]>
git.ipfire.org Git - people/ms/dnsmasq.git/blob - src/forward.c
1 /* dnsmasq is Copyright (c) 2000-2015 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 static struct frec
*lookup_frec(unsigned short id
, void *hash
);
20 static struct frec
*lookup_frec_by_sender(unsigned short id
,
21 union mysockaddr
*addr
,
23 static unsigned short get_id(void);
24 static void free_frec(struct frec
*f
);
27 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
28 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
);
29 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
);
30 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
31 char *name
, char *keyname
);
35 /* Send a UDP packet with its source address set as "source"
36 unless nowild is true, when we just send it with the kernel default */
37 int send_from(int fd
, int nowild
, char *packet
, size_t len
,
38 union mysockaddr
*to
, struct all_addr
*source
,
44 struct cmsghdr align
; /* this ensures alignment */
45 #if defined(HAVE_LINUX_NETWORK)
46 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
47 #elif defined(IP_SENDSRCADDR)
48 char control
[CMSG_SPACE(sizeof(struct in_addr
))];
51 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
55 iov
[0].iov_base
= packet
;
58 msg
.msg_control
= NULL
;
59 msg
.msg_controllen
= 0;
62 msg
.msg_namelen
= sa_len(to
);
68 struct cmsghdr
*cmptr
;
69 msg
.msg_control
= &control_u
;
70 msg
.msg_controllen
= sizeof(control_u
);
71 cmptr
= CMSG_FIRSTHDR(&msg
);
73 if (to
->sa
.sa_family
== AF_INET
)
75 #if defined(HAVE_LINUX_NETWORK)
78 p
.ipi_spec_dst
= source
->addr
.addr4
;
79 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
80 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_pktinfo
));
81 cmptr
->cmsg_level
= IPPROTO_IP
;
82 cmptr
->cmsg_type
= IP_PKTINFO
;
83 #elif defined(IP_SENDSRCADDR)
84 memcpy(CMSG_DATA(cmptr
), &(source
->addr
.addr4
), sizeof(source
->addr
.addr4
));
85 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in_addr
));
86 cmptr
->cmsg_level
= IPPROTO_IP
;
87 cmptr
->cmsg_type
= IP_SENDSRCADDR
;
94 p
.ipi6_ifindex
= iface
; /* Need iface for IPv6 to handle link-local addrs */
95 p
.ipi6_addr
= source
->addr
.addr6
;
96 memcpy(CMSG_DATA(cmptr
), &p
, sizeof(p
));
97 msg
.msg_controllen
= cmptr
->cmsg_len
= CMSG_LEN(sizeof(struct in6_pktinfo
));
98 cmptr
->cmsg_type
= daemon
->v6pktinfo
;
99 cmptr
->cmsg_level
= IPPROTO_IPV6
;
102 (void)iface
; /* eliminate warning */
106 while (retry_send(sendmsg(fd
, &msg
, 0)));
108 /* If interface is still in DAD, EINVAL results - ignore that. */
109 if (errno
!= 0 && errno
!= EINVAL
)
111 my_syslog(LOG_ERR
, _("failed to send packet: %s"), strerror(errno
));
118 static unsigned int search_servers(time_t now
, struct all_addr
**addrpp
,
119 unsigned int qtype
, char *qdomain
, int *type
, char **domain
, int *norebind
)
122 /* If the query ends in the domain in one of our servers, set
123 domain to point to that name. We find the largest match to allow both
124 domain.org and sub.domain.org to exist. */
126 unsigned int namelen
= strlen(qdomain
);
127 unsigned int matchlen
= 0;
129 unsigned int flags
= 0;
131 for (serv
= daemon
->servers
; serv
; serv
=serv
->next
)
132 /* domain matches take priority over NODOTS matches */
133 if ((serv
->flags
& SERV_FOR_NODOTS
) && *type
!= SERV_HAS_DOMAIN
&& !strchr(qdomain
, '.') && namelen
!= 0)
135 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
136 *type
= SERV_FOR_NODOTS
;
137 if (serv
->flags
& SERV_NO_ADDR
)
139 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
144 if (serv
->addr
.sa
.sa_family
== AF_INET
)
145 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
148 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
151 else if (!flags
|| (flags
& F_NXDOMAIN
))
155 else if (serv
->flags
& SERV_HAS_DOMAIN
)
157 unsigned int domainlen
= strlen(serv
->domain
);
158 char *matchstart
= qdomain
+ namelen
- domainlen
;
159 if (namelen
>= domainlen
&&
160 hostname_isequal(matchstart
, serv
->domain
) &&
161 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
-1) == '.' ))
163 if (serv
->flags
& SERV_NO_REBIND
)
167 unsigned int sflag
= serv
->addr
.sa
.sa_family
== AF_INET
? F_IPV4
: F_IPV6
;
168 /* implement priority rules for --address and --server for same domain.
169 --address wins if the address is for the correct AF
170 --server wins otherwise. */
171 if (domainlen
!= 0 && domainlen
== matchlen
)
173 if ((serv
->flags
& SERV_LITERAL_ADDRESS
))
175 if (!(sflag
& qtype
) && flags
== 0)
180 if (flags
& (F_IPV4
| F_IPV6
))
185 if (domainlen
>= matchlen
)
187 *type
= serv
->flags
& (SERV_HAS_DOMAIN
| SERV_USE_RESOLV
| SERV_NO_REBIND
);
188 *domain
= serv
->domain
;
189 matchlen
= domainlen
;
190 if (serv
->flags
& SERV_NO_ADDR
)
192 else if (serv
->flags
& SERV_LITERAL_ADDRESS
)
197 if (serv
->addr
.sa
.sa_family
== AF_INET
)
198 *addrpp
= (struct all_addr
*)&serv
->addr
.in
.sin_addr
;
201 *addrpp
= (struct all_addr
*)&serv
->addr
.in6
.sin6_addr
;
204 else if (!flags
|| (flags
& F_NXDOMAIN
))
214 if (flags
== 0 && !(qtype
& F_QUERY
) &&
215 option_bool(OPT_NODOTS_LOCAL
) && !strchr(qdomain
, '.') && namelen
!= 0)
216 /* don't forward A or AAAA queries for simple names, except the empty name */
219 if (flags
== F_NXDOMAIN
&& check_for_local_domain(qdomain
, now
))
226 if (flags
== F_NXDOMAIN
|| flags
== F_NOERR
)
227 logflags
= F_NEG
| qtype
;
229 log_query(logflags
| flags
| F_CONFIG
| F_FORWARD
, qdomain
, *addrpp
, NULL
);
231 else if ((*type
) & SERV_USE_RESOLV
)
233 *type
= 0; /* use normal servers for this domain */
239 static int forward_query(int udpfd
, union mysockaddr
*udpaddr
,
240 struct all_addr
*dst_addr
, unsigned int dst_iface
,
241 struct dns_header
*header
, size_t plen
, time_t now
,
242 struct frec
*forward
, int ad_reqd
, int do_bit
)
245 int type
= 0, norebind
= 0;
246 struct all_addr
*addrp
= NULL
;
247 unsigned int flags
= 0;
248 struct server
*start
= NULL
;
250 void *hash
= hash_questions(header
, plen
, daemon
->namebuff
);
252 unsigned int crc
= questions_crc(header
, plen
, daemon
->namebuff
);
255 unsigned int gotname
= extract_request(header
, plen
, daemon
->namebuff
, NULL
);
259 /* may be no servers available. */
260 if (!daemon
->servers
)
262 else if (forward
|| (hash
&& (forward
= lookup_frec_by_sender(ntohs(header
->id
), udpaddr
, hash
))))
265 /* If we've already got an answer to this query, but we're awaiting keys for validation,
266 there's no point retrying the query, retry the key query instead...... */
267 if (forward
->blocking_query
)
271 while (forward
->blocking_query
)
272 forward
= forward
->blocking_query
;
274 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
275 plen
= forward
->stash_len
;
277 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET
)
278 log_query(F_NOEXTRA
| F_DNSSEC
| F_IPV4
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in
.sin_addr
, "dnssec");
281 log_query(F_NOEXTRA
| F_DNSSEC
| F_IPV6
, "retry", (struct all_addr
*)&forward
->sentto
->addr
.in6
.sin6_addr
, "dnssec");
284 if (forward
->sentto
->sfd
)
285 fd
= forward
->sentto
->sfd
->fd
;
289 if (forward
->sentto
->addr
.sa
.sa_family
== AF_INET6
)
290 fd
= forward
->rfd6
->fd
;
293 fd
= forward
->rfd4
->fd
;
296 while (retry_send( sendto(fd
, (char *)header
, plen
, 0,
297 &forward
->sentto
->addr
.sa
,
298 sa_len(&forward
->sentto
->addr
))));
304 /* retry on existing query, send to all available servers */
305 domain
= forward
->sentto
->domain
;
306 forward
->sentto
->failed_queries
++;
307 if (!option_bool(OPT_ORDER
))
309 forward
->forwardall
= 1;
310 daemon
->last_server
= NULL
;
312 type
= forward
->sentto
->flags
& SERV_TYPE
;
313 if (!(start
= forward
->sentto
->next
))
314 start
= daemon
->servers
; /* at end of list, recycle */
315 header
->id
= htons(forward
->new_id
);
320 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
322 if (!flags
&& !(forward
= get_new_frec(now
, NULL
, 0)))
323 /* table full - server failure. */
328 forward
->source
= *udpaddr
;
329 forward
->dest
= *dst_addr
;
330 forward
->iface
= dst_iface
;
331 forward
->orig_id
= ntohs(header
->id
);
332 forward
->new_id
= get_id();
334 memcpy(forward
->hash
, hash
, HASH_SIZE
);
335 forward
->forwardall
= 0;
338 forward
->flags
|= FREC_NOREBIND
;
339 if (header
->hb4
& HB4_CD
)
340 forward
->flags
|= FREC_CHECKING_DISABLED
;
342 forward
->flags
|= FREC_AD_QUESTION
;
344 forward
->work_counter
= DNSSEC_WORK
;
346 forward
->flags
|= FREC_DO_QUESTION
;
349 header
->id
= htons(forward
->new_id
);
351 /* In strict_order mode, always try servers in the order
352 specified in resolv.conf, if a domain is given
353 always try all the available servers,
354 otherwise, use the one last known to work. */
358 if (option_bool(OPT_ORDER
))
359 start
= daemon
->servers
;
360 else if (!(start
= daemon
->last_server
) ||
361 daemon
->forwardcount
++ > FORWARD_TEST
||
362 difftime(now
, daemon
->forwardtime
) > FORWARD_TIME
)
364 start
= daemon
->servers
;
365 forward
->forwardall
= 1;
366 daemon
->forwardcount
= 0;
367 daemon
->forwardtime
= now
;
372 start
= daemon
->servers
;
373 if (!option_bool(OPT_ORDER
))
374 forward
->forwardall
= 1;
379 /* check for send errors here (no route to host)
380 if we fail to send to all nameservers, send back an error
381 packet straight away (helps modem users when offline) */
383 if (!flags
&& forward
)
385 struct server
*firstsentto
= start
;
388 /* If a query is retried, use the log_id for the retry when logging the answer. */
389 forward
->log_id
= daemon
->log_id
;
391 if (option_bool(OPT_ADD_MAC
))
392 plen
= add_mac(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
394 if (option_bool(OPT_CLIENT_SUBNET
))
396 size_t new = add_source_addr(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
, &forward
->source
);
400 forward
->flags
|= FREC_HAS_SUBNET
;
405 if (option_bool(OPT_DNSSEC_VALID
))
407 size_t new_plen
= add_do_bit(header
, plen
, ((char *) header
) + daemon
->packet_buff_sz
);
409 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
410 this allows it to select auth servers when one is returning bad data. */
411 if (option_bool(OPT_DNSSEC_DEBUG
))
412 header
->hb4
|= HB4_CD
;
414 if (new_plen
!= plen
)
415 forward
->flags
|= FREC_ADDED_PHEADER
;
423 /* only send to servers dealing with our domain.
424 domain may be NULL, in which case server->domain
425 must be NULL also. */
427 if (type
== (start
->flags
& SERV_TYPE
) &&
428 (type
!= SERV_HAS_DOMAIN
|| hostname_isequal(domain
, start
->domain
)) &&
429 !(start
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
433 /* find server socket to use, may need to get random one. */
439 if (start
->addr
.sa
.sa_family
== AF_INET6
)
441 if (!forward
->rfd6
&&
442 !(forward
->rfd6
= allocate_rfd(AF_INET6
)))
444 daemon
->rfd_save
= forward
->rfd6
;
445 fd
= forward
->rfd6
->fd
;
450 if (!forward
->rfd4
&&
451 !(forward
->rfd4
= allocate_rfd(AF_INET
)))
453 daemon
->rfd_save
= forward
->rfd4
;
454 fd
= forward
->rfd4
->fd
;
457 #ifdef HAVE_CONNTRACK
458 /* Copy connection mark of incoming query to outgoing connection. */
459 if (option_bool(OPT_CONNTRACK
))
462 if (get_incoming_mark(&forward
->source
, &forward
->dest
, 0, &mark
))
463 setsockopt(fd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
468 if (retry_send(sendto(fd
, (char *)header
, plen
, 0,
470 sa_len(&start
->addr
))))
475 /* Keep info in case we want to re-send this packet */
476 daemon
->srv_save
= start
;
477 daemon
->packet_len
= plen
;
480 strcpy(daemon
->namebuff
, "query");
481 if (start
->addr
.sa
.sa_family
== AF_INET
)
482 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
483 (struct all_addr
*)&start
->addr
.in
.sin_addr
, NULL
);
486 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
487 (struct all_addr
*)&start
->addr
.in6
.sin6_addr
, NULL
);
491 forward
->sentto
= start
;
492 if (!forward
->forwardall
)
494 forward
->forwardall
++;
498 if (!(start
= start
->next
))
499 start
= daemon
->servers
;
501 if (start
== firstsentto
)
508 /* could not send on, prepare to return */
509 header
->id
= htons(forward
->orig_id
);
510 free_frec(forward
); /* cancel */
513 /* could not send on, return empty answer or address if known for whole domain */
516 plen
= setup_reply(header
, plen
, addrp
, flags
, daemon
->local_ttl
);
517 send_from(udpfd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
), (char *)header
, plen
, udpaddr
, dst_addr
, dst_iface
);
523 static size_t process_reply(struct dns_header
*header
, time_t now
, struct server
*server
, size_t n
, int check_rebind
,
524 int no_cache
, int cache_secure
, int bogusanswer
, int ad_reqd
, int do_bit
, int added_pheader
,
525 int check_subnet
, union mysockaddr
*query_source
)
527 unsigned char *pheader
, *sizep
;
529 int munged
= 0, is_sign
;
537 if (daemon
->ipsets
&& extract_request(header
, n
, daemon
->namebuff
, NULL
))
539 /* Similar algorithm to search_servers. */
540 struct ipsets
*ipset_pos
;
541 unsigned int namelen
= strlen(daemon
->namebuff
);
542 unsigned int matchlen
= 0;
543 for (ipset_pos
= daemon
->ipsets
; ipset_pos
; ipset_pos
= ipset_pos
->next
)
545 unsigned int domainlen
= strlen(ipset_pos
->domain
);
546 char *matchstart
= daemon
->namebuff
+ namelen
- domainlen
;
547 if (namelen
>= domainlen
&& hostname_isequal(matchstart
, ipset_pos
->domain
) &&
548 (domainlen
== 0 || namelen
== domainlen
|| *(matchstart
- 1) == '.' ) &&
549 domainlen
>= matchlen
)
551 matchlen
= domainlen
;
552 sets
= ipset_pos
->sets
;
558 /* If upstream is advertising a larger UDP packet size
559 than we allow, trim it so that we don't get overlarge
560 requests for the client. We can't do this for signed packets. */
562 if ((pheader
= find_pseudoheader(header
, n
, &plen
, &sizep
, &is_sign
)))
564 unsigned short udpsz
;
565 unsigned char *psave
= sizep
;
567 GETSHORT(udpsz
, sizep
);
569 if (!is_sign
&& udpsz
> daemon
->edns_pktsz
)
570 PUTSHORT(daemon
->edns_pktsz
, psave
);
572 if (check_subnet
&& !check_source(header
, plen
, pheader
, query_source
))
574 my_syslog(LOG_WARNING
, _("discarding DNS reply: subnet option mismatch"));
581 header
->arcount
= htons(0);
585 /* RFC 4035 sect 4.6 para 3 */
586 if (!is_sign
&& !option_bool(OPT_DNSSEC_PROXY
))
587 header
->hb4
&= ~HB4_AD
;
589 if (OPCODE(header
) != QUERY
|| (RCODE(header
) != NOERROR
&& RCODE(header
) != NXDOMAIN
))
590 return resize_packet(header
, n
, pheader
, plen
);
592 /* Complain loudly if the upstream server is non-recursive. */
593 if (!(header
->hb4
& HB4_RA
) && RCODE(header
) == NOERROR
&& ntohs(header
->ancount
) == 0 &&
594 server
&& !(server
->flags
& SERV_WARNED_RECURSIVE
))
596 prettyprint_addr(&server
->addr
, daemon
->namebuff
);
597 my_syslog(LOG_WARNING
, _("nameserver %s refused to do a recursive query"), daemon
->namebuff
);
598 if (!option_bool(OPT_LOG
))
599 server
->flags
|= SERV_WARNED_RECURSIVE
;
602 if (daemon
->bogus_addr
&& RCODE(header
) != NXDOMAIN
&&
603 check_for_bogus_wildcard(header
, n
, daemon
->namebuff
, daemon
->bogus_addr
, now
))
606 SET_RCODE(header
, NXDOMAIN
);
607 header
->hb3
&= ~HB3_AA
;
614 if (RCODE(header
) == NXDOMAIN
&&
615 extract_request(header
, n
, daemon
->namebuff
, NULL
) &&
616 check_for_local_domain(daemon
->namebuff
, now
))
618 /* if we forwarded a query for a locally known name (because it was for
619 an unknown type) and the answer is NXDOMAIN, convert that to NODATA,
620 since we know that the domain exists, even if upstream doesn't */
622 header
->hb3
|= HB3_AA
;
623 SET_RCODE(header
, NOERROR
);
627 if (extract_addresses(header
, n
, daemon
->namebuff
, now
, sets
, is_sign
, check_rebind
, no_cache
, cache_secure
, &doctored
))
629 my_syslog(LOG_WARNING
, _("possible DNS-rebind attack detected: %s"), daemon
->namebuff
);
639 if (bogusanswer
&& !(header
->hb4
& HB4_CD
))
641 if (!option_bool(OPT_DNSSEC_DEBUG
))
643 /* Bogus reply, turn into SERVFAIL */
644 SET_RCODE(header
, SERVFAIL
);
649 if (option_bool(OPT_DNSSEC_VALID
))
650 header
->hb4
&= ~HB4_AD
;
652 if (!(header
->hb4
& HB4_CD
) && ad_reqd
&& cache_secure
)
653 header
->hb4
|= HB4_AD
;
655 /* If the requestor didn't set the DO bit, don't return DNSSEC info. */
657 n
= filter_rrsigs(header
, n
);
660 /* do this after extract_addresses. Ensure NODATA reply and remove
665 header
->ancount
= htons(0);
666 header
->nscount
= htons(0);
667 header
->arcount
= htons(0);
668 header
->hb3
&= ~HB3_TC
;
671 /* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
672 sections of the packet. Find the new length here and put back pseudoheader
673 if it was removed. */
674 return resize_packet(header
, n
, pheader
, plen
);
677 /* sets new last_server */
678 void reply_query(int fd
, int family
, time_t now
)
680 /* packet from peer server, extract data for cache, and send to
681 original requester */
682 struct dns_header
*header
;
683 union mysockaddr serveraddr
;
684 struct frec
*forward
;
685 socklen_t addrlen
= sizeof(serveraddr
);
686 ssize_t n
= recvfrom(fd
, daemon
->packet
, daemon
->packet_buff_sz
, 0, &serveraddr
.sa
, &addrlen
);
688 struct server
*server
;
694 /* packet buffer overwritten */
695 daemon
->srv_save
= NULL
;
697 /* Determine the address of the server replying so that we can mark that as good */
698 serveraddr
.sa
.sa_family
= family
;
700 if (serveraddr
.sa
.sa_family
== AF_INET6
)
701 serveraddr
.in6
.sin6_flowinfo
= 0;
704 header
= (struct dns_header
*)daemon
->packet
;
706 if (n
< (int)sizeof(struct dns_header
) || !(header
->hb3
& HB3_QR
))
709 /* spoof check: answer must come from known server, */
710 for (server
= daemon
->servers
; server
; server
= server
->next
)
711 if (!(server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_NO_ADDR
)) &&
712 sockaddr_isequal(&server
->addr
, &serveraddr
))
719 hash
= hash_questions(header
, n
, daemon
->namebuff
);
722 crc
= questions_crc(header
, n
, daemon
->namebuff
);
725 if (!(forward
= lookup_frec(ntohs(header
->id
), hash
)))
728 /* log_query gets called indirectly all over the place, so
729 pass these in global variables - sorry. */
730 daemon
->log_display_id
= forward
->log_id
;
731 daemon
->log_source_addr
= &forward
->source
;
733 if (daemon
->ignore_addr
&& RCODE(header
) == NOERROR
&&
734 check_for_ignored_address(header
, n
, daemon
->ignore_addr
))
737 if (RCODE(header
) == REFUSED
&&
738 !option_bool(OPT_ORDER
) &&
739 forward
->forwardall
== 0)
740 /* for broken servers, attempt to send to another one. */
742 unsigned char *pheader
;
746 /* recreate query from reply */
747 pheader
= find_pseudoheader(header
, (size_t)n
, &plen
, NULL
, &is_sign
);
750 header
->ancount
= htons(0);
751 header
->nscount
= htons(0);
752 header
->arcount
= htons(0);
753 if ((nn
= resize_packet(header
, (size_t)n
, pheader
, plen
)))
755 header
->hb3
&= ~(HB3_QR
| HB3_TC
);
756 forward_query(-1, NULL
, NULL
, 0, header
, nn
, now
, forward
, 0, 0);
762 server
= forward
->sentto
;
764 if ((forward
->sentto
->flags
& SERV_TYPE
) == 0)
766 if (RCODE(header
) == REFUSED
)
770 struct server
*last_server
;
772 /* find good server by address if possible, otherwise assume the last one we sent to */
773 for (last_server
= daemon
->servers
; last_server
; last_server
= last_server
->next
)
774 if (!(last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_HAS_DOMAIN
| SERV_FOR_NODOTS
| SERV_NO_ADDR
)) &&
775 sockaddr_isequal(&last_server
->addr
, &serveraddr
))
777 server
= last_server
;
781 if (!option_bool(OPT_ALL_SERVERS
))
782 daemon
->last_server
= server
;
785 /* If the answer is an error, keep the forward record in place in case
786 we get a good reply from another server. Kill it when we've
787 had replies from all to avoid filling the forwarding table when
788 everything is broken */
789 if (forward
->forwardall
== 0 || --forward
->forwardall
== 1 || RCODE(header
) != SERVFAIL
)
791 int check_rebind
= 0, no_cache_dnssec
= 0, cache_secure
= 0, bogusanswer
= 0;
793 if (option_bool(OPT_NO_REBIND
))
794 check_rebind
= !(forward
->flags
& FREC_NOREBIND
);
796 /* Don't cache replies where DNSSEC validation was turned off, either
797 the upstream server told us so, or the original query specified it. */
798 if ((header
->hb4
& HB4_CD
) || (forward
->flags
& FREC_CHECKING_DISABLED
))
802 if (server
&& option_bool(OPT_DNSSEC_VALID
) && !(forward
->flags
& FREC_CHECKING_DISABLED
))
806 /* We've had a reply already, which we're validating. Ignore this duplicate */
807 if (forward
->blocking_query
)
810 if (header
->hb3
& HB3_TC
)
812 /* Truncated answer can't be validated.
813 If this is an answer to a DNSSEC-generated query, we still
814 need to get the client to retry over TCP, so return
815 an answer with the TC bit set, even if the actual answer fits.
817 status
= STAT_TRUNCATED
;
819 else if (forward
->flags
& FREC_DNSKEY_QUERY
)
820 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
821 else if (forward
->flags
& FREC_DS_QUERY
)
823 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
824 /* Provably no DS, everything below is insecure, even if signatures are offered */
825 if (status
== STAT_NO_DS
)
826 /* We only cache sigs when we've validated a reply.
827 Avoid caching a reply with sigs if there's a vaildated break in the
828 DS chain, so we don't return replies from cache missing sigs. */
829 status
= STAT_INSECURE_DS
;
830 else if (status
== STAT_NO_NS
)
833 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
835 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
836 if (status
!= STAT_NEED_KEY
)
837 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
841 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
842 if (status
== STAT_NO_SIG
)
844 if (option_bool(OPT_DNSSEC_NO_SIGN
))
845 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
847 status
= STAT_INSECURE
;
850 /* Can't validate, as we're missing key data. Put this
851 answer aside, whilst we get that. */
852 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
854 struct frec
*new, *orig
;
856 /* Free any saved query */
858 blockdata_free(forward
->stash
);
860 /* Now save reply pending receipt of key data */
861 if (!(forward
->stash
= blockdata_alloc((char *)header
, n
)))
863 forward
->stash_len
= n
;
866 /* Find the original query that started it all.... */
867 for (orig
= forward
; orig
->dependent
; orig
= orig
->dependent
);
869 if (--orig
->work_counter
== 0 || !(new = get_new_frec(now
, NULL
, 1)))
870 status
= STAT_INSECURE
;
874 struct frec
*next
= new->next
;
875 *new = *forward
; /* copy everything, then overwrite */
877 new->blocking_query
= NULL
;
878 new->sentto
= server
;
880 new->orig_domain
= NULL
;
884 new->flags
&= ~(FREC_DNSKEY_QUERY
| FREC_DS_QUERY
| FREC_CHECK_NOSIGN
);
886 new->dependent
= forward
; /* to find query awaiting new one. */
887 forward
->blocking_query
= new; /* for garbage cleaning */
888 /* validate routines leave name of required record in daemon->keyname */
889 if (status
== STAT_NEED_KEY
)
891 new->flags
|= FREC_DNSKEY_QUERY
;
892 nn
= dnssec_generate_query(header
, ((char *) header
) + daemon
->packet_buff_sz
,
893 daemon
->keyname
, forward
->class, T_DNSKEY
, &server
->addr
);
897 if (status
== STAT_NEED_DS_NEG
)
898 new->flags
|= FREC_CHECK_NOSIGN
;
900 new->flags
|= FREC_DS_QUERY
;
901 nn
= dnssec_generate_query(header
,((char *) header
) + daemon
->packet_buff_sz
,
902 daemon
->keyname
, forward
->class, T_DS
, &server
->addr
);
904 if ((hash
= hash_questions(header
, nn
, daemon
->namebuff
)))
905 memcpy(new->hash
, hash
, HASH_SIZE
);
906 new->new_id
= get_id();
907 header
->id
= htons(new->new_id
);
908 /* Save query for retransmission */
909 if (!(new->stash
= blockdata_alloc((char *)header
, nn
)))
914 /* Don't resend this. */
915 daemon
->srv_save
= NULL
;
918 fd
= server
->sfd
->fd
;
923 if (server
->addr
.sa
.sa_family
== AF_INET6
)
925 if (new->rfd6
|| (new->rfd6
= allocate_rfd(AF_INET6
)))
931 if (new->rfd4
|| (new->rfd4
= allocate_rfd(AF_INET
)))
938 while (retry_send(sendto(fd
, (char *)header
, nn
, 0,
940 sa_len(&server
->addr
))));
948 /* Ok, we reached far enough up the chain-of-trust that we can validate something.
949 Now wind back down, pulling back answers which wouldn't previously validate
950 and validate them with the new data. Note that if an answer needs multiple
951 keys to validate, we may find another key is needed, in which case we set off
952 down another branch of the tree. Once we get to the original answer
953 (FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
954 while (forward
->dependent
)
956 struct frec
*prev
= forward
->dependent
;
959 forward
->blocking_query
= NULL
; /* already gone */
960 blockdata_retrieve(forward
->stash
, forward
->stash_len
, (void *)header
);
961 n
= forward
->stash_len
;
963 if (status
== STAT_SECURE
)
965 if (forward
->flags
& FREC_DNSKEY_QUERY
)
966 status
= dnssec_validate_by_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
967 else if (forward
->flags
& FREC_DS_QUERY
)
969 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
970 /* Provably no DS, everything below is insecure, even if signatures are offered */
971 if (status
== STAT_NO_DS
)
972 /* We only cache sigs when we've validated a reply.
973 Avoid caching a reply with sigs if there's a vaildated break in the
974 DS chain, so we don't return replies from cache missing sigs. */
975 status
= STAT_INSECURE_DS
;
976 else if (status
== STAT_NO_NS
)
979 else if (forward
->flags
& FREC_CHECK_NOSIGN
)
981 status
= dnssec_validate_ds(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, forward
->class);
982 if (status
!= STAT_NEED_KEY
)
983 status
= do_check_sign(forward
, status
, now
, daemon
->namebuff
, daemon
->keyname
);
987 status
= dnssec_validate_reply(now
, header
, n
, daemon
->namebuff
, daemon
->keyname
, &forward
->class, NULL
, NULL
);
988 if (status
== STAT_NO_SIG
)
990 if (option_bool(OPT_DNSSEC_NO_SIGN
))
991 status
= send_check_sign(forward
, now
, header
, n
, daemon
->namebuff
, daemon
->keyname
);
993 status
= STAT_INSECURE
;
997 if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
|| status
== STAT_NEED_KEY
)
1002 no_cache_dnssec
= 0;
1004 if (status
== STAT_INSECURE_DS
)
1006 /* We only cache sigs when we've validated a reply.
1007 Avoid caching a reply with sigs if there's a vaildated break in the
1008 DS chain, so we don't return replies from cache missing sigs. */
1009 status
= STAT_INSECURE
;
1010 no_cache_dnssec
= 1;
1013 if (status
== STAT_TRUNCATED
)
1014 header
->hb3
|= HB3_TC
;
1019 if (forward
->work_counter
== 0)
1021 result
= "ABANDONED";
1022 status
= STAT_BOGUS
;
1025 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1027 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
, result
);
1030 if (status
== STAT_SECURE
)
1032 else if (status
== STAT_BOGUS
)
1034 no_cache_dnssec
= 1;
1040 /* restore CD bit to the value in the query */
1041 if (forward
->flags
& FREC_CHECKING_DISABLED
)
1042 header
->hb4
|= HB4_CD
;
1044 header
->hb4
&= ~HB4_CD
;
1046 if ((nn
= process_reply(header
, now
, server
, (size_t)n
, check_rebind
, no_cache_dnssec
, cache_secure
, bogusanswer
,
1047 forward
->flags
& FREC_AD_QUESTION
, forward
->flags
& FREC_DO_QUESTION
,
1048 forward
->flags
& FREC_ADDED_PHEADER
, forward
->flags
& FREC_HAS_SUBNET
, &forward
->source
)))
1050 header
->id
= htons(forward
->orig_id
);
1051 header
->hb4
|= HB4_RA
; /* recursion if available */
1052 send_from(forward
->fd
, option_bool(OPT_NOWILD
) || option_bool (OPT_CLEVERBIND
), daemon
->packet
, nn
,
1053 &forward
->source
, &forward
->dest
, forward
->iface
);
1055 free_frec(forward
); /* cancel */
1060 void receive_query(struct listener
*listen
, time_t now
)
1062 struct dns_header
*header
= (struct dns_header
*)daemon
->packet
;
1063 union mysockaddr source_addr
;
1064 unsigned short type
;
1065 struct all_addr dst_addr
;
1066 struct in_addr netmask
, dst_addr_4
;
1069 int if_index
= 0, auth_dns
= 0;
1073 struct iovec iov
[1];
1075 struct cmsghdr
*cmptr
;
1077 struct cmsghdr align
; /* this ensures alignment */
1079 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
1081 #if defined(HAVE_LINUX_NETWORK)
1082 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
1083 #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK)
1084 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1085 CMSG_SPACE(sizeof(unsigned int))];
1086 #elif defined(IP_RECVDSTADDR)
1087 char control
[CMSG_SPACE(sizeof(struct in_addr
)) +
1088 CMSG_SPACE(sizeof(struct sockaddr_dl
))];
1092 /* Can always get recvd interface for IPv6 */
1093 int check_dst
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
1095 int check_dst
= !option_bool(OPT_NOWILD
);
1098 /* packet buffer overwritten */
1099 daemon
->srv_save
= NULL
;
1101 dst_addr_4
.s_addr
= dst_addr
.addr
.addr4
.s_addr
= 0;
1104 if (option_bool(OPT_NOWILD
) && listen
->iface
)
1106 auth_dns
= listen
->iface
->dns_auth
;
1108 if (listen
->family
== AF_INET
)
1110 dst_addr_4
= dst_addr
.addr
.addr4
= listen
->iface
->addr
.in
.sin_addr
;
1111 netmask
= listen
->iface
->netmask
;
1115 iov
[0].iov_base
= daemon
->packet
;
1116 iov
[0].iov_len
= daemon
->edns_pktsz
;
1118 msg
.msg_control
= control_u
.control
;
1119 msg
.msg_controllen
= sizeof(control_u
);
1121 msg
.msg_name
= &source_addr
;
1122 msg
.msg_namelen
= sizeof(source_addr
);
1126 if ((n
= recvmsg(listen
->fd
, &msg
, 0)) == -1)
1129 if (n
< (int)sizeof(struct dns_header
) ||
1130 (msg
.msg_flags
& MSG_TRUNC
) ||
1131 (header
->hb3
& HB3_QR
))
1134 source_addr
.sa
.sa_family
= listen
->family
;
1136 if (listen
->family
== AF_INET
)
1138 /* Source-port == 0 is an error, we can't send back to that.
1139 http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */
1140 if (source_addr
.in
.sin_port
== 0)
1146 /* Source-port == 0 is an error, we can't send back to that. */
1147 if (source_addr
.in6
.sin6_port
== 0)
1149 source_addr
.in6
.sin6_flowinfo
= 0;
1153 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1154 if (option_bool(OPT_LOCAL_SERVICE
))
1156 struct addrlist
*addr
;
1158 if (listen
->family
== AF_INET6
)
1160 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1161 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1162 is_same_net6(&addr
->addr
.addr
.addr6
, &source_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1168 struct in_addr netmask
;
1169 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1171 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1172 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1173 is_same_net(addr
->addr
.addr
.addr4
, source_addr
.in
.sin_addr
, netmask
))
1179 static int warned
= 0;
1182 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1193 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
1196 #if defined(HAVE_LINUX_NETWORK)
1197 if (listen
->family
== AF_INET
)
1198 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1199 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
1203 struct in_pktinfo
*p
;
1205 p
.c
= CMSG_DATA(cmptr
);
1206 dst_addr_4
= dst_addr
.addr
.addr4
= p
.p
->ipi_spec_dst
;
1207 if_index
= p
.p
->ipi_ifindex
;
1209 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
1210 if (listen
->family
== AF_INET
)
1212 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1218 #ifndef HAVE_SOLARIS_NETWORK
1219 struct sockaddr_dl
*s
;
1222 p
.c
= CMSG_DATA(cmptr
);
1223 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
1224 dst_addr_4
= dst_addr
.addr
.addr4
= *(p
.a
);
1225 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
1226 #ifdef HAVE_SOLARIS_NETWORK
1229 if_index
= p
.s
->sdl_index
;
1236 if (listen
->family
== AF_INET6
)
1238 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
1239 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
1243 struct in6_pktinfo
*p
;
1245 p
.c
= CMSG_DATA(cmptr
);
1247 dst_addr
.addr
.addr6
= p
.p
->ipi6_addr
;
1248 if_index
= p
.p
->ipi6_ifindex
;
1253 /* enforce available interface configuration */
1255 if (!indextoname(listen
->fd
, if_index
, ifr
.ifr_name
))
1258 if (!iface_check(listen
->family
, &dst_addr
, ifr
.ifr_name
, &auth_dns
))
1260 if (!option_bool(OPT_CLEVERBIND
))
1261 enumerate_interfaces(0);
1262 if (!loopback_exception(listen
->fd
, listen
->family
, &dst_addr
, ifr
.ifr_name
) &&
1263 !label_exception(if_index
, listen
->family
, &dst_addr
))
1267 if (listen
->family
== AF_INET
&& option_bool(OPT_LOCALISE
))
1271 /* get the netmask of the interface whch has the address we were sent to.
1272 This is no neccessarily the interface we arrived on. */
1274 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1275 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1276 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1279 /* interface may be new */
1280 if (!iface
&& !option_bool(OPT_CLEVERBIND
))
1281 enumerate_interfaces(0);
1283 for (iface
= daemon
->interfaces
; iface
; iface
= iface
->next
)
1284 if (iface
->addr
.sa
.sa_family
== AF_INET
&&
1285 iface
->addr
.in
.sin_addr
.s_addr
== dst_addr_4
.s_addr
)
1288 /* If we failed, abandon localisation */
1290 netmask
= iface
->netmask
;
1292 dst_addr_4
.s_addr
= 0;
1296 /* log_query gets called indirectly all over the place, so
1297 pass these in global variables - sorry. */
1298 daemon
->log_display_id
= ++daemon
->log_id
;
1299 daemon
->log_source_addr
= &source_addr
;
1301 if (extract_request(header
, (size_t)n
, daemon
->namebuff
, &type
))
1304 struct auth_zone
*zone
;
1306 char *types
= querystr(auth_dns
? "auth" : "query", type
);
1308 if (listen
->family
== AF_INET
)
1309 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1310 (struct all_addr
*)&source_addr
.in
.sin_addr
, types
);
1313 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1314 (struct all_addr
*)&source_addr
.in6
.sin6_addr
, types
);
1318 /* find queries for zones we're authoritative for, and answer them directly */
1320 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1321 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1330 /* Check for forwarding loop */
1331 if (detect_loop(daemon
->namebuff
, type
))
1339 m
= answer_auth(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
, now
, &source_addr
, local_auth
);
1342 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1343 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1344 daemon
->auth_answer
++;
1350 int ad_reqd
, do_bit
;
1351 m
= answer_request(header
, ((char *) header
) + daemon
->packet_buff_sz
, (size_t)n
,
1352 dst_addr_4
, netmask
, now
, &ad_reqd
, &do_bit
);
1356 send_from(listen
->fd
, option_bool(OPT_NOWILD
) || option_bool(OPT_CLEVERBIND
),
1357 (char *)header
, m
, &source_addr
, &dst_addr
, if_index
);
1358 daemon
->local_answer
++;
1360 else if (forward_query(listen
->fd
, &source_addr
, &dst_addr
, if_index
,
1361 header
, (size_t)n
, now
, NULL
, ad_reqd
, do_bit
))
1362 daemon
->queries_forwarded
++;
1364 daemon
->local_answer
++;
1370 /* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1371 and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1372 STAT_NEED_DS_NEG and keyname if we need to do the query. */
1373 static int send_check_sign(struct frec
*forward
, time_t now
, struct dns_header
*header
, size_t plen
,
1374 char *name
, char *keyname
)
1376 int status
= dnssec_chase_cname(now
, header
, plen
, name
, keyname
);
1378 if (status
!= STAT_INSECURE
)
1381 /* Store the domain we're trying to check. */
1382 forward
->name_start
= strlen(name
);
1383 forward
->name_len
= forward
->name_start
+ 1;
1384 if (!(forward
->orig_domain
= blockdata_alloc(name
, forward
->name_len
)))
1387 return do_check_sign(forward
, 0, now
, name
, keyname
);
1390 /* We either have a a reply (header non-NULL, or we need to start by looking in the cache */
1391 static int do_check_sign(struct frec
*forward
, int status
, time_t now
, char *name
, char *keyname
)
1393 /* get domain we're checking back from blockdata store, it's stored on the original query. */
1394 while (forward
->dependent
)
1395 forward
= forward
->dependent
;
1397 blockdata_retrieve(forward
->orig_domain
, forward
->name_len
, name
);
1407 /* Haven't received answer, see if in cache */
1408 if (!(crecp
= cache_find_by_name(NULL
, &name
[forward
->name_start
], now
, F_DS
)))
1410 /* put name of DS record we're missing into keyname */
1411 strcpy(keyname
, &name
[forward
->name_start
]);
1412 /* and wait for reply to arrive */
1413 return STAT_NEED_DS_NEG
;
1416 /* F_DNSSECOK misused in DS cache records to non-existance of NS record */
1417 if (!(crecp
->flags
& F_NEG
))
1418 status
= STAT_SECURE
;
1419 else if (crecp
->flags
& F_DNSSECOK
)
1420 status
= STAT_NO_DS
;
1422 status
= STAT_NO_NS
;
1425 /* Have entered non-signed part of DNS tree. */
1426 if (status
== STAT_NO_DS
)
1427 return STAT_INSECURE
;
1429 if (status
== STAT_BOGUS
)
1432 /* There's a proven DS record, or we're within a zone, where there doesn't need
1433 to be a DS record. Add a name and try again.
1434 If we've already tried the whole name, then fail */
1436 if (forward
->name_start
== 0)
1439 for (p
= &name
[forward
->name_start
-2]; (*p
!= '.') && (p
!= name
); p
--);
1444 forward
->name_start
= p
- name
;
1445 status
= 0; /* force to cache when we iterate. */
1449 /* Move down from the root, until we find a signed non-existance of a DS, in which case
1450 an unsigned answer is OK, or we find a signed DS, in which case there should be
1451 a signature, and the answer is BOGUS */
1452 static int tcp_check_for_unsigned_zone(time_t now
, struct dns_header
*header
, size_t plen
, int class, char *name
,
1453 char *keyname
, struct server
*server
, int *keycount
)
1456 unsigned char *packet
, *payload
;
1458 int status
, name_len
;
1459 struct blockdata
*block
;
1463 /* Get first insecure entry in CNAME chain */
1464 status
= tcp_key_recurse(now
, STAT_CHASE_CNAME
, header
, plen
, class, name
, keyname
, server
, keycount
);
1465 if (status
== STAT_BOGUS
)
1468 if (!(packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
))))
1471 payload
= &packet
[2];
1472 header
= (struct dns_header
*)payload
;
1473 length
= (u16
*)packet
;
1475 /* Stash the name away, since the buffer will be trashed when we recurse */
1476 name_len
= strlen(name
) + 1;
1477 name_start
= name
+ name_len
- 1;
1479 if (!(block
= blockdata_alloc(name
, name_len
)))
1487 unsigned char c1
, c2
;
1490 if (--(*keycount
) == 0)
1493 blockdata_free(block
);
1497 while ((crecp
= cache_find_by_name(NULL
, name_start
, now
, F_DS
)))
1499 if ((crecp
->flags
& F_NEG
) && (crecp
->flags
& F_DNSSECOK
))
1501 /* Found a secure denial of DS - delegation is indeed insecure */
1503 blockdata_free(block
);
1504 return STAT_INSECURE
;
1507 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1508 Add another label and continue. */
1510 if (name_start
== name
)
1513 blockdata_free(block
);
1514 return STAT_BOGUS
; /* run out of labels */
1518 while (*name_start
!= '.' && name_start
!= name
)
1520 if (name_start
!= name
)
1524 /* Can't find it in the cache, have to send a query */
1526 m
= dnssec_generate_query(header
, ((char *) header
) + 65536, name_start
, class, T_DS
, &server
->addr
);
1530 if (read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) &&
1531 read_write(server
->tcpfd
, &c1
, 1, 1) &&
1532 read_write(server
->tcpfd
, &c2
, 1, 1) &&
1533 read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1537 /* Note this trashes all three name workspaces */
1538 status
= tcp_key_recurse(now
, STAT_NEED_DS_NEG
, header
, m
, class, name
, keyname
, server
, keycount
);
1540 if (status
== STAT_NO_DS
)
1542 /* Found a secure denial of DS - delegation is indeed insecure */
1544 blockdata_free(block
);
1545 return STAT_INSECURE
;
1548 if (status
== STAT_BOGUS
)
1551 blockdata_free(block
);
1555 /* Here, either there's a secure DS, or no NS and no DS, and therefore no delegation.
1556 Add another label and continue. */
1558 /* Get name we're checking back. */
1559 blockdata_retrieve(block
, name_len
, name
);
1561 if (name_start
== name
)
1564 blockdata_free(block
);
1565 return STAT_BOGUS
; /* run out of labels */
1569 while (*name_start
!= '.' && name_start
!= name
)
1571 if (name_start
!= name
)
1578 blockdata_free(block
);
1579 return STAT_BOGUS
; /* run out of labels */
1584 static int tcp_key_recurse(time_t now
, int status
, struct dns_header
*header
, size_t n
,
1585 int class, char *name
, char *keyname
, struct server
*server
, int *keycount
)
1587 /* Recurse up the key heirarchy */
1590 /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1591 if (--(*keycount
) == 0)
1592 return STAT_INSECURE
;
1594 if (status
== STAT_NEED_KEY
)
1595 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1596 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1598 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1599 if (status
== STAT_NEED_DS
)
1601 if (new_status
== STAT_NO_DS
)
1602 new_status
= STAT_INSECURE_DS
;
1603 else if (new_status
== STAT_NO_NS
)
1604 new_status
= STAT_BOGUS
;
1607 else if (status
== STAT_CHASE_CNAME
)
1608 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1611 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1613 if (new_status
== STAT_NO_SIG
)
1615 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1616 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1618 new_status
= STAT_INSECURE
;
1622 /* Can't validate because we need a key/DS whose name now in keyname.
1623 Make query for same, and recurse to validate */
1624 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1627 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1628 unsigned char *payload
= &packet
[2];
1629 struct dns_header
*new_header
= (struct dns_header
*)payload
;
1630 u16
*length
= (u16
*)packet
;
1631 unsigned char c1
, c2
;
1634 return STAT_INSECURE
;
1637 m
= dnssec_generate_query(new_header
, ((char *) new_header
) + 65536, keyname
, class,
1638 new_status
== STAT_NEED_KEY
? T_DNSKEY
: T_DS
, &server
->addr
);
1642 if (!read_write(server
->tcpfd
, packet
, m
+ sizeof(u16
), 0) ||
1643 !read_write(server
->tcpfd
, &c1
, 1, 1) ||
1644 !read_write(server
->tcpfd
, &c2
, 1, 1) ||
1645 !read_write(server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1646 new_status
= STAT_INSECURE
;
1651 new_status
= tcp_key_recurse(now
, new_status
, new_header
, m
, class, name
, keyname
, server
, keycount
);
1653 if (new_status
== STAT_SECURE
)
1655 /* Reached a validated record, now try again at this level.
1656 Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1657 If so, go round again. */
1659 if (status
== STAT_NEED_KEY
)
1660 new_status
= dnssec_validate_by_ds(now
, header
, n
, name
, keyname
, class);
1661 else if (status
== STAT_NEED_DS
|| status
== STAT_NEED_DS_NEG
)
1663 new_status
= dnssec_validate_ds(now
, header
, n
, name
, keyname
, class);
1664 if (status
== STAT_NEED_DS
)
1666 if (new_status
== STAT_NO_DS
)
1667 new_status
= STAT_INSECURE_DS
;
1668 else if (new_status
== STAT_NO_NS
)
1669 new_status
= STAT_BOGUS
; /* Validated no DS */
1672 else if (status
== STAT_CHASE_CNAME
)
1673 new_status
= dnssec_chase_cname(now
, header
, n
, name
, keyname
);
1676 new_status
= dnssec_validate_reply(now
, header
, n
, name
, keyname
, &class, NULL
, NULL
);
1678 if (new_status
== STAT_NO_SIG
)
1680 if (option_bool(OPT_DNSSEC_NO_SIGN
))
1681 new_status
= tcp_check_for_unsigned_zone(now
, header
, n
, class, name
, keyname
, server
, keycount
);
1683 new_status
= STAT_INSECURE
;
1687 if (new_status
== STAT_NEED_DS
|| new_status
== STAT_NEED_KEY
)
1688 goto another_tcp_key
;
1699 /* The daemon forks before calling this: it should deal with one connection,
1700 blocking as neccessary, and then return. Note, need to be a bit careful
1701 about resources for debug mode, when the fork is suppressed: that's
1702 done by the caller. */
1703 unsigned char *tcp_request(int confd
, time_t now
,
1704 union mysockaddr
*local_addr
, struct in_addr netmask
, int auth_dns
)
1711 int checking_disabled
, ad_question
, do_bit
, added_pheader
= 0;
1712 int check_subnet
, no_cache_dnssec
= 0, cache_secure
= 0, bogusanswer
= 0;
1714 unsigned short qtype
;
1715 unsigned int gotname
;
1716 unsigned char c1
, c2
;
1717 /* Max TCP packet + slop + size */
1718 unsigned char *packet
= whine_malloc(65536 + MAXDNAME
+ RRFIXEDSZ
+ sizeof(u16
));
1719 unsigned char *payload
= &packet
[2];
1720 /* largest field in header is 16-bits, so this is still sufficiently aligned */
1721 struct dns_header
*header
= (struct dns_header
*)payload
;
1722 u16
*length
= (u16
*)packet
;
1723 struct server
*last_server
;
1724 struct in_addr dst_addr_4
;
1725 union mysockaddr peer_addr
;
1726 socklen_t peer_len
= sizeof(union mysockaddr
);
1727 int query_count
= 0;
1729 if (getpeername(confd
, (struct sockaddr
*)&peer_addr
, &peer_len
) == -1)
1732 /* We can be configured to only accept queries from at-most-one-hop-away addresses. */
1733 if (option_bool(OPT_LOCAL_SERVICE
))
1735 struct addrlist
*addr
;
1737 if (peer_addr
.sa
.sa_family
== AF_INET6
)
1739 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1740 if ((addr
->flags
& ADDRLIST_IPV6
) &&
1741 is_same_net6(&addr
->addr
.addr
.addr6
, &peer_addr
.in6
.sin6_addr
, addr
->prefixlen
))
1747 struct in_addr netmask
;
1748 for (addr
= daemon
->interface_addrs
; addr
; addr
= addr
->next
)
1750 netmask
.s_addr
= htonl(~(in_addr_t
)0 << (32 - addr
->prefixlen
));
1751 if (!(addr
->flags
& ADDRLIST_IPV6
) &&
1752 is_same_net(addr
->addr
.addr
.addr4
, peer_addr
.in
.sin_addr
, netmask
))
1758 my_syslog(LOG_WARNING
, _("Ignoring query from non-local network"));
1765 if (query_count
== TCP_MAX_QUERIES
||
1767 !read_write(confd
, &c1
, 1, 1) || !read_write(confd
, &c2
, 1, 1) ||
1768 !(size
= c1
<< 8 | c2
) ||
1769 !read_write(confd
, payload
, size
, 1))
1772 if (size
< (int)sizeof(struct dns_header
))
1777 /* log_query gets called indirectly all over the place, so
1778 pass these in global variables - sorry. */
1779 daemon
->log_display_id
= ++daemon
->log_id
;
1780 daemon
->log_source_addr
= &peer_addr
;
1784 /* save state of "cd" flag in query */
1785 if ((checking_disabled
= header
->hb4
& HB4_CD
))
1786 no_cache_dnssec
= 1;
1788 if ((gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1791 struct auth_zone
*zone
;
1793 char *types
= querystr(auth_dns
? "auth" : "query", qtype
);
1795 if (peer_addr
.sa
.sa_family
== AF_INET
)
1796 log_query(F_QUERY
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1797 (struct all_addr
*)&peer_addr
.in
.sin_addr
, types
);
1800 log_query(F_QUERY
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1801 (struct all_addr
*)&peer_addr
.in6
.sin6_addr
, types
);
1805 /* find queries for zones we're authoritative for, and answer them directly */
1807 for (zone
= daemon
->auth_zones
; zone
; zone
= zone
->next
)
1808 if (in_zone(zone
, daemon
->namebuff
, NULL
))
1817 if (local_addr
->sa
.sa_family
== AF_INET
)
1818 dst_addr_4
= local_addr
->in
.sin_addr
;
1820 dst_addr_4
.s_addr
= 0;
1824 m
= answer_auth(header
, ((char *) header
) + 65536, (size_t)size
, now
, &peer_addr
, local_auth
);
1828 /* m > 0 if answered from cache */
1829 m
= answer_request(header
, ((char *) header
) + 65536, (size_t)size
,
1830 dst_addr_4
, netmask
, now
, &ad_question
, &do_bit
);
1832 /* Do this by steam now we're not in the select() loop */
1833 check_log_writer(NULL
);
1837 unsigned int flags
= 0;
1838 struct all_addr
*addrp
= NULL
;
1840 char *domain
= NULL
;
1842 if (option_bool(OPT_ADD_MAC
))
1843 size
= add_mac(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1845 if (option_bool(OPT_CLIENT_SUBNET
))
1847 size_t new = add_source_addr(header
, size
, ((char *) header
) + 65536, &peer_addr
);
1856 flags
= search_servers(now
, &addrp
, gotname
, daemon
->namebuff
, &type
, &domain
, &norebind
);
1858 if (type
!= 0 || option_bool(OPT_ORDER
) || !daemon
->last_server
)
1859 last_server
= daemon
->servers
;
1861 last_server
= daemon
->last_server
;
1863 if (!flags
&& last_server
)
1865 struct server
*firstsendto
= NULL
;
1867 unsigned char *newhash
, hash
[HASH_SIZE
];
1868 if ((newhash
= hash_questions(header
, (unsigned int)size
, daemon
->namebuff
)))
1869 memcpy(hash
, newhash
, HASH_SIZE
);
1871 memset(hash
, 0, HASH_SIZE
);
1873 unsigned int crc
= questions_crc(header
, (unsigned int)size
, daemon
->namebuff
);
1875 /* Loop round available servers until we succeed in connecting to one.
1876 Note that this code subtley ensures that consecutive queries on this connection
1877 which can go to the same server, do so. */
1881 firstsendto
= last_server
;
1884 if (!(last_server
= last_server
->next
))
1885 last_server
= daemon
->servers
;
1887 if (last_server
== firstsendto
)
1891 /* server for wrong domain */
1892 if (type
!= (last_server
->flags
& SERV_TYPE
) ||
1893 (type
== SERV_HAS_DOMAIN
&& !hostname_isequal(domain
, last_server
->domain
)) ||
1894 (last_server
->flags
& (SERV_LITERAL_ADDRESS
| SERV_LOOP
)))
1897 if (last_server
->tcpfd
== -1)
1899 if ((last_server
->tcpfd
= socket(last_server
->addr
.sa
.sa_family
, SOCK_STREAM
, 0)) == -1)
1902 #ifdef HAVE_CONNTRACK
1903 /* Copy connection mark of incoming query to outgoing connection. */
1904 if (option_bool(OPT_CONNTRACK
))
1907 struct all_addr local
;
1909 if (local_addr
->sa
.sa_family
== AF_INET6
)
1910 local
.addr
.addr6
= local_addr
->in6
.sin6_addr
;
1913 local
.addr
.addr4
= local_addr
->in
.sin_addr
;
1915 if (get_incoming_mark(&peer_addr
, &local
, 1, &mark
))
1916 setsockopt(last_server
->tcpfd
, SOL_SOCKET
, SO_MARK
, &mark
, sizeof(unsigned int));
1920 if ((!local_bind(last_server
->tcpfd
, &last_server
->source_addr
, last_server
->interface
, 1) ||
1921 connect(last_server
->tcpfd
, &last_server
->addr
.sa
, sa_len(&last_server
->addr
)) == -1))
1923 close(last_server
->tcpfd
);
1924 last_server
->tcpfd
= -1;
1929 if (option_bool(OPT_DNSSEC_VALID
))
1931 size_t new_size
= add_do_bit(header
, size
, ((char *) header
) + 65536);
1933 /* For debugging, set Checking Disabled, otherwise, have the upstream check too,
1934 this allows it to select auth servers when one is returning bad data. */
1935 if (option_bool(OPT_DNSSEC_DEBUG
))
1936 header
->hb4
|= HB4_CD
;
1938 if (size
!= new_size
)
1946 *length
= htons(size
);
1948 /* get query name again for logging - may have been overwritten */
1949 if (!(gotname
= extract_request(header
, (unsigned int)size
, daemon
->namebuff
, &qtype
)))
1950 strcpy(daemon
->namebuff
, "query");
1952 if (!read_write(last_server
->tcpfd
, packet
, size
+ sizeof(u16
), 0) ||
1953 !read_write(last_server
->tcpfd
, &c1
, 1, 1) ||
1954 !read_write(last_server
->tcpfd
, &c2
, 1, 1) ||
1955 !read_write(last_server
->tcpfd
, payload
, (c1
<< 8) | c2
, 1))
1957 close(last_server
->tcpfd
);
1958 last_server
->tcpfd
= -1;
1964 if (last_server
->addr
.sa
.sa_family
== AF_INET
)
1965 log_query(F_SERVER
| F_IPV4
| F_FORWARD
, daemon
->namebuff
,
1966 (struct all_addr
*)&last_server
->addr
.in
.sin_addr
, NULL
);
1969 log_query(F_SERVER
| F_IPV6
| F_FORWARD
, daemon
->namebuff
,
1970 (struct all_addr
*)&last_server
->addr
.in6
.sin6_addr
, NULL
);
1974 if (option_bool(OPT_DNSSEC_VALID
) && !checking_disabled
)
1976 int keycount
= DNSSEC_WORK
; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
1977 int status
= tcp_key_recurse(now
, STAT_TRUNCATED
, header
, m
, 0, daemon
->namebuff
, daemon
->keyname
, last_server
, &keycount
);
1980 if (status
== STAT_INSECURE_DS
)
1982 /* We only cache sigs when we've validated a reply.
1983 Avoid caching a reply with sigs if there's a vaildated break in the
1984 DS chain, so we don't return replies from cache missing sigs. */
1985 status
= STAT_INSECURE
;
1986 no_cache_dnssec
= 1;
1991 result
= "ABANDONED";
1992 status
= STAT_BOGUS
;
1995 result
= (status
== STAT_SECURE
? "SECURE" : (status
== STAT_INSECURE
? "INSECURE" : "BOGUS"));
1997 log_query(F_KEYTAG
| F_SECSTAT
, "result", NULL
, result
);
1999 if (status
== STAT_BOGUS
)
2001 no_cache_dnssec
= 1;
2005 if (status
== STAT_SECURE
)
2010 /* restore CD bit to the value in the query */
2011 if (checking_disabled
)
2012 header
->hb4
|= HB4_CD
;
2014 header
->hb4
&= ~HB4_CD
;
2016 /* There's no point in updating the cache, since this process will exit and
2017 lose the information after a few queries. We make this call for the alias and
2018 bogus-nxdomain side-effects. */
2019 /* If the crc of the question section doesn't match the crc we sent, then
2020 someone might be attempting to insert bogus values into the cache by
2021 sending replies containing questions and bogus answers. */
2023 newhash
= hash_questions(header
, (unsigned int)m
, daemon
->namebuff
);
2024 if (!newhash
|| memcmp(hash
, newhash
, HASH_SIZE
) != 0)
2030 if (crc
!= questions_crc(header
, (unsigned int)m
, daemon
->namebuff
))
2037 m
= process_reply(header
, now
, last_server
, (unsigned int)m
,
2038 option_bool(OPT_NO_REBIND
) && !norebind
, no_cache_dnssec
, bogusanswer
,
2039 cache_secure
, ad_question
, do_bit
, added_pheader
, check_subnet
, &peer_addr
);
2045 /* In case of local answer or no connections made. */
2047 m
= setup_reply(header
, (unsigned int)size
, addrp
, flags
, daemon
->local_ttl
);
2051 check_log_writer(NULL
);
2055 if (m
== 0 || !read_write(confd
, packet
, m
+ sizeof(u16
), 0))
2060 static struct frec
*allocate_frec(time_t now
)
2064 if ((f
= (struct frec
*)whine_malloc(sizeof(struct frec
))))
2066 f
->next
= daemon
->frec_list
;
2075 f
->dependent
= NULL
;
2076 f
->blocking_query
= NULL
;
2078 f
->orig_domain
= NULL
;
2080 daemon
->frec_list
= f
;
2086 struct randfd
*allocate_rfd(int family
)
2088 static int finger
= 0;
2091 /* limit the number of sockets we have open to avoid starvation of
2092 (eg) TFTP. Once we have a reasonable number, randomness should be OK */
2094 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2095 if (daemon
->randomsocks
[i
].refcount
== 0)
2097 if ((daemon
->randomsocks
[i
].fd
= random_sock(family
)) == -1)
2100 daemon
->randomsocks
[i
].refcount
= 1;
2101 daemon
->randomsocks
[i
].family
= family
;
2102 return &daemon
->randomsocks
[i
];
2105 /* No free ones or cannot get new socket, grab an existing one */
2106 for (i
= 0; i
< RANDOM_SOCKS
; i
++)
2108 int j
= (i
+finger
) % RANDOM_SOCKS
;
2109 if (daemon
->randomsocks
[j
].refcount
!= 0 &&
2110 daemon
->randomsocks
[j
].family
== family
&&
2111 daemon
->randomsocks
[j
].refcount
!= 0xffff)
2114 daemon
->randomsocks
[j
].refcount
++;
2115 return &daemon
->randomsocks
[j
];
2119 return NULL
; /* doom */
2122 void free_rfd(struct randfd
*rfd
)
2124 if (rfd
&& --(rfd
->refcount
) == 0)
2128 static void free_frec(struct frec
*f
)
2143 blockdata_free(f
->stash
);
2149 blockdata_free(f
->orig_domain
);
2150 f
->orig_domain
= NULL
;
2153 /* Anything we're waiting on is pointless now, too */
2154 if (f
->blocking_query
)
2155 free_frec(f
->blocking_query
);
2156 f
->blocking_query
= NULL
;
2157 f
->dependent
= NULL
;
2161 /* if wait==NULL return a free or older than TIMEOUT record.
2162 else return *wait zero if one available, or *wait is delay to
2163 when the oldest in-use record will expire. Impose an absolute
2164 limit of 4*TIMEOUT before we wipe things (for random sockets).
2165 If force is set, always return a result, even if we have
2166 to allocate above the limit. */
2167 struct frec
*get_new_frec(time_t now
, int *wait
, int force
)
2169 struct frec
*f
, *oldest
, *target
;
2175 for (f
= daemon
->frec_list
, oldest
= NULL
, target
= NULL
, count
= 0; f
; f
= f
->next
, count
++)
2180 if (difftime(now
, f
->time
) >= 4*TIMEOUT
)
2186 if (!oldest
|| difftime(f
->time
, oldest
->time
) <= 0)
2196 /* can't find empty one, use oldest if there is one
2197 and it's older than timeout */
2198 if (oldest
&& ((int)difftime(now
, oldest
->time
)) >= TIMEOUT
)
2200 /* keep stuff for twice timeout if we can by allocating a new
2202 if (difftime(now
, oldest
->time
) < 2*TIMEOUT
&&
2203 count
<= daemon
->ftabsize
&&
2204 (f
= allocate_frec(now
)))
2215 /* none available, calculate time 'till oldest record expires */
2216 if (!force
&& count
> daemon
->ftabsize
)
2218 static time_t last_log
= 0;
2221 *wait
= oldest
->time
+ (time_t)TIMEOUT
- now
;
2223 if ((int)difftime(now
, last_log
) > 5)
2226 my_syslog(LOG_WARNING
, _("Maximum number of concurrent DNS queries reached (max: %d)"), daemon
->ftabsize
);
2232 if (!(f
= allocate_frec(now
)) && wait
)
2233 /* wait one second on malloc failure */
2236 return f
; /* OK if malloc fails and this is NULL */
2239 /* crc is all-ones if not known. */
2240 static struct frec
*lookup_frec(unsigned short id
, void *hash
)
2244 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2245 if (f
->sentto
&& f
->new_id
== id
&&
2246 (!hash
|| memcmp(hash
, f
->hash
, HASH_SIZE
) == 0))
2252 static struct frec
*lookup_frec_by_sender(unsigned short id
,
2253 union mysockaddr
*addr
,
2258 for(f
= daemon
->frec_list
; f
; f
= f
->next
)
2261 memcmp(hash
, f
->hash
, HASH_SIZE
) == 0 &&
2262 sockaddr_isequal(&f
->source
, addr
))
2268 /* Send query packet again, if we can. */
2271 if (daemon
->srv_save
)
2275 if (daemon
->srv_save
->sfd
)
2276 fd
= daemon
->srv_save
->sfd
->fd
;
2277 else if (daemon
->rfd_save
&& daemon
->rfd_save
->refcount
!= 0)
2278 fd
= daemon
->rfd_save
->fd
;
2282 while(retry_send(sendto(fd
, daemon
->packet
, daemon
->packet_len
, 0,
2283 &daemon
->srv_save
->addr
.sa
,
2284 sa_len(&daemon
->srv_save
->addr
))));
2288 /* A server record is going away, remove references to it */
2289 void server_gone(struct server
*server
)
2293 for (f
= daemon
->frec_list
; f
; f
= f
->next
)
2294 if (f
->sentto
&& f
->sentto
== server
)
2297 if (daemon
->last_server
== server
)
2298 daemon
->last_server
= NULL
;
2300 if (daemon
->srv_save
== server
)
2301 daemon
->srv_save
= NULL
;
2304 /* return unique random ids. */
2305 static unsigned short get_id(void)
2307 unsigned short ret
= 0;
2311 while (lookup_frec(ret
, NULL
));