#endif
}
- while (sendmsg(fd, &msg, 0) == -1)
+ while (retry_send(sendmsg(fd, &msg, 0)));
+
+ /* If interface is still in DAD, EINVAL results - ignore that. */
+ if (errno != 0 && errno != EINVAL)
{
- if (retry_send())
- continue;
-
- /* If interface is still in DAD, EINVAL results - ignore that. */
- if (errno == EINVAL)
- break;
-
my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno));
return 0;
}
void *hash = &crc;
#endif
unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
+ unsigned char *pheader;
(void)do_bit;
forward = NULL;
else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
{
+ /* If we didn't get an answer advertising a maximal packet in EDNS,
+ fall back to 1280, which should work everywhere on IPv6.
+ If that generates an answer, it will become the new default
+ for this server */
+ forward->flags |= FREC_TEST_PKTSZ;
+
#ifdef HAVE_DNSSEC
/* If we've already got an answer to this query, but we're awaiting keys for validation,
there's no point retrying the query, retry the key query instead...... */
if (forward->blocking_query)
{
int fd;
-
+
+ forward->flags &= ~FREC_TEST_PKTSZ;
+
while (forward->blocking_query)
forward = forward->blocking_query;
+
+ forward->flags |= FREC_TEST_PKTSZ;
blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
plen = forward->stash_len;
+ if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
+ PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : forward->sentto->edns_pktsz, pheader);
+
if (forward->sentto->addr.sa.sa_family == AF_INET)
log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
#ifdef HAVE_IPV6
fd = forward->rfd4->fd;
}
- while (sendto(fd, (char *)header, plen, 0,
- &forward->sentto->addr.sa,
- sa_len(&forward->sentto->addr)) == -1 && retry_send());
+ while (retry_send( sendto(fd, (char *)header, plen, 0,
+ &forward->sentto->addr.sa,
+ sa_len(&forward->sentto->addr))));
return 1;
}
plen = new_plen;
}
#endif
-
+
while (1)
{
/* only send to servers dealing with our domain.
}
#endif
}
+
+ if (find_pseudoheader(header, plen, NULL, &pheader, NULL))
+ PUTSHORT((forward->flags & FREC_TEST_PKTSZ) ? SAFE_PKTSZ : start->edns_pktsz, pheader);
- if (sendto(fd, (char *)header, plen, 0,
- &start->addr.sa,
- sa_len(&start->addr)) == -1)
- {
- if (retry_send())
- continue;
- }
- else
+ if (retry_send(sendto(fd, (char *)header, plen, 0,
+ &start->addr.sa,
+ sa_len(&start->addr))))
+ continue;
+
+ if (errno == 0)
{
/* Keep info in case we want to re-send this packet */
daemon->srv_save = start;
}
static size_t process_reply(struct dns_header *header, time_t now, struct server *server, size_t n, int check_rebind,
- int no_cache, int cache_secure, int ad_reqd, int do_bit, int added_pheader, int check_subnet, union mysockaddr *query_source)
+ int no_cache, int cache_secure, int bogusanswer, int ad_reqd, int do_bit, int added_pheader,
+ int check_subnet, union mysockaddr *query_source)
{
unsigned char *pheader, *sizep;
char **sets = 0;
size_t plen;
(void)ad_reqd;
- (void) do_bit;
+ (void)do_bit;
+ (void)bogusanswer;
#ifdef HAVE_IPSET
if (daemon->ipsets && extract_request(header, n, daemon->namebuff, NULL))
}
#ifdef HAVE_DNSSEC
- if (no_cache && !(header->hb4 & HB4_CD))
+ if (bogusanswer && !(header->hb4 & HB4_CD))
{
if (!option_bool(OPT_DNSSEC_DEBUG))
{
header->ancount = htons(0);
header->nscount = htons(0);
header->arcount = htons(0);
+ header->hb3 &= ~HB3_TC;
}
/* the bogus-nxdomain stuff, doctor and NXDOMAIN->NODATA munging can all elide
}
server = forward->sentto;
-
if ((forward->sentto->flags & SERV_TYPE) == 0)
{
if (RCODE(header) == REFUSED)
if (!option_bool(OPT_ALL_SERVERS))
daemon->last_server = server;
}
-
+
+ /* We tried resending to this server with a smaller maximum size and got an answer.
+ Make that permanent. To avoid reduxing the packet size for an single dropped packet,
+ only do this when we get a truncated answer, or one larger than the safe size. */
+ if (server && (forward->flags & FREC_TEST_PKTSZ) &&
+ ((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ))
+ server->edns_pktsz = SAFE_PKTSZ;
+
/* If the answer is an error, keep the forward record in place in case
we get a good reply from another server. Kill it when we've
had replies from all to avoid filling the forwarding table when
everything is broken */
if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
{
- int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
+ int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
if (option_bool(OPT_NO_REBIND))
check_rebind = !(forward->flags & FREC_NOREBIND);
else if (forward->flags & FREC_DS_QUERY)
{
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
- if (status == STAT_NO_DS || status == STAT_NO_NS)
+ /* Provably no DS, everything below is insecure, even if signatures are offered */
+ if (status == STAT_NO_DS)
+ /* We only cache sigs when we've validated a reply.
+ Avoid caching a reply with sigs if there's a vaildated break in the
+ DS chain, so we don't return replies from cache missing sigs. */
+ status = STAT_INSECURE_DS;
+ else if (status == STAT_NO_NS)
status = STAT_BOGUS;
}
else if (forward->flags & FREC_CHECK_NOSIGN)
{
new->flags |= FREC_DNSKEY_QUERY;
nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
- daemon->keyname, forward->class, T_DNSKEY, &server->addr);
+ daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz);
}
else
{
else
new->flags |= FREC_DS_QUERY;
nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
- daemon->keyname, forward->class, T_DS, &server->addr);
+ daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz);
}
if ((hash = hash_questions(header, nn, daemon->namebuff)))
memcpy(new->hash, hash, HASH_SIZE);
if (fd != -1)
{
- while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
+ while (retry_send(sendto(fd, (char *)header, nn, 0,
+ &server->addr.sa,
+ sa_len(&server->addr))));
server->queries++;
}
else if (forward->flags & FREC_DS_QUERY)
{
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
- if (status == STAT_NO_DS || status == STAT_NO_NS)
- status = STAT_BOGUS;
+ /* Provably no DS, everything below is insecure, even if signatures are offered */
+ if (status == STAT_NO_DS)
+ /* We only cache sigs when we've validated a reply.
+ Avoid caching a reply with sigs if there's a vaildated break in the
+ DS chain, so we don't return replies from cache missing sigs. */
+ status = STAT_INSECURE_DS;
+ else if (status == STAT_NO_NS)
+ status = STAT_BOGUS;
}
else if (forward->flags & FREC_CHECK_NOSIGN)
{
}
}
+ no_cache_dnssec = 0;
+
+ if (status == STAT_INSECURE_DS)
+ {
+ /* We only cache sigs when we've validated a reply.
+ Avoid caching a reply with sigs if there's a vaildated break in the
+ DS chain, so we don't return replies from cache missing sigs. */
+ status = STAT_INSECURE;
+ no_cache_dnssec = 1;
+ }
+
if (status == STAT_TRUNCATED)
header->hb3 |= HB3_TC;
else
{
- char *result;
+ char *result, *domain = "result";
if (forward->work_counter == 0)
- result = "ABANDONED";
+ {
+ result = "ABANDONED";
+ status = STAT_BOGUS;
+ }
else
result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
- log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
+ if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL))
+ domain = daemon->namebuff;
+
+ log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
}
- no_cache_dnssec = 0;
-
if (status == STAT_SECURE)
cache_secure = 1;
else if (status == STAT_BOGUS)
- no_cache_dnssec = 1;
+ {
+ no_cache_dnssec = 1;
+ bogusanswer = 1;
+ }
}
#endif
else
header->hb4 &= ~HB4_CD;
- if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
+ if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer,
forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
{
}
}
-/* Move toward the root, until we find a signed non-existance of a DS, in which case
+/* Move down from the root, until we find a signed non-existance of a DS, in which case
an unsigned answer is OK, or we find a signed DS, in which case there should be
a signature, and the answer is BOGUS */
static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
/* Can't find it in the cache, have to send a query */
- m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr);
+ m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr, server->edns_pktsz);
*length = htons(m);
else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
{
new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
- if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
- new_status = STAT_BOGUS;
+ if (status == STAT_NEED_DS)
+ {
+ if (new_status == STAT_NO_DS)
+ new_status = STAT_INSECURE_DS;
+ else if (new_status == STAT_NO_NS)
+ new_status = STAT_BOGUS;
+ }
}
else if (status == STAT_CHASE_CNAME)
new_status = dnssec_chase_cname(now, header, n, name, keyname);
another_tcp_key:
m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
- new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
+ new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, server->edns_pktsz);
*length = htons(m);
else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
{
new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
- if (status == STAT_NEED_DS && (new_status == STAT_NO_DS || new_status == STAT_NO_NS))
- new_status = STAT_BOGUS; /* Validated no DS */
+ if (status == STAT_NEED_DS)
+ {
+ if (new_status == STAT_NO_DS)
+ new_status = STAT_INSECURE_DS;
+ else if (new_status == STAT_NO_NS)
+ new_status = STAT_BOGUS; /* Validated no DS */
+ }
}
else if (status == STAT_CHASE_CNAME)
new_status = dnssec_chase_cname(now, header, n, name, keyname);
goto another_tcp_key;
}
}
-
+
free(packet);
}
return new_status;
int local_auth = 0;
#endif
int checking_disabled, ad_question, do_bit, added_pheader = 0;
- int check_subnet, no_cache_dnssec = 0, cache_secure = 0;
+ int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
size_t m;
unsigned short qtype;
unsigned int gotname;
{
int keycount = DNSSEC_WORK; /* Limit to number of DNSSEC questions, to catch loops and avoid filling cache. */
int status = tcp_key_recurse(now, STAT_TRUNCATED, header, m, 0, daemon->namebuff, daemon->keyname, last_server, &keycount);
- char *result;
+ char *result, *domain = "result";
+ if (status == STAT_INSECURE_DS)
+ {
+ /* We only cache sigs when we've validated a reply.
+ Avoid caching a reply with sigs if there's a vaildated break in the
+ DS chain, so we don't return replies from cache missing sigs. */
+ status = STAT_INSECURE;
+ no_cache_dnssec = 1;
+ }
+
if (keycount == 0)
- result = "ABANDONED";
+ {
+ result = "ABANDONED";
+ status = STAT_BOGUS;
+ }
else
result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
- log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
+ if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL))
+ domain = daemon->namebuff;
+
+ log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result);
if (status == STAT_BOGUS)
- no_cache_dnssec = 1;
-
+ {
+ no_cache_dnssec = 1;
+ bogusanswer = 1;
+ }
+
if (status == STAT_SECURE)
cache_secure = 1;
}
#endif
m = process_reply(header, now, last_server, (unsigned int)m,
- option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec,
- cache_secure, ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
+ option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer,
+ ad_question, do_bit, added_pheader, check_subnet, &peer_addr);
break;
}
else
return;
- while(sendto(fd, daemon->packet, daemon->packet_len, 0,
- &daemon->srv_save->addr.sa, sa_len(&daemon->srv_save->addr)) == -1 && retry_send());
+ while(retry_send(sendto(fd, daemon->packet, daemon->packet_len, 0,
+ &daemon->srv_save->addr.sa,
+ sa_len(&daemon->srv_save->addr))));
}
}