]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, void *hash
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(void);
24 static void free_frec(struct frec
*f
);
27 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
28 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
);
29 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
);
30 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
31 char *name
, char *keyname
);
35 /* Send a UDP packet with its source address set as "source"
36 unless nowild is true, when we just send it with the kernel default */
37 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
38 union mysockaddr
*to
, struct all_addr
*source
,
44 struct cmsghdr align
; /* this ensures alignment */
45 #if defined(HAVE_LINUX_NETWORK)
46 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
47 #elif defined(IP_SENDSRCADDR)
48 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
51 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
55 iov
[0].iov_base
= packet
;
58 msg
.msg_control
= NULL
;
59 msg
.msg_controllen
= 0;
62 msg
.msg_namelen
= sa_len(to
);
68 struct cmsghdr
*cmptr
;
69 msg
.msg_control
= &control_u
;
70 msg
.msg_controllen
= sizeof(control_u
);
71 cmptr
= CMSG_FIRSTHDR(&msg
);
73 if (to
->sa
.sa_family
== AF_INET
)
75 #if defined(HAVE_LINUX_NETWORK)
78 p
.ipi_spec_dst
= source
->addr
.addr4
;
79 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
80 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
81 cmptr
->cmsg_level
= IPPROTO_IP
;
82 cmptr
->cmsg_type
= IP_PKTINFO
;
83 #elif defined(IP_SENDSRCADDR)
84 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
85 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
86 cmptr
->cmsg_level
= IPPROTO_IP
;
87 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
94 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
95 p
.ipi6_addr
= source
->addr
.addr6
;
96 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
97 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
98 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
99 cmptr
->cmsg_level
= IPPROTO_IPV6
;
102 (void)iface
; /* eliminate warning */
106 while (retry_send(sendmsg(fd
, &msg
, 0)));
108 /* If interface is still in DAD, EINVAL results - ignore that. */
109 if (errno
!= 0 && errno
!= EINVAL
)
111 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
118 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
119 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
122 /* If the query ends in the domain in one of our servers, set
123 domain to point to that name. We find the largest match to allow both
124 domain.org and sub.domain.org to exist. */
126 unsigned int namelen
= strlen(qdomain
);
127 unsigned int matchlen
= 0;
129 unsigned int flags
= 0;
131 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
132 /* domain matches take priority over NODOTS matches */
133 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
135 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
136 *type
= SERV_FOR_NODOTS
;
137 if (serv
->flags
& SERV_NO_ADDR
)
139 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
144 if (serv
->addr
.sa
.sa_family
== AF_INET
)
145 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
148 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
151 else if (!flags
|| (flags
& F_NXDOMAIN
))
155 else if (serv
->flags
& SERV_HAS_DOMAIN
)
157 unsigned int domainlen
= strlen(serv
->domain
);
158 char *matchstart
= qdomain
+ namelen
- domainlen
;
159 if (namelen
>= domainlen
&&
160 hostname_isequal(matchstart
, serv
->domain
) &&
161 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
163 if (serv
->flags
& SERV_NO_REBIND
)
167 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
168 /* implement priority rules for --address and --server for same domain.
169 --address wins if the address is for the correct AF
170 --server wins otherwise. */
171 if (domainlen
!= 0 && domainlen
== matchlen
)
173 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
175 if (!(sflag
& qtype
) && flags
== 0)
180 if (flags
& (F_IPV4
| F_IPV6
))
185 if (domainlen
>= matchlen
)
187 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
188 *domain
= serv
->domain
;
189 matchlen
= domainlen
;
190 if (serv
->flags
& SERV_NO_ADDR
)
192 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
197 if (serv
->addr
.sa
.sa_family
== AF_INET
)
198 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
201 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
204 else if (!flags
|| (flags
& F_NXDOMAIN
))
214 if (flags
== 0 && !(qtype
& F_QUERY
) &&
215 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
216 /* don't forward A or AAAA queries for simple names, except the empty name */
219 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
226 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
227 logflags
= F_NEG
| qtype
;
229 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
231 else if ((*type
) & SERV_USE_RESOLV
)
233 *type
= 0; /* use normal servers for this domain */
239 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
240 struct all_addr
*dst_addr
, unsigned int dst_iface
,
241 struct dns_header
*header
, size_t plen
, time_t now
,
242 struct frec
*forward
, int ad_reqd
, int do_bit
)
245 int type
= 0, norebind
= 0;
246 struct all_addr
*addrp
= NULL
;
247 unsigned int flags
= 0;
248 struct server
*start
= NULL
;
250 void *hash
= hash_questions(header
, plen
, daemon
->namebuff
);
252 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
255 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
259 /* may be no servers available. */
260 if (!daemon
->servers
)
262 else if (forward
|| (hash
&& (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, hash
))))
265 /* If we've already got an answer to this query, but we're awaiting keys for validation,
266 there's no point retrying the query, retry the key query instead...... */
267 if (forward
->blocking_query
)
271 while (forward
->blocking_query
)
272 forward
= forward
->blocking_query
;
274 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
275 plen
= forward
->stash_len
;
277 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET
)
278 log_query(F_NOEXTRA
| F_DNSSEC
| F_IPV4
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in
.sin_addr
, "dnssec");
281 log_query(F_NOEXTRA
| F_DNSSEC
| F_IPV6
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in6
.sin6_addr
, "dnssec");
284 if (forward
->sentto
->sfd
)
285 fd
= forward
->sentto
->sfd
->fd
;
289 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET6
)
290 fd
= forward
->rfd6
->fd
;
293 fd
= forward
->rfd4
->fd
;
296 while (retry_send( sendto(fd
, (char *)header
, plen
, 0,
297 &forward
->sentto
->addr
.sa
,
298 sa_len(&forward
->sentto
->addr
))));
304 /* retry on existing query, send to all available servers */
305 domain
= forward
->sentto
->domain
;
306 forward
->sentto
->failed_queries
++;
307 if (!option_bool(OPT_ORDER
))
309 forward
->forwardall
= 1;
310 daemon
->last_server
= NULL
;
312 type
= forward
->sentto
->flags
& SERV_TYPE
;
313 if (!(start
= forward
->sentto
->next
))
314 start
= daemon
->servers
; /* at end of list, recycle */
315 header
->id
= htons(forward
->new_id
);
320 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
322 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
323 /* table full - server failure. */
328 forward
->source
= *udpaddr
;
329 forward
->dest
= *dst_addr
;
330 forward
->iface
= dst_iface
;
331 forward
->orig_id
= ntohs(header
->id
);
332 forward
->new_id
= get_id();
334 memcpy(forward
->hash
, hash
, HASH_SIZE
);
335 forward
->forwardall
= 0;
338 forward
->flags
|= FREC_NOREBIND
;
339 if (header
->hb4
& HB4_CD
)
340 forward
->flags
|= FREC_CHECKING_DISABLED
;
342 forward
->flags
|= FREC_AD_QUESTION
;
344 forward
->work_counter
= DNSSEC_WORK
;
346 forward
->flags
|= FREC_DO_QUESTION
;
349 header
->id
= htons(forward
->new_id
);
351 /* In strict_order mode, always try servers in the order
352 specified in resolv.conf, if a domain is given
353 always try all the available servers,
354 otherwise, use the one last known to work. */
358 if (option_bool(OPT_ORDER
))
359 start
= daemon
->servers
;
360 else if (!(start
= daemon
->last_server
) ||
361 daemon
->forwardcount
++ > FORWARD_TEST
||
362 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
364 start
= daemon
->servers
;
365 forward
->forwardall
= 1;
366 daemon
->forwardcount
= 0;
367 daemon
->forwardtime
= now
;
372 start
= daemon
->servers
;
373 if (!option_bool(OPT_ORDER
))
374 forward
->forwardall
= 1;
379 /* check for send errors here (no route to host)
380 if we fail to send to all nameservers, send back an error
381 packet straight away (helps modem users when offline) */
383 if (!flags
&& forward
)
385 struct server
*firstsentto
= start
;
388 /* If a query is retried, use the log_id for the retry when logging the answer. */
389 forward
->log_id
= daemon
->log_id
;
391 if (option_bool(OPT_ADD_MAC
))
392 plen
= add_mac(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
394 if (option_bool(OPT_CLIENT_SUBNET
))
396 size_t new = add_source_addr(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
400 forward
->flags
|= FREC_HAS_SUBNET
;
405 if (option_bool(OPT_DNSSEC_VALID
))
407 size_t new_plen
= add_do_bit(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
);
409 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
410 this allows it to select auth servers when one is returning bad data. */
411 if (option_bool(OPT_DNSSEC_DEBUG
))
412 header
->hb4
|= HB4_CD
;
414 if (new_plen
!= plen
)
415 forward
->flags
|= FREC_ADDED_PHEADER
;
423 /* only send to servers dealing with our domain.
424 domain may be NULL, in which case server->domain
425 must be NULL also. */
427 if (type
== (start
->flags
& SERV_TYPE
) &&
428 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
429 !(start
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
433 /* find server socket to use, may need to get random one. */
439 if (start
->addr
.sa
.sa_family
== AF_INET6
)
441 if (!forward
->rfd6
&&
442 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
444 daemon
->rfd_save
= forward
->rfd6
;
445 fd
= forward
->rfd6
->fd
;
450 if (!forward
->rfd4
&&
451 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
453 daemon
->rfd_save
= forward
->rfd4
;
454 fd
= forward
->rfd4
->fd
;
457 #ifdef HAVE_CONNTRACK
458 /* Copy connection mark of incoming query to outgoing connection. */
459 if (option_bool(OPT_CONNTRACK
))
462 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
463 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
468 if (retry_send(sendto(fd
, (char *)header
, plen
, 0,
470 sa_len(&start
->addr
))))
475 /* Keep info in case we want to re-send this packet */
476 daemon
->srv_save
= start
;
477 daemon
->packet_len
= plen
;
480 strcpy(daemon
->namebuff
, "query");
481 if (start
->addr
.sa
.sa_family
== AF_INET
)
482 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
483 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
486 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
487 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
491 forward
->sentto
= start
;
492 if (!forward
->forwardall
)
494 forward
->forwardall
++;
498 if (!(start
= start
->next
))
499 start
= daemon
->servers
;
501 if (start
== firstsentto
)
508 /* could not send on, prepare to return */
509 header
->id
= htons(forward
->orig_id
);
510 free_frec(forward
); /* cancel */
513 /* could not send on, return empty answer or address if known for whole domain */
516 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
517 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
523 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
524 int no_cache
, int cache_secure
, int bogusanswer
, int ad_reqd
, int do_bit
, int added_pheader
,
525 int check_subnet
, union mysockaddr
*query_source
)
527 unsigned char *pheader
, *sizep
;
529 int munged
= 0, is_sign
;
536 if (daemon
->ipsets
&& extract_request(header
, n
, daemon
->namebuff
, NULL
))
538 /* Similar algorithm to search_servers. */
539 struct ipsets
*ipset_pos
;
540 unsigned int namelen
= strlen(daemon
->namebuff
);
541 unsigned int matchlen
= 0;
542 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
544 unsigned int domainlen
= strlen(ipset_pos
->domain
);
545 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
546 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
547 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
548 domainlen
>= matchlen
)
550 matchlen
= domainlen
;
551 sets
= ipset_pos
->sets
;
557 /* If upstream is advertising a larger UDP packet size
558 than we allow, trim it so that we don't get overlarge
559 requests for the client. We can't do this for signed packets. */
561 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
563 unsigned short udpsz
;
564 unsigned char *psave
= sizep
;
566 GETSHORT(udpsz
, sizep
);
568 if (!is_sign
&& udpsz
> daemon
->edns_pktsz
)
569 PUTSHORT(daemon
->edns_pktsz
, psave
);
571 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
573 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
580 header
->arcount
= htons(0);
584 /* RFC 4035 sect 4.6 para 3 */
585 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
586 header
->hb4
&= ~HB4_AD
;
588 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
589 return resize_packet(header
, n
, pheader
, plen
);
591 /* Complain loudly if the upstream server is non-recursive. */
592 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
593 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
595 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
596 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
597 if (!option_bool(OPT_LOG
))
598 server
->flags
|= SERV_WARNED_RECURSIVE
;
601 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
602 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
605 SET_RCODE(header
, NXDOMAIN
);
606 header
->hb3
&= ~HB3_AA
;
613 if (RCODE(header
) == NXDOMAIN
&&
614 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
615 check_for_local_domain(daemon
->namebuff
, now
))
617 /* if we forwarded a query for a locally known name (because it was for
618 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
619 since we know that the domain exists, even if upstream doesn't */
621 header
->hb3
|= HB3_AA
;
622 SET_RCODE(header
, NOERROR
);
626 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
, cache_secure
, &doctored
))
628 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
638 if (bogusanswer
&& !(header
->hb4
& HB4_CD
))
640 if (!option_bool(OPT_DNSSEC_DEBUG
))
642 /* Bogus reply, turn into SERVFAIL */
643 SET_RCODE(header
, SERVFAIL
);
648 if (option_bool(OPT_DNSSEC_VALID
))
649 header
->hb4
&= ~HB4_AD
;
651 if (!(header
->hb4
& HB4_CD
) && ad_reqd
&& cache_secure
)
652 header
->hb4
|= HB4_AD
;
654 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
656 n
= filter_rrsigs(header
, n
);
659 /* do this after extract_addresses. Ensure NODATA reply and remove
664 header
->ancount
= htons(0);
665 header
->nscount
= htons(0);
666 header
->arcount
= htons(0);
667 header
->hb3
&= ~HB3_TC
;
670 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
671 sections of the packet. Find the new length here and put back pseudoheader
672 if it was removed. */
673 return resize_packet(header
, n
, pheader
, plen
);
676 /* sets new last_server */
677 void reply_query(int fd
, int family
, time_t now
)
679 /* packet from peer server, extract data for cache, and send to
680 original requester */
681 struct dns_header
*header
;
682 union mysockaddr serveraddr
;
683 struct frec
*forward
;
684 socklen_t addrlen
= sizeof(serveraddr
);
685 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->packet_buff_sz
, 0, &serveraddr
.sa
, &addrlen
);
687 struct server
*server
;
693 /* packet buffer overwritten */
694 daemon
->srv_save
= NULL
;
696 /* Determine the address of the server replying so that we can mark that as good */
697 serveraddr
.sa
.sa_family
= family
;
699 if (serveraddr
.sa
.sa_family
== AF_INET6
)
700 serveraddr
.in6
.sin6_flowinfo
= 0;
703 header
= (struct dns_header
*)daemon
->packet
;
705 if (n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
))
708 /* spoof check: answer must come from known server, */
709 for (server
= daemon
->servers
; server
; server
= server
->next
)
710 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
711 sockaddr_isequal(&server
->addr
, &serveraddr
))
718 hash
= hash_questions(header
, n
, daemon
->namebuff
);
721 crc
= questions_crc(header
, n
, daemon
->namebuff
);
724 if (!(forward
= lookup_frec(ntohs(header
->id
), hash
)))
727 /* log_query gets called indirectly all over the place, so
728 pass these in global variables - sorry. */
729 daemon
->log_display_id
= forward
->log_id
;
730 daemon
->log_source_addr
= &forward
->source
;
732 if (daemon
->ignore_addr
&& RCODE(header
) == NOERROR
&&
733 check_for_ignored_address(header
, n
, daemon
->ignore_addr
))
736 if (RCODE(header
) == REFUSED
&&
737 !option_bool(OPT_ORDER
) &&
738 forward
->forwardall
== 0)
739 /* for broken servers, attempt to send to another one. */
741 unsigned char *pheader
;
745 /* recreate query from reply */
746 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
749 header
->ancount
= htons(0);
750 header
->nscount
= htons(0);
751 header
->arcount
= htons(0);
752 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
754 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
755 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
, 0, 0);
761 server
= forward
->sentto
;
763 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
765 if (RCODE(header
) == REFUSED
)
769 struct server
*last_server
;
771 /* find good server by address if possible, otherwise assume the last one we sent to */
772 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
773 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
774 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
776 server
= last_server
;
780 if (!option_bool(OPT_ALL_SERVERS
))
781 daemon
->last_server
= server
;
784 /* If the answer is an error, keep the forward record in place in case
785 we get a good reply from another server. Kill it when we've
786 had replies from all to avoid filling the forwarding table when
787 everything is broken */
788 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 || RCODE(header
) != SERVFAIL
)
790 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0, bogusanswer
= 0;
792 if (option_bool(OPT_NO_REBIND
))
793 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
795 /* Don't cache replies where DNSSEC validation was turned off, either
796 the upstream server told us so, or the original query specified it. */
797 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
801 if (server
&& option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
805 /* We've had a reply already, which we're validating. Ignore this duplicate */
806 if (forward
->blocking_query
)
809 if (header
->hb3
& HB3_TC
)
811 /* Truncated answer can't be validated.
812 If this is an answer to a DNSSEC-generated query, we still
813 need to get the client to retry over TCP, so return
814 an answer with the TC bit set, even if the actual answer fits.
816 status
= STAT_TRUNCATED
;
818 else if (forward
->flags
& FREC_DNSKEY_QUERY
)
819 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
820 else if (forward
->flags
& FREC_DS_QUERY
)
822 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
823 /* Provably no DS, everything below is insecure, even if signatures are offered */
824 if (status
== STAT_NO_DS
)
825 /* We only cache sigs when we've validated a reply.
826 Avoid caching a reply with sigs if there's a vaildated break in the
827 DS chain, so we don't return replies from cache missing sigs. */
828 status
= STAT_INSECURE_DS
;
829 else if (status
== STAT_NO_NS
)
832 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
834 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
835 if (status
!= STAT_NEED_KEY
)
836 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
840 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
841 if (status
== STAT_NO_SIG
)
843 if (option_bool(OPT_DNSSEC_NO_SIGN
))
844 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
846 status
= STAT_INSECURE
;
849 /* Can't validate, as we're missing key data. Put this
850 answer aside, whilst we get that. */
851 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
853 struct frec
*new, *orig
;
855 /* Free any saved query */
857 blockdata_free(forward
->stash
);
859 /* Now save reply pending receipt of key data */
860 if (!(forward
->stash
= blockdata_alloc((char *)header
, n
)))
862 forward
->stash_len
= n
;
865 /* Find the original query that started it all.... */
866 for (orig
= forward
; orig
->dependent
; orig
= orig
->dependent
);
868 if (--orig
->work_counter
== 0 || !(new = get_new_frec(now
, NULL
, 1)))
869 status
= STAT_INSECURE
;
873 struct frec
*next
= new->next
;
874 *new = *forward
; /* copy everything, then overwrite */
876 new->blocking_query
= NULL
;
877 new->sentto
= server
;
879 new->orig_domain
= NULL
;
883 new->flags
&= ~(FREC_DNSKEY_QUERY
| FREC_DS_QUERY
| FREC_CHECK_NOSIGN
);
885 new->dependent
= forward
; /* to find query awaiting new one. */
886 forward
->blocking_query
= new; /* for garbage cleaning */
887 /* validate routines leave name of required record in daemon->keyname */
888 if (status
== STAT_NEED_KEY
)
890 new->flags
|= FREC_DNSKEY_QUERY
;
891 nn
= dnssec_generate_query(header
, ((char *) header
) + daemon
->packet_buff_sz
,
892 daemon
->keyname
, forward
->class, T_DNSKEY
, &server
->addr
);
896 if (status
== STAT_NEED_DS_NEG
)
897 new->flags
|= FREC_CHECK_NOSIGN
;
899 new->flags
|= FREC_DS_QUERY
;
900 nn
= dnssec_generate_query(header
,((char *) header
) + daemon
->packet_buff_sz
,
901 daemon
->keyname
, forward
->class, T_DS
, &server
->addr
);
903 if ((hash
= hash_questions(header
, nn
, daemon
->namebuff
)))
904 memcpy(new->hash
, hash
, HASH_SIZE
);
905 new->new_id
= get_id();
906 header
->id
= htons(new->new_id
);
907 /* Save query for retransmission */
908 if (!(new->stash
= blockdata_alloc((char *)header
, nn
)))
913 /* Don't resend this. */
914 daemon
->srv_save
= NULL
;
917 fd
= server
->sfd
->fd
;
922 if (server
->addr
.sa
.sa_family
== AF_INET6
)
924 if (new->rfd6
|| (new->rfd6
= allocate_rfd(AF_INET6
)))
930 if (new->rfd4
|| (new->rfd4
= allocate_rfd(AF_INET
)))
937 while (retry_send(sendto(fd
, (char *)header
, nn
, 0,
939 sa_len(&server
->addr
))));
947 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
948 Now wind back down, pulling back answers which wouldn't previously validate
949 and validate them with the new data. Note that if an answer needs multiple
950 keys to validate, we may find another key is needed, in which case we set off
951 down another branch of the tree. Once we get to the original answer
952 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
953 while (forward
->dependent
)
955 struct frec
*prev
= forward
->dependent
;
958 forward
->blocking_query
= NULL
; /* already gone */
959 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
960 n
= forward
->stash_len
;
962 if (status
== STAT_SECURE
)
964 if (forward
->flags
& FREC_DNSKEY_QUERY
)
965 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
966 else if (forward
->flags
& FREC_DS_QUERY
)
968 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
969 /* Provably no DS, everything below is insecure, even if signatures are offered */
970 if (status
== STAT_NO_DS
)
971 /* We only cache sigs when we've validated a reply.
972 Avoid caching a reply with sigs if there's a vaildated break in the
973 DS chain, so we don't return replies from cache missing sigs. */
974 status
= STAT_INSECURE_DS
;
975 else if (status
== STAT_NO_NS
)
978 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
980 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
981 if (status
!= STAT_NEED_KEY
)
982 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
986 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
987 if (status
== STAT_NO_SIG
)
989 if (option_bool(OPT_DNSSEC_NO_SIGN
))
990 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
992 status
= STAT_INSECURE
;
996 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
1001 no_cache_dnssec
= 0;
1003 if (status
== STAT_INSECURE_DS
)
1005 /* We only cache sigs when we've validated a reply.
1006 Avoid caching a reply with sigs if there's a vaildated break in the
1007 DS chain, so we don't return replies from cache missing sigs. */
1008 status
= STAT_INSECURE
;
1009 no_cache_dnssec
= 1;
1012 if (status
== STAT_TRUNCATED
)
1013 header
->hb3
|= HB3_TC
;
1018 if (forward
->work_counter
== 0)
1020 result
= "ABANDONED";
1021 status
= STAT_BOGUS
;
1024 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1026 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
, result
);
1029 if (status
== STAT_SECURE
)
1031 else if (status
== STAT_BOGUS
)
1033 no_cache_dnssec
= 1;
1039 /* restore CD bit to the value in the query */
1040 if (forward
->flags
& FREC_CHECKING_DISABLED
)
1041 header
->hb4
|= HB4_CD
;
1043 header
->hb4
&= ~HB4_CD
;
1045 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
, bogusanswer
,
1046 forward
->flags
& FREC_AD_QUESTION
, forward
->flags
& FREC_DO_QUESTION
,
1047 forward
->flags
& FREC_ADDED_PHEADER
, forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
1049 header
->id
= htons(forward
->orig_id
);
1050 header
->hb4
|= HB4_RA
; /* recursion if available */
1051 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
1052 &forward
->source
, &forward
->dest
, forward
->iface
);
1054 free_frec(forward
); /* cancel */
1059 void receive_query(struct listener
*listen
, time_t now
)
1061 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
1062 union mysockaddr source_addr
;
1063 unsigned short type
;
1064 struct all_addr dst_addr
;
1065 struct in_addr netmask
, dst_addr_4
;
1068 int if_index
= 0, auth_dns
= 0;
1072 struct iovec iov
[1];
1074 struct cmsghdr
*cmptr
;
1076 struct cmsghdr align
; /* this ensures alignment */
1078 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
1080 #if defined(HAVE_LINUX_NETWORK)
1081 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
1082 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1083 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1084 CMSG_SPACE(sizeof(unsigned int))];
1085 #elif defined(IP_RECVDSTADDR)
1086 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1087 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
1091 /* Can always get recvd interface for IPv6 */
1092 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
1094 int check_dst
= !option_bool(OPT_NOWILD
);
1097 /* packet buffer overwritten */
1098 daemon
->srv_save
= NULL
;
1100 dst_addr_4
.s_addr
= dst_addr
.addr
.addr4
.s_addr
= 0;
1103 if (option_bool(OPT_NOWILD
) && listen
->iface
)
1105 auth_dns
= listen
->iface
->dns_auth
;
1107 if (listen
->family
== AF_INET
)
1109 dst_addr_4
= dst_addr
.addr
.addr4
= listen
->iface
->addr
.in
.sin_addr
;
1110 netmask
= listen
->iface
->netmask
;
1114 iov
[0].iov_base
= daemon
->packet
;
1115 iov
[0].iov_len
= daemon
->edns_pktsz
;
1117 msg
.msg_control
= control_u
.control
;
1118 msg
.msg_controllen
= sizeof(control_u
);
1120 msg
.msg_name
= &source_addr
;
1121 msg
.msg_namelen
= sizeof(source_addr
);
1125 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
1128 if (n
< (int)sizeof(struct dns_header
) ||
1129 (msg
.msg_flags
& MSG_TRUNC
) ||
1130 (header
->hb3
& HB3_QR
))
1133 source_addr
.sa
.sa_family
= listen
->family
;
1135 if (listen
->family
== AF_INET
)
1137 /* Source-port == 0 is an error, we can't send back to that.
1138 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1139 if (source_addr
.in
.sin_port
== 0)
1145 /* Source-port == 0 is an error, we can't send back to that. */
1146 if (source_addr
.in6
.sin6_port
== 0)
1148 source_addr
.in6
.sin6_flowinfo
= 0;
1152 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1153 if (option_bool(OPT_LOCAL_SERVICE
))
1155 struct addrlist
*addr
;
1157 if (listen
->family
== AF_INET6
)
1159 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1160 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1161 is_same_net6(&addr
->addr
.addr
.addr6
, &source_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1167 struct in_addr netmask
;
1168 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1170 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1171 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1172 is_same_net(addr
->addr
.addr
.addr4
, source_addr
.in
.sin_addr
, netmask
))
1178 static int warned
= 0;
1181 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1192 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
1195 #if defined(HAVE_LINUX_NETWORK)
1196 if (listen
->family
== AF_INET
)
1197 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1198 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
1202 struct in_pktinfo
*p
;
1204 p
.c
= CMSG_DATA(cmptr
);
1205 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
1206 if_index
= p
.p
->ipi_ifindex
;
1208 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1209 if (listen
->family
== AF_INET
)
1211 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1217 #ifndef HAVE_SOLARIS_NETWORK
1218 struct sockaddr_dl
*s
;
1221 p
.c
= CMSG_DATA(cmptr
);
1222 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
1223 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
1224 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
1225 #ifdef HAVE_SOLARIS_NETWORK
1228 if_index
= p
.s
->sdl_index
;
1235 if (listen
->family
== AF_INET6
)
1237 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1238 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
1242 struct in6_pktinfo
*p
;
1244 p
.c
= CMSG_DATA(cmptr
);
1246 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
1247 if_index
= p
.p
->ipi6_ifindex
;
1252 /* enforce available interface configuration */
1254 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
1257 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
1259 if (!option_bool(OPT_CLEVERBIND
))
1260 enumerate_interfaces(0);
1261 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
1262 !label_exception(if_index
, listen
->family
, &dst_addr
))
1266 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
1270 /* get the netmask of the interface whch has the address we were sent to.
1271 This is no neccessarily the interface we arrived on. */
1273 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1274 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1275 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1278 /* interface may be new */
1279 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
1280 enumerate_interfaces(0);
1282 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1283 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1284 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1287 /* If we failed, abandon localisation */
1289 netmask
= iface
->netmask
;
1291 dst_addr_4
.s_addr
= 0;
1295 /* log_query gets called indirectly all over the place, so
1296 pass these in global variables - sorry. */
1297 daemon
->log_display_id
= ++daemon
->log_id
;
1298 daemon
->log_source_addr
= &source_addr
;
1300 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
1303 struct auth_zone
*zone
;
1305 char *types
= querystr(auth_dns
? "auth" : "query", type
);
1307 if (listen
->family
== AF_INET
)
1308 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1309 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
1312 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1313 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1317 /* find queries for zones we're authoritative for, and answer them directly */
1319 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1320 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1329 /* Check for forwarding loop */
1330 if (detect_loop(daemon
->namebuff
, type
))
1338 m
= answer_auth(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
, now
, &source_addr
, local_auth
);
1341 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1342 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1343 daemon
->auth_answer
++;
1349 int ad_reqd
, do_bit
;
1350 m
= answer_request(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
,
1351 dst_addr_4
, netmask
, now
, &ad_reqd
, &do_bit
);
1355 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1356 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1357 daemon
->local_answer
++;
1359 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1360 header
, (size_t)n
, now
, NULL
, ad_reqd
, do_bit
))
1361 daemon
->queries_forwarded
++;
1363 daemon
->local_answer
++;
1369 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1370 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1371 STAT_NEED_DS_NEG and keyname if we need to do the query. */
1372 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
1373 char *name
, char *keyname
)
1375 int status
= dnssec_chase_cname(now
, header
, plen
, name
, keyname
);
1377 if (status
!= STAT_INSECURE
)
1380 /* Store the domain we're trying to check. */
1381 forward
->name_start
= strlen(name
);
1382 forward
->name_len
= forward
->name_start
+ 1;
1383 if (!(forward
->orig_domain
= blockdata_alloc(name
, forward
->name_len
)))
1386 return do_check_sign(forward
, 0, now
, name
, keyname
);
1389 /* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1390 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
)
1392 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1393 while (forward
->dependent
)
1394 forward
= forward
->dependent
;
1396 blockdata_retrieve(forward
->orig_domain
, forward
->name_len
, name
);
1406 /* Haven't received answer, see if in cache */
1407 if (!(crecp
= cache_find_by_name(NULL
, &name
[forward
->name_start
], now
, F_DS
)))
1409 /* put name of DS record we're missing into keyname */
1410 strcpy(keyname
, &name
[forward
->name_start
]);
1411 /* and wait for reply to arrive */
1412 return STAT_NEED_DS_NEG
;
1415 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1416 if (!(crecp
->flags
& F_NEG
))
1417 status
= STAT_SECURE
;
1418 else if (crecp
->flags
& F_DNSSECOK
)
1419 status
= STAT_NO_DS
;
1421 status
= STAT_NO_NS
;
1424 /* Have entered non-signed part of DNS tree. */
1425 if (status
== STAT_NO_DS
)
1426 return STAT_INSECURE
;
1428 if (status
== STAT_BOGUS
)
1431 /* There's a proven DS record, or we're within a zone, where there doesn't need
1432 to be a DS record. Add a name and try again.
1433 If we've already tried the whole name, then fail */
1435 if (forward
->name_start
== 0)
1438 for (p
= &name
[forward
->name_start
-2]; (*p
!= '.') && (p
!= name
); p
--);
1443 forward
->name_start
= p
- name
;
1444 status
= 0; /* force to cache when we iterate. */
1448 /* Move down from the root, until we find a signed non-existance of a DS, in which case
1449 an unsigned answer is OK, or we find a signed DS, in which case there should be
1450 a signature, and the answer is BOGUS */
1451 static int tcp_check_for_unsigned_zone(time_t now
, struct dns_header
*header
, size_t plen
, int class, char *name
,
1452 char *keyname
, struct server
*server
, int *keycount
)
1455 unsigned char *packet
, *payload
;
1457 int status
, name_len
;
1458 struct blockdata
*block
;
1462 /* Get first insecure entry in CNAME chain */
1463 status
= tcp_key_recurse(now
, STAT_CHASE_CNAME
, header
, plen
, class, name
, keyname
, server
, keycount
);
1464 if (status
== STAT_BOGUS
)
1467 if (!(packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
))))
1470 payload
= &packet
[2];
1471 header
= (struct dns_header
*)payload
;
1472 length
= (u16
*)packet
;
1474 /* Stash the name away, since the buffer will be trashed when we recurse */
1475 name_len
= strlen(name
) + 1;
1476 name_start
= name
+ name_len
- 1;
1478 if (!(block
= blockdata_alloc(name
, name_len
)))
1486 unsigned char c1
, c2
;
1489 if (--(*keycount
) == 0)
1492 blockdata_free(block
);
1496 while ((crecp
= cache_find_by_name(NULL
, name_start
, now
, F_DS
)))
1498 if ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
))
1500 /* Found a secure denial of DS - delegation is indeed insecure */
1502 blockdata_free(block
);
1503 return STAT_INSECURE
;
1506 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1507 Add another label and continue. */
1509 if (name_start
== name
)
1512 blockdata_free(block
);
1513 return STAT_BOGUS
; /* run out of labels */
1517 while (*name_start
!= '.' && name_start
!= name
)
1519 if (name_start
!= name
)
1523 /* Can't find it in the cache, have to send a query */
1525 m
= dnssec_generate_query(header
, ((char *) header
) + 65536, name_start
, class, T_DS
, &server
->addr
);
1529 if (read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) &&
1530 read_write(server
->tcpfd
, &c1
, 1, 1) &&
1531 read_write(server
->tcpfd
, &c2
, 1, 1) &&
1532 read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1536 /* Note this trashes all three name workspaces */
1537 status
= tcp_key_recurse(now
, STAT_NEED_DS_NEG
, header
, m
, class, name
, keyname
, server
, keycount
);
1539 if (status
== STAT_NO_DS
)
1541 /* Found a secure denial of DS - delegation is indeed insecure */
1543 blockdata_free(block
);
1544 return STAT_INSECURE
;
1547 if (status
== STAT_BOGUS
)
1550 blockdata_free(block
);
1554 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1555 Add another label and continue. */
1557 /* Get name we're checking back. */
1558 blockdata_retrieve(block
, name_len
, name
);
1560 if (name_start
== name
)
1563 blockdata_free(block
);
1564 return STAT_BOGUS
; /* run out of labels */
1568 while (*name_start
!= '.' && name_start
!= name
)
1570 if (name_start
!= name
)
1577 blockdata_free(block
);
1578 return STAT_BOGUS
; /* run out of labels */
1583 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
1584 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
)
1586 /* Recurse up the key heirarchy */
1589 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1590 if (--(*keycount
) == 0)
1591 return STAT_INSECURE
;
1593 if (status
== STAT_NEED_KEY
)
1594 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1595 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1597 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1598 if (status
== STAT_NEED_DS
)
1600 if (new_status
== STAT_NO_DS
)
1601 new_status
= STAT_INSECURE_DS
;
1602 else if (new_status
== STAT_NO_NS
)
1603 new_status
= STAT_BOGUS
;
1606 else if (status
== STAT_CHASE_CNAME
)
1607 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1610 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1612 if (new_status
== STAT_NO_SIG
)
1614 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1615 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1617 new_status
= STAT_INSECURE
;
1621 /* Can't validate because we need a key/DS whose name now in keyname.
1622 Make query for same, and recurse to validate */
1623 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1626 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1627 unsigned char *payload
= &packet
[2];
1628 struct dns_header
*new_header
= (struct dns_header
*)payload
;
1629 u16
*length
= (u16
*)packet
;
1630 unsigned char c1
, c2
;
1633 return STAT_INSECURE
;
1636 m
= dnssec_generate_query(new_header
, ((char *) new_header
) + 65536, keyname
, class,
1637 new_status
== STAT_NEED_KEY
? T_DNSKEY
: T_DS
, &server
->addr
);
1641 if (!read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) ||
1642 !read_write(server
->tcpfd
, &c1
, 1, 1) ||
1643 !read_write(server
->tcpfd
, &c2
, 1, 1) ||
1644 !read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1645 new_status
= STAT_INSECURE
;
1650 new_status
= tcp_key_recurse(now
, new_status
, new_header
, m
, class, name
, keyname
, server
, keycount
);
1652 if (new_status
== STAT_SECURE
)
1654 /* Reached a validated record, now try again at this level.
1655 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1656 If so, go round again. */
1658 if (status
== STAT_NEED_KEY
)
1659 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1660 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1662 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1663 if (status
== STAT_NEED_DS
)
1665 if (new_status
== STAT_NO_DS
)
1666 new_status
= STAT_INSECURE_DS
;
1667 else if (new_status
== STAT_NO_NS
)
1668 new_status
= STAT_BOGUS
; /* Validated no DS */
1671 else if (status
== STAT_CHASE_CNAME
)
1672 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1675 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1677 if (new_status
== STAT_NO_SIG
)
1679 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1680 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1682 new_status
= STAT_INSECURE
;
1686 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1687 goto another_tcp_key
;
1698 /* The daemon forks before calling this: it should deal with one connection,
1699 blocking as neccessary, and then return. Note, need to be a bit careful
1700 about resources for debug mode, when the fork is suppressed: that's
1701 done by the caller. */
1702 unsigned char *tcp_request(int confd
, time_t now
,
1703 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1710 int checking_disabled
, ad_question
, do_bit
, added_pheader
= 0;
1711 int check_subnet
, no_cache_dnssec
= 0, cache_secure
= 0, bogusanswer
= 0;
1713 unsigned short qtype
;
1714 unsigned int gotname
;
1715 unsigned char c1
, c2
;
1716 /* Max TCP packet + slop + size */
1717 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1718 unsigned char *payload
= &packet
[2];
1719 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1720 struct dns_header
*header
= (struct dns_header
*)payload
;
1721 u16
*length
= (u16
*)packet
;
1722 struct server
*last_server
;
1723 struct in_addr dst_addr_4
;
1724 union mysockaddr peer_addr
;
1725 socklen_t peer_len
= sizeof(union mysockaddr
);
1726 int query_count
= 0;
1728 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1731 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1732 if (option_bool(OPT_LOCAL_SERVICE
))
1734 struct addrlist
*addr
;
1736 if (peer_addr
.sa
.sa_family
== AF_INET6
)
1738 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1739 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1740 is_same_net6(&addr
->addr
.addr
.addr6
, &peer_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1746 struct in_addr netmask
;
1747 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1749 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1750 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1751 is_same_net(addr
->addr
.addr
.addr4
, peer_addr
.in
.sin_addr
, netmask
))
1757 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1764 if (query_count
== TCP_MAX_QUERIES
||
1766 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1767 !(size
= c1
<< 8 | c2
) ||
1768 !read_write(confd
, payload
, size
, 1))
1771 if (size
< (int)sizeof(struct dns_header
))
1776 /* log_query gets called indirectly all over the place, so
1777 pass these in global variables - sorry. */
1778 daemon
->log_display_id
= ++daemon
->log_id
;
1779 daemon
->log_source_addr
= &peer_addr
;
1783 /* save state of "cd" flag in query */
1784 if ((checking_disabled
= header
->hb4
& HB4_CD
))
1785 no_cache_dnssec
= 1;
1787 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1790 struct auth_zone
*zone
;
1792 char *types
= querystr(auth_dns
? "auth" : "query", qtype
);
1794 if (peer_addr
.sa
.sa_family
== AF_INET
)
1795 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1796 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1799 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1800 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1804 /* find queries for zones we're authoritative for, and answer them directly */
1806 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1807 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1816 if (local_addr
->sa
.sa_family
== AF_INET
)
1817 dst_addr_4
= local_addr
->in
.sin_addr
;
1819 dst_addr_4
.s_addr
= 0;
1823 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1827 /* m > 0 if answered from cache */
1828 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1829 dst_addr_4
, netmask
, now
, &ad_question
, &do_bit
);
1831 /* Do this by steam now we're not in the select() loop */
1832 check_log_writer(NULL
);
1836 unsigned int flags
= 0;
1837 struct all_addr
*addrp
= NULL
;
1839 char *domain
= NULL
;
1841 if (option_bool(OPT_ADD_MAC
))
1842 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1844 if (option_bool(OPT_CLIENT_SUBNET
))
1846 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1855 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1857 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1858 last_server
= daemon
->servers
;
1860 last_server
= daemon
->last_server
;
1862 if (!flags
&& last_server
)
1864 struct server
*firstsendto
= NULL
;
1866 unsigned char *newhash
, hash
[HASH_SIZE
];
1867 if ((newhash
= hash_questions(header
, (unsigned int)size
, daemon
->namebuff
)))
1868 memcpy(hash
, newhash
, HASH_SIZE
);
1870 memset(hash
, 0, HASH_SIZE
);
1872 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1874 /* Loop round available servers until we succeed in connecting to one.
1875 Note that this code subtley ensures that consecutive queries on this connection
1876 which can go to the same server, do so. */
1880 firstsendto
= last_server
;
1883 if (!(last_server
= last_server
->next
))
1884 last_server
= daemon
->servers
;
1886 if (last_server
== firstsendto
)
1890 /* server for wrong domain */
1891 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1892 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)) ||
1893 (last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
1896 if (last_server
->tcpfd
== -1)
1898 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
1901 #ifdef HAVE_CONNTRACK
1902 /* Copy connection mark of incoming query to outgoing connection. */
1903 if (option_bool(OPT_CONNTRACK
))
1906 struct all_addr local
;
1908 if (local_addr
->sa
.sa_family
== AF_INET6
)
1909 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1912 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1914 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1915 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1919 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
1920 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1922 close(last_server
->tcpfd
);
1923 last_server
->tcpfd
= -1;
1928 if (option_bool(OPT_DNSSEC_VALID
))
1930 size_t new_size
= add_do_bit(header
, size
, ((char *) header
) + 65536);
1932 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1933 this allows it to select auth servers when one is returning bad data. */
1934 if (option_bool(OPT_DNSSEC_DEBUG
))
1935 header
->hb4
|= HB4_CD
;
1937 if (size
!= new_size
)
1945 *length
= htons(size
);
1947 /* get query name again for logging - may have been overwritten */
1948 if (!(gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1949 strcpy(daemon
->namebuff
, "query");
1951 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1952 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1953 !read_write(last_server
->tcpfd
, &c2
, 1, 1) ||
1954 !read_write(last_server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1956 close(last_server
->tcpfd
);
1957 last_server
->tcpfd
= -1;
1963 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1964 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1965 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1968 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1969 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1973 if (option_bool(OPT_DNSSEC_VALID
) && !checking_disabled
)
1975 int keycount
= DNSSEC_WORK
; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
1976 int status
= tcp_key_recurse(now
, STAT_TRUNCATED
, header
, m
, 0, daemon
->namebuff
, daemon
->keyname
, last_server
, &keycount
);
1979 if (status
== STAT_INSECURE_DS
)
1981 /* We only cache sigs when we've validated a reply.
1982 Avoid caching a reply with sigs if there's a vaildated break in the
1983 DS chain, so we don't return replies from cache missing sigs. */
1984 status
= STAT_INSECURE
;
1985 no_cache_dnssec
= 1;
1990 result
= "ABANDONED";
1991 status
= STAT_BOGUS
;
1994 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1996 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
, result
);
1998 if (status
== STAT_BOGUS
)
2000 no_cache_dnssec
= 1;
2004 if (status
== STAT_SECURE
)
2009 /* restore CD bit to the value in the query */
2010 if (checking_disabled
)
2011 header
->hb4
|= HB4_CD
;
2013 header
->hb4
&= ~HB4_CD
;
2015 /* There's no point in updating the cache, since this process will exit and
2016 lose the information after a few queries. We make this call for the alias and
2017 bogus-nxdomain side-effects. */
2018 /* If the crc of the question section doesn't match the crc we sent, then
2019 someone might be attempting to insert bogus values into the cache by
2020 sending replies containing questions and bogus answers. */
2022 newhash
= hash_questions(header
, (unsigned int)m
, daemon
->namebuff
);
2023 if (!newhash
|| memcmp(hash
, newhash
, HASH_SIZE
) != 0)
2029 if (crc
!= questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
2036 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
2037 option_bool(OPT_NO_REBIND
) && !norebind
, no_cache_dnssec
, bogusanswer
,
2038 cache_secure
, ad_question
, do_bit
, added_pheader
, check_subnet
, &peer_addr
);
2044 /* In case of local answer or no connections made. */
2046 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
2050 check_log_writer(NULL
);
2054 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
2059 static struct frec
*allocate_frec(time_t now
)
2063 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
2065 f
->next
= daemon
->frec_list
;
2074 f
->dependent
= NULL
;
2075 f
->blocking_query
= NULL
;
2077 f
->orig_domain
= NULL
;
2079 daemon
->frec_list
= f
;
2085 struct randfd
*allocate_rfd(int family
)
2087 static int finger
= 0;
2090 /* limit the number of sockets we have open to avoid starvation of
2091 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2093 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2094 if (daemon
->randomsocks
[i
].refcount
== 0)
2096 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
2099 daemon
->randomsocks
[i
].refcount
= 1;
2100 daemon
->randomsocks
[i
].family
= family
;
2101 return &daemon
->randomsocks
[i
];
2104 /* No free ones or cannot get new socket, grab an existing one */
2105 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2107 int j
= (i
+finger
) % RANDOM_SOCKS
;
2108 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
2109 daemon
->randomsocks
[j
].family
== family
&&
2110 daemon
->randomsocks
[j
].refcount
!= 0xffff)
2113 daemon
->randomsocks
[j
].refcount
++;
2114 return &daemon
->randomsocks
[j
];
2118 return NULL
; /* doom */
2121 void free_rfd(struct randfd
*rfd
)
2123 if (rfd
&& --(rfd
->refcount
) == 0)
2127 static void free_frec(struct frec
*f
)
2142 blockdata_free(f
->stash
);
2148 blockdata_free(f
->orig_domain
);
2149 f
->orig_domain
= NULL
;
2152 /* Anything we're waiting on is pointless now, too */
2153 if (f
->blocking_query
)
2154 free_frec(f
->blocking_query
);
2155 f
->blocking_query
= NULL
;
2156 f
->dependent
= NULL
;
2160 /* if wait==NULL return a free or older than TIMEOUT record.
2161 else return *wait zero if one available, or *wait is delay to
2162 when the oldest in-use record will expire. Impose an absolute
2163 limit of 4*TIMEOUT before we wipe things (for random sockets).
2164 If force is set, always return a result, even if we have
2165 to allocate above the limit. */
2166 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
2168 struct frec
*f
, *oldest
, *target
;
2174 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
2179 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
2185 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
2195 /* can't find empty one, use oldest if there is one
2196 and it's older than timeout */
2197 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
2199 /* keep stuff for twice timeout if we can by allocating a new
2201 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
2202 count
<= daemon
->ftabsize
&&
2203 (f
= allocate_frec(now
)))
2214 /* none available, calculate time 'till oldest record expires */
2215 if (!force
&& count
> daemon
->ftabsize
)
2217 static time_t last_log
= 0;
2220 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
2222 if ((int)difftime(now
, last_log
) > 5)
2225 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
2231 if (!(f
= allocate_frec(now
)) && wait
)
2232 /* wait one second on malloc failure */
2235 return f
; /* OK if malloc fails and this is NULL */
2238 /* crc is all-ones if not known. */
2239 static struct frec
*lookup_frec(unsigned short id
, void *hash
)
2243 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2244 if (f
->sentto
&& f
->new_id
== id
&&
2245 (!hash
|| memcmp(hash
, f
->hash
, HASH_SIZE
) == 0))
2251 static struct frec
*lookup_frec_by_sender(unsigned short id
,
2252 union mysockaddr
*addr
,
2257 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2260 memcmp(hash
, f
->hash
, HASH_SIZE
) == 0 &&
2261 sockaddr_isequal(&f
->source
, addr
))
2267 /* Send query packet again, if we can. */
2270 if (daemon
->srv_save
)
2274 if (daemon
->srv_save
->sfd
)
2275 fd
= daemon
->srv_save
->sfd
->fd
;
2276 else if (daemon
->rfd_save
&& daemon
->rfd_save
->refcount
!= 0)
2277 fd
= daemon
->rfd_save
->fd
;
2281 while(retry_send(sendto(fd
, daemon
->packet
, daemon
->packet_len
, 0,
2282 &daemon
->srv_save
->addr
.sa
,
2283 sa_len(&daemon
->srv_save
->addr
))));
2287 /* A server record is going away, remove references to it */
2288 void server_gone(struct server
*server
)
2292 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
2293 if (f
->sentto
&& f
->sentto
== server
)
2296 if (daemon
->last_server
== server
)
2297 daemon
->last_server
= NULL
;
2299 if (daemon
->srv_save
== server
)
2300 daemon
->srv_save
= NULL
;
2303 /* return unique random ids. */
2304 static unsigned short get_id(void)
2306 unsigned short ret
= 0;
2310 while (lookup_frec(ret
, NULL
));