X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=src%2Fforward.c;h=74e5ab66c423a9d09f48c9cab7a82f258de3576a;hb=86fa1046920dedc8134136a6244ca96e8a37e9d8;hp=073b2c9012d7020e2e41055bc9d3ae645d72d217;hpb=610e782a29958aa2e3d6f0955cb01dab2016e4f6;p=people%2Fms%2Fdnsmasq.git diff --git a/src/forward.c b/src/forward.c index 073b2c9..74e5ab6 100644 --- a/src/forward.c +++ b/src/forward.c @@ -1,4 +1,4 @@ -/* dnsmasq is Copyright (c) 2000-2014 Simon Kelley +/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -22,7 +22,15 @@ static struct frec *lookup_frec_by_sender(unsigned short id, void *hash); static unsigned short get_id(void); static void free_frec(struct frec *f); -static struct randfd *allocate_rfd(int family); + +#ifdef HAVE_DNSSEC +static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, + int class, char *name, char *keyname, struct server *server, int *keycount); +static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname); +static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen, + char *name, char *keyname); +#endif + /* Send a UDP packet with its source address set as "source" unless nowild is true, when we just send it with the kernel default */ @@ -95,15 +103,11 @@ int send_from(int fd, int nowild, char *packet, size_t len, #endif } - while (sendmsg(fd, &msg, 0) == -1) + while (retry_send(sendmsg(fd, &msg, 0))); + + /* If interface is still in DAD, EINVAL results - ignore that. */ + if (errno != 0 && errno != EINVAL) { - if (retry_send()) - continue; - - /* If interface is still in DAD, EINVAL results - ignore that. */ - if (errno == EINVAL) - break; - my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno)); return 0; } @@ -234,7 +238,8 @@ static unsigned int search_servers(time_t now, struct all_addr **addrpp, static int forward_query(int udpfd, union mysockaddr *udpaddr, struct all_addr *dst_addr, unsigned int dst_iface, - struct dns_header *header, size_t plen, time_t now, struct frec *forward) + struct dns_header *header, size_t plen, time_t now, + struct frec *forward, int ad_reqd, int do_bit) { char *domain = NULL; int type = 0, norebind = 0; @@ -248,33 +253,46 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, void *hash = &crc; #endif unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL); + unsigned char *pheader; + + (void)do_bit; - /* RFC 4035: sect 4.6 para 2 */ - header->hb4 &= ~HB4_AD; - /* may be no servers available. */ if (!daemon->servers) forward = NULL; else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash)))) { + /* If we didn't get an answer advertising a maximal packet in EDNS, + fall back to 1280, which should work everywhere on IPv6. + If that generates an answer, it will become the new default + for this server */ + forward->flags |= FREC_TEST_PKTSZ; + #ifdef HAVE_DNSSEC - /* If we've already got an answer to this query, but we're awaiting keys for vaildation, + /* If we've already got an answer to this query, but we're awaiting keys for validation, there's no point retrying the query, retry the key query instead...... */ if (forward->blocking_query) { int fd; - + + forward->flags &= ~FREC_TEST_PKTSZ; + while (forward->blocking_query) forward = forward->blocking_query; + + forward->flags |= FREC_TEST_PKTSZ; blockdata_retrieve(forward->stash, forward->stash_len, (void *)header); plen = forward->stash_len; - if (forward->sentto->addr.sa.sa_family) - log_query(F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); + if (find_pseudoheader(header, plen, NULL, &pheader, NULL)) + PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : forward->sentto->edns_pktsz, pheader); + + if (forward->sentto->addr.sa.sa_family == AF_INET) + log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); #ifdef HAVE_IPV6 else - log_query(F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); + log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); #endif if (forward->sentto->sfd) @@ -289,9 +307,9 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, fd = forward->rfd4->fd; } - while (sendto(fd, (char *)header, plen, 0, - &forward->sentto->addr.sa, - sa_len(&forward->sentto->addr)) == -1 && retry_send()); + while (retry_send( sendto(fd, (char *)header, plen, 0, + &forward->sentto->addr.sa, + sa_len(&forward->sentto->addr)))); return 1; } @@ -334,7 +352,14 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, forward->flags |= FREC_NOREBIND; if (header->hb4 & HB4_CD) forward->flags |= FREC_CHECKING_DISABLED; - + if (ad_reqd) + forward->flags |= FREC_AD_QUESTION; +#ifdef HAVE_DNSSEC + forward->work_counter = DNSSEC_WORK; + if (do_bit) + forward->flags |= FREC_DO_QUESTION; +#endif + header->id = htons(forward->new_id); /* In strict_order mode, always try servers in the order @@ -374,6 +399,9 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, struct server *firstsentto = start; int forwarded = 0; + /* If a query is retried, use the log_id for the retry when logging the answer. */ + forward->log_id = daemon->log_id; + if (option_bool(OPT_ADD_MAC)) plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source); @@ -390,14 +418,20 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, #ifdef HAVE_DNSSEC if (option_bool(OPT_DNSSEC_VALID)) { - plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz); + size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz); + /* For debugging, set Checking Disabled, otherwise, have the upstream check too, this allows it to select auth servers when one is returning bad data. */ if (option_bool(OPT_DNSSEC_DEBUG)) header->hb4 |= HB4_CD; + + if (new_plen != plen) + forward->flags |= FREC_ADDED_PHEADER; + + plen = new_plen; } #endif - + while (1) { /* only send to servers dealing with our domain. @@ -406,7 +440,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, if (type == (start->flags & SERV_TYPE) && (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) && - !(start->flags & SERV_LITERAL_ADDRESS)) + !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) { int fd; @@ -444,15 +478,16 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, } #endif } + + if (find_pseudoheader(header, plen, NULL, &pheader, NULL)) + PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : start->edns_pktsz, pheader); - if (sendto(fd, (char *)header, plen, 0, - &start->addr.sa, - sa_len(&start->addr)) == -1) - { - if (retry_send()) - continue; - } - else + if (retry_send(sendto(fd, (char *)header, plen, 0, + &start->addr.sa, + sa_len(&start->addr)))) + continue; + + if (errno == 0) { /* Keep info in case we want to re-send this packet */ daemon->srv_save = start; @@ -503,28 +538,36 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, } static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind, - int no_cache, int cache_secure, int check_subnet, union mysockaddr *query_source) + int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader, + int check_subnet, union mysockaddr *query_source) { unsigned char *pheader, *sizep; char **sets = 0; int munged = 0, is_sign; size_t plen; + (void)ad_reqd; + (void)do_bit; + (void)bogusanswer; + #ifdef HAVE_IPSET - /* Similar algorithm to search_servers. */ - struct ipsets *ipset_pos; - unsigned int namelen = strlen(daemon->namebuff); - unsigned int matchlen = 0; - for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next) + if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL)) { - unsigned int domainlen = strlen(ipset_pos->domain); - char *matchstart = daemon->namebuff + namelen - domainlen; - if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) && - (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) && - domainlen >= matchlen) + /* Similar algorithm to search_servers. */ + struct ipsets *ipset_pos; + unsigned int namelen = strlen(daemon->namebuff); + unsigned int matchlen = 0; + for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next) { - matchlen = domainlen; - sets = ipset_pos->sets; + unsigned int domainlen = strlen(ipset_pos->domain); + char *matchstart = daemon->namebuff + namelen - domainlen; + if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) && + (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) && + domainlen >= matchlen) + { + matchlen = domainlen; + sets = ipset_pos->sets; + } } } #endif @@ -535,29 +578,33 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign))) { - if (!is_sign) - { - unsigned short udpsz; - unsigned char *psave = sizep; - - GETSHORT(udpsz, sizep); - if (udpsz > daemon->edns_pktsz) - PUTSHORT(daemon->edns_pktsz, psave); - } + unsigned short udpsz; + unsigned char *psave = sizep; + + GETSHORT(udpsz, sizep); + + if (!is_sign && udpsz > daemon->edns_pktsz) + PUTSHORT(daemon->edns_pktsz, psave); if (check_subnet && !check_source(header, plen, pheader, query_source)) { my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch")); return 0; } - } + if (added_pheader) + { + pheader = 0; + header->arcount = htons(0); + } + } + /* RFC 4035 sect 4.6 para 3 */ if (!is_sign && !option_bool(OPT_DNSSEC_PROXY)) header->hb4 &= ~HB4_AD; if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN)) - return n; + return resize_packet(header, n, pheader, plen); /* Complain loudly if the upstream server is non-recursive. */ if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 && @@ -606,7 +653,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server } #ifdef HAVE_DNSSEC - if (no_cache && !(header->hb4 & HB4_CD)) + if (bogusanswer && !(header->hb4 & HB4_CD)) { if (!option_bool(OPT_DNSSEC_DEBUG)) { @@ -619,8 +666,12 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server if (option_bool(OPT_DNSSEC_VALID)) header->hb4 &= ~HB4_AD; - if (!(header->hb4 & HB4_CD) && cache_secure) + if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure) header->hb4 |= HB4_AD; + + /* If the requestor didn't set the DO bit, don't return DNSSEC info. */ + if (!do_bit) + n = filter_rrsigs(header, n); #endif /* do this after extract_addresses. Ensure NODATA reply and remove @@ -631,6 +682,7 @@ static size_t process_reply(struct dns_header *header, time_t now, struct server header->ancount = htons(0); header->nscount = htons(0); header->arcount = htons(0); + header->hb3 &= ~HB3_TC; } /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide @@ -666,14 +718,20 @@ void reply_query(int fd, int family, time_t now) serveraddr.in6.sin6_flowinfo = 0; #endif + header = (struct dns_header *)daemon->packet; + + if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR)) + return; + /* spoof check: answer must come from known server, */ for (server = daemon->servers; server; server = server->next) if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) && sockaddr_isequal(&server->addr, &serveraddr)) break; - - header = (struct dns_header *)daemon->packet; - + + if (!server) + return; + #ifdef HAVE_DNSSEC hash = hash_questions(header, n, daemon->namebuff); #else @@ -681,12 +739,19 @@ void reply_query(int fd, int family, time_t now) crc = questions_crc(header, n, daemon->namebuff); #endif - if (!server || - n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR) || - !(forward = lookup_frec(ntohs(header->id), hash))) + if (!(forward = lookup_frec(ntohs(header->id), hash))) + return; + + /* log_query gets called indirectly all over the place, so + pass these in global variables - sorry. */ + daemon->log_display_id = forward->log_id; + daemon->log_source_addr = &forward->source; + + if (daemon->ignore_addr && RCODE(header) == NOERROR && + check_for_ignored_address(header, n, daemon->ignore_addr)) return; - if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) && + if (RCODE(header) == REFUSED && !option_bool(OPT_ORDER) && forward->forwardall == 0) /* for broken servers, attempt to send to another one. */ @@ -705,17 +770,16 @@ void reply_query(int fd, int family, time_t now) if ((nn = resize_packet(header, (size_t)n, pheader, plen))) { header->hb3 &= ~(HB3_QR | HB3_TC); - forward_query(-1, NULL, NULL, 0, header, nn, now, forward); + forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0); return; } } } server = forward->sentto; - if ((forward->sentto->flags & SERV_TYPE) == 0) { - if (RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) + if (RCODE(header) == REFUSED) server = NULL; else { @@ -733,15 +797,21 @@ void reply_query(int fd, int family, time_t now) if (!option_bool(OPT_ALL_SERVERS)) daemon->last_server = server; } - + + /* We tried resending to this server with a smaller maximum size and got an answer. + Make that permanent. To avoid reduxing the packet size for an single dropped packet, + only do this when we get a truncated answer, or one larger than the safe size. */ + if (server && (forward->flags & FREC_TEST_PKTSZ) && + ((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ)) + server->edns_pktsz = SAFE_PKTSZ; + /* If the answer is an error, keep the forward record in place in case we get a good reply from another server. Kill it when we've had replies from all to avoid filling the forwarding table when everything is broken */ - if (forward->forwardall == 0 || --forward->forwardall == 1 || - (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL)) + if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL) { - int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0; + int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0; if (option_bool(OPT_NO_REBIND)) check_rebind = !(forward->flags & FREC_NOREBIND); @@ -752,7 +822,7 @@ void reply_query(int fd, int family, time_t now) no_cache_dnssec = 1; #ifdef HAVE_DNSSEC - if (option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED)) + if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED)) { int status; @@ -772,102 +842,138 @@ void reply_query(int fd, int family, time_t now) else if (forward->flags & FREC_DNSKEY_QUERY) status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); else if (forward->flags & FREC_DS_QUERY) - status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); + { + status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); + /* Provably no DS, everything below is insecure, even if signatures are offered */ + if (status == STAT_NO_DS) + /* We only cache sigs when we've validated a reply. + Avoid caching a reply with sigs if there's a vaildated break in the + DS chain, so we don't return replies from cache missing sigs. */ + status = STAT_INSECURE_DS; + else if (status == STAT_NO_NS) + status = STAT_BOGUS; + } + else if (forward->flags & FREC_CHECK_NOSIGN) + { + status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); + if (status != STAT_NEED_KEY) + status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname); + } else - status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class); - + { + status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL); + if (status == STAT_NO_SIG) + { + if (option_bool(OPT_DNSSEC_NO_SIGN)) + status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); + else + status = STAT_INSECURE; + } + } /* Can't validate, as we're missing key data. Put this answer aside, whilst we get that. */ - if (status == STAT_NEED_DS || status == STAT_NEED_KEY) + if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY) { - struct frec *new; + struct frec *new, *orig; - if ((new = get_new_frec(now, NULL, 1))) + /* Free any saved query */ + if (forward->stash) + blockdata_free(forward->stash); + + /* Now save reply pending receipt of key data */ + if (!(forward->stash = blockdata_alloc((char *)header, n))) + return; + forward->stash_len = n; + + anotherkey: + /* Find the original query that started it all.... */ + for (orig = forward; orig->dependent; orig = orig->dependent); + + if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1))) + status = STAT_INSECURE; + else { + int fd; struct frec *next = new->next; *new = *forward; /* copy everything, then overwrite */ new->next = next; new->blocking_query = NULL; + new->sentto = server; new->rfd4 = NULL; + new->orig_domain = NULL; #ifdef HAVE_IPV6 new->rfd6 = NULL; #endif - new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY); + new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN); - /* Free any saved query */ - if (forward->stash) - blockdata_free(forward->stash); + new->dependent = forward; /* to find query awaiting new one. */ + forward->blocking_query = new; /* for garbage cleaning */ + /* validate routines leave name of required record in daemon->keyname */ + if (status == STAT_NEED_KEY) + { + new->flags |= FREC_DNSKEY_QUERY; + nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz, + daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz); + } + else + { + if (status == STAT_NEED_DS_NEG) + new->flags |= FREC_CHECK_NOSIGN; + else + new->flags |= FREC_DS_QUERY; + nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz, + daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz); + } + if ((hash = hash_questions(header, nn, daemon->namebuff))) + memcpy(new->hash, hash, HASH_SIZE); + new->new_id = get_id(); + header->id = htons(new->new_id); + /* Save query for retransmission */ + if (!(new->stash = blockdata_alloc((char *)header, nn))) + return; + + new->stash_len = nn; + + /* Don't resend this. */ + daemon->srv_save = NULL; - /* Now save reply pending receipt of key data */ - if (!(forward->stash = blockdata_alloc((char *)header, n))) - free_frec(new); /* malloc failure, unwind */ + if (server->sfd) + fd = server->sfd->fd; else { - int fd; - - forward->stash_len = n; - - new->dependent = forward; /* to find query awaiting new one. */ - forward->blocking_query = new; /* for garbage cleaning */ - /* validate routines leave name of required record in daemon->keyname */ - if (status == STAT_NEED_KEY) - { - new->flags |= FREC_DNSKEY_QUERY; - nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz, - daemon->keyname, forward->class, T_DNSKEY, &server->addr); - } - else + fd = -1; +#ifdef HAVE_IPV6 + if (server->addr.sa.sa_family == AF_INET6) { - new->flags |= FREC_DS_QUERY; - nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz, - daemon->keyname, forward->class, T_DS, &server->addr); + if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6))) + fd = new->rfd6->fd; } - if ((hash = hash_questions(header, nn, daemon->namebuff))) - memcpy(new->hash, hash, HASH_SIZE); - new->new_id = get_id(); - header->id = htons(new->new_id); - /* Save query for retransmission */ - new->stash = blockdata_alloc((char *)header, nn); - new->stash_len = nn; - - /* Don't resend this. */ - daemon->srv_save = NULL; - - if (server->sfd) - fd = server->sfd->fd; else - { - fd = -1; -#ifdef HAVE_IPV6 - if (server->addr.sa.sa_family == AF_INET6) - { - if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6))) - fd = new->rfd6->fd; - } - else #endif - { - if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET))) - fd = new->rfd4->fd; - } - } - - if (fd != -1) { - while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send()); - server->queries++; + if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET))) + fd = new->rfd4->fd; } } + + if (fd != -1) + { + while (retry_send(sendto(fd, (char *)header, nn, 0, + &server->addr.sa, + sa_len(&server->addr)))); + server->queries++; + } + + return; } - - return; } /* Ok, we reached far enough up the chain-of-trust that we can validate something. Now wind back down, pulling back answers which wouldn't previously validate - and validate them with the new data. Failure to find needed data here is an internal error. - Once we get to the original answer (FREC_DNSSEC_QUERY not set) and it validates, - return it to the original requestor. */ + and validate them with the new data. Note that if an answer needs multiple + keys to validate, we may find another key is needed, in which case we set off + down another branch of the tree. Once we get to the original answer + (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */ while (forward->dependent) { struct frec *prev = forward->dependent; @@ -882,41 +988,90 @@ void reply_query(int fd, int family, time_t now) if (forward->flags & FREC_DNSKEY_QUERY) status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); else if (forward->flags & FREC_DS_QUERY) - status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); + { + status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); + /* Provably no DS, everything below is insecure, even if signatures are offered */ + if (status == STAT_NO_DS) + /* We only cache sigs when we've validated a reply. + Avoid caching a reply with sigs if there's a vaildated break in the + DS chain, so we don't return replies from cache missing sigs. */ + status = STAT_INSECURE_DS; + else if (status == STAT_NO_NS) + status = STAT_BOGUS; + } + else if (forward->flags & FREC_CHECK_NOSIGN) + { + status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); + if (status != STAT_NEED_KEY) + status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname); + } else - status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class); - - if (status == STAT_NEED_DS || status == STAT_NEED_KEY) { - my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation")); - status = STAT_INSECURE; + status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL); + if (status == STAT_NO_SIG) + { + if (option_bool(OPT_DNSSEC_NO_SIGN)) + status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname); + else + status = STAT_INSECURE; + } } + + if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY) + goto anotherkey; } } + no_cache_dnssec = 0; + + if (status == STAT_INSECURE_DS) + { + /* We only cache sigs when we've validated a reply. + Avoid caching a reply with sigs if there's a vaildated break in the + DS chain, so we don't return replies from cache missing sigs. */ + status = STAT_INSECURE; + no_cache_dnssec = 1; + } + if (status == STAT_TRUNCATED) header->hb3 |= HB3_TC; else - log_query(F_KEYTAG | F_SECSTAT, "result", NULL, - status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS")); - - no_cache_dnssec = 0; + { + char *result, *domain = "result"; + + if (forward->work_counter == 0) + { + result = "ABANDONED"; + status = STAT_BOGUS; + } + else + result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS")); + + if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL)) + domain = daemon->namebuff; + + log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result); + } if (status == STAT_SECURE) cache_secure = 1; else if (status == STAT_BOGUS) - no_cache_dnssec = 1; - - /* restore CD bit to the value in the query */ - if (forward->flags & FREC_CHECKING_DISABLED) - header->hb4 |= HB4_CD; - else - header->hb4 &= ~HB4_CD; + { + no_cache_dnssec = 1; + bogusanswer = 1; + } } -#endif +#endif + + /* restore CD bit to the value in the query */ + if (forward->flags & FREC_CHECKING_DISABLED) + header->hb4 |= HB4_CD; + else + header->hb4 &= ~HB4_CD; - if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, - forward->flags & FREC_HAS_SUBNET, &forward->source))) + if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer, + forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION, + forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source))) { header->id = htons(forward->orig_id); header->hb4 |= HB4_RA; /* recursion if available */ @@ -969,7 +1124,7 @@ void receive_query(struct listener *listen, time_t now) /* packet buffer overwritten */ daemon->srv_save = NULL; - dst_addr_4.s_addr = 0; + dst_addr_4.s_addr = dst_addr.addr.addr4.s_addr = 0; netmask.s_addr = 0; if (option_bool(OPT_NOWILD) && listen->iface) @@ -978,7 +1133,7 @@ void receive_query(struct listener *listen, time_t now) if (listen->family == AF_INET) { - dst_addr_4 = listen->iface->addr.in.sin_addr; + dst_addr_4 = dst_addr.addr.addr4 = listen->iface->addr.in.sin_addr; netmask = listen->iface->netmask; } } @@ -1003,11 +1158,60 @@ void receive_query(struct listener *listen, time_t now) return; source_addr.sa.sa_family = listen->family; + + if (listen->family == AF_INET) + { + /* Source-port == 0 is an error, we can't send back to that. + http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */ + if (source_addr.in.sin_port == 0) + return; + } #ifdef HAVE_IPV6 - if (listen->family == AF_INET6) - source_addr.in6.sin6_flowinfo = 0; + else + { + /* Source-port == 0 is an error, we can't send back to that. */ + if (source_addr.in6.sin6_port == 0) + return; + source_addr.in6.sin6_flowinfo = 0; + } #endif - + + /* We can be configured to only accept queries from at-most-one-hop-away addresses. */ + if (option_bool(OPT_LOCAL_SERVICE)) + { + struct addrlist *addr; +#ifdef HAVE_IPV6 + if (listen->family == AF_INET6) + { + for (addr = daemon->interface_addrs; addr; addr = addr->next) + if ((addr->flags & ADDRLIST_IPV6) && + is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen)) + break; + } + else +#endif + { + struct in_addr netmask; + for (addr = daemon->interface_addrs; addr; addr = addr->next) + { + netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen)); + if (!(addr->flags & ADDRLIST_IPV6) && + is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask)) + break; + } + } + if (!addr) + { + static int warned = 0; + if (!warned) + { + my_syslog(LOG_WARNING, _("Ignoring query from non-local network")); + warned = 1; + } + return; + } + } + if (check_dst) { struct ifreq ifr; @@ -1114,6 +1318,11 @@ void receive_query(struct listener *listen, time_t now) dst_addr_4.s_addr = 0; } } + + /* log_query gets called indirectly all over the place, so + pass these in global variables - sorry. */ + daemon->log_display_id = ++daemon->log_id; + daemon->log_source_addr = &source_addr; if (extract_request(header, (size_t)n, daemon->namebuff, &type)) { @@ -1142,6 +1351,12 @@ void receive_query(struct listener *listen, time_t now) break; } #endif + +#ifdef HAVE_LOOP + /* Check for forwarding loop */ + if (detect_loop(daemon->namebuff, type)) + return; +#endif } #ifdef HAVE_AUTH @@ -1158,8 +1373,9 @@ void receive_query(struct listener *listen, time_t now) else #endif { + int ad_reqd, do_bit; m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, - dst_addr_4, netmask, now); + dst_addr_4, netmask, now, &ad_reqd, &do_bit); if (m >= 1) { @@ -1168,7 +1384,7 @@ void receive_query(struct listener *listen, time_t now) daemon->local_answer++; } else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index, - header, (size_t)n, now, NULL)) + header, (size_t)n, now, NULL, ad_reqd, do_bit)) daemon->queries_forwarded++; else daemon->local_answer++; @@ -1176,60 +1392,331 @@ void receive_query(struct listener *listen, time_t now) } #ifdef HAVE_DNSSEC -static int tcp_key_recurse(time_t now, int status, int class, char *keyname, struct server *server) + +/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS + and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or + STAT_NEED_DS_NEG and keyname if we need to do the query. */ +static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen, + char *name, char *keyname) { - /* Recurse up the key heirarchy */ - size_t n; - unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16)); - unsigned char *payload = &packet[2]; - struct dns_header *header = (struct dns_header *)payload; - u16 *length = (u16 *)packet; - int new_status; - unsigned char c1, c2; + int status = dnssec_chase_cname(now, header, plen, name, keyname); + + if (status != STAT_INSECURE) + return status; + + /* Store the domain we're trying to check. */ + forward->name_start = strlen(name); + forward->name_len = forward->name_start + 1; + if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len))) + return STAT_BOGUS; + + return do_check_sign(forward, 0, now, name, keyname); +} + +/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */ +static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname) +{ + /* get domain we're checking back from blockdata store, it's stored on the original query. */ + while (forward->dependent) + forward = forward->dependent; - n = dnssec_generate_query(header, ((char *) header) + 65536, keyname, class, - status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr); + blockdata_retrieve(forward->orig_domain, forward->name_len, name); - *length = htons(n); + while (1) + { + char *p; + + if (status == 0) + { + struct crec *crecp; + + /* Haven't received answer, see if in cache */ + if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS))) + { + /* put name of DS record we're missing into keyname */ + strcpy(keyname, &name[forward->name_start]); + /* and wait for reply to arrive */ + return STAT_NEED_DS_NEG; + } + + /* F_DNSSECOK misused in DS cache records to non-existance of NS record */ + if (!(crecp->flags & F_NEG)) + status = STAT_SECURE; + else if (crecp->flags & F_DNSSECOK) + status = STAT_NO_DS; + else + status = STAT_NO_NS; + } + + /* Have entered non-signed part of DNS tree. */ + if (status == STAT_NO_DS) + return STAT_INSECURE; + + if (status == STAT_BOGUS) + return STAT_BOGUS; + + /* There's a proven DS record, or we're within a zone, where there doesn't need + to be a DS record. Add a name and try again. + If we've already tried the whole name, then fail */ + + if (forward->name_start == 0) + return STAT_BOGUS; + + for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--); + + if (p != name) + p++; + + forward->name_start = p - name; + status = 0; /* force to cache when we iterate. */ + } +} + +/* Move down from the root, until we find a signed non-existance of a DS, in which case + an unsigned answer is OK, or we find a signed DS, in which case there should be + a signature, and the answer is BOGUS */ +static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name, + char *keyname, struct server *server, int *keycount) +{ + size_t m; + unsigned char *packet, *payload; + u16 *length; + int status, name_len; + struct blockdata *block; + + char *name_start; + + /* Get first insecure entry in CNAME chain */ + status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount); + if (status == STAT_BOGUS) + return STAT_BOGUS; - if (!read_write(server->tcpfd, packet, n + sizeof(u16), 0) || - !read_write(server->tcpfd, &c1, 1, 1) || - !read_write(server->tcpfd, &c2, 1, 1) || - !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) + if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16)))) + return STAT_BOGUS; + + payload = &packet[2]; + header = (struct dns_header *)payload; + length = (u16 *)packet; + + /* Stash the name away, since the buffer will be trashed when we recurse */ + name_len = strlen(name) + 1; + name_start = name + name_len - 1; + + if (!(block = blockdata_alloc(name, name_len))) { - close(server->tcpfd); - server->tcpfd = -1; - new_status = STAT_INSECURE; + free(packet); + return STAT_BOGUS; } - else + + while (1) { - n = (c1 << 8) | c2; + unsigned char c1, c2; + struct crec *crecp; + + if (--(*keycount) == 0) + { + free(packet); + blockdata_free(block); + return STAT_BOGUS; + } + + while ((crecp = cache_find_by_name(NULL, name_start, now, F_DS))) + { + if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK)) + { + /* Found a secure denial of DS - delegation is indeed insecure */ + free(packet); + blockdata_free(block); + return STAT_INSECURE; + } + + /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation. + Add another label and continue. */ + + if (name_start == name) + { + free(packet); + blockdata_free(block); + return STAT_BOGUS; /* run out of labels */ + } + + name_start -= 2; + while (*name_start != '.' && name_start != name) + name_start--; + if (name_start != name) + name_start++; + } - if (status == STAT_NEED_KEY) - new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class); + /* Can't find it in the cache, have to send a query */ + + m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr, server->edns_pktsz); + + *length = htons(m); + + if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) && + read_write(server->tcpfd, &c1, 1, 1) && + read_write(server->tcpfd, &c2, 1, 1) && + read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) + { + m = (c1 << 8) | c2; + + /* Note this trashes all three name workspaces */ + status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount); + + if (status == STAT_NO_DS) + { + /* Found a secure denial of DS - delegation is indeed insecure */ + free(packet); + blockdata_free(block); + return STAT_INSECURE; + } + + if (status == STAT_BOGUS) + { + free(packet); + blockdata_free(block); + return STAT_BOGUS; + } + + /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation. + Add another label and continue. */ + + /* Get name we're checking back. */ + blockdata_retrieve(block, name_len, name); + + if (name_start == name) + { + free(packet); + blockdata_free(block); + return STAT_BOGUS; /* run out of labels */ + } + + name_start -= 2; + while (*name_start != '.' && name_start != name) + name_start--; + if (name_start != name) + name_start++; + } else - new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class); + { + /* IO failure */ + free(packet); + blockdata_free(block); + return STAT_BOGUS; /* run out of labels */ + } + } +} + +static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, + int class, char *name, char *keyname, struct server *server, int *keycount) +{ + /* Recurse up the key heirarchy */ + int new_status; + + /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */ + if (--(*keycount) == 0) + return STAT_INSECURE; + + if (status == STAT_NEED_KEY) + new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class); + else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG) + { + new_status = dnssec_validate_ds(now, header, n, name, keyname, class); + if (status == STAT_NEED_DS) + { + if (new_status == STAT_NO_DS) + new_status = STAT_INSECURE_DS; + else if (new_status == STAT_NO_NS) + new_status = STAT_BOGUS; + } + } + else if (status == STAT_CHASE_CNAME) + new_status = dnssec_chase_cname(now, header, n, name, keyname); + else + { + new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL); - if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY) + if (new_status == STAT_NO_SIG) { - if ((new_status = tcp_key_recurse(now, new_status, class, daemon->keyname, server) == STAT_SECURE)) + if (option_bool(OPT_DNSSEC_NO_SIGN)) + new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount); + else + new_status = STAT_INSECURE; + } + } + + /* Can't validate because we need a key/DS whose name now in keyname. + Make query for same, and recurse to validate */ + if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY) + { + size_t m; + unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16)); + unsigned char *payload = &packet[2]; + struct dns_header *new_header = (struct dns_header *)payload; + u16 *length = (u16 *)packet; + unsigned char c1, c2; + + if (!packet) + return STAT_INSECURE; + + another_tcp_key: + m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class, + new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, server->edns_pktsz); + + *length = htons(m); + + if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) || + !read_write(server->tcpfd, &c1, 1, 1) || + !read_write(server->tcpfd, &c2, 1, 1) || + !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) + new_status = STAT_INSECURE; + else + { + m = (c1 << 8) | c2; + + new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount); + + if (new_status == STAT_SECURE) { - if (status == STAT_NEED_KEY) - new_status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, class); - else - new_status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, class); + /* Reached a validated record, now try again at this level. + Note that we may get ANOTHER NEED_* if an answer needs more than one key. + If so, go round again. */ - if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY) + if (status == STAT_NEED_KEY) + new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class); + else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG) { - my_syslog(LOG_ERR, _("Unexpected missing data for DNSSEC validation")); - status = STAT_INSECURE; + new_status = dnssec_validate_ds(now, header, n, name, keyname, class); + if (status == STAT_NEED_DS) + { + if (new_status == STAT_NO_DS) + new_status = STAT_INSECURE_DS; + else if (new_status == STAT_NO_NS) + new_status = STAT_BOGUS; /* Validated no DS */ + } } + else if (status == STAT_CHASE_CNAME) + new_status = dnssec_chase_cname(now, header, n, name, keyname); + else + { + new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL); + + if (new_status == STAT_NO_SIG) + { + if (option_bool(OPT_DNSSEC_NO_SIGN)) + new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount); + else + new_status = STAT_INSECURE; + } + } + + if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY) + goto another_tcp_key; } } + + free(packet); } - - free(packet); - return new_status; } #endif @@ -1247,7 +1734,8 @@ unsigned char *tcp_request(int confd, time_t now, #ifdef HAVE_AUTH int local_auth = 0; #endif - int checking_disabled, check_subnet, no_cache_dnssec = 0, cache_secure = 0; + int checking_disabled, ad_question, do_bit, added_pheader = 0; + int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0; size_t m; unsigned short qtype; unsigned int gotname; @@ -1262,13 +1750,46 @@ unsigned char *tcp_request(int confd, time_t now, struct in_addr dst_addr_4; union mysockaddr peer_addr; socklen_t peer_len = sizeof(union mysockaddr); - + int query_count = 0; + if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1) return packet; + + /* We can be configured to only accept queries from at-most-one-hop-away addresses. */ + if (option_bool(OPT_LOCAL_SERVICE)) + { + struct addrlist *addr; +#ifdef HAVE_IPV6 + if (peer_addr.sa.sa_family == AF_INET6) + { + for (addr = daemon->interface_addrs; addr; addr = addr->next) + if ((addr->flags & ADDRLIST_IPV6) && + is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen)) + break; + } + else +#endif + { + struct in_addr netmask; + for (addr = daemon->interface_addrs; addr; addr = addr->next) + { + netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen)); + if (!(addr->flags & ADDRLIST_IPV6) && + is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask)) + break; + } + } + if (!addr) + { + my_syslog(LOG_WARNING, _("Ignoring query from non-local network")); + return packet; + } + } while (1) { - if (!packet || + if (query_count == TCP_MAX_QUERIES || + !packet || !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) || !(size = c1 << 8 | c2) || !read_write(confd, payload, size, 1)) @@ -1277,15 +1798,19 @@ unsigned char *tcp_request(int confd, time_t now, if (size < (int)sizeof(struct dns_header)) continue; + query_count++; + + /* log_query gets called indirectly all over the place, so + pass these in global variables - sorry. */ + daemon->log_display_id = ++daemon->log_id; + daemon->log_source_addr = &peer_addr; + check_subnet = 0; /* save state of "cd" flag in query */ if ((checking_disabled = header->hb4 & HB4_CD)) no_cache_dnssec = 1; - /* RFC 4035: sect 4.6 para 2 */ - header->hb4 &= ~HB4_AD; - if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype))) { #ifdef HAVE_AUTH @@ -1328,7 +1853,7 @@ unsigned char *tcp_request(int confd, time_t now, { /* m > 0 if answered from cache */ m = answer_request(header, ((char *) header) + 65536, (size_t)size, - dst_addr_4, netmask, now); + dst_addr_4, netmask, now, &ad_question, &do_bit); /* Do this by steam now we're not in the select() loop */ check_log_writer(NULL); @@ -1366,8 +1891,10 @@ unsigned char *tcp_request(int confd, time_t now, struct server *firstsendto = NULL; #ifdef HAVE_DNSSEC unsigned char *newhash, hash[HASH_SIZE]; - if ((newhash = hash_questions(header, (unsigned int)size, daemon->keyname))) + if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff))) memcpy(hash, newhash, HASH_SIZE); + else + memset(hash, 0, HASH_SIZE); #else unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff); #endif @@ -1389,7 +1916,8 @@ unsigned char *tcp_request(int confd, time_t now, /* server for wrong domain */ if (type != (last_server->flags & SERV_TYPE) || - (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain))) + (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) || + (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) continue; if (last_server->tcpfd == -1) @@ -1397,22 +1925,6 @@ unsigned char *tcp_request(int confd, time_t now, if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1) continue; - if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) || - connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1)) - { - close(last_server->tcpfd); - last_server->tcpfd = -1; - continue; - } - -#ifdef HAVE_DNSSEC - if (option_bool(OPT_DNSSEC_VALID)) - { - size = add_do_bit(header, size, ((char *) header) + 65536); - header->hb4 |= HB4_CD; - } -#endif - #ifdef HAVE_CONNTRACK /* Copy connection mark of incoming query to outgoing connection. */ if (option_bool(OPT_CONNTRACK)) @@ -1430,9 +1942,38 @@ unsigned char *tcp_request(int confd, time_t now, setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); } #endif + + if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) || + connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1)) + { + close(last_server->tcpfd); + last_server->tcpfd = -1; + continue; + } + +#ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID)) + { + size_t new_size = add_do_bit(header, size, ((char *) header) + 65536); + + /* For debugging, set Checking Disabled, otherwise, have the upstream check too, + this allows it to select auth servers when one is returning bad data. */ + if (option_bool(OPT_DNSSEC_DEBUG)) + header->hb4 |= HB4_CD; + + if (size != new_size) + added_pheader = 1; + + size = new_size; + } +#endif } *length = htons(size); + + /* get query name again for logging - may have been overwritten */ + if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype))) + strcpy(daemon->namebuff, "query"); if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) || !read_write(last_server->tcpfd, &c1, 1, 1) || @@ -1446,8 +1987,6 @@ unsigned char *tcp_request(int confd, time_t now, m = (c1 << 8) | c2; - if (!gotname) - strcpy(daemon->namebuff, "query"); if (last_server->addr.sa.sa_family == AF_INET) log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff, (struct all_addr *)&last_server->addr.in.sin_addr, NULL); @@ -1460,21 +1999,37 @@ unsigned char *tcp_request(int confd, time_t now, #ifdef HAVE_DNSSEC if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled) { - int class, status; - - status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class); + int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */ + int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount); + char *result, *domain = "result"; + + if (status == STAT_INSECURE_DS) + { + /* We only cache sigs when we've validated a reply. + Avoid caching a reply with sigs if there's a vaildated break in the + DS chain, so we don't return replies from cache missing sigs. */ + status = STAT_INSECURE; + no_cache_dnssec = 1; + } - if (status == STAT_NEED_DS || status == STAT_NEED_KEY) + if (keycount == 0) { - if ((status = tcp_key_recurse(now, status, class, daemon->keyname, last_server)) == STAT_SECURE) - status = dnssec_validate_reply(now, header, m, daemon->namebuff, daemon->keyname, &class); + result = "ABANDONED"; + status = STAT_BOGUS; } + else + result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS")); + + if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL)) + domain = daemon->namebuff; - log_query(F_KEYTAG | F_SECSTAT, "result", NULL, - status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS")); - + log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result); + if (status == STAT_BOGUS) - no_cache_dnssec = 1; + { + no_cache_dnssec = 1; + bogusanswer = 1; + } if (status == STAT_SECURE) cache_secure = 1; @@ -1509,8 +2064,8 @@ unsigned char *tcp_request(int confd, time_t now, #endif m = process_reply(header, now, last_server, (unsigned int)m, - option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, - cache_secure, check_subnet, &peer_addr); + option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer, + ad_question, do_bit, added_pheader, check_subnet, &peer_addr); break; } @@ -1549,6 +2104,7 @@ static struct frec *allocate_frec(time_t now) f->dependent = NULL; f->blocking_query = NULL; f->stash = NULL; + f->orig_domain = NULL; #endif daemon->frec_list = f; } @@ -1556,7 +2112,7 @@ static struct frec *allocate_frec(time_t now) return f; } -static struct randfd *allocate_rfd(int family) +struct randfd *allocate_rfd(int family) { static int finger = 0; int i; @@ -1591,19 +2147,22 @@ static struct randfd *allocate_rfd(int family) return NULL; /* doom */ } + +void free_rfd(struct randfd *rfd) +{ + if (rfd && --(rfd->refcount) == 0) + close(rfd->fd); +} + static void free_frec(struct frec *f) { - if (f->rfd4 && --(f->rfd4->refcount) == 0) - close(f->rfd4->fd); - + free_rfd(f->rfd4); f->rfd4 = NULL; f->sentto = NULL; f->flags = 0; #ifdef HAVE_IPV6 - if (f->rfd6 && --(f->rfd6->refcount) == 0) - close(f->rfd6->fd); - + free_rfd(f->rfd6); f->rfd6 = NULL; #endif @@ -1614,6 +2173,12 @@ static void free_frec(struct frec *f) f->stash = NULL; } + if (f->orig_domain) + { + blockdata_free(f->orig_domain); + f->orig_domain = NULL; + } + /* Anything we're waiting on is pointless now, too */ if (f->blocking_query) free_frec(f->blocking_query); @@ -1728,6 +2293,26 @@ static struct frec *lookup_frec_by_sender(unsigned short id, return NULL; } + +/* Send query packet again, if we can. */ +void resend_query() +{ + if (daemon->srv_save) + { + int fd; + + if (daemon->srv_save->sfd) + fd = daemon->srv_save->sfd->fd; + else if (daemon->rfd_save && daemon->rfd_save->refcount != 0) + fd = daemon->rfd_save->fd; + else + return; + + while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0, + &daemon->srv_save->addr.sa, + sa_len(&daemon->srv_save->addr)))); + } +} /* A server record is going away, remove references to it */ void server_gone(struct server *server)