]> git.ipfire.org Git - people/ms/dnsmasq.git/blame - src/forward.c
projects / people / ms / dnsmasq.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Return INSECURE, rather than BOGUS when DS proved not to exist.
[people/ms/dnsmasq.git] / src / forward.c
CommitLineData
aff33962 1/* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
9e4abcb5
SK		 2
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
824af85b
SK		 5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
9e4abcb5
SK		 8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
824af85b 12
73a08a24
SK		 13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
9e4abcb5
SK		 15*/
16
9e4abcb5
SK		 17#include "dnsmasq.h"
18
8a9be9e4 19static struct frec *lookup_frec(unsigned short id, void *hash);
9e4abcb5 20static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481 21 union mysockaddr *addr,
8a9be9e4
SK		 22 void *hash);
23static unsigned short get_id(void);
1a6bca81 24static void free_frec(struct frec *f);
9e4abcb5 25
00a5b5d4
SK		 26#ifdef HAVE_DNSSEC
27static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
28 int class, char *name, char *keyname, struct server *server, int *keycount);
97e618a0
SK		 29static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname);
30static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
31 char *name, char *keyname);
00a5b5d4
SK		 32#endif
33
34
824af85b 35/* Send a UDP packet with its source address set as "source"
44a2a316 36 unless nowild is true, when we just send it with the kernel default */
29689cfa
SK		 37int send_from(int fd, int nowild, char *packet, size_t len,
38 union mysockaddr *to, struct all_addr *source,
50303b19 39 unsigned int iface)
9e4abcb5 40{
44a2a316
SK		 41 struct msghdr msg;
42 struct iovec iov[1];
44a2a316
SK		 43 union {
44 struct cmsghdr align; /* this ensures alignment */
5e9e0efb 45#if defined(HAVE_LINUX_NETWORK)
44a2a316
SK		 46 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
47#elif defined(IP_SENDSRCADDR)
48 char control[CMSG_SPACE(sizeof(struct in_addr))];
49#endif
50#ifdef HAVE_IPV6
51 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
52#endif
53 } control_u;
feba5c1d 54
44a2a316
SK		 55 iov[0].iov_base = packet;
56 iov[0].iov_len = len;
57
feba5c1d
SK		 58 msg.msg_control = NULL;
59 msg.msg_controllen = 0;
44a2a316
SK		 60 msg.msg_flags = 0;
61 msg.msg_name = to;
62 msg.msg_namelen = sa_len(to);
63 msg.msg_iov = iov;
64 msg.msg_iovlen = 1;
feba5c1d 65
26128d27 66 if (!nowild)
44a2a316 67 {
26128d27 68 struct cmsghdr *cmptr;
feba5c1d
SK		 69 msg.msg_control = &control_u;
70 msg.msg_controllen = sizeof(control_u);
26128d27
SK		 71 cmptr = CMSG_FIRSTHDR(&msg);
72
73 if (to->sa.sa_family == AF_INET)
74 {
5e9e0efb 75#if defined(HAVE_LINUX_NETWORK)
8ef5ada2
SK		 76 struct in_pktinfo p;
77 p.ipi_ifindex = 0;
78 p.ipi_spec_dst = source->addr.addr4;
79 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 80 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
c72daea8 81 cmptr->cmsg_level = IPPROTO_IP;
26128d27 82 cmptr->cmsg_type = IP_PKTINFO;
44a2a316 83#elif defined(IP_SENDSRCADDR)
8ef5ada2 84 memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4));
26128d27
SK		 85 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr));
86 cmptr->cmsg_level = IPPROTO_IP;
87 cmptr->cmsg_type = IP_SENDSRCADDR;
44a2a316 88#endif
26128d27 89 }
26128d27 90 else
b8187c80 91#ifdef HAVE_IPV6
26128d27 92 {
8ef5ada2
SK		 93 struct in6_pktinfo p;
94 p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */
95 p.ipi6_addr = source->addr.addr6;
96 memcpy(CMSG_DATA(cmptr), &p, sizeof(p));
26128d27 97 msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
316e2730 98 cmptr->cmsg_type = daemon->v6pktinfo;
c72daea8 99 cmptr->cmsg_level = IPPROTO_IPV6;
26128d27 100 }
3d8df260 101#else
c72daea8 102 (void)iface; /* eliminate warning */
44a2a316 103#endif
26128d27 104 }
feba5c1d 105
ff841ebf
SK		 106 while (retry_send(sendmsg(fd, &msg, 0)));
107
108 /* If interface is still in DAD, EINVAL results - ignore that. */
109 if (errno != 0 && errno != EINVAL)
feba5c1d 110 {
29d28dda 111 my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
29689cfa 112 return 0;
feba5c1d 113 }
29d28dda 114
29689cfa 115 return 1;
9e4abcb5 116}
44a2a316 117
28866e95
SK		 118static unsigned int search_servers(time_t now, struct all_addr **addrpp,
119 unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind)
feba5c1d
SK		 120
121{
122 /* If the query ends in the domain in one of our servers, set
123 domain to point to that name. We find the largest match to allow both
124 domain.org and sub.domain.org to exist. */
125
126 unsigned int namelen = strlen(qdomain);
127 unsigned int matchlen = 0;
128 struct server *serv;
28866e95 129 unsigned int flags = 0;
feba5c1d 130
3be34541 131 for (serv = daemon->servers; serv; serv=serv->next)
feba5c1d 132 /* domain matches take priority over NODOTS matches */
3d8df260 133 if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0)
feba5c1d 134 {
28866e95 135 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
feba5c1d 136 *type = SERV_FOR_NODOTS;
feba5c1d 137 if (serv->flags & SERV_NO_ADDR)
36717eee
SK		 138 flags = F_NXDOMAIN;
139 else if (serv->flags & SERV_LITERAL_ADDRESS)
140 {
141 if (sflag & qtype)
142 {
143 flags = sflag;
144 if (serv->addr.sa.sa_family == AF_INET)
145 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 146#ifdef HAVE_IPV6
36717eee
SK		 147 else
148 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 149#endif
36717eee 150 }
824af85b 151 else if (!flags || (flags & F_NXDOMAIN))
36717eee
SK		 152 flags = F_NOERR;
153 }
feba5c1d
SK		 154 }
155 else if (serv->flags & SERV_HAS_DOMAIN)
156 {
157 unsigned int domainlen = strlen(serv->domain);
b8187c80 158 char *matchstart = qdomain + namelen - domainlen;
feba5c1d 159 if (namelen >= domainlen &&
b8187c80 160 hostname_isequal(matchstart, serv->domain) &&
8ef5ada2 161 (domainlen == 0 || namelen == domainlen || *(matchstart-1) == '.' ))
feba5c1d 162 {
8ef5ada2
SK		 163 if (serv->flags & SERV_NO_REBIND)
164 *norebind = 1;
28866e95 165 else
feba5c1d 166 {
28866e95
SK		 167 unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6;
168 /* implement priority rules for --address and --server for same domain.
169 --address wins if the address is for the correct AF
170 --server wins otherwise. */
171 if (domainlen != 0 && domainlen == matchlen)
36717eee 172 {
28866e95 173 if ((serv->flags & SERV_LITERAL_ADDRESS))
8ef5ada2 174 {
28866e95
SK		 175 if (!(sflag & qtype) && flags == 0)
176 continue;
177 }
178 else
179 {
180 if (flags & (F_IPV4 | F_IPV6))
181 continue;
182 }
183 }
184
185 if (domainlen >= matchlen)
186 {
187 *type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND);
188 *domain = serv->domain;
189 matchlen = domainlen;
190 if (serv->flags & SERV_NO_ADDR)
191 flags = F_NXDOMAIN;
192 else if (serv->flags & SERV_LITERAL_ADDRESS)
193 {
194 if (sflag & qtype)
195 {
196 flags = sflag;
197 if (serv->addr.sa.sa_family == AF_INET)
198 *addrpp = (struct all_addr *)&serv->addr.in.sin_addr;
feba5c1d 199#ifdef HAVE_IPV6
28866e95
SK		 200 else
201 *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr;
feba5c1d 202#endif
28866e95
SK		 203 }
204 else if (!flags || (flags & F_NXDOMAIN))
205 flags = F_NOERR;
8ef5ada2 206 }
28866e95
SK		 207 else
208 flags = 0;
209 }
210 }
8ef5ada2 211 }
feba5c1d 212 }
8ef5ada2 213
7de060b0 214 if (flags == 0 && !(qtype & F_QUERY) &&
28866e95 215 option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0)
7de060b0
SK		 216 /* don't forward A or AAAA queries for simple names, except the empty name */
217 flags = F_NOERR;
8ef5ada2 218
5aabfc78 219 if (flags == F_NXDOMAIN && check_for_local_domain(qdomain, now))
c1bb8504 220 flags = F_NOERR;
feba5c1d 221
824af85b
SK		 222 if (flags)
223 {
224 int logflags = 0;
225
226 if (flags == F_NXDOMAIN || flags == F_NOERR)
227 logflags = F_NEG | qtype;
228
1a6bca81 229 log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL);
824af85b 230 }
8ef5ada2
SK		 231 else if ((*type) & SERV_USE_RESOLV)
232 {
233 *type = 0; /* use normal servers for this domain */
234 *domain = NULL;
235 }
feba5c1d
SK		 236 return flags;
237}
44a2a316 238
824af85b
SK		 239static int forward_query(int udpfd, union mysockaddr *udpaddr,
240 struct all_addr *dst_addr, unsigned int dst_iface,
83349b8a 241 struct dns_header *header, size_t plen, time_t now,
613ad15d 242 struct frec *forward, int ad_reqd, int do_bit)
9e4abcb5 243{
9e4abcb5 244 char *domain = NULL;
8ef5ada2 245 int type = 0, norebind = 0;
9e4abcb5 246 struct all_addr *addrp = NULL;
28866e95 247 unsigned int flags = 0;
de37951c 248 struct server *start = NULL;
8a9be9e4
SK		 249#ifdef HAVE_DNSSEC
250 void *hash = hash_questions(header, plen, daemon->namebuff);
251#else
252 unsigned int crc = questions_crc(header, plen, daemon->namebuff);
253 void *hash = &crc;
254#endif
255 unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
256
00a5b5d4
SK		 257 (void)do_bit;
258
3d8df260
SK		 259 /* may be no servers available. */
260 if (!daemon->servers)
9e4abcb5 261 forward = NULL;
8a9be9e4 262 else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
9e4abcb5 263 {
e0c0ad3b 264#ifdef HAVE_DNSSEC
dac74312 265 /* If we've already got an answer to this query, but we're awaiting keys for validation,
e0c0ad3b
SK		 266 there's no point retrying the query, retry the key query instead...... */
267 if (forward->blocking_query)
268 {
269 int fd;
270
271 while (forward->blocking_query)
272 forward = forward->blocking_query;
273
274 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
275 plen = forward->stash_len;
276
2b29191e 277 if (forward->sentto->addr.sa.sa_family == AF_INET)
25cf5e37 278 log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
e0c0ad3b
SK		 279#ifdef HAVE_IPV6
280 else
25cf5e37 281 log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
e0c0ad3b
SK		 282#endif
283
284 if (forward->sentto->sfd)
285 fd = forward->sentto->sfd->fd;
286 else
287 {
288#ifdef HAVE_IPV6
289 if (forward->sentto->addr.sa.sa_family == AF_INET6)
290 fd = forward->rfd6->fd;
291 else
292#endif
293 fd = forward->rfd4->fd;
294 }
295
ff841ebf
SK		 296 while (retry_send( sendto(fd, (char *)header, plen, 0,
297 &forward->sentto->addr.sa,
298 sa_len(&forward->sentto->addr))));
e0c0ad3b
SK		 299
300 return 1;
301 }
302#endif
303
de37951c 304 /* retry on existing query, send to all available servers */
9e4abcb5 305 domain = forward->sentto->domain;
824af85b 306 forward->sentto->failed_queries++;
28866e95 307 if (!option_bool(OPT_ORDER))
de37951c 308 {
0a852541 309 forward->forwardall = 1;
3be34541 310 daemon->last_server = NULL;
de37951c 311 }
9e4abcb5 312 type = forward->sentto->flags & SERV_TYPE;
de37951c 313 if (!(start = forward->sentto->next))
3be34541 314 start = daemon->servers; /* at end of list, recycle */
9e4abcb5
SK		 315 header->id = htons(forward->new_id);
316 }
317 else
318 {
319 if (gotname)
8ef5ada2 320 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
9e4abcb5 321
3a237152 322 if (!flags && !(forward = get_new_frec(now, NULL, 0)))
feba5c1d
SK		 323 /* table full - server failure. */
324 flags = F_NEG;
9e4abcb5
SK		 325
326 if (forward)
327 {
0a852541
SK		 328 forward->source = *udpaddr;
329 forward->dest = *dst_addr;
330 forward->iface = dst_iface;
0a852541 331 forward->orig_id = ntohs(header->id);
8a9be9e4 332 forward->new_id = get_id();
832af0ba 333 forward->fd = udpfd;
8a9be9e4 334 memcpy(forward->hash, hash, HASH_SIZE);
0a852541 335 forward->forwardall = 0;
ed4c0767 336 forward->flags = 0;
28866e95
SK		 337 if (norebind)
338 forward->flags |= FREC_NOREBIND;
572b41eb 339 if (header->hb4 & HB4_CD)
28866e95 340 forward->flags |= FREC_CHECKING_DISABLED;
83349b8a
SK		 341 if (ad_reqd)
342 forward->flags |= FREC_AD_QUESTION;
7fa836e1
SK		 343#ifdef HAVE_DNSSEC
344 forward->work_counter = DNSSEC_WORK;
613ad15d
SK		 345 if (do_bit)
346 forward->flags |= FREC_DO_QUESTION;
7fa836e1 347#endif
613ad15d 348
28866e95
SK		 349 header->id = htons(forward->new_id);
350
8ef5ada2
SK		 351 /* In strict_order mode, always try servers in the order
352 specified in resolv.conf, if a domain is given
353 always try all the available servers,
9e4abcb5
SK		 354 otherwise, use the one last known to work. */
355
8ef5ada2
SK		 356 if (type == 0)
357 {
28866e95 358 if (option_bool(OPT_ORDER))
8ef5ada2
SK		 359 start = daemon->servers;
360 else if (!(start = daemon->last_server) ||
361 daemon->forwardcount++ > FORWARD_TEST ||
362 difftime(now, daemon->forwardtime) > FORWARD_TIME)
363 {
364 start = daemon->servers;
365 forward->forwardall = 1;
366 daemon->forwardcount = 0;
367 daemon->forwardtime = now;
368 }
369 }
370 else
de37951c 371 {
3be34541 372 start = daemon->servers;
28866e95 373 if (!option_bool(OPT_ORDER))
8ef5ada2 374 forward->forwardall = 1;
de37951c 375 }
9e4abcb5
SK		 376 }
377 }
feba5c1d 378
9e4abcb5
SK		 379 /* check for send errors here (no route to host)
380 if we fail to send to all nameservers, send back an error
381 packet straight away (helps modem users when offline) */
382
383 if (!flags && forward)
384 {
de37951c
SK		 385 struct server *firstsentto = start;
386 int forwarded = 0;
28866e95 387
25cf5e37
SK		 388 /* If a query is retried, use the log_id for the retry when logging the answer. */
389 forward->log_id = daemon->log_id;
390
797a7afb 391 if (option_bool(OPT_ADD_MAC))
60b68069 392 plen = add_mac(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
28866e95 393
ed4c0767
SK		 394 if (option_bool(OPT_CLIENT_SUBNET))
395 {
60b68069 396 size_t new = add_source_addr(header, plen, ((char *) header) + daemon->packet_buff_sz, &forward->source);
ed4c0767
SK		 397 if (new != plen)
398 {
399 plen = new;
400 forward->flags |= FREC_HAS_SUBNET;
401 }
402 }
403
3a237152
SK		 404#ifdef HAVE_DNSSEC
405 if (option_bool(OPT_DNSSEC_VALID))
0fc2f313 406 {
613ad15d
SK		 407 size_t new_plen = add_do_bit(header, plen, ((char *) header) + daemon->packet_buff_sz);
408
5b3bf921
SK		 409 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
410 this allows it to select auth servers when one is returning bad data. */
411 if (option_bool(OPT_DNSSEC_DEBUG))
412 header->hb4 |= HB4_CD;
613ad15d
SK		 413
414 if (new_plen != plen)
415 forward->flags |= FREC_ADDED_PHEADER;
416
417 plen = new_plen;
0fc2f313 418 }
3a237152
SK		 419#endif
420
9e4abcb5
SK		 421 while (1)
422 {
9e4abcb5
SK		 423 /* only send to servers dealing with our domain.
424 domain may be NULL, in which case server->domain
425 must be NULL also. */
426
de37951c 427 if (type == (start->flags & SERV_TYPE) &&
fd9fa481 428 (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) &&
b5ea1cc2 429 !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
9e4abcb5 430 {
1a6bca81
SK		 431 int fd;
432
433 /* find server socket to use, may need to get random one. */
434 if (start->sfd)
435 fd = start->sfd->fd;
436 else
437 {
438#ifdef HAVE_IPV6
439 if (start->addr.sa.sa_family == AF_INET6)
440 {
441 if (!forward->rfd6 &&
442 !(forward->rfd6 = allocate_rfd(AF_INET6)))
443 break;
3927da46 444 daemon->rfd_save = forward->rfd6;
1a6bca81
SK		 445 fd = forward->rfd6->fd;
446 }
447 else
448#endif
449 {
450 if (!forward->rfd4 &&
451 !(forward->rfd4 = allocate_rfd(AF_INET)))
452 break;
3927da46 453 daemon->rfd_save = forward->rfd4;
1a6bca81
SK		 454 fd = forward->rfd4->fd;
455 }
7de060b0
SK		 456
457#ifdef HAVE_CONNTRACK
458 /* Copy connection mark of incoming query to outgoing connection. */
459 if (option_bool(OPT_CONNTRACK))
460 {
461 unsigned int mark;
797a7afb 462 if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark))
7de060b0
SK		 463 setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
464 }
465#endif
1a6bca81
SK		 466 }
467
ff841ebf
SK		 468 if (retry_send(sendto(fd, (char *)header, plen, 0,
469 &start->addr.sa,
470 sa_len(&start->addr))))
471 continue;
472
473 if (errno == 0)
9e4abcb5 474 {
cdeda28f
SK		 475 /* Keep info in case we want to re-send this packet */
476 daemon->srv_save = start;
477 daemon->packet_len = plen;
478
de37951c 479 if (!gotname)
3be34541 480 strcpy(daemon->namebuff, "query");
de37951c 481 if (start->addr.sa.sa_family == AF_INET)
3be34541 482 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 483 (struct all_addr *)&start->addr.in.sin_addr, NULL);
de37951c
SK		 484#ifdef HAVE_IPV6
485 else
3be34541 486 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 487 (struct all_addr *)&start->addr.in6.sin6_addr, NULL);
de37951c 488#endif
824af85b 489 start->queries++;
de37951c
SK		 490 forwarded = 1;
491 forward->sentto = start;
0a852541 492 if (!forward->forwardall)
de37951c 493 break;
0a852541 494 forward->forwardall++;
9e4abcb5
SK		 495 }
496 }
497
de37951c 498 if (!(start = start->next))
3be34541 499 start = daemon->servers;
9e4abcb5 500
de37951c 501 if (start == firstsentto)
9e4abcb5
SK		 502 break;
503 }
504
de37951c 505 if (forwarded)
824af85b 506 return 1;
de37951c 507
9e4abcb5
SK		 508 /* could not send on, prepare to return */
509 header->id = htons(forward->orig_id);
1a6bca81 510 free_frec(forward); /* cancel */
9e4abcb5
SK		 511 }
512
513 /* could not send on, return empty answer or address if known for whole domain */
b8187c80
SK		 514 if (udpfd != -1)
515 {
cdeda28f 516 plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl);
54dd393f 517 send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface);
b8187c80
SK		 518 }
519
824af85b 520 return 0;
9e4abcb5
SK		 521}
522
ed4c0767 523static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
fe3992f9
SK		 524 int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader,
525 int check_subnet, union mysockaddr *query_source)
feba5c1d 526{
36717eee 527 unsigned char *pheader, *sizep;
13d86c73 528 char **sets = 0;
832af0ba 529 int munged = 0, is_sign;
cdeda28f
SK		 530 size_t plen;
531
83349b8a 532 (void)ad_reqd;
00a5b5d4 533 (void) do_bit;
83349b8a 534
13d86c73 535#ifdef HAVE_IPSET
82a14af5 536 if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
13d86c73 537 {
82a14af5
SK		 538 /* Similar algorithm to search_servers. */
539 struct ipsets *ipset_pos;
540 unsigned int namelen = strlen(daemon->namebuff);
541 unsigned int matchlen = 0;
542 for (ipset_pos = daemon->ipsets; ipset_pos; ipset_pos = ipset_pos->next)
6c0cb858 543 {
82a14af5
SK		 544 unsigned int domainlen = strlen(ipset_pos->domain);
545 char *matchstart = daemon->namebuff + namelen - domainlen;
546 if (namelen >= domainlen && hostname_isequal(matchstart, ipset_pos->domain) &&
547 (domainlen == 0 || namelen == domainlen || *(matchstart - 1) == '.' ) &&
548 domainlen >= matchlen)
549 {
550 matchlen = domainlen;
551 sets = ipset_pos->sets;
552 }
6c0cb858 553 }
13d86c73
JD		 554 }
555#endif
556
feba5c1d 557 /* If upstream is advertising a larger UDP packet size
9009d746
SK		 558 than we allow, trim it so that we don't get overlarge
559 requests for the client. We can't do this for signed packets. */
feba5c1d 560
ed4c0767 561 if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign)))
feba5c1d 562 {
83349b8a
SK		 563 unsigned short udpsz;
564 unsigned char *psave = sizep;
565
566 GETSHORT(udpsz, sizep);
567
568 if (!is_sign && udpsz > daemon->edns_pktsz)
569 PUTSHORT(daemon->edns_pktsz, psave);
feba5c1d 570
ed4c0767
SK		 571 if (check_subnet && !check_source(header, plen, pheader, query_source))
572 {
573 my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch"));
574 return 0;
575 }
613ad15d
SK		 576
577 if (added_pheader)
578 {
579 pheader = 0;
580 header->arcount = htons(0);
581 }
feba5c1d 582 }
83349b8a 583
28866e95 584 /* RFC 4035 sect 4.6 para 3 */
237724c0 585 if (!is_sign && !option_bool(OPT_DNSSEC_PROXY))
795501bc 586 header->hb4 &= ~HB4_AD;
3a237152 587
572b41eb 588 if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN))
8938ae05 589 return resize_packet(header, n, pheader, plen);
0a852541 590
feba5c1d 591 /* Complain loudly if the upstream server is non-recursive. */
572b41eb 592 if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ntohs(header->ancount) == 0 &&
0a852541 593 server && !(server->flags & SERV_WARNED_RECURSIVE))
feba5c1d 594 {
3d8df260 595 prettyprint_addr(&server->addr, daemon->namebuff);
f2621c7f 596 my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff);
28866e95 597 if (!option_bool(OPT_LOG))
0a852541
SK		 598 server->flags |= SERV_WARNED_RECURSIVE;
599 }
e292e93d 600
572b41eb 601 if (daemon->bogus_addr && RCODE(header) != NXDOMAIN &&
fd9fa481 602 check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now))
feba5c1d 603 {
fd9fa481 604 munged = 1;
572b41eb
SK		 605 SET_RCODE(header, NXDOMAIN);
606 header->hb3 &= ~HB3_AA;
6938f347 607 cache_secure = 0;
36717eee 608 }
fd9fa481 609 else
36717eee 610 {
6938f347
SK		 611 int doctored = 0;
612
572b41eb 613 if (RCODE(header) == NXDOMAIN &&
fd9fa481 614 extract_request(header, n, daemon->namebuff, NULL) &&
5aabfc78 615 check_for_local_domain(daemon->namebuff, now))
36717eee
SK		 616 {
617 /* if we forwarded a query for a locally known name (because it was for
618 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
619 since we know that the domain exists, even if upstream doesn't */
fd9fa481 620 munged = 1;
572b41eb
SK		 621 header->hb3 |= HB3_AA;
622 SET_RCODE(header, NOERROR);
6938f347 623 cache_secure = 0;
feba5c1d 624 }
832af0ba 625
6938f347 626 if (extract_addresses(header, n, daemon->namebuff, now, sets, is_sign, check_rebind, no_cache, cache_secure, &doctored))
824af85b 627 {
8ef5ada2 628 my_syslog(LOG_WARNING, _("possible DNS-rebind attack detected: %s"), daemon->namebuff);
824af85b 629 munged = 1;
6938f347 630 cache_secure = 0;
824af85b 631 }
6938f347
SK		 632
633 if (doctored)
634 cache_secure = 0;
feba5c1d 635 }
fd9fa481 636
a25720a3 637#ifdef HAVE_DNSSEC
fe3992f9 638 if (bogusanswer && !(header->hb4 & HB4_CD))
a25720a3 639 {
7d23a66f 640 if (!option_bool(OPT_DNSSEC_DEBUG))
a25720a3
SK		 641 {
642 /* Bogus reply, turn into SERVFAIL */
643 SET_RCODE(header, SERVFAIL);
644 munged = 1;
645 }
646 }
6938f347
SK		 647
648 if (option_bool(OPT_DNSSEC_VALID))
649 header->hb4 &= ~HB4_AD;
650
83349b8a 651 if (!(header->hb4 & HB4_CD) && ad_reqd && cache_secure)
6938f347 652 header->hb4 |= HB4_AD;
613ad15d
SK		 653
654 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
655 if (!do_bit)
656 n = filter_rrsigs(header, n);
a25720a3
SK		 657#endif
658
fd9fa481
SK		 659 /* do this after extract_addresses. Ensure NODATA reply and remove
660 nameserver info. */
661
662 if (munged)
663 {
664 header->ancount = htons(0);
665 header->nscount = htons(0);
666 header->arcount = htons(0);
150162bc 667 header->hb3 &= ~HB3_TC;
fd9fa481
SK		 668 }
669
36717eee
SK		 670 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
671 sections of the packet. Find the new length here and put back pseudoheader
672 if it was removed. */
673 return resize_packet(header, n, pheader, plen);
feba5c1d
SK		 674}
675
3be34541 676/* sets new last_server */
1a6bca81 677void reply_query(int fd, int family, time_t now)
9e4abcb5
SK		 678{
679 /* packet from peer server, extract data for cache, and send to
680 original requester */
572b41eb 681 struct dns_header *header;
de37951c 682 union mysockaddr serveraddr;
832af0ba 683 struct frec *forward;
de37951c 684 socklen_t addrlen = sizeof(serveraddr);
60b68069 685 ssize_t n = recvfrom(fd, daemon->packet, daemon->packet_buff_sz, 0, &serveraddr.sa, &addrlen);
cdeda28f 686 size_t nn;
1a6bca81 687 struct server *server;
8a9be9e4
SK		 688 void *hash;
689#ifndef HAVE_DNSSEC
690 unsigned int crc;
691#endif
692
cdeda28f
SK		 693 /* packet buffer overwritten */
694 daemon->srv_save = NULL;
832af0ba 695
de37951c 696 /* Determine the address of the server replying so that we can mark that as good */
1a6bca81 697 serveraddr.sa.sa_family = family;
de37951c
SK		 698#ifdef HAVE_IPV6
699 if (serveraddr.sa.sa_family == AF_INET6)
5e9e0efb 700 serveraddr.in6.sin6_flowinfo = 0;
de37951c 701#endif
9e4abcb5 702
490f9075
SK		 703 header = (struct dns_header *)daemon->packet;
704
705 if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR))
706 return;
707
1a6bca81
SK		 708 /* spoof check: answer must come from known server, */
709 for (server = daemon->servers; server; server = server->next)
710 if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR)) &&
711 sockaddr_isequal(&server->addr, &serveraddr))
712 break;
490f9075
SK		 713
714 if (!server)
715 return;
716
8a9be9e4
SK		 717#ifdef HAVE_DNSSEC
718 hash = hash_questions(header, n, daemon->namebuff);
719#else
720 hash = &crc;
721 crc = questions_crc(header, n, daemon->namebuff);
722#endif
fd9fa481 723
490f9075 724 if (!(forward = lookup_frec(ntohs(header->id), hash)))
1a6bca81 725 return;
490f9075 726
25cf5e37
SK		 727 /* log_query gets called indirectly all over the place, so
728 pass these in global variables - sorry. */
729 daemon->log_display_id = forward->log_id;
730 daemon->log_source_addr = &forward->source;
731
32fc6dbe
GH		 732 if (daemon->ignore_addr && RCODE(header) == NOERROR &&
733 check_for_ignored_address(header, n, daemon->ignore_addr))
734 return;
735
2ae195f5 736 if (RCODE(header) == REFUSED &&
28866e95 737 !option_bool(OPT_ORDER) &&
1a6bca81
SK		 738 forward->forwardall == 0)
739 /* for broken servers, attempt to send to another one. */
9e4abcb5 740 {
1a6bca81
SK		 741 unsigned char *pheader;
742 size_t plen;
743 int is_sign;
832af0ba 744
1a6bca81
SK		 745 /* recreate query from reply */
746 pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign);
747 if (!is_sign)
832af0ba 748 {
1a6bca81
SK		 749 header->ancount = htons(0);
750 header->nscount = htons(0);
751 header->arcount = htons(0);
752 if ((nn = resize_packet(header, (size_t)n, pheader, plen)))
832af0ba 753 {
572b41eb 754 header->hb3 &= ~(HB3_QR | HB3_TC);
613ad15d 755 forward_query(-1, NULL, NULL, 0, header, nn, now, forward, 0, 0);
1a6bca81 756 return;
832af0ba 757 }
832af0ba 758 }
1a6bca81 759 }
3a237152
SK		 760
761 server = forward->sentto;
1a6bca81
SK		 762
763 if ((forward->sentto->flags & SERV_TYPE) == 0)
764 {
51967f98 765 if (RCODE(header) == REFUSED)
1a6bca81
SK		 766 server = NULL;
767 else
b8187c80 768 {
1a6bca81
SK		 769 struct server *last_server;
770
771 /* find good server by address if possible, otherwise assume the last one we sent to */
772 for (last_server = daemon->servers; last_server; last_server = last_server->next)
773 if (!(last_server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR)) &&
774 sockaddr_isequal(&last_server->addr, &serveraddr))
775 {
776 server = last_server;
777 break;
778 }
779 }
28866e95 780 if (!option_bool(OPT_ALL_SERVERS))
1a6bca81
SK		 781 daemon->last_server = server;
782 }
3a237152 783
1a6bca81
SK		 784 /* If the answer is an error, keep the forward record in place in case
785 we get a good reply from another server. Kill it when we've
786 had replies from all to avoid filling the forwarding table when
787 everything is broken */
51967f98 788 if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
1a6bca81 789 {
fe3992f9 790 int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
3a237152
SK		 791
792 if (option_bool(OPT_NO_REBIND))
793 check_rebind = !(forward->flags & FREC_NOREBIND);
794
795 /* Don't cache replies where DNSSEC validation was turned off, either
796 the upstream server told us so, or the original query specified it. */
797 if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
798 no_cache_dnssec = 1;
799
800#ifdef HAVE_DNSSEC
51967f98 801 if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
3a237152 802 {
9d633048 803 int status;
0fc2f313
SK		 804
805 /* We've had a reply already, which we're validating. Ignore this duplicate */
e0c0ad3b 806 if (forward->blocking_query)
0fc2f313 807 return;
9d633048 808
871417d4
SK		 809 if (header->hb3 & HB3_TC)
810 {
811 /* Truncated answer can't be validated.
5d3b87a4
SK		 812 If this is an answer to a DNSSEC-generated query, we still
813 need to get the client to retry over TCP, so return
814 an answer with the TC bit set, even if the actual answer fits.
815 */
816 status = STAT_TRUNCATED;
871417d4
SK		 817 }
818 else if (forward->flags & FREC_DNSKEY_QUERY)
8d718cbb 819 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
c3e0b9b6 820 else if (forward->flags & FREC_DS_QUERY)
00a5b5d4
SK		 821 {
822 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
fe3992f9
SK		 823 /* Provably no DS, everything below is insecure, even if signatures are offered */
824 if (status == STAT_NO_DS)
825 /* We only cache sigs when we've validated a reply.
826 Avoid caching a reply with sigs if there's a vaildated break in the
827 DS chain, so we don't return replies from cache missing sigs. */
828 status = STAT_INSECURE_DS;
829 else if (status == STAT_NO_NS)
97e618a0 830 status = STAT_BOGUS;
00a5b5d4
SK		 831 }
832 else if (forward->flags & FREC_CHECK_NOSIGN)
97e618a0
SK		 833 {
834 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
835 if (status != STAT_NEED_KEY)
836 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
837 }
9d633048 838 else
00a5b5d4 839 {
97e618a0 840 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
00a5b5d4
SK		 841 if (status == STAT_NO_SIG)
842 {
843 if (option_bool(OPT_DNSSEC_NO_SIGN))
97e618a0 844 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
00a5b5d4
SK		 845 else
846 status = STAT_INSECURE;
847 }
848 }
3a237152
SK		 849 /* Can't validate, as we're missing key data. Put this
850 answer aside, whilst we get that. */
00a5b5d4 851 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
3a237152 852 {
7fa836e1
SK		 853 struct frec *new, *orig;
854
855 /* Free any saved query */
856 if (forward->stash)
857 blockdata_free(forward->stash);
858
859 /* Now save reply pending receipt of key data */
860 if (!(forward->stash = blockdata_alloc((char *)header, n)))
861 return;
862 forward->stash_len = n;
0fc2f313 863
7fa836e1
SK		 864 anotherkey:
865 /* Find the original query that started it all.... */
866 for (orig = forward; orig->dependent; orig = orig->dependent);
867
868 if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
869 status = STAT_INSECURE;
870 else
3a237152 871 {
7fa836e1 872 int fd;
0fc2f313
SK		 873 struct frec *next = new->next;
874 *new = *forward; /* copy everything, then overwrite */
875 new->next = next;
0fc2f313 876 new->blocking_query = NULL;
8a8bbad0 877 new->sentto = server;
f1668d27 878 new->rfd4 = NULL;
97e618a0 879 new->orig_domain = NULL;
f1668d27
SK		 880#ifdef HAVE_IPV6
881 new->rfd6 = NULL;
882#endif
00a5b5d4 883 new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN);
9d633048 884
7fa836e1
SK		 885 new->dependent = forward; /* to find query awaiting new one. */
886 forward->blocking_query = new; /* for garbage cleaning */
887 /* validate routines leave name of required record in daemon->keyname */
888 if (status == STAT_NEED_KEY)
889 {
890 new->flags |= FREC_DNSKEY_QUERY;
891 nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
892 daemon->keyname, forward->class, T_DNSKEY, &server->addr);
893 }
894 else
895 {
00a5b5d4
SK		 896 if (status == STAT_NEED_DS_NEG)
897 new->flags |= FREC_CHECK_NOSIGN;
898 else
899 new->flags |= FREC_DS_QUERY;
7fa836e1
SK		 900 nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
901 daemon->keyname, forward->class, T_DS, &server->addr);
902 }
903 if ((hash = hash_questions(header, nn, daemon->namebuff)))
904 memcpy(new->hash, hash, HASH_SIZE);
905 new->new_id = get_id();
906 header->id = htons(new->new_id);
907 /* Save query for retransmission */
97e618a0
SK		 908 if (!(new->stash = blockdata_alloc((char *)header, nn)))
909 return;
910
7fa836e1
SK		 911 new->stash_len = nn;
912
913 /* Don't resend this. */
914 daemon->srv_save = NULL;
e0c0ad3b 915
7fa836e1
SK		 916 if (server->sfd)
917 fd = server->sfd->fd;
e0c0ad3b 918 else
3a237152 919 {
7fa836e1
SK		 920 fd = -1;
921#ifdef HAVE_IPV6
922 if (server->addr.sa.sa_family == AF_INET6)
9d633048 923 {
7fa836e1
SK		 924 if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
925 fd = new->rfd6->fd;
9d633048 926 }
3a237152 927 else
3a237152 928#endif
f1668d27 929 {
7fa836e1
SK		 930 if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
931 fd = new->rfd4->fd;
f1668d27 932 }
3a237152 933 }
7fa836e1
SK		 934
935 if (fd != -1)
936 {
ff841ebf
SK		 937 while (retry_send(sendto(fd, (char *)header, nn, 0,
938 &server->addr.sa,
939 sa_len(&server->addr))));
7fa836e1
SK		 940 server->queries++;
941 }
942
943 return;
3a237152 944 }
3a237152
SK		 945 }
946
947 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
948 Now wind back down, pulling back answers which wouldn't previously validate
7fa836e1
SK		 949 and validate them with the new data. Note that if an answer needs multiple
950 keys to validate, we may find another key is needed, in which case we set off
951 down another branch of the tree. Once we get to the original answer
952 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
0744ca66 953 while (forward->dependent)
3a237152 954 {
0744ca66
SK		 955 struct frec *prev = forward->dependent;
956 free_frec(forward);
957 forward = prev;
958 forward->blocking_query = NULL; /* already gone */
959 blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
960 n = forward->stash_len;
961
962 if (status == STAT_SECURE)
3a237152 963 {
0744ca66
SK		 964 if (forward->flags & FREC_DNSKEY_QUERY)
965 status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
966 else if (forward->flags & FREC_DS_QUERY)
00a5b5d4
SK		 967 {
968 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
fe3992f9
SK		 969 /* Provably no DS, everything below is insecure, even if signatures are offered */
970 if (status == STAT_NO_DS)
971 /* We only cache sigs when we've validated a reply.
972 Avoid caching a reply with sigs if there's a vaildated break in the
973 DS chain, so we don't return replies from cache missing sigs. */
974 status = STAT_INSECURE_DS;
975 else if (status == STAT_NO_NS)
976 status = STAT_BOGUS;
00a5b5d4
SK		 977 }
978 else if (forward->flags & FREC_CHECK_NOSIGN)
97e618a0
SK		 979 {
980 status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
981 if (status != STAT_NEED_KEY)
982 status = do_check_sign(forward, status, now, daemon->namebuff, daemon->keyname);
983 }
0744ca66 984 else
00a5b5d4 985 {
97e618a0 986 status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL, NULL);
00a5b5d4
SK		 987 if (status == STAT_NO_SIG)
988 {
989 if (option_bool(OPT_DNSSEC_NO_SIGN))
97e618a0 990 status = send_check_sign(forward, now, header, n, daemon->namebuff, daemon->keyname);
00a5b5d4
SK		 991 else
992 status = STAT_INSECURE;
993 }
994 }
995
996 if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
7fa836e1 997 goto anotherkey;
3a237152
SK		 998 }
999 }
5d3b87a4 1000
fe3992f9
SK		 1001 no_cache_dnssec = 0;
1002
1003 if (status == STAT_INSECURE_DS)
1004 {
1005 /* We only cache sigs when we've validated a reply.
1006 Avoid caching a reply with sigs if there's a vaildated break in the
1007 DS chain, so we don't return replies from cache missing sigs. */
1008 status = STAT_INSECURE;
1009 no_cache_dnssec = 1;
1010 }
1011
5d3b87a4 1012 if (status == STAT_TRUNCATED)
0744ca66 1013 header->hb3 |= HB3_TC;
5d3b87a4 1014 else
7fa836e1
SK		 1015 {
1016 char *result;
1017
1018 if (forward->work_counter == 0)
150162bc
SK		 1019 {
1020 result = "ABANDONED";
1021 status = STAT_BOGUS;
1022 }
7fa836e1
SK		 1023 else
1024 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
1025
1026 log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
1027 }
5d3b87a4 1028
3a237152
SK		 1029 if (status == STAT_SECURE)
1030 cache_secure = 1;
3a237152 1031 else if (status == STAT_BOGUS)
fe3992f9
SK		 1032 {
1033 no_cache_dnssec = 1;
1034 bogusanswer = 1;
1035 }
3a237152 1036 }
83349b8a
SK		 1037#endif
1038
1039 /* restore CD bit to the value in the query */
1040 if (forward->flags & FREC_CHECKING_DISABLED)
1041 header->hb4 |= HB4_CD;
1042 else
1043 header->hb4 &= ~HB4_CD;
8ef5ada2 1044
fe3992f9 1045 if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
613ad15d
SK		 1046 forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
1047 forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
1a6bca81
SK		 1048 {
1049 header->id = htons(forward->orig_id);
572b41eb 1050 header->hb4 |= HB4_RA; /* recursion if available */
54dd393f 1051 send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn,
50303b19 1052 &forward->source, &forward->dest, forward->iface);
b8187c80 1053 }
1a6bca81 1054 free_frec(forward); /* cancel */
9e4abcb5 1055 }
9e4abcb5 1056}
44a2a316 1057
1a6bca81 1058
5aabfc78 1059void receive_query(struct listener *listen, time_t now)
44a2a316 1060{
572b41eb 1061 struct dns_header *header = (struct dns_header *)daemon->packet;
44a2a316 1062 union mysockaddr source_addr;
c1bb8504 1063 unsigned short type;
44a2a316 1064 struct all_addr dst_addr;
f6b7dc47 1065 struct in_addr netmask, dst_addr_4;
cdeda28f
SK		 1066 size_t m;
1067 ssize_t n;
3b195961
VG		 1068 int if_index = 0, auth_dns = 0;
1069#ifdef HAVE_AUTH
1070 int local_auth = 0;
1071#endif
44a2a316
SK		 1072 struct iovec iov[1];
1073 struct msghdr msg;
1074 struct cmsghdr *cmptr;
44a2a316
SK		 1075 union {
1076 struct cmsghdr align; /* this ensures alignment */
1077#ifdef HAVE_IPV6
1078 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
1079#endif
5e9e0efb 1080#if defined(HAVE_LINUX_NETWORK)
44a2a316 1081 char control[CMSG_SPACE(sizeof(struct in_pktinfo))];
824af85b
SK		 1082#elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1083 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1084 CMSG_SPACE(sizeof(unsigned int))];
44a2a316
SK		 1085#elif defined(IP_RECVDSTADDR)
1086 char control[CMSG_SPACE(sizeof(struct in_addr)) +
1087 CMSG_SPACE(sizeof(struct sockaddr_dl))];
1088#endif
1089 } control_u;
2329bef5
SK		 1090#ifdef HAVE_IPV6
1091 /* Can always get recvd interface for IPv6 */
1092 int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6;
1093#else
1094 int check_dst = !option_bool(OPT_NOWILD);
1095#endif
1096
cdeda28f
SK		 1097 /* packet buffer overwritten */
1098 daemon->srv_save = NULL;
1099
98906275 1100 dst_addr_4.s_addr = dst_addr.addr.addr4.s_addr = 0;
4f7b304f
SK		 1101 netmask.s_addr = 0;
1102
7e5664bd 1103 if (option_bool(OPT_NOWILD) && listen->iface)
3d8df260 1104 {
4f7b304f
SK		 1105 auth_dns = listen->iface->dns_auth;
1106
1107 if (listen->family == AF_INET)
1108 {
98906275 1109 dst_addr_4 = dst_addr.addr.addr4 = listen->iface->addr.in.sin_addr;
4f7b304f
SK		 1110 netmask = listen->iface->netmask;
1111 }
3d8df260 1112 }
4f7b304f 1113
3be34541
SK		 1114 iov[0].iov_base = daemon->packet;
1115 iov[0].iov_len = daemon->edns_pktsz;
44a2a316
SK		 1116
1117 msg.msg_control = control_u.control;
1118 msg.msg_controllen = sizeof(control_u);
1119 msg.msg_flags = 0;
1120 msg.msg_name = &source_addr;
1121 msg.msg_namelen = sizeof(source_addr);
1122 msg.msg_iov = iov;
1123 msg.msg_iovlen = 1;
1124
de37951c 1125 if ((n = recvmsg(listen->fd, &msg, 0)) == -1)
3be34541 1126 return;
44a2a316 1127
572b41eb 1128 if (n < (int)sizeof(struct dns_header) ||
5e9e0efb 1129 (msg.msg_flags & MSG_TRUNC) ||
572b41eb 1130 (header->hb3 & HB3_QR))
26128d27
SK		 1131 return;
1132
44a2a316 1133 source_addr.sa.sa_family = listen->family;
2a7a2b84
SK		 1134
1135 if (listen->family == AF_INET)
1136 {
1137 /* Source-port == 0 is an error, we can't send back to that.
1138 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1139 if (source_addr.in.sin_port == 0)
1140 return;
1141 }
44a2a316 1142#ifdef HAVE_IPV6
2a7a2b84
SK		 1143 else
1144 {
1145 /* Source-port == 0 is an error, we can't send back to that. */
1146 if (source_addr.in6.sin6_port == 0)
1147 return;
1148 source_addr.in6.sin6_flowinfo = 0;
1149 }
44a2a316 1150#endif
2a7a2b84 1151
c8a80487
SK		 1152 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1153 if (option_bool(OPT_LOCAL_SERVICE))
1154 {
1155 struct addrlist *addr;
1156#ifdef HAVE_IPV6
1157 if (listen->family == AF_INET6)
1158 {
1159 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1160 if ((addr->flags & ADDRLIST_IPV6) &&
1161 is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen))
1162 break;
1163 }
1164 else
1165#endif
1166 {
1167 struct in_addr netmask;
1168 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1169 {
15b1b7e9 1170 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
c8a80487
SK		 1171 if (!(addr->flags & ADDRLIST_IPV6) &&
1172 is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask))
1173 break;
1174 }
1175 }
1176 if (!addr)
1177 {
0c8584ea
SK		 1178 static int warned = 0;
1179 if (!warned)
1180 {
1181 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1182 warned = 1;
1183 }
c8a80487
SK		 1184 return;
1185 }
1186 }
1187
2329bef5 1188 if (check_dst)
26128d27
SK		 1189 {
1190 struct ifreq ifr;
1191
1192 if (msg.msg_controllen < sizeof(struct cmsghdr))
1193 return;
44a2a316 1194
5e9e0efb 1195#if defined(HAVE_LINUX_NETWORK)
26128d27
SK		 1196 if (listen->family == AF_INET)
1197 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1198 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO)
26128d27 1199 {
8ef5ada2
SK		 1200 union {
1201 unsigned char *c;
1202 struct in_pktinfo *p;
1203 } p;
1204 p.c = CMSG_DATA(cmptr);
1205 dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst;
1206 if_index = p.p->ipi_ifindex;
26128d27
SK		 1207 }
1208#elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1209 if (listen->family == AF_INET)
44a2a316 1210 {
26128d27 1211 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
8ef5ada2
SK		 1212 {
1213 union {
1214 unsigned char *c;
1215 unsigned int *i;
1216 struct in_addr *a;
1217#ifndef HAVE_SOLARIS_NETWORK
1218 struct sockaddr_dl *s;
1219#endif
1220 } p;
1221 p.c = CMSG_DATA(cmptr);
1222 if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR)
1223 dst_addr_4 = dst_addr.addr.addr4 = *(p.a);
1224 else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF)
824af85b 1225#ifdef HAVE_SOLARIS_NETWORK
8ef5ada2 1226 if_index = *(p.i);
824af85b 1227#else
8ef5ada2 1228 if_index = p.s->sdl_index;
824af85b 1229#endif
8ef5ada2 1230 }
44a2a316 1231 }
44a2a316 1232#endif
26128d27 1233
44a2a316 1234#ifdef HAVE_IPV6
26128d27
SK		 1235 if (listen->family == AF_INET6)
1236 {
1237 for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr))
c72daea8 1238 if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo)
26128d27 1239 {
8ef5ada2
SK		 1240 union {
1241 unsigned char *c;
1242 struct in6_pktinfo *p;
1243 } p;
1244 p.c = CMSG_DATA(cmptr);
1245
1246 dst_addr.addr.addr6 = p.p->ipi6_addr;
1247 if_index = p.p->ipi6_ifindex;
26128d27
SK		 1248 }
1249 }
44a2a316 1250#endif
26128d27
SK		 1251
1252 /* enforce available interface configuration */
1253
e25db1f2 1254 if (!indextoname(listen->fd, if_index, ifr.ifr_name))
5e9e0efb 1255 return;
832af0ba 1256
e25db1f2
SK		 1257 if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns))
1258 {
1259 if (!option_bool(OPT_CLEVERBIND))
115ac3e4 1260 enumerate_interfaces(0);
3f2873d4
SK		 1261 if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) &&
1262 !label_exception(if_index, listen->family, &dst_addr))
e25db1f2
SK		 1263 return;
1264 }
1265
552af8b9
SK		 1266 if (listen->family == AF_INET && option_bool(OPT_LOCALISE))
1267 {
1268 struct irec *iface;
1269
1270 /* get the netmask of the interface whch has the address we were sent to.
1271 This is no neccessarily the interface we arrived on. */
1272
1273 for (iface = daemon->interfaces; iface; iface = iface->next)
1274 if (iface->addr.sa.sa_family == AF_INET &&
1275 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1276 break;
1277
1278 /* interface may be new */
e25db1f2 1279 if (!iface && !option_bool(OPT_CLEVERBIND))
115ac3e4 1280 enumerate_interfaces(0);
552af8b9
SK		 1281
1282 for (iface = daemon->interfaces; iface; iface = iface->next)
1283 if (iface->addr.sa.sa_family == AF_INET &&
1284 iface->addr.in.sin_addr.s_addr == dst_addr_4.s_addr)
1285 break;
1286
1287 /* If we failed, abandon localisation */
1288 if (iface)
1289 netmask = iface->netmask;
1290 else
1291 dst_addr_4.s_addr = 0;
1292 }
44a2a316 1293 }
25cf5e37
SK		 1294
1295 /* log_query gets called indirectly all over the place, so
1296 pass these in global variables - sorry. */
1297 daemon->log_display_id = ++daemon->log_id;
1298 daemon->log_source_addr = &source_addr;
44a2a316 1299
cdeda28f 1300 if (extract_request(header, (size_t)n, daemon->namebuff, &type))
44a2a316 1301 {
b485ed97
SK		 1302#ifdef HAVE_AUTH
1303 struct auth_zone *zone;
1304#endif
610e782a
SK		 1305 char *types = querystr(auth_dns ? "auth" : "query", type);
1306
44a2a316 1307 if (listen->family == AF_INET)
3be34541 1308 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1a6bca81 1309 (struct all_addr *)&source_addr.in.sin_addr, types);
44a2a316
SK		 1310#ifdef HAVE_IPV6
1311 else
3be34541 1312 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1a6bca81 1313 (struct all_addr *)&source_addr.in6.sin6_addr, types);
44a2a316 1314#endif
44a2a316 1315
b485ed97
SK		 1316#ifdef HAVE_AUTH
1317 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1318 if (!auth_dns)
1319 for (zone = daemon->auth_zones; zone; zone = zone->next)
1320 if (in_zone(zone, daemon->namebuff, NULL))
1321 {
1322 auth_dns = 1;
1323 local_auth = 1;
1324 break;
1325 }
b485ed97 1326#endif
b5ea1cc2
SK		 1327
1328#ifdef HAVE_LOOP
1329 /* Check for forwarding loop */
1330 if (detect_loop(daemon->namebuff, type))
1331 return;
1332#endif
b485ed97
SK		 1333 }
1334
4820dce9 1335#ifdef HAVE_AUTH
4f7b304f 1336 if (auth_dns)
824af85b 1337 {
60b68069 1338 m = answer_auth(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n, now, &source_addr, local_auth);
4f7b304f 1339 if (m >= 1)
b485ed97
SK		 1340 {
1341 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1342 (char *)header, m, &source_addr, &dst_addr, if_index);
1343 daemon->auth_answer++;
1344 }
824af85b 1345 }
44a2a316 1346 else
4820dce9 1347#endif
4f7b304f 1348 {
613ad15d 1349 int ad_reqd, do_bit;
60b68069 1350 m = answer_request(header, ((char *) header) + daemon->packet_buff_sz, (size_t)n,
613ad15d 1351 dst_addr_4, netmask, now, &ad_reqd, &do_bit);
4f7b304f
SK		 1352
1353 if (m >= 1)
1354 {
1355 send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND),
1356 (char *)header, m, &source_addr, &dst_addr, if_index);
1357 daemon->local_answer++;
1358 }
1359 else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
613ad15d 1360 header, (size_t)n, now, NULL, ad_reqd, do_bit))
4f7b304f
SK		 1361 daemon->queries_forwarded++;
1362 else
1363 daemon->local_answer++;
1364 }
44a2a316
SK		 1365}
1366
7d7b7b31 1367#ifdef HAVE_DNSSEC
00a5b5d4
SK		 1368
1369/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1370 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1371 STAT_NEED_DS_NEG and keyname if we need to do the query. */
97e618a0
SK		 1372static int send_check_sign(struct frec *forward, time_t now, struct dns_header *header, size_t plen,
1373 char *name, char *keyname)
00a5b5d4 1374{
00a5b5d4
SK		 1375 int status = dnssec_chase_cname(now, header, plen, name, keyname);
1376
1377 if (status != STAT_INSECURE)
1378 return status;
1379
97e618a0
SK		 1380 /* Store the domain we're trying to check. */
1381 forward->name_start = strlen(name);
1382 forward->name_len = forward->name_start + 1;
1383 if (!(forward->orig_domain = blockdata_alloc(name, forward->name_len)))
1384 return STAT_BOGUS;
1385
1386 return do_check_sign(forward, 0, now, name, keyname);
1387}
1388
1389/* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1390static int do_check_sign(struct frec *forward, int status, time_t now, char *name, char *keyname)
1391{
1392 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1393 while (forward->dependent)
1394 forward = forward->dependent;
1395
1396 blockdata_retrieve(forward->orig_domain, forward->name_len, name);
1397
00a5b5d4
SK		 1398 while (1)
1399 {
97e618a0
SK		 1400 char *p;
1401
1402 if (status == 0)
00a5b5d4 1403 {
97e618a0
SK		 1404 struct crec *crecp;
1405
1406 /* Haven't received answer, see if in cache */
1407 if (!(crecp = cache_find_by_name(NULL, &name[forward->name_start], now, F_DS)))
1408 {
1409 /* put name of DS record we're missing into keyname */
1410 strcpy(keyname, &name[forward->name_start]);
1411 /* and wait for reply to arrive */
1412 return STAT_NEED_DS_NEG;
1413 }
1414
1415 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1416 if (!(crecp->flags & F_NEG))
1417 status = STAT_SECURE;
1418 else if (crecp->flags & F_DNSSECOK)
1419 status = STAT_NO_DS;
1420 else
1421 status = STAT_NO_NS;
00a5b5d4 1422 }
97e618a0
SK		 1423
1424 /* Have entered non-signed part of DNS tree. */
1425 if (status == STAT_NO_DS)
1426 return STAT_INSECURE;
00a5b5d4 1427
97e618a0 1428 if (status == STAT_BOGUS)
4e1fe444
SK		 1429 return STAT_BOGUS;
1430
97e618a0
SK		 1431 /* There's a proven DS record, or we're within a zone, where there doesn't need
1432 to be a DS record. Add a name and try again.
1433 If we've already tried the whole name, then fail */
00a5b5d4 1434
97e618a0
SK		 1435 if (forward->name_start == 0)
1436 return STAT_BOGUS;
4872aa74 1437
97e618a0
SK		 1438 for (p = &name[forward->name_start-2]; (*p != '.') && (p != name); p--);
1439
1440 if (p != name)
1441 p++;
1442
1443 forward->name_start = p - name;
1444 status = 0; /* force to cache when we iterate. */
00a5b5d4 1445 }
00a5b5d4
SK		 1446}
1447
fe3992f9 1448/* Move down from the root, until we find a signed non-existance of a DS, in which case
00a5b5d4
SK		 1449 an unsigned answer is OK, or we find a signed DS, in which case there should be
1450 a signature, and the answer is BOGUS */
1451static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
1452 char *keyname, struct server *server, int *keycount)
1453{
1454 size_t m;
1455 unsigned char *packet, *payload;
1456 u16 *length;
97e618a0
SK		 1457 int status, name_len;
1458 struct blockdata *block;
1459
1460 char *name_start;
00a5b5d4
SK		 1461
1462 /* Get first insecure entry in CNAME chain */
1463 status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
1464 if (status == STAT_BOGUS)
1465 return STAT_BOGUS;
1466
1467 if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))))
1468 return STAT_BOGUS;
1469
1470 payload = &packet[2];
1471 header = (struct dns_header *)payload;
1472 length = (u16 *)packet;
97e618a0
SK		 1473
1474 /* Stash the name away, since the buffer will be trashed when we recurse */
1475 name_len = strlen(name) + 1;
1476 name_start = name + name_len - 1;
00a5b5d4 1477
97e618a0
SK		 1478 if (!(block = blockdata_alloc(name, name_len)))
1479 {
1480 free(packet);
1481 return STAT_BOGUS;
1482 }
1483
00a5b5d4
SK		 1484 while (1)
1485 {
00a5b5d4 1486 unsigned char c1, c2;
97e618a0
SK		 1487 struct crec *crecp;
1488
00a5b5d4 1489 if (--(*keycount) == 0)
fc2833f1
TH		 1490 {
1491 free(packet);
97e618a0 1492 blockdata_free(block);
fc2833f1
TH		 1493 return STAT_BOGUS;
1494 }
00a5b5d4 1495
424c4a8a 1496 while ((crecp = cache_find_by_name(NULL, name_start, now, F_DS)))
97e618a0
SK		 1497 {
1498 if ((crecp->flags & F_NEG) && (crecp->flags & F_DNSSECOK))
1499 {
1500 /* Found a secure denial of DS - delegation is indeed insecure */
1501 free(packet);
1502 blockdata_free(block);
1503 return STAT_INSECURE;
1504 }
1505
1506 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1507 Add another label and continue. */
1508
1509 if (name_start == name)
1510 {
1511 free(packet);
1512 blockdata_free(block);
1513 return STAT_BOGUS; /* run out of labels */
1514 }
1515
1516 name_start -= 2;
1517 while (*name_start != '.' && name_start != name)
1518 name_start--;
1519 if (name_start != name)
1520 name_start++;
4e1fe444 1521 }
97e618a0
SK		 1522
1523 /* Can't find it in the cache, have to send a query */
4e1fe444 1524
00a5b5d4
SK		 1525 m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr);
1526
97e618a0 1527 *length = htons(m);
b37f8b99 1528
97e618a0
SK		 1529 if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
1530 read_write(server->tcpfd, &c1, 1, 1) &&
1531 read_write(server->tcpfd, &c2, 1, 1) &&
1532 read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1533 {
1534 m = (c1 << 8) | c2;
00a5b5d4 1535
97e618a0
SK		 1536 /* Note this trashes all three name workspaces */
1537 status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
1538
1539 if (status == STAT_NO_DS)
00a5b5d4 1540 {
97e618a0
SK		 1541 /* Found a secure denial of DS - delegation is indeed insecure */
1542 free(packet);
1543 blockdata_free(block);
1544 return STAT_INSECURE;
1545 }
1546
1547 if (status == STAT_BOGUS)
1548 {
1549 free(packet);
1550 blockdata_free(block);
1551 return STAT_BOGUS;
1552 }
1553
1554 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1555 Add another label and continue. */
1556
1557 /* Get name we're checking back. */
1558 blockdata_retrieve(block, name_len, name);
1559
1560 if (name_start == name)
1561 {
1562 free(packet);
1563 blockdata_free(block);
1564 return STAT_BOGUS; /* run out of labels */
00a5b5d4 1565 }
97e618a0
SK		 1566
1567 name_start -= 2;
1568 while (*name_start != '.' && name_start != name)
1569 name_start--;
1570 if (name_start != name)
1571 name_start++;
1572 }
1573 else
1574 {
1575 /* IO failure */
1576 free(packet);
1577 blockdata_free(block);
1578 return STAT_BOGUS; /* run out of labels */
00a5b5d4 1579 }
00a5b5d4
SK		 1580 }
1581}
1582
7fa836e1
SK		 1583static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
1584 int class, char *name, char *keyname, struct server *server, int *keycount)
7d7b7b31
SK		 1585{
1586 /* Recurse up the key heirarchy */
7d7b7b31 1587 int new_status;
7d7b7b31 1588
7fa836e1
SK		 1589 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1590 if (--(*keycount) == 0)
1591 return STAT_INSECURE;
7d7b7b31 1592
7fa836e1
SK		 1593 if (status == STAT_NEED_KEY)
1594 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
00a5b5d4
SK		 1595 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1596 {
1597 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
fe3992f9
SK		 1598 if (status == STAT_NEED_DS)
1599 {
1600 if (new_status == STAT_NO_DS)
1601 new_status = STAT_INSECURE_DS;
1602 else if (new_status == STAT_NO_NS)
1603 new_status = STAT_BOGUS;
1604 }
00a5b5d4
SK		 1605 }
1606 else if (status == STAT_CHASE_CNAME)
1607 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1608 else
1609 {
97e618a0 1610 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
00a5b5d4
SK		 1611
1612 if (new_status == STAT_NO_SIG)
1613 {
1614 if (option_bool(OPT_DNSSEC_NO_SIGN))
1615 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1616 else
1617 new_status = STAT_INSECURE;
1618 }
1619 }
1620
7fa836e1
SK		 1621 /* Can't validate because we need a key/DS whose name now in keyname.
1622 Make query for same, and recurse to validate */
1623 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
7d7b7b31 1624 {
7fa836e1
SK		 1625 size_t m;
1626 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1627 unsigned char *payload = &packet[2];
1628 struct dns_header *new_header = (struct dns_header *)payload;
1629 u16 *length = (u16 *)packet;
1630 unsigned char c1, c2;
1631
1632 if (!packet)
1633 return STAT_INSECURE;
1634
1635 another_tcp_key:
1636 m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
1637 new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
7d7b7b31 1638
7fa836e1 1639 *length = htons(m);
7d7b7b31 1640
7fa836e1
SK		 1641 if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
1642 !read_write(server->tcpfd, &c1, 1, 1) ||
1643 !read_write(server->tcpfd, &c2, 1, 1) ||
1644 !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1645 new_status = STAT_INSECURE;
1646 else
7d7b7b31 1647 {
7fa836e1
SK		 1648 m = (c1 << 8) | c2;
1649
00a5b5d4
SK		 1650 new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount);
1651
1652 if (new_status == STAT_SECURE)
7d7b7b31 1653 {
7fa836e1
SK		 1654 /* Reached a validated record, now try again at this level.
1655 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1656 If so, go round again. */
7d7b7b31 1657
7fa836e1
SK		 1658 if (status == STAT_NEED_KEY)
1659 new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
00a5b5d4
SK		 1660 else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1661 {
1662 new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
fe3992f9
SK		 1663 if (status == STAT_NEED_DS)
1664 {
1665 if (new_status == STAT_NO_DS)
1666 new_status = STAT_INSECURE_DS;
1667 else if (new_status == STAT_NO_NS)
1668 new_status = STAT_BOGUS; /* Validated no DS */
1669 }
00a5b5d4
SK		 1670 }
1671 else if (status == STAT_CHASE_CNAME)
1672 new_status = dnssec_chase_cname(now, header, n, name, keyname);
1673 else
1674 {
97e618a0 1675 new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL, NULL);
00a5b5d4
SK		 1676
1677 if (new_status == STAT_NO_SIG)
1678 {
1679 if (option_bool(OPT_DNSSEC_NO_SIGN))
1680 new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1681 else
1682 new_status = STAT_INSECURE;
1683 }
1684 }
1685
7d7b7b31 1686 if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
7fa836e1 1687 goto another_tcp_key;
7d7b7b31
SK		 1688 }
1689 }
fe3992f9 1690
7fa836e1
SK		 1691 free(packet);
1692 }
7d7b7b31
SK		 1693 return new_status;
1694}
1695#endif
1696
1697
feba5c1d
SK		 1698/* The daemon forks before calling this: it should deal with one connection,
1699 blocking as neccessary, and then return. Note, need to be a bit careful
1700 about resources for debug mode, when the fork is suppressed: that's
1701 done by the caller. */
5aabfc78 1702unsigned char *tcp_request(int confd, time_t now,
4f7b304f 1703 union mysockaddr *local_addr, struct in_addr netmask, int auth_dns)
feba5c1d 1704{
28866e95
SK		 1705 size_t size = 0;
1706 int norebind = 0;
3b195961 1707#ifdef HAVE_AUTH
19b16891 1708 int local_auth = 0;
3b195961 1709#endif
613ad15d 1710 int checking_disabled, ad_question, do_bit, added_pheader = 0;
fe3992f9 1711 int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
cdeda28f 1712 size_t m;
ee86ce68
SK		 1713 unsigned short qtype;
1714 unsigned int gotname;
feba5c1d 1715 unsigned char c1, c2;
4b5ea12e
SK		 1716 /* Max TCP packet + slop + size */
1717 unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1718 unsigned char *payload = &packet[2];
1719 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1720 struct dns_header *header = (struct dns_header *)payload;
1721 u16 *length = (u16 *)packet;
3be34541 1722 struct server *last_server;
7de060b0
SK		 1723 struct in_addr dst_addr_4;
1724 union mysockaddr peer_addr;
1725 socklen_t peer_len = sizeof(union mysockaddr);
25cf5e37
SK		 1726 int query_count = 0;
1727
7de060b0
SK		 1728 if (getpeername(confd, (struct sockaddr *)&peer_addr, &peer_len) == -1)
1729 return packet;
c8a80487
SK		 1730
1731 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1732 if (option_bool(OPT_LOCAL_SERVICE))
1733 {
1734 struct addrlist *addr;
1735#ifdef HAVE_IPV6
1736 if (peer_addr.sa.sa_family == AF_INET6)
1737 {
1738 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1739 if ((addr->flags & ADDRLIST_IPV6) &&
1740 is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen))
1741 break;
1742 }
1743 else
1744#endif
1745 {
1746 struct in_addr netmask;
1747 for (addr = daemon->interface_addrs; addr; addr = addr->next)
1748 {
15b1b7e9 1749 netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen));
c8a80487
SK		 1750 if (!(addr->flags & ADDRLIST_IPV6) &&
1751 is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask))
1752 break;
1753 }
1754 }
1755 if (!addr)
1756 {
1757 my_syslog(LOG_WARNING, _("Ignoring query from non-local network"));
1758 return packet;
1759 }
1760 }
7de060b0 1761
feba5c1d
SK		 1762 while (1)
1763 {
25cf5e37
SK		 1764 if (query_count == TCP_MAX_QUERIES ||
1765 !packet ||
feba5c1d
SK		 1766 !read_write(confd, &c1, 1, 1) || !read_write(confd, &c2, 1, 1) ||
1767 !(size = c1 << 8 | c2) ||
4b5ea12e 1768 !read_write(confd, payload, size, 1))
feba5c1d
SK		 1769 return packet;
1770
572b41eb 1771 if (size < (int)sizeof(struct dns_header))
feba5c1d
SK		 1772 continue;
1773
25cf5e37
SK		 1774 query_count++;
1775
1776 /* log_query gets called indirectly all over the place, so
1777 pass these in global variables - sorry. */
1778 daemon->log_display_id = ++daemon->log_id;
1779 daemon->log_source_addr = &peer_addr;
1780
ed4c0767
SK		 1781 check_subnet = 0;
1782
28866e95 1783 /* save state of "cd" flag in query */
7d7b7b31
SK		 1784 if ((checking_disabled = header->hb4 & HB4_CD))
1785 no_cache_dnssec = 1;
28866e95 1786
3be34541 1787 if ((gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
feba5c1d 1788 {
b485ed97
SK		 1789#ifdef HAVE_AUTH
1790 struct auth_zone *zone;
1791#endif
610e782a 1792 char *types = querystr(auth_dns ? "auth" : "query", qtype);
7de060b0
SK		 1793
1794 if (peer_addr.sa.sa_family == AF_INET)
1795 log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff,
1796 (struct all_addr *)&peer_addr.in.sin_addr, types);
feba5c1d 1797#ifdef HAVE_IPV6
7de060b0
SK		 1798 else
1799 log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff,
1800 (struct all_addr *)&peer_addr.in6.sin6_addr, types);
feba5c1d 1801#endif
b485ed97
SK		 1802
1803#ifdef HAVE_AUTH
1804 /* find queries for zones we're authoritative for, and answer them directly */
6008bdbb
SK		 1805 if (!auth_dns)
1806 for (zone = daemon->auth_zones; zone; zone = zone->next)
1807 if (in_zone(zone, daemon->namebuff, NULL))
1808 {
1809 auth_dns = 1;
1810 local_auth = 1;
1811 break;
1812 }
b485ed97 1813#endif
feba5c1d
SK		 1814 }
1815
7de060b0
SK		 1816 if (local_addr->sa.sa_family == AF_INET)
1817 dst_addr_4 = local_addr->in.sin_addr;
1818 else
1819 dst_addr_4.s_addr = 0;
1820
4820dce9 1821#ifdef HAVE_AUTH
4f7b304f 1822 if (auth_dns)
19b16891 1823 m = answer_auth(header, ((char *) header) + 65536, (size_t)size, now, &peer_addr, local_auth);
4f7b304f 1824 else
4820dce9 1825#endif
feba5c1d 1826 {
4f7b304f
SK		 1827 /* m > 0 if answered from cache */
1828 m = answer_request(header, ((char *) header) + 65536, (size_t)size,
613ad15d 1829 dst_addr_4, netmask, now, &ad_question, &do_bit);
feba5c1d 1830
4f7b304f
SK		 1831 /* Do this by steam now we're not in the select() loop */
1832 check_log_writer(NULL);
1833
1834 if (m == 0)
feba5c1d 1835 {
4f7b304f
SK		 1836 unsigned int flags = 0;
1837 struct all_addr *addrp = NULL;
1838 int type = 0;
1839 char *domain = NULL;
feba5c1d 1840
4f7b304f
SK		 1841 if (option_bool(OPT_ADD_MAC))
1842 size = add_mac(header, size, ((char *) header) + 65536, &peer_addr);
ed4c0767
SK		 1843
1844 if (option_bool(OPT_CLIENT_SUBNET))
1845 {
1846 size_t new = add_source_addr(header, size, ((char *) header) + 65536, &peer_addr);
1847 if (size != new)
1848 {
1849 size = new;
1850 check_subnet = 1;
1851 }
1852 }
1853
4f7b304f
SK		 1854 if (gotname)
1855 flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
1856
1857 if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
1858 last_server = daemon->servers;
1859 else
1860 last_server = daemon->last_server;
1861
1862 if (!flags && last_server)
1863 {
1864 struct server *firstsendto = NULL;
8a9be9e4 1865#ifdef HAVE_DNSSEC
703c7ff4 1866 unsigned char *newhash, hash[HASH_SIZE];
63758384 1867 if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff)))
8a9be9e4 1868 memcpy(hash, newhash, HASH_SIZE);
b37f8b99
TH		 1869 else
1870 memset(hash, 0, HASH_SIZE);
8a9be9e4 1871#else
4f7b304f 1872 unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff);
8a9be9e4 1873#endif
4f7b304f
SK		 1874 /* Loop round available servers until we succeed in connecting to one.
1875 Note that this code subtley ensures that consecutive queries on this connection
1876 which can go to the same server, do so. */
1877 while (1)
feba5c1d 1878 {
4f7b304f
SK		 1879 if (!firstsendto)
1880 firstsendto = last_server;
1881 else
1882 {
1883 if (!(last_server = last_server->next))
1884 last_server = daemon->servers;
1885
1886 if (last_server == firstsendto)
1887 break;
1888 }
1889
1890 /* server for wrong domain */
1891 if (type != (last_server->flags & SERV_TYPE) ||
b5ea1cc2
SK		 1892 (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) ||
1893 (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP)))
7de060b0
SK		 1894 continue;
1895
4f7b304f 1896 if (last_server->tcpfd == -1)
7de060b0 1897 {
4f7b304f
SK		 1898 if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1)
1899 continue;
1900
e9828b6f
KV		 1901#ifdef HAVE_CONNTRACK
1902 /* Copy connection mark of incoming query to outgoing connection. */
1903 if (option_bool(OPT_CONNTRACK))
1904 {
1905 unsigned int mark;
1906 struct all_addr local;
1907#ifdef HAVE_IPV6
1908 if (local_addr->sa.sa_family == AF_INET6)
1909 local.addr.addr6 = local_addr->in6.sin6_addr;
1910 else
1911#endif
1912 local.addr.addr4 = local_addr->in.sin_addr;
1913
1914 if (get_incoming_mark(&peer_addr, &local, 1, &mark))
1915 setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int));
1916 }
1917#endif
1918
4f7b304f
SK		 1919 if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) ||
1920 connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1))
1921 {
1922 close(last_server->tcpfd);
1923 last_server->tcpfd = -1;
1924 continue;
1925 }
1926
7d7b7b31
SK		 1927#ifdef HAVE_DNSSEC
1928 if (option_bool(OPT_DNSSEC_VALID))
1929 {
613ad15d
SK		 1930 size_t new_size = add_do_bit(header, size, ((char *) header) + 65536);
1931
2ecd9bd5
SK		 1932 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1933 this allows it to select auth servers when one is returning bad data. */
1934 if (option_bool(OPT_DNSSEC_DEBUG))
1935 header->hb4 |= HB4_CD;
613ad15d
SK		 1936
1937 if (size != new_size)
1938 added_pheader = 1;
1939
1940 size = new_size;
7d7b7b31
SK		 1941 }
1942#endif
4f7b304f
SK		 1943 }
1944
4b5ea12e 1945 *length = htons(size);
1fc02680
SK		 1946
1947 /* get query name again for logging - may have been overwritten */
1948 if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype)))
1949 strcpy(daemon->namebuff, "query");
4f7b304f 1950
4b5ea12e 1951 if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) ||
4f7b304f 1952 !read_write(last_server->tcpfd, &c1, 1, 1) ||
7d7b7b31
SK		 1953 !read_write(last_server->tcpfd, &c2, 1, 1) ||
1954 !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1))
4f7b304f
SK		 1955 {
1956 close(last_server->tcpfd);
1957 last_server->tcpfd = -1;
1958 continue;
1959 }
1960
1961 m = (c1 << 8) | c2;
4f7b304f 1962
4f7b304f
SK		 1963 if (last_server->addr.sa.sa_family == AF_INET)
1964 log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff,
1965 (struct all_addr *)&last_server->addr.in.sin_addr, NULL);
feba5c1d 1966#ifdef HAVE_IPV6
4f7b304f
SK		 1967 else
1968 log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff,
1969 (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL);
feba5c1d 1970#endif
7d7b7b31
SK		 1971
1972#ifdef HAVE_DNSSEC
1973 if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled)
1974 {
7fa836e1
SK		 1975 int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
1976 int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
1977 char *result;
1978
fe3992f9
SK		 1979 if (status == STAT_INSECURE_DS)
1980 {
1981 /* We only cache sigs when we've validated a reply.
1982 Avoid caching a reply with sigs if there's a vaildated break in the
1983 DS chain, so we don't return replies from cache missing sigs. */
1984 status = STAT_INSECURE;
1985 no_cache_dnssec = 1;
1986 }
1987
7fa836e1 1988 if (keycount == 0)
150162bc
SK		 1989 {
1990 result = "ABANDONED";
1991 status = STAT_BOGUS;
1992 }
7fa836e1
SK		 1993 else
1994 result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
7d7b7b31 1995
7fa836e1 1996 log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
7d7b7b31 1997
7d7b7b31 1998 if (status == STAT_BOGUS)
fe3992f9
SK		 1999 {
2000 no_cache_dnssec = 1;
2001 bogusanswer = 1;
2002 }
2003
7d7b7b31
SK		 2004 if (status == STAT_SECURE)
2005 cache_secure = 1;
2006 }
2007#endif
2008
2009 /* restore CD bit to the value in the query */
2010 if (checking_disabled)
2011 header->hb4 |= HB4_CD;
2012 else
2013 header->hb4 &= ~HB4_CD;
4f7b304f
SK		 2014
2015 /* There's no point in updating the cache, since this process will exit and
2016 lose the information after a few queries. We make this call for the alias and
2017 bogus-nxdomain side-effects. */
2018 /* If the crc of the question section doesn't match the crc we sent, then
2019 someone might be attempting to insert bogus values into the cache by
2020 sending replies containing questions and bogus answers. */
8a9be9e4
SK		 2021#ifdef HAVE_DNSSEC
2022 newhash = hash_questions(header, (unsigned int)m, daemon->namebuff);
2023 if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0)
703c7ff4
SK		 2024 {
2025 m = 0;
2026 break;
2027 }
8a9be9e4
SK		 2028#else
2029 if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff))
703c7ff4
SK		 2030 {
2031 m = 0;
2032 break;
2033 }
8a9be9e4
SK		 2034#endif
2035
2036 m = process_reply(header, now, last_server, (unsigned int)m,
fe3992f9 2037 option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, bogusanswer,
613ad15d 2038 cache_secure, ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
4f7b304f
SK		 2039
2040 break;
2041 }
feba5c1d 2042 }
4f7b304f
SK		 2043
2044 /* In case of local answer or no connections made. */
2045 if (m == 0)
2046 m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl);
feba5c1d 2047 }
feba5c1d 2048 }
4f7b304f 2049
5aabfc78 2050 check_log_writer(NULL);
feba5c1d 2051
4b5ea12e
SK		 2052 *length = htons(m);
2053
2054 if (m == 0 || !read_write(confd, packet, m + sizeof(u16), 0))
feba5c1d
SK		 2055 return packet;
2056 }
2057}
2058
1697269c 2059static struct frec *allocate_frec(time_t now)
9e4abcb5 2060{
1697269c
SK		 2061 struct frec *f;
2062
5aabfc78 2063 if ((f = (struct frec *)whine_malloc(sizeof(struct frec))))
9e4abcb5 2064 {
1a6bca81 2065 f->next = daemon->frec_list;
1697269c 2066 f->time = now;
832af0ba 2067 f->sentto = NULL;
1a6bca81 2068 f->rfd4 = NULL;
28866e95 2069 f->flags = 0;
1a6bca81
SK		 2070#ifdef HAVE_IPV6
2071 f->rfd6 = NULL;
3a237152
SK		 2072#endif
2073#ifdef HAVE_DNSSEC
97bc798b 2074 f->dependent = NULL;
3a237152 2075 f->blocking_query = NULL;
4619d946 2076 f->stash = NULL;
97e618a0 2077 f->orig_domain = NULL;
1a6bca81
SK		 2078#endif
2079 daemon->frec_list = f;
1697269c 2080 }
9e4abcb5 2081
1697269c
SK		 2082 return f;
2083}
9e4abcb5 2084
b5ea1cc2 2085struct randfd *allocate_rfd(int family)
1a6bca81
SK		 2086{
2087 static int finger = 0;
2088 int i;
2089
2090 /* limit the number of sockets we have open to avoid starvation of
2091 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2092
2093 for (i = 0; i < RANDOM_SOCKS; i++)
9009d746 2094 if (daemon->randomsocks[i].refcount == 0)
1a6bca81 2095 {
9009d746
SK		 2096 if ((daemon->randomsocks[i].fd = random_sock(family)) == -1)
2097 break;
2098
1a6bca81
SK		 2099 daemon->randomsocks[i].refcount = 1;
2100 daemon->randomsocks[i].family = family;
2101 return &daemon->randomsocks[i];
2102 }
2103
9009d746 2104 /* No free ones or cannot get new socket, grab an existing one */
1a6bca81
SK		 2105 for (i = 0; i < RANDOM_SOCKS; i++)
2106 {
2107 int j = (i+finger) % RANDOM_SOCKS;
9009d746
SK		 2108 if (daemon->randomsocks[j].refcount != 0 &&
2109 daemon->randomsocks[j].family == family &&
2110 daemon->randomsocks[j].refcount != 0xffff)
1a6bca81
SK		 2111 {
2112 finger = j;
2113 daemon->randomsocks[j].refcount++;
2114 return &daemon->randomsocks[j];
2115 }
2116 }
2117
2118 return NULL; /* doom */
2119}
b5ea1cc2
SK		 2120
2121void free_rfd(struct randfd *rfd)
2122{
2123 if (rfd && --(rfd->refcount) == 0)
2124 close(rfd->fd);
2125}
2126
1a6bca81
SK		 2127static void free_frec(struct frec *f)
2128{
b5ea1cc2 2129 free_rfd(f->rfd4);
1a6bca81
SK		 2130 f->rfd4 = NULL;
2131 f->sentto = NULL;
28866e95 2132 f->flags = 0;
1a6bca81
SK		 2133
2134#ifdef HAVE_IPV6
b5ea1cc2 2135 free_rfd(f->rfd6);
1a6bca81
SK		 2136 f->rfd6 = NULL;
2137#endif
3a237152
SK		 2138
2139#ifdef HAVE_DNSSEC
2140 if (f->stash)
0fc2f313
SK		 2141 {
2142 blockdata_free(f->stash);
2143 f->stash = NULL;
2144 }
3a237152 2145
97e618a0
SK		 2146 if (f->orig_domain)
2147 {
2148 blockdata_free(f->orig_domain);
2149 f->orig_domain = NULL;
2150 }
2151
3a237152
SK		 2152 /* Anything we're waiting on is pointless now, too */
2153 if (f->blocking_query)
2154 free_frec(f->blocking_query);
2155 f->blocking_query = NULL;
39048ad1 2156 f->dependent = NULL;
3a237152 2157#endif
1a6bca81
SK		 2158}
2159
1697269c
SK		 2160/* if wait==NULL return a free or older than TIMEOUT record.
2161 else return *wait zero if one available, or *wait is delay to
1a6bca81 2162 when the oldest in-use record will expire. Impose an absolute
3a237152
SK		 2163 limit of 4*TIMEOUT before we wipe things (for random sockets).
2164 If force is set, always return a result, even if we have
2165 to allocate above the limit. */
2166struct frec *get_new_frec(time_t now, int *wait, int force)
1697269c 2167{
1a6bca81 2168 struct frec *f, *oldest, *target;
1697269c
SK		 2169 int count;
2170
2171 if (wait)
2172 *wait = 0;
2173
1a6bca81 2174 for (f = daemon->frec_list, oldest = NULL, target = NULL, count = 0; f; f = f->next, count++)
832af0ba 2175 if (!f->sentto)
1a6bca81
SK		 2176 target = f;
2177 else
1697269c 2178 {
1a6bca81
SK		 2179 if (difftime(now, f->time) >= 4*TIMEOUT)
2180 {
2181 free_frec(f);
2182 target = f;
2183 }
2184
2185 if (!oldest || difftime(f->time, oldest->time) <= 0)
2186 oldest = f;
1697269c 2187 }
1a6bca81
SK		 2188
2189 if (target)
2190 {
2191 target->time = now;
2192 return target;
2193 }
9e4abcb5
SK		 2194
2195 /* can't find empty one, use oldest if there is one
2196 and it's older than timeout */
1697269c 2197 if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT)
9e4abcb5 2198 {
1697269c
SK		 2199 /* keep stuff for twice timeout if we can by allocating a new
2200 record instead */
2201 if (difftime(now, oldest->time) < 2*TIMEOUT &&
2202 count <= daemon->ftabsize &&
2203 (f = allocate_frec(now)))
2204 return f;
2205
2206 if (!wait)
2207 {
1a6bca81 2208 free_frec(oldest);
1697269c
SK		 2209 oldest->time = now;
2210 }
9e4abcb5
SK		 2211 return oldest;
2212 }
2213
1697269c 2214 /* none available, calculate time 'till oldest record expires */
3a237152 2215 if (!force && count > daemon->ftabsize)
1697269c 2216 {
0da5e897
MSB		 2217 static time_t last_log = 0;
2218
1697269c
SK		 2219 if (oldest && wait)
2220 *wait = oldest->time + (time_t)TIMEOUT - now;
0da5e897
MSB		 2221
2222 if ((int)difftime(now, last_log) > 5)
2223 {
2224 last_log = now;
2225 my_syslog(LOG_WARNING, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon->ftabsize);
2226 }
2227
9e4abcb5
SK		 2228 return NULL;
2229 }
1697269c
SK		 2230
2231 if (!(f = allocate_frec(now)) && wait)
2232 /* wait one second on malloc failure */
2233 *wait = 1;
9e4abcb5 2234
9e4abcb5
SK		 2235 return f; /* OK if malloc fails and this is NULL */
2236}
2237
832af0ba 2238/* crc is all-ones if not known. */
8a9be9e4 2239static struct frec *lookup_frec(unsigned short id, void *hash)
9e4abcb5
SK		 2240{
2241 struct frec *f;
2242
1a6bca81 2243 for(f = daemon->frec_list; f; f = f->next)
832af0ba 2244 if (f->sentto && f->new_id == id &&
8a9be9e4 2245 (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0))
9e4abcb5
SK		 2246 return f;
2247
2248 return NULL;
2249}
2250
2251static struct frec *lookup_frec_by_sender(unsigned short id,
fd9fa481 2252 union mysockaddr *addr,
8a9be9e4 2253 void *hash)
9e4abcb5 2254{
feba5c1d
SK		 2255 struct frec *f;
2256
1a6bca81 2257 for(f = daemon->frec_list; f; f = f->next)
832af0ba 2258 if (f->sentto &&
9e4abcb5 2259 f->orig_id == id &&
8a9be9e4 2260 memcmp(hash, f->hash, HASH_SIZE) == 0 &&
9e4abcb5
SK		 2261 sockaddr_isequal(&f->source, addr))
2262 return f;
2263
2264 return NULL;
2265}
47a95169
SK		 2266
2267/* Send query packet again, if we can. */
2268void resend_query()
2269{
2270 if (daemon->srv_save)
2271 {
2272 int fd;
2273
2274 if (daemon->srv_save->sfd)
2275 fd = daemon->srv_save->sfd->fd;
2276 else if (daemon->rfd_save && daemon->rfd_save->refcount != 0)
2277 fd = daemon->rfd_save->fd;
2278 else
2279 return;
2280
ff841ebf
SK		 2281 while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
2282 &daemon->srv_save->addr.sa,
2283 sa_len(&daemon->srv_save->addr))));
47a95169
SK		 2284 }
2285}
9e4abcb5 2286
849a8357 2287/* A server record is going away, remove references to it */
5aabfc78 2288void server_gone(struct server *server)
849a8357
SK		 2289{
2290 struct frec *f;
2291
1a6bca81 2292 for (f = daemon->frec_list; f; f = f->next)
832af0ba 2293 if (f->sentto && f->sentto == server)
1a6bca81 2294 free_frec(f);
849a8357
SK		 2295
2296 if (daemon->last_server == server)
2297 daemon->last_server = NULL;
2298
2299 if (daemon->srv_save == server)
2300 daemon->srv_save = NULL;
2301}
9e4abcb5 2302
316e2730 2303/* return unique random ids. */
8a9be9e4 2304static unsigned short get_id(void)
9e4abcb5
SK		 2305{
2306 unsigned short ret = 0;
832af0ba 2307
316e2730 2308 do
832af0ba 2309 ret = rand16();
8a9be9e4 2310 while (lookup_frec(ret, NULL));
832af0ba 2311
9e4abcb5
SK		 2312 return ret;
2313}
2314
2315
2316
2317
2318
Michael's tree of dnsmasq.