1 /*
2 * query.c -- nsd(8) the resolver.
3 *
4 * Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
5 *
6 * See LICENSE for the license.
7 *
8 */
9
10 #include "config.h"
11
12 #include <sys/types.h>
13 #include <sys/socket.h>
14 #include <netinet/in.h>
15 #include <arpa/inet.h>
16 #include <assert.h>
17 #include <ctype.h>
18 #include <errno.h>
19 #include <limits.h>
20 #include <stddef.h>
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include <time.h>
25 #include <unistd.h>
26 #include <netdb.h>
27
28 #include "answer.h"
29 #include "axfr.h"
30 #include "dns.h"
31 #include "dname.h"
32 #include "nsd.h"
33 #include "namedb.h"
34 #include "query.h"
35 #include "util.h"
36 #include "options.h"
37 #include "nsec3.h"
38 #include "tsig.h"
39
40 /* [Bug #253] Adding unnecessary NS RRset may lead to undesired truncation.
41 * This function determines if the final response packet needs the NS RRset
42 * included. Currently, it will only return negative if QTYPE == DNSKEY|DS.
43 * This way, resolvers won't fallback to TCP unnecessarily when priming
44 * trust anchors.
45 */
46 static int answer_needs_ns(struct query *query);
47
48 static int add_rrset(struct query *query,
49 answer_type *answer,
50 rr_section_type section,
51 domain_type *owner,
52 rrset_type *rrset);
53
54 static void answer_authoritative(struct nsd *nsd,
55 struct query *q,
56 answer_type *answer,
57 size_t domain_number,
58 int exact,
59 domain_type *closest_match,
60 domain_type *closest_encloser,
61 const dname_type *qname);
62
63 static void answer_lookup_zone(struct nsd *nsd, struct query *q,
64 answer_type *answer, size_t domain_number,
65 int exact, domain_type *closest_match,
66 domain_type *closest_encloser,
67 const dname_type *qname);
68
69 void
query_put_dname_offset(struct query * q,domain_type * domain,uint16_t offset)70 query_put_dname_offset(struct query *q, domain_type *domain, uint16_t offset)
71 {
72 assert(q);
73 assert(domain);
74 assert(domain->number > 0);
75
76 if (offset > MAX_COMPRESSION_OFFSET)
77 return;
78 if (q->compressed_dname_count >= MAX_COMPRESSED_DNAMES)
79 return;
80
81 q->compressed_dname_offsets[domain->number] = offset;
82 q->compressed_dnames[q->compressed_dname_count] = domain;
83 ++q->compressed_dname_count;
84 }
85
86 void
query_clear_dname_offsets(struct query * q,size_t max_offset)87 query_clear_dname_offsets(struct query *q, size_t max_offset)
88 {
89 while (q->compressed_dname_count > 0
90 && (q->compressed_dname_offsets[q->compressed_dnames[q->compressed_dname_count - 1]->number]
91 >= max_offset))
92 {
93 q->compressed_dname_offsets[q->compressed_dnames[q->compressed_dname_count - 1]->number] = 0;
94 --q->compressed_dname_count;
95 }
96 }
97
98 void
query_clear_compression_tables(struct query * q)99 query_clear_compression_tables(struct query *q)
100 {
101 uint16_t i;
102
103 for (i = 0; i < q->compressed_dname_count; ++i) {
104 assert(q->compressed_dnames);
105 q->compressed_dname_offsets[q->compressed_dnames[i]->number] = 0;
106 }
107 q->compressed_dname_count = 0;
108 }
109
110 void
query_add_compression_domain(struct query * q,domain_type * domain,uint16_t offset)111 query_add_compression_domain(struct query *q, domain_type *domain, uint16_t offset)
112 {
113 while (domain->parent) {
114 DEBUG(DEBUG_NAME_COMPRESSION, 2,
115 (LOG_INFO, "query dname: %s, number: %lu, offset: %u\n",
116 domain_to_string(domain),
117 (unsigned long) domain->number,
118 offset));
119 query_put_dname_offset(q, domain, offset);
120 offset += label_length(dname_name(domain_dname(domain))) + 1;
121 domain = domain->parent;
122 }
123 }
124
125 /*
126 * Generate an error response with the specified RCODE.
127 */
128 query_state_type
query_error(struct query * q,nsd_rc_type rcode)129 query_error (struct query *q, nsd_rc_type rcode)
130 {
131 if (rcode == NSD_RC_DISCARD) {
132 return QUERY_DISCARDED;
133 }
134
135 buffer_clear(q->packet);
136
137 QR_SET(q->packet); /* This is an answer. */
138 AD_CLR(q->packet);
139 RCODE_SET(q->packet, (int) rcode); /* Error code. */
140
141 /* Truncate the question as well... */
142 QDCOUNT_SET(q->packet, 0);
143 ANCOUNT_SET(q->packet, 0);
144 NSCOUNT_SET(q->packet, 0);
145 ARCOUNT_SET(q->packet, 0);
146 buffer_set_position(q->packet, QHEADERSZ);
147 return QUERY_PROCESSED;
148 }
149
150 static int
query_ratelimit_err(nsd_type * nsd)151 query_ratelimit_err(nsd_type* nsd)
152 {
153 time_t now = time(NULL);
154 if(nsd->err_limit_time == now) {
155 /* see if limit is exceeded for this second */
156 if(nsd->err_limit_count++ > ERROR_RATELIMIT)
157 return 1;
158 } else {
159 /* new second, new limits */
160 nsd->err_limit_time = now;
161 nsd->err_limit_count = 1;
162 }
163 return 0;
164 }
165
166 static query_state_type
query_formerr(struct query * query,nsd_type * nsd)167 query_formerr (struct query *query, nsd_type* nsd)
168 {
169 int opcode = OPCODE(query->packet);
170 if(query_ratelimit_err(nsd))
171 return QUERY_DISCARDED;
172 FLAGS_SET(query->packet, FLAGS(query->packet) & 0x0100U);
173 /* Preserve the RD flag. Clear the rest. */
174 OPCODE_SET(query->packet, opcode);
175 return query_error(query, NSD_RC_FORMAT);
176 }
177
178 static void
query_cleanup(void * data)179 query_cleanup(void *data)
180 {
181 query_type *query = (query_type *) data;
182 region_destroy(query->region);
183 }
184
185 query_type *
query_create(region_type * region,uint16_t * compressed_dname_offsets,size_t compressed_dname_size,domain_type ** compressed_dnames)186 query_create(region_type *region, uint16_t *compressed_dname_offsets,
187 size_t compressed_dname_size, domain_type **compressed_dnames)
188 {
189 query_type *query
190 = (query_type *) region_alloc_zero(region, sizeof(query_type));
191 /* create region with large block size, because the initial chunk
192 saves many mallocs in the server */
193 query->region = region_create_custom(xalloc, free, 16384, 16384/8, 32, 0);
194 query->compressed_dname_offsets = compressed_dname_offsets;
195 query->compressed_dnames = compressed_dnames;
196 query->packet = buffer_create(region, QIOBUFSZ);
197 region_add_cleanup(region, query_cleanup, query);
198 query->compressed_dname_offsets_size = compressed_dname_size;
199 tsig_create_record(&query->tsig, region);
200 query->tsig_prepare_it = 1;
201 query->tsig_update_it = 1;
202 query->tsig_sign_it = 1;
203 return query;
204 }
205
206 void
query_reset(query_type * q,size_t maxlen,int is_tcp)207 query_reset(query_type *q, size_t maxlen, int is_tcp)
208 {
209 /*
210 * As long as less than 4Kb (region block size) has been used,
211 * this call to free_all is free, the block is saved for re-use,
212 * so no malloc() or free() calls are done.
213 * at present use of the region is for:
214 * o query qname dname_type (255 max).
215 * o wildcard expansion domain_type (7*ptr+u32+2bytes)+(5*ptr nsec3)
216 * o wildcard expansion for additional section domain_type.
217 * o nsec3 hashed name(s) (3 dnames for a nonexist_proof,
218 * one proof per wildcard and for nx domain).
219 */
220 region_free_all(q->region);
221 q->addrlen = sizeof(q->addr);
222 q->maxlen = maxlen;
223 q->reserved_space = 0;
224 buffer_clear(q->packet);
225 edns_init_record(&q->edns);
226 tsig_init_record(&q->tsig, NULL, NULL);
227 q->tsig_prepare_it = 1;
228 q->tsig_update_it = 1;
229 q->tsig_sign_it = 1;
230 q->tcp = is_tcp;
231 q->qname = NULL;
232 q->qtype = 0;
233 q->qclass = 0;
234 q->zone = NULL;
235 q->opcode = 0;
236 q->cname_count = 0;
237 q->delegation_domain = NULL;
238 q->delegation_rrset = NULL;
239 q->compressed_dname_count = 0;
240 q->number_temporary_domains = 0;
241
242 q->axfr_is_done = 0;
243 q->axfr_zone = NULL;
244 q->axfr_current_domain = NULL;
245 q->axfr_current_rrset = NULL;
246 q->axfr_current_rr = 0;
247
248 q->ixfr_is_done = 0;
249 q->ixfr_data = NULL;
250 q->ixfr_count_newsoa = 0;
251 q->ixfr_count_oldsoa = 0;
252 q->ixfr_count_del = 0;
253 q->ixfr_count_add = 0;
254
255 #ifdef RATELIMIT
256 q->wildcard_domain = NULL;
257 #endif
258 }
259
260 /* get a temporary domain number (or 0=failure) */
261 static domain_type*
query_get_tempdomain(struct query * q)262 query_get_tempdomain(struct query *q)
263 {
264 static domain_type d[EXTRA_DOMAIN_NUMBERS];
265 if(q->number_temporary_domains >= EXTRA_DOMAIN_NUMBERS)
266 return 0;
267 q->number_temporary_domains ++;
268 memset(&d[q->number_temporary_domains-1], 0, sizeof(domain_type));
269 d[q->number_temporary_domains-1].number = q->compressed_dname_offsets_size +
270 q->number_temporary_domains - 1;
271 return &d[q->number_temporary_domains-1];
272 }
273
274 static void
query_addtxt(struct query * q,const uint8_t * dname,uint16_t klass,uint32_t ttl,const char * txt)275 query_addtxt(struct query *q,
276 const uint8_t *dname,
277 uint16_t klass,
278 uint32_t ttl,
279 const char *txt)
280 {
281 size_t txt_length = strlen(txt);
282 uint8_t len = (uint8_t) txt_length;
283
284 assert(txt_length <= UCHAR_MAX);
285
286 /* Add the dname */
287 if (dname >= buffer_begin(q->packet)
288 && dname <= buffer_current(q->packet))
289 {
290 buffer_write_u16(q->packet,
291 0xc000 | (dname - buffer_begin(q->packet)));
292 } else {
293 buffer_write(q->packet, dname + 1, *dname);
294 }
295
296 buffer_write_u16(q->packet, TYPE_TXT);
297 buffer_write_u16(q->packet, klass);
298 buffer_write_u32(q->packet, ttl);
299 buffer_write_u16(q->packet, len + 1);
300 buffer_write_u8(q->packet, len);
301 buffer_write(q->packet, txt, len);
302 }
303
304 /*
305 * Parse the question section of a query. The normalized query name
306 * is stored in QUERY->name, the class in QUERY->klass, and the type
307 * in QUERY->type.
308 */
309 static int
process_query_section(query_type * query)310 process_query_section(query_type *query)
311 {
312 uint8_t qnamebuf[MAXDOMAINLEN];
313
314 buffer_set_position(query->packet, QHEADERSZ);
315 /* Lets parse the query name and convert it to lower case. */
316 if(!packet_read_query_section(query->packet, qnamebuf,
317 &query->qtype, &query->qclass))
318 return 0;
319 query->qname = dname_make(query->region, qnamebuf, 1);
320 return 1;
321 }
322
323
324 /*
325 * Process an optional EDNS OPT record. Sets QUERY->EDNS to 0 if
326 * there was no EDNS record, to -1 if there was an invalid or
327 * unsupported EDNS record, and to 1 otherwise. Updates QUERY->MAXLEN
328 * if the EDNS record specifies a maximum supported response length.
329 *
330 * Return NSD_RC_FORMAT on failure, NSD_RC_OK on success.
331 */
332 static nsd_rc_type
process_edns(nsd_type * nsd,struct query * q)333 process_edns(nsd_type* nsd, struct query *q)
334 {
335 if (q->edns.status == EDNS_ERROR) {
336 /* The only error is VERSION not implemented */
337 return NSD_RC_FORMAT;
338 }
339
340 if (q->edns.status == EDNS_OK) {
341 /* Only care about UDP size larger than normal... */
342 if (!q->tcp && q->edns.maxlen > UDP_MAX_MESSAGE_LEN) {
343 size_t edns_size;
344 #if defined(INET6)
345 if (q->addr.ss_family == AF_INET6) {
346 edns_size = nsd->ipv6_edns_size;
347 } else
348 #endif
349 edns_size = nsd->ipv4_edns_size;
350
351 if (q->edns.maxlen < edns_size) {
352 q->maxlen = q->edns.maxlen;
353 } else {
354 q->maxlen = edns_size;
355 }
356
357 #if defined(INET6) && !defined(IPV6_USE_MIN_MTU) && !defined(IPV6_MTU)
358 /*
359 * Use IPv6 minimum MTU to avoid sending
360 * packets that are too large for some links.
361 * IPv6 will not automatically fragment in
362 * this case (unlike IPv4).
363 */
364 if (q->addr.ss_family == AF_INET6
365 && q->maxlen > IPV6_MIN_MTU)
366 {
367 q->maxlen = IPV6_MIN_MTU;
368 }
369 #endif
370 }
371
372 /* Strip the OPT resource record off... */
373 buffer_set_position(q->packet, q->edns.position);
374 buffer_set_limit(q->packet, q->edns.position);
375 ARCOUNT_SET(q->packet, ARCOUNT(q->packet) - 1);
376 }
377 return NSD_RC_OK;
378 }
379
380 /*
381 * Processes TSIG.
382 * Sets error when tsig does not verify on the query.
383 */
384 static nsd_rc_type
process_tsig(struct query * q)385 process_tsig(struct query* q)
386 {
387 if(q->tsig.status == TSIG_ERROR)
388 return NSD_RC_FORMAT;
389 if(q->tsig.status == TSIG_OK) {
390 if(!tsig_from_query(&q->tsig)) {
391 char a[128];
392 addr2str(&q->addr, a, sizeof(a));
393 log_msg(LOG_ERR, "query: bad tsig (%s) for key %s from %s",
394 tsig_error(q->tsig.error_code),
395 dname_to_string(q->tsig.key_name, NULL), a);
396 return NSD_RC_NOTAUTH;
397 }
398 buffer_set_limit(q->packet, q->tsig.position);
399 ARCOUNT_SET(q->packet, ARCOUNT(q->packet) - 1);
400 tsig_prepare(&q->tsig);
401 tsig_update(&q->tsig, q->packet, buffer_limit(q->packet));
402 if(!tsig_verify(&q->tsig)) {
403 char a[128];
404 addr2str(&q->addr, a, sizeof(a));
405 log_msg(LOG_ERR, "query: bad tsig signature for key %s from %s",
406 dname_to_string(q->tsig.key->name, NULL), a);
407 return NSD_RC_NOTAUTH;
408 }
409 DEBUG(DEBUG_XFRD,1, (LOG_INFO, "query good tsig signature for %s",
410 dname_to_string(q->tsig.key->name, NULL)));
411 }
412 return NSD_RC_OK;
413 }
414
415 /*
416 * Check notify acl and forward to xfrd (or return an error).
417 */
418 static query_state_type
answer_notify(struct nsd * nsd,struct query * query)419 answer_notify(struct nsd* nsd, struct query *query)
420 {
421 int acl_num, acl_num_xfr;
422 struct acl_options *why;
423 nsd_rc_type rc;
424
425 struct zone_options* zone_opt;
426 DEBUG(DEBUG_XFRD,1, (LOG_INFO, "got notify %s processing acl",
427 dname_to_string(query->qname, NULL)));
428
429 zone_opt = zone_options_find(nsd->options, query->qname);
430 if(!zone_opt)
431 return query_error(query, NSD_RC_NXDOMAIN);
432
433 if(!nsd->this_child) /* we are in debug mode or something */
434 return query_error(query, NSD_RC_SERVFAIL);
435
436 if(!tsig_find_rr(&query->tsig, query->packet)) {
437 DEBUG(DEBUG_XFRD,2, (LOG_ERR, "bad tsig RR format"));
438 return query_error(query, NSD_RC_FORMAT);
439 }
440 rc = process_tsig(query);
441 if(rc != NSD_RC_OK)
442 return query_error(query, rc);
443
444 /* check if it passes acl */
445 if((acl_num = acl_check_incoming(zone_opt->pattern->allow_notify, query,
446 &why)) != -1)
447 {
448 sig_atomic_t mode = NSD_PASS_TO_XFRD;
449 int s = nsd->this_child->parent_fd;
450 uint16_t sz;
451 uint32_t acl_send = htonl(acl_num);
452 uint32_t acl_xfr;
453 size_t pos;
454
455 /* Find priority candidate for request XFR. -1 if no match */
456 acl_num_xfr = acl_check_incoming(
457 zone_opt->pattern->request_xfr, query, NULL);
458
459 acl_xfr = htonl(acl_num_xfr);
460
461 assert(why);
462 DEBUG(DEBUG_XFRD,1, (LOG_INFO, "got notify %s passed acl %s %s",
463 dname_to_string(query->qname, NULL),
464 why->ip_address_spec,
465 why->nokey?"NOKEY":
466 (why->blocked?"BLOCKED":why->key_name)));
467 sz = buffer_limit(query->packet);
468 if(buffer_limit(query->packet) > MAX_PACKET_SIZE)
469 return query_error(query, NSD_RC_SERVFAIL);
470 /* forward to xfrd for processing
471 Note. Blocking IPC I/O, but acl is OK. */
472 sz = htons(sz);
473 if(!write_socket(s, &mode, sizeof(mode)) ||
474 !write_socket(s, &sz, sizeof(sz)) ||
475 !write_socket(s, buffer_begin(query->packet),
476 buffer_limit(query->packet)) ||
477 !write_socket(s, &acl_send, sizeof(acl_send)) ||
478 !write_socket(s, &acl_xfr, sizeof(acl_xfr))) {
479 log_msg(LOG_ERR, "error in IPC notify server2main, %s",
480 strerror(errno));
481 return query_error(query, NSD_RC_SERVFAIL);
482 }
483 if(verbosity >= 1) {
484 uint32_t serial = 0;
485 char address[128];
486 addr2str(&query->addr, address, sizeof(address));
487 if(packet_find_notify_serial(query->packet, &serial))
488 VERBOSITY(1, (LOG_INFO, "notify for %s from %s serial %u",
489 dname_to_string(query->qname, NULL), address,
490 (unsigned)serial));
491 else
492 VERBOSITY(1, (LOG_INFO, "notify for %s from %s",
493 dname_to_string(query->qname, NULL), address));
494 }
495
496 /* create notify reply - keep same query contents */
497 QR_SET(query->packet); /* This is an answer. */
498 AA_SET(query->packet); /* we are authoritative. */
499 ANCOUNT_SET(query->packet, 0);
500 NSCOUNT_SET(query->packet, 0);
501 ARCOUNT_SET(query->packet, 0);
502 RCODE_SET(query->packet, RCODE_OK); /* Error code. */
503 /* position is right after the query */
504 pos = buffer_position(query->packet);
505 buffer_clear(query->packet);
506 buffer_set_position(query->packet, pos);
507 /* tsig is added in add_additional later (if needed) */
508 return QUERY_PROCESSED;
509 }
510
511 if (verbosity >= 2) {
512 char address[128];
513 addr2str(&query->addr, address, sizeof(address));
514 VERBOSITY(2, (LOG_INFO, "notify for %s from %s refused, %s%s",
515 dname_to_string(query->qname, NULL),
516 address,
517 why?why->key_name:"no acl matches",
518 why?why->ip_address_spec:"."));
519 }
520
521 return query_error(query, NSD_RC_REFUSE);
522 }
523
524
525 /*
526 * Answer a query in the CHAOS class.
527 */
528 static query_state_type
answer_chaos(struct nsd * nsd,query_type * q)529 answer_chaos(struct nsd *nsd, query_type *q)
530 {
531 AA_CLR(q->packet);
532 switch (q->qtype) {
533 case TYPE_ANY:
534 case TYPE_TXT:
535 if ((q->qname->name_size == 11
536 && memcmp(dname_name(q->qname), "\002id\006server", 11) == 0) ||
537 (q->qname->name_size == 15
538 && memcmp(dname_name(q->qname), "\010hostname\004bind", 15) == 0))
539 {
540 if(!nsd->options->hide_identity) {
541 /* Add ID */
542 query_addtxt(q,
543 buffer_begin(q->packet) + QHEADERSZ,
544 CLASS_CH,
545 0,
546 nsd->identity);
547 ANCOUNT_SET(q->packet, ANCOUNT(q->packet) + 1);
548 } else {
549 RCODE_SET(q->packet, RCODE_REFUSE);
550 /* RFC8914 - Extended DNS Errors
551 * 4.19. Extended DNS Error Code 18 - Prohibited */
552 q->edns.ede = EDE_PROHIBITED;
553 }
554 } else if ((q->qname->name_size == 16
555 && memcmp(dname_name(q->qname), "\007version\006server", 16) == 0) ||
556 (q->qname->name_size == 14
557 && memcmp(dname_name(q->qname), "\007version\004bind", 14) == 0))
558 {
559 if(!nsd->options->hide_version) {
560 /* Add version */
561 query_addtxt(q,
562 buffer_begin(q->packet) + QHEADERSZ,
563 CLASS_CH,
564 0,
565 nsd->version);
566 ANCOUNT_SET(q->packet, ANCOUNT(q->packet) + 1);
567 } else {
568 RCODE_SET(q->packet, RCODE_REFUSE);
569 /* RFC8914 - Extended DNS Errors
570 * 4.19. Extended DNS Error Code 18 - Prohibited */
571 q->edns.ede = EDE_PROHIBITED;
572 }
573 } else {
574 RCODE_SET(q->packet, RCODE_REFUSE);
575 /* RFC8914 - Extended DNS Errors
576 * 4.22. Extended DNS Error Code 21 - Not Supported */
577 q->edns.ede = EDE_NOT_SUPPORTED;
578
579 }
580 break;
581 default:
582 RCODE_SET(q->packet, RCODE_REFUSE);
583 /* RFC8914 - Extended DNS Errors
584 * 4.22. Extended DNS Error Code 21 - Not Supported */
585 q->edns.ede = EDE_NOT_SUPPORTED;
586 break;
587 }
588
589 return QUERY_PROCESSED;
590 }
591
592
593 /*
594 * Find the covering NSEC for a non-existent domain name. Normally
595 * the NSEC will be located at CLOSEST_MATCH, except when it is an
596 * empty non-terminal. In this case the NSEC may be located at the
597 * previous domain name (in canonical ordering).
598 */
599 static domain_type *
find_covering_nsec(domain_type * closest_match,zone_type * zone,rrset_type ** nsec_rrset)600 find_covering_nsec(domain_type *closest_match,
601 zone_type *zone,
602 rrset_type **nsec_rrset)
603 {
604 assert(closest_match);
605 assert(nsec_rrset);
606
607 /* loop away temporary created domains. For real ones it is &RBTREE_NULL */
608 #ifdef USE_RADIX_TREE
609 while (closest_match->rnode == NULL)
610 #else
611 while (closest_match->node.parent == NULL)
612 #endif
613 closest_match = closest_match->parent;
614 while (closest_match) {
615 *nsec_rrset = domain_find_rrset(closest_match, zone, TYPE_NSEC);
616 if (*nsec_rrset) {
617 return closest_match;
618 }
619 if (closest_match == zone->apex) {
620 /* Don't look outside the current zone. */
621 return NULL;
622 }
623 closest_match = domain_previous(closest_match);
624 }
625 return NULL;
626 }
627
628
629 struct additional_rr_types
630 {
631 uint16_t rr_type;
632 rr_section_type rr_section;
633 };
634
635 struct additional_rr_types default_additional_rr_types[] = {
636 { TYPE_A, ADDITIONAL_A_SECTION },
637 { TYPE_AAAA, ADDITIONAL_AAAA_SECTION },
638 { 0, (rr_section_type) 0 }
639 };
640
641 struct additional_rr_types swap_aaaa_additional_rr_types[] = {
642 { TYPE_AAAA, ADDITIONAL_A_SECTION },
643 { TYPE_A, ADDITIONAL_AAAA_SECTION },
644 { 0, (rr_section_type) 0 }
645 };
646
647 struct additional_rr_types rt_additional_rr_types[] = {
648 { TYPE_A, ADDITIONAL_A_SECTION },
649 { TYPE_AAAA, ADDITIONAL_AAAA_SECTION },
650 { TYPE_X25, ADDITIONAL_OTHER_SECTION },
651 { TYPE_ISDN, ADDITIONAL_OTHER_SECTION },
652 { 0, (rr_section_type) 0 }
653 };
654
655 static void
add_additional_rrsets(struct query * query,answer_type * answer,rrset_type * master_rrset,size_t rdata_index,int allow_glue,struct additional_rr_types types[])656 add_additional_rrsets(struct query *query, answer_type *answer,
657 rrset_type *master_rrset, size_t rdata_index,
658 int allow_glue, struct additional_rr_types types[])
659 {
660 size_t i;
661
662 assert(query);
663 assert(answer);
664 assert(master_rrset);
665 assert(rdata_atom_is_domain(rrset_rrtype(master_rrset), rdata_index));
666
667 for (i = 0; i < master_rrset->rr_count; ++i) {
668 int j;
669 domain_type *additional = rdata_atom_domain(master_rrset->rrs[i].rdatas[rdata_index]);
670 domain_type *match = additional;
671
672 assert(additional);
673
674 if (!allow_glue && domain_is_glue(match, query->zone))
675 continue;
676
677 /*
678 * Check to see if we need to generate the dependent
679 * based on a wildcard domain.
680 */
681 while (!match->is_existing) {
682 match = match->parent;
683 }
684 if (additional != match && domain_wildcard_child(match)) {
685 domain_type *wildcard_child = domain_wildcard_child(match);
686 domain_type *temp = (domain_type *) region_alloc(
687 query->region, sizeof(domain_type));
688 #ifdef USE_RADIX_TREE
689 temp->rnode = NULL;
690 temp->dname = additional->dname;
691 #else
692 memcpy(&temp->node, &additional->node, sizeof(rbnode_type));
693 temp->node.parent = NULL;
694 #endif
695 temp->number = additional->number;
696 temp->parent = match;
697 temp->wildcard_child_closest_match = temp;
698 temp->rrsets = wildcard_child->rrsets;
699 temp->is_existing = wildcard_child->is_existing;
700 additional = temp;
701 }
702
703 for (j = 0; types[j].rr_type != 0; ++j) {
704 rrset_type *rrset = domain_find_rrset(
705 additional, query->zone, types[j].rr_type);
706 if (rrset) {
707 answer_add_rrset(answer, types[j].rr_section,
708 additional, rrset);
709 }
710 }
711 }
712 }
713
714 static int
answer_needs_ns(struct query * query)715 answer_needs_ns(struct query* query)
716 {
717 assert(query);
718 /* Currently, only troublesome for DNSKEY and DS,
719 * cuz their RRSETs are quite large. */
720 return (query->qtype != TYPE_DNSKEY && query->qtype != TYPE_DS
721 && query->qtype != TYPE_ANY);
722 }
723
724 static int
add_rrset(struct query * query,answer_type * answer,rr_section_type section,domain_type * owner,rrset_type * rrset)725 add_rrset(struct query *query,
726 answer_type *answer,
727 rr_section_type section,
728 domain_type *owner,
729 rrset_type *rrset)
730 {
731 int result;
732
733 assert(query);
734 assert(answer);
735 assert(owner);
736 assert(rrset);
737 assert(rrset_rrclass(rrset) == CLASS_IN);
738
739 result = answer_add_rrset(answer, section, owner, rrset);
740 if(minimal_responses && section != AUTHORITY_SECTION &&
741 query->qtype != TYPE_NS)
742 return result;
743 switch (rrset_rrtype(rrset)) {
744 case TYPE_NS:
745 #if defined(INET6)
746 /* if query over IPv6, swap A and AAAA; put AAAA first */
747 add_additional_rrsets(query, answer, rrset, 0, 1,
748 (query->addr.ss_family == AF_INET6)?
749 swap_aaaa_additional_rr_types:
750 default_additional_rr_types);
751 #else
752 add_additional_rrsets(query, answer, rrset, 0, 1,
753 default_additional_rr_types);
754 #endif
755 break;
756 case TYPE_MB:
757 add_additional_rrsets(query, answer, rrset, 0, 0,
758 default_additional_rr_types);
759 break;
760 case TYPE_MX:
761 case TYPE_KX:
762 add_additional_rrsets(query, answer, rrset, 1, 0,
763 default_additional_rr_types);
764 break;
765 case TYPE_RT:
766 add_additional_rrsets(query, answer, rrset, 1, 0,
767 rt_additional_rr_types);
768 break;
769 case TYPE_SRV:
770 add_additional_rrsets(query, answer, rrset, 3, 0,
771 default_additional_rr_types);
772 break;
773 default:
774 break;
775 }
776
777 return result;
778 }
779
780
781 /* returns 0 on error, or the domain number for to_name.
782 from_name is changes to to_name by the DNAME rr.
783 DNAME rr is from src to dest.
784 closest encloser encloses the to_name. */
785 static size_t
query_synthesize_cname(struct query * q,struct answer * answer,const dname_type * from_name,const dname_type * to_name,domain_type * src,domain_type * to_closest_encloser,domain_type ** to_closest_match,uint32_t ttl)786 query_synthesize_cname(struct query* q, struct answer* answer, const dname_type* from_name,
787 const dname_type* to_name, domain_type* src, domain_type* to_closest_encloser,
788 domain_type** to_closest_match, uint32_t ttl)
789 {
790 /* add temporary domains for from_name and to_name and all
791 their (not allocated yet) parents */
792 /* any domains below src are not_existing (because of DNAME at src) */
793 int i;
794 size_t j;
795 domain_type* cname_domain;
796 domain_type* cname_dest;
797 rrset_type* rrset;
798
799 domain_type* lastparent = src;
800 assert(q && answer && from_name && to_name && src && to_closest_encloser);
801 assert(to_closest_match);
802
803 /* check for loop by duplicate CNAME rrset synthesized */
804 for(j=0; j<answer->rrset_count; ++j) {
805 if(answer->section[j] == ANSWER_SECTION &&
806 answer->rrsets[j]->rr_count == 1 &&
807 answer->rrsets[j]->rrs[0].type == TYPE_CNAME &&
808 dname_compare(domain_dname(answer->rrsets[j]->rrs[0].owner), from_name) == 0 &&
809 answer->rrsets[j]->rrs[0].rdata_count == 1 &&
810 dname_compare(domain_dname(answer->rrsets[j]->rrs[0].rdatas->domain), to_name) == 0) {
811 DEBUG(DEBUG_QUERY,2, (LOG_INFO, "loop for synthesized CNAME rrset for query %s", dname_to_string(q->qname, NULL)));
812 return 0;
813 }
814 }
815
816 /* allocate source part */
817 for(i=0; i < from_name->label_count - domain_dname(src)->label_count; i++)
818 {
819 domain_type* newdom = query_get_tempdomain(q);
820 if(!newdom)
821 return 0;
822 newdom->is_existing = 1;
823 newdom->parent = lastparent;
824 #ifdef USE_RADIX_TREE
825 newdom->dname
826 #else
827 newdom->node.key
828 #endif
829 = dname_partial_copy(q->region,
830 from_name, domain_dname(src)->label_count + i + 1);
831 if(dname_compare(domain_dname(newdom), q->qname) == 0) {
832 /* 0 good for query name, otherwise new number */
833 newdom->number = 0;
834 }
835 DEBUG(DEBUG_QUERY,2, (LOG_INFO, "created temp domain src %d. %s nr %d", i,
836 domain_to_string(newdom), (int)newdom->number));
837 lastparent = newdom;
838 }
839 cname_domain = lastparent;
840
841 /* allocate dest part */
842 lastparent = to_closest_encloser;
843 for(i=0; i < to_name->label_count - domain_dname(to_closest_encloser)->label_count;
844 i++)
845 {
846 domain_type* newdom = query_get_tempdomain(q);
847 if(!newdom)
848 return 0;
849 newdom->is_existing = 0;
850 newdom->parent = lastparent;
851 #ifdef USE_RADIX_TREE
852 newdom->dname
853 #else
854 newdom->node.key
855 #endif
856 = dname_partial_copy(q->region,
857 to_name, domain_dname(to_closest_encloser)->label_count + i + 1);
858 DEBUG(DEBUG_QUERY,2, (LOG_INFO, "created temp domain dest %d. %s nr %d", i,
859 domain_to_string(newdom), (int)newdom->number));
860 lastparent = newdom;
861 }
862 cname_dest = lastparent;
863 *to_closest_match = cname_dest;
864
865 /* allocate the CNAME RR */
866 rrset = (rrset_type*) region_alloc(q->region, sizeof(rrset_type));
867 memset(rrset, 0, sizeof(rrset_type));
868 rrset->zone = q->zone;
869 rrset->rr_count = 1;
870 rrset->rrs = (rr_type*) region_alloc(q->region, sizeof(rr_type));
871 memset(rrset->rrs, 0, sizeof(rr_type));
872 rrset->rrs->owner = cname_domain;
873 rrset->rrs->ttl = ttl;
874 rrset->rrs->type = TYPE_CNAME;
875 rrset->rrs->klass = CLASS_IN;
876 rrset->rrs->rdata_count = 1;
877 rrset->rrs->rdatas = (rdata_atom_type*)region_alloc(q->region,
878 sizeof(rdata_atom_type));
879 rrset->rrs->rdatas->domain = cname_dest;
880
881 if(!add_rrset(q, answer, ANSWER_SECTION, cname_domain, rrset)) {
882 DEBUG(DEBUG_QUERY,2, (LOG_INFO, "could not add synthesized CNAME rrset to packet for query %s", dname_to_string(q->qname, NULL)));
883 /* failure to add CNAME; likely is a loop, the same twice */
884 return 0;
885 }
886
887 return cname_dest->number;
888 }
889
890 /*
891 * Answer delegation information.
892 *
893 * DNSSEC: Include the DS RRset if present. Otherwise include an NSEC
894 * record proving the DS RRset does not exist.
895 */
896 static void
answer_delegation(query_type * query,answer_type * answer)897 answer_delegation(query_type *query, answer_type *answer)
898 {
899 assert(answer);
900 assert(query->delegation_domain);
901 assert(query->delegation_rrset);
902
903 if (query->cname_count == 0) {
904 AA_CLR(query->packet);
905 } else {
906 AA_SET(query->packet);
907 }
908
909 add_rrset(query,
910 answer,
911 AUTHORITY_SECTION,
912 query->delegation_domain,
913 query->delegation_rrset);
914 if (query->edns.dnssec_ok && zone_is_secure(query->zone)) {
915 rrset_type *rrset;
916 if ((rrset = domain_find_rrset(query->delegation_domain, query->zone, TYPE_DS))) {
917 add_rrset(query, answer, AUTHORITY_SECTION,
918 query->delegation_domain, rrset);
919 #ifdef NSEC3
920 } else if (query->zone->nsec3_param) {
921 nsec3_answer_delegation(query, answer);
922 #endif
923 } else if ((rrset = domain_find_rrset(query->delegation_domain, query->zone, TYPE_NSEC))) {
924 add_rrset(query, answer, AUTHORITY_SECTION,
925 query->delegation_domain, rrset);
926 }
927 }
928 }
929
930
931 /*
932 * Answer SOA information.
933 */
934 static void
answer_soa(struct query * query,answer_type * answer)935 answer_soa(struct query *query, answer_type *answer)
936 {
937 if (query->qclass != CLASS_ANY) {
938 add_rrset(query, answer,
939 AUTHORITY_SECTION,
940 query->zone->apex,
941 query->zone->soa_nx_rrset);
942 }
943 }
944
945
946 /*
947 * Answer that the domain name exists but there is no RRset with the
948 * requested type.
949 *
950 * DNSSEC: Include the correct NSEC record proving that the type does
951 * not exist. In the wildcard no data (3.1.3.4) case the wildcard IS
952 * NOT expanded, so the ORIGINAL parameter must point to the original
953 * wildcard entry, not to the generated entry.
954 */
955 static void
answer_nodata(struct query * query,answer_type * answer,domain_type * original)956 answer_nodata(struct query *query, answer_type *answer, domain_type *original)
957 {
958 answer_soa(query, answer);
959
960 #ifdef NSEC3
961 if (query->edns.dnssec_ok && query->zone->nsec3_param) {
962 nsec3_answer_nodata(query, answer, original);
963 } else
964 #endif
965 if (query->edns.dnssec_ok && zone_is_secure(query->zone)) {
966 domain_type *nsec_domain;
967 rrset_type *nsec_rrset;
968
969 nsec_domain = find_covering_nsec(original, query->zone, &nsec_rrset);
970 if (nsec_domain) {
971 add_rrset(query, answer, AUTHORITY_SECTION, nsec_domain, nsec_rrset);
972 }
973 }
974 }
975
976 static void
answer_nxdomain(query_type * query,answer_type * answer)977 answer_nxdomain(query_type *query, answer_type *answer)
978 {
979 RCODE_SET(query->packet, RCODE_NXDOMAIN);
980 answer_soa(query, answer);
981 }
982
983
984 /*
985 * Answer domain information (or SOA if we do not have an RRset for
986 * the type specified by the query).
987 */
988 static void
answer_domain(struct nsd * nsd,struct query * q,answer_type * answer,domain_type * domain,domain_type * original)989 answer_domain(struct nsd* nsd, struct query *q, answer_type *answer,
990 domain_type *domain, domain_type *original)
991 {
992 rrset_type *rrset;
993
994 if (q->qtype == TYPE_ANY) {
995 rrset_type *preferred_rrset = NULL;
996 rrset_type *normal_rrset = NULL;
997 rrset_type *non_preferred_rrset = NULL;
998
999 /*
1000 * Minimize response size for ANY, with one RRset
1001 * according to RFC 8482(4.1).
1002 * Prefers popular and not large rtypes (A,AAAA,...)
1003 * lowering large ones (DNSKEY,RRSIG,...).
1004 */
1005 for (rrset = domain_find_any_rrset(domain, q->zone); rrset; rrset = rrset->next) {
1006 if (rrset->zone == q->zone
1007 #ifdef NSEC3
1008 && rrset_rrtype(rrset) != TYPE_NSEC3
1009 #endif
1010 /*
1011 * Don't include the RRSIG RRset when
1012 * DNSSEC is used, because it is added
1013 * automatically on an per-RRset basis.
1014 */
1015 && !(q->edns.dnssec_ok
1016 && zone_is_secure(q->zone)
1017 && rrset_rrtype(rrset) == TYPE_RRSIG))
1018 {
1019 switch(rrset_rrtype(rrset)) {
1020 case TYPE_A:
1021 case TYPE_AAAA:
1022 case TYPE_SOA:
1023 case TYPE_MX:
1024 case TYPE_PTR:
1025 preferred_rrset = rrset;
1026 break;
1027 case TYPE_DNSKEY:
1028 case TYPE_RRSIG:
1029 case TYPE_NSEC:
1030 non_preferred_rrset = rrset;
1031 break;
1032 default:
1033 normal_rrset = rrset;
1034 }
1035 if (preferred_rrset) break;
1036 }
1037 }
1038 if (preferred_rrset) {
1039 add_rrset(q, answer, ANSWER_SECTION, domain, preferred_rrset);
1040 } else if (normal_rrset) {
1041 add_rrset(q, answer, ANSWER_SECTION, domain, normal_rrset);
1042 } else if (non_preferred_rrset) {
1043 add_rrset(q, answer, ANSWER_SECTION, domain, non_preferred_rrset);
1044 } else {
1045 answer_nodata(q, answer, original);
1046 return;
1047 }
1048 #ifdef NSEC3
1049 } else if (q->qtype == TYPE_NSEC3) {
1050 answer_nodata(q, answer, original);
1051 return;
1052 #endif
1053 } else if ((rrset = domain_find_rrset(domain, q->zone, q->qtype))) {
1054 add_rrset(q, answer, ANSWER_SECTION, domain, rrset);
1055 } else if ((rrset = domain_find_rrset(domain, q->zone, TYPE_CNAME))) {
1056 int added;
1057
1058 /*
1059 * If the CNAME is not added it is already in the
1060 * answer, so we have a CNAME loop. Don't follow the
1061 * CNAME target in this case.
1062 */
1063 added = add_rrset(q, answer, ANSWER_SECTION, domain, rrset);
1064 assert(rrset->rr_count > 0);
1065 if (added) {
1066 /* only process first CNAME record */
1067 domain_type *closest_match = rdata_atom_domain(rrset->rrs[0].rdatas[0]);
1068 domain_type *closest_encloser = closest_match;
1069 zone_type* origzone = q->zone;
1070 ++q->cname_count;
1071
1072 answer_lookup_zone(nsd, q, answer, closest_match->number,
1073 closest_match == closest_encloser,
1074 closest_match, closest_encloser,
1075 domain_dname(closest_match));
1076 q->zone = origzone;
1077 }
1078 return;
1079 } else {
1080 answer_nodata(q, answer, original);
1081 return;
1082 }
1083
1084 if (q->qclass != CLASS_ANY && q->zone->ns_rrset && answer_needs_ns(q)
1085 && !minimal_responses) {
1086 add_rrset(q, answer, OPTIONAL_AUTHORITY_SECTION, q->zone->apex,
1087 q->zone->ns_rrset);
1088 }
1089 }
1090
1091
1092 /*
1093 * Answer with authoritative data. If a wildcard is matched the owner
1094 * name will be expanded to the domain name specified by
1095 * DOMAIN_NUMBER. DOMAIN_NUMBER 0 (zero) is reserved for the original
1096 * query name.
1097 *
1098 * DNSSEC: Include the necessary NSEC records in case the request
1099 * domain name does not exist and/or a wildcard match does not exist.
1100 */
1101 static void
answer_authoritative(struct nsd * nsd,struct query * q,answer_type * answer,size_t domain_number,int exact,domain_type * closest_match,domain_type * closest_encloser,const dname_type * qname)1102 answer_authoritative(struct nsd *nsd,
1103 struct query *q,
1104 answer_type *answer,
1105 size_t domain_number,
1106 int exact,
1107 domain_type *closest_match,
1108 domain_type *closest_encloser,
1109 const dname_type *qname)
1110 {
1111 domain_type *match;
1112 domain_type *original = closest_match;
1113 domain_type *dname_ce;
1114 domain_type *wildcard_child;
1115 rrset_type *rrset;
1116
1117 #ifdef NSEC3
1118 if(exact && domain_has_only_NSEC3(closest_match, q->zone)) {
1119 exact = 0; /* pretend it does not exist */
1120 if(closest_encloser->parent)
1121 closest_encloser = closest_encloser->parent;
1122 }
1123 #endif /* NSEC3 */
1124 if((dname_ce = find_dname_above(closest_encloser, q->zone)) != NULL) {
1125 /* occlude the found data, the DNAME is closest_encloser */
1126 closest_encloser = dname_ce;
1127 exact = 0;
1128 }
1129
1130 if (exact) {
1131 match = closest_match;
1132 } else if ((rrset=domain_find_rrset(closest_encloser, q->zone, TYPE_DNAME))) {
1133 /* process DNAME */
1134 const dname_type* name = qname;
1135 domain_type* src = closest_encloser;
1136 domain_type *dest = rdata_atom_domain(rrset->rrs[0].rdatas[0]);
1137 const dname_type* newname;
1138 size_t newnum = 0;
1139 zone_type* origzone = q->zone;
1140 assert(rrset->rr_count > 0);
1141 if(domain_number != 0) /* we followed CNAMEs or DNAMEs */
1142 name = domain_dname(closest_match);
1143 DEBUG(DEBUG_QUERY,2, (LOG_INFO, "expanding DNAME for q=%s", dname_to_string(name, NULL)));
1144 DEBUG(DEBUG_QUERY,2, (LOG_INFO, "->src is %s",
1145 domain_to_string(closest_encloser)));
1146 DEBUG(DEBUG_QUERY,2, (LOG_INFO, "->dest is %s",
1147 domain_to_string(dest)));
1148 if(!add_rrset(q, answer, ANSWER_SECTION, closest_encloser, rrset)) {
1149 /* stop if DNAME loops, when added second time */
1150 if(dname_is_subdomain(domain_dname(dest), domain_dname(src))) {
1151 return;
1152 }
1153 }
1154 newname = dname_replace(q->region, name,
1155 domain_dname(src), domain_dname(dest));
1156 ++q->cname_count;
1157 if(!newname) { /* newname too long */
1158 RCODE_SET(q->packet, RCODE_YXDOMAIN);
1159 /* RFC 8914 - Extended DNS Errors
1160 * 4.21. Extended DNS Error Code 0 - Other */
1161 ASSIGN_EDE_CODE_AND_STRING_LITERAL(q->edns.ede,
1162 EDE_OTHER, "DNAME expansion became too large");
1163 return;
1164 }
1165 DEBUG(DEBUG_QUERY,2, (LOG_INFO, "->result is %s", dname_to_string(newname, NULL)));
1166 /* follow the DNAME */
1167 (void)namedb_lookup(nsd->db, newname, &closest_match, &closest_encloser);
1168 /* synthesize CNAME record */
1169 newnum = query_synthesize_cname(q, answer, name, newname,
1170 src, closest_encloser, &closest_match, rrset->rrs[0].ttl);
1171 if(!newnum) {
1172 /* could not synthesize the CNAME. */
1173 /* return previous CNAMEs to make resolver recurse for us */
1174 return;
1175 }
1176 if(q->qtype == TYPE_CNAME) {
1177 /* The synthesized CNAME is the answer to
1178 * that query, same as BIND does for query
1179 * of type CNAME */
1180 return;
1181 }
1182
1183 answer_lookup_zone(nsd, q, answer, newnum,
1184 closest_match == closest_encloser,
1185 closest_match, closest_encloser, newname);
1186 q->zone = origzone;
1187 return;
1188 } else if ((wildcard_child=domain_wildcard_child(closest_encloser))!=NULL &&
1189 wildcard_child->is_existing) {
1190 /* Generate the domain from the wildcard. */
1191 #ifdef RATELIMIT
1192 q->wildcard_domain = wildcard_child;
1193 #endif
1194
1195 match = (domain_type *) region_alloc(q->region,
1196 sizeof(domain_type));
1197 #ifdef USE_RADIX_TREE
1198 match->rnode = NULL;
1199 match->dname = wildcard_child->dname;
1200 #else
1201 memcpy(&match->node, &wildcard_child->node, sizeof(rbnode_type));
1202 match->node.parent = NULL;
1203 #endif
1204 match->parent = closest_encloser;
1205 match->wildcard_child_closest_match = match;
1206 match->number = domain_number;
1207 match->rrsets = wildcard_child->rrsets;
1208 match->is_existing = wildcard_child->is_existing;
1209 #ifdef NSEC3
1210 match->nsec3 = wildcard_child->nsec3;
1211 /* copy over these entries:
1212 match->nsec3_is_exact = wildcard_child->nsec3_is_exact;
1213 match->nsec3_cover = wildcard_child->nsec3_cover;
1214 match->nsec3_wcard_child_cover = wildcard_child->nsec3_wcard_child_cover;
1215 match->nsec3_ds_parent_is_exact = wildcard_child->nsec3_ds_parent_is_exact;
1216 match->nsec3_ds_parent_cover = wildcard_child->nsec3_ds_parent_cover;
1217 */
1218
1219 if (q->edns.dnssec_ok && q->zone->nsec3_param) {
1220 /* Only add nsec3 wildcard data when do bit is set */
1221 nsec3_answer_wildcard(q, answer, wildcard_child, qname);
1222 }
1223 #endif
1224
1225 /*
1226 * Remember the original domain in case a Wildcard No
1227 * Data (3.1.3.4) response needs to be generated. In
1228 * this particular case the wildcard IS NOT
1229 * expanded.
1230 */
1231 original = wildcard_child;
1232 } else {
1233 match = NULL;
1234 }
1235
1236 /* Authoritative zone. */
1237 #ifdef NSEC3
1238 if (q->edns.dnssec_ok && q->zone->nsec3_param) {
1239 nsec3_answer_authoritative(&match, q, answer,
1240 closest_encloser, qname);
1241 } else
1242 #endif
1243 if (q->edns.dnssec_ok && zone_is_secure(q->zone)) {
1244 if (match != closest_encloser) {
1245 domain_type *nsec_domain;
1246 rrset_type *nsec_rrset;
1247
1248 /*
1249 * No match found or generated from wildcard,
1250 * include NSEC record.
1251 */
1252 nsec_domain = find_covering_nsec(closest_match, q->zone, &nsec_rrset);
1253 if (nsec_domain) {
1254 add_rrset(q, answer, AUTHORITY_SECTION, nsec_domain, nsec_rrset);
1255 }
1256 }
1257 if (!match) {
1258 domain_type *nsec_domain;
1259 rrset_type *nsec_rrset;
1260
1261 /*
1262 * No match and no wildcard. Include NSEC
1263 * proving there is no wildcard.
1264 */
1265 if(closest_encloser && (nsec_domain =
1266 find_covering_nsec(closest_encloser->
1267 wildcard_child_closest_match, q->zone,
1268 &nsec_rrset)) != NULL) {
1269 add_rrset(q, answer, AUTHORITY_SECTION, nsec_domain, nsec_rrset);
1270 }
1271 }
1272 }
1273
1274 #ifdef NSEC3
1275 if (RCODE(q->packet)!=RCODE_OK) {
1276 return; /* nsec3 collision failure */
1277 }
1278 #endif
1279 if (match) {
1280 answer_domain(nsd, q, answer, match, original);
1281 } else {
1282 answer_nxdomain(q, answer);
1283 }
1284 }
1285
1286 /*
1287 * qname may be different after CNAMEs have been followed from query->qname.
1288 */
1289 static void
answer_lookup_zone(struct nsd * nsd,struct query * q,answer_type * answer,size_t domain_number,int exact,domain_type * closest_match,domain_type * closest_encloser,const dname_type * qname)1290 answer_lookup_zone(struct nsd *nsd, struct query *q, answer_type *answer,
1291 size_t domain_number, int exact, domain_type *closest_match,
1292 domain_type *closest_encloser, const dname_type *qname)
1293 {
1294 zone_type* origzone = q->zone;
1295 q->zone = domain_find_zone(nsd->db, closest_encloser);
1296 if (!q->zone) {
1297 /* no zone for this */
1298 if(q->cname_count == 0) {
1299 RCODE_SET(q->packet, RCODE_REFUSE);
1300 /* RFC 8914 - Extended DNS Errors
1301 * 4.21. Extended DNS Error Code 20 - Not Authoritative */
1302 q->edns.ede = EDE_NOT_AUTHORITATIVE;
1303 }
1304 return;
1305 }
1306 assert(closest_encloser); /* otherwise, no q->zone would be found */
1307 if(q->zone->opts && q->zone->opts->pattern
1308 && q->zone->opts->pattern->allow_query) {
1309 struct acl_options *why = NULL;
1310
1311 /* check if it passes acl */
1312 if(acl_check_incoming(
1313 q->zone->opts->pattern->allow_query, q, &why) != -1) {
1314 assert(why);
1315 DEBUG(DEBUG_QUERY,1, (LOG_INFO, "query %s passed acl %s %s",
1316 dname_to_string(q->qname, NULL),
1317 why->ip_address_spec,
1318 why->nokey?"NOKEY":
1319 (why->blocked?"BLOCKED":why->key_name)));
1320 } else {
1321 if (verbosity >= 2) {
1322 char address[128];
1323 addr2str(&q->addr, address, sizeof(address));
1324 VERBOSITY(2, (LOG_INFO, "query %s from %s refused, %s %s",
1325 dname_to_string(q->qname, NULL),
1326 address,
1327 why ? ( why->nokey ? "NOKEY"
1328 : why->blocked ? "BLOCKED"
1329 : why->key_name )
1330 : "no acl matches",
1331 why?why->ip_address_spec:"."));
1332 }
1333 /* no zone for this */
1334 if(q->cname_count == 0) {
1335 RCODE_SET(q->packet, RCODE_REFUSE);
1336 /* RFC8914 - Extended DNS Errors
1337 * 4.19. Extended DNS Error Code 18 - Prohibited */
1338 q->edns.ede = EDE_PROHIBITED;
1339 }
1340 return;
1341 }
1342 }
1343 if(!q->zone->apex || !q->zone->soa_rrset) {
1344 /* zone is configured but not loaded */
1345 if(q->cname_count == 0) {
1346 RCODE_SET(q->packet, RCODE_SERVFAIL);
1347 /* RFC 8914 - Extended DNS Errors
1348 * 4.15. Extended DNS Error Code 14 - Not Ready */
1349 q->edns.ede = EDE_NOT_READY;
1350 ASSIGN_EDE_CODE_AND_STRING_LITERAL(q->edns.ede,
1351 EDE_NOT_READY, "Zone is configured but not loaded");
1352 }
1353 return;
1354 }
1355
1356 /*
1357 * If confine-to-zone is set to yes do not return additional
1358 * information for a zone with a different apex from the query zone.
1359 */
1360 if (nsd->options->confine_to_zone &&
1361 (origzone != NULL && dname_compare(domain_dname(origzone->apex), domain_dname(q->zone->apex)) != 0)) {
1362 return;
1363 }
1364
1365 /* now move up the closest encloser until it exists, previous
1366 * (possibly empty) closest encloser was useful to finding the zone
1367 * (for empty zones too), but now we want actual data nodes */
1368 if (closest_encloser && !closest_encloser->is_existing) {
1369 exact = 0;
1370 while (closest_encloser != NULL && !closest_encloser->is_existing)
1371 closest_encloser = closest_encloser->parent;
1372 }
1373
1374 /*
1375 * See RFC 4035 (DNSSEC protocol) section 3.1.4.1 Responding
1376 * to Queries for DS RRs.
1377 */
1378 if (exact && q->qtype == TYPE_DS && closest_encloser == q->zone->apex) {
1379 /*
1380 * Type DS query at a zone cut, use the responsible
1381 * parent zone to generate the answer if we are
1382 * authoritative for the parent zone.
1383 */
1384 zone_type *zone = domain_find_parent_zone(nsd->db, q->zone);
1385 if (zone) {
1386 q->zone = zone;
1387 if(!q->zone->apex || !q->zone->soa_rrset) {
1388 /* zone is configured but not loaded */
1389 if(q->cname_count == 0) {
1390 RCODE_SET(q->packet, RCODE_SERVFAIL);
1391 /* RFC 8914 - Extended DNS Errors
1392 * 4.15. Extended DNS Error Code 14 - Not Ready */
1393 ASSIGN_EDE_CODE_AND_STRING_LITERAL(
1394 q->edns.ede, EDE_NOT_READY,
1395 "Zone is configured but not loaded");
1396 }
1397 return;
1398 }
1399 }
1400 }
1401
1402 /* see if the zone has expired (for secondary zones) */
1403 if(q->zone && q->zone->opts && q->zone->opts->pattern &&
1404 q->zone->opts->pattern->request_xfr != 0 && !q->zone->is_ok) {
1405 if(q->cname_count == 0) {
1406 RCODE_SET(q->packet, RCODE_SERVFAIL);
1407 /* RFC 8914 - Extended DNS Errors
1408 * 4.25. Extended DNS Error Code 24 - Invalid Data */
1409 ASSIGN_EDE_CODE_AND_STRING_LITERAL(q->edns.ede,
1410 EDE_INVALID_DATA, "Zone has expired");
1411 }
1412 return;
1413 }
1414
1415 if (exact && q->qtype == TYPE_DS && closest_encloser == q->zone->apex) {
1416 /*
1417 * Type DS query at the zone apex (and the server is
1418 * not authoritative for the parent zone).
1419 */
1420 if (q->qclass == CLASS_ANY) {
1421 AA_CLR(q->packet);
1422 } else {
1423 AA_SET(q->packet);
1424 }
1425 answer_nodata(q, answer, closest_encloser);
1426 } else {
1427 q->delegation_domain = domain_find_ns_rrsets(
1428 closest_encloser, q->zone, &q->delegation_rrset);
1429 if(q->delegation_domain && find_dname_above(q->delegation_domain, q->zone)) {
1430 q->delegation_domain = NULL; /* use higher DNAME */
1431 }
1432
1433 if (!q->delegation_domain
1434 || !q->delegation_rrset
1435 || (exact && q->qtype == TYPE_DS && closest_encloser == q->delegation_domain))
1436 {
1437 if (q->qclass == CLASS_ANY) {
1438 AA_CLR(q->packet);
1439 } else {
1440 AA_SET(q->packet);
1441 }
1442 answer_authoritative(nsd, q, answer, domain_number, exact,
1443 closest_match, closest_encloser, qname);
1444 }
1445 else {
1446 answer_delegation(q, answer);
1447 }
1448 }
1449 }
1450
1451 static void
answer_query(struct nsd * nsd,struct query * q)1452 answer_query(struct nsd *nsd, struct query *q)
1453 {
1454 domain_type *closest_match;
1455 domain_type *closest_encloser;
1456 int exact;
1457 uint16_t offset;
1458 answer_type answer;
1459
1460 answer_init(&answer);
1461
1462 exact = namedb_lookup(nsd->db, q->qname, &closest_match, &closest_encloser);
1463
1464 answer_lookup_zone(nsd, q, &answer, 0, exact, closest_match,
1465 closest_encloser, q->qname);
1466 ZTATUP2(nsd, q->zone, opcode, q->opcode);
1467 ZTATUP2(nsd, q->zone, qtype, q->qtype);
1468 ZTATUP2(nsd, q->zone, qclass, q->qclass);
1469
1470 offset = dname_label_offsets(q->qname)[domain_dname(closest_encloser)->label_count - 1] + QHEADERSZ;
1471 query_add_compression_domain(q, closest_encloser, offset);
1472 encode_answer(q, &answer);
1473 query_clear_compression_tables(q);
1474 }
1475
1476 void
query_prepare_response(query_type * q)1477 query_prepare_response(query_type *q)
1478 {
1479 uint16_t flags;
1480
1481 /*
1482 * Preserve the data up-to the current packet's limit.
1483 */
1484 buffer_set_position(q->packet, buffer_limit(q->packet));
1485 buffer_set_limit(q->packet, buffer_capacity(q->packet));
1486
1487 /*
1488 * Reserve space for the EDNS records if required.
1489 */
1490 q->reserved_space = edns_reserved_space(&q->edns);
1491 q->reserved_space += tsig_reserved_space(&q->tsig);
1492
1493 /* Update the flags. */
1494 flags = FLAGS(q->packet);
1495 flags &= 0x0100U; /* Preserve the RD flag. */
1496 /* CD flag must be cleared for auth answers */
1497 flags |= 0x8000U; /* Set the QR flag. */
1498 FLAGS_SET(q->packet, flags);
1499 }
1500
1501 /*
1502 * Processes the query.
1503 *
1504 */
1505 query_state_type
query_process(query_type * q,nsd_type * nsd,uint32_t * now_p)1506 query_process(query_type *q, nsd_type *nsd, uint32_t *now_p)
1507 {
1508 /* The query... */
1509 nsd_rc_type rc;
1510 query_state_type query_state;
1511 uint16_t arcount;
1512
1513 /* Sanity checks */
1514 if (buffer_limit(q->packet) < QHEADERSZ) {
1515 /* packet too small to contain DNS header.
1516 Now packet investigation macros will work without problems. */
1517 return QUERY_DISCARDED;
1518 }
1519 if (QR(q->packet)) {
1520 /* Not a query? Drop it on the floor. */
1521 return QUERY_DISCARDED;
1522 }
1523
1524 /* check opcode early on, because new opcodes may have different
1525 * specification of the meaning of the rest of the packet */
1526 q->opcode = OPCODE(q->packet);
1527 if(q->opcode != OPCODE_QUERY && q->opcode != OPCODE_NOTIFY) {
1528 if(query_ratelimit_err(nsd))
1529 return QUERY_DISCARDED;
1530 if(nsd->options->drop_updates && q->opcode == OPCODE_UPDATE)
1531 return QUERY_DISCARDED;
1532 return query_error(q, NSD_RC_IMPL);
1533 }
1534
1535 if (RCODE(q->packet) != RCODE_OK || !process_query_section(q)) {
1536 return query_formerr(q, nsd);
1537 }
1538
1539 /* Update statistics. */
1540 STATUP2(nsd, opcode, q->opcode);
1541 STATUP2(nsd, qtype, q->qtype);
1542 STATUP2(nsd, qclass, q->qclass);
1543
1544 if (q->opcode != OPCODE_QUERY) {
1545 if (q->opcode == OPCODE_NOTIFY) {
1546 return answer_notify(nsd, q);
1547 } else {
1548 if(query_ratelimit_err(nsd))
1549 return QUERY_DISCARDED;
1550 return query_error(q, NSD_RC_IMPL);
1551 }
1552 }
1553
1554 /* Dont bother to answer more than one question at once... */
1555 if (QDCOUNT(q->packet) != 1) {
1556 if(QDCOUNT(q->packet) == 0 && ANCOUNT(q->packet) == 0 &&
1557 NSCOUNT(q->packet) == 0 && ARCOUNT(q->packet) == 1 &&
1558 buffer_limit(q->packet) >= QHEADERSZ+OPT_LEN+
1559 OPT_RDATA) {
1560 /* add edns section to answer */
1561 buffer_set_position(q->packet, QHEADERSZ);
1562 if (edns_parse_record(&q->edns, q->packet, q, nsd)) {
1563 if(process_edns(nsd, q) == NSD_RC_OK) {
1564 int opcode = OPCODE(q->packet);
1565 (void)query_error(q, NSD_RC_FORMAT);
1566 query_add_optional(q, nsd, now_p);
1567 FLAGS_SET(q->packet, FLAGS(q->packet) & 0x0100U);
1568 /* Preserve the RD flag. Clear the rest. */
1569 OPCODE_SET(q->packet, opcode);
1570 QR_SET(q->packet);
1571 return QUERY_PROCESSED;
1572 }
1573 }
1574 }
1575 FLAGS_SET(q->packet, 0);
1576 return query_formerr(q, nsd);
1577 }
1578 /* Ignore settings of flags */
1579
1580 /* Dont allow any records in the answer or authority section...
1581 except for IXFR queries. */
1582 if (ANCOUNT(q->packet) != 0 ||
1583 (q->qtype!=TYPE_IXFR && NSCOUNT(q->packet) != 0)) {
1584 return query_formerr(q, nsd);
1585 }
1586 if(q->qtype==TYPE_IXFR && NSCOUNT(q->packet) > 0) {
1587 unsigned int i; /* skip ixfr soa information data here */
1588 unsigned int nscount = (unsigned)NSCOUNT(q->packet);
1589 /* define a bound on the number of extraneous records allowed,
1590 * we expect 1, a SOA serial record, and no more.
1591 * perhaps RRSIGs (but not needed), otherwise we do not
1592 * understand what this means. We do not want too many
1593 * because the high iteration counts slow down. */
1594 if(nscount > 64) return query_formerr(q, nsd);
1595 for(i=0; i< nscount; i++)
1596 if(!packet_skip_rr(q->packet, 0))
1597 return query_formerr(q, nsd);
1598 }
1599
1600 arcount = ARCOUNT(q->packet);
1601 /* A TSIG RR is not allowed before the EDNS OPT RR.
1602 * In RFC6891 (about EDNS) it says:
1603 * "The placement flexibility for the OPT RR does not
1604 * override the need for the TSIG or SIG(0) RRs to be
1605 * the last in the additional section whenever they are
1606 * present."
1607 * And in RFC8945 (about TSIG) it says:
1608 * "If multiple TSIG records are detected or a TSIG record is
1609 * present in any other position, the DNS message is dropped
1610 * and a response with RCODE 1 (FORMERR) MUST be returned."
1611 */
1612 /* See if there is an OPT RR. */
1613 if (arcount > 0) {
1614 if (edns_parse_record(&q->edns, q->packet, q, nsd))
1615 --arcount;
1616 }
1617 /* See if there is a TSIG RR. */
1618 if (arcount > 0 && q->tsig.status == TSIG_NOT_PRESENT) {
1619 /* see if tsig is after the edns record */
1620 if (!tsig_parse_rr(&q->tsig, q->packet))
1621 return query_formerr(q, nsd);
1622 if(q->tsig.status != TSIG_NOT_PRESENT)
1623 --arcount;
1624 }
1625 /* If more RRs left in Add. Section, FORMERR. */
1626 if (arcount > 0) {
1627 return query_formerr(q, nsd);
1628 }
1629
1630 /* Do we have any trailing garbage? */
1631 #ifdef STRICT_MESSAGE_PARSE
1632 if (buffer_remaining(q->packet) > 0) {
1633 /* If we're strict.... */
1634 return query_formerr(q, nsd);
1635 }
1636 #endif
1637 /* Remove trailing garbage. */
1638 buffer_set_limit(q->packet, buffer_position(q->packet));
1639
1640 rc = process_tsig(q);
1641 if (rc != NSD_RC_OK) {
1642 return query_error(q, rc);
1643 }
1644 rc = process_edns(nsd, q);
1645 if (rc != NSD_RC_OK) {
1646 /* We should not return FORMERR, but BADVERS (=16).
1647 * BADVERS is created with Ext. RCODE, followed by RCODE.
1648 * Ext. RCODE is set to 1, RCODE must be 0 (getting 0x10 = 16).
1649 * Thus RCODE = NOERROR = NSD_RC_OK. */
1650 RCODE_SET(q->packet, NSD_RC_OK);
1651 buffer_clear(q->packet);
1652 buffer_set_position(q->packet,
1653 QHEADERSZ + 4 + q->qname->name_size);
1654 QR_SET(q->packet);
1655 AD_CLR(q->packet);
1656 QDCOUNT_SET(q->packet, 1);
1657 ANCOUNT_SET(q->packet, 0);
1658 NSCOUNT_SET(q->packet, 0);
1659 ARCOUNT_SET(q->packet, 0);
1660 return QUERY_PROCESSED;
1661 }
1662
1663 if (q->edns.cookie_status == COOKIE_UNVERIFIED)
1664 cookie_verify(q, nsd, now_p);
1665
1666 query_prepare_response(q);
1667
1668 if (q->qclass != CLASS_IN && q->qclass != CLASS_ANY) {
1669 if (q->qclass == CLASS_CH) {
1670 return answer_chaos(nsd, q);
1671 } else {
1672 /* RFC8914 - Extended DNS Errors
1673 * 4.22. Extended DNS Error Code 21 - Not Supported */
1674 q->edns.ede = EDE_NOT_SUPPORTED;
1675 return query_error(q, RCODE_REFUSE);
1676 }
1677 }
1678 query_state = answer_axfr_ixfr(nsd, q);
1679 if (query_state == QUERY_PROCESSED || query_state == QUERY_IN_AXFR
1680 || query_state == QUERY_IN_IXFR) {
1681 return query_state;
1682 }
1683 if(q->qtype == TYPE_ANY && nsd->options->refuse_any && !q->tcp) {
1684 TC_SET(q->packet);
1685 return query_error(q, NSD_RC_OK);
1686 }
1687
1688 answer_query(nsd, q);
1689
1690 return QUERY_PROCESSED;
1691 }
1692
1693 void
query_add_optional(query_type * q,nsd_type * nsd,uint32_t * now_p)1694 query_add_optional(query_type *q, nsd_type *nsd, uint32_t *now_p)
1695 {
1696 struct edns_data *edns = &nsd->edns_ipv4;
1697 #if defined(INET6)
1698 if (q->addr.ss_family == AF_INET6) {
1699 edns = &nsd->edns_ipv6;
1700 }
1701 #endif
1702 if (RCODE(q->packet) == RCODE_FORMAT) {
1703 return;
1704 }
1705 switch (q->edns.status) {
1706 case EDNS_NOT_PRESENT:
1707 break;
1708 case EDNS_OK:
1709 if (q->edns.dnssec_ok) edns->ok[7] = 0x80;
1710 else edns->ok[7] = 0x00;
1711 buffer_write(q->packet, edns->ok, OPT_LEN);
1712
1713 /* Add Extended DNS Error (RFC8914)
1714 * to verify that we stay in bounds */
1715 if (q->edns.ede >= 0)
1716 q->edns.opt_reserved_space +=
1717 6 + ( q->edns.ede_text_len
1718 ? q->edns.ede_text_len : 0);
1719
1720 if(q->edns.opt_reserved_space == 0 || !buffer_available(
1721 q->packet, 2+q->edns.opt_reserved_space)) {
1722 /* fill with NULLs */
1723 buffer_write(q->packet, edns->rdata_none, OPT_RDATA);
1724 } else {
1725 /* rdata length */
1726 buffer_write_u16(q->packet, q->edns.opt_reserved_space);
1727 /* edns options */
1728 if(q->edns.nsid) {
1729 /* nsid opt header */
1730 buffer_write(q->packet, edns->nsid, OPT_HDR);
1731 /* nsid payload */
1732 buffer_write(q->packet, nsd->nsid, nsd->nsid_len);
1733 }
1734 if(q->edns.cookie_status != COOKIE_NOT_PRESENT) {
1735 /* cookie opt header */
1736 buffer_write(q->packet, edns->cookie, OPT_HDR);
1737 /* cookie payload */
1738 cookie_create(q, nsd, now_p);
1739 buffer_write(q->packet, q->edns.cookie, 24);
1740 }
1741 /* Append Extended DNS Error (RFC8914) option if needed */
1742 if (q->edns.ede >= 0) { /* < 0 means no EDE */
1743 /* OPTION-CODE */
1744 buffer_write_u16(q->packet, EDE_CODE);
1745 /* OPTION-LENGTH */
1746 buffer_write_u16(q->packet,
1747 2 + ( q->edns.ede_text_len
1748 ? q->edns.ede_text_len : 0));
1749 /* INFO-CODE */
1750 buffer_write_u16(q->packet, q->edns.ede);
1751 /* EXTRA-TEXT */
1752 if (q->edns.ede_text_len)
1753 buffer_write(q->packet,
1754 q->edns.ede_text,
1755 q->edns.ede_text_len);
1756 }
1757 }
1758 ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
1759 STATUP(nsd, edns);
1760 ZTATUP(nsd, q->zone, edns);
1761 break;
1762 case EDNS_ERROR:
1763 if (q->edns.dnssec_ok) edns->error[7] = 0x80;
1764 else edns->error[7] = 0x00;
1765 buffer_write(q->packet, edns->error, OPT_LEN);
1766 buffer_write(q->packet, edns->rdata_none, OPT_RDATA);
1767 ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
1768 STATUP(nsd, ednserr);
1769 ZTATUP(nsd, q->zone, ednserr);
1770 break;
1771 }
1772
1773 if (q->tsig.status != TSIG_NOT_PRESENT) {
1774 if (q->tsig.status == TSIG_ERROR ||
1775 q->tsig.error_code != TSIG_ERROR_NOERROR) {
1776 tsig_error_reply(&q->tsig);
1777 tsig_append_rr(&q->tsig, q->packet);
1778 ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
1779 } else if(q->tsig.status == TSIG_OK &&
1780 q->tsig.error_code == TSIG_ERROR_NOERROR)
1781 {
1782 if(q->tsig_prepare_it)
1783 tsig_prepare(&q->tsig);
1784 if(q->tsig_update_it)
1785 tsig_update(&q->tsig, q->packet, buffer_position(q->packet));
1786 if(q->tsig_sign_it) {
1787 tsig_sign(&q->tsig);
1788 tsig_append_rr(&q->tsig, q->packet);
1789 ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
1790 }
1791 }
1792 }
1793 }
1794