#include "config.h"
#endif
+#include "syncres.hh"
#include "arguments.hh"
#include "cachecleaner.hh"
#include "dns_random.hh"
#include "logger.hh"
#include "lua-recursor4.hh"
#include "rec-lua-conf.hh"
-#include "syncres.hh"
+#include "dnsseckeeper.hh"
#include "validate-recursor.hh"
thread_local SyncRes::ThreadLocalStorage SyncRes::t_sstorage;
unsigned int SyncRes::s_packetcacheservfailttl;
unsigned int SyncRes::s_serverdownmaxfails;
unsigned int SyncRes::s_serverdownthrottletime;
+std::atomic<uint64_t> SyncRes::s_authzonequeries;
std::atomic<uint64_t> SyncRes::s_queries;
std::atomic<uint64_t> SyncRes::s_outgoingtimeouts;
std::atomic<uint64_t> SyncRes::s_outgoing4timeouts;
}
-SyncRes::SyncRes(const struct timeval& now) : d_outqueries(0), d_tcpoutqueries(0), d_throttledqueries(0), d_timeouts(0), d_unreachables(0),
+SyncRes::SyncRes(const struct timeval& now) : d_authzonequeries(0), d_outqueries(0), d_tcpoutqueries(0), d_throttledqueries(0), d_timeouts(0), d_unreachables(0),
d_totUsec(0), d_now(now),
d_cacheonly(false), d_doDNSSEC(false), d_doEDNS0(false), d_lm(s_lm)
/** everything begins here - this is the entry point just after receiving a packet */
int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qclass, vector<DNSRecord>&ret)
{
+ /* rfc6895 section 3.1 + RRSIG and NSEC3 */
+ static const std::set<uint16_t> metaTypes = { QType::AXFR, QType::IXFR, QType::RRSIG, QType::NSEC3, QType::OPT, QType::TSIG, QType::TKEY, QType::MAILA, QType::MAILB };
vState state = Indeterminate;
s_queries++;
d_wasVariable=false;
d_wasOutOfBand=false;
if (doSpecialNamesResolve(qname, qtype, qclass, ret)) {
- d_queryValidationState = Insecure;
- return 0;
+ d_queryValidationState = Insecure; // this could fool our stats into thinking a validation took place
+ return 0; // so do check before updating counters (we do now)
}
- if( (qtype.getCode() == QType::AXFR) || (qtype.getCode() == QType::IXFR) || (qtype.getCode() == QType::RRSIG) || (qtype.getCode() == QType::NSEC3))
+ if (metaTypes.count(qtype.getCode())) {
return -1;
+ }
if(qclass==QClass::ANY)
qclass=QClass::IN;
int res=doResolve(qname, qtype, ret, 0, beenthere, state);
d_queryValidationState = state;
- if (d_queryValidationState != Indeterminate) {
- g_stats.dnssecValidations++;
- }
- if (d_DNSSECValidationRequested) {
+ if (shouldValidate()) {
+ if (d_queryValidationState != Indeterminate) {
+ g_stats.dnssecValidations++;
+ }
increaseDNSSECStateCounter(d_queryValidationState);
}
return result;
}
-bool SyncRes::doOOBResolve(const AuthDomain& domain, const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, int& res) const
+bool SyncRes::doOOBResolve(const AuthDomain& domain, const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, int& res)
{
+ d_authzonequeries++;
+ s_authzonequeries++;
+
res = domain.getRecords(qname, qtype.getCode(), ret);
return true;
}
For now this means we can't be clever, but will turn off DNSSEC if you reply with FormError or gibberish.
*/
-int SyncRes::asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res) const
+int SyncRes::asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res, bool* chained) const
{
/* what is your QUEST?
the goal is to get as many remotes as possible on the highest level of EDNS support
sendQname.makeUsLowerCase();
if (d_asyncResolve) {
- ret = d_asyncResolve(ip, sendQname, type, doTCP, sendRDQuery, EDNSLevel, now, srcmask, ctx, luaconfsLocal->outgoingProtobufServer, res);
+ ret = d_asyncResolve(ip, sendQname, type, doTCP, sendRDQuery, EDNSLevel, now, srcmask, ctx, luaconfsLocal->outgoingProtobufServer, res, chained);
}
else {
- ret=asyncresolve(ip, sendQname, type, doTCP, sendRDQuery, EDNSLevel, now, srcmask, ctx, luaconfsLocal->outgoingProtobufServer, res);
+ ret=asyncresolve(ip, sendQname, type, doTCP, sendRDQuery, EDNSLevel, now, srcmask, ctx, luaconfsLocal->outgoingProtobufServer, res, chained);
}
if(ret < 0) {
return ret; // transport error, nothing to learn here
LOG(prefix<<qname<<": forwarding query to hardcoded nameserver '"<< remoteIP.toStringWithPort()<<"' for zone '"<<authname<<"'"<<endl);
boost::optional<Netmask> nm;
- res=asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, qtype.getCode(), false, false, &d_now, nm, &lwr);
+ bool chained = false;
+ res=asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, qtype.getCode(), false, false, &d_now, nm, &lwr, &chained);
d_totUsec += lwr.d_usec;
accountAuthLatency(lwr.d_usec, remoteIP.sin4.sin_family);
}
}
- if(!d_skipCNAMECheck && doCNAMECacheCheck(qname,qtype,ret,depth,res,state)) // will reroute us if needed
+ DNSName authname(qname);
+ bool wasForwardedOrAuthZone = false;
+ bool wasAuthZone = false;
+ domainmap_t::const_iterator iter = getBestAuthZone(&authname);
+ if(iter != t_sstorage.domainmap->end()) {
+ wasForwardedOrAuthZone = true;
+ const vector<ComboAddress>& servers = iter->second.d_servers;
+ if(servers.empty()) {
+ wasAuthZone = true;
+ }
+ }
+
+ if(!d_skipCNAMECheck && doCNAMECacheCheck(qname, qtype, ret, depth, res, state, wasAuthZone)) { // will reroute us if needed
+ d_wasOutOfBand = wasAuthZone;
return res;
+ }
- if(doCacheCheck(qname,qtype,ret,depth,res,state)) // we done
+ if(doCacheCheck(qname, authname, wasForwardedOrAuthZone, wasAuthZone, qtype, ret, depth, res, state)) {
+ // we done
+ d_wasOutOfBand = wasAuthZone;
return res;
+ }
}
if(d_cacheonly)
/** This function explicitly goes out for A or AAAA addresses
*/
-vector<ComboAddress> SyncRes::getAddrs(const DNSName &qname, unsigned int depth, set<GetBestNSAnswer>& beenthere)
+vector<ComboAddress> SyncRes::getAddrs(const DNSName &qname, unsigned int depth, set<GetBestNSAnswer>& beenthere, bool cacheOnly)
{
typedef vector<DNSRecord> res_t;
res_t res;
ret_t ret;
QType type;
+ bool oldCacheOnly = d_cacheonly;
bool oldRequireAuthData = d_requireAuthData;
bool oldValidationRequested = d_DNSSECValidationRequested;
d_requireAuthData = false;
d_DNSSECValidationRequested = false;
+ d_cacheonly = cacheOnly;
for(int j=1; j<2+s_doIPv6; j++)
{
if(!doResolve(qname, type, res,depth+1, beenthere, newState) && !res.empty()) { // this consults cache, OR goes out
for(res_t::const_iterator i=res.begin(); i!= res.end(); ++i) {
if(i->d_type == QType::A || i->d_type == QType::AAAA) {
- if(auto rec = std::dynamic_pointer_cast<ARecordContent>(i->d_content))
+ if(auto rec = getRR<ARecordContent>(*i))
ret.push_back(rec->getCA(53));
- else if(auto aaaarec = std::dynamic_pointer_cast<AAAARecordContent>(i->d_content))
+ else if(auto aaaarec = getRR<AAAARecordContent>(*i))
ret.push_back(aaaarec->getCA(53));
done=true;
}
if(t_RC->get(d_now.tv_sec, qname, QType(QType::AAAA), false, &cset, d_incomingECSFound ? d_incomingECSNetwork : d_requestor) > 0) {
for(auto k=cset.cbegin();k!=cset.cend();++k) {
if(k->d_ttl > (unsigned int)d_now.tv_sec ) {
- if (auto drc = std::dynamic_pointer_cast<AAAARecordContent>(k->d_content)) {
+ if (auto drc = getRR<AAAARecordContent>(*k)) {
ComboAddress ca=drc->getCA(53);
ret.push_back(ca);
}
d_requireAuthData = oldRequireAuthData;
d_DNSSECValidationRequested = oldValidationRequested;
+ d_cacheonly = oldCacheOnly;
/* we need to remove from the nsSpeeds collection the existing IPs
for this nameserver that are no longer in the set, even if there
GetBestNSAnswer answer;
answer.qname=qname;
answer.qtype=qtype.getCode();
- for(const auto& dr : bestns)
- answer.bestns.insert(make_pair(dr.d_name, getRR<NSRecordContent>(dr)->getNS()));
+ for(const auto& dr : bestns) {
+ if (auto nsContent = getRR<NSRecordContent>(dr)) {
+ answer.bestns.insert(make_pair(dr.d_name, nsContent->getNS()));
+ }
+ }
if(beenthere.count(answer)) {
brokeloop=true;
for(auto k=bestns.cbegin() ; k != bestns.cend(); ++k) {
// The actual resolver code will not even look at the ComboAddress or bool
- nsset.insert({std::dynamic_pointer_cast<NSRecordContent>(k->d_content)->getNS(), {{}, false}});
- if(k==bestns.cbegin())
- subdomain=k->d_name;
+ const auto nsContent = getRR<NSRecordContent>(*k);
+ if (nsContent) {
+ nsset.insert({nsContent->getNS(), {{}, false}});
+ if(k==bestns.cbegin())
+ subdomain=k->d_name;
+ }
}
return subdomain;
}
-bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>& ret, unsigned int depth, int &res, vState& state)
+bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>& ret, unsigned int depth, int &res, vState& state, bool wasAuthZone)
{
string prefix;
if(doLog()) {
if(t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), d_requireAuthData, &cset, d_incomingECSFound ? d_incomingECSNetwork : d_requestor, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) {
+ if (j->d_class != QClass::IN) {
+ continue;
+ }
+
if(j->d_ttl>(unsigned int) d_now.tv_sec) {
- if (d_DNSSECValidationRequested && wasAuth && state == Indeterminate && d_requireAuthData) {
+ if (!wasAuthZone && shouldValidate() && wasAuth && state == Indeterminate && d_requireAuthData) {
/* This means we couldn't figure out the state when this entry was cached,
most likely because we hadn't computed the zone cuts yet. */
/* make sure they are computed before validating */
- computeZoneCuts(qname, g_rootdnsname, depth);
+ DNSName subdomain(qname);
+ /* if we are retrieving a DS, we only care about the state of the parent zone */
+ if(qtype == QType::DS)
+ subdomain.chopOff();
+
+ computeZoneCuts(subdomain, g_rootdnsname, depth);
vState recordState = getValidationStatus(qname, false);
if (recordState == Secure) {
set<GetBestNSAnswer>beenthere;
vState cnameState = Indeterminate;
- res=doResolve(std::dynamic_pointer_cast<CNAMERecordContent>(j->d_content)->getTarget(), qtype, ret, depth+1, beenthere, cnameState);
- LOG(prefix<<qname<<": updating validation state for response to "<<qname<<" from "<<vStates[state]<<" with the state from the CNAME quest: "<<vStates[cnameState]<<endl);
- updateValidationState(state, cnameState);
+ const auto cnameContent = getRR<CNAMERecordContent>(*j);
+ if (cnameContent) {
+ res=doResolve(cnameContent->getTarget(), qtype, ret, depth+1, beenthere, cnameState);
+ LOG(prefix<<qname<<": updating validation state for response to "<<qname<<" from "<<vStates[state]<<" with the state from the CNAME quest: "<<vStates[cnameState]<<endl);
+ updateValidationState(state, cnameState);
+ }
}
else
res=0;
void SyncRes::computeNegCacheValidationStatus(NegCache::NegCacheEntry& ne, const DNSName& qname, const QType& qtype, const int res, vState& state, unsigned int depth)
{
- computeZoneCuts(qname, g_rootdnsname, depth);
+ DNSName subdomain(qname);
+ /* if we are retrieving a DS, we only care about the state of the parent zone */
+ if(qtype == QType::DS)
+ subdomain.chopOff();
+
+ computeZoneCuts(subdomain, g_rootdnsname, depth);
tcache_t tcache;
reapRecordsFromNegCacheEntryForValidation(tcache, ne.authoritySOA.records);
}
if (recordState == Secure) {
- vState cachedState = SyncRes::validateRecordsWithSigs(depth, qname, qtype, owner, entry.second.records, entry.second.signatures);
+ recordState = SyncRes::validateRecordsWithSigs(depth, qname, qtype, owner, entry.second.records, entry.second.signatures);
+ }
- if (state == Secure && cachedState != recordState) {
- updateValidationState(state, cachedState);
- if (state != Secure) {
- break;
- }
+ if (recordState != Indeterminate && recordState != state) {
+ updateValidationState(state, recordState);
+ if (state != Secure) {
+ break;
}
}
}
if (state == Secure) {
dState expectedState = res == RCode::NXDomain ? NXDOMAIN : NXQTYPE;
- dState denialState = getDenialValidationState(ne, state, expectedState, qtype == QType::DS);
+ dState denialState = getDenialValidationState(ne, state, expectedState, false);
updateDenialValidationState(ne, state, denialState, expectedState, qtype == QType::DS);
}
if (state != Indeterminate) {
}
}
-bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int &res, vState& state)
+bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool wasForwardedOrAuthZone, bool wasAuthZone, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int &res, vState& state)
{
bool giveNegative=false;
QType sqt(qtype);
uint32_t sttl=0;
// cout<<"Lookup for '"<<qname<<"|"<<qtype.getName()<<"' -> "<<getLastLabel(qname)<<endl;
-
- DNSName authname(qname);
vState cachedState;
- bool wasForwardedOrAuth = false;
- bool wasAuth = false;
- domainmap_t::const_iterator iter=getBestAuthZone(&authname);
- if(iter != t_sstorage.domainmap->end()) {
- wasForwardedOrAuth = true;
- const vector<ComboAddress>& servers = iter->second.d_servers;
- if(servers.empty()) {
- wasAuth = true;
- }
- }
NegCache::NegCacheEntry ne;
if(s_rootNXTrust &&
t_sstorage.negcache.getRootNXTrust(qname, d_now, ne) &&
ne.d_auth.isRoot() &&
- !(wasForwardedOrAuth && !authname.isRoot())) { // when forwarding, the root may only neg-cache if it was forwarded to.
+ !(wasForwardedOrAuthZone && !authname.isRoot())) { // when forwarding, the root may only neg-cache if it was forwarded to.
sttl = ne.d_ttd - d_now.tv_sec;
LOG(prefix<<qname<<": Entire name '"<<qname<<"', is negatively cached via '"<<ne.d_auth<<"' & '"<<ne.d_name<<"' for another "<<sttl<<" seconds"<<endl);
res = RCode::NXDomain;
cachedState = ne.d_validationState;
}
else if (t_sstorage.negcache.get(qname, qtype, d_now, ne) &&
- !(wasForwardedOrAuth && ne.d_auth != authname)) { // Only the authname nameserver can neg cache entries
+ !(wasForwardedOrAuthZone && ne.d_auth != authname)) { // Only the authname nameserver can neg cache entries
/* If we are looking for a DS, discard NXD if auth == qname
and ask for a specific denial instead */
state = cachedState;
- if (d_DNSSECValidationRequested && state == Indeterminate) {
+ if (!wasAuthZone && shouldValidate() && state == Indeterminate) {
LOG(prefix<<qname<<": got Indeterminate state for records retrieved from the negative cache, validating.."<<endl);
computeNegCacheValidationStatus(ne, qname, qtype, res, state, depth);
}
LOG(prefix<<sqname<<": Found cache hit for "<<sqt.getName()<<": ");
- if (d_DNSSECValidationRequested && wasCachedAuth && cachedState == Indeterminate && d_requireAuthData) {
+ if (!wasAuthZone && shouldValidate() && wasCachedAuth && cachedState == Indeterminate && d_requireAuthData) {
/* This means we couldn't figure out the state when this entry was cached,
most likely because we hadn't computed the zone cuts yet. */
/* make sure they are computed before validating */
- computeZoneCuts(sqname, g_rootdnsname, depth);
+ DNSName subdomain(sqname);
+ /* if we are retrieving a DS, we only care about the state of the parent zone */
+ if(qtype == QType::DS)
+ subdomain.chopOff();
+
+ computeZoneCuts(subdomain, g_rootdnsname, depth);
vState recordState = getValidationStatus(qname, false);
if (recordState == Secure) {
LOG(prefix<<sqname<<": got Indeterminate state from the cache, validating.."<<endl);
cachedState = SyncRes::validateRecordsWithSigs(depth, sqname, sqt, sqname, cset, signatures);
+ }
+ else {
+ cachedState = recordState;
+ }
- if (cachedState != Indeterminate) {
- LOG(prefix<<qname<<": got Indeterminate state from the cache, validation result is "<<vStates[cachedState]<<endl);
- t_RC->updateValidationStatus(d_now.tv_sec, sqname, sqt, d_incomingECSFound ? d_incomingECSNetwork : d_requestor, d_requireAuthData, cachedState);
- }
+ if (cachedState != Indeterminate) {
+ LOG(prefix<<qname<<": got Indeterminate state from the cache, validation result is "<<vStates[cachedState]<<endl);
+ t_RC->updateValidationStatus(d_now.tv_sec, sqname, sqt, d_incomingECSFound ? d_incomingECSNetwork : d_requestor, d_requireAuthData, cachedState);
}
}
for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) {
+
LOG(j->d_content->getZoneRepresentation());
+
+ if (j->d_class != QClass::IN) {
+ continue;
+ }
+
if(j->d_ttl>(unsigned int) d_now.tv_sec) {
DNSRecord dr=*j;
ttl = (dr.d_ttl-=d_now.tv_sec);
if(found && !expired) {
if (!giveNegative)
res=0;
- d_wasOutOfBand = wasAuth;
LOG(prefix<<qname<<": updating validation state with cache content for "<<qname<<" to "<<vStates[cachedState]<<endl);
state = cachedState;
return true;
return rnameservers;
}
-static bool magicAddrMatch(const QType& query, const QType& answer)
-{
- if(query.getCode() != QType::ADDR)
- return false;
- return answer.getCode() == QType::A || answer.getCode() == QType::AAAA;
-}
-
static uint32_t getRRSIGTTL(const time_t now, const std::shared_ptr<RRSIGRecordContent>& rrsig)
{
uint32_t res = 0;
return false;
}
-vector<ComboAddress> SyncRes::retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<DNSName >::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<DNSName >& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet)
+vector<ComboAddress> SyncRes::retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<DNSName >::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<DNSName >& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly)
{
vector<ComboAddress> result;
if(!tns->empty()) {
LOG(prefix<<qname<<": Trying to resolve NS '"<<*tns<< "' ("<<1+tns-rnameservers.begin()<<"/"<<(unsigned int)rnameservers.size()<<")"<<endl);
- result = getAddrs(*tns, depth+2, beenthere);
+ result = getAddrs(*tns, depth+2, beenthere, cacheOnly);
pierceDontQuery=false;
}
else {
auto luaLocal = g_luaconfs.getLocal();
if (luaLocal->dsAnchors.empty()) {
+ LOG(d_prefix<<": No trust anchors configured, everything is Insecure"<<endl);
/* We have no TA, everything is insecure */
return Insecure;
}
std::string reason;
if (haveNegativeTrustAnchor(luaLocal->negAnchors, zone, reason)) {
- LOG(d_prefix<<": got NTA for "<<zone<<endl);
+ LOG(d_prefix<<": got NTA for '"<<zone<<"'"<<endl);
return NTA;
}
if (getTrustAnchor(luaLocal->dsAnchors, zone, ds)) {
- LOG(d_prefix<<": got TA for "<<zone<<endl);
+ LOG(d_prefix<<": got TA for '"<<zone<<"'"<<endl);
return TA;
}
+ else {
+ LOG(d_prefix<<": no TA found for '"<<zone<<"' among "<< luaLocal->dsAnchors.size()<<endl);
+ }
if (zone.isRoot()) {
/* No TA for the root */
if (rcode == RCode::NoError || (rcode == RCode::NXDomain && !bogusOnNXD)) {
+ uint8_t bestDigestType = 0;
+
if (state == Secure) {
bool gotCNAME = false;
for (const auto& record : dsrecords) {
if (record.d_type == QType::DS) {
const auto dscontent = getRR<DSRecordContent>(record);
if (dscontent && isSupportedDS(*dscontent)) {
+ // Make GOST a lower prio than SHA256
+ if (dscontent->d_digesttype == DNSSECKeeper::GOST && bestDigestType == DNSSECKeeper::SHA256) {
+ continue;
+ }
+ if (dscontent->d_digesttype > bestDigestType || (bestDigestType == DNSSECKeeper::GOST && dscontent->d_digesttype == DNSSECKeeper::SHA256)) {
+ bestDigestType = dscontent->d_digesttype;
+ }
ds.insert(*dscontent);
}
}
}
}
+ /* RFC 4509 section 3: "Validator implementations SHOULD ignore DS RRs containing SHA-1
+ * digests if DS RRs with SHA-256 digests are present in the DS RRset."
+ * As SHA348 is specified as well, the spirit of the this line is "use the best algorithm".
+ */
+ for (auto dsrec = ds.begin(); dsrec != ds.end(); ) {
+ if (dsrec->d_digesttype != bestDigestType) {
+ dsrec = ds.erase(dsrec);
+ }
+ else {
+ ++dsrec;
+ }
+ }
+
if (rcode == RCode::NoError && ds.empty()) {
if (foundCut) {
if (gotCNAME || denialProvesNoDelegation(zone, dsrecords)) {
bool SyncRes::haveExactValidationStatus(const DNSName& domain)
{
- if (!d_DNSSECValidationRequested) {
+ if (!shouldValidate()) {
return false;
}
const auto& it = d_cutStates.find(domain);
{
vState result = Indeterminate;
- if (!d_DNSSECValidationRequested) {
+ if (!shouldValidate()) {
return result;
}
DNSName name(subdomain);
LOG(d_prefix<<": setting cut state for "<<end<<" to "<<vStates[cutState]<<endl);
d_cutStates[end] = cutState;
- if (!d_DNSSECValidationRequested) {
+ if (!shouldValidate()) {
return;
}
}
else {
/* remove the temporary cut */
- LOG(d_prefix<<qname<<": removing cut state for "<<qname<<", was "<<vStates[d_cutStates[qname]]<<endl);
+ LOG(d_prefix<<qname<<": removing cut state for "<<qname<<endl);
d_cutStates.erase(qname);
}
}
if (!signatures.empty()) {
DNSName signer = getSigner(signatures);
- if (!signer.empty() && signer.isPartOf(zone)) {
+ if (!signer.empty() && zone.isPartOf(signer)) {
vState state = getDSRecords(signer, ds, false, depth);
if (state != Secure) {
return Bogus;
}
-RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof)
+RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount)
{
tcache_t tcache;
const unsigned int labelCount = qname.countLabels();
bool isCNAMEAnswer = false;
for(const auto& rec : lwr.d_records) {
+ if (rec.d_class != QClass::IN) {
+ continue;
+ }
+
if(!isCNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname) {
isCNAMEAnswer = true;
}
if (rec.d_name == qname && rrsig->d_labels < labelCount) {
LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard, we need a wildcard proof"<<endl);
needWildcardProof = true;
+ wildcardLabelsCount = rrsig->d_labels;
}
// cerr<<"Got an RRSIG for "<<DNSRecordContent::NumberToType(rrsig->d_type)<<" with name '"<<rec.d_name<<"'"<<endl;
LOG(prefix<<qname<<": OPT answer '"<<rec.d_name<<"' from '"<<auth<<"' nameservers" <<endl);
continue;
}
- LOG(prefix<<qname<<": accept answer '"<<rec.d_name<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"|"<<rec.d_content->getZoneRepresentation()<<"' from '"<<auth<<"' nameservers? "<<(int)rec.d_place<<" ");
+ LOG(prefix<<qname<<": accept answer '"<<rec.d_name<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"|"<<rec.d_content->getZoneRepresentation()<<"' from '"<<auth<<"' nameservers? ttl="<<rec.d_ttl<<", place="<<(int)rec.d_place<<" ");
if(rec.d_type == QType::ANY) {
- LOG("NO! - we don't accept 'ANY' data"<<endl);
+ LOG("NO! - we don't accept 'ANY'-typed data"<<endl);
+ continue;
+ }
+
+ if(rec.d_class != QClass::IN) {
+ LOG("NO! - we don't accept records for any other class than 'IN'"<<endl);
continue;
}
if(i->second.records.empty()) // this happens when we did store signatures, but passed on the records themselves
continue;
- bool isAA = lwr.d_aabit;
- if (isAA && isCNAMEAnswer && (i->first.place != DNSResourceRecord::ANSWER || i->first.type != QType::CNAME)) {
+ /* Even if the AA bit is set, additional data cannot be considered
+ as authoritative. This is especially important during validation
+ because keeping records in the additional section is allowed even
+ if the corresponding RRSIGs are not included, without setting the TC
+ bit, as stated in rfc4035's section 3.1.1. Including RRSIG RRs in a Response:
+ "When placing a signed RRset in the Additional section, the name
+ server MUST also place its RRSIG RRs in the Additional section.
+ If space does not permit inclusion of both the RRset and its
+ associated RRSIG RRs, the name server MAY retain the RRset while
+ dropping the RRSIG RRs. If this happens, the name server MUST NOT
+ set the TC bit solely because these RRSIG RRs didn't fit."
+ */
+ bool isAA = lwr.d_aabit && i->first.place != DNSResourceRecord::ADDITIONAL;
+ if (isAA && isCNAMEAnswer && i->first.place == DNSResourceRecord::ANSWER && (i->first.type != QType::CNAME || i->first.name != qname)) {
/*
rfc2181 states:
Note that the answer section of an authoritative answer normally
vState recordState = getValidationStatus(i->first.name, false);
LOG(d_prefix<<": got initial zone status "<<vStates[recordState]<<" for record "<<i->first.name<<endl);
- if (d_DNSSECValidationRequested && recordState == Secure) {
+ if (shouldValidate() && recordState == Secure) {
vState initialState = recordState;
if (isAA) {
}
}
else {
+ recordState = Indeterminate;
+
/* in a non authoritative answer, we only care about the DS record (or lack of) */
if ((i->first.type == QType::DS || i->first.type == QType::NSEC || i->first.type == QType::NSEC3) && i->first.place == DNSResourceRecord::AUTHORITY) {
LOG(d_prefix<<"Validating DS record for "<<i->first.name<<endl);
}
}
- if (initialState == Secure && state != recordState) {
+ if (initialState == Secure && state != recordState && isAA) {
updateValidationState(state, recordState);
}
}
else {
- if (d_DNSSECValidationRequested) {
+ if (shouldValidate()) {
LOG(d_prefix<<"Skipping validation because the current state is "<<vStates[recordState]<<endl);
}
}
void SyncRes::updateDenialValidationState(NegCache::NegCacheEntry& ne, vState& state, const dState denialState, const dState expectedState, bool allowOptOut)
{
- if (denialState != expectedState) {
+ if (denialState == expectedState) {
+ ne.d_validationState = Secure;
+ }
+ else {
if (denialState == OPTOUT && allowOptOut) {
LOG(d_prefix<<"OPT-out denial found for "<<ne.d_name<<endl);
ne.d_validationState = Secure;
return getDenial(csp, ne.d_name, ne.d_qtype.getCode(), referralToUnsigned, expectedState == NXQTYPE);
}
-bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, bool needWildcardProof)
+bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount)
{
bool done = false;
// for ANY answers we *must* have an authoritative answer, unless we are forwarding recursively
else if(rec.d_place==DNSResourceRecord::ANSWER && rec.d_name == qname &&
(
- rec.d_type==qtype.getCode() || (lwr.d_aabit && (qtype==QType(QType::ANY) || magicAddrMatch(qtype, QType(rec.d_type)) ) ) || sendRDQuery
+ rec.d_type==qtype.getCode() || ((lwr.d_aabit || sendRDQuery) && qtype == QType(QType::ANY))
)
)
{
harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL);
cspmap_t csp = harvestCSPFromNE(ne);
- dState res = getDenial(csp, qname, ne.d_qtype.getCode(), false, false, false);
+ dState res = getDenial(csp, qname, ne.d_qtype.getCode(), false, false, false, wildcardLabelsCount);
if (res != NXDOMAIN) {
- LOG(d_prefix<<"Invalid denial in wildcard expanded positive response found for "<<qname<<", returning Bogus, res="<<res<<endl);
- updateValidationState(state, Bogus);
- /* we already store the record with a different validation status, let's fix it */
- t_RC->updateValidationStatus(d_now.tv_sec, qname, qtype, d_incomingECSFound ? d_incomingECSNetwork : d_requestor, lwr.d_aabit, Bogus);
+ vState st = Bogus;
+ if (res == INSECURE) {
+ /* Some part could not be validated, for example a NSEC3 record with a too large number of iterations,
+ this is not enough to warrant a Bogus, but go Insecure. */
+ st = Insecure;
+ LOG(d_prefix<<"Unable to validate denial in wildcard expanded positive response found for "<<qname<<", returning Insecure, res="<<res<<endl);
+ }
+ else {
+ LOG(d_prefix<<"Invalid denial in wildcard expanded positive response found for "<<qname<<", returning Bogus, res="<<res<<endl);
+ }
+
+ updateValidationState(state, st);
+ /* we already stored the record with a different validation status, let's fix it */
+ t_RC->updateValidationStatus(d_now.tv_sec, qname, qtype, d_incomingECSFound ? d_incomingECSNetwork : d_requestor, lwr.d_aabit, st);
}
}
}
bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname, const QType& qtype, LWResult& lwr, boost::optional<Netmask>& ednsmask, const DNSName& auth, bool const sendRDQuery, const DNSName& nsName, const ComboAddress& remoteIP, bool doTCP, bool* truncated)
{
- int resolveret;
+ bool chained = false;
+ int resolveret = RCode::NoError;
s_outqueries++;
d_outqueries++;
s_ecsqueries++;
}
resolveret = asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, qtype.getCode(),
- doTCP, sendRDQuery, &d_now, ednsmask, &lwr); // <- we go out on the wire!
+ doTCP, sendRDQuery, &d_now, ednsmask, &lwr, &chained); // <- we go out on the wire!
if(ednsmask) {
s_ecsresponses++;
LOG(prefix<<qname<<": Received EDNS Client Subnet Mask "<<ednsmask->toString()<<" on response"<<endl);
LOG(prefix<<qname<<": error resolving from "<<remoteIP.toString()<< (doTCP ? " over TCP" : "") <<", possible error: "<<strerror(errno)<< endl);
}
- if(resolveret != -2) { // don't account for resource limits, they are our own fault
+ if(resolveret != -2 && !chained) { // don't account for resource limits, they are our own fault
t_sstorage.nsSpeeds[nsName].submit(remoteIP, 1000000, &d_now); // 1 sec
// code below makes sure we don't filter COM or the root
/* we got an answer */
if(lwr.d_rcode==RCode::ServFail || lwr.d_rcode==RCode::Refused) {
LOG(prefix<<qname<<": "<<nsName<<" ("<<remoteIP.toString()<<") returned a "<< (lwr.d_rcode==RCode::ServFail ? "ServFail" : "Refused") << ", trying sibling IP or NS"<<endl);
- t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3);
+ if (!chained) {
+ t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3);
+ }
return false;
}
}
bool needWildcardProof = false;
- *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof);
+ unsigned int wildcardLabelsCount;
+ *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, wildcardLabelsCount);
if (*rcode != RCode::NoError) {
return true;
}
DNSName newauth;
DNSName newtarget;
- bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof);
+ bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, wildcardLabelsCount);
if(done){
LOG(prefix<<qname<<": status=got results, this level of recursion done"<<endl);
return -1;
}
- // this line needs to identify the 'self-resolving' behaviour, but we get it wrong now
- if(qname == *tns && qtype.getCode()==QType::A && rnameservers.size() > (size_t)(1+1*s_doIPv6)) {
- LOG(prefix<<qname<<": Not using NS to resolve itself! ("<<(1+tns-rnameservers.cbegin())<<"/"<<rnameservers.size()<<")"<<endl);
- continue;
+ bool cacheOnly = false;
+ // this line needs to identify the 'self-resolving' behaviour
+ if(qname == *tns && (qtype.getCode() == QType::A || qtype.getCode() == QType::AAAA)) {
+ /* we might have a glue entry in cache so let's try this NS
+ but only if we have enough in the cache to know how to reach it */
+ LOG(prefix<<qname<<": Using NS to resolve itself, but only using what we have in cache ("<<(1+tns-rnameservers.cbegin())<<"/"<<rnameservers.size()<<")"<<endl);
+ cacheOnly = true;
}
typedef vector<ComboAddress> remoteIPs_t;
if(tns->empty() && !wasForwarded) {
LOG(prefix<<qname<<": Domain is out-of-band"<<endl);
- state = Insecure;
+ /* setting state to indeterminate since validation is disabled for local auth zone,
+ and Insecure would be misleading. */
+ state = Indeterminate;
d_wasOutOfBand = doOOBResolve(qname, qtype, lwr.d_records, depth, lwr.d_rcode);
lwr.d_tcbit=false;
lwr.d_aabit=true;
}
else {
/* if tns is empty, retrieveAddressesForNS() knows we have hardcoded servers (i.e. "forwards") */
- remoteIPs = retrieveAddressesForNS(prefix, qname, tns, depth, beenthere, rnameservers, nameservers, sendRDQuery, pierceDontQuery, flawedNSSet);
+ remoteIPs = retrieveAddressesForNS(prefix, qname, tns, depth, beenthere, rnameservers, nameservers, sendRDQuery, pierceDontQuery, flawedNSSet, cacheOnly);
if(remoteIPs.empty()) {
LOG(prefix<<qname<<": Failed to get IP for NS "<<*tns<<", trying next if available"<<endl);
projects / thirdparty / pdns.git / blobdiff