* save state of "cd" flag in query */
7d7b7b31
SK		 1886 if ((checking_disabled = header->hb4 & HB4_CD))
1887 no_cache_dnssec = 1;
28866e95 1888
3be34541 1889 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
feba5c1d 1890 {
b485ed97
SK		 1891#ifdef HAVE_AUTH
1892 struct auth_zone *zone;
1893#endif
610e782a 1894 char *types = querystr(auth_dns ? "auth" : "query", qtype);
7de060b0
SK		 1895
1896 if (peer_addr.sa.sa_family == AF_INET)
1897 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1898 (struct all_addr *)&peer_addr.in.sin_addr, types);
feba5c1d 1899#ifdef HAVE_IPV6
7de060b0
SK		 1900 else
1901 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1902 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
feba5c1d 1903#endif
b485ed97
SK		 1904
1905#ifdef HAVE_AUTH
1906 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1907 if (!auth_dns)
1908 for (zone = daemon->auth_zones; zone; zone = zone->next)
1909 if (in_zone(zone, daemon->namebuff, NULL))
1910 {
1911 auth_dns = 1;
1912 local_auth = 1;
1913 break;
1914 }
b485ed97 1915#endif
feba5c1d
SK		 1916 }
1917
7de060b0
SK		 1918 if (local_addr->sa.sa_family == AF_INET)
1919 dst_addr_4 = local_addr->in.sin_addr;
1920 else
1921 dst_addr_4.s_addr = 0;
1922
4820dce9 1923#ifdef HAVE_AUTH
4f7b304f 1924 if (auth_dns)
19b16891 1925 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
4f7b304f 1926 else
4820dce9 1927#endif
feba5c1d 1928 {
4f7b304f
SK		 1929 /* m > 0 if answered from cache */
1930 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
613ad15d 1931 dst_addr_4, netmask, now, &ad_question, &do_bit);
feba5c1d 1932
4f7b304f 1933 /* Do this by steam now we're not in the select() loop */
b842bc97 1934 check_log_writer(1);
4f7b304f
SK		 1935
1936 if (m == 0)
feba5c1d 1937 {
4f7b304f
SK		 1938 unsigned int flags = 0;
1939 struct all_addr *addrp = NULL;
1940 int type = 0;
1941 char *domain = NULL;
feba5c1d 1942
4f7b304f
SK		 1943 if (option_bool(OPT_ADD_MAC))
1944 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
ed4c0767
SK		 1945
1946 if (option_bool(OPT_CLIENT_SUBNET))
1947 {
1948 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1949 if (size != new)
1950 {
1951 size = new;
1952 check_subnet = 1;
1953 }
1954 }
1955
4f7b304f
SK		 1956 if (gotname)
1957 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1958
1959 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1960 last_server = daemon->servers;
1961 else
1962 last_server = daemon->last_server;
1963
1964 if (!flags && last_server)
1965 {
1966 struct server *firstsendto = NULL;
8a9be9e4 1967#ifdef HAVE_DNSSEC
703c7ff4 1968 unsigned char *newhash, hash[HASH_SIZE];
63758384 1969 if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
8a9be9e4 1970 memcpy(hash, newhash, HASH_SIZE);
b37f8b99
TH		 1971 else
1972 memset(hash, 0, HASH_SIZE);
8a9be9e4 1973#else
4f7b304f 1974 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
8a9be9e4 1975#endif
4f7b304f
SK		 1976 /* Loop round available servers until we succeed in connecting to one.
1977 Note that this code subtley ensures that consecutive queries on this connection
1978 which can go to the same server, do so. */
1979 while (1)
feba5c1d 1980 {
4f7b304f
SK		 1981 if (!firstsendto)
1982 firstsendto = last_server;
1983 else
1984 {
1985 if (!(last_server = last_server->next))
1986 last_server = daemon->servers;
1987
1988 if (last_server == firstsendto)
1989 break;
1990 }
1991
1992 /* server for wrong domain */
1993 if (type != (last_server->flags & SERV_TYPE) ||
b5ea1cc2
SK		 1994 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) ||
1995 (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
7de060b0
SK		 1996 continue;
1997
4f7b304f 1998 if (last_server->tcpfd == -1)
7de060b0 1999 {
4f7b304f
SK		 2000 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
2001 continue;
2002
e9828b6f
KV		 2003#ifdef HAVE_CONNTRACK
2004 /* Copy connection mark of incoming query to outgoing connection. */
2005 if (option_bool(OPT_CONNTRACK))
2006 {
2007 unsigned int mark;
2008 struct all_addr local;
2009#ifdef HAVE_IPV6
2010 if (local_addr->sa.sa_family == AF_INET6)
2011 local.addr.addr6 = local_addr->in6.sin6_addr;
2012 else
2013#endif
2014 local.addr.addr4 = local_addr->in.sin_addr;
2015
2016 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
2017 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
2018 }
2019#endif
2020
4f7b304f
SK		 2021 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
2022 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
2023 {
2024 close(last_server->tcpfd);
2025 last_server->tcpfd = -1;
2026 continue;
2027 }
2028
7d7b7b31
SK		 2029#ifdef HAVE_DNSSEC
2030 if (option_bool(OPT_DNSSEC_VALID))
2031 {
613ad15d
SK		 2032 size_t new_size = add_do_bit(header, size, ((char *) header) + 65536);
2033
2ecd9bd5
SK		 2034 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
2035 this allows it to select auth servers when one is returning bad data. */
2036 if (option_bool(OPT_DNSSEC_DEBUG))
2037 header->hb4 |= HB4_CD;
613ad15d
SK		 2038
2039 if (size != new_size)
2040 added_pheader = 1;
2041
2042 size = new_size;
7d7b7b31
SK		 2043 }
2044#endif
4f7b304f
SK		 2045 }
2046
4b5ea12e 2047 *length = htons(size);
1fc02680
SK		 2048
2049 /* get query name again for logging - may have been overwritten */
2050 if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
2051 strcpy(daemon->namebuff, "query");
4f7b304f 2052
4b5ea12e 2053 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
4f7b304f 2054 !read_write(last_server->tcpfd, &c1, 1, 1) ||
7d7b7b31
SK		 2055 !read_write(last_server->tcpfd, &c2, 1, 1) ||
2056 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
4f7b304f
SK		 2057 {
2058 close(last_server->tcpfd);
2059 last_server->tcpfd = -1;
2060 continue;
2061 }
2062
2063 m = (c1 << 8) | c2;
4f7b304f 2064
4f7b304f
SK		 2065 if (last_server->addr.sa.sa_family == AF_INET)
2066 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
2067 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
feba5c1d 2068#ifdef HAVE_IPV6
4f7b304f
SK		 2069 else
2070 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
2071 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
feba5c1d 2072#endif
7d7b7b31
SK		 2073
2074#ifdef HAVE_DNSSEC
2075 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
2076 {
7fa836e1
SK		 2077 int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
2078 int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
554b580e 2079 char *result, *domain = "result";
7fa836e1 2080
fe3992f9
SK		 2081 if (status == STAT_INSECURE_DS)
2082 {
2083 /* We only cache sigs when we've validated a reply.
2084 Avoid caching a reply with sigs if there's a vaildated break in the
2085 DS chain, so we don't return replies from cache missing sigs. */
2086 status = STAT_INSECURE;
2087 no_cache_dnssec = 1;
2088 }
2089
7fa836e1 2090 if (keycount == 0)
150162bc
SK		 2091 {
2092 result = "ABANDONED";
2093 status = STAT_BOGUS;
2094 }
7fa836e1
SK		 2095 else
2096 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
e66b4dff
SK		 2097
2098 if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
2099 domain = daemon->namebuff;
554b580e
SK		 2100
2101 log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
7d7b7b31 2102
7d7b7b31 2103 if (status == STAT_BOGUS)
fe3992f9
SK		 2104 {
2105 no_cache_dnssec = 1;
2106 bogusanswer = 1;
2107 }
2108
7d7b7b31
SK		 2109 if (status == STAT_SECURE)
2110 cache_secure = 1;
2111 }
2112#endif
2113
2114 /* restore CD bit to the value in the query */
2115 if (checking_disabled)
2116 header->hb4 |= HB4_CD;
2117 else
2118 header->hb4 &= ~HB4_CD;
4f7b304f
SK		 2119
2120 /* There's no point in updating the cache, since this process will exit and
2121 lose the information after a few queries. We make this call for the alias and
2122 bogus-nxdomain side-effects. */
2123 /* If the crc of the question section doesn't match the crc we sent, then
2124 someone might be attempting to insert bogus values into the cache by
2125 sending replies containing questions and bogus answers. */
8a9be9e4
SK		 2126#ifdef HAVE_DNSSEC
2127 newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
2128 if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
703c7ff4
SK		 2129 {
2130 m = 0;
2131 break;
2132 }
8a9be9e4
SK		 2133#else
2134 if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
703c7ff4
SK		 2135 {
2136 m = 0;
2137 break;
2138 }
8a9be9e4
SK		 2139#endif
2140
2141 m = process_reply(header, now, last_server, (unsigned int)m,
e66b4dff
SK		 2142 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer,
2143 ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
4f7b304f
SK		 2144
2145 break;
2146 }
feba5c1d 2147 }
4f7b304f
SK		 2148
2149 /* In case of local answer or no connections made. */
2150 if (m == 0)
2151 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
feba5c1d 2152 }
feba5c1d 2153 }
4f7b304f 2154
b842bc97 2155 check_log_writer(1);
feba5c1d 2156
4b5ea12e
SK		 2157 *length = htons(m);
2158
2159 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
feba5c1d
SK		 2160 return packet;
2161 }
2162}
2163
1697269c 2164static struct frec *allocate_frec(time_t now)
9e4abcb5 2165{
1697269c
SK		 2166 struct frec *f;
2167
5aabfc78 2168 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
9e4abcb5 2169 {
1a6bca81 2170 f->next = daemon->frec_list;
1697269c 2171 f->time = now;
832af0ba 2172 f->sentto = NULL;
1a6bca81 2173 f->rfd4 = NULL;
28866e95 2174 f->flags = 0;
1a6bca81
SK		 2175#ifdef HAVE_IPV6
2176 f->rfd6 = NULL;
3a237152
SK		 2177#endif
2178#ifdef HAVE_DNSSEC
97bc798b 2179 f->dependent = NULL;
3a237152 2180 f->blocking_query = NULL;
4619d946 2181 f->stash = NULL;
97e618a0 2182 f->orig_domain = NULL;
1a6bca81
SK		 2183#endif
2184 daemon->frec_list = f;
1697269c 2185 }
9e4abcb5 2186
1697269c
SK		 2187 return f;
2188}
9e4abcb5 2189
b5ea1cc2 2190struct randfd *allocate_rfd(int family)
1a6bca81
SK		 2191{
2192 static int finger = 0;
2193 int i;
2194
2195 /* limit the number of sockets we have open to avoid starvation of
2196 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2197
2198 for (i = 0; i < RANDOM_SOCKS; i++)
9009d746 2199 if (daemon->randomsocks[i].refcount == 0)
1a6bca81 2200 {
9009d746
SK		 2201 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
2202 break;
2203
1a6bca81
SK		 2204 daemon->randomsocks[i].refcount = 1;
2205 daemon->randomsocks[i].family = family;
2206 return &daemon->randomsocks[i];
2207 }
2208
9009d746 2209 /* No free ones or cannot get new socket, grab an existing one */
1a6bca81
SK		 2210 for (i = 0; i < RANDOM_SOCKS; i++)
2211 {
2212 int j = (i+finger) % RANDOM_SOCKS;
9009d746
SK		 2213 if (daemon->randomsocks[j].refcount != 0 &&
2214 daemon->randomsocks[j].family == family &&
2215 daemon->randomsocks[j].refcount != 0xffff)
1a6bca81
SK		 2216 {
2217 finger = j;
2218 daemon->randomsocks[j].refcount++;
2219 return &daemon->randomsocks[j];
2220 }
2221 }
2222
2223 return NULL; /* doom */
2224}
b5ea1cc2
SK		 2225
2226void free_rfd(struct randfd *rfd)
2227{
2228 if (rfd && --(rfd->refcount) == 0)
2229 close(rfd->fd);
2230}
2231
1a6bca81
SK		 2232static void free_frec(struct frec *f)
2233{
b5ea1cc2 2234 free_rfd(f->rfd4);
1a6bca81
SK		 2235 f->rfd4 = NULL;
2236 f->sentto = NULL;
28866e95 2237 f->flags = 0;
1a6bca81
SK		 2238
2239#ifdef HAVE_IPV6
b5ea1cc2 2240 free_rfd(f->rfd6);
1a6bca81
SK		 2241 f->rfd6 = NULL;
2242#endif
3a237152
SK		 2243
2244#ifdef HAVE_DNSSEC
2245 if (f->stash)
0fc2f313
SK		 2246 {
2247 blockdata_free(f->stash);
2248 f->stash = NULL;
2249 }
3a237152 2250
97e618a0
SK		 2251 if (f->orig_domain)
2252 {
2253 blockdata_free(f->orig_domain);
2254 f->orig_domain = NULL;
2255 }
2256
3a237152
SK		 2257 /* Anything we're waiting on is pointless now, too */
2258 if (f->blocking_query)
2259 free_frec(f->blocking_query);
2260 f->blocking_query = NULL;
39048ad1 2261 f->dependent = NULL;
3a237152 2262#endif
1a6bca81
SK		 2263}
2264
1697269c
SK		 2265/* if wait==NULL return a free or older than TIMEOUT record.
2266 else return *wait zero if one available, or *wait is delay to
1a6bca81 2267 when the oldest in-use record will expire. Impose an absolute
3a237152
SK		 2268 limit of 4*TIMEOUT before we wipe things (for random sockets).
2269 If force is set, always return a result, even if we have
2270 to allocate above the limit. */
2271struct frec *get_new_frec(time_t now, int *wait, int force)
1697269c 2272{
1a6bca81 2273 struct frec *f, *oldest, *target;
1697269c
SK		 2274 int count;
2275
2276 if (wait)
2277 *wait = 0;
2278
1a6bca81 2279 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
832af0ba 2280 if (!f->sentto)
1a6bca81
SK		 2281 target = f;
2282 else
1697269c 2283 {
1a6bca81
SK		 2284 if (difftime(now, f->time) >= 4*TIMEOUT)
2285 {
2286 free_frec(f);
2287 target = f;
2288 }
2289
2290 if (!oldest || difftime(f->time, oldest->time) <= 0)
2291 oldest = f;
1697269c 2292 }
1a6bca81
SK		 2293
2294 if (target)
2295 {
2296 target->time = now;
2297 return target;
2298 }
9e4abcb5
SK		 2299
2300 /* can't find empty one, use oldest if there is one
2301 and it's older than timeout */
1697269c 2302 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
9e4abcb5 2303 {
1697269c
SK		 2304 /* keep stuff for twice timeout if we can by allocating a new
2305 record instead */
2306 if (difftime(now, oldest->time) < 2*TIMEOUT &&
2307 count <= daemon->ftabsize &&
2308 (f = allocate_frec(now)))
2309 return f;
2310
2311 if (!wait)
2312 {
1a6bca81 2313 free_frec(oldest);
1697269c
SK		 2314 oldest->time = now;
2315 }
9e4abcb5
SK		 2316 return oldest;
2317 }
2318
1697269c 2319 /* none available, calculate time 'till oldest record expires */
3a237152 2320 if (!force && count > daemon->ftabsize)
1697269c 2321 {
0da5e897
MSB		 2322 static time_t last_log = 0;
2323
1697269c
SK		 2324 if (oldest && wait)
2325 *wait = oldest->time + (time_t)TIMEOUT - now;
0da5e897
MSB		 2326
2327 if ((int)difftime(now, last_log) > 5)
2328 {
2329 last_log = now;
2330 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
2331 }
2332
9e4abcb5
SK		 2333 return NULL;
2334 }
1697269c
SK		 2335
2336 if (!(f = allocate_frec(now)) && wait)
2337 /* wait one second on malloc failure */
2338 *wait = 1;
9e4abcb5 2339
9e4abcb5
SK		 2340 return f; /* OK if malloc fails and this is NULL */
2341}
2342
832af0ba 2343/* crc is all-ones if not known. */
8a9be9e4 2344static struct frec *lookup_frec(unsigned short id, void *hash)
9e4abcb5
SK		 2345{
2346 struct frec *f;
2347
1a6bca81 2348 for(f = daemon->frec_list; f; f = f->next)
832af0ba 2349 if (f->sentto && f->new_id == id &&
8a9be9e4 2350 (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
9e4abcb5
SK		 2351 return f;
2352
2353 return NULL;
2354}
2355
2356static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481 2357 union mysockaddr *addr,
8a9be9e4 2358 void *hash)
9e4abcb5 2359{
feba5c1d
SK		 2360 struct frec *f;
2361
1a6bca81 2362 for(f = daemon->frec_list; f; f = f->next)
832af0ba 2363 if (f->sentto &&
9e4abcb5 2364 f->orig_id == id &&
8a9be9e4 2365 memcmp(hash, f->hash, HASH_SIZE) == 0 &&
9e4abcb5
SK		 2366 sockaddr_isequal(&f->source, addr))
2367 return f;
2368
2369 return NULL;
2370}
47a95169
SK		 2371
2372/* Send query packet again, if we can. */
2373void resend_query()
2374{
2375 if (daemon->srv_save)
2376 {
2377 int fd;
2378
2379 if (daemon->srv_save->sfd)
2380 fd = daemon->srv_save->sfd->fd;
2381 else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
2382 fd = daemon->rfd_save->fd;
2383 else
2384 return;
2385
ff841ebf
SK		 2386 while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
2387 &daemon->srv_save->addr.sa,
2388 sa_len(&daemon->srv_save->addr))));
47a95169
SK		 2389 }
2390}
9e4abcb5 2391
849a8357 2392/* A server record is going away, remove references to it */
5aabfc78 2393void server_gone(struct server *server)
849a8357
SK		 2394{
2395 struct frec *f;
2396
1a6bca81 2397 for (f = daemon->frec_list; f; f = f->next)
832af0ba 2398 if (f->sentto && f->sentto == server)
1a6bca81 2399 free_frec(f);
849a8357
SK		 2400
2401 if (daemon->last_server == server)
2402 daemon->last_server = NULL;
2403
2404 if (daemon->srv_save == server)
2405 daemon->srv_save = NULL;
2406}
9e4abcb5 2407
316e2730 2408/* return unique random ids. */
8a9be9e4 2409static unsigned short get_id(void)
9e4abcb5
SK		 2410{
2411 unsigned short ret = 0;
832af0ba 2412
316e2730 2413 do
832af0ba 2414 ret = rand16();
8a9be9e4 2415 while (lookup_frec(ret, NULL));
832af0ba 2416
9e4abcb5
SK		 2417 return ret;
2418}
2419
2420
2421
2422
2423
Michael's tree of dnsmasq.