]>
Commit | Line | Data |
---|---|---|
1 | /* | |
2 | * This file is part of PowerDNS or dnsdist. | |
3 | * Copyright -- PowerDNS.COM B.V. and its contributors | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of version 2 of the GNU General Public License as | |
7 | * published by the Free Software Foundation. | |
8 | * | |
9 | * In addition, for the avoidance of any doubt, permission is granted to | |
10 | * link this program with OpenSSL and to (re)distribute the binaries | |
11 | * produced as the result of such linking. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, | |
14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | * GNU General Public License for more details. | |
17 | * | |
18 | * You should have received a copy of the GNU General Public License | |
19 | * along with this program; if not, write to the Free Software | |
20 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
21 | */ | |
22 | #ifdef HAVE_CONFIG_H | |
23 | #include "config.h" | |
24 | #endif | |
25 | ||
26 | #include "arguments.hh" | |
27 | #include "cachecleaner.hh" | |
28 | #include "dns_random.hh" | |
29 | #include "dnsparser.hh" | |
30 | #include "dnsrecords.hh" | |
31 | #include "ednssubnet.hh" | |
32 | #include "logger.hh" | |
33 | #include "lua-recursor4.hh" | |
34 | #include "rec-lua-conf.hh" | |
35 | #include "syncres.hh" | |
36 | #include "dnsseckeeper.hh" | |
37 | #include "validate-recursor.hh" | |
38 | ||
39 | thread_local SyncRes::ThreadLocalStorage SyncRes::t_sstorage; | |
40 | thread_local std::unique_ptr<addrringbuf_t> t_timeouts; | |
41 | ||
42 | std::unordered_set<DNSName> SyncRes::s_delegationOnly; | |
43 | std::unique_ptr<NetmaskGroup> SyncRes::s_dontQuery{nullptr}; | |
44 | NetmaskGroup SyncRes::s_ednslocalsubnets; | |
45 | NetmaskGroup SyncRes::s_ednsremotesubnets; | |
46 | SuffixMatchNode SyncRes::s_ednsdomains; | |
47 | EDNSSubnetOpts SyncRes::s_ecsScopeZero; | |
48 | string SyncRes::s_serverID; | |
49 | SyncRes::LogMode SyncRes::s_lm; | |
50 | ||
51 | unsigned int SyncRes::s_maxnegttl; | |
52 | unsigned int SyncRes::s_maxbogusttl; | |
53 | unsigned int SyncRes::s_maxcachettl; | |
54 | unsigned int SyncRes::s_maxqperq; | |
55 | unsigned int SyncRes::s_maxtotusec; | |
56 | unsigned int SyncRes::s_maxdepth; | |
57 | unsigned int SyncRes::s_minimumTTL; | |
58 | unsigned int SyncRes::s_packetcachettl; | |
59 | unsigned int SyncRes::s_packetcacheservfailttl; | |
60 | unsigned int SyncRes::s_serverdownmaxfails; | |
61 | unsigned int SyncRes::s_serverdownthrottletime; | |
62 | std::atomic<uint64_t> SyncRes::s_authzonequeries; | |
63 | std::atomic<uint64_t> SyncRes::s_queries; | |
64 | std::atomic<uint64_t> SyncRes::s_outgoingtimeouts; | |
65 | std::atomic<uint64_t> SyncRes::s_outgoing4timeouts; | |
66 | std::atomic<uint64_t> SyncRes::s_outgoing6timeouts; | |
67 | std::atomic<uint64_t> SyncRes::s_outqueries; | |
68 | std::atomic<uint64_t> SyncRes::s_tcpoutqueries; | |
69 | std::atomic<uint64_t> SyncRes::s_throttledqueries; | |
70 | std::atomic<uint64_t> SyncRes::s_dontqueries; | |
71 | std::atomic<uint64_t> SyncRes::s_nodelegated; | |
72 | std::atomic<uint64_t> SyncRes::s_unreachables; | |
73 | std::atomic<uint64_t> SyncRes::s_ecsqueries; | |
74 | std::atomic<uint64_t> SyncRes::s_ecsresponses; | |
75 | uint8_t SyncRes::s_ecsipv4limit; | |
76 | uint8_t SyncRes::s_ecsipv6limit; | |
77 | bool SyncRes::s_doIPv6; | |
78 | bool SyncRes::s_nopacketcache; | |
79 | bool SyncRes::s_rootNXTrust; | |
80 | bool SyncRes::s_noEDNS; | |
81 | ||
82 | #define LOG(x) if(d_lm == Log) { g_log <<Logger::Warning << x; } else if(d_lm == Store) { d_trace << x; } | |
83 | ||
84 | static void accountAuthLatency(int usec, int family) | |
85 | { | |
86 | if(family == AF_INET) { | |
87 | if(usec < 1000) | |
88 | g_stats.auth4Answers0_1++; | |
89 | else if(usec < 10000) | |
90 | g_stats.auth4Answers1_10++; | |
91 | else if(usec < 100000) | |
92 | g_stats.auth4Answers10_100++; | |
93 | else if(usec < 1000000) | |
94 | g_stats.auth4Answers100_1000++; | |
95 | else | |
96 | g_stats.auth4AnswersSlow++; | |
97 | } else { | |
98 | if(usec < 1000) | |
99 | g_stats.auth6Answers0_1++; | |
100 | else if(usec < 10000) | |
101 | g_stats.auth6Answers1_10++; | |
102 | else if(usec < 100000) | |
103 | g_stats.auth6Answers10_100++; | |
104 | else if(usec < 1000000) | |
105 | g_stats.auth6Answers100_1000++; | |
106 | else | |
107 | g_stats.auth6AnswersSlow++; | |
108 | } | |
109 | ||
110 | } | |
111 | ||
112 | ||
113 | SyncRes::SyncRes(const struct timeval& now) : d_authzonequeries(0), d_outqueries(0), d_tcpoutqueries(0), d_throttledqueries(0), d_timeouts(0), d_unreachables(0), | |
114 | d_totUsec(0), d_now(now), | |
115 | d_cacheonly(false), d_doDNSSEC(false), d_doEDNS0(false), d_lm(s_lm) | |
116 | ||
117 | { | |
118 | } | |
119 | ||
120 | /** everything begins here - this is the entry point just after receiving a packet */ | |
121 | int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qclass, vector<DNSRecord>&ret) | |
122 | { | |
123 | vState state = Indeterminate; | |
124 | s_queries++; | |
125 | d_wasVariable=false; | |
126 | d_wasOutOfBand=false; | |
127 | ||
128 | if (doSpecialNamesResolve(qname, qtype, qclass, ret)) { | |
129 | d_queryValidationState = Insecure; // this could fool our stats into thinking a validation took place | |
130 | return 0; // so do check before updating counters (we do now) | |
131 | } | |
132 | ||
133 | auto qtypeCode = qtype.getCode(); | |
134 | /* rfc6895 section 3.1 */ | |
135 | if ((qtypeCode >= 128 && qtypeCode <= 254) || qtypeCode == QType::RRSIG || qtypeCode == QType::NSEC3 || qtypeCode == QType::OPT || qtypeCode == 65535) { | |
136 | return -1; | |
137 | } | |
138 | ||
139 | if(qclass==QClass::ANY) | |
140 | qclass=QClass::IN; | |
141 | else if(qclass!=QClass::IN) | |
142 | return -1; | |
143 | ||
144 | set<GetBestNSAnswer> beenthere; | |
145 | int res=doResolve(qname, qtype, ret, 0, beenthere, state); | |
146 | d_queryValidationState = state; | |
147 | ||
148 | if (shouldValidate()) { | |
149 | if (d_queryValidationState != Indeterminate) { | |
150 | g_stats.dnssecValidations++; | |
151 | } | |
152 | increaseDNSSECStateCounter(d_queryValidationState); | |
153 | } | |
154 | ||
155 | return res; | |
156 | } | |
157 | ||
158 | /*! Handles all special, built-in names | |
159 | * Fills ret with an answer and returns true if it handled the query. | |
160 | * | |
161 | * Handles the following queries (and their ANY variants): | |
162 | * | |
163 | * - localhost. IN A | |
164 | * - localhost. IN AAAA | |
165 | * - 1.0.0.127.in-addr.arpa. IN PTR | |
166 | * - 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. IN PTR | |
167 | * - version.bind. CH TXT | |
168 | * - version.pdns. CH TXT | |
169 | * - id.server. CH TXT | |
170 | */ | |
171 | bool SyncRes::doSpecialNamesResolve(const DNSName &qname, const QType &qtype, const uint16_t qclass, vector<DNSRecord> &ret) | |
172 | { | |
173 | static const DNSName arpa("1.0.0.127.in-addr.arpa."), ip6_arpa("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."), | |
174 | localhost("localhost."), versionbind("version.bind."), idserver("id.server."), versionpdns("version.pdns."); | |
175 | ||
176 | bool handled = false; | |
177 | vector<pair<QType::typeenum, string> > answers; | |
178 | ||
179 | if ((qname == arpa || qname == ip6_arpa) && | |
180 | qclass == QClass::IN) { | |
181 | handled = true; | |
182 | if (qtype == QType::PTR || qtype == QType::ANY) | |
183 | answers.push_back({QType::PTR, "localhost."}); | |
184 | } | |
185 | ||
186 | if (qname == localhost && | |
187 | qclass == QClass::IN) { | |
188 | handled = true; | |
189 | if (qtype == QType::A || qtype == QType::ANY) | |
190 | answers.push_back({QType::A, "127.0.0.1"}); | |
191 | if (qtype == QType::AAAA || qtype == QType::ANY) | |
192 | answers.push_back({QType::AAAA, "::1"}); | |
193 | } | |
194 | ||
195 | if ((qname == versionbind || qname == idserver || qname == versionpdns) && | |
196 | qclass == QClass::CHAOS) { | |
197 | handled = true; | |
198 | if (qtype == QType::TXT || qtype == QType::ANY) { | |
199 | if(qname == versionbind || qname == versionpdns) | |
200 | answers.push_back({QType::TXT, "\""+::arg()["version-string"]+"\""}); | |
201 | else if (s_serverID != "disabled") | |
202 | answers.push_back({QType::TXT, "\""+s_serverID+"\""}); | |
203 | } | |
204 | } | |
205 | ||
206 | if (handled && !answers.empty()) { | |
207 | ret.clear(); | |
208 | d_wasOutOfBand=true; | |
209 | ||
210 | DNSRecord dr; | |
211 | dr.d_name = qname; | |
212 | dr.d_place = DNSResourceRecord::ANSWER; | |
213 | dr.d_class = qclass; | |
214 | dr.d_ttl = 86400; | |
215 | for (const auto& ans : answers) { | |
216 | dr.d_type = ans.first; | |
217 | dr.d_content = DNSRecordContent::mastermake(ans.first, qclass, ans.second); | |
218 | ret.push_back(dr); | |
219 | } | |
220 | } | |
221 | ||
222 | return handled; | |
223 | } | |
224 | ||
225 | ||
226 | //! This is the 'out of band resolver', in other words, the authoritative server | |
227 | void SyncRes::AuthDomain::addSOA(std::vector<DNSRecord>& records) const | |
228 | { | |
229 | SyncRes::AuthDomain::records_t::const_iterator ziter = d_records.find(boost::make_tuple(getName(), QType::SOA)); | |
230 | if (ziter != d_records.end()) { | |
231 | DNSRecord dr = *ziter; | |
232 | dr.d_place = DNSResourceRecord::AUTHORITY; | |
233 | records.push_back(dr); | |
234 | } | |
235 | else { | |
236 | // cerr<<qname<<": can't find SOA record '"<<getName()<<"' in our zone!"<<endl; | |
237 | } | |
238 | } | |
239 | ||
240 | int SyncRes::AuthDomain::getRecords(const DNSName& qname, uint16_t qtype, std::vector<DNSRecord>& records) const | |
241 | { | |
242 | int result = RCode::NoError; | |
243 | records.clear(); | |
244 | ||
245 | // partial lookup | |
246 | std::pair<records_t::const_iterator,records_t::const_iterator> range = d_records.equal_range(tie(qname)); | |
247 | ||
248 | SyncRes::AuthDomain::records_t::const_iterator ziter; | |
249 | bool somedata = false; | |
250 | ||
251 | for(ziter = range.first; ziter != range.second; ++ziter) { | |
252 | somedata = true; | |
253 | ||
254 | if(qtype == QType::ANY || ziter->d_type == qtype || ziter->d_type == QType::CNAME) { | |
255 | // let rest of nameserver do the legwork on this one | |
256 | records.push_back(*ziter); | |
257 | } | |
258 | else if (ziter->d_type == QType::NS && ziter->d_name.countLabels() > getName().countLabels()) { | |
259 | // we hit a delegation point! | |
260 | DNSRecord dr = *ziter; | |
261 | dr.d_place=DNSResourceRecord::AUTHORITY; | |
262 | records.push_back(dr); | |
263 | } | |
264 | } | |
265 | ||
266 | if (!records.empty()) { | |
267 | /* We have found an exact match, we're done */ | |
268 | // cerr<<qname<<": exact match in zone '"<<getName()<<"'"<<endl; | |
269 | return result; | |
270 | } | |
271 | ||
272 | if (somedata) { | |
273 | /* We have records for that name, but not of the wanted qtype */ | |
274 | // cerr<<qname<<": found record in '"<<getName()<<"', but nothing of the right type, sending SOA"<<endl; | |
275 | addSOA(records); | |
276 | ||
277 | return result; | |
278 | } | |
279 | ||
280 | // cerr<<qname<<": nothing found so far in '"<<getName()<<"', trying wildcards"<<endl; | |
281 | DNSName wcarddomain(qname); | |
282 | while(wcarddomain != getName() && wcarddomain.chopOff()) { | |
283 | // cerr<<qname<<": trying '*."<<wcarddomain<<"' in "<<getName()<<endl; | |
284 | range = d_records.equal_range(boost::make_tuple(g_wildcarddnsname + wcarddomain)); | |
285 | if (range.first==range.second) | |
286 | continue; | |
287 | ||
288 | for(ziter = range.first; ziter != range.second; ++ziter) { | |
289 | DNSRecord dr = *ziter; | |
290 | // if we hit a CNAME, just answer that - rest of recursor will do the needful & follow | |
291 | if(dr.d_type == qtype || qtype == QType::ANY || dr.d_type == QType::CNAME) { | |
292 | dr.d_name = qname; | |
293 | dr.d_place = DNSResourceRecord::ANSWER; | |
294 | records.push_back(dr); | |
295 | } | |
296 | } | |
297 | ||
298 | if (records.empty()) { | |
299 | addSOA(records); | |
300 | } | |
301 | ||
302 | // cerr<<qname<<": in '"<<getName()<<"', had wildcard match on '*."<<wcarddomain<<"'"<<endl; | |
303 | return result; | |
304 | } | |
305 | ||
306 | /* Nothing for this name, no wildcard, let's see if there is some NS */ | |
307 | DNSName nsdomain(qname); | |
308 | while (nsdomain.chopOff() && nsdomain != getName()) { | |
309 | range = d_records.equal_range(boost::make_tuple(nsdomain,QType::NS)); | |
310 | if(range.first == range.second) | |
311 | continue; | |
312 | ||
313 | for(ziter = range.first; ziter != range.second; ++ziter) { | |
314 | DNSRecord dr = *ziter; | |
315 | dr.d_place = DNSResourceRecord::AUTHORITY; | |
316 | records.push_back(dr); | |
317 | } | |
318 | } | |
319 | ||
320 | if(records.empty()) { | |
321 | // cerr<<qname<<": no NS match in zone '"<<getName()<<"' either, handing out SOA"<<endl; | |
322 | addSOA(records); | |
323 | result = RCode::NXDomain; | |
324 | } | |
325 | ||
326 | return result; | |
327 | } | |
328 | ||
329 | bool SyncRes::doOOBResolve(const AuthDomain& domain, const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, int& res) | |
330 | { | |
331 | d_authzonequeries++; | |
332 | s_authzonequeries++; | |
333 | ||
334 | res = domain.getRecords(qname, qtype.getCode(), ret); | |
335 | return true; | |
336 | } | |
337 | ||
338 | bool SyncRes::doOOBResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int& res) | |
339 | { | |
340 | string prefix; | |
341 | if(doLog()) { | |
342 | prefix=d_prefix; | |
343 | prefix.append(depth, ' '); | |
344 | } | |
345 | ||
346 | DNSName authdomain(qname); | |
347 | domainmap_t::const_iterator iter=getBestAuthZone(&authdomain); | |
348 | if(iter==t_sstorage.domainmap->end() || !iter->second.isAuth()) { | |
349 | LOG(prefix<<qname<<": auth storage has no zone for this query!"<<endl); | |
350 | return false; | |
351 | } | |
352 | ||
353 | LOG(prefix<<qname<<": auth storage has data, zone='"<<authdomain<<"'"<<endl); | |
354 | return doOOBResolve(iter->second, qname, qtype, ret, res); | |
355 | } | |
356 | ||
357 | uint64_t SyncRes::doEDNSDump(int fd) | |
358 | { | |
359 | auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(dup(fd), "w"), fclose); | |
360 | if (!fp) { | |
361 | return 0; | |
362 | } | |
363 | uint64_t count = 0; | |
364 | ||
365 | fprintf(fp.get(),"; edns from thread follows\n;\n"); | |
366 | for(const auto& eds : t_sstorage.ednsstatus) { | |
367 | count++; | |
368 | fprintf(fp.get(), "%s\t%d\t%s", eds.first.toString().c_str(), (int)eds.second.mode, ctime(&eds.second.modeSetAt)); | |
369 | } | |
370 | return count; | |
371 | } | |
372 | ||
373 | uint64_t SyncRes::doDumpNSSpeeds(int fd) | |
374 | { | |
375 | auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(dup(fd), "w"), fclose); | |
376 | if(!fp) | |
377 | return 0; | |
378 | fprintf(fp.get(), "; nsspeed dump from thread follows\n;\n"); | |
379 | uint64_t count=0; | |
380 | ||
381 | for(const auto& i : t_sstorage.nsSpeeds) | |
382 | { | |
383 | count++; | |
384 | ||
385 | // an <empty> can appear hear in case of authoritative (hosted) zones | |
386 | fprintf(fp.get(), "%s -> ", i.first.toLogString().c_str()); | |
387 | for(const auto& j : i.second.d_collection) | |
388 | { | |
389 | // typedef vector<pair<ComboAddress, DecayingEwma> > collection_t; | |
390 | fprintf(fp.get(), "%s/%f ", j.first.toString().c_str(), j.second.peek()); | |
391 | } | |
392 | fprintf(fp.get(), "\n"); | |
393 | } | |
394 | return count; | |
395 | } | |
396 | ||
397 | uint64_t SyncRes::doDumpThrottleMap(int fd) | |
398 | { | |
399 | auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(dup(fd), "w"), fclose); | |
400 | if(!fp) | |
401 | return 0; | |
402 | fprintf(fp.get(), "; throttle map dump follows\n"); | |
403 | fprintf(fp.get(), "; remote IP\tqname\tqtype\tcount\tttd\n"); | |
404 | uint64_t count=0; | |
405 | ||
406 | const auto& throttleMap = t_sstorage.throttle.getThrottleMap(); | |
407 | for(const auto& i : throttleMap) | |
408 | { | |
409 | count++; | |
410 | // remote IP, dns name, qtype, count, ttd | |
411 | fprintf(fp.get(), "%s\t%s\t%d\t%u\t%s", i.first.get<0>().toString().c_str(), i.first.get<1>().toLogString().c_str(), i.first.get<2>(), i.second.count, ctime(&i.second.ttd)); | |
412 | } | |
413 | ||
414 | return count; | |
415 | } | |
416 | ||
417 | /* so here is the story. First we complete the full resolution process for a domain name. And only THEN do we decide | |
418 | to also do DNSSEC validation, which leads to new queries. To make this simple, we *always* ask for DNSSEC records | |
419 | so that if there are RRSIGs for a name, we'll have them. | |
420 | ||
421 | However, some hosts simply can't answer questions which ask for DNSSEC. This can manifest itself as: | |
422 | * No answer | |
423 | * FormErr | |
424 | * Nonsense answer | |
425 | ||
426 | The cause of "No answer" may be fragmentation, and it is tempting to probe if smaller answers would get through. | |
427 | Another cause of "No answer" may simply be a network condition. | |
428 | Nonsense answers are a clearer indication this host won't be able to do DNSSEC evah. | |
429 | ||
430 | Previous implementations have suffered from turning off DNSSEC questions for an authoritative server based on timeouts. | |
431 | A clever idea is to only turn off DNSSEC if we know a domain isn't signed anyhow. The problem with that really | |
432 | clever idea however is that at this point in PowerDNS, we may simply not know that yet. All the DNSSEC thinking happens | |
433 | elsewhere. It may not have happened yet. | |
434 | ||
435 | For now this means we can't be clever, but will turn off DNSSEC if you reply with FormError or gibberish. | |
436 | */ | |
437 | ||
438 | int SyncRes::asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res, bool* chained) const | |
439 | { | |
440 | /* what is your QUEST? | |
441 | the goal is to get as many remotes as possible on the highest level of EDNS support | |
442 | The levels are: | |
443 | ||
444 | 0) UNKNOWN Unknown state | |
445 | 1) EDNS: Honors EDNS0 | |
446 | 2) EDNSIGNORANT: Ignores EDNS0, gives replies without EDNS0 | |
447 | 3) NOEDNS: Generates FORMERR on EDNS queries | |
448 | ||
449 | Everybody starts out assumed to be '0'. | |
450 | If '0', send out EDNS0 | |
451 | If you FORMERR us, go to '3', | |
452 | If no EDNS in response, go to '2' | |
453 | If '1', send out EDNS0 | |
454 | If FORMERR, downgrade to 3 | |
455 | If '2', keep on including EDNS0, see what happens | |
456 | Same behaviour as 0 | |
457 | If '3', send bare queries | |
458 | */ | |
459 | ||
460 | SyncRes::EDNSStatus* ednsstatus; | |
461 | ednsstatus = &t_sstorage.ednsstatus[ip]; // does this include port? YES | |
462 | ||
463 | if(ednsstatus->modeSetAt && ednsstatus->modeSetAt + 3600 < d_now.tv_sec) { | |
464 | *ednsstatus=SyncRes::EDNSStatus(); | |
465 | // cerr<<"Resetting EDNS Status for "<<ip.toString()<<endl); | |
466 | } | |
467 | ||
468 | SyncRes::EDNSStatus::EDNSMode& mode=ednsstatus->mode; | |
469 | SyncRes::EDNSStatus::EDNSMode oldmode = mode; | |
470 | int EDNSLevel = 0; | |
471 | auto luaconfsLocal = g_luaconfs.getLocal(); | |
472 | ResolveContext ctx; | |
473 | #ifdef HAVE_PROTOBUF | |
474 | ctx.d_initialRequestId = d_initialRequestId; | |
475 | #endif | |
476 | ||
477 | int ret; | |
478 | for(int tries = 0; tries < 3; ++tries) { | |
479 | // cerr<<"Remote '"<<ip.toString()<<"' currently in mode "<<mode<<endl; | |
480 | ||
481 | if(mode==EDNSStatus::NOEDNS) { | |
482 | g_stats.noEdnsOutQueries++; | |
483 | EDNSLevel = 0; // level != mode | |
484 | } | |
485 | else if(ednsMANDATORY || mode==EDNSStatus::UNKNOWN || mode==EDNSStatus::EDNSOK || mode==EDNSStatus::EDNSIGNORANT) | |
486 | EDNSLevel = 1; | |
487 | ||
488 | DNSName sendQname(domain); | |
489 | if (g_lowercaseOutgoing) | |
490 | sendQname.makeUsLowerCase(); | |
491 | ||
492 | if (d_asyncResolve) { | |
493 | ret = d_asyncResolve(ip, sendQname, type, doTCP, sendRDQuery, EDNSLevel, now, srcmask, ctx, res, chained); | |
494 | } | |
495 | else { | |
496 | ret=asyncresolve(ip, sendQname, type, doTCP, sendRDQuery, EDNSLevel, now, srcmask, ctx, d_outgoingProtobufServers, luaconfsLocal->outgoingProtobufExportConfig.exportTypes, res, chained); | |
497 | } | |
498 | if(ret < 0) { | |
499 | return ret; // transport error, nothing to learn here | |
500 | } | |
501 | ||
502 | if(ret == 0) { // timeout, not doing anything with it now | |
503 | return ret; | |
504 | } | |
505 | else if(mode==EDNSStatus::UNKNOWN || mode==EDNSStatus::EDNSOK || mode == EDNSStatus::EDNSIGNORANT ) { | |
506 | if(res->d_validpacket && !res->d_haveEDNS && res->d_rcode == RCode::FormErr) { | |
507 | // cerr<<"Downgrading to NOEDNS because of "<<RCode::to_s(res->d_rcode)<<" for query to "<<ip.toString()<<" for '"<<domain<<"'"<<endl; | |
508 | mode = EDNSStatus::NOEDNS; | |
509 | continue; | |
510 | } | |
511 | else if(!res->d_haveEDNS) { | |
512 | if(mode != EDNSStatus::EDNSIGNORANT) { | |
513 | mode = EDNSStatus::EDNSIGNORANT; | |
514 | // cerr<<"We find that "<<ip.toString()<<" is an EDNS-ignorer for '"<<domain<<"', moving to mode 2"<<endl; | |
515 | } | |
516 | } | |
517 | else { | |
518 | mode = EDNSStatus::EDNSOK; | |
519 | // cerr<<"We find that "<<ip.toString()<<" is EDNS OK!"<<endl; | |
520 | } | |
521 | ||
522 | } | |
523 | if(oldmode != mode || !ednsstatus->modeSetAt) | |
524 | ednsstatus->modeSetAt=d_now.tv_sec; | |
525 | // cerr<<"Result: ret="<<ret<<", EDNS-level: "<<EDNSLevel<<", haveEDNS: "<<res->d_haveEDNS<<", new mode: "<<mode<<endl; | |
526 | return ret; | |
527 | } | |
528 | return ret; | |
529 | } | |
530 | ||
531 | /*! This function will check the cache and go out to the internet if the answer is not in cache | |
532 | * | |
533 | * \param qname The name we need an answer for | |
534 | * \param qtype | |
535 | * \param ret The vector of DNSRecords we need to fill with the answers | |
536 | * \param depth The recursion depth we are in | |
537 | * \param beenthere | |
538 | * \return DNS RCODE or -1 (Error) or -2 (RPZ hit) | |
539 | */ | |
540 | int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere, vState& state) | |
541 | { | |
542 | string prefix; | |
543 | if(doLog()) { | |
544 | prefix=d_prefix; | |
545 | prefix.append(depth, ' '); | |
546 | } | |
547 | ||
548 | LOG(prefix<<qname<<": Wants "<< (d_doDNSSEC ? "" : "NO ") << "DNSSEC processing, "<<(d_requireAuthData ? "" : "NO ")<<"auth data in query for "<<qtype.getName()<<endl); | |
549 | ||
550 | state = Indeterminate; | |
551 | ||
552 | if(s_maxdepth && depth > s_maxdepth) | |
553 | throw ImmediateServFailException("More than "+std::to_string(s_maxdepth)+" (max-recursion-depth) levels of recursion needed while resolving "+qname.toLogString()); | |
554 | ||
555 | int res=0; | |
556 | ||
557 | // This is a difficult way of expressing "this is a normal query", i.e. not getRootNS. | |
558 | if(!(d_updatingRootNS && qtype.getCode()==QType::NS && qname.isRoot())) { | |
559 | if(d_cacheonly) { // very limited OOB support | |
560 | LWResult lwr; | |
561 | LOG(prefix<<qname<<": Recursion not requested for '"<<qname<<"|"<<qtype.getName()<<"', peeking at auth/forward zones"<<endl); | |
562 | DNSName authname(qname); | |
563 | domainmap_t::const_iterator iter=getBestAuthZone(&authname); | |
564 | if(iter != t_sstorage.domainmap->end()) { | |
565 | if(iter->second.isAuth()) { | |
566 | ret.clear(); | |
567 | d_wasOutOfBand = doOOBResolve(qname, qtype, ret, depth, res); | |
568 | return res; | |
569 | } | |
570 | else { | |
571 | const vector<ComboAddress>& servers = iter->second.d_servers; | |
572 | const ComboAddress remoteIP = servers.front(); | |
573 | LOG(prefix<<qname<<": forwarding query to hardcoded nameserver '"<< remoteIP.toStringWithPort()<<"' for zone '"<<authname<<"'"<<endl); | |
574 | ||
575 | boost::optional<Netmask> nm; | |
576 | bool chained = false; | |
577 | res=asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, qtype.getCode(), false, false, &d_now, nm, &lwr, &chained); | |
578 | ||
579 | d_totUsec += lwr.d_usec; | |
580 | accountAuthLatency(lwr.d_usec, remoteIP.sin4.sin_family); | |
581 | ||
582 | // filter out the good stuff from lwr.result() | |
583 | if (res == 1) { | |
584 | for(const auto& rec : lwr.d_records) { | |
585 | if(rec.d_place == DNSResourceRecord::ANSWER) | |
586 | ret.push_back(rec); | |
587 | } | |
588 | return 0; | |
589 | } | |
590 | else { | |
591 | return RCode::ServFail; | |
592 | } | |
593 | } | |
594 | } | |
595 | } | |
596 | ||
597 | DNSName authname(qname); | |
598 | bool wasForwardedOrAuthZone = false; | |
599 | bool wasAuthZone = false; | |
600 | bool wasForwardRecurse = false; | |
601 | domainmap_t::const_iterator iter = getBestAuthZone(&authname); | |
602 | if(iter != t_sstorage.domainmap->end()) { | |
603 | const auto& domain = iter->second; | |
604 | wasForwardedOrAuthZone = true; | |
605 | ||
606 | if (domain.isAuth()) { | |
607 | wasAuthZone = true; | |
608 | } else if (domain.shouldRecurse()) { | |
609 | wasForwardRecurse = true; | |
610 | } | |
611 | } | |
612 | ||
613 | if(!d_skipCNAMECheck && doCNAMECacheCheck(qname, qtype, ret, depth, res, state, wasAuthZone, wasForwardRecurse)) { // will reroute us if needed | |
614 | d_wasOutOfBand = wasAuthZone; | |
615 | return res; | |
616 | } | |
617 | ||
618 | if(doCacheCheck(qname, authname, wasForwardedOrAuthZone, wasAuthZone, wasForwardRecurse, qtype, ret, depth, res, state)) { | |
619 | // we done | |
620 | d_wasOutOfBand = wasAuthZone; | |
621 | return res; | |
622 | } | |
623 | } | |
624 | ||
625 | if(d_cacheonly) | |
626 | return 0; | |
627 | ||
628 | LOG(prefix<<qname<<": No cache hit for '"<<qname<<"|"<<qtype.getName()<<"', trying to find an appropriate NS record"<<endl); | |
629 | ||
630 | DNSName subdomain(qname); | |
631 | if(qtype == QType::DS) subdomain.chopOff(); | |
632 | ||
633 | NsSet nsset; | |
634 | bool flawedNSSet=false; | |
635 | ||
636 | /* we use subdomain here instead of qname because for DS queries we only care about the state of the parent zone */ | |
637 | computeZoneCuts(subdomain, g_rootdnsname, depth); | |
638 | ||
639 | // the two retries allow getBestNSNamesFromCache&co to reprime the root | |
640 | // hints, in case they ever go missing | |
641 | for(int tries=0;tries<2 && nsset.empty();++tries) { | |
642 | subdomain=getBestNSNamesFromCache(subdomain, qtype, nsset, &flawedNSSet, depth, beenthere); // pass beenthere to both occasions | |
643 | } | |
644 | ||
645 | state = getValidationStatus(qname, false); | |
646 | ||
647 | LOG(prefix<<qname<<": initial validation status for "<<qname<<" is "<<vStates[state]<<endl); | |
648 | ||
649 | if(!(res=doResolveAt(nsset, subdomain, flawedNSSet, qname, qtype, ret, depth, beenthere, state))) | |
650 | return 0; | |
651 | ||
652 | LOG(prefix<<qname<<": failed (res="<<res<<")"<<endl); | |
653 | ||
654 | if (res == -2) | |
655 | return res; | |
656 | ||
657 | return res<0 ? RCode::ServFail : res; | |
658 | } | |
659 | ||
660 | #if 0 | |
661 | // for testing purposes | |
662 | static bool ipv6First(const ComboAddress& a, const ComboAddress& b) | |
663 | { | |
664 | return !(a.sin4.sin_family < a.sin4.sin_family); | |
665 | } | |
666 | #endif | |
667 | ||
668 | struct speedOrderCA | |
669 | { | |
670 | speedOrderCA(std::map<ComboAddress,double>& speeds): d_speeds(speeds) {} | |
671 | bool operator()(const ComboAddress& a, const ComboAddress& b) const | |
672 | { | |
673 | return d_speeds[a] < d_speeds[b]; | |
674 | } | |
675 | std::map<ComboAddress, double>& d_speeds; | |
676 | }; | |
677 | ||
678 | /** This function explicitly goes out for A or AAAA addresses | |
679 | */ | |
680 | vector<ComboAddress> SyncRes::getAddrs(const DNSName &qname, unsigned int depth, set<GetBestNSAnswer>& beenthere, bool cacheOnly) | |
681 | { | |
682 | typedef vector<DNSRecord> res_t; | |
683 | typedef vector<ComboAddress> ret_t; | |
684 | ret_t ret; | |
685 | ||
686 | bool oldCacheOnly = d_cacheonly; | |
687 | bool oldRequireAuthData = d_requireAuthData; | |
688 | bool oldValidationRequested = d_DNSSECValidationRequested; | |
689 | d_requireAuthData = false; | |
690 | d_DNSSECValidationRequested = false; | |
691 | d_cacheonly = cacheOnly; | |
692 | ||
693 | vState newState = Indeterminate; | |
694 | res_t resv4; | |
695 | // If IPv4 ever becomes second class, we should revisit this | |
696 | if (doResolve(qname, QType::A, resv4, depth+1, beenthere, newState) == 0) { // this consults cache, OR goes out | |
697 | for (auto i = resv4.cbegin(); i != resv4.end(); ++i) { | |
698 | if (i->d_type == QType::A) { | |
699 | if (auto rec = getRR<ARecordContent>(*i)) { | |
700 | ret.push_back(rec->getCA(53)); | |
701 | } | |
702 | } | |
703 | } | |
704 | } | |
705 | if (s_doIPv6) { | |
706 | if (ret.empty()) { | |
707 | // We did not find IPv4 addresses, try to get IPv6 ones | |
708 | newState = Indeterminate; | |
709 | res_t resv6; | |
710 | if (doResolve(qname, QType::AAAA, resv6, depth+1, beenthere, newState) == 0) { // this consults cache, OR goes out | |
711 | for (auto i = resv6.cbegin(); i != resv6.end(); ++i) { | |
712 | if (i->d_type == QType::AAAA) { | |
713 | if (auto rec = getRR<AAAARecordContent>(*i)) | |
714 | ret.push_back(rec->getCA(53)); | |
715 | } | |
716 | } | |
717 | } | |
718 | } else { | |
719 | // We have some IPv4 records, don't bother with going out to get IPv6, but do consult the cache | |
720 | // Once IPv6 adoption matters, this needs to be revisited | |
721 | res_t cset; | |
722 | if (t_RC->get(d_now.tv_sec, qname, QType(QType::AAAA), false, &cset, d_cacheRemote) > 0) { | |
723 | for (auto k = cset.cbegin(); k != cset.cend(); ++k) { | |
724 | if (k->d_ttl > (unsigned int)d_now.tv_sec ) { | |
725 | if (auto rec = getRR<AAAARecordContent>(*k)) { | |
726 | ret.push_back(rec->getCA(53)); | |
727 | } | |
728 | } | |
729 | } | |
730 | } | |
731 | } | |
732 | } | |
733 | ||
734 | d_requireAuthData = oldRequireAuthData; | |
735 | d_DNSSECValidationRequested = oldValidationRequested; | |
736 | d_cacheonly = oldCacheOnly; | |
737 | ||
738 | /* we need to remove from the nsSpeeds collection the existing IPs | |
739 | for this nameserver that are no longer in the set, even if there | |
740 | is only one or none at all in the current set. | |
741 | */ | |
742 | map<ComboAddress, double> speeds; | |
743 | auto& collection = t_sstorage.nsSpeeds[qname].d_collection; | |
744 | for(const auto& val: ret) { | |
745 | speeds[val] = collection[val].get(&d_now); | |
746 | } | |
747 | ||
748 | t_sstorage.nsSpeeds[qname].purge(speeds); | |
749 | ||
750 | if(ret.size() > 1) { | |
751 | random_shuffle(ret.begin(), ret.end(), dns_random); | |
752 | speedOrderCA so(speeds); | |
753 | stable_sort(ret.begin(), ret.end(), so); | |
754 | ||
755 | if(doLog()) { | |
756 | string prefix=d_prefix; | |
757 | prefix.append(depth, ' '); | |
758 | LOG(prefix<<"Nameserver "<<qname<<" IPs: "); | |
759 | bool first = true; | |
760 | for(const auto& addr : ret) { | |
761 | if (first) { | |
762 | first = false; | |
763 | } | |
764 | else { | |
765 | LOG(", "); | |
766 | } | |
767 | LOG((addr.toString())<<"(" << (boost::format("%0.2f") % (speeds[addr]/1000.0)).str() <<"ms)"); | |
768 | } | |
769 | LOG(endl); | |
770 | } | |
771 | } | |
772 | ||
773 | return ret; | |
774 | } | |
775 | ||
776 | void SyncRes::getBestNSFromCache(const DNSName &qname, const QType& qtype, vector<DNSRecord>& bestns, bool* flawedNSSet, unsigned int depth, set<GetBestNSAnswer>& beenthere) | |
777 | { | |
778 | string prefix; | |
779 | DNSName subdomain(qname); | |
780 | if(doLog()) { | |
781 | prefix=d_prefix; | |
782 | prefix.append(depth, ' '); | |
783 | } | |
784 | bestns.clear(); | |
785 | bool brokeloop; | |
786 | do { | |
787 | brokeloop=false; | |
788 | LOG(prefix<<qname<<": Checking if we have NS in cache for '"<<subdomain<<"'"<<endl); | |
789 | vector<DNSRecord> ns; | |
790 | *flawedNSSet = false; | |
791 | ||
792 | if(t_RC->get(d_now.tv_sec, subdomain, QType(QType::NS), false, &ns, d_cacheRemote) > 0) { | |
793 | for(auto k=ns.cbegin();k!=ns.cend(); ++k) { | |
794 | if(k->d_ttl > (unsigned int)d_now.tv_sec ) { | |
795 | vector<DNSRecord> aset; | |
796 | ||
797 | const DNSRecord& dr=*k; | |
798 | auto nrr = getRR<NSRecordContent>(dr); | |
799 | if(nrr && (!nrr->getNS().isPartOf(subdomain) || t_RC->get(d_now.tv_sec, nrr->getNS(), s_doIPv6 ? QType(QType::ADDR) : QType(QType::A), | |
800 | false, doLog() ? &aset : 0, d_cacheRemote) > 5)) { | |
801 | bestns.push_back(dr); | |
802 | LOG(prefix<<qname<<": NS (with ip, or non-glue) in cache for '"<<subdomain<<"' -> '"<<nrr->getNS()<<"'"<<endl); | |
803 | LOG(prefix<<qname<<": within bailiwick: "<< nrr->getNS().isPartOf(subdomain)); | |
804 | if(!aset.empty()) { | |
805 | LOG(", in cache, ttl="<<(unsigned int)(((time_t)aset.begin()->d_ttl- d_now.tv_sec ))<<endl); | |
806 | } | |
807 | else { | |
808 | LOG(", not in cache / did not look at cache"<<endl); | |
809 | } | |
810 | } | |
811 | else { | |
812 | *flawedNSSet=true; | |
813 | LOG(prefix<<qname<<": NS in cache for '"<<subdomain<<"', but needs glue ("<<nrr->getNS()<<") which we miss or is expired"<<endl); | |
814 | } | |
815 | } | |
816 | } | |
817 | ||
818 | if(!bestns.empty()) { | |
819 | GetBestNSAnswer answer; | |
820 | answer.qname=qname; | |
821 | answer.qtype=qtype.getCode(); | |
822 | for(const auto& dr : bestns) { | |
823 | if (auto nsContent = getRR<NSRecordContent>(dr)) { | |
824 | answer.bestns.insert(make_pair(dr.d_name, nsContent->getNS())); | |
825 | } | |
826 | } | |
827 | ||
828 | if(beenthere.count(answer)) { | |
829 | brokeloop=true; | |
830 | LOG(prefix<<qname<<": We have NS in cache for '"<<subdomain<<"' but part of LOOP (already seen "<<answer.qname<<")! Trying less specific NS"<<endl); | |
831 | ; | |
832 | if(doLog()) | |
833 | for( set<GetBestNSAnswer>::const_iterator j=beenthere.begin();j!=beenthere.end();++j) { | |
834 | bool neo = !(*j< answer || answer<*j); | |
835 | LOG(prefix<<qname<<": beenthere"<<(neo?"*":"")<<": "<<j->qname<<"|"<<DNSRecordContent::NumberToType(j->qtype)<<" ("<<(unsigned int)j->bestns.size()<<")"<<endl); | |
836 | } | |
837 | bestns.clear(); | |
838 | } | |
839 | else { | |
840 | beenthere.insert(answer); | |
841 | LOG(prefix<<qname<<": We have NS in cache for '"<<subdomain<<"' (flawedNSSet="<<*flawedNSSet<<")"<<endl); | |
842 | return; | |
843 | } | |
844 | } | |
845 | } | |
846 | LOG(prefix<<qname<<": no valid/useful NS in cache for '"<<subdomain<<"'"<<endl); | |
847 | ||
848 | if(subdomain.isRoot() && !brokeloop) { | |
849 | // We lost the root NS records | |
850 | primeHints(); | |
851 | LOG(prefix<<qname<<": reprimed the root"<<endl); | |
852 | /* let's prevent an infinite loop */ | |
853 | if (!d_updatingRootNS) { | |
854 | getRootNS(d_now, d_asyncResolve); | |
855 | } | |
856 | } | |
857 | } while(subdomain.chopOff()); | |
858 | } | |
859 | ||
860 | SyncRes::domainmap_t::const_iterator SyncRes::getBestAuthZone(DNSName* qname) const | |
861 | { | |
862 | SyncRes::domainmap_t::const_iterator ret; | |
863 | do { | |
864 | ret=t_sstorage.domainmap->find(*qname); | |
865 | if(ret!=t_sstorage.domainmap->end()) | |
866 | break; | |
867 | }while(qname->chopOff()); | |
868 | return ret; | |
869 | } | |
870 | ||
871 | /** doesn't actually do the work, leaves that to getBestNSFromCache */ | |
872 | DNSName SyncRes::getBestNSNamesFromCache(const DNSName &qname, const QType& qtype, NsSet& nsset, bool* flawedNSSet, unsigned int depth, set<GetBestNSAnswer>&beenthere) | |
873 | { | |
874 | DNSName subdomain(qname); | |
875 | DNSName authdomain(qname); | |
876 | ||
877 | domainmap_t::const_iterator iter=getBestAuthZone(&authdomain); | |
878 | if(iter!=t_sstorage.domainmap->end()) { | |
879 | if( iter->second.isAuth() ) | |
880 | // this gets picked up in doResolveAt, the empty DNSName, combined with the | |
881 | // empty vector means 'we are auth for this zone' | |
882 | nsset.insert({DNSName(), {{}, false}}); | |
883 | else { | |
884 | // Again, picked up in doResolveAt. An empty DNSName, combined with a | |
885 | // non-empty vector of ComboAddresses means 'this is a forwarded domain' | |
886 | // This is actually picked up in retrieveAddressesForNS called from doResolveAt. | |
887 | nsset.insert({DNSName(), {iter->second.d_servers, iter->second.shouldRecurse() }}); | |
888 | } | |
889 | return authdomain; | |
890 | } | |
891 | ||
892 | vector<DNSRecord> bestns; | |
893 | getBestNSFromCache(subdomain, qtype, bestns, flawedNSSet, depth, beenthere); | |
894 | ||
895 | for(auto k=bestns.cbegin() ; k != bestns.cend(); ++k) { | |
896 | // The actual resolver code will not even look at the ComboAddress or bool | |
897 | const auto nsContent = getRR<NSRecordContent>(*k); | |
898 | if (nsContent) { | |
899 | nsset.insert({nsContent->getNS(), {{}, false}}); | |
900 | if(k==bestns.cbegin()) | |
901 | subdomain=k->d_name; | |
902 | } | |
903 | } | |
904 | return subdomain; | |
905 | } | |
906 | ||
907 | void SyncRes::updateValidationStatusInCache(const DNSName &qname, const QType& qt, bool aa, vState newState) const | |
908 | { | |
909 | if (newState == Bogus) { | |
910 | t_RC->updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, aa, newState, s_maxbogusttl + d_now.tv_sec); | |
911 | } | |
912 | else { | |
913 | t_RC->updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, aa, newState, boost::none); | |
914 | } | |
915 | } | |
916 | ||
917 | bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>& ret, unsigned int depth, int &res, vState& state, bool wasAuthZone, bool wasForwardRecurse) | |
918 | { | |
919 | string prefix; | |
920 | if(doLog()) { | |
921 | prefix=d_prefix; | |
922 | prefix.append(depth, ' '); | |
923 | } | |
924 | ||
925 | if((depth>9 && d_outqueries>10 && d_throttledqueries>5) || depth > 15) { | |
926 | LOG(prefix<<qname<<": recursing (CNAME or other indirection) too deep, depth="<<depth<<endl); | |
927 | res=RCode::ServFail; | |
928 | return true; | |
929 | } | |
930 | ||
931 | LOG(prefix<<qname<<": Looking for CNAME cache hit of '"<<qname<<"|CNAME"<<"'"<<endl); | |
932 | vector<DNSRecord> cset; | |
933 | vector<std::shared_ptr<RRSIGRecordContent>> signatures; | |
934 | vector<std::shared_ptr<DNSRecord>> authorityRecs; | |
935 | bool wasAuth; | |
936 | uint32_t capTTL = std::numeric_limits<uint32_t>::max(); | |
937 | /* we don't require auth data for forward-recurse lookups */ | |
938 | if(t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) { | |
939 | ||
940 | for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) { | |
941 | if (j->d_class != QClass::IN) { | |
942 | continue; | |
943 | } | |
944 | ||
945 | if(j->d_ttl>(unsigned int) d_now.tv_sec) { | |
946 | ||
947 | if (!wasAuthZone && shouldValidate() && (wasAuth || wasForwardRecurse) && state == Indeterminate && d_requireAuthData) { | |
948 | /* This means we couldn't figure out the state when this entry was cached, | |
949 | most likely because we hadn't computed the zone cuts yet. */ | |
950 | /* make sure they are computed before validating */ | |
951 | DNSName subdomain(qname); | |
952 | /* if we are retrieving a DS, we only care about the state of the parent zone */ | |
953 | if(qtype == QType::DS) | |
954 | subdomain.chopOff(); | |
955 | ||
956 | computeZoneCuts(subdomain, g_rootdnsname, depth); | |
957 | ||
958 | vState recordState = getValidationStatus(qname, false); | |
959 | if (recordState == Secure) { | |
960 | LOG(prefix<<qname<<": got Indeterminate state from the CNAME cache, validating.."<<endl); | |
961 | state = SyncRes::validateRecordsWithSigs(depth, qname, QType(QType::CNAME), qname, cset, signatures); | |
962 | if (state != Indeterminate) { | |
963 | LOG(prefix<<qname<<": got Indeterminate state from the CNAME cache, new validation result is "<<vStates[state]<<endl); | |
964 | if (state == Bogus) { | |
965 | capTTL = s_maxbogusttl; | |
966 | } | |
967 | updateValidationStatusInCache(qname, QType(QType::CNAME), wasAuth, state); | |
968 | } | |
969 | } | |
970 | } | |
971 | ||
972 | LOG(prefix<<qname<<": Found cache CNAME hit for '"<< qname << "|CNAME" <<"' to '"<<j->d_content->getZoneRepresentation()<<"', validation state is "<<vStates[state]<<endl); | |
973 | ||
974 | DNSRecord dr=*j; | |
975 | dr.d_ttl -= d_now.tv_sec; | |
976 | dr.d_ttl = std::min(dr.d_ttl, capTTL); | |
977 | const uint32_t ttl = dr.d_ttl; | |
978 | ret.reserve(ret.size() + 1 + signatures.size() + authorityRecs.size()); | |
979 | ret.push_back(dr); | |
980 | ||
981 | for(const auto& signature : signatures) { | |
982 | DNSRecord sigdr; | |
983 | sigdr.d_type=QType::RRSIG; | |
984 | sigdr.d_name=qname; | |
985 | sigdr.d_ttl=ttl; | |
986 | sigdr.d_content=signature; | |
987 | sigdr.d_place=DNSResourceRecord::ANSWER; | |
988 | sigdr.d_class=QClass::IN; | |
989 | ret.push_back(sigdr); | |
990 | } | |
991 | ||
992 | for(const auto& rec : authorityRecs) { | |
993 | DNSRecord authDR(*rec); | |
994 | authDR.d_ttl=ttl; | |
995 | ret.push_back(authDR); | |
996 | } | |
997 | ||
998 | if(qtype != QType::CNAME) { // perhaps they really wanted a CNAME! | |
999 | set<GetBestNSAnswer>beenthere; | |
1000 | ||
1001 | vState cnameState = Indeterminate; | |
1002 | const auto cnameContent = getRR<CNAMERecordContent>(*j); | |
1003 | if (cnameContent) { | |
1004 | res=doResolve(cnameContent->getTarget(), qtype, ret, depth+1, beenthere, cnameState); | |
1005 | LOG(prefix<<qname<<": updating validation state for response to "<<qname<<" from "<<vStates[state]<<" with the state from the CNAME quest: "<<vStates[cnameState]<<endl); | |
1006 | updateValidationState(state, cnameState); | |
1007 | } | |
1008 | } | |
1009 | else | |
1010 | res=0; | |
1011 | ||
1012 | return true; | |
1013 | } | |
1014 | } | |
1015 | } | |
1016 | LOG(prefix<<qname<<": No CNAME cache hit of '"<< qname << "|CNAME" <<"' found"<<endl); | |
1017 | return false; | |
1018 | } | |
1019 | ||
1020 | namespace { | |
1021 | struct CacheEntry | |
1022 | { | |
1023 | vector<DNSRecord> records; | |
1024 | vector<shared_ptr<RRSIGRecordContent>> signatures; | |
1025 | uint32_t signaturesTTL{std::numeric_limits<uint32_t>::max()}; | |
1026 | }; | |
1027 | struct CacheKey | |
1028 | { | |
1029 | DNSName name; | |
1030 | uint16_t type; | |
1031 | DNSResourceRecord::Place place; | |
1032 | bool operator<(const CacheKey& rhs) const { | |
1033 | return tie(name, type, place) < tie(rhs.name, rhs.type, rhs.place); | |
1034 | } | |
1035 | }; | |
1036 | typedef map<CacheKey, CacheEntry> tcache_t; | |
1037 | } | |
1038 | ||
1039 | static void reapRecordsFromNegCacheEntryForValidation(tcache_t& tcache, const vector<DNSRecord>& records) | |
1040 | { | |
1041 | for (const auto& rec : records) { | |
1042 | if (rec.d_type == QType::RRSIG) { | |
1043 | auto rrsig = getRR<RRSIGRecordContent>(rec); | |
1044 | if (rrsig) { | |
1045 | tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signatures.push_back(rrsig); | |
1046 | } | |
1047 | } else { | |
1048 | tcache[{rec.d_name,rec.d_type,rec.d_place}].records.push_back(rec); | |
1049 | } | |
1050 | } | |
1051 | } | |
1052 | ||
1053 | /*! | |
1054 | * Convience function to push the records from records into ret with a new TTL | |
1055 | * | |
1056 | * \param records DNSRecords that need to go into ret | |
1057 | * \param ttl The new TTL for these records | |
1058 | * \param ret The vector of DNSRecords that should contian the records with the modified TTL | |
1059 | */ | |
1060 | static void addTTLModifiedRecords(const vector<DNSRecord>& records, const uint32_t ttl, vector<DNSRecord>& ret) { | |
1061 | for (const auto& rec : records) { | |
1062 | DNSRecord r(rec); | |
1063 | r.d_ttl = ttl; | |
1064 | ret.push_back(r); | |
1065 | } | |
1066 | } | |
1067 | ||
1068 | void SyncRes::computeNegCacheValidationStatus(const NegCache::NegCacheEntry* ne, const DNSName& qname, const QType& qtype, const int res, vState& state, unsigned int depth) | |
1069 | { | |
1070 | DNSName subdomain(qname); | |
1071 | /* if we are retrieving a DS, we only care about the state of the parent zone */ | |
1072 | if(qtype == QType::DS) | |
1073 | subdomain.chopOff(); | |
1074 | ||
1075 | computeZoneCuts(subdomain, g_rootdnsname, depth); | |
1076 | ||
1077 | tcache_t tcache; | |
1078 | reapRecordsFromNegCacheEntryForValidation(tcache, ne->authoritySOA.records); | |
1079 | reapRecordsFromNegCacheEntryForValidation(tcache, ne->authoritySOA.signatures); | |
1080 | reapRecordsFromNegCacheEntryForValidation(tcache, ne->DNSSECRecords.records); | |
1081 | reapRecordsFromNegCacheEntryForValidation(tcache, ne->DNSSECRecords.signatures); | |
1082 | ||
1083 | for (const auto& entry : tcache) { | |
1084 | // this happens when we did store signatures, but passed on the records themselves | |
1085 | if (entry.second.records.empty()) { | |
1086 | continue; | |
1087 | } | |
1088 | ||
1089 | const DNSName& owner = entry.first.name; | |
1090 | ||
1091 | vState recordState = getValidationStatus(owner, false); | |
1092 | if (state == Indeterminate) { | |
1093 | state = recordState; | |
1094 | } | |
1095 | ||
1096 | if (recordState == Secure) { | |
1097 | recordState = SyncRes::validateRecordsWithSigs(depth, qname, qtype, owner, entry.second.records, entry.second.signatures); | |
1098 | } | |
1099 | ||
1100 | if (recordState != Indeterminate && recordState != state) { | |
1101 | updateValidationState(state, recordState); | |
1102 | if (state != Secure) { | |
1103 | break; | |
1104 | } | |
1105 | } | |
1106 | } | |
1107 | ||
1108 | if (state == Secure) { | |
1109 | vState neValidationState = ne->d_validationState; | |
1110 | dState expectedState = res == RCode::NXDomain ? NXDOMAIN : NXQTYPE; | |
1111 | dState denialState = getDenialValidationState(*ne, state, expectedState, false); | |
1112 | updateDenialValidationState(neValidationState, ne->d_name, state, denialState, expectedState, qtype == QType::DS); | |
1113 | } | |
1114 | if (state != Indeterminate) { | |
1115 | /* validation succeeded, let's update the cache entry so we don't have to validate again */ | |
1116 | boost::optional<uint32_t> capTTD = boost::none; | |
1117 | if (state == Bogus) { | |
1118 | capTTD = d_now.tv_sec + s_maxbogusttl; | |
1119 | } | |
1120 | t_sstorage.negcache.updateValidationStatus(ne->d_name, ne->d_qtype, state, capTTD); | |
1121 | } | |
1122 | } | |
1123 | ||
1124 | bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool wasForwardedOrAuthZone, bool wasAuthZone, bool wasForwardRecurse, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int &res, vState& state) | |
1125 | { | |
1126 | bool giveNegative=false; | |
1127 | ||
1128 | string prefix; | |
1129 | if(doLog()) { | |
1130 | prefix=d_prefix; | |
1131 | prefix.append(depth, ' '); | |
1132 | } | |
1133 | ||
1134 | // sqname and sqtype are used contain 'higher' names if we have them (e.g. powerdns.com|SOA when we find a negative entry for doesnotexists.powerdns.com|A) | |
1135 | DNSName sqname(qname); | |
1136 | QType sqt(qtype); | |
1137 | uint32_t sttl=0; | |
1138 | // cout<<"Lookup for '"<<qname<<"|"<<qtype.getName()<<"' -> "<<getLastLabel(qname)<<endl; | |
1139 | vState cachedState; | |
1140 | const NegCache::NegCacheEntry* ne = nullptr; | |
1141 | ||
1142 | if(s_rootNXTrust && | |
1143 | t_sstorage.negcache.getRootNXTrust(qname, d_now, &ne) && | |
1144 | ne->d_auth.isRoot() && | |
1145 | !(wasForwardedOrAuthZone && !authname.isRoot())) { // when forwarding, the root may only neg-cache if it was forwarded to. | |
1146 | sttl = ne->d_ttd - d_now.tv_sec; | |
1147 | LOG(prefix<<qname<<": Entire name '"<<qname<<"', is negatively cached via '"<<ne->d_auth<<"' & '"<<ne->d_name<<"' for another "<<sttl<<" seconds"<<endl); | |
1148 | res = RCode::NXDomain; | |
1149 | giveNegative = true; | |
1150 | cachedState = ne->d_validationState; | |
1151 | } | |
1152 | else if (t_sstorage.negcache.get(qname, qtype, d_now, &ne)) { | |
1153 | /* If we are looking for a DS, discard NXD if auth == qname | |
1154 | and ask for a specific denial instead */ | |
1155 | if (qtype != QType::DS || ne->d_qtype.getCode() || ne->d_auth != qname || | |
1156 | t_sstorage.negcache.get(qname, qtype, d_now, &ne, true)) | |
1157 | { | |
1158 | res = 0; | |
1159 | sttl = ne->d_ttd - d_now.tv_sec; | |
1160 | giveNegative = true; | |
1161 | cachedState = ne->d_validationState; | |
1162 | if(ne->d_qtype.getCode()) { | |
1163 | LOG(prefix<<qname<<": "<<qtype.getName()<<" is negatively cached via '"<<ne->d_auth<<"' for another "<<sttl<<" seconds"<<endl); | |
1164 | res = RCode::NoError; | |
1165 | } | |
1166 | else { | |
1167 | LOG(prefix<<qname<<": Entire name '"<<qname<<"', is negatively cached via '"<<ne->d_auth<<"' for another "<<sttl<<" seconds"<<endl); | |
1168 | res = RCode::NXDomain; | |
1169 | } | |
1170 | } | |
1171 | } | |
1172 | ||
1173 | if (giveNegative) { | |
1174 | ||
1175 | state = cachedState; | |
1176 | ||
1177 | if (!wasAuthZone && shouldValidate() && state == Indeterminate) { | |
1178 | LOG(prefix<<qname<<": got Indeterminate state for records retrieved from the negative cache, validating.."<<endl); | |
1179 | computeNegCacheValidationStatus(ne, qname, qtype, res, state, depth); | |
1180 | ||
1181 | if (state != cachedState && state == Bogus) { | |
1182 | sttl = std::min(sttl, s_maxbogusttl); | |
1183 | } | |
1184 | } | |
1185 | ||
1186 | // Transplant SOA to the returned packet | |
1187 | addTTLModifiedRecords(ne->authoritySOA.records, sttl, ret); | |
1188 | if(d_doDNSSEC) { | |
1189 | addTTLModifiedRecords(ne->authoritySOA.signatures, sttl, ret); | |
1190 | addTTLModifiedRecords(ne->DNSSECRecords.records, sttl, ret); | |
1191 | addTTLModifiedRecords(ne->DNSSECRecords.signatures, sttl, ret); | |
1192 | } | |
1193 | ||
1194 | LOG(prefix<<qname<<": updating validation state with negative cache content for "<<qname<<" to "<<vStates[state]<<endl); | |
1195 | return true; | |
1196 | } | |
1197 | ||
1198 | vector<DNSRecord> cset; | |
1199 | bool found=false, expired=false; | |
1200 | vector<std::shared_ptr<RRSIGRecordContent>> signatures; | |
1201 | vector<std::shared_ptr<DNSRecord>> authorityRecs; | |
1202 | uint32_t ttl=0; | |
1203 | uint32_t capTTL = std::numeric_limits<uint32_t>::max(); | |
1204 | bool wasCachedAuth; | |
1205 | if(t_RC->get(d_now.tv_sec, sqname, sqt, !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &cachedState, &wasCachedAuth) > 0) { | |
1206 | ||
1207 | LOG(prefix<<sqname<<": Found cache hit for "<<sqt.getName()<<": "); | |
1208 | ||
1209 | if (!wasAuthZone && shouldValidate() && (wasCachedAuth || wasForwardRecurse) && cachedState == Indeterminate && d_requireAuthData) { | |
1210 | ||
1211 | /* This means we couldn't figure out the state when this entry was cached, | |
1212 | most likely because we hadn't computed the zone cuts yet. */ | |
1213 | /* make sure they are computed before validating */ | |
1214 | DNSName subdomain(sqname); | |
1215 | /* if we are retrieving a DS, we only care about the state of the parent zone */ | |
1216 | if(qtype == QType::DS) | |
1217 | subdomain.chopOff(); | |
1218 | ||
1219 | computeZoneCuts(subdomain, g_rootdnsname, depth); | |
1220 | ||
1221 | vState recordState = getValidationStatus(qname, false); | |
1222 | if (recordState == Secure) { | |
1223 | LOG(prefix<<sqname<<": got Indeterminate state from the cache, validating.."<<endl); | |
1224 | cachedState = SyncRes::validateRecordsWithSigs(depth, sqname, sqt, sqname, cset, signatures); | |
1225 | } | |
1226 | else { | |
1227 | cachedState = recordState; | |
1228 | } | |
1229 | ||
1230 | if (cachedState != Indeterminate) { | |
1231 | LOG(prefix<<qname<<": got Indeterminate state from the cache, validation result is "<<vStates[cachedState]<<endl); | |
1232 | if (cachedState == Bogus) { | |
1233 | capTTL = s_maxbogusttl; | |
1234 | } | |
1235 | updateValidationStatusInCache(sqname, sqt, wasCachedAuth, cachedState); | |
1236 | } | |
1237 | } | |
1238 | ||
1239 | for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) { | |
1240 | ||
1241 | LOG(j->d_content->getZoneRepresentation()); | |
1242 | ||
1243 | if (j->d_class != QClass::IN) { | |
1244 | continue; | |
1245 | } | |
1246 | ||
1247 | if(j->d_ttl>(unsigned int) d_now.tv_sec) { | |
1248 | DNSRecord dr=*j; | |
1249 | dr.d_ttl -= d_now.tv_sec; | |
1250 | dr.d_ttl = std::min(dr.d_ttl, capTTL); | |
1251 | ttl = dr.d_ttl; | |
1252 | ret.push_back(dr); | |
1253 | LOG("[ttl="<<dr.d_ttl<<"] "); | |
1254 | found=true; | |
1255 | } | |
1256 | else { | |
1257 | LOG("[expired] "); | |
1258 | expired=true; | |
1259 | } | |
1260 | } | |
1261 | ||
1262 | ret.reserve(ret.size() + signatures.size() + authorityRecs.size()); | |
1263 | ||
1264 | for(const auto& signature : signatures) { | |
1265 | DNSRecord dr; | |
1266 | dr.d_type=QType::RRSIG; | |
1267 | dr.d_name=sqname; | |
1268 | dr.d_ttl=ttl; | |
1269 | dr.d_content=signature; | |
1270 | dr.d_place = DNSResourceRecord::ANSWER; | |
1271 | dr.d_class=QClass::IN; | |
1272 | ret.push_back(dr); | |
1273 | } | |
1274 | ||
1275 | for(const auto& rec : authorityRecs) { | |
1276 | DNSRecord dr(*rec); | |
1277 | dr.d_ttl=ttl; | |
1278 | ret.push_back(dr); | |
1279 | } | |
1280 | ||
1281 | LOG(endl); | |
1282 | if(found && !expired) { | |
1283 | if (!giveNegative) | |
1284 | res=0; | |
1285 | LOG(prefix<<qname<<": updating validation state with cache content for "<<qname<<" to "<<vStates[cachedState]<<endl); | |
1286 | state = cachedState; | |
1287 | return true; | |
1288 | } | |
1289 | else | |
1290 | LOG(prefix<<qname<<": cache had only stale entries"<<endl); | |
1291 | } | |
1292 | ||
1293 | return false; | |
1294 | } | |
1295 | ||
1296 | bool SyncRes::moreSpecificThan(const DNSName& a, const DNSName &b) const | |
1297 | { | |
1298 | return (a.isPartOf(b) && a.countLabels() > b.countLabels()); | |
1299 | } | |
1300 | ||
1301 | struct speedOrder | |
1302 | { | |
1303 | speedOrder(map<DNSName,double> &speeds) : d_speeds(speeds) {} | |
1304 | bool operator()(const DNSName &a, const DNSName &b) const | |
1305 | { | |
1306 | return d_speeds[a] < d_speeds[b]; | |
1307 | } | |
1308 | map<DNSName, double>& d_speeds; | |
1309 | }; | |
1310 | ||
1311 | inline vector<DNSName> SyncRes::shuffleInSpeedOrder(NsSet &tnameservers, const string &prefix) | |
1312 | { | |
1313 | vector<DNSName> rnameservers; | |
1314 | rnameservers.reserve(tnameservers.size()); | |
1315 | for(const auto& tns: tnameservers) { | |
1316 | rnameservers.push_back(tns.first); | |
1317 | if(tns.first.empty()) // this was an authoritative OOB zone, don't pollute the nsSpeeds with that | |
1318 | return rnameservers; | |
1319 | } | |
1320 | map<DNSName, double> speeds; | |
1321 | ||
1322 | for(const auto& val: rnameservers) { | |
1323 | double speed; | |
1324 | speed=t_sstorage.nsSpeeds[val].get(&d_now); | |
1325 | speeds[val]=speed; | |
1326 | } | |
1327 | random_shuffle(rnameservers.begin(),rnameservers.end(), dns_random); | |
1328 | speedOrder so(speeds); | |
1329 | stable_sort(rnameservers.begin(),rnameservers.end(), so); | |
1330 | ||
1331 | if(doLog()) { | |
1332 | LOG(prefix<<"Nameservers: "); | |
1333 | for(vector<DNSName>::const_iterator i=rnameservers.begin();i!=rnameservers.end();++i) { | |
1334 | if(i!=rnameservers.begin()) { | |
1335 | LOG(", "); | |
1336 | if(!((i-rnameservers.begin())%3)) { | |
1337 | LOG(endl<<prefix<<" "); | |
1338 | } | |
1339 | } | |
1340 | LOG(i->toLogString()<<"(" << (boost::format("%0.2f") % (speeds[*i]/1000.0)).str() <<"ms)"); | |
1341 | } | |
1342 | LOG(endl); | |
1343 | } | |
1344 | return rnameservers; | |
1345 | } | |
1346 | ||
1347 | inline vector<ComboAddress> SyncRes::shuffleForwardSpeed(const vector<ComboAddress> &rnameservers, const string &prefix, const bool wasRd) | |
1348 | { | |
1349 | vector<ComboAddress> nameservers = rnameservers; | |
1350 | map<ComboAddress, double> speeds; | |
1351 | ||
1352 | for(const auto& val: nameservers) { | |
1353 | double speed; | |
1354 | DNSName nsName = DNSName(val.toStringWithPort()); | |
1355 | speed=t_sstorage.nsSpeeds[nsName].get(&d_now); | |
1356 | speeds[val]=speed; | |
1357 | } | |
1358 | random_shuffle(nameservers.begin(),nameservers.end(), dns_random); | |
1359 | speedOrderCA so(speeds); | |
1360 | stable_sort(nameservers.begin(),nameservers.end(), so); | |
1361 | ||
1362 | if(doLog()) { | |
1363 | LOG(prefix<<"Nameservers: "); | |
1364 | for(vector<ComboAddress>::const_iterator i=nameservers.cbegin();i!=nameservers.cend();++i) { | |
1365 | if(i!=nameservers.cbegin()) { | |
1366 | LOG(", "); | |
1367 | if(!((i-nameservers.cbegin())%3)) { | |
1368 | LOG(endl<<prefix<<" "); | |
1369 | } | |
1370 | } | |
1371 | LOG((wasRd ? string("+") : string("-")) << i->toStringWithPort() <<"(" << (boost::format("%0.2f") % (speeds[*i]/1000.0)).str() <<"ms)"); | |
1372 | } | |
1373 | LOG(endl); | |
1374 | } | |
1375 | return nameservers; | |
1376 | } | |
1377 | ||
1378 | static uint32_t getRRSIGTTL(const time_t now, const std::shared_ptr<RRSIGRecordContent>& rrsig) | |
1379 | { | |
1380 | uint32_t res = 0; | |
1381 | if (now < rrsig->d_sigexpire) { | |
1382 | res = static_cast<uint32_t>(rrsig->d_sigexpire) - now; | |
1383 | } | |
1384 | return res; | |
1385 | } | |
1386 | ||
1387 | static const set<uint16_t> nsecTypes = {QType::NSEC, QType::NSEC3}; | |
1388 | ||
1389 | /* Fills the authoritySOA and DNSSECRecords fields from ne with those found in the records | |
1390 | * | |
1391 | * \param records The records to parse for the authority SOA and NSEC(3) records | |
1392 | * \param ne The NegCacheEntry to be filled out (will not be cleared, only appended to | |
1393 | */ | |
1394 | static void harvestNXRecords(const vector<DNSRecord>& records, NegCache::NegCacheEntry& ne, const time_t now, uint32_t* lowestTTL) { | |
1395 | for(const auto& rec : records) { | |
1396 | if(rec.d_place != DNSResourceRecord::AUTHORITY) | |
1397 | // RFC 4035 section 3.1.3. indicates that NSEC records MUST be placed in | |
1398 | // the AUTHORITY section. Section 3.1.1 indicates that that RRSIGs for | |
1399 | // records MUST be in the same section as the records they cover. | |
1400 | // Hence, we ignore all records outside of the AUTHORITY section. | |
1401 | continue; | |
1402 | ||
1403 | if(rec.d_type == QType::RRSIG) { | |
1404 | auto rrsig = getRR<RRSIGRecordContent>(rec); | |
1405 | if(rrsig) { | |
1406 | if(rrsig->d_type == QType::SOA) { | |
1407 | ne.authoritySOA.signatures.push_back(rec); | |
1408 | if (lowestTTL && isRRSIGNotExpired(now, rrsig)) { | |
1409 | *lowestTTL = min(*lowestTTL, rec.d_ttl); | |
1410 | *lowestTTL = min(*lowestTTL, getRRSIGTTL(now, rrsig)); | |
1411 | } | |
1412 | } | |
1413 | if(nsecTypes.count(rrsig->d_type)) { | |
1414 | ne.DNSSECRecords.signatures.push_back(rec); | |
1415 | if (lowestTTL && isRRSIGNotExpired(now, rrsig)) { | |
1416 | *lowestTTL = min(*lowestTTL, rec.d_ttl); | |
1417 | *lowestTTL = min(*lowestTTL, getRRSIGTTL(now, rrsig)); | |
1418 | } | |
1419 | } | |
1420 | } | |
1421 | continue; | |
1422 | } | |
1423 | if(rec.d_type == QType::SOA) { | |
1424 | ne.authoritySOA.records.push_back(rec); | |
1425 | if (lowestTTL) { | |
1426 | *lowestTTL = min(*lowestTTL, rec.d_ttl); | |
1427 | } | |
1428 | continue; | |
1429 | } | |
1430 | if(nsecTypes.count(rec.d_type)) { | |
1431 | ne.DNSSECRecords.records.push_back(rec); | |
1432 | if (lowestTTL) { | |
1433 | *lowestTTL = min(*lowestTTL, rec.d_ttl); | |
1434 | } | |
1435 | continue; | |
1436 | } | |
1437 | } | |
1438 | } | |
1439 | ||
1440 | static cspmap_t harvestCSPFromNE(const NegCache::NegCacheEntry& ne) | |
1441 | { | |
1442 | cspmap_t cspmap; | |
1443 | for(const auto& rec : ne.DNSSECRecords.signatures) { | |
1444 | if(rec.d_type == QType::RRSIG) { | |
1445 | auto rrc = getRR<RRSIGRecordContent>(rec); | |
1446 | if (rrc) { | |
1447 | cspmap[{rec.d_name,rrc->d_type}].signatures.push_back(rrc); | |
1448 | } | |
1449 | } | |
1450 | } | |
1451 | for(const auto& rec : ne.DNSSECRecords.records) { | |
1452 | cspmap[{rec.d_name, rec.d_type}].records.push_back(rec.d_content); | |
1453 | } | |
1454 | return cspmap; | |
1455 | } | |
1456 | ||
1457 | // TODO remove after processRecords is fixed! | |
1458 | // Adds the RRSIG for the SOA and the NSEC(3) + RRSIGs to ret | |
1459 | static void addNXNSECS(vector<DNSRecord>&ret, const vector<DNSRecord>& records) | |
1460 | { | |
1461 | NegCache::NegCacheEntry ne; | |
1462 | harvestNXRecords(records, ne, 0, nullptr); | |
1463 | ret.insert(ret.end(), ne.authoritySOA.signatures.begin(), ne.authoritySOA.signatures.end()); | |
1464 | ret.insert(ret.end(), ne.DNSSECRecords.records.begin(), ne.DNSSECRecords.records.end()); | |
1465 | ret.insert(ret.end(), ne.DNSSECRecords.signatures.begin(), ne.DNSSECRecords.signatures.end()); | |
1466 | } | |
1467 | ||
1468 | bool SyncRes::nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& nameservers) | |
1469 | { | |
1470 | if(d_wantsRPZ) { | |
1471 | for (auto const &ns : nameservers) { | |
1472 | d_appliedPolicy = dfe.getProcessingPolicy(ns.first, d_discardedPolicies); | |
1473 | if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response | |
1474 | LOG(", however nameserver "<<ns.first<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl); | |
1475 | return true; | |
1476 | } | |
1477 | ||
1478 | // Traverse all IP addresses for this NS to see if they have an RPN NSIP policy | |
1479 | for (auto const &address : ns.second.first) { | |
1480 | d_appliedPolicy = dfe.getProcessingPolicy(address, d_discardedPolicies); | |
1481 | if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response | |
1482 | LOG(", however nameserver "<<ns.first<<" IP address "<<address.toString()<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl); | |
1483 | return true; | |
1484 | } | |
1485 | } | |
1486 | } | |
1487 | } | |
1488 | return false; | |
1489 | } | |
1490 | ||
1491 | bool SyncRes::nameserverIPBlockedByRPZ(const DNSFilterEngine& dfe, const ComboAddress& remoteIP) | |
1492 | { | |
1493 | if (d_wantsRPZ) { | |
1494 | d_appliedPolicy = dfe.getProcessingPolicy(remoteIP, d_discardedPolicies); | |
1495 | if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { | |
1496 | LOG(" (blocked by RPZ policy '"+(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")+"')"); | |
1497 | return true; | |
1498 | } | |
1499 | } | |
1500 | return false; | |
1501 | } | |
1502 | ||
1503 | vector<ComboAddress> SyncRes::retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<DNSName >::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<DNSName >& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly) | |
1504 | { | |
1505 | vector<ComboAddress> result; | |
1506 | ||
1507 | if(!tns->empty()) { | |
1508 | LOG(prefix<<qname<<": Trying to resolve NS '"<<*tns<< "' ("<<1+tns-rnameservers.begin()<<"/"<<(unsigned int)rnameservers.size()<<")"<<endl); | |
1509 | result = getAddrs(*tns, depth+2, beenthere, cacheOnly); | |
1510 | pierceDontQuery=false; | |
1511 | } | |
1512 | else { | |
1513 | LOG(prefix<<qname<<": Domain has hardcoded nameserver"); | |
1514 | ||
1515 | if(nameservers[*tns].first.size() > 1) { | |
1516 | LOG("s"); | |
1517 | } | |
1518 | LOG(endl); | |
1519 | ||
1520 | sendRDQuery = nameservers[*tns].second; | |
1521 | result = shuffleForwardSpeed(nameservers[*tns].first, doLog() ? (prefix+qname.toString()+": ") : string(), sendRDQuery); | |
1522 | pierceDontQuery=true; | |
1523 | } | |
1524 | return result; | |
1525 | } | |
1526 | ||
1527 | bool SyncRes::throttledOrBlocked(const std::string& prefix, const ComboAddress& remoteIP, const DNSName& qname, const QType& qtype, bool pierceDontQuery) | |
1528 | { | |
1529 | if(t_sstorage.throttle.shouldThrottle(d_now.tv_sec, boost::make_tuple(remoteIP, "", 0))) { | |
1530 | LOG(prefix<<qname<<": server throttled "<<endl); | |
1531 | s_throttledqueries++; d_throttledqueries++; | |
1532 | return true; | |
1533 | } | |
1534 | else if(t_sstorage.throttle.shouldThrottle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()))) { | |
1535 | LOG(prefix<<qname<<": query throttled "<<remoteIP.toString()<<", "<<qname<<"; "<<qtype.getName()<<endl); | |
1536 | s_throttledqueries++; d_throttledqueries++; | |
1537 | return true; | |
1538 | } | |
1539 | else if(!pierceDontQuery && s_dontQuery && s_dontQuery->match(&remoteIP)) { | |
1540 | LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ", blocked by 'dont-query' setting" << endl); | |
1541 | s_dontqueries++; | |
1542 | return true; | |
1543 | } | |
1544 | return false; | |
1545 | } | |
1546 | ||
1547 | bool SyncRes::validationEnabled() const | |
1548 | { | |
1549 | return g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate; | |
1550 | } | |
1551 | ||
1552 | uint32_t SyncRes::computeLowestTTD(const std::vector<DNSRecord>& records, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures, uint32_t signaturesTTL) const | |
1553 | { | |
1554 | uint32_t lowestTTD = std::numeric_limits<uint32_t>::max(); | |
1555 | for(const auto& record : records) | |
1556 | lowestTTD = min(lowestTTD, record.d_ttl); | |
1557 | ||
1558 | /* even if it was not requested for that request (Process, and neither AD nor DO set), | |
1559 | it might be requested at a later time so we need to be careful with the TTL. */ | |
1560 | if (validationEnabled() && !signatures.empty()) { | |
1561 | /* if we are validating, we don't want to cache records after their signatures expire. */ | |
1562 | /* records TTL are now TTD, let's add 'now' to the signatures lowest TTL */ | |
1563 | lowestTTD = min(lowestTTD, static_cast<uint32_t>(signaturesTTL + d_now.tv_sec)); | |
1564 | ||
1565 | for(const auto& sig : signatures) { | |
1566 | if (isRRSIGNotExpired(d_now.tv_sec, sig)) { | |
1567 | // we don't decerement d_sigexpire by 'now' because we actually want a TTD, not a TTL */ | |
1568 | lowestTTD = min(lowestTTD, static_cast<uint32_t>(sig->d_sigexpire)); | |
1569 | } | |
1570 | } | |
1571 | } | |
1572 | ||
1573 | return lowestTTD; | |
1574 | } | |
1575 | ||
1576 | void SyncRes::updateValidationState(vState& state, const vState stateUpdate) | |
1577 | { | |
1578 | LOG(d_prefix<<"validation state was "<<std::string(vStates[state])<<", state update is "<<std::string(vStates[stateUpdate])); | |
1579 | ||
1580 | if (stateUpdate == TA) { | |
1581 | state = Secure; | |
1582 | } | |
1583 | else if (stateUpdate == NTA) { | |
1584 | state = Insecure; | |
1585 | } | |
1586 | else if (stateUpdate == Bogus) { | |
1587 | state = Bogus; | |
1588 | } | |
1589 | else if (state == Indeterminate) { | |
1590 | state = stateUpdate; | |
1591 | } | |
1592 | else if (stateUpdate == Insecure) { | |
1593 | if (state != Bogus) { | |
1594 | state = Insecure; | |
1595 | } | |
1596 | } | |
1597 | LOG(", validation state is now "<<std::string(vStates[state])<<endl); | |
1598 | } | |
1599 | ||
1600 | vState SyncRes::getTA(const DNSName& zone, dsmap_t& ds) | |
1601 | { | |
1602 | auto luaLocal = g_luaconfs.getLocal(); | |
1603 | ||
1604 | if (luaLocal->dsAnchors.empty()) { | |
1605 | LOG(d_prefix<<": No trust anchors configured, everything is Insecure"<<endl); | |
1606 | /* We have no TA, everything is insecure */ | |
1607 | return Insecure; | |
1608 | } | |
1609 | ||
1610 | std::string reason; | |
1611 | if (haveNegativeTrustAnchor(luaLocal->negAnchors, zone, reason)) { | |
1612 | LOG(d_prefix<<": got NTA for '"<<zone<<"'"<<endl); | |
1613 | return NTA; | |
1614 | } | |
1615 | ||
1616 | if (getTrustAnchor(luaLocal->dsAnchors, zone, ds)) { | |
1617 | LOG(d_prefix<<": got TA for '"<<zone<<"'"<<endl); | |
1618 | return TA; | |
1619 | } | |
1620 | else { | |
1621 | LOG(d_prefix<<": no TA found for '"<<zone<<"' among "<< luaLocal->dsAnchors.size()<<endl); | |
1622 | } | |
1623 | ||
1624 | if (zone.isRoot()) { | |
1625 | /* No TA for the root */ | |
1626 | return Insecure; | |
1627 | } | |
1628 | ||
1629 | return Indeterminate; | |
1630 | } | |
1631 | ||
1632 | static size_t countSupportedDS(const dsmap_t& dsmap) | |
1633 | { | |
1634 | size_t count = 0; | |
1635 | ||
1636 | for (const auto& ds : dsmap) { | |
1637 | if (isSupportedDS(ds)) { | |
1638 | count++; | |
1639 | } | |
1640 | } | |
1641 | ||
1642 | return count; | |
1643 | } | |
1644 | ||
1645 | vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsigned int depth, bool bogusOnNXD, bool* foundCut) | |
1646 | { | |
1647 | vState result = getTA(zone, ds); | |
1648 | ||
1649 | if (result != Indeterminate || taOnly) { | |
1650 | if (foundCut) { | |
1651 | *foundCut = (result != Indeterminate); | |
1652 | } | |
1653 | ||
1654 | if (result == TA) { | |
1655 | if (countSupportedDS(ds) == 0) { | |
1656 | ds.clear(); | |
1657 | result = Insecure; | |
1658 | } | |
1659 | else { | |
1660 | result = Secure; | |
1661 | } | |
1662 | } | |
1663 | else if (result == NTA) { | |
1664 | result = Insecure; | |
1665 | } | |
1666 | ||
1667 | return result; | |
1668 | } | |
1669 | ||
1670 | bool oldSkipCNAME = d_skipCNAMECheck; | |
1671 | d_skipCNAMECheck = true; | |
1672 | ||
1673 | std::set<GetBestNSAnswer> beenthere; | |
1674 | std::vector<DNSRecord> dsrecords; | |
1675 | ||
1676 | vState state = Indeterminate; | |
1677 | int rcode = doResolve(zone, QType(QType::DS), dsrecords, depth + 1, beenthere, state); | |
1678 | d_skipCNAMECheck = oldSkipCNAME; | |
1679 | ||
1680 | if (rcode == RCode::NoError || (rcode == RCode::NXDomain && !bogusOnNXD)) { | |
1681 | ||
1682 | uint8_t bestDigestType = 0; | |
1683 | ||
1684 | if (state == Secure) { | |
1685 | bool gotCNAME = false; | |
1686 | for (const auto& record : dsrecords) { | |
1687 | if (record.d_type == QType::DS) { | |
1688 | const auto dscontent = getRR<DSRecordContent>(record); | |
1689 | if (dscontent && isSupportedDS(*dscontent)) { | |
1690 | // Make GOST a lower prio than SHA256 | |
1691 | if (dscontent->d_digesttype == DNSSECKeeper::GOST && bestDigestType == DNSSECKeeper::SHA256) { | |
1692 | continue; | |
1693 | } | |
1694 | if (dscontent->d_digesttype > bestDigestType || (bestDigestType == DNSSECKeeper::GOST && dscontent->d_digesttype == DNSSECKeeper::SHA256)) { | |
1695 | bestDigestType = dscontent->d_digesttype; | |
1696 | } | |
1697 | ds.insert(*dscontent); | |
1698 | } | |
1699 | } | |
1700 | else if (record.d_type == QType::CNAME && record.d_name == zone) { | |
1701 | gotCNAME = true; | |
1702 | } | |
1703 | } | |
1704 | ||
1705 | /* RFC 4509 section 3: "Validator implementations SHOULD ignore DS RRs containing SHA-1 | |
1706 | * digests if DS RRs with SHA-256 digests are present in the DS RRset." | |
1707 | * As SHA348 is specified as well, the spirit of the this line is "use the best algorithm". | |
1708 | */ | |
1709 | for (auto dsrec = ds.begin(); dsrec != ds.end(); ) { | |
1710 | if (dsrec->d_digesttype != bestDigestType) { | |
1711 | dsrec = ds.erase(dsrec); | |
1712 | } | |
1713 | else { | |
1714 | ++dsrec; | |
1715 | } | |
1716 | } | |
1717 | ||
1718 | if (rcode == RCode::NoError && ds.empty()) { | |
1719 | if (foundCut) { | |
1720 | if (gotCNAME || denialProvesNoDelegation(zone, dsrecords)) { | |
1721 | /* we are still inside the same Secure zone */ | |
1722 | ||
1723 | *foundCut = false; | |
1724 | return Secure; | |
1725 | } | |
1726 | ||
1727 | *foundCut = true; | |
1728 | } | |
1729 | ||
1730 | return Insecure; | |
1731 | } else if (foundCut && rcode == RCode::NoError && !ds.empty()) { | |
1732 | *foundCut = true; | |
1733 | } | |
1734 | } | |
1735 | ||
1736 | return state; | |
1737 | } | |
1738 | ||
1739 | LOG(d_prefix<<": returning Bogus state from "<<__func__<<"("<<zone<<")"<<endl); | |
1740 | return Bogus; | |
1741 | } | |
1742 | ||
1743 | bool SyncRes::haveExactValidationStatus(const DNSName& domain) | |
1744 | { | |
1745 | if (!shouldValidate()) { | |
1746 | return false; | |
1747 | } | |
1748 | const auto& it = d_cutStates.find(domain); | |
1749 | if (it != d_cutStates.cend()) { | |
1750 | return true; | |
1751 | } | |
1752 | return false; | |
1753 | } | |
1754 | ||
1755 | vState SyncRes::getValidationStatus(const DNSName& subdomain, bool allowIndeterminate) | |
1756 | { | |
1757 | vState result = Indeterminate; | |
1758 | ||
1759 | if (!shouldValidate()) { | |
1760 | return result; | |
1761 | } | |
1762 | DNSName name(subdomain); | |
1763 | do { | |
1764 | const auto& it = d_cutStates.find(name); | |
1765 | if (it != d_cutStates.cend()) { | |
1766 | if (allowIndeterminate || it->second != Indeterminate) { | |
1767 | LOG(d_prefix<<": got status "<<vStates[it->second]<<" for name "<<subdomain<<" (from "<<name<<")"<<endl); | |
1768 | return it->second; | |
1769 | } | |
1770 | } | |
1771 | } | |
1772 | while (name.chopOff()); | |
1773 | ||
1774 | return result; | |
1775 | } | |
1776 | ||
1777 | bool SyncRes::lookForCut(const DNSName& qname, unsigned int depth, const vState existingState, vState& newState) | |
1778 | { | |
1779 | bool foundCut = false; | |
1780 | dsmap_t ds; | |
1781 | vState dsState = getDSRecords(qname, ds, newState == Bogus || existingState == Insecure || existingState == Bogus, depth, false, &foundCut); | |
1782 | ||
1783 | if (dsState != Indeterminate) { | |
1784 | newState = dsState; | |
1785 | } | |
1786 | ||
1787 | return foundCut; | |
1788 | } | |
1789 | ||
1790 | void SyncRes::computeZoneCuts(const DNSName& begin, const DNSName& end, unsigned int depth) | |
1791 | { | |
1792 | if(!begin.isPartOf(end)) { | |
1793 | LOG(d_prefix<<" "<<begin.toLogString()<<" is not part of "<<end.toLogString()<<endl); | |
1794 | throw PDNSException(begin.toLogString() + " is not part of " + end.toLogString()); | |
1795 | } | |
1796 | ||
1797 | if (d_cutStates.count(begin) != 0) { | |
1798 | return; | |
1799 | } | |
1800 | ||
1801 | dsmap_t ds; | |
1802 | vState cutState = getDSRecords(end, ds, false, depth); | |
1803 | LOG(d_prefix<<": setting cut state for "<<end<<" to "<<vStates[cutState]<<endl); | |
1804 | d_cutStates[end] = cutState; | |
1805 | ||
1806 | if (!shouldValidate()) { | |
1807 | return; | |
1808 | } | |
1809 | ||
1810 | DNSName qname(end); | |
1811 | std::vector<string> labelsToAdd = begin.makeRelative(end).getRawLabels(); | |
1812 | ||
1813 | bool oldSkipCNAME = d_skipCNAMECheck; | |
1814 | d_skipCNAMECheck = true; | |
1815 | ||
1816 | while(qname != begin) { | |
1817 | if (labelsToAdd.empty()) | |
1818 | break; | |
1819 | ||
1820 | qname.prependRawLabel(labelsToAdd.back()); | |
1821 | labelsToAdd.pop_back(); | |
1822 | LOG(d_prefix<<": - Looking for a cut at "<<qname<<endl); | |
1823 | ||
1824 | const auto cutIt = d_cutStates.find(qname); | |
1825 | if (cutIt != d_cutStates.cend()) { | |
1826 | if (cutIt->second != Indeterminate) { | |
1827 | LOG(d_prefix<<": - Cut already known at "<<qname<<endl); | |
1828 | cutState = cutIt->second; | |
1829 | continue; | |
1830 | } | |
1831 | } | |
1832 | ||
1833 | /* no need to look for NS and DS if we are already insecure or bogus, | |
1834 | just look for (N)TA | |
1835 | */ | |
1836 | if (cutState == Insecure || cutState == Bogus) { | |
1837 | dsmap_t cutDS; | |
1838 | vState newState = getDSRecords(qname, cutDS, true, depth); | |
1839 | if (newState == Indeterminate) { | |
1840 | continue; | |
1841 | } | |
1842 | ||
1843 | LOG(d_prefix<<": New state for "<<qname<<" is "<<vStates[newState]<<endl); | |
1844 | cutState = newState; | |
1845 | ||
1846 | d_cutStates[qname] = cutState; | |
1847 | ||
1848 | continue; | |
1849 | } | |
1850 | ||
1851 | vState newState = Indeterminate; | |
1852 | /* temporarily mark as Indeterminate, so that we won't enter an endless loop | |
1853 | trying to determine that zone cut again. */ | |
1854 | d_cutStates[qname] = newState; | |
1855 | bool foundCut = lookForCut(qname, depth + 1, cutState, newState); | |
1856 | if (foundCut) { | |
1857 | LOG(d_prefix<<": - Found cut at "<<qname<<endl); | |
1858 | if (newState != Indeterminate) { | |
1859 | cutState = newState; | |
1860 | } | |
1861 | LOG(d_prefix<<": New state for "<<qname<<" is "<<vStates[cutState]<<endl); | |
1862 | d_cutStates[qname] = cutState; | |
1863 | } | |
1864 | else { | |
1865 | /* remove the temporary cut */ | |
1866 | LOG(d_prefix<<qname<<": removing cut state for "<<qname<<endl); | |
1867 | d_cutStates.erase(qname); | |
1868 | } | |
1869 | } | |
1870 | ||
1871 | d_skipCNAMECheck = oldSkipCNAME; | |
1872 | ||
1873 | LOG(d_prefix<<": list of cuts from "<<begin<<" to "<<end<<endl); | |
1874 | for (const auto& cut : d_cutStates) { | |
1875 | if (cut.first.isRoot() || (begin.isPartOf(cut.first) && cut.first.isPartOf(end))) { | |
1876 | LOG(" - "<<cut.first<<": "<<vStates[cut.second]<<endl); | |
1877 | } | |
1878 | } | |
1879 | } | |
1880 | ||
1881 | vState SyncRes::validateDNSKeys(const DNSName& zone, const std::vector<DNSRecord>& dnskeys, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures, unsigned int depth) | |
1882 | { | |
1883 | dsmap_t ds; | |
1884 | if (!signatures.empty()) { | |
1885 | DNSName signer = getSigner(signatures); | |
1886 | ||
1887 | if (!signer.empty() && zone.isPartOf(signer)) { | |
1888 | vState state = getDSRecords(signer, ds, false, depth); | |
1889 | ||
1890 | if (state != Secure) { | |
1891 | return state; | |
1892 | } | |
1893 | } | |
1894 | } | |
1895 | ||
1896 | skeyset_t tentativeKeys; | |
1897 | std::vector<shared_ptr<DNSRecordContent> > toSign; | |
1898 | ||
1899 | for (const auto& dnskey : dnskeys) { | |
1900 | if (dnskey.d_type == QType::DNSKEY) { | |
1901 | auto content = getRR<DNSKEYRecordContent>(dnskey); | |
1902 | if (content) { | |
1903 | tentativeKeys.insert(content); | |
1904 | toSign.push_back(content); | |
1905 | } | |
1906 | } | |
1907 | } | |
1908 | ||
1909 | LOG(d_prefix<<": trying to validate "<<std::to_string(tentativeKeys.size())<<" DNSKEYs with "<<std::to_string(ds.size())<<" DS"<<endl); | |
1910 | skeyset_t validatedKeys; | |
1911 | validateDNSKeysAgainstDS(d_now.tv_sec, zone, ds, tentativeKeys, toSign, signatures, validatedKeys); | |
1912 | ||
1913 | LOG(d_prefix<<": we now have "<<std::to_string(validatedKeys.size())<<" DNSKEYs"<<endl); | |
1914 | ||
1915 | /* if we found at least one valid RRSIG covering the set, | |
1916 | all tentative keys are validated keys. Otherwise it means | |
1917 | we haven't found at least one DNSKEY and a matching RRSIG | |
1918 | covering this set, this looks Bogus. */ | |
1919 | if (validatedKeys.size() != tentativeKeys.size()) { | |
1920 | LOG(d_prefix<<": returning Bogus state from "<<__func__<<"("<<zone<<")"<<endl); | |
1921 | return Bogus; | |
1922 | } | |
1923 | ||
1924 | return Secure; | |
1925 | } | |
1926 | ||
1927 | vState SyncRes::getDNSKeys(const DNSName& signer, skeyset_t& keys, unsigned int depth) | |
1928 | { | |
1929 | std::vector<DNSRecord> records; | |
1930 | std::set<GetBestNSAnswer> beenthere; | |
1931 | LOG(d_prefix<<"Retrieving DNSKeys for "<<signer<<endl); | |
1932 | ||
1933 | vState state = Indeterminate; | |
1934 | /* following CNAME might lead to us to the wrong DNSKEY */ | |
1935 | bool oldSkipCNAME = d_skipCNAMECheck; | |
1936 | d_skipCNAMECheck = true; | |
1937 | int rcode = doResolve(signer, QType(QType::DNSKEY), records, depth + 1, beenthere, state); | |
1938 | d_skipCNAMECheck = oldSkipCNAME; | |
1939 | ||
1940 | if (rcode == RCode::NoError) { | |
1941 | if (state == Secure) { | |
1942 | for (const auto& key : records) { | |
1943 | if (key.d_type == QType::DNSKEY) { | |
1944 | auto content = getRR<DNSKEYRecordContent>(key); | |
1945 | if (content) { | |
1946 | keys.insert(content); | |
1947 | } | |
1948 | } | |
1949 | } | |
1950 | } | |
1951 | LOG(d_prefix<<"Retrieved "<<keys.size()<<" DNSKeys for "<<signer<<", state is "<<vStates[state]<<endl); | |
1952 | return state; | |
1953 | } | |
1954 | ||
1955 | LOG(d_prefix<<"Returning Bogus state from "<<__func__<<"("<<signer<<")"<<endl); | |
1956 | return Bogus; | |
1957 | } | |
1958 | ||
1959 | vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname, const QType& qtype, const DNSName& name, const std::vector<DNSRecord>& records, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures) | |
1960 | { | |
1961 | skeyset_t keys; | |
1962 | if (!signatures.empty()) { | |
1963 | const DNSName signer = getSigner(signatures); | |
1964 | if (!signer.empty() && name.isPartOf(signer)) { | |
1965 | if ((qtype == QType::DNSKEY || qtype == QType::DS) && signer == qname) { | |
1966 | /* we are already retrieving those keys, sorry */ | |
1967 | return Indeterminate; | |
1968 | } | |
1969 | vState state = getDNSKeys(signer, keys, depth); | |
1970 | if (state != Secure) { | |
1971 | return state; | |
1972 | } | |
1973 | } | |
1974 | } else { | |
1975 | LOG(d_prefix<<"Bogus!"<<endl); | |
1976 | return Bogus; | |
1977 | } | |
1978 | ||
1979 | std::vector<std::shared_ptr<DNSRecordContent> > recordcontents; | |
1980 | for (const auto& record : records) { | |
1981 | recordcontents.push_back(record.d_content); | |
1982 | } | |
1983 | ||
1984 | LOG(d_prefix<<"Going to validate "<<recordcontents.size()<< " record contents with "<<signatures.size()<<" sigs and "<<keys.size()<<" keys for "<<name<<endl); | |
1985 | if (validateWithKeySet(d_now.tv_sec, name, recordcontents, signatures, keys, false)) { | |
1986 | LOG(d_prefix<<"Secure!"<<endl); | |
1987 | return Secure; | |
1988 | } | |
1989 | ||
1990 | LOG(d_prefix<<"Bogus!"<<endl); | |
1991 | return Bogus; | |
1992 | } | |
1993 | ||
1994 | static bool allowAdditionalEntry(std::unordered_set<DNSName>& allowedAdditionals, const DNSRecord& rec) | |
1995 | { | |
1996 | switch(rec.d_type) { | |
1997 | case QType::MX: | |
1998 | { | |
1999 | if (auto mxContent = getRR<MXRecordContent>(rec)) { | |
2000 | allowedAdditionals.insert(mxContent->d_mxname); | |
2001 | } | |
2002 | return true; | |
2003 | } | |
2004 | case QType::NS: | |
2005 | { | |
2006 | if (auto nsContent = getRR<NSRecordContent>(rec)) { | |
2007 | allowedAdditionals.insert(nsContent->getNS()); | |
2008 | } | |
2009 | return true; | |
2010 | } | |
2011 | case QType::SRV: | |
2012 | { | |
2013 | if (auto srvContent = getRR<SRVRecordContent>(rec)) { | |
2014 | allowedAdditionals.insert(srvContent->d_target); | |
2015 | } | |
2016 | return true; | |
2017 | } | |
2018 | default: | |
2019 | return false; | |
2020 | } | |
2021 | } | |
2022 | ||
2023 | void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, bool rdQuery) | |
2024 | { | |
2025 | const bool wasForwardRecurse = wasForwarded && rdQuery; | |
2026 | /* list of names for which we will allow A and AAAA records in the additional section | |
2027 | to remain */ | |
2028 | std::unordered_set<DNSName> allowedAdditionals = { qname }; | |
2029 | bool haveAnswers = false; | |
2030 | bool isNXDomain = false; | |
2031 | bool isNXQType = false; | |
2032 | ||
2033 | for(auto rec = lwr.d_records.begin(); rec != lwr.d_records.end(); ) { | |
2034 | ||
2035 | if (rec->d_type == QType::OPT) { | |
2036 | ++rec; | |
2037 | continue; | |
2038 | } | |
2039 | ||
2040 | if (rec->d_class != QClass::IN) { | |
2041 | LOG(prefix<<"Removing non internet-classed data received from "<<auth<<endl); | |
2042 | rec = lwr.d_records.erase(rec); | |
2043 | continue; | |
2044 | } | |
2045 | ||
2046 | if (rec->d_type == QType::ANY) { | |
2047 | LOG(prefix<<"Removing 'ANY'-typed data received from "<<auth<<endl); | |
2048 | rec = lwr.d_records.erase(rec); | |
2049 | continue; | |
2050 | } | |
2051 | ||
2052 | if (!rec->d_name.isPartOf(auth)) { | |
2053 | LOG(prefix<<"Removing record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2054 | rec = lwr.d_records.erase(rec); | |
2055 | continue; | |
2056 | } | |
2057 | ||
2058 | /* dealing with the records in answer */ | |
2059 | if (!(lwr.d_aabit || wasForwardRecurse) && rec->d_place == DNSResourceRecord::ANSWER) { | |
2060 | /* for now we allow a CNAME for the exact qname in ANSWER with AA=0, because Amazon DNS servers | |
2061 | are sending such responses */ | |
2062 | if (!(rec->d_type == QType::CNAME && qname == rec->d_name)) { | |
2063 | LOG(prefix<<"Removing record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the answer section without the AA bit set received from "<<auth<<endl); | |
2064 | rec = lwr.d_records.erase(rec); | |
2065 | continue; | |
2066 | } | |
2067 | } | |
2068 | ||
2069 | if (rec->d_type == QType::DNAME && (rec->d_place != DNSResourceRecord::ANSWER || !qname.isPartOf(rec->d_name))) { | |
2070 | LOG(prefix<<"Removing invalid DNAME record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2071 | rec = lwr.d_records.erase(rec); | |
2072 | continue; | |
2073 | } | |
2074 | ||
2075 | if (rec->d_place == DNSResourceRecord::ANSWER && (qtype != QType::ANY && rec->d_type != qtype.getCode() && rec->d_type != QType::CNAME && rec->d_type != QType::SOA && rec->d_type != QType::RRSIG)) { | |
2076 | LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2077 | rec = lwr.d_records.erase(rec); | |
2078 | continue; | |
2079 | } | |
2080 | ||
2081 | if (rec->d_place == DNSResourceRecord::ANSWER && !haveAnswers) { | |
2082 | haveAnswers = true; | |
2083 | } | |
2084 | ||
2085 | if (rec->d_place == DNSResourceRecord::ANSWER) { | |
2086 | allowAdditionalEntry(allowedAdditionals, *rec); | |
2087 | } | |
2088 | ||
2089 | /* dealing with the records in authority */ | |
2090 | if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type != QType::NS && rec->d_type != QType::DS && rec->d_type != QType::SOA && rec->d_type != QType::RRSIG && rec->d_type != QType::NSEC && rec->d_type != QType::NSEC3) { | |
2091 | LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2092 | rec = lwr.d_records.erase(rec); | |
2093 | continue; | |
2094 | } | |
2095 | ||
2096 | if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type == QType::SOA) { | |
2097 | if (!qname.isPartOf(rec->d_name)) { | |
2098 | LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2099 | rec = lwr.d_records.erase(rec); | |
2100 | continue; | |
2101 | } | |
2102 | ||
2103 | if (!(lwr.d_aabit || wasForwardRecurse)) { | |
2104 | LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2105 | rec = lwr.d_records.erase(rec); | |
2106 | continue; | |
2107 | } | |
2108 | ||
2109 | if (!haveAnswers) { | |
2110 | if (lwr.d_rcode == RCode::NXDomain) { | |
2111 | isNXDomain = true; | |
2112 | } | |
2113 | else if (lwr.d_rcode == RCode::NoError) { | |
2114 | isNXQType = true; | |
2115 | } | |
2116 | } | |
2117 | } | |
2118 | ||
2119 | if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type == QType::NS && (isNXDomain || isNXQType)) { | |
2120 | /* we don't want to pick up NS records in AUTHORITY or ADDITIONAL sections of NXDomain answers | |
2121 | because they are somewhat easy to insert into a large, fragmented UDP response | |
2122 | for an off-path attacker by injecting spoofed UDP fragments. | |
2123 | */ | |
2124 | LOG(prefix<<"Removing NS record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section of a "<<(isNXDomain ? "NXD" : "NXQTYPE")<<" response received from "<<auth<<endl); | |
2125 | rec = lwr.d_records.erase(rec); | |
2126 | continue; | |
2127 | } | |
2128 | ||
2129 | if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type == QType::NS) { | |
2130 | allowAdditionalEntry(allowedAdditionals, *rec); | |
2131 | } | |
2132 | ||
2133 | /* dealing with the records in additional */ | |
2134 | if (rec->d_place == DNSResourceRecord::ADDITIONAL && rec->d_type != QType::A && rec->d_type != QType::AAAA && rec->d_type != QType::RRSIG) { | |
2135 | LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2136 | rec = lwr.d_records.erase(rec); | |
2137 | continue; | |
2138 | } | |
2139 | ||
2140 | if (rec->d_place == DNSResourceRecord::ADDITIONAL && allowedAdditionals.count(rec->d_name) == 0) { | |
2141 | LOG(prefix<<"Removing irrelevant additional record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl); | |
2142 | rec = lwr.d_records.erase(rec); | |
2143 | continue; | |
2144 | } | |
2145 | ||
2146 | ++rec; | |
2147 | } | |
2148 | } | |
2149 | ||
2150 | RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery) | |
2151 | { | |
2152 | bool wasForwardRecurse = wasForwarded && rdQuery; | |
2153 | tcache_t tcache; | |
2154 | ||
2155 | string prefix; | |
2156 | if(doLog()) { | |
2157 | prefix=d_prefix; | |
2158 | prefix.append(depth, ' '); | |
2159 | } | |
2160 | ||
2161 | sanitizeRecords(prefix, lwr, qname, qtype, auth, wasForwarded, rdQuery); | |
2162 | ||
2163 | std::vector<std::shared_ptr<DNSRecord>> authorityRecs; | |
2164 | const unsigned int labelCount = qname.countLabels(); | |
2165 | bool isCNAMEAnswer = false; | |
2166 | for(const auto& rec : lwr.d_records) { | |
2167 | if (rec.d_class != QClass::IN) { | |
2168 | continue; | |
2169 | } | |
2170 | ||
2171 | if(!isCNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname) { | |
2172 | isCNAMEAnswer = true; | |
2173 | } | |
2174 | ||
2175 | /* if we have a positive answer synthetized from a wildcard, | |
2176 | we need to store the corresponding NSEC/NSEC3 records proving | |
2177 | that the exact name did not exist in the negative cache */ | |
2178 | if(needWildcardProof) { | |
2179 | if (nsecTypes.count(rec.d_type)) { | |
2180 | authorityRecs.push_back(std::make_shared<DNSRecord>(rec)); | |
2181 | } | |
2182 | else if (rec.d_type == QType::RRSIG) { | |
2183 | auto rrsig = getRR<RRSIGRecordContent>(rec); | |
2184 | if (rrsig && nsecTypes.count(rrsig->d_type)) { | |
2185 | authorityRecs.push_back(std::make_shared<DNSRecord>(rec)); | |
2186 | } | |
2187 | } | |
2188 | } | |
2189 | if(rec.d_type == QType::RRSIG) { | |
2190 | auto rrsig = getRR<RRSIGRecordContent>(rec); | |
2191 | if (rrsig) { | |
2192 | /* As illustrated in rfc4035's Appendix B.6, the RRSIG label | |
2193 | count can be lower than the name's label count if it was | |
2194 | synthetized from the wildcard. Note that the difference might | |
2195 | be > 1. */ | |
2196 | if (rec.d_name == qname && rrsig->d_labels < labelCount) { | |
2197 | LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard, we need a wildcard proof"<<endl); | |
2198 | needWildcardProof = true; | |
2199 | wildcardLabelsCount = rrsig->d_labels; | |
2200 | } | |
2201 | ||
2202 | // cerr<<"Got an RRSIG for "<<DNSRecordContent::NumberToType(rrsig->d_type)<<" with name '"<<rec.d_name<<"'"<<endl; | |
2203 | tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signatures.push_back(rrsig); | |
2204 | tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signaturesTTL = std::min(tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signaturesTTL, rec.d_ttl); | |
2205 | } | |
2206 | } | |
2207 | } | |
2208 | ||
2209 | // reap all answers from this packet that are acceptable | |
2210 | for(auto& rec : lwr.d_records) { | |
2211 | if(rec.d_type == QType::OPT) { | |
2212 | LOG(prefix<<qname<<": OPT answer '"<<rec.d_name<<"' from '"<<auth<<"' nameservers" <<endl); | |
2213 | continue; | |
2214 | } | |
2215 | LOG(prefix<<qname<<": accept answer '"<<rec.d_name<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"|"<<rec.d_content->getZoneRepresentation()<<"' from '"<<auth<<"' nameservers? ttl="<<rec.d_ttl<<", place="<<(int)rec.d_place<<" "); | |
2216 | if(rec.d_type == QType::ANY) { | |
2217 | LOG("NO! - we don't accept 'ANY'-typed data"<<endl); | |
2218 | continue; | |
2219 | } | |
2220 | ||
2221 | if(rec.d_class != QClass::IN) { | |
2222 | LOG("NO! - we don't accept records for any other class than 'IN'"<<endl); | |
2223 | continue; | |
2224 | } | |
2225 | ||
2226 | if (!(lwr.d_aabit || wasForwardRecurse) && rec.d_place == DNSResourceRecord::ANSWER) { | |
2227 | /* for now we allow a CNAME for the exact qname in ANSWER with AA=0, because Amazon DNS servers | |
2228 | are sending such responses */ | |
2229 | if (!(rec.d_type == QType::CNAME && rec.d_name == qname)) { | |
2230 | LOG("NO! - we don't accept records in the answers section without the AA bit set"<<endl); | |
2231 | continue; | |
2232 | } | |
2233 | } | |
2234 | ||
2235 | if(rec.d_name.isPartOf(auth)) { | |
2236 | if(rec.d_type == QType::RRSIG) { | |
2237 | LOG("RRSIG - separate"<<endl); | |
2238 | } | |
2239 | else if(lwr.d_aabit && lwr.d_rcode==RCode::NoError && rec.d_place==DNSResourceRecord::ANSWER && ((rec.d_type != QType::DNSKEY && rec.d_type != QType::DS) || rec.d_name != auth) && s_delegationOnly.count(auth)) { | |
2240 | LOG("NO! Is from delegation-only zone"<<endl); | |
2241 | s_nodelegated++; | |
2242 | return RCode::NXDomain; | |
2243 | } | |
2244 | else { | |
2245 | bool haveLogged = false; | |
2246 | if (!t_sstorage.domainmap->empty()) { | |
2247 | // Check if we are authoritative for a zone in this answer | |
2248 | DNSName tmp_qname(rec.d_name); | |
2249 | auto auth_domain_iter=getBestAuthZone(&tmp_qname); | |
2250 | if(auth_domain_iter!=t_sstorage.domainmap->end() && | |
2251 | auth.countLabels() <= auth_domain_iter->first.countLabels()) { | |
2252 | if (auth_domain_iter->first != auth) { | |
2253 | LOG("NO! - we are authoritative for the zone "<<auth_domain_iter->first<<endl); | |
2254 | continue; | |
2255 | } else { | |
2256 | LOG("YES! - This answer was "); | |
2257 | if (!wasForwarded) { | |
2258 | LOG("retrieved from the local auth store."); | |
2259 | } else { | |
2260 | LOG("received from a server we forward to."); | |
2261 | } | |
2262 | haveLogged = true; | |
2263 | LOG(endl); | |
2264 | } | |
2265 | } | |
2266 | } | |
2267 | if (!haveLogged) { | |
2268 | LOG("YES!"<<endl); | |
2269 | } | |
2270 | ||
2271 | rec.d_ttl=min(s_maxcachettl, rec.d_ttl); | |
2272 | ||
2273 | DNSRecord dr(rec); | |
2274 | dr.d_ttl += d_now.tv_sec; | |
2275 | dr.d_place=DNSResourceRecord::ANSWER; | |
2276 | tcache[{rec.d_name,rec.d_type,rec.d_place}].records.push_back(dr); | |
2277 | } | |
2278 | } | |
2279 | else | |
2280 | LOG("NO!"<<endl); | |
2281 | } | |
2282 | ||
2283 | // supplant | |
2284 | for(tcache_t::iterator i = tcache.begin(); i != tcache.end(); ++i) { | |
2285 | if((i->second.records.size() + i->second.signatures.size()) > 1) { // need to group the ttl to be the minimum of the RRSET (RFC 2181, 5.2) | |
2286 | uint32_t lowestTTD=computeLowestTTD(i->second.records, i->second.signatures, i->second.signaturesTTL); | |
2287 | ||
2288 | for(auto& record : i->second.records) | |
2289 | record.d_ttl = lowestTTD; // boom | |
2290 | } | |
2291 | ||
2292 | // cout<<"Have "<<i->second.records.size()<<" records and "<<i->second.signatures.size()<<" signatures for "<<i->first.name; | |
2293 | // cout<<'|'<<DNSRecordContent::NumberToType(i->first.type)<<endl; | |
2294 | } | |
2295 | ||
2296 | for(tcache_t::iterator i = tcache.begin(); i != tcache.end(); ++i) { | |
2297 | ||
2298 | if(i->second.records.empty()) // this happens when we did store signatures, but passed on the records themselves | |
2299 | continue; | |
2300 | ||
2301 | /* Even if the AA bit is set, additional data cannot be considered | |
2302 | as authoritative. This is especially important during validation | |
2303 | because keeping records in the additional section is allowed even | |
2304 | if the corresponding RRSIGs are not included, without setting the TC | |
2305 | bit, as stated in rfc4035's section 3.1.1. Including RRSIG RRs in a Response: | |
2306 | "When placing a signed RRset in the Additional section, the name | |
2307 | server MUST also place its RRSIG RRs in the Additional section. | |
2308 | If space does not permit inclusion of both the RRset and its | |
2309 | associated RRSIG RRs, the name server MAY retain the RRset while | |
2310 | dropping the RRSIG RRs. If this happens, the name server MUST NOT | |
2311 | set the TC bit solely because these RRSIG RRs didn't fit." | |
2312 | */ | |
2313 | bool isAA = lwr.d_aabit && i->first.place != DNSResourceRecord::ADDITIONAL; | |
2314 | /* if we forwarded the query to a recursor, we can expect the answer to be signed, | |
2315 | even if the answer is not AA. Of course that's not only true inside a Secure | |
2316 | zone, but we check that below. */ | |
2317 | bool expectSignature = i->first.place == DNSResourceRecord::ANSWER || ((lwr.d_aabit || wasForwardRecurse) && i->first.place != DNSResourceRecord::ADDITIONAL); | |
2318 | if (isCNAMEAnswer && (i->first.place != DNSResourceRecord::ANSWER || i->first.type != QType::CNAME || i->first.name != qname)) { | |
2319 | /* | |
2320 | rfc2181 states: | |
2321 | Note that the answer section of an authoritative answer normally | |
2322 | contains only authoritative data. However when the name sought is an | |
2323 | alias (see section 10.1.1) only the record describing that alias is | |
2324 | necessarily authoritative. Clients should assume that other records | |
2325 | may have come from the server's cache. Where authoritative answers | |
2326 | are required, the client should query again, using the canonical name | |
2327 | associated with the alias. | |
2328 | */ | |
2329 | isAA = false; | |
2330 | expectSignature = false; | |
2331 | } | |
2332 | ||
2333 | if (isCNAMEAnswer && i->first.place == DNSResourceRecord::AUTHORITY && i->first.type == QType::NS && auth == i->first.name) { | |
2334 | /* These NS can't be authoritative since we have a CNAME answer for which (see above) only the | |
2335 | record describing that alias is necessarily authoritative. | |
2336 | But if we allow the current auth, which might be serving the child zone, to raise the TTL | |
2337 | of non-authoritative NS in the cache, they might be able to keep a "ghost" zone alive forever, | |
2338 | even after the delegation is gone from the parent. | |
2339 | So let's just do nothing with them, we can fetch them directly if we need them. | |
2340 | */ | |
2341 | LOG(d_prefix<<": skipping authority NS from '"<<auth<<"' nameservers in CNAME answer "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl); | |
2342 | continue; | |
2343 | } | |
2344 | ||
2345 | vState recordState = getValidationStatus(i->first.name, false); | |
2346 | LOG(d_prefix<<": got initial zone status "<<vStates[recordState]<<" for record "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl); | |
2347 | ||
2348 | if (shouldValidate() && recordState == Secure) { | |
2349 | vState initialState = recordState; | |
2350 | ||
2351 | if (expectSignature) { | |
2352 | if (i->first.place != DNSResourceRecord::ADDITIONAL) { | |
2353 | /* the additional entries can be insecure, | |
2354 | like glue: | |
2355 | "Glue address RRsets associated with delegations MUST NOT be signed" | |
2356 | */ | |
2357 | if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER) { | |
2358 | LOG(d_prefix<<"Validating DNSKEY for "<<i->first.name<<endl); | |
2359 | recordState = validateDNSKeys(i->first.name, i->second.records, i->second.signatures, depth); | |
2360 | } | |
2361 | else { | |
2362 | LOG(d_prefix<<"Validating non-additional record for "<<i->first.name<<endl); | |
2363 | recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, i->second.records, i->second.signatures); | |
2364 | /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */ | |
2365 | if (qtype == QType::NS && i->second.signatures.empty() && recordState == Bogus && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == Indeterminate) { | |
2366 | recordState = Indeterminate; | |
2367 | } | |
2368 | } | |
2369 | } | |
2370 | } | |
2371 | else { | |
2372 | recordState = Indeterminate; | |
2373 | ||
2374 | /* in a non authoritative answer, we only care about the DS record (or lack of) */ | |
2375 | if ((i->first.type == QType::DS || i->first.type == QType::NSEC || i->first.type == QType::NSEC3) && i->first.place == DNSResourceRecord::AUTHORITY) { | |
2376 | LOG(d_prefix<<"Validating DS record for "<<i->first.name<<endl); | |
2377 | recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, i->second.records, i->second.signatures); | |
2378 | } | |
2379 | } | |
2380 | ||
2381 | if (initialState == Secure && state != recordState && expectSignature) { | |
2382 | updateValidationState(state, recordState); | |
2383 | } | |
2384 | } | |
2385 | else { | |
2386 | if (shouldValidate()) { | |
2387 | LOG(d_prefix<<"Skipping validation because the current state is "<<vStates[recordState]<<endl); | |
2388 | } | |
2389 | } | |
2390 | ||
2391 | if (recordState == Bogus) { | |
2392 | /* this is a TTD by now, be careful */ | |
2393 | for(auto& record : i->second.records) { | |
2394 | record.d_ttl = std::min(record.d_ttl, static_cast<uint32_t>(s_maxbogusttl + d_now.tv_sec)); | |
2395 | } | |
2396 | } | |
2397 | ||
2398 | /* We don't need to store NSEC3 records in the positive cache because: | |
2399 | - we don't allow direct NSEC3 queries | |
2400 | - denial of existence proofs in wildcard expanded positive responses are stored in authorityRecs | |
2401 | - denial of existence proofs for negative responses are stored in the negative cache | |
2402 | We also don't want to cache non-authoritative data except for: | |
2403 | - records coming from non forward-recurse servers (those will never be AA) | |
2404 | - DS (special case) | |
2405 | - NS, A and AAAA (used for infra queries) | |
2406 | */ | |
2407 | if (i->first.type != QType::NSEC3 && (i->first.type == QType::DS || i->first.type == QType::NS || i->first.type == QType::A || i->first.type == QType::AAAA || isAA || wasForwardRecurse)) { | |
2408 | t_RC->replace(d_now.tv_sec, i->first.name, QType(i->first.type), i->second.records, i->second.signatures, authorityRecs, i->first.type == QType::DS ? true : isAA, i->first.place == DNSResourceRecord::ANSWER ? ednsmask : boost::none, recordState); | |
2409 | } | |
2410 | ||
2411 | if(i->first.place == DNSResourceRecord::ANSWER && ednsmask) | |
2412 | d_wasVariable=true; | |
2413 | } | |
2414 | ||
2415 | return RCode::NoError; | |
2416 | } | |
2417 | ||
2418 | void SyncRes::updateDenialValidationState(vState& neValidationState, const DNSName& neName, vState& state, const dState denialState, const dState expectedState, bool allowOptOut) | |
2419 | { | |
2420 | if (denialState == expectedState) { | |
2421 | neValidationState = Secure; | |
2422 | } | |
2423 | else { | |
2424 | if (denialState == OPTOUT && allowOptOut) { | |
2425 | LOG(d_prefix<<"OPT-out denial found for "<<neName<<endl); | |
2426 | neValidationState = Secure; | |
2427 | return; | |
2428 | } | |
2429 | else if (denialState == INSECURE) { | |
2430 | LOG(d_prefix<<"Insecure denial found for "<<neName<<", returning Insecure"<<endl); | |
2431 | neValidationState = Insecure; | |
2432 | } | |
2433 | else { | |
2434 | LOG(d_prefix<<"Invalid denial found for "<<neName<<", returning Bogus, res="<<denialState<<", expectedState="<<expectedState<<endl); | |
2435 | neValidationState = Bogus; | |
2436 | } | |
2437 | updateValidationState(state, neValidationState); | |
2438 | } | |
2439 | } | |
2440 | ||
2441 | dState SyncRes::getDenialValidationState(const NegCache::NegCacheEntry& ne, const vState state, const dState expectedState, bool referralToUnsigned) | |
2442 | { | |
2443 | cspmap_t csp = harvestCSPFromNE(ne); | |
2444 | return getDenial(csp, ne.d_name, ne.d_qtype.getCode(), referralToUnsigned, expectedState == NXQTYPE); | |
2445 | } | |
2446 | ||
2447 | bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount) | |
2448 | { | |
2449 | bool done = false; | |
2450 | ||
2451 | for(auto& rec : lwr.d_records) { | |
2452 | if (rec.d_type!=QType::OPT && rec.d_class!=QClass::IN) | |
2453 | continue; | |
2454 | ||
2455 | if (rec.d_place==DNSResourceRecord::ANSWER && !(lwr.d_aabit || sendRDQuery)) { | |
2456 | /* for now we allow a CNAME for the exact qname in ANSWER with AA=0, because Amazon DNS servers | |
2457 | are sending such responses */ | |
2458 | if (!(rec.d_type == QType::CNAME && rec.d_name == qname)) { | |
2459 | continue; | |
2460 | } | |
2461 | } | |
2462 | ||
2463 | if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::SOA && | |
2464 | lwr.d_rcode==RCode::NXDomain && qname.isPartOf(rec.d_name) && rec.d_name.isPartOf(auth)) { | |
2465 | LOG(prefix<<qname<<": got negative caching indication for name '"<<qname<<"' (accept="<<rec.d_name.isPartOf(auth)<<"), newtarget='"<<newtarget<<"'"<<endl); | |
2466 | ||
2467 | rec.d_ttl = min(rec.d_ttl, s_maxnegttl); | |
2468 | if(newtarget.empty()) // only add a SOA if we're not going anywhere after this | |
2469 | ret.push_back(rec); | |
2470 | ||
2471 | NegCache::NegCacheEntry ne; | |
2472 | ||
2473 | uint32_t lowestTTL = rec.d_ttl; | |
2474 | /* if we get an NXDomain answer with a CNAME, the name | |
2475 | does exist but the target does not */ | |
2476 | ne.d_name = newtarget.empty() ? qname : newtarget; | |
2477 | ne.d_qtype = QType(0); // this encodes 'whole record' | |
2478 | ne.d_auth = rec.d_name; | |
2479 | harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL); | |
2480 | ||
2481 | if (state == Secure) { | |
2482 | dState denialState = getDenialValidationState(ne, state, NXDOMAIN, false); | |
2483 | updateDenialValidationState(ne.d_validationState, ne.d_name, state, denialState, NXDOMAIN, false); | |
2484 | } | |
2485 | else { | |
2486 | ne.d_validationState = state; | |
2487 | } | |
2488 | ||
2489 | if (ne.d_validationState == Bogus) { | |
2490 | lowestTTL = min(lowestTTL, s_maxbogusttl); | |
2491 | } | |
2492 | ||
2493 | ne.d_ttd = d_now.tv_sec + lowestTTL; | |
2494 | /* if we get an NXDomain answer with a CNAME, let's not cache the | |
2495 | target, even the server was authoritative for it, | |
2496 | and do an additional query for the CNAME target. | |
2497 | We have a regression test making sure we do exactly that. | |
2498 | */ | |
2499 | if(!wasVariable() && newtarget.empty()) { | |
2500 | t_sstorage.negcache.add(ne); | |
2501 | if(s_rootNXTrust && ne.d_auth.isRoot() && auth.isRoot() && lwr.d_aabit) { | |
2502 | ne.d_name = ne.d_name.getLastLabel(); | |
2503 | t_sstorage.negcache.add(ne); | |
2504 | } | |
2505 | } | |
2506 | ||
2507 | negindic=true; | |
2508 | } | |
2509 | else if(rec.d_place==DNSResourceRecord::ANSWER && rec.d_type==QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname) { | |
2510 | ret.push_back(rec); | |
2511 | if (auto content = getRR<CNAMERecordContent>(rec)) { | |
2512 | newtarget=content->getTarget(); | |
2513 | } | |
2514 | } | |
2515 | /* if we have a positive answer synthetized from a wildcard, we need to | |
2516 | return the corresponding NSEC/NSEC3 records from the AUTHORITY section | |
2517 | proving that the exact name did not exist */ | |
2518 | else if(needWildcardProof && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::AUTHORITY) { | |
2519 | ret.push_back(rec); // enjoy your DNSSEC | |
2520 | } | |
2521 | // for ANY answers we *must* have an authoritative answer, unless we are forwarding recursively | |
2522 | else if(rec.d_place==DNSResourceRecord::ANSWER && rec.d_name == qname && | |
2523 | ( | |
2524 | rec.d_type==qtype.getCode() || ((lwr.d_aabit || sendRDQuery) && qtype == QType(QType::ANY)) | |
2525 | ) | |
2526 | ) | |
2527 | { | |
2528 | LOG(prefix<<qname<<": answer is in: resolved to '"<< rec.d_content->getZoneRepresentation()<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"'"<<endl); | |
2529 | ||
2530 | done=true; | |
2531 | ||
2532 | if (state == Secure && needWildcardProof) { | |
2533 | /* We have a positive answer synthetized from a wildcard, we need to check that we have | |
2534 | proof that the exact name doesn't exist so the wildcard can be used, | |
2535 | as described in section 5.3.4 of RFC 4035 and 5.3 of FRC 7129. | |
2536 | */ | |
2537 | NegCache::NegCacheEntry ne; | |
2538 | ||
2539 | uint32_t lowestTTL = rec.d_ttl; | |
2540 | ne.d_name = qname; | |
2541 | ne.d_qtype = QType(0); // this encodes 'whole record' | |
2542 | harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL); | |
2543 | ||
2544 | cspmap_t csp = harvestCSPFromNE(ne); | |
2545 | dState res = getDenial(csp, qname, ne.d_qtype.getCode(), false, false, false, wildcardLabelsCount); | |
2546 | if (res != NXDOMAIN) { | |
2547 | vState st = Bogus; | |
2548 | if (res == INSECURE) { | |
2549 | /* Some part could not be validated, for example a NSEC3 record with a too large number of iterations, | |
2550 | this is not enough to warrant a Bogus, but go Insecure. */ | |
2551 | st = Insecure; | |
2552 | LOG(d_prefix<<"Unable to validate denial in wildcard expanded positive response found for "<<qname<<", returning Insecure, res="<<res<<endl); | |
2553 | } | |
2554 | else { | |
2555 | LOG(d_prefix<<"Invalid denial in wildcard expanded positive response found for "<<qname<<", returning Bogus, res="<<res<<endl); | |
2556 | rec.d_ttl = std::min(rec.d_ttl, s_maxbogusttl); | |
2557 | } | |
2558 | ||
2559 | updateValidationState(state, st); | |
2560 | /* we already stored the record with a different validation status, let's fix it */ | |
2561 | updateValidationStatusInCache(qname, qtype, lwr.d_aabit, st); | |
2562 | } | |
2563 | } | |
2564 | ret.push_back(rec); | |
2565 | } | |
2566 | else if((rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::ANSWER) { | |
2567 | if(rec.d_type != QType::RRSIG || rec.d_name == qname) | |
2568 | ret.push_back(rec); // enjoy your DNSSEC | |
2569 | } | |
2570 | else if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::NS && qname.isPartOf(rec.d_name)) { | |
2571 | if(moreSpecificThan(rec.d_name,auth)) { | |
2572 | newauth=rec.d_name; | |
2573 | LOG(prefix<<qname<<": got NS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"'"<<endl); | |
2574 | realreferral=true; | |
2575 | } | |
2576 | else { | |
2577 | LOG(prefix<<qname<<": got upwards/level NS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"', had '"<<auth<<"'"<<endl); | |
2578 | } | |
2579 | if (auto content = getRR<NSRecordContent>(rec)) { | |
2580 | nsset.insert(content->getNS()); | |
2581 | } | |
2582 | } | |
2583 | else if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::DS && qname.isPartOf(rec.d_name)) { | |
2584 | LOG(prefix<<qname<<": got DS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"'"<<endl); | |
2585 | } | |
2586 | else if(realreferral && rec.d_place==DNSResourceRecord::AUTHORITY && (rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && newauth.isPartOf(auth)) { | |
2587 | /* we might have received a denial of the DS, let's check */ | |
2588 | if (state == Secure) { | |
2589 | NegCache::NegCacheEntry ne; | |
2590 | ne.d_auth = auth; | |
2591 | ne.d_name = newauth; | |
2592 | ne.d_qtype = QType::DS; | |
2593 | rec.d_ttl = min(s_maxnegttl, rec.d_ttl); | |
2594 | uint32_t lowestTTL = rec.d_ttl; | |
2595 | harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL); | |
2596 | ||
2597 | dState denialState = getDenialValidationState(ne, state, NXQTYPE, true); | |
2598 | ||
2599 | if (denialState == NXQTYPE || denialState == OPTOUT || denialState == INSECURE) { | |
2600 | ne.d_ttd = lowestTTL + d_now.tv_sec; | |
2601 | ne.d_validationState = Secure; | |
2602 | LOG(prefix<<qname<<": got negative indication of DS record for '"<<newauth<<"'"<<endl); | |
2603 | ||
2604 | if(!wasVariable()) { | |
2605 | t_sstorage.negcache.add(ne); | |
2606 | } | |
2607 | ||
2608 | if (qname == newauth && qtype == QType::DS) { | |
2609 | /* we are actually done! */ | |
2610 | negindic=true; | |
2611 | nsset.clear(); | |
2612 | } | |
2613 | } | |
2614 | } | |
2615 | } | |
2616 | else if(!done && rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::SOA && | |
2617 | lwr.d_rcode==RCode::NoError && qname.isPartOf(rec.d_name)) { | |
2618 | LOG(prefix<<qname<<": got negative caching indication for '"<< qname<<"|"<<qtype.getName()<<"'"<<endl); | |
2619 | ||
2620 | if(!newtarget.empty()) { | |
2621 | LOG(prefix<<qname<<": Hang on! Got a redirect to '"<<newtarget<<"' already"<<endl); | |
2622 | } | |
2623 | else { | |
2624 | rec.d_ttl = min(s_maxnegttl, rec.d_ttl); | |
2625 | ||
2626 | NegCache::NegCacheEntry ne; | |
2627 | ne.d_auth = rec.d_name; | |
2628 | uint32_t lowestTTL = rec.d_ttl; | |
2629 | ne.d_name = qname; | |
2630 | ne.d_qtype = qtype; | |
2631 | harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL); | |
2632 | ||
2633 | if (state == Secure) { | |
2634 | dState denialState = getDenialValidationState(ne, state, NXQTYPE, false); | |
2635 | updateDenialValidationState(ne.d_validationState, ne.d_name, state, denialState, NXQTYPE, qtype == QType::DS); | |
2636 | } else { | |
2637 | ne.d_validationState = state; | |
2638 | } | |
2639 | ||
2640 | if (ne.d_validationState == Bogus) { | |
2641 | lowestTTL = min(lowestTTL, s_maxbogusttl); | |
2642 | rec.d_ttl = min(rec.d_ttl, s_maxbogusttl); | |
2643 | } | |
2644 | ne.d_ttd = d_now.tv_sec + lowestTTL; | |
2645 | ||
2646 | if(!wasVariable()) { | |
2647 | if(qtype.getCode()) { // prevents us from blacking out a whole domain | |
2648 | t_sstorage.negcache.add(ne); | |
2649 | } | |
2650 | } | |
2651 | ||
2652 | ret.push_back(rec); | |
2653 | negindic=true; | |
2654 | } | |
2655 | } | |
2656 | } | |
2657 | ||
2658 | return done; | |
2659 | } | |
2660 | ||
2661 | bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname, const QType& qtype, LWResult& lwr, boost::optional<Netmask>& ednsmask, const DNSName& auth, bool const sendRDQuery, const DNSName& nsName, const ComboAddress& remoteIP, bool doTCP, bool* truncated) | |
2662 | { | |
2663 | bool chained = false; | |
2664 | int resolveret = RCode::NoError; | |
2665 | s_outqueries++; | |
2666 | d_outqueries++; | |
2667 | ||
2668 | if(d_outqueries + d_throttledqueries > s_maxqperq) { | |
2669 | throw ImmediateServFailException("more than "+std::to_string(s_maxqperq)+" (max-qperq) queries sent while resolving "+qname.toLogString()); | |
2670 | } | |
2671 | ||
2672 | if(s_maxtotusec && d_totUsec > s_maxtotusec) { | |
2673 | throw ImmediateServFailException("Too much time waiting for "+qname.toLogString()+"|"+qtype.getName()+", timeouts: "+std::to_string(d_timeouts) +", throttles: "+std::to_string(d_throttledqueries) + ", queries: "+std::to_string(d_outqueries)+", "+std::to_string(d_totUsec/1000)+"msec"); | |
2674 | } | |
2675 | ||
2676 | if(doTCP) { | |
2677 | LOG(prefix<<qname<<": using TCP with "<< remoteIP.toStringWithPort() <<endl); | |
2678 | s_tcpoutqueries++; | |
2679 | d_tcpoutqueries++; | |
2680 | } | |
2681 | ||
2682 | if(d_pdl && d_pdl->preoutquery(remoteIP, d_requestor, qname, qtype, doTCP, lwr.d_records, resolveret)) { | |
2683 | LOG(prefix<<qname<<": query handled by Lua"<<endl); | |
2684 | } | |
2685 | else { | |
2686 | ednsmask=getEDNSSubnetMask(qname, remoteIP); | |
2687 | if(ednsmask) { | |
2688 | LOG(prefix<<qname<<": Adding EDNS Client Subnet Mask "<<ednsmask->toString()<<" to query"<<endl); | |
2689 | s_ecsqueries++; | |
2690 | } | |
2691 | resolveret = asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, qtype.getCode(), | |
2692 | doTCP, sendRDQuery, &d_now, ednsmask, &lwr, &chained); // <- we go out on the wire! | |
2693 | if(ednsmask) { | |
2694 | s_ecsresponses++; | |
2695 | LOG(prefix<<qname<<": Received EDNS Client Subnet Mask "<<ednsmask->toString()<<" on response"<<endl); | |
2696 | } | |
2697 | } | |
2698 | ||
2699 | /* preoutquery killed the query by setting dq.rcode to -3 */ | |
2700 | if(resolveret==-3) { | |
2701 | throw ImmediateServFailException("Query killed by policy"); | |
2702 | } | |
2703 | ||
2704 | d_totUsec += lwr.d_usec; | |
2705 | accountAuthLatency(lwr.d_usec, remoteIP.sin4.sin_family); | |
2706 | ||
2707 | if(resolveret != 1) { | |
2708 | /* Error while resolving */ | |
2709 | if(resolveret == 0) { | |
2710 | /* Time out */ | |
2711 | ||
2712 | LOG(prefix<<qname<<": timeout resolving after "<<lwr.d_usec/1000.0<<"msec "<< (doTCP ? "over TCP" : "")<<endl); | |
2713 | d_timeouts++; | |
2714 | s_outgoingtimeouts++; | |
2715 | ||
2716 | if(remoteIP.sin4.sin_family == AF_INET) | |
2717 | s_outgoing4timeouts++; | |
2718 | else | |
2719 | s_outgoing6timeouts++; | |
2720 | ||
2721 | if(t_timeouts) | |
2722 | t_timeouts->push_back(remoteIP); | |
2723 | } | |
2724 | else if(resolveret == -2) { | |
2725 | /* OS resource limit reached */ | |
2726 | LOG(prefix<<qname<<": hit a local resource limit resolving"<< (doTCP ? " over TCP" : "")<<", probable error: "<<stringerror()<<endl); | |
2727 | g_stats.resourceLimits++; | |
2728 | } | |
2729 | else { | |
2730 | /* -1 means server unreachable */ | |
2731 | s_unreachables++; | |
2732 | d_unreachables++; | |
2733 | LOG(prefix<<qname<<": error resolving from "<<remoteIP.toString()<< (doTCP ? " over TCP" : "") <<", possible error: "<<strerror(errno)<< endl); | |
2734 | } | |
2735 | ||
2736 | if(resolveret != -2 && !chained) { // don't account for resource limits, they are our own fault | |
2737 | t_sstorage.nsSpeeds[nsName.empty()? DNSName(remoteIP.toStringWithPort()) : nsName].submit(remoteIP, 1000000, &d_now); // 1 sec | |
2738 | ||
2739 | // code below makes sure we don't filter COM or the root | |
2740 | if (s_serverdownmaxfails > 0 && (auth != g_rootdnsname) && t_sstorage.fails.incr(remoteIP) >= s_serverdownmaxfails) { | |
2741 | LOG(prefix<<qname<<": Max fails reached resolving on "<< remoteIP.toString() <<". Going full throttle for "<< s_serverdownthrottletime <<" seconds" <<endl); | |
2742 | // mark server as down | |
2743 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, "", 0), s_serverdownthrottletime, 10000); | |
2744 | } | |
2745 | else if (resolveret == -1) { | |
2746 | // unreachable, 1 minute or 100 queries | |
2747 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 100); | |
2748 | } | |
2749 | else { | |
2750 | // timeout | |
2751 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 10, 5); | |
2752 | } | |
2753 | } | |
2754 | ||
2755 | return false; | |
2756 | } | |
2757 | ||
2758 | /* we got an answer */ | |
2759 | if(lwr.d_rcode==RCode::ServFail || lwr.d_rcode==RCode::Refused) { | |
2760 | LOG(prefix<<qname<<": "<<nsName<<" ("<<remoteIP.toString()<<") returned a "<< (lwr.d_rcode==RCode::ServFail ? "ServFail" : "Refused") << ", trying sibling IP or NS"<<endl); | |
2761 | if (!chained) { | |
2762 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3); | |
2763 | } | |
2764 | return false; | |
2765 | } | |
2766 | ||
2767 | /* this server sent a valid answer, mark it backup up if it was down */ | |
2768 | if(s_serverdownmaxfails > 0) { | |
2769 | t_sstorage.fails.clear(remoteIP); | |
2770 | } | |
2771 | ||
2772 | if(lwr.d_tcbit) { | |
2773 | *truncated = true; | |
2774 | ||
2775 | if (doTCP) { | |
2776 | LOG(prefix<<qname<<": truncated bit set, over TCP?"<<endl); | |
2777 | /* let's treat that as a ServFail answer from this server */ | |
2778 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3); | |
2779 | return false; | |
2780 | } | |
2781 | ||
2782 | return true; | |
2783 | } | |
2784 | ||
2785 | return true; | |
2786 | } | |
2787 | ||
2788 | bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, bool sendRDQuery, NsSet &nameservers, std::vector<DNSRecord>& ret, const DNSFilterEngine& dfe, bool* gotNewServers, int* rcode, vState& state) | |
2789 | { | |
2790 | string prefix; | |
2791 | if(doLog()) { | |
2792 | prefix=d_prefix; | |
2793 | prefix.append(depth, ' '); | |
2794 | } | |
2795 | ||
2796 | if(s_minimumTTL) { | |
2797 | for(auto& rec : lwr.d_records) { | |
2798 | rec.d_ttl = max(rec.d_ttl, s_minimumTTL); | |
2799 | } | |
2800 | } | |
2801 | ||
2802 | bool needWildcardProof = false; | |
2803 | unsigned int wildcardLabelsCount; | |
2804 | *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, wildcardLabelsCount, sendRDQuery); | |
2805 | if (*rcode != RCode::NoError) { | |
2806 | return true; | |
2807 | } | |
2808 | ||
2809 | LOG(prefix<<qname<<": determining status after receiving this packet"<<endl); | |
2810 | ||
2811 | set<DNSName> nsset; | |
2812 | bool realreferral=false, negindic=false; | |
2813 | DNSName newauth; | |
2814 | DNSName newtarget; | |
2815 | ||
2816 | bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, wildcardLabelsCount); | |
2817 | ||
2818 | if(done){ | |
2819 | LOG(prefix<<qname<<": status=got results, this level of recursion done"<<endl); | |
2820 | LOG(prefix<<qname<<": validation status is "<<vStates[state]<<endl); | |
2821 | *rcode = RCode::NoError; | |
2822 | return true; | |
2823 | } | |
2824 | ||
2825 | if(!newtarget.empty()) { | |
2826 | if(newtarget == qname) { | |
2827 | LOG(prefix<<qname<<": status=got a CNAME referral to self, returning SERVFAIL"<<endl); | |
2828 | *rcode = RCode::ServFail; | |
2829 | return true; | |
2830 | } | |
2831 | ||
2832 | if(depth > 10) { | |
2833 | LOG(prefix<<qname<<": status=got a CNAME referral, but recursing too deep, returning SERVFAIL"<<endl); | |
2834 | *rcode = RCode::ServFail; | |
2835 | return true; | |
2836 | } | |
2837 | ||
2838 | if (qtype == QType::DS) { | |
2839 | LOG(prefix<<qname<<": status=got a CNAME referral, but we are looking for a DS"<<endl); | |
2840 | ||
2841 | if(d_doDNSSEC) | |
2842 | addNXNSECS(ret, lwr.d_records); | |
2843 | ||
2844 | *rcode = RCode::NoError; | |
2845 | return true; | |
2846 | } | |
2847 | else { | |
2848 | LOG(prefix<<qname<<": status=got a CNAME referral, starting over with "<<newtarget<<endl); | |
2849 | ||
2850 | set<GetBestNSAnswer> beenthere2; | |
2851 | vState cnameState = Indeterminate; | |
2852 | *rcode = doResolve(newtarget, qtype, ret, depth + 1, beenthere2, cnameState); | |
2853 | LOG(prefix<<qname<<": updating validation state for response to "<<qname<<" from "<<vStates[state]<<" with the state from the CNAME quest: "<<vStates[cnameState]<<endl); | |
2854 | updateValidationState(state, cnameState); | |
2855 | return true; | |
2856 | } | |
2857 | } | |
2858 | ||
2859 | if(lwr.d_rcode == RCode::NXDomain) { | |
2860 | LOG(prefix<<qname<<": status=NXDOMAIN, we are done "<<(negindic ? "(have negative SOA)" : "")<<endl); | |
2861 | ||
2862 | if(d_doDNSSEC) | |
2863 | addNXNSECS(ret, lwr.d_records); | |
2864 | ||
2865 | *rcode = RCode::NXDomain; | |
2866 | return true; | |
2867 | } | |
2868 | ||
2869 | if(nsset.empty() && !lwr.d_rcode && (negindic || lwr.d_aabit || sendRDQuery)) { | |
2870 | LOG(prefix<<qname<<": status=noerror, other types may exist, but we are done "<<(negindic ? "(have negative SOA) " : "")<<(lwr.d_aabit ? "(have aa bit) " : "")<<endl); | |
2871 | ||
2872 | if(state == Secure && (lwr.d_aabit || sendRDQuery) && !negindic) { | |
2873 | updateValidationState(state, Bogus); | |
2874 | } | |
2875 | ||
2876 | if(d_doDNSSEC) | |
2877 | addNXNSECS(ret, lwr.d_records); | |
2878 | ||
2879 | *rcode = RCode::NoError; | |
2880 | return true; | |
2881 | } | |
2882 | ||
2883 | if(realreferral) { | |
2884 | LOG(prefix<<qname<<": status=did not resolve, got "<<(unsigned int)nsset.size()<<" NS, "); | |
2885 | ||
2886 | nameservers.clear(); | |
2887 | for (auto const &nameserver : nsset) { | |
2888 | if (d_wantsRPZ) { | |
2889 | d_appliedPolicy = dfe.getProcessingPolicy(nameserver, d_discardedPolicies); | |
2890 | if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response | |
2891 | LOG("however "<<nameserver<<" was blocked by RPZ policy '"<<(d_appliedPolicy.d_name ? *d_appliedPolicy.d_name : "")<<"'"<<endl); | |
2892 | *rcode = -2; | |
2893 | return true; | |
2894 | } | |
2895 | } | |
2896 | nameservers.insert({nameserver, {{}, false}}); | |
2897 | } | |
2898 | LOG("looping to them"<<endl); | |
2899 | *gotNewServers = true; | |
2900 | auth=newauth; | |
2901 | ||
2902 | return false; | |
2903 | } | |
2904 | ||
2905 | return false; | |
2906 | } | |
2907 | ||
2908 | /** returns: | |
2909 | * -1 in case of no results | |
2910 | * -2 when a FilterEngine Policy was hit | |
2911 | * rcode otherwise | |
2912 | */ | |
2913 | int SyncRes::doResolveAt(NsSet &nameservers, DNSName auth, bool flawedNSSet, const DNSName &qname, const QType &qtype, | |
2914 | vector<DNSRecord>&ret, | |
2915 | unsigned int depth, set<GetBestNSAnswer>&beenthere, vState& state) | |
2916 | { | |
2917 | auto luaconfsLocal = g_luaconfs.getLocal(); | |
2918 | string prefix; | |
2919 | if(doLog()) { | |
2920 | prefix=d_prefix; | |
2921 | prefix.append(depth, ' '); | |
2922 | } | |
2923 | ||
2924 | LOG(prefix<<qname<<": Cache consultations done, have "<<(unsigned int)nameservers.size()<<" NS to contact"); | |
2925 | ||
2926 | if (nameserversBlockedByRPZ(luaconfsLocal->dfe, nameservers)) { | |
2927 | return -2; | |
2928 | } | |
2929 | ||
2930 | LOG(endl); | |
2931 | ||
2932 | for(;;) { // we may get more specific nameservers | |
2933 | vector<DNSName > rnameservers = shuffleInSpeedOrder(nameservers, doLog() ? (prefix+qname.toString()+": ") : string() ); | |
2934 | ||
2935 | for(auto tns=rnameservers.cbegin();;++tns) { | |
2936 | if(tns==rnameservers.cend()) { | |
2937 | LOG(prefix<<qname<<": Failed to resolve via any of the "<<(unsigned int)rnameservers.size()<<" offered NS at level '"<<auth<<"'"<<endl); | |
2938 | if(!auth.isRoot() && flawedNSSet) { | |
2939 | LOG(prefix<<qname<<": Ageing nameservers for level '"<<auth<<"', next query might succeed"<<endl); | |
2940 | ||
2941 | if(t_RC->doAgeCache(d_now.tv_sec, auth, QType::NS, 10)) | |
2942 | g_stats.nsSetInvalidations++; | |
2943 | } | |
2944 | return -1; | |
2945 | } | |
2946 | ||
2947 | bool cacheOnly = false; | |
2948 | // this line needs to identify the 'self-resolving' behaviour | |
2949 | if(qname == *tns && (qtype.getCode() == QType::A || qtype.getCode() == QType::AAAA)) { | |
2950 | /* we might have a glue entry in cache so let's try this NS | |
2951 | but only if we have enough in the cache to know how to reach it */ | |
2952 | LOG(prefix<<qname<<": Using NS to resolve itself, but only using what we have in cache ("<<(1+tns-rnameservers.cbegin())<<"/"<<rnameservers.size()<<")"<<endl); | |
2953 | cacheOnly = true; | |
2954 | } | |
2955 | ||
2956 | typedef vector<ComboAddress> remoteIPs_t; | |
2957 | remoteIPs_t remoteIPs; | |
2958 | remoteIPs_t::const_iterator remoteIP; | |
2959 | bool pierceDontQuery=false; | |
2960 | bool sendRDQuery=false; | |
2961 | boost::optional<Netmask> ednsmask; | |
2962 | LWResult lwr; | |
2963 | const bool wasForwarded = tns->empty() && (!nameservers[*tns].first.empty()); | |
2964 | int rcode = RCode::NoError; | |
2965 | bool gotNewServers = false; | |
2966 | ||
2967 | if(tns->empty() && !wasForwarded) { | |
2968 | LOG(prefix<<qname<<": Domain is out-of-band"<<endl); | |
2969 | /* setting state to indeterminate since validation is disabled for local auth zone, | |
2970 | and Insecure would be misleading. */ | |
2971 | state = Indeterminate; | |
2972 | d_wasOutOfBand = doOOBResolve(qname, qtype, lwr.d_records, depth, lwr.d_rcode); | |
2973 | lwr.d_tcbit=false; | |
2974 | lwr.d_aabit=true; | |
2975 | ||
2976 | /* we have received an answer, are we done ? */ | |
2977 | bool done = processAnswer(depth, lwr, qname, qtype, auth, false, ednsmask, sendRDQuery, nameservers, ret, luaconfsLocal->dfe, &gotNewServers, &rcode, state); | |
2978 | if (done) { | |
2979 | return rcode; | |
2980 | } | |
2981 | if (gotNewServers) { | |
2982 | break; | |
2983 | } | |
2984 | } | |
2985 | else { | |
2986 | /* if tns is empty, retrieveAddressesForNS() knows we have hardcoded servers (i.e. "forwards") */ | |
2987 | remoteIPs = retrieveAddressesForNS(prefix, qname, tns, depth, beenthere, rnameservers, nameservers, sendRDQuery, pierceDontQuery, flawedNSSet, cacheOnly); | |
2988 | ||
2989 | if(remoteIPs.empty()) { | |
2990 | LOG(prefix<<qname<<": Failed to get IP for NS "<<*tns<<", trying next if available"<<endl); | |
2991 | flawedNSSet=true; | |
2992 | continue; | |
2993 | } | |
2994 | else { | |
2995 | bool hitPolicy{false}; | |
2996 | LOG(prefix<<qname<<": Resolved '"<<auth<<"' NS "<<*tns<<" to: "); | |
2997 | for(remoteIP = remoteIPs.cbegin(); remoteIP != remoteIPs.cend(); ++remoteIP) { | |
2998 | if(remoteIP != remoteIPs.cbegin()) { | |
2999 | LOG(", "); | |
3000 | } | |
3001 | LOG(remoteIP->toString()); | |
3002 | if(nameserverIPBlockedByRPZ(luaconfsLocal->dfe, *remoteIP)) { | |
3003 | hitPolicy = true; | |
3004 | } | |
3005 | } | |
3006 | LOG(endl); | |
3007 | if (hitPolicy) //implies d_wantsRPZ | |
3008 | return -2; | |
3009 | } | |
3010 | ||
3011 | for(remoteIP = remoteIPs.cbegin(); remoteIP != remoteIPs.cend(); ++remoteIP) { | |
3012 | LOG(prefix<<qname<<": Trying IP "<< remoteIP->toStringWithPort() <<", asking '"<<qname<<"|"<<qtype.getName()<<"'"<<endl); | |
3013 | ||
3014 | if (throttledOrBlocked(prefix, *remoteIP, qname, qtype, pierceDontQuery)) { | |
3015 | continue; | |
3016 | } | |
3017 | ||
3018 | bool truncated = false; | |
3019 | bool gotAnswer = doResolveAtThisIP(prefix, qname, qtype, lwr, ednsmask, auth, sendRDQuery, | |
3020 | *tns, *remoteIP, false, &truncated); | |
3021 | if (gotAnswer && truncated ) { | |
3022 | /* retry, over TCP this time */ | |
3023 | gotAnswer = doResolveAtThisIP(prefix, qname, qtype, lwr, ednsmask, auth, sendRDQuery, | |
3024 | *tns, *remoteIP, true, &truncated); | |
3025 | } | |
3026 | ||
3027 | if (!gotAnswer) { | |
3028 | continue; | |
3029 | } | |
3030 | ||
3031 | LOG(prefix<<qname<<": Got "<<(unsigned int)lwr.d_records.size()<<" answers from "<<*tns<<" ("<< remoteIP->toString() <<"), rcode="<<lwr.d_rcode<<" ("<<RCode::to_s(lwr.d_rcode)<<"), aa="<<lwr.d_aabit<<", in "<<lwr.d_usec/1000<<"ms"<<endl); | |
3032 | ||
3033 | /* // for you IPv6 fanatics :-) | |
3034 | if(remoteIP->sin4.sin_family==AF_INET6) | |
3035 | lwr.d_usec/=3; | |
3036 | */ | |
3037 | // cout<<"msec: "<<lwr.d_usec/1000.0<<", "<<g_avgLatency/1000.0<<'\n'; | |
3038 | ||
3039 | t_sstorage.nsSpeeds[tns->empty()? DNSName(remoteIP->toStringWithPort()) : *tns].submit(*remoteIP, lwr.d_usec, &d_now); | |
3040 | ||
3041 | /* we have received an answer, are we done ? */ | |
3042 | bool done = processAnswer(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, sendRDQuery, nameservers, ret, luaconfsLocal->dfe, &gotNewServers, &rcode, state); | |
3043 | if (done) { | |
3044 | return rcode; | |
3045 | } | |
3046 | if (gotNewServers) { | |
3047 | break; | |
3048 | } | |
3049 | /* was lame */ | |
3050 | t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(*remoteIP, qname, qtype.getCode()), 60, 100); | |
3051 | } | |
3052 | ||
3053 | if (gotNewServers) { | |
3054 | break; | |
3055 | } | |
3056 | ||
3057 | if(remoteIP == remoteIPs.cend()) // we tried all IP addresses, none worked | |
3058 | continue; | |
3059 | ||
3060 | } | |
3061 | } | |
3062 | } | |
3063 | return -1; | |
3064 | } | |
3065 | ||
3066 | void SyncRes::setQuerySource(const ComboAddress& requestor, boost::optional<const EDNSSubnetOpts&> incomingECS) | |
3067 | { | |
3068 | d_requestor = requestor; | |
3069 | ||
3070 | if (incomingECS && incomingECS->source.getBits() > 0) { | |
3071 | d_cacheRemote = incomingECS->source.getMaskedNetwork(); | |
3072 | uint8_t bits = std::min(incomingECS->source.getBits(), (incomingECS->source.isIpv4() ? s_ecsipv4limit : s_ecsipv6limit)); | |
3073 | ComboAddress trunc = incomingECS->source.getNetwork(); | |
3074 | trunc.truncate(bits); | |
3075 | d_outgoingECSNetwork = boost::optional<Netmask>(Netmask(trunc, bits)); | |
3076 | } else { | |
3077 | d_cacheRemote = d_requestor; | |
3078 | if(!incomingECS && s_ednslocalsubnets.match(d_requestor)) { | |
3079 | ComboAddress trunc = d_requestor; | |
3080 | uint8_t bits = d_requestor.isIPv4() ? 32 : 128; | |
3081 | bits = std::min(bits, (trunc.isIPv4() ? s_ecsipv4limit : s_ecsipv6limit)); | |
3082 | trunc.truncate(bits); | |
3083 | d_outgoingECSNetwork = boost::optional<Netmask>(Netmask(trunc, bits)); | |
3084 | } else if (s_ecsScopeZero.source.getBits() > 0) { | |
3085 | /* RFC7871 says we MUST NOT send any ECS if the source scope is 0. | |
3086 | But using an empty ECS in that case would mean inserting | |
3087 | a non ECS-specific entry into the cache, preventing any further | |
3088 | ECS-specific query to be sent. | |
3089 | So instead we use the trick described in section 7.1.2: | |
3090 | "The subsequent Recursive Resolver query to the Authoritative Nameserver | |
3091 | will then either not include an ECS option or MAY optionally include | |
3092 | its own address information, which is what the Authoritative | |
3093 | Nameserver will almost certainly use to generate any Tailored | |
3094 | Response in lieu of an option. This allows the answer to be handled | |
3095 | by the same caching mechanism as other queries, with an explicit | |
3096 | indicator of the applicable scope. Subsequent Stub Resolver queries | |
3097 | for /0 can then be answered from this cached response. | |
3098 | */ | |
3099 | d_outgoingECSNetwork = boost::optional<Netmask>(s_ecsScopeZero.source.getMaskedNetwork()); | |
3100 | d_cacheRemote = s_ecsScopeZero.source.getNetwork(); | |
3101 | } else { | |
3102 | // ECS disabled because no scope-zero address could be derived. | |
3103 | d_outgoingECSNetwork = boost::none; | |
3104 | } | |
3105 | } | |
3106 | } | |
3107 | ||
3108 | boost::optional<Netmask> SyncRes::getEDNSSubnetMask(const DNSName& dn, const ComboAddress& rem) | |
3109 | { | |
3110 | if(d_outgoingECSNetwork && (s_ednsdomains.check(dn) || s_ednsremotesubnets.match(rem))) { | |
3111 | return d_outgoingECSNetwork; | |
3112 | } | |
3113 | return boost::none; | |
3114 | } | |
3115 | ||
3116 | void SyncRes::parseEDNSSubnetWhitelist(const std::string& wlist) | |
3117 | { | |
3118 | vector<string> parts; | |
3119 | stringtok(parts, wlist, ",; "); | |
3120 | for(const auto& a : parts) { | |
3121 | try { | |
3122 | s_ednsremotesubnets.addMask(Netmask(a)); | |
3123 | } | |
3124 | catch(...) { | |
3125 | s_ednsdomains.add(DNSName(a)); | |
3126 | } | |
3127 | } | |
3128 | } | |
3129 | ||
3130 | void SyncRes::parseEDNSSubnetAddFor(const std::string& subnetlist) | |
3131 | { | |
3132 | vector<string> parts; | |
3133 | stringtok(parts, subnetlist, ",; "); | |
3134 | for(const auto& a : parts) { | |
3135 | s_ednslocalsubnets.addMask(a); | |
3136 | } | |
3137 | } | |
3138 | ||
3139 | // used by PowerDNSLua - note that this neglects to add the packet count & statistics back to pdns_ercursor.cc | |
3140 | int directResolve(const DNSName& qname, const QType& qtype, int qclass, vector<DNSRecord>& ret) | |
3141 | { | |
3142 | struct timeval now; | |
3143 | gettimeofday(&now, 0); | |
3144 | ||
3145 | SyncRes sr(now); | |
3146 | int res = -1; | |
3147 | try { | |
3148 | res = sr.beginResolve(qname, QType(qtype), qclass, ret); | |
3149 | } | |
3150 | catch(const PDNSException& e) { | |
3151 | g_log<<Logger::Error<<"Failed to resolve "<<qname.toLogString()<<", got pdns exception: "<<e.reason<<endl; | |
3152 | ret.clear(); | |
3153 | } | |
3154 | catch(const ImmediateServFailException& e) { | |
3155 | g_log<<Logger::Error<<"Failed to resolve "<<qname.toLogString()<<", got ImmediateServFailException: "<<e.reason<<endl; | |
3156 | ret.clear(); | |
3157 | } | |
3158 | catch(const std::exception& e) { | |
3159 | g_log<<Logger::Error<<"Failed to resolve "<<qname.toLogString()<<", got STL error: "<<e.what()<<endl; | |
3160 | ret.clear(); | |
3161 | } | |
3162 | catch(...) { | |
3163 | g_log<<Logger::Error<<"Failed to resolve "<<qname.toLogString()<<", got an exception"<<endl; | |
3164 | ret.clear(); | |
3165 | } | |
3166 | ||
3167 | return res; | |
3168 | } | |
3169 | ||
3170 | int SyncRes::getRootNS(struct timeval now, asyncresolve_t asyncCallback) { | |
3171 | SyncRes sr(now); | |
3172 | sr.setDoEDNS0(true); | |
3173 | sr.setUpdatingRootNS(); | |
3174 | sr.setDoDNSSEC(g_dnssecmode != DNSSECMode::Off); | |
3175 | sr.setDNSSECValidationRequested(g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate); | |
3176 | sr.setAsyncCallback(asyncCallback); | |
3177 | ||
3178 | vector<DNSRecord> ret; | |
3179 | int res=-1; | |
3180 | try { | |
3181 | res=sr.beginResolve(g_rootdnsname, QType(QType::NS), 1, ret); | |
3182 | if (g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate) { | |
3183 | auto state = sr.getValidationState(); | |
3184 | if (state == Bogus) | |
3185 | throw PDNSException("Got Bogus validation result for .|NS"); | |
3186 | } | |
3187 | return res; | |
3188 | } | |
3189 | catch(const PDNSException& e) { | |
3190 | g_log<<Logger::Error<<"Failed to update . records, got an exception: "<<e.reason<<endl; | |
3191 | } | |
3192 | catch(const ImmediateServFailException& e) { | |
3193 | g_log<<Logger::Error<<"Failed to update . records, got an exception: "<<e.reason<<endl; | |
3194 | } | |
3195 | catch(const std::exception& e) { | |
3196 | g_log<<Logger::Error<<"Failed to update . records, got an exception: "<<e.what()<<endl; | |
3197 | } | |
3198 | catch(...) { | |
3199 | g_log<<Logger::Error<<"Failed to update . records, got an exception"<<endl; | |
3200 | } | |
3201 | ||
3202 | if(!res) { | |
3203 | g_log<<Logger::Notice<<"Refreshed . records"<<endl; | |
3204 | } | |
3205 | else | |
3206 | g_log<<Logger::Error<<"Failed to update . records, RCODE="<<res<<endl; | |
3207 | ||
3208 | return res; | |
3209 | } |