* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.218 2001/07/11 01:19:56 halley Exp $ */
+/* $Id: resolver.c,v 1.218.2.1 2001/09/21 18:50:46 gson Exp $ */
#include <config.h>
dns_rdataset_isassociated(event->rdataset) ||
fctx->type == dns_rdatatype_any ||
fctx->type == dns_rdatatype_sig);
+ INSIST((event->result != ISC_R_NCACHENXRRSET &&
+ event->result != ISC_R_NCACHENXDOMAIN) ||
+ dns_rdataset_isassociated(event->rdataset));
isc_task_sendanddetach(&task, (isc_event_t **)&event);
}
isc_event_free(&event);
}
-static void
-resquery_aborted(isc_task_t *task, isc_event_t *event) {
- resquery_t *query = event->ev_arg;
-
- REQUIRE(event->ev_type == DNS_EVENT_QUERYABORTED);
-
- QTRACE("blackholed");
-
- UNUSED(task);
-
- /*
- * Treat this as a "no response" to cause the RTT estimate to go up.
- */
- fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
-
- isc_event_free(&event);
-}
-
static inline isc_result_t
fctx_addopt(dns_message_t *message) {
dns_rdataset_t *rdataset;
isc_buffer_t *buffer;
isc_netaddr_t ipaddr;
dns_tsigkey_t *tsigkey = NULL;
- dns_acl_t *blackhole;
dns_peer_t *peer = NULL;
isc_boolean_t useedns;
- isc_boolean_t bogus;
- isc_boolean_t aborted = ISC_FALSE;
dns_compress_t cctx;
isc_boolean_t cleanup_cctx = ISC_FALSE;
address = &query->addrinfo->sockaddr;
isc_buffer_usedregion(buffer, &r);
-
- blackhole = dns_dispatchmgr_getblackhole(query->dispatchmgr);
- if (blackhole != NULL) {
- int match;
-
- if (dns_acl_match(&ipaddr, NULL, blackhole,
- &fctx->res->view->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
- match > 0)
- aborted = ISC_TRUE;
- }
-
- if (peer != NULL &&
- dns_peer_getbogus(peer, &bogus) == ISC_R_SUCCESS &&
- bogus)
- aborted = ISC_TRUE;
-
- if (aborted) {
- isc_event_t *event;
- event = isc_event_allocate(fctx->res->mctx, NULL,
- DNS_EVENT_QUERYABORTED,
- resquery_aborted, query,
- sizeof(isc_event_t));
- if (event == NULL)
- return (ISC_R_NOMEMORY);
- isc_task_send(task, &event);
- result = ISC_R_SUCCESS;
- goto cleanup_message;
- }
-
/*
* XXXRTH Make sure we don't send to ourselves! We should probably
* prune out these addresses when we get them from the ADB.
isc_netaddr_t na;
char buf[ISC_NETADDR_FORMATSIZE];
isc_sockaddr_t *sa;
+ isc_boolean_t aborted = ISC_FALSE;
+ isc_boolean_t bogus;
+ dns_acl_t *blackhole;
+ isc_netaddr_t ipaddr;
+ dns_peer_t *peer = NULL;
+ dns_resolver_t *res;
+ const char *msg = NULL;
sa = &addr->sockaddr;
- if (sa->type.sa.sa_family != AF_INET6)
- return;
+ res = fctx->res;
+ isc_netaddr_fromsockaddr(&ipaddr, sa);
+ blackhole = dns_dispatchmgr_getblackhole(res->dispatchmgr);
+ (void) dns_peerlist_peerbyaddr(res->view->peers, &ipaddr, &peer);
+
+ if (blackhole != NULL) {
+ int match;
+
+ if (dns_acl_match(&ipaddr, NULL, blackhole,
+ &res->view->aclenv,
+ &match, NULL) == ISC_R_SUCCESS &&
+ match > 0)
+ aborted = ISC_TRUE;
+ }
+
+ if (peer != NULL &&
+ dns_peer_getbogus(peer, &bogus) == ISC_R_SUCCESS &&
+ bogus)
+ aborted = ISC_TRUE;
- if (IN6_IS_ADDR_V4MAPPED(&sa->type.sin6.sin6_addr)) {
- isc_netaddr_fromsockaddr(&na, sa);
- isc_netaddr_format(&na, buf, sizeof buf);
+ if (aborted) {
+ addr->flags |= FCTX_ADDRINFO_MARK;
+ msg = "ignoring backholed / bogus server: ";
+ } else if (sa->type.sa.sa_family != AF_INET6) {
+ return;
+ } else if (IN6_IS_ADDR_V4MAPPED(&sa->type.sin6.sin6_addr)) {
addr->flags |= FCTX_ADDRINFO_MARK;
- FCTXTRACE2("ignoring IPv6 mapped IPV4 address: ", buf);
+ msg = "ignoring IPv6 mapped IPV4 address: ";
} else if (IN6_IS_ADDR_V4COMPAT(&sa->type.sin6.sin6_addr)) {
- isc_netaddr_fromsockaddr(&na, sa);
- isc_netaddr_format(&na, buf, sizeof buf);
addr->flags |= FCTX_ADDRINFO_MARK;
- FCTXTRACE2("ignoring IPv6 compatibility IPV4 address: ", buf);
- }
+ msg = "ignoring IPv6 compatibility IPV4 address: ";
+ } else
+ return;
+
+ if (!isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3)))
+ return;
+
+ isc_netaddr_fromsockaddr(&na, sa);
+ isc_netaddr_format(&na, buf, sizeof buf);
+ FCTXTRACE2(msg, buf);
}
static inline dns_adbaddrinfo_t *
return (result);
}
+/*
+ * Handle a no-answer response (NXDOMAIN, NXRRSET, or referral).
+ * If bind8_ns_resp is ISC_TRUE, this is a suspected BIND 8
+ * response to an NS query that should be treated as a referral
+ * even though the NS records occur in the answer section
+ * rather than the authority section.
+ */
static isc_result_t
-noanswer_response(fetchctx_t *fctx, dns_name_t *oqname) {
+noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
+ isc_boolean_t bind8_ns_resp)
+{
isc_result_t result;
dns_message_t *message;
dns_name_t *name, *qname, *ns_name, *soa_name;
dns_rdataset_t *rdataset, *ns_rdataset;
isc_boolean_t done, aa, negative_response;
dns_rdatatype_t type;
+ dns_section_t section =
+ bind8_ns_resp ? DNS_SECTION_ANSWER : DNS_SECTION_AUTHORITY;
FCTXTRACE("noanswer_response");
ns_name = NULL;
ns_rdataset = NULL;
soa_name = NULL;
- result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ result = dns_message_firstname(message, section);
while (!done && result == ISC_R_SUCCESS) {
name = NULL;
- dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+ dns_message_currentname(message, section, &name);
if (dns_name_issubdomain(name, &fctx->domain)) {
for (rdataset = ISC_LIST_HEAD(name->list);
rdataset != NULL;
}
}
}
- result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+ result = dns_message_nextname(message, section);
if (result == ISC_R_NOMORE)
break;
else if (result != ISC_R_SUCCESS)
* If it isn't a noanswer response, no harm will be
* done.
*/
- return (noanswer_response(fctx, qname));
+ return (noanswer_response(fctx, qname, ISC_FALSE));
}
/*
(message->rcode == dns_rcode_noerror ||
message->rcode == dns_rcode_nxdomain)) {
/*
- * We've got answers.
+ * We've got answers. However, if we sent
+ * a BIND 8 server an NS query, it may have
+ * incorrectly responded with a non-authoritative
+ * answer instead of a referral. Since this
+ * answer lacks the SIGs necessary to do DNSSEC
+ * validation, we must invoke the following special
+ * kludge to treat it as a referral.
*/
+ if (fctx->type == dns_rdatatype_ns &&
+ (message->flags & DNS_MESSAGEFLAG_AA) == 0 &&
+ !ISFORWARDER(query->addrinfo))
+ {
+ result = noanswer_response(fctx, NULL, ISC_TRUE);
+ if (result != DNS_R_DELEGATION) {
+ /*
+ * The answer section must have contained
+ * something other than the NS records
+ * we asked for. Since AA is not set
+ * and the server is not a forwarder,
+ * it is technically lame and it's easier
+ * to treat it as such than to figure out
+ * some more elaborate course of action.
+ */
+ broken_server = ISC_TRUE;
+ keep_trying = ISC_TRUE;
+ goto done;
+ }
+ goto force_referral;
+ }
result = answer_response(fctx);
if (result != ISC_R_SUCCESS) {
if (result == DNS_R_FORMERR)
/*
* NXDOMAIN, NXRDATASET, or referral.
*/
- result = noanswer_response(fctx, NULL);
+ result = noanswer_response(fctx, NULL, ISC_FALSE);
if (result == DNS_R_DELEGATION) {
+ force_referral:
/*
* We don't have the answer, but we know a better
* place to look.
projects / thirdparty / bind9.git / commitdiff
