1 /* $OpenBSD: resolver.c,v 1.143 2021/02/07 13:35:41 florian Exp $ */ 2 3 /* 4 * Copyright (c) 2018 Florian Obser <florian@openbsd.org> 5 * Copyright (c) 2004, 2005 Claudio Jeker <claudio@openbsd.org> 6 * Copyright (c) 2004 Esben Norby <norby@openbsd.org> 7 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 8 * 9 * Permission to use, copy, modify, and distribute this software for any 10 * purpose with or without fee is hereby granted, provided that the above 11 * copyright notice and this permission notice appear in all copies. 12 * 13 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 14 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 15 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 16 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 17 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 18 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 19 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 20 */ 21 22 #include <sys/types.h> 23 #include <sys/queue.h> 24 #include <sys/socket.h> 25 #include <sys/syslog.h> 26 #include <sys/time.h> 27 28 #include <net/route.h> 29 30 #include <errno.h> 31 #include <event.h> 32 #include <imsg.h> 33 #include <limits.h> 34 #include <netdb.h> 35 #include <asr.h> 36 #include <pwd.h> 37 #include <signal.h> 38 #include <stdio.h> 39 #include <stdlib.h> 40 #include <string.h> 41 #include <time.h> 42 #include <tls.h> 43 #include <unistd.h> 44 45 #include "libunbound/config.h" 46 #include "libunbound/libunbound/context.h" 47 #include "libunbound/libunbound/libworker.h" 48 #include "libunbound/libunbound/unbound.h" 49 #include "libunbound/libunbound/unbound-event.h" 50 #include "libunbound/services/cache/rrset.h" 51 #include "libunbound/sldns/sbuffer.h" 52 #include "libunbound/sldns/rrdef.h" 53 #include "libunbound/sldns/pkthdr.h" 54 #include "libunbound/sldns/wire2str.h" 55 #include "libunbound/util/config_file.h" 56 #include "libunbound/util/module.h" 57 #include "libunbound/util/regional.h" 58 #include "libunbound/util/storage/slabhash.h" 59 #include "libunbound/validator/validator.h" 60 #include "libunbound/validator/val_kcache.h" 61 #include "libunbound/validator/val_neg.h" 62 63 #include <openssl/crypto.h> 64 65 #include "log.h" 66 #include "frontend.h" 67 #include "unwind.h" 68 #include "resolver.h" 69 70 #define TLS_DEFAULT_CA_CERT_FILE "/etc/ssl/cert.pem" 71 #define UB_LOG_VERBOSE 4 72 #define UB_LOG_BRIEF 0 73 74 /* maximum size of a libunbound forwarder definition: IP@PORT#AUTHNAME */ 75 #define FWD_MAX (INET6_ADDRSTRLEN + NI_MAXHOST + 2 + 5) 76 77 /* 78 * The prefered resolver type can be this many ms slower than the next 79 * best and still be picked 80 */ 81 #define PREF_RESOLVER_MEDIAN_SKEW 200 /* 200 ms */ 82 #define NEXT_RES_MAX 2000 /* 2000 ms */ 83 84 #define DOUBT_NXDOMAIN_SEC (5 * 60) /* 5 minutes */ 85 86 #define RESOLVER_CHECK_SEC 1 87 #define RESOLVER_CHECK_MAXSEC 1024 /* ~17 minutes */ 88 #define DECAY_PERIOD 60 89 #define DECAY_NOMINATOR 9 90 #define DECAY_DENOMINATOR 10 91 92 #define TRUST_ANCHOR_RETRY_INTERVAL 8640 93 #define TRUST_ANCHOR_QUERY_INTERVAL 43200 94 95 /* in libworker_event_done_cb() enum sec_status gets mapped to 0, 1 and 2 */ 96 #define INSECURE 0 97 #define BOGUS 1 98 #define SECURE 2 99 100 #define WKA1_FOUND 1 101 #define WKA2_FOUND 2 102 103 struct uw_resolver { 104 struct event check_ev; 105 struct event free_ev; 106 struct ub_ctx *ctx; 107 void *asr_ctx; 108 struct timeval check_tv; 109 int ref_cnt; 110 int stop; 111 enum uw_resolver_state state; 112 enum uw_resolver_type type; 113 int check_running; 114 int64_t median; 115 int64_t histogram[nitems(histogram_limits)]; 116 int64_t latest_histogram[nitems(histogram_limits)]; 117 }; 118 119 struct running_query { 120 TAILQ_ENTRY(running_query) entry; 121 struct query_imsg *query_imsg; 122 struct event timer_ev; 123 struct timespec tp; 124 struct resolver_preference res_pref; 125 int next_resolver; 126 int running; 127 }; 128 129 TAILQ_HEAD(, running_query) running_queries; 130 131 typedef void (*resolve_cb_t)(struct uw_resolver *, void *, int, void *, int, 132 int, char *); 133 134 struct resolver_cb_data { 135 resolve_cb_t cb; 136 void *data; 137 struct uw_resolver *res; 138 }; 139 140 __dead void resolver_shutdown(void); 141 void resolver_sig_handler(int sig, short, void *); 142 void resolver_dispatch_frontend(int, short, void *); 143 void resolver_dispatch_main(int, short, void *); 144 int sort_resolver_types(struct resolver_preference *); 145 void setup_query(struct query_imsg *); 146 struct running_query *find_running_query(uint64_t); 147 void try_resolver_timo(int, short, void *); 148 int try_next_resolver(struct running_query *); 149 150 int resolve(struct uw_resolver *, const char*, int, int, 151 void*, resolve_cb_t); 152 void resolve_done(struct uw_resolver *, void *, int, void *, 153 int, int, char *); 154 void ub_resolve_done(void *, int, void *, int, int, char *, 155 int); 156 void asr_resolve_done(struct asr_result *, void *); 157 void new_resolver(enum uw_resolver_type, 158 enum uw_resolver_state); 159 struct uw_resolver *create_resolver(enum uw_resolver_type); 160 void setup_unified_caches(void); 161 void set_unified_cache(struct uw_resolver *); 162 void free_resolver(struct uw_resolver *); 163 void set_forwarders(struct uw_resolver *, 164 struct uw_forwarder_head *, int); 165 void resolver_check_timo(int, short, void *); 166 void resolver_free_timo(int, short, void *); 167 void check_resolver(struct uw_resolver *); 168 void check_resolver_done(struct uw_resolver *, void *, int, 169 void *, int, int, char *); 170 void schedule_recheck_all_resolvers(void); 171 int check_forwarders_changed(struct uw_forwarder_head *, 172 struct uw_forwarder_head *); 173 void replace_forwarders(struct uw_forwarder_head *, 174 struct uw_forwarder_head *); 175 void resolver_ref(struct uw_resolver *); 176 void resolver_unref(struct uw_resolver *); 177 int resolver_cmp(const void *, const void *); 178 void restart_ub_resolvers(int); 179 void show_status(pid_t); 180 void show_autoconf(pid_t); 181 void show_mem(pid_t); 182 void send_resolver_info(struct uw_resolver *, pid_t); 183 void send_detailed_resolver_info(struct uw_resolver *, 184 pid_t); 185 void trust_anchor_resolve(void); 186 void trust_anchor_timo(int, short, void *); 187 void trust_anchor_resolve_done(struct uw_resolver *, void *, 188 int, void *, int, int, char *); 189 void replace_autoconf_forwarders(struct 190 imsg_rdns_proposal *); 191 int force_tree_cmp(struct force_tree_entry *, 192 struct force_tree_entry *); 193 int find_force(struct force_tree *, char *, 194 struct uw_resolver **); 195 int64_t histogram_median(int64_t *); 196 void decay_latest_histograms(int, short, void *); 197 int running_query_cnt(void); 198 int *resolvers_to_restart(struct uw_conf *, 199 struct uw_conf *); 200 const char *query_imsg2str(struct query_imsg *); 201 char *gen_resolv_conf(void); 202 void check_dns64(void); 203 void check_dns64_done(struct asr_result *, void *); 204 int dns64_prefixlen(const struct in6_addr *, 205 const uint8_t *); 206 void add_dns64_prefix(const struct in6_addr *, int, 207 struct dns64_prefix *, int, int); 208 209 struct uw_conf *resolver_conf; 210 static struct imsgev *iev_frontend; 211 static struct imsgev *iev_main; 212 struct uw_forwarder_head autoconf_forwarder_list; 213 struct uw_resolver *resolvers[UW_RES_NONE]; 214 int enabled_resolvers[UW_RES_NONE]; 215 struct timespec last_network_change; 216 217 struct event trust_anchor_timer; 218 struct event decay_timer; 219 220 static struct trust_anchor_head trust_anchors, new_trust_anchors; 221 222 struct event_base *ev_base; 223 224 RB_GENERATE(force_tree, force_tree_entry, entry, force_tree_cmp) 225 226 int val_id = -1; 227 struct slabhash *unified_msg_cache; 228 struct rrset_cache *unified_rrset_cache; 229 struct key_cache *unified_key_cache; 230 struct val_neg_cache *unified_neg_cache; 231 232 int dns64_present; 233 int available_afs = HAVE_IPV4 | HAVE_IPV6; 234 235 static const char * const as112_zones[] = { 236 /* RFC1918 */ 237 "10.in-addr.arpa. transparent", 238 "16.172.in-addr.arpa. transparent", 239 "31.172.in-addr.arpa. transparent", 240 "168.192.in-addr.arpa. transparent", 241 242 /* RFC3330 */ 243 "0.in-addr.arpa. transparent", 244 "254.169.in-addr.arpa. transparent", 245 "2.0.192.in-addr.arpa. transparent", 246 "100.51.198.in-addr.arpa. transparent", 247 "113.0.203.in-addr.arpa. transparent", 248 "255.255.255.255.in-addr.arpa. transparent", 249 250 /* RFC6598 */ 251 "64.100.in-addr.arpa. transparent", 252 "65.100.in-addr.arpa. transparent", 253 "66.100.in-addr.arpa. transparent", 254 "67.100.in-addr.arpa. transparent", 255 "68.100.in-addr.arpa. transparent", 256 "69.100.in-addr.arpa. transparent", 257 "70.100.in-addr.arpa. transparent", 258 "71.100.in-addr.arpa. transparent", 259 "72.100.in-addr.arpa. transparent", 260 "73.100.in-addr.arpa. transparent", 261 "74.100.in-addr.arpa. transparent", 262 "75.100.in-addr.arpa. transparent", 263 "76.100.in-addr.arpa. transparent", 264 "77.100.in-addr.arpa. transparent", 265 "78.100.in-addr.arpa. transparent", 266 "79.100.in-addr.arpa. transparent", 267 "80.100.in-addr.arpa. transparent", 268 "81.100.in-addr.arpa. transparent", 269 "82.100.in-addr.arpa. transparent", 270 "83.100.in-addr.arpa. transparent", 271 "84.100.in-addr.arpa. transparent", 272 "85.100.in-addr.arpa. transparent", 273 "86.100.in-addr.arpa. transparent", 274 "87.100.in-addr.arpa. transparent", 275 "88.100.in-addr.arpa. transparent", 276 "89.100.in-addr.arpa. transparent", 277 "90.100.in-addr.arpa. transparent", 278 "91.100.in-addr.arpa. transparent", 279 "92.100.in-addr.arpa. transparent", 280 "93.100.in-addr.arpa. transparent", 281 "94.100.in-addr.arpa. transparent", 282 "95.100.in-addr.arpa. transparent", 283 "96.100.in-addr.arpa. transparent", 284 "97.100.in-addr.arpa. transparent", 285 "98.100.in-addr.arpa. transparent", 286 "99.100.in-addr.arpa. transparent", 287 "100.100.in-addr.arpa. transparent", 288 "101.100.in-addr.arpa. transparent", 289 "102.100.in-addr.arpa. transparent", 290 "103.100.in-addr.arpa. transparent", 291 "104.100.in-addr.arpa. transparent", 292 "105.100.in-addr.arpa. transparent", 293 "106.100.in-addr.arpa. transparent", 294 "107.100.in-addr.arpa. transparent", 295 "108.100.in-addr.arpa. transparent", 296 "109.100.in-addr.arpa. transparent", 297 "110.100.in-addr.arpa. transparent", 298 "111.100.in-addr.arpa. transparent", 299 "112.100.in-addr.arpa. transparent", 300 "113.100.in-addr.arpa. transparent", 301 "114.100.in-addr.arpa. transparent", 302 "115.100.in-addr.arpa. transparent", 303 "116.100.in-addr.arpa. transparent", 304 "117.100.in-addr.arpa. transparent", 305 "118.100.in-addr.arpa. transparent", 306 "119.100.in-addr.arpa. transparent", 307 "120.100.in-addr.arpa. transparent", 308 "121.100.in-addr.arpa. transparent", 309 "122.100.in-addr.arpa. transparent", 310 "123.100.in-addr.arpa. transparent", 311 "124.100.in-addr.arpa. transparent", 312 "125.100.in-addr.arpa. transparent", 313 "126.100.in-addr.arpa. transparent", 314 "127.100.in-addr.arpa. transparent", 315 316 /* RFC4291 */ 317 "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0." 318 "ip6.arpa. transparent", 319 320 /* RFC4193 */ 321 "D.F.ip6.arpa. transparent", 322 323 /* RFC4291 */ 324 "8.E.F.ip6.arpa. transparent", 325 "9.E.F.ip6.arpa. transparent", 326 "A.E.F.ip6.arpa. transparent", 327 "B.E.F.ip6.arpa. transparent", 328 329 /* RFC3849 */ 330 "8.B.D.0.1.0.0.2.ip6.arpa. transparent" 331 }; 332 333 const char bogus_past[] = "validation failure <. NS IN>: signature " 334 "expired"; 335 const char bogus_future[] = "validation failure <. NS IN>: signature " 336 "before inception date"; 337 338 void 339 resolver_sig_handler(int sig, short event, void *arg) 340 { 341 /* 342 * Normal signal handler rules don't apply because libevent 343 * decouples for us. 344 */ 345 346 switch (sig) { 347 case SIGINT: 348 case SIGTERM: 349 resolver_shutdown(); 350 default: 351 fatalx("unexpected signal"); 352 } 353 } 354 355 void 356 resolver(int debug, int verbose) 357 { 358 struct event ev_sigint, ev_sigterm; 359 struct passwd *pw; 360 struct timeval tv = {DECAY_PERIOD, 0}; 361 struct alloc_cache cache_alloc_test; 362 363 resolver_conf = config_new_empty(); 364 365 log_init(debug, LOG_DAEMON); 366 log_setverbose(verbose); 367 368 if ((pw = getpwnam(UNWIND_USER)) == NULL) 369 fatal("getpwnam"); 370 371 setproctitle("%s", "resolver"); 372 log_procinit("resolver"); 373 374 if (setgroups(1, &pw->pw_gid) || 375 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || 376 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) 377 fatal("can't drop privileges"); 378 379 if (unveil(TLS_DEFAULT_CA_CERT_FILE, "r") == -1) 380 fatal("unveil"); 381 382 if (pledge("stdio inet dns rpath recvfd", NULL) == -1) 383 fatal("pledge"); 384 385 ev_base = event_init(); 386 387 /* Setup signal handler(s). */ 388 signal_set(&ev_sigint, SIGINT, resolver_sig_handler, NULL); 389 signal_set(&ev_sigterm, SIGTERM, resolver_sig_handler, NULL); 390 signal_add(&ev_sigint, NULL); 391 signal_add(&ev_sigterm, NULL); 392 signal(SIGPIPE, SIG_IGN); 393 signal(SIGHUP, SIG_IGN); 394 395 /* Setup pipe and event handler to the main process. */ 396 if ((iev_main = malloc(sizeof(struct imsgev))) == NULL) 397 fatal(NULL); 398 399 imsg_init(&iev_main->ibuf, 3); 400 iev_main->handler = resolver_dispatch_main; 401 402 /* Setup event handlers. */ 403 iev_main->events = EV_READ; 404 event_set(&iev_main->ev, iev_main->ibuf.fd, iev_main->events, 405 iev_main->handler, iev_main); 406 event_add(&iev_main->ev, NULL); 407 408 evtimer_set(&trust_anchor_timer, trust_anchor_timo, NULL); 409 evtimer_set(&decay_timer, decay_latest_histograms, NULL); 410 evtimer_add(&decay_timer, &tv); 411 412 clock_gettime(CLOCK_MONOTONIC, &last_network_change); 413 414 alloc_init(&cache_alloc_test, NULL, 0); 415 if (cache_alloc_test.max_reg_blocks != 10) 416 fatalx("local libunbound/util/alloc.c diff lost"); 417 alloc_clear(&cache_alloc_test); 418 419 setup_unified_caches(); 420 421 TAILQ_INIT(&autoconf_forwarder_list); 422 TAILQ_INIT(&trust_anchors); 423 TAILQ_INIT(&new_trust_anchors); 424 TAILQ_INIT(&running_queries); 425 426 event_dispatch(); 427 428 resolver_shutdown(); 429 } 430 431 __dead void 432 resolver_shutdown(void) 433 { 434 /* Close pipes. */ 435 msgbuf_clear(&iev_frontend->ibuf.w); 436 close(iev_frontend->ibuf.fd); 437 msgbuf_clear(&iev_main->ibuf.w); 438 close(iev_main->ibuf.fd); 439 440 config_clear(resolver_conf); 441 442 free(iev_frontend); 443 free(iev_main); 444 445 log_info("resolver exiting"); 446 exit(0); 447 } 448 449 int 450 resolver_imsg_compose_main(int type, pid_t pid, void *data, uint16_t datalen) 451 { 452 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); 453 } 454 455 int 456 resolver_imsg_compose_frontend(int type, pid_t pid, void *data, 457 uint16_t datalen) 458 { 459 return (imsg_compose_event(iev_frontend, type, 0, pid, -1, 460 data, datalen)); 461 } 462 463 void 464 resolver_dispatch_frontend(int fd, short event, void *bula) 465 { 466 struct imsgev *iev = bula; 467 struct imsgbuf *ibuf; 468 struct imsg imsg; 469 struct query_imsg *query_imsg; 470 ssize_t n; 471 int shut = 0, verbose, i, new_available_afs; 472 char *ta; 473 474 ibuf = &iev->ibuf; 475 476 if (event & EV_READ) { 477 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 478 fatal("imsg_read error"); 479 if (n == 0) /* Connection closed. */ 480 shut = 1; 481 } 482 if (event & EV_WRITE) { 483 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 484 fatal("msgbuf_write"); 485 if (n == 0) /* Connection closed. */ 486 shut = 1; 487 } 488 489 for (;;) { 490 if ((n = imsg_get(ibuf, &imsg)) == -1) 491 fatal("%s: imsg_get error", __func__); 492 if (n == 0) /* No more messages. */ 493 break; 494 495 switch (imsg.hdr.type) { 496 case IMSG_CTL_LOG_VERBOSE: 497 if (IMSG_DATA_SIZE(imsg) != sizeof(verbose)) 498 fatalx("%s: IMSG_CTL_LOG_VERBOSE wrong length: " 499 "%lu", __func__, 500 IMSG_DATA_SIZE(imsg)); 501 memcpy(&verbose, imsg.data, sizeof(verbose)); 502 if (log_getdebug() && (log_getverbose() & OPT_VERBOSE3) 503 != (verbose & OPT_VERBOSE3)) 504 restart_ub_resolvers(0); 505 log_setverbose(verbose); 506 break; 507 case IMSG_QUERY: 508 if (IMSG_DATA_SIZE(imsg) != sizeof(*query_imsg)) 509 fatalx("%s: IMSG_QUERY wrong length: %lu", 510 __func__, IMSG_DATA_SIZE(imsg)); 511 if ((query_imsg = malloc(sizeof(*query_imsg))) == 512 NULL) { 513 log_warn("cannot allocate query"); 514 break; 515 } 516 memcpy(query_imsg, imsg.data, sizeof(*query_imsg)); 517 setup_query(query_imsg); 518 break; 519 case IMSG_CTL_STATUS: 520 if (IMSG_DATA_SIZE(imsg) != 0) 521 fatalx("%s: IMSG_CTL_STATUS wrong length: %lu", 522 __func__, IMSG_DATA_SIZE(imsg)); 523 show_status(imsg.hdr.pid); 524 break; 525 case IMSG_CTL_AUTOCONF: 526 if (IMSG_DATA_SIZE(imsg) != 0) 527 fatalx("%s: IMSG_CTL_AUTOCONF wrong length: " 528 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 529 show_autoconf(imsg.hdr.pid); 530 break; 531 case IMSG_CTL_MEM: 532 if (IMSG_DATA_SIZE(imsg) != 0) 533 fatalx("%s: IMSG_CTL_AUTOCONF wrong length: " 534 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 535 show_mem(imsg.hdr.pid); 536 break; 537 case IMSG_NEW_TA: 538 /* make sure this is a string */ 539 ((char *)imsg.data)[IMSG_DATA_SIZE(imsg) - 1] = '\0'; 540 ta = imsg.data; 541 add_new_ta(&new_trust_anchors, ta); 542 break; 543 case IMSG_NEW_TAS_ABORT: 544 free_tas(&new_trust_anchors); 545 break; 546 case IMSG_NEW_TAS_DONE: 547 if (merge_tas(&new_trust_anchors, &trust_anchors)) 548 restart_ub_resolvers(1); 549 break; 550 case IMSG_NETWORK_CHANGED: 551 clock_gettime(CLOCK_MONOTONIC, &last_network_change); 552 schedule_recheck_all_resolvers(); 553 for (i = 0; i < UW_RES_NONE; i++) { 554 if (resolvers[i] == NULL) 555 continue; 556 memset(resolvers[i]->latest_histogram, 0, 557 sizeof(resolvers[i]->latest_histogram)); 558 resolvers[i]->median = histogram_median( 559 resolvers[i]->latest_histogram); 560 } 561 562 break; 563 case IMSG_REPLACE_DNS: 564 if (IMSG_DATA_SIZE(imsg) != 565 sizeof(struct imsg_rdns_proposal)) 566 fatalx("%s: IMSG_ADD_DNS wrong length: %lu", 567 __func__, IMSG_DATA_SIZE(imsg)); 568 replace_autoconf_forwarders((struct 569 imsg_rdns_proposal *)imsg.data); 570 break; 571 case IMSG_CHANGE_AFS: 572 if (IMSG_DATA_SIZE(imsg) != 573 sizeof(new_available_afs)) 574 fatalx("%s: IMSG_CHANGE_AFS wrong length: %lu", 575 __func__, IMSG_DATA_SIZE(imsg)); 576 memcpy(&new_available_afs, imsg.data, 577 sizeof(new_available_afs)); 578 if (new_available_afs != available_afs) { 579 available_afs = new_available_afs; 580 restart_ub_resolvers(1); 581 } 582 break; 583 default: 584 log_debug("%s: unexpected imsg %d", __func__, 585 imsg.hdr.type); 586 break; 587 } 588 imsg_free(&imsg); 589 } 590 if (!shut) 591 imsg_event_add(iev); 592 else { 593 /* This pipe is dead. Remove its event handler. */ 594 event_del(&iev->ev); 595 event_loopexit(NULL); 596 } 597 } 598 599 void 600 resolver_dispatch_main(int fd, short event, void *bula) 601 { 602 static struct uw_conf *nconf; 603 struct imsg imsg; 604 struct imsgev *iev = bula; 605 struct imsgbuf *ibuf; 606 ssize_t n; 607 int shut = 0, i, *restart; 608 609 ibuf = &iev->ibuf; 610 611 if (event & EV_READ) { 612 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 613 fatal("imsg_read error"); 614 if (n == 0) /* Connection closed. */ 615 shut = 1; 616 } 617 if (event & EV_WRITE) { 618 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 619 fatal("msgbuf_write"); 620 if (n == 0) /* Connection closed. */ 621 shut = 1; 622 } 623 624 for (;;) { 625 if ((n = imsg_get(ibuf, &imsg)) == -1) 626 fatal("%s: imsg_get error", __func__); 627 if (n == 0) /* No more messages. */ 628 break; 629 630 switch (imsg.hdr.type) { 631 case IMSG_SOCKET_IPC_FRONTEND: 632 /* 633 * Setup pipe and event handler to the frontend 634 * process. 635 */ 636 if (iev_frontend) 637 fatalx("%s: received unexpected imsg fd " 638 "to resolver", __func__); 639 640 if ((fd = imsg.fd) == -1) 641 fatalx("%s: expected to receive imsg fd to " 642 "resolver but didn't receive any", __func__); 643 644 iev_frontend = malloc(sizeof(struct imsgev)); 645 if (iev_frontend == NULL) 646 fatal(NULL); 647 648 imsg_init(&iev_frontend->ibuf, fd); 649 iev_frontend->handler = resolver_dispatch_frontend; 650 iev_frontend->events = EV_READ; 651 652 event_set(&iev_frontend->ev, iev_frontend->ibuf.fd, 653 iev_frontend->events, iev_frontend->handler, 654 iev_frontend); 655 event_add(&iev_frontend->ev, NULL); 656 break; 657 658 case IMSG_STARTUP: 659 if (pledge("stdio inet dns rpath", NULL) == -1) 660 fatal("pledge"); 661 break; 662 case IMSG_RECONF_CONF: 663 case IMSG_RECONF_BLOCKLIST_FILE: 664 case IMSG_RECONF_FORWARDER: 665 case IMSG_RECONF_DOT_FORWARDER: 666 case IMSG_RECONF_FORCE: 667 imsg_receive_config(&imsg, &nconf); 668 break; 669 case IMSG_RECONF_END: 670 if (nconf == NULL) 671 fatalx("%s: IMSG_RECONF_END without " 672 "IMSG_RECONF_CONF", __func__); 673 restart = resolvers_to_restart(resolver_conf, nconf); 674 merge_config(resolver_conf, nconf); 675 memset(enabled_resolvers, 0, sizeof(enabled_resolvers)); 676 for (i = 0; i < resolver_conf->res_pref.len; i++) 677 enabled_resolvers[ 678 resolver_conf->res_pref.types[i]] = 1; 679 nconf = NULL; 680 for (i = 0; i < UW_RES_NONE; i++) 681 if (restart[i]) 682 new_resolver(i, UNKNOWN); 683 break; 684 default: 685 log_debug("%s: unexpected imsg %d", __func__, 686 imsg.hdr.type); 687 break; 688 } 689 imsg_free(&imsg); 690 } 691 if (!shut) 692 imsg_event_add(iev); 693 else { 694 /* This pipe is dead. Remove its event handler. */ 695 event_del(&iev->ev); 696 event_loopexit(NULL); 697 } 698 } 699 700 int 701 sort_resolver_types(struct resolver_preference *dst) 702 { 703 memcpy(dst, &resolver_conf->res_pref, sizeof(*dst)); 704 705 /* 706 * Sort by resolver quality, validating > resolving etc. 707 * mergesort is stable and keeps the configured preference order 708 */ 709 return mergesort(dst->types, dst->len, sizeof(dst->types[0]), 710 resolver_cmp); 711 } 712 713 void 714 setup_query(struct query_imsg *query_imsg) 715 { 716 struct running_query *rq; 717 struct uw_resolver *res; 718 719 if (find_running_query(query_imsg->id) != NULL) { 720 free(query_imsg); 721 return; 722 } 723 724 if ((rq = calloc(1, sizeof(*rq))) == NULL) { 725 log_warnx(NULL); 726 free(query_imsg); 727 return; 728 } 729 730 clock_gettime(CLOCK_MONOTONIC, &rq->tp); 731 rq->query_imsg = query_imsg; 732 rq->next_resolver = 0; 733 734 find_force(&resolver_conf->force, query_imsg->qname, &res); 735 736 if (res != NULL && res->state != DEAD && res->state != UNKNOWN) { 737 rq->res_pref.len = 1; 738 rq->res_pref.types[0] = res->type; 739 } else if (sort_resolver_types(&rq->res_pref) == -1) { 740 log_warn("mergesort"); 741 free(rq->query_imsg); 742 free(rq); 743 return; 744 } 745 746 evtimer_set(&rq->timer_ev, try_resolver_timo, rq); 747 748 TAILQ_INSERT_TAIL(&running_queries, rq, entry); 749 try_next_resolver(rq); 750 } 751 752 struct running_query * 753 find_running_query(uint64_t id) 754 { 755 struct running_query *rq; 756 757 TAILQ_FOREACH(rq, &running_queries, entry) { 758 if (rq->query_imsg->id == id) 759 return rq; 760 } 761 return NULL; 762 } 763 764 void 765 try_resolver_timo(int fd, short events, void *arg) 766 { 767 struct running_query *rq = arg; 768 769 try_next_resolver(rq); 770 } 771 772 int 773 try_next_resolver(struct running_query *rq) 774 { 775 struct uw_resolver *res = NULL; 776 struct query_imsg *query_imsg = NULL; 777 struct timespec tp, elapsed; 778 struct timeval tv = {0, 0}; 779 int64_t ms; 780 781 while(rq->next_resolver < rq->res_pref.len && 782 ((res = resolvers[rq->res_pref.types[rq->next_resolver]]) == NULL || 783 res->state == DEAD || res->state == UNKNOWN)) 784 rq->next_resolver++; 785 786 if (res == NULL) { 787 evtimer_del(&rq->timer_ev); /* we are not going to find one */ 788 log_debug("%s: could not find (any more) working resolvers", 789 __func__); 790 goto err; 791 } 792 793 rq->next_resolver++; 794 clock_gettime(CLOCK_MONOTONIC, &tp); 795 timespecsub(&tp, &rq->tp, &elapsed); 796 ms = elapsed.tv_sec * 1000 + elapsed.tv_nsec / 1000000; 797 798 log_debug("%s[+%lldms]: %s[%s] %s", __func__, ms, 799 uw_resolver_type_str[res->type], uw_resolver_state_str[res->state], 800 query_imsg2str(rq->query_imsg)); 801 802 if ((query_imsg = malloc(sizeof(*query_imsg))) == NULL) { 803 log_warnx("%s", __func__); 804 goto err; 805 } 806 memcpy(query_imsg, rq->query_imsg, sizeof(*query_imsg)); 807 clock_gettime(CLOCK_MONOTONIC, &query_imsg->tp); 808 809 ms = res->median; 810 if (ms > NEXT_RES_MAX) 811 ms = NEXT_RES_MAX; 812 if (res->type == resolver_conf->res_pref.types[0]) 813 tv.tv_usec = 1000 * (PREF_RESOLVER_MEDIAN_SKEW + ms); 814 else 815 tv.tv_usec = 1000 * ms; 816 817 while (tv.tv_usec >= 1000000) { 818 tv.tv_sec++; 819 tv.tv_usec -= 1000000; 820 } 821 evtimer_add(&rq->timer_ev, &tv); 822 823 rq->running++; 824 if (resolve(res, query_imsg->qname, query_imsg->t, 825 query_imsg->c, query_imsg, resolve_done) != 0) { 826 rq->running--; 827 goto err; 828 } 829 830 return 0; 831 832 err: 833 free(query_imsg); 834 if (rq->running == 0) { 835 TAILQ_REMOVE(&running_queries, rq, entry); 836 evtimer_del(&rq->timer_ev); 837 free(rq->query_imsg); 838 free(rq); 839 } 840 return 1; 841 } 842 843 int 844 resolve(struct uw_resolver *res, const char* name, int rrtype, int rrclass, 845 void *mydata, resolve_cb_t cb) 846 { 847 struct resolver_cb_data *cb_data = NULL; 848 struct asr_query *aq = NULL; 849 int err; 850 851 resolver_ref(res); 852 853 if ((cb_data = malloc(sizeof(*cb_data))) == NULL) 854 goto err; 855 cb_data->cb = cb; 856 cb_data->data = mydata; 857 cb_data->res = res; 858 859 switch(res->type) { 860 case UW_RES_ASR: 861 if ((aq = res_query_async(name, rrclass, rrtype, res->asr_ctx)) 862 == NULL) { 863 log_warn("%s: res_query_async", __func__); 864 goto err; 865 } 866 if (event_asr_run(aq, asr_resolve_done, cb_data) == NULL) { 867 log_warn("%s: res_query_async", __func__); 868 goto err; 869 } 870 break; 871 case UW_RES_RECURSOR: 872 case UW_RES_DHCP: 873 case UW_RES_ODOT_DHCP: 874 case UW_RES_FORWARDER: 875 case UW_RES_ODOT_FORWARDER: 876 case UW_RES_DOT: 877 if ((err = ub_resolve_event(res->ctx, name, rrtype, rrclass, 878 cb_data, ub_resolve_done, NULL)) != 0) { 879 log_warn("%s: ub_resolve_event: err: %d, %s", __func__, 880 err, ub_strerror(err)); 881 goto err; 882 } 883 break; 884 default: 885 fatalx("unknown resolver type %d", res->type); 886 break; 887 } 888 889 return 0; 890 err: 891 free(cb_data); 892 free(aq); 893 resolver_unref(res); 894 return 1; 895 } 896 897 void 898 resolve_done(struct uw_resolver *res, void *arg, int rcode, 899 void *answer_packet, int answer_len, int sec, char *why_bogus) 900 { 901 struct uw_resolver *tmp_res; 902 struct ub_result *result = NULL; 903 sldns_buffer *buf = NULL; 904 struct regional *region = NULL; 905 struct query_imsg *query_imsg; 906 struct answer_header *answer_header; 907 struct running_query *rq; 908 struct timespec tp, elapsed; 909 int64_t ms; 910 size_t i; 911 int running_res, asr_pref_pos, force_acceptbogus; 912 char *str; 913 char rcode_buf[16]; 914 uint8_t *p, *data; 915 uint8_t answer_imsg[MAX_IMSGSIZE - IMSG_HEADER_SIZE]; 916 917 clock_gettime(CLOCK_MONOTONIC, &tp); 918 919 query_imsg = (struct query_imsg *)arg; 920 921 answer_header = (struct answer_header *)answer_imsg; 922 data = answer_imsg + sizeof(*answer_header); 923 answer_header->id = query_imsg->id; 924 answer_header->srvfail = 0; 925 answer_header->answer_len = 0; 926 927 timespecsub(&tp, &query_imsg->tp, &elapsed); 928 929 ms = elapsed.tv_sec * 1000 + elapsed.tv_nsec / 1000000; 930 931 for (i = 0; i < nitems(histogram_limits); i++) { 932 if (ms < histogram_limits[i]) 933 break; 934 } 935 if (i == nitems(histogram_limits)) 936 log_debug("histogram bucket error"); 937 else { 938 res->histogram[i]++; 939 /* latest_histogram is in units of 1000 to avoid rounding 940 down when decaying */ 941 res->latest_histogram[i] += 1000; 942 res->median = histogram_median(res->latest_histogram); 943 } 944 945 if ((rq = find_running_query(query_imsg->id)) == NULL) 946 goto out; 947 948 running_res = --rq->running; 949 950 if (answer_len < LDNS_HEADER_SIZE) { 951 log_warnx("bad packet: too short"); 952 goto servfail; 953 } 954 955 if (answer_len > UINT16_MAX) { 956 log_warnx("bad packet: too large: %d - %s", answer_len, 957 query_imsg2str(query_imsg)); 958 goto servfail; 959 } 960 answer_header->answer_len = answer_len; 961 962 if (rcode == LDNS_RCODE_SERVFAIL) { 963 if (res->stop != 1) 964 check_resolver(res); 965 goto servfail; 966 } 967 968 if ((result = calloc(1, sizeof(*result))) == NULL) 969 goto servfail; 970 if ((buf = sldns_buffer_new(answer_len)) == NULL) 971 goto servfail; 972 if ((region = regional_create()) == NULL) 973 goto servfail; 974 975 result->rcode = LDNS_RCODE_SERVFAIL; 976 977 sldns_buffer_clear(buf); 978 sldns_buffer_write(buf, answer_packet, answer_len); 979 sldns_buffer_flip(buf); 980 libworker_enter_result(result, buf, region, sec); 981 result->answer_packet = NULL; 982 result->answer_len = 0; 983 984 sldns_wire2str_rcode_buf(result->rcode, rcode_buf, sizeof(rcode_buf)); 985 log_debug("%s[%s]: %s rcode: %s[%d], elapsed: %lldms, running: %d", 986 __func__, uw_resolver_type_str[res->type], 987 query_imsg2str(query_imsg), rcode_buf, result->rcode, ms, 988 running_query_cnt()); 989 990 force_acceptbogus = find_force(&resolver_conf->force, query_imsg->qname, 991 &tmp_res); 992 if (tmp_res != NULL && tmp_res->type != res->type) 993 force_acceptbogus = 0; 994 995 timespecsub(&tp, &last_network_change, &elapsed); 996 if ((result->rcode == LDNS_RCODE_NXDOMAIN || sec == BOGUS) && 997 !force_acceptbogus && res->type != UW_RES_ASR && elapsed.tv_sec < 998 DOUBT_NXDOMAIN_SEC) { 999 /* 1000 * Doubt NXDOMAIN or BOGUS if we just switched networks, we 1001 * might be behind a captive portal. 1002 */ 1003 log_debug("%s: doubt NXDOMAIN or BOGUS from %s, network change" 1004 " %llds ago", __func__, uw_resolver_type_str[res->type], 1005 elapsed.tv_sec); 1006 1007 /* search for ASR */ 1008 asr_pref_pos = -1; 1009 for (i = 0; i < (size_t)rq->res_pref.len; i++) 1010 if (rq->res_pref.types[i] == UW_RES_ASR) { 1011 asr_pref_pos = i; 1012 break; 1013 } 1014 1015 if (asr_pref_pos != -1 && resolvers[UW_RES_ASR] != NULL) { 1016 /* go to ASR if not yet scheduled */ 1017 if (asr_pref_pos >= rq->next_resolver) { 1018 rq->next_resolver = asr_pref_pos; 1019 try_next_resolver(rq); 1020 } 1021 goto out; 1022 } 1023 log_debug("%s: using NXDOMAIN or BOGUS, couldn't find working " 1024 "ASR", __func__); 1025 } 1026 1027 if (log_getverbose() & OPT_VERBOSE2 && (str = 1028 sldns_wire2str_pkt(answer_packet, answer_len)) != NULL) { 1029 log_debug("%s", str); 1030 free(str); 1031 } 1032 1033 if (result->rcode == LDNS_RCODE_SERVFAIL) 1034 goto servfail; 1035 1036 if (sec == SECURE && res->state != VALIDATING && res->stop != -1) 1037 check_resolver(res); 1038 1039 if (res->state == VALIDATING && sec == BOGUS) { 1040 answer_header->bogus = !force_acceptbogus; 1041 if (answer_header->bogus && why_bogus != NULL) 1042 log_warnx("%s", why_bogus); 1043 } else 1044 answer_header->bogus = 0; 1045 1046 p = answer_packet; 1047 do { 1048 int len; 1049 1050 if ((size_t)answer_len > sizeof(answer_imsg) - 1051 sizeof(*answer_header)) 1052 len = sizeof(answer_imsg) - sizeof(*answer_header); 1053 else 1054 len = answer_len; 1055 memcpy(data, p, len); 1056 if (resolver_imsg_compose_frontend(IMSG_ANSWER, 0, 1057 &answer_imsg, sizeof(*answer_header) + len) == -1) 1058 fatalx("IMSG_ANSWER failed for \"%s\"", 1059 query_imsg2str(query_imsg)); 1060 answer_len -= len; 1061 p += len; 1062 } while (answer_len > 0); 1063 1064 TAILQ_REMOVE(&running_queries, rq, entry); 1065 evtimer_del(&rq->timer_ev); 1066 free(rq->query_imsg); 1067 free(rq); 1068 goto out; 1069 1070 servfail: 1071 /* try_next_resolver() might free rq */ 1072 if (try_next_resolver(rq) != 0 && running_res == 0) { 1073 /* we are the last one, send SERVFAIL */ 1074 answer_header->srvfail = 1; 1075 resolver_imsg_compose_frontend(IMSG_ANSWER, 0, 1076 answer_imsg, sizeof(*answer_header)); 1077 } 1078 out: 1079 free(query_imsg); 1080 sldns_buffer_free(buf); 1081 regional_destroy(region); 1082 ub_resolve_free(result); 1083 } 1084 1085 void 1086 new_resolver(enum uw_resolver_type type, enum uw_resolver_state state) 1087 { 1088 free_resolver(resolvers[type]); 1089 resolvers[type] = NULL; 1090 1091 if (!enabled_resolvers[type]) 1092 return; 1093 1094 switch (type) { 1095 case UW_RES_ASR: 1096 case UW_RES_DHCP: 1097 case UW_RES_ODOT_DHCP: 1098 if (TAILQ_EMPTY(&autoconf_forwarder_list)) 1099 return; 1100 break; 1101 case UW_RES_RECURSOR: 1102 break; 1103 case UW_RES_FORWARDER: 1104 case UW_RES_ODOT_FORWARDER: 1105 if (TAILQ_EMPTY(&resolver_conf->uw_forwarder_list)) 1106 return; 1107 break; 1108 case UW_RES_DOT: 1109 if (TAILQ_EMPTY(&resolver_conf->uw_dot_forwarder_list)) 1110 return; 1111 break; 1112 case UW_RES_NONE: 1113 fatalx("cannot create UW_RES_NONE resolver"); 1114 } 1115 1116 switch (type) { 1117 case UW_RES_RECURSOR: 1118 case UW_RES_DHCP: 1119 case UW_RES_ODOT_DHCP: 1120 case UW_RES_FORWARDER: 1121 case UW_RES_ODOT_FORWARDER: 1122 case UW_RES_DOT: 1123 if (TAILQ_EMPTY(&trust_anchors)) 1124 return; 1125 break; 1126 case UW_RES_ASR: 1127 break; 1128 case UW_RES_NONE: 1129 fatalx("cannot create UW_RES_NONE resolver"); 1130 } 1131 1132 if ((resolvers[type] = create_resolver(type)) == NULL) 1133 return; 1134 1135 switch (state) { 1136 case DEAD: 1137 case UNKNOWN: 1138 check_resolver(resolvers[type]); 1139 break; 1140 case VALIDATING: 1141 set_unified_cache(resolvers[type]); 1142 /* FALLTHROUGH */ 1143 case RESOLVING: 1144 resolvers[type]->state = state; 1145 if (type == UW_RES_ASR) 1146 check_dns64(); 1147 break; 1148 } 1149 } 1150 1151 void 1152 set_unified_cache(struct uw_resolver *res) 1153 { 1154 if (res == NULL || res->ctx == NULL) 1155 return; 1156 1157 if (res->ctx->env->msg_cache != NULL) { 1158 /* XXX we are currently not using this */ 1159 if (res->ctx->env->msg_cache != unified_msg_cache || 1160 res->ctx->env->rrset_cache != unified_rrset_cache || 1161 res->ctx->env->key_cache != unified_key_cache || 1162 res->ctx->env->neg_cache != unified_neg_cache) 1163 fatalx("wrong unified cache set on resolver"); 1164 else 1165 /* we are upgrading from UNKNOWN back to VALIDATING */ 1166 return; 1167 } 1168 1169 res->ctx->env->msg_cache = unified_msg_cache; 1170 res->ctx->env->rrset_cache = unified_rrset_cache; 1171 res->ctx->env->key_cache = unified_key_cache; 1172 res->ctx->env->neg_cache = unified_neg_cache; 1173 1174 context_finalize(res->ctx); 1175 1176 if (res->ctx->env->msg_cache != unified_msg_cache || 1177 res->ctx->env->rrset_cache != unified_rrset_cache || 1178 res->ctx->env->key_cache != unified_key_cache || 1179 res->ctx->env->neg_cache != unified_neg_cache) 1180 fatalx("failed to set unified caches, libunbound/validator/" 1181 "validator.c diff lost"); 1182 } 1183 1184 static const struct { 1185 const char *name; 1186 const char *value; 1187 } options[] = { 1188 { "aggressive-nsec:", "yes" }, 1189 { "fast-server-permil:", "950" }, 1190 { "edns-buffer-size:", "1232" }, 1191 { "target-fetch-policy:", "0 0 0 0 0" }, 1192 { "outgoing-range:", "64" } 1193 }; 1194 1195 struct uw_resolver * 1196 create_resolver(enum uw_resolver_type type) 1197 { 1198 struct uw_resolver *res; 1199 struct trust_anchor *ta; 1200 size_t i; 1201 int err; 1202 char *resolv_conf; 1203 1204 if ((res = calloc(1, sizeof(*res))) == NULL) { 1205 log_warn("%s", __func__); 1206 return (NULL); 1207 } 1208 1209 res->type = type; 1210 res->state = UNKNOWN; 1211 res->check_tv.tv_sec = RESOLVER_CHECK_SEC; 1212 res->check_tv.tv_usec = arc4random() % 1000000; /* modulo bias is ok */ 1213 1214 switch (type) { 1215 case UW_RES_ASR: 1216 if (TAILQ_EMPTY(&autoconf_forwarder_list)) { 1217 free(res); 1218 return (NULL); 1219 } 1220 if ((resolv_conf = gen_resolv_conf()) == NULL) { 1221 free(res); 1222 log_warnx("could not create asr context"); 1223 return (NULL); 1224 } 1225 if ((res->asr_ctx = asr_resolver_from_string(resolv_conf)) == 1226 NULL) { 1227 free(res); 1228 free(resolv_conf); 1229 log_warnx("could not create asr context"); 1230 return (NULL); 1231 } 1232 free(resolv_conf); 1233 break; 1234 case UW_RES_RECURSOR: 1235 case UW_RES_DHCP: 1236 case UW_RES_ODOT_DHCP: 1237 case UW_RES_FORWARDER: 1238 case UW_RES_ODOT_FORWARDER: 1239 case UW_RES_DOT: 1240 if ((res->ctx = ub_ctx_create_event(ev_base)) == NULL) { 1241 free(res); 1242 log_warnx("could not create unbound context"); 1243 return (NULL); 1244 } 1245 1246 ub_ctx_debuglevel(res->ctx, log_getverbose() & OPT_VERBOSE3 ? 1247 UB_LOG_VERBOSE : UB_LOG_BRIEF); 1248 1249 TAILQ_FOREACH(ta, &trust_anchors, entry) { 1250 if ((err = ub_ctx_add_ta(res->ctx, ta->ta)) != 0) { 1251 ub_ctx_delete(res->ctx); 1252 free(res); 1253 log_warnx("error adding trust anchor: %s", 1254 ub_strerror(err)); 1255 return (NULL); 1256 } 1257 } 1258 1259 for (i = 0; i < nitems(options); i++) { 1260 if ((err = ub_ctx_set_option(res->ctx, options[i].name, 1261 options[i].value)) != 0) { 1262 ub_ctx_delete(res->ctx); 1263 free(res); 1264 log_warnx("error setting %s: %s: %s", 1265 options[i].name, options[i].value, 1266 ub_strerror(err)); 1267 return (NULL); 1268 } 1269 } 1270 1271 if (!(available_afs & HAVE_IPV4)) { 1272 if((err = ub_ctx_set_option(res->ctx, "do-ip4:", 1273 "no")) != 0) { 1274 ub_ctx_delete(res->ctx); 1275 free(res); 1276 log_warnx("error setting do-ip4: no: %s", 1277 ub_strerror(err)); 1278 return (NULL); 1279 } 1280 } 1281 1282 if (!(available_afs & HAVE_IPV6)) { 1283 if((err = ub_ctx_set_option(res->ctx, "do-ip6:", 1284 "no")) != 0) { 1285 ub_ctx_delete(res->ctx); 1286 free(res); 1287 log_warnx("error setting do-ip6: no: %s", 1288 ub_strerror(err)); 1289 return (NULL); 1290 } 1291 } 1292 1293 if (!log_getdebug()) { 1294 if((err = ub_ctx_set_option(res->ctx, "use-syslog:", 1295 "no")) != 0) { 1296 ub_ctx_delete(res->ctx); 1297 free(res); 1298 log_warnx("error setting use-syslog: no: %s", 1299 ub_strerror(err)); 1300 return (NULL); 1301 } 1302 ub_ctx_debugout(res->ctx, NULL); 1303 } 1304 1305 break; 1306 default: 1307 fatalx("unknown resolver type %d", type); 1308 break; 1309 } 1310 1311 evtimer_set(&res->check_ev, resolver_check_timo, res); 1312 1313 switch(res->type) { 1314 case UW_RES_ASR: 1315 break; 1316 case UW_RES_RECURSOR: 1317 break; 1318 case UW_RES_DHCP: 1319 set_forwarders(res, &autoconf_forwarder_list, 0); 1320 break; 1321 case UW_RES_ODOT_DHCP: 1322 set_forwarders(res, &autoconf_forwarder_list, 853); 1323 ub_ctx_set_option(res->ctx, "tls-cert-bundle:", 1324 TLS_DEFAULT_CA_CERT_FILE); 1325 ub_ctx_set_tls(res->ctx, 1); 1326 break; 1327 case UW_RES_FORWARDER: 1328 set_forwarders(res, &resolver_conf->uw_forwarder_list, 0); 1329 break; 1330 case UW_RES_ODOT_FORWARDER: 1331 set_forwarders(res, &resolver_conf->uw_forwarder_list, 853); 1332 ub_ctx_set_option(res->ctx, "tls-cert-bundle:", 1333 TLS_DEFAULT_CA_CERT_FILE); 1334 ub_ctx_set_tls(res->ctx, 1); 1335 break; 1336 case UW_RES_DOT: 1337 set_forwarders(res, &resolver_conf->uw_dot_forwarder_list, 0); 1338 ub_ctx_set_option(res->ctx, "tls-cert-bundle:", 1339 TLS_DEFAULT_CA_CERT_FILE); 1340 ub_ctx_set_tls(res->ctx, 1); 1341 break; 1342 default: 1343 fatalx("unknown resolver type %d", type); 1344 break; 1345 } 1346 1347 /* for the forwarder cases allow AS112 zones */ 1348 switch(res->type) { 1349 case UW_RES_DHCP: 1350 case UW_RES_ODOT_DHCP: 1351 case UW_RES_FORWARDER: 1352 case UW_RES_ODOT_FORWARDER: 1353 case UW_RES_DOT: 1354 for (i = 0; i < nitems(as112_zones); i++) { 1355 if((err = ub_ctx_set_option(res->ctx, "local-zone:", 1356 as112_zones[i])) != 0) { 1357 ub_ctx_delete(res->ctx); 1358 free(res); 1359 log_warnx("error setting local-zone: %s: %s", 1360 as112_zones[i], ub_strerror(err)); 1361 return (NULL); 1362 } 1363 } 1364 break; 1365 default: 1366 break; 1367 } 1368 1369 return (res); 1370 } 1371 1372 void 1373 free_resolver(struct uw_resolver *res) 1374 { 1375 struct val_env *val_env; 1376 1377 if (res == NULL) 1378 return; 1379 1380 if (res->ref_cnt > 0) 1381 res->stop = 1; 1382 else { 1383 evtimer_del(&res->check_ev); 1384 if (res->ctx != NULL) { 1385 if (res->ctx->env->msg_cache == unified_msg_cache) { 1386 val_env = (struct val_env*) 1387 res->ctx->env->modinfo[val_id]; 1388 res->ctx->env->msg_cache = NULL; 1389 res->ctx->env->rrset_cache = NULL; 1390 val_env->kcache = NULL; 1391 res->ctx->env->key_cache = NULL; 1392 val_env->neg_cache = NULL; 1393 res->ctx->env->neg_cache = NULL; 1394 } 1395 } 1396 ub_ctx_delete(res->ctx); 1397 asr_resolver_free(res->asr_ctx); 1398 free(res); 1399 } 1400 } 1401 1402 void 1403 setup_unified_caches(void) 1404 { 1405 struct ub_ctx *ctx; 1406 struct val_env *val_env; 1407 size_t i; 1408 int err, j; 1409 1410 if ((ctx = ub_ctx_create_event(ev_base)) == NULL) 1411 fatalx("could not create unbound context"); 1412 1413 for (i = 0; i < nitems(options); i++) { 1414 if ((err = ub_ctx_set_option(ctx, options[i].name, 1415 options[i].value)) != 0) { 1416 fatalx("error setting %s: %s: %s", options[i].name, 1417 options[i].value, ub_strerror(err)); 1418 } 1419 } 1420 1421 context_finalize(ctx); 1422 1423 if (ctx->env->msg_cache == NULL || ctx->env->rrset_cache == NULL || 1424 ctx->env->key_cache == NULL || ctx->env->neg_cache == NULL) 1425 fatalx("could not setup unified caches"); 1426 1427 unified_msg_cache = ctx->env->msg_cache; 1428 unified_rrset_cache = ctx->env->rrset_cache; 1429 unified_key_cache = ctx->env->key_cache; 1430 unified_neg_cache = ctx->env->neg_cache; 1431 1432 if (val_id == -1) { 1433 for (j = 0; j < ctx->mods.num; j++) { 1434 if (strcmp(ctx->mods.mod[j]->name, "validator") == 0) { 1435 val_id = j; 1436 break; 1437 } 1438 } 1439 if (val_id == -1) 1440 fatalx("cannot find validator module"); 1441 } 1442 1443 val_env = (struct val_env*)ctx->env->modinfo[val_id]; 1444 ctx->env->msg_cache = NULL; 1445 ctx->env->rrset_cache = NULL; 1446 ctx->env->key_cache = NULL; 1447 val_env->kcache = NULL; 1448 ctx->env->neg_cache = NULL; 1449 val_env->neg_cache = NULL; 1450 ub_ctx_delete(ctx); 1451 } 1452 1453 void 1454 set_forwarders(struct uw_resolver *res, struct uw_forwarder_head 1455 *uw_forwarder_list, int port_override) 1456 { 1457 struct uw_forwarder *uw_forwarder; 1458 int ret; 1459 char fwd[FWD_MAX]; 1460 1461 TAILQ_FOREACH(uw_forwarder, uw_forwarder_list, entry) { 1462 if (uw_forwarder->auth_name[0] != '\0') 1463 ret = snprintf(fwd, sizeof(fwd), "%s@%d#%s", 1464 uw_forwarder->ip, port_override ? port_override : 1465 uw_forwarder->port, uw_forwarder->auth_name); 1466 else 1467 ret = snprintf(fwd, sizeof(fwd), "%s@%d", 1468 uw_forwarder->ip, port_override ? port_override : 1469 uw_forwarder->port); 1470 1471 if (ret < 0 || (size_t)ret >= sizeof(fwd)) { 1472 log_warnx("forwarder too long"); 1473 continue; 1474 } 1475 1476 ub_ctx_set_fwd(res->ctx, fwd); 1477 } 1478 } 1479 1480 void 1481 resolver_check_timo(int fd, short events, void *arg) 1482 { 1483 check_resolver((struct uw_resolver *)arg); 1484 } 1485 1486 void 1487 resolver_free_timo(int fd, short events, void *arg) 1488 { 1489 free_resolver((struct uw_resolver *)arg); 1490 } 1491 1492 void 1493 check_resolver(struct uw_resolver *resolver_to_check) 1494 { 1495 struct uw_resolver *res; 1496 1497 if (resolver_to_check == NULL) 1498 return; 1499 1500 if (resolver_to_check->check_running) 1501 return; 1502 1503 if ((res = create_resolver(resolver_to_check->type)) == NULL) 1504 return; 1505 1506 resolver_ref(resolver_to_check); 1507 1508 resolver_to_check->check_running++; 1509 if (resolve(res, ".", LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN, 1510 resolver_to_check, check_resolver_done) != 0) { 1511 resolver_to_check->check_running--; 1512 resolver_to_check->state = UNKNOWN; 1513 resolver_unref(resolver_to_check); 1514 resolver_to_check->check_tv.tv_sec = RESOLVER_CHECK_SEC; 1515 evtimer_add(&resolver_to_check->check_ev, 1516 &resolver_to_check->check_tv); 1517 } 1518 } 1519 1520 void 1521 check_resolver_done(struct uw_resolver *res, void *arg, int rcode, 1522 void *answer_packet, int answer_len, int sec, char *why_bogus) 1523 { 1524 struct uw_resolver *checked_resolver = arg; 1525 struct timeval tv = {0, 1}; 1526 enum uw_resolver_state prev_state; 1527 int bogus_time = 0; 1528 char *str; 1529 1530 checked_resolver->check_running--; 1531 1532 if (checked_resolver != resolvers[checked_resolver->type]) { 1533 log_debug("%s: %s: ignoring late check result", __func__, 1534 uw_resolver_type_str[checked_resolver->type]); 1535 goto out; 1536 } 1537 1538 prev_state = checked_resolver->state; 1539 1540 if (answer_len < LDNS_HEADER_SIZE) { 1541 checked_resolver->state = DEAD; 1542 log_warnx("%s: bad packet: too short", __func__); 1543 goto out; 1544 } 1545 1546 if (rcode == LDNS_RCODE_SERVFAIL) { 1547 log_debug("%s: %s rcode: SERVFAIL", __func__, 1548 uw_resolver_type_str[checked_resolver->type]); 1549 1550 checked_resolver->state = DEAD; 1551 goto out; 1552 } 1553 1554 if (sec == SECURE) { 1555 if (dns64_present && (res->type == UW_RES_DHCP || 1556 res->type == UW_RES_ODOT_DHCP)) { 1557 /* do not upgrade to validating, DNS64 breaks DNSSEC */ 1558 if (prev_state != RESOLVING) 1559 new_resolver(checked_resolver->type, 1560 RESOLVING); 1561 } else { 1562 if (prev_state != VALIDATING) 1563 new_resolver(checked_resolver->type, 1564 VALIDATING); 1565 if (!(evtimer_pending(&trust_anchor_timer, NULL))) 1566 evtimer_add(&trust_anchor_timer, &tv); 1567 } 1568 } else if (rcode == LDNS_RCODE_NOERROR && 1569 LDNS_RCODE_WIRE((uint8_t*)answer_packet) == LDNS_RCODE_NOERROR) { 1570 if (why_bogus) { 1571 bogus_time = strncmp(why_bogus, bogus_past, 1572 sizeof(bogus_past) - 1) == 0 || strncmp(why_bogus, 1573 bogus_future, sizeof(bogus_future) - 1) == 0; 1574 1575 log_warnx("%s: %s", uw_resolver_type_str[ 1576 checked_resolver->type], why_bogus); 1577 } 1578 if (prev_state != RESOLVING) 1579 new_resolver(checked_resolver->type, RESOLVING); 1580 } else 1581 checked_resolver->state = DEAD; /* we know the root exists */ 1582 1583 log_debug("%s: %s: %s", __func__, 1584 uw_resolver_type_str[checked_resolver->type], 1585 uw_resolver_state_str[checked_resolver->state]); 1586 1587 if (log_getverbose() & OPT_VERBOSE2 && (str = 1588 sldns_wire2str_pkt(answer_packet, answer_len)) != NULL) { 1589 log_debug("%s", str); 1590 free(str); 1591 } 1592 1593 out: 1594 if (!checked_resolver->stop && (checked_resolver->state == DEAD || 1595 bogus_time)) { 1596 if (prev_state == DEAD || bogus_time) 1597 checked_resolver->check_tv.tv_sec *= 2; 1598 else 1599 checked_resolver->check_tv.tv_sec = RESOLVER_CHECK_SEC; 1600 1601 if (checked_resolver->check_tv.tv_sec > RESOLVER_CHECK_MAXSEC) 1602 checked_resolver->check_tv.tv_sec = 1603 RESOLVER_CHECK_MAXSEC; 1604 1605 evtimer_add(&checked_resolver->check_ev, 1606 &checked_resolver->check_tv); 1607 } 1608 1609 resolver_unref(checked_resolver); 1610 res->stop = 1; /* do not free in callback */ 1611 } 1612 1613 void 1614 asr_resolve_done(struct asr_result *ar, void *arg) 1615 { 1616 struct resolver_cb_data *cb_data = arg; 1617 cb_data->cb(cb_data->res, cb_data->data, ar->ar_rcode, ar->ar_data, 1618 ar->ar_datalen, 0, NULL); 1619 free(ar->ar_data); 1620 resolver_unref(cb_data->res); 1621 free(cb_data); 1622 } 1623 1624 void 1625 ub_resolve_done(void *arg, int rcode, void *answer_packet, int answer_len, 1626 int sec, char *why_bogus, int was_ratelimited) 1627 { 1628 struct resolver_cb_data *cb_data = arg; 1629 cb_data->cb(cb_data->res, cb_data->data, rcode, answer_packet, 1630 answer_len, sec, why_bogus); 1631 resolver_unref(cb_data->res); 1632 free(cb_data); 1633 } 1634 1635 void 1636 schedule_recheck_all_resolvers(void) 1637 { 1638 struct timeval tv; 1639 int i; 1640 1641 tv.tv_sec = 0; 1642 1643 for (i = 0; i < UW_RES_NONE; i++) { 1644 if (resolvers[i] == NULL) 1645 continue; 1646 tv.tv_usec = arc4random() % 1000000; /* modulo bias is ok */ 1647 resolvers[i]->state = UNKNOWN; 1648 evtimer_add(&resolvers[i]->check_ev, &tv); 1649 } 1650 } 1651 1652 int 1653 check_forwarders_changed(struct uw_forwarder_head *list_a, 1654 struct uw_forwarder_head *list_b) 1655 { 1656 struct uw_forwarder *a, *b; 1657 1658 a = TAILQ_FIRST(list_a); 1659 b = TAILQ_FIRST(list_b); 1660 1661 while(a != NULL && b != NULL) { 1662 if (strcmp(a->ip, b->ip) != 0) 1663 return 1; 1664 if (a->port != b->port) 1665 return 1; 1666 if (strcmp(a->auth_name, b->auth_name) != 0) 1667 return 1; 1668 a = TAILQ_NEXT(a, entry); 1669 b = TAILQ_NEXT(b, entry); 1670 } 1671 1672 if (a != NULL || b != NULL) 1673 return 1; 1674 return 0; 1675 } 1676 1677 void 1678 resolver_ref(struct uw_resolver *res) 1679 { 1680 if (res->ref_cnt == INT_MAX) 1681 fatalx("%s: INT_MAX references", __func__); 1682 res->ref_cnt++; 1683 } 1684 1685 void 1686 resolver_unref(struct uw_resolver *res) 1687 { 1688 struct timeval tv = { 0, 1}; 1689 1690 if (res->ref_cnt == 0) 1691 fatalx("%s: unreferenced resolver", __func__); 1692 1693 res->ref_cnt--; 1694 1695 /* 1696 * Decouple from libunbound event callback. 1697 * If we free the ctx inside of resolve_done or check_resovler_done 1698 * we are cutting of the branch we are sitting on and hit a 1699 * user-after-free 1700 */ 1701 if (res->stop && res->ref_cnt == 0) { 1702 evtimer_set(&res->free_ev, resolver_free_timo, res); 1703 evtimer_add(&res->free_ev, &tv); 1704 } 1705 } 1706 1707 void 1708 replace_forwarders(struct uw_forwarder_head *new_list, struct 1709 uw_forwarder_head *old_list) 1710 { 1711 struct uw_forwarder *uw_forwarder; 1712 1713 while ((uw_forwarder = 1714 TAILQ_FIRST(old_list)) != NULL) { 1715 TAILQ_REMOVE(old_list, uw_forwarder, entry); 1716 free(uw_forwarder); 1717 } 1718 1719 TAILQ_CONCAT(old_list, new_list, entry); 1720 } 1721 1722 int 1723 resolver_cmp(const void *_a, const void *_b) 1724 { 1725 const enum uw_resolver_type a = *(const enum uw_resolver_type *)_a; 1726 const enum uw_resolver_type b = *(const enum uw_resolver_type *)_b; 1727 int64_t a_median, b_median; 1728 1729 if (resolvers[a] == NULL && resolvers[b] == NULL) 1730 return 0; 1731 1732 if (resolvers[b] == NULL) 1733 return -1; 1734 1735 if (resolvers[a] == NULL) 1736 return 1; 1737 1738 if (resolvers[a]->state < resolvers[b]->state) 1739 return 1; 1740 else if (resolvers[a]->state > resolvers[b]->state) 1741 return -1; 1742 else { 1743 a_median = resolvers[a]->median; 1744 b_median = resolvers[b]->median; 1745 if (resolvers[a]->type == resolver_conf->res_pref.types[0]) 1746 a_median -= PREF_RESOLVER_MEDIAN_SKEW; 1747 else if (resolvers[b]->type == resolver_conf->res_pref.types[0]) 1748 b_median -= PREF_RESOLVER_MEDIAN_SKEW; 1749 if (a_median < b_median) 1750 return -1; 1751 else if (a_median > b_median) 1752 return 1; 1753 else 1754 return 0; 1755 } 1756 } 1757 1758 void 1759 restart_ub_resolvers(int recheck) 1760 { 1761 int i; 1762 enum uw_resolver_state state; 1763 1764 for (i = 0; i < UW_RES_NONE; i++) { 1765 if (i == UW_RES_ASR) 1766 continue; 1767 if (recheck || resolvers[i] == NULL) 1768 state = UNKNOWN; 1769 else 1770 state = resolvers[i]->state; 1771 new_resolver(i, state); 1772 } 1773 } 1774 1775 void 1776 show_status(pid_t pid) 1777 { 1778 struct resolver_preference res_pref; 1779 int i; 1780 1781 if (sort_resolver_types(&res_pref) == -1) 1782 log_warn("mergesort"); 1783 1784 for (i = 0; i < resolver_conf->res_pref.len; i++) 1785 send_resolver_info(resolvers[res_pref.types[i]], pid); 1786 1787 resolver_imsg_compose_frontend(IMSG_CTL_END, pid, NULL, 0); 1788 } 1789 1790 void 1791 show_autoconf(pid_t pid) 1792 { 1793 struct uw_forwarder *uw_forwarder; 1794 struct ctl_forwarder_info cfi; 1795 1796 TAILQ_FOREACH(uw_forwarder, &autoconf_forwarder_list, entry) { 1797 memset(&cfi, 0, sizeof(cfi)); 1798 cfi.if_index = uw_forwarder->if_index; 1799 cfi.src = uw_forwarder->src; 1800 /* no truncation, structs are in sync */ 1801 memcpy(cfi.ip, uw_forwarder->ip, sizeof(cfi.ip)); 1802 resolver_imsg_compose_frontend( 1803 IMSG_CTL_AUTOCONF_RESOLVER_INFO, 1804 pid, &cfi, sizeof(cfi)); 1805 } 1806 1807 resolver_imsg_compose_frontend(IMSG_CTL_END, pid, NULL, 0); 1808 } 1809 1810 void 1811 show_mem(pid_t pid) 1812 { 1813 struct ctl_mem_info cmi; 1814 1815 memset(&cmi, 0, sizeof(cmi)); 1816 cmi.msg_cache_used = slabhash_get_mem(unified_msg_cache); 1817 cmi.msg_cache_max = slabhash_get_size(unified_msg_cache); 1818 cmi.rrset_cache_used = slabhash_get_mem(&unified_rrset_cache->table); 1819 cmi.rrset_cache_max = slabhash_get_size(&unified_rrset_cache->table); 1820 cmi.key_cache_used = slabhash_get_mem(unified_key_cache->slab); 1821 cmi.key_cache_max = slabhash_get_size(unified_key_cache->slab); 1822 cmi.neg_cache_used = unified_neg_cache->use; 1823 cmi.neg_cache_max = unified_neg_cache->max; 1824 resolver_imsg_compose_frontend(IMSG_CTL_MEM_INFO, pid, &cmi, 1825 sizeof(cmi)); 1826 1827 } 1828 1829 void 1830 send_resolver_info(struct uw_resolver *res, pid_t pid) 1831 { 1832 struct ctl_resolver_info cri; 1833 size_t i; 1834 1835 if (res == NULL) 1836 return; 1837 1838 cri.state = res->state; 1839 cri.type = res->type; 1840 cri.median = res->median; 1841 1842 memcpy(cri.histogram, res->histogram, sizeof(cri.histogram)); 1843 memcpy(cri.latest_histogram, res->latest_histogram, 1844 sizeof(cri.latest_histogram)); 1845 for (i = 0; i < nitems(histogram_limits); i++) 1846 cri.latest_histogram[i] = 1847 (cri.latest_histogram[i] + 500) / 1000; 1848 1849 resolver_imsg_compose_frontend(IMSG_CTL_RESOLVER_INFO, pid, &cri, 1850 sizeof(cri)); 1851 } 1852 1853 void 1854 trust_anchor_resolve(void) 1855 { 1856 struct resolver_preference res_pref; 1857 struct uw_resolver *res; 1858 struct timeval tv = {TRUST_ANCHOR_RETRY_INTERVAL, 0}; 1859 1860 if (sort_resolver_types(&res_pref) == -1) 1861 log_warn("mergesort"); 1862 1863 res = resolvers[res_pref.types[0]]; 1864 1865 if (res == NULL || res->state < VALIDATING) 1866 goto err; 1867 1868 if (resolve(res, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, NULL, 1869 trust_anchor_resolve_done) != 0) 1870 goto err; 1871 1872 return; 1873 err: 1874 evtimer_add(&trust_anchor_timer, &tv); 1875 } 1876 1877 void 1878 trust_anchor_timo(int fd, short events, void *arg) 1879 { 1880 trust_anchor_resolve(); 1881 } 1882 1883 void 1884 trust_anchor_resolve_done(struct uw_resolver *res, void *arg, int rcode, 1885 void *answer_packet, int answer_len, int sec, char *why_bogus) 1886 { 1887 struct ub_result *result = NULL; 1888 sldns_buffer *buf = NULL; 1889 struct regional *region = NULL; 1890 struct timeval tv = {TRUST_ANCHOR_RETRY_INTERVAL, 0}; 1891 int i, tas, n; 1892 uint16_t dnskey_flags; 1893 char rdata_buf[1024], *ta; 1894 1895 if (answer_len < LDNS_HEADER_SIZE) { 1896 log_warnx("bad packet: too short"); 1897 goto out; 1898 } 1899 1900 if ((result = calloc(1, sizeof(*result))) == NULL) 1901 goto out; 1902 1903 if (sec != SECURE) 1904 goto out; 1905 1906 if ((buf = sldns_buffer_new(answer_len)) == NULL) 1907 goto out; 1908 if ((region = regional_create()) == NULL) 1909 goto out; 1910 result->rcode = LDNS_RCODE_SERVFAIL; 1911 1912 sldns_buffer_clear(buf); 1913 sldns_buffer_write(buf, answer_packet, answer_len); 1914 sldns_buffer_flip(buf); 1915 libworker_enter_result(result, buf, region, sec); 1916 result->answer_packet = NULL; 1917 result->answer_len = 0; 1918 1919 if (result->rcode != LDNS_RCODE_NOERROR) 1920 goto out; 1921 1922 i = 0; 1923 tas = 0; 1924 while(result->data[i] != NULL) { 1925 if (result->len[i] < 2) { 1926 if (tas > 0) 1927 resolver_imsg_compose_frontend( 1928 IMSG_NEW_TAS_ABORT, 0, NULL, 0); 1929 goto out; 1930 } 1931 n = sldns_wire2str_rdata_buf(result->data[i], result->len[i], 1932 rdata_buf, sizeof(rdata_buf), LDNS_RR_TYPE_DNSKEY); 1933 1934 if (n < 0 || (size_t)n >= sizeof(rdata_buf)) { 1935 log_warnx("trust anchor buffer to small"); 1936 resolver_imsg_compose_frontend(IMSG_NEW_TAS_ABORT, 0, 1937 NULL, 0); 1938 goto out; 1939 } 1940 1941 memcpy(&dnskey_flags, result->data[i], 2); 1942 dnskey_flags = ntohs(dnskey_flags); 1943 if ((dnskey_flags & LDNS_KEY_SEP_KEY) && !(dnskey_flags & 1944 LDNS_KEY_REVOKE_KEY)) { 1945 asprintf(&ta, ".\t%d\tIN\tDNSKEY\t%s", ROOT_DNSKEY_TTL, 1946 rdata_buf); 1947 resolver_imsg_compose_frontend(IMSG_NEW_TA, 0, ta, 1948 strlen(ta) + 1); 1949 tas++; 1950 free(ta); 1951 } 1952 i++; 1953 } 1954 if (tas > 0) { 1955 resolver_imsg_compose_frontend(IMSG_NEW_TAS_DONE, 0, NULL, 0); 1956 tv.tv_sec = TRUST_ANCHOR_QUERY_INTERVAL; 1957 } 1958 out: 1959 sldns_buffer_free(buf); 1960 regional_destroy(region); 1961 ub_resolve_free(result); 1962 evtimer_add(&trust_anchor_timer, &tv); 1963 } 1964 1965 void 1966 replace_autoconf_forwarders(struct imsg_rdns_proposal *rdns_proposal) 1967 { 1968 struct uw_forwarder_head new_forwarder_list; 1969 struct uw_forwarder *uw_forwarder, *tmp; 1970 int i, rdns_count, af, changed = 0; 1971 char ntopbuf[INET6_ADDRSTRLEN], *src; 1972 const char *ns; 1973 1974 TAILQ_INIT(&new_forwarder_list); 1975 af = rdns_proposal->rtdns.sr_family; 1976 src = rdns_proposal->rtdns.sr_dns; 1977 1978 switch (af) { 1979 case AF_INET: 1980 rdns_count = (rdns_proposal->rtdns.sr_len - 1981 offsetof(struct sockaddr_rtdns, sr_dns)) / 1982 sizeof(struct in_addr); 1983 break; 1984 case AF_INET6: 1985 rdns_count = (rdns_proposal->rtdns.sr_len - 1986 offsetof(struct sockaddr_rtdns, sr_dns)) / 1987 sizeof(struct in6_addr); 1988 break; 1989 default: 1990 log_warnx("%s: unsupported address family: %d", __func__, af); 1991 return; 1992 } 1993 1994 for (i = 0; i < rdns_count; i++) { 1995 struct in_addr addr4; 1996 struct in6_addr addr6; 1997 1998 switch (af) { 1999 case AF_INET: 2000 memcpy(&addr4, src, sizeof(struct in_addr)); 2001 src += sizeof(struct in_addr); 2002 if (addr4.s_addr == INADDR_LOOPBACK) 2003 continue; 2004 ns = inet_ntop(af, &addr4, ntopbuf, 2005 INET6_ADDRSTRLEN); 2006 break; 2007 case AF_INET6: 2008 memcpy(&addr6, src, sizeof(struct in6_addr)); 2009 src += sizeof(struct in6_addr); 2010 if (IN6_IS_ADDR_LOOPBACK(&addr6)) 2011 continue; 2012 ns = inet_ntop(af, &addr6, ntopbuf, 2013 INET6_ADDRSTRLEN); 2014 } 2015 2016 if ((uw_forwarder = calloc(1, sizeof(struct uw_forwarder))) == 2017 NULL) 2018 fatal(NULL); 2019 if (strlcpy(uw_forwarder->ip, ns, sizeof(uw_forwarder->ip)) 2020 >= sizeof(uw_forwarder->ip)) 2021 fatalx("strlcpy"); 2022 uw_forwarder->port = 53; 2023 uw_forwarder->if_index = rdns_proposal->if_index; 2024 uw_forwarder->src = rdns_proposal->src; 2025 TAILQ_INSERT_TAIL(&new_forwarder_list, uw_forwarder, entry); 2026 } 2027 2028 TAILQ_FOREACH(tmp, &autoconf_forwarder_list, entry) { 2029 /* 2030 * if_index of zero signals to clear all proposals 2031 * src of zero signals interface gone 2032 */ 2033 if ((rdns_proposal->src == 0 || rdns_proposal->src == 2034 tmp->src) && (rdns_proposal->if_index == 0 || 2035 rdns_proposal->if_index == tmp->if_index)) 2036 continue; 2037 if ((uw_forwarder = calloc(1, sizeof(struct uw_forwarder))) == 2038 NULL) 2039 fatal(NULL); 2040 if (strlcpy(uw_forwarder->ip, tmp->ip, 2041 sizeof(uw_forwarder->ip)) >= sizeof(uw_forwarder->ip)) 2042 fatalx("strlcpy"); 2043 uw_forwarder->port = tmp->port; 2044 uw_forwarder->src = tmp->src; 2045 uw_forwarder->if_index = tmp->if_index; 2046 TAILQ_INSERT_TAIL(&new_forwarder_list, uw_forwarder, entry); 2047 } 2048 2049 changed = check_forwarders_changed(&new_forwarder_list, 2050 &autoconf_forwarder_list); 2051 2052 if (changed) { 2053 replace_forwarders(&new_forwarder_list, 2054 &autoconf_forwarder_list); 2055 new_resolver(UW_RES_ASR, UNKNOWN); 2056 new_resolver(UW_RES_DHCP, UNKNOWN); 2057 new_resolver(UW_RES_ODOT_DHCP, UNKNOWN); 2058 } else { 2059 while ((tmp = TAILQ_FIRST(&new_forwarder_list)) != NULL) { 2060 TAILQ_REMOVE(&new_forwarder_list, tmp, entry); 2061 free(tmp); 2062 } 2063 } 2064 } 2065 2066 int 2067 force_tree_cmp(struct force_tree_entry *a, struct force_tree_entry *b) 2068 { 2069 return strcasecmp(a->domain, b->domain); 2070 } 2071 2072 int 2073 find_force(struct force_tree *tree, char *qname, struct uw_resolver **res) 2074 { 2075 struct force_tree_entry *n, e; 2076 char *p; 2077 2078 if (res) 2079 *res = NULL; 2080 if (RB_EMPTY(tree)) 2081 return 0; 2082 2083 p = qname; 2084 do { 2085 if (strlcpy(e.domain, p, sizeof(e.domain)) >= sizeof(e.domain)) 2086 fatal("qname too large"); 2087 n = RB_FIND(force_tree, tree, &e); 2088 if (n != NULL) { 2089 log_debug("%s: %s -> %s[%s]", __func__, qname, p, 2090 uw_resolver_type_str[n->type]); 2091 if (res) 2092 *res = resolvers[n->type]; 2093 return n->acceptbogus; 2094 } 2095 if (*p == '.') 2096 p++; 2097 p = strchr(p, '.'); 2098 if (p != NULL && p[1] != '\0') 2099 p++; 2100 } while (p != NULL); 2101 return 0; 2102 2103 } 2104 2105 int64_t 2106 histogram_median(int64_t *histogram) 2107 { 2108 size_t i; 2109 int64_t sample_count = 0, running_count = 0; 2110 2111 /* skip first bucket, it contains cache hits */ 2112 for (i = 1; i < nitems(histogram_limits); i++) 2113 sample_count += histogram[i]; 2114 2115 if (sample_count == 0) 2116 return 0; 2117 2118 for (i = 1; i < nitems(histogram_limits); i++) { 2119 running_count += histogram[i]; 2120 if (running_count >= sample_count / 2) 2121 break; 2122 } 2123 2124 if (i >= nitems(histogram_limits) - 1) 2125 return INT64_MAX; 2126 return (histogram_limits[i - 1] + histogram_limits[i]) / 2; 2127 } 2128 2129 void 2130 decay_latest_histograms(int fd, short events, void *arg) 2131 { 2132 enum uw_resolver_type i; 2133 size_t j; 2134 struct uw_resolver *res; 2135 struct timeval tv = {DECAY_PERIOD, 0}; 2136 2137 for (i = 0; i < UW_RES_NONE; i++) { 2138 res = resolvers[i]; 2139 if (res == NULL) 2140 continue; 2141 for (j = 0; j < nitems(res->latest_histogram); j++) 2142 /* multiply then divide, avoiding truncating to 0 */ 2143 res->latest_histogram[j] = res->latest_histogram[j] * 2144 DECAY_NOMINATOR / DECAY_DENOMINATOR; 2145 res->median = histogram_median(res->latest_histogram); 2146 } 2147 evtimer_add(&decay_timer, &tv); 2148 } 2149 2150 int 2151 running_query_cnt(void) 2152 { 2153 struct running_query *e; 2154 int cnt = 0; 2155 2156 TAILQ_FOREACH(e, &running_queries, entry) 2157 cnt++; 2158 return cnt; 2159 } 2160 2161 int * 2162 resolvers_to_restart(struct uw_conf *oconf, struct uw_conf *nconf) 2163 { 2164 static int restart[UW_RES_NONE]; 2165 int o_enabled[UW_RES_NONE]; 2166 int n_enabled[UW_RES_NONE]; 2167 int i; 2168 2169 memset(&restart, 0, sizeof(restart)); 2170 if (check_forwarders_changed(&oconf->uw_forwarder_list, 2171 &nconf->uw_forwarder_list)) { 2172 restart[UW_RES_FORWARDER] = 1; 2173 restart[UW_RES_ODOT_FORWARDER] = 1; 2174 } 2175 if (check_forwarders_changed(&oconf->uw_dot_forwarder_list, 2176 &nconf->uw_dot_forwarder_list)) { 2177 restart[UW_RES_DOT] = 1; 2178 } 2179 memset(o_enabled, 0, sizeof(o_enabled)); 2180 memset(n_enabled, 0, sizeof(n_enabled)); 2181 for (i = 0; i < oconf->res_pref.len; i++) 2182 o_enabled[oconf->res_pref.types[i]] = 1; 2183 2184 for (i = 0; i < nconf->res_pref.len; i++) 2185 n_enabled[nconf->res_pref.types[i]] = 1; 2186 2187 for (i = 0; i < UW_RES_NONE; i++) { 2188 if (n_enabled[i] != o_enabled[i]) 2189 restart[i] = 1; 2190 } 2191 return restart; 2192 } 2193 2194 const char * 2195 query_imsg2str(struct query_imsg *query_imsg) 2196 { 2197 static char buf[sizeof(query_imsg->qname) + 1 + 16 + 1 + 16]; 2198 char qclass_buf[16]; 2199 char qtype_buf[16]; 2200 2201 sldns_wire2str_class_buf(query_imsg->c, qclass_buf, sizeof(qclass_buf)); 2202 sldns_wire2str_type_buf(query_imsg->t, qtype_buf, sizeof(qtype_buf)); 2203 2204 snprintf(buf, sizeof(buf), "%s %s %s", query_imsg->qname, qclass_buf, 2205 qtype_buf); 2206 return buf; 2207 } 2208 2209 char * 2210 gen_resolv_conf() 2211 { 2212 struct uw_forwarder *uw_forwarder; 2213 char *resolv_conf = NULL, *tmp = NULL; 2214 2215 TAILQ_FOREACH(uw_forwarder, &autoconf_forwarder_list, entry) { 2216 tmp = resolv_conf; 2217 if (asprintf(&resolv_conf, "%snameserver %s\n", tmp == 2218 NULL ? "" : tmp, uw_forwarder->ip) == -1) { 2219 free(tmp); 2220 return (NULL); 2221 } 2222 free(tmp); 2223 } 2224 return resolv_conf; 2225 } 2226 2227 void 2228 check_dns64(void) 2229 { 2230 struct asr_query *aq = NULL; 2231 char *resolv_conf; 2232 void *asr_ctx; 2233 2234 if (TAILQ_EMPTY(&autoconf_forwarder_list)) 2235 return; 2236 2237 if ((resolv_conf = gen_resolv_conf()) == NULL) { 2238 log_warnx("could not create asr context"); 2239 return; 2240 } 2241 2242 if ((asr_ctx = asr_resolver_from_string(resolv_conf)) != NULL) { 2243 if ((aq = res_query_async("ipv4only.arpa", LDNS_RR_CLASS_IN, 2244 LDNS_RR_TYPE_AAAA, asr_ctx)) == NULL) { 2245 log_warn("%s: res_query_async", __func__); 2246 asr_resolver_free(asr_ctx); 2247 } 2248 if (event_asr_run(aq, check_dns64_done, asr_ctx) == NULL) { 2249 log_warn("%s: event_asr_run", __func__); 2250 free(aq); 2251 asr_resolver_free(asr_ctx); 2252 } 2253 } else 2254 log_warnx("%s: could not create asr context", __func__); 2255 2256 free(resolv_conf); 2257 } 2258 2259 void 2260 check_dns64_done(struct asr_result *ar, void *arg) 2261 { 2262 /* RFC 7050: ipv4only.arpa resolves to 192.0.0.170 and 192.9.0.171 */ 2263 const uint8_t wka1[] = {192, 0, 0, 170}; 2264 const uint8_t wka2[] = {192, 0, 0, 171}; 2265 struct query_info skip, qinfo; 2266 struct reply_info *rinfo = NULL; 2267 struct regional *region = NULL; 2268 struct sldns_buffer *buf = NULL; 2269 struct ub_packed_rrset_key *an_rrset = NULL; 2270 struct packed_rrset_data *an_rrset_data; 2271 struct alloc_cache alloc; 2272 struct edns_data edns; 2273 struct dns64_prefix *prefixes = NULL; 2274 size_t i; 2275 int preflen, count = 0; 2276 void *asr_ctx = arg; 2277 2278 memset(&qinfo, 0, sizeof(qinfo)); 2279 alloc_init(&alloc, NULL, 0); 2280 2281 if (ar->ar_datalen < LDNS_HEADER_SIZE) { 2282 log_warnx("%s: bad packet: too short: %d", __func__, 2283 ar->ar_datalen); 2284 goto out; 2285 } 2286 2287 if (ar->ar_datalen > UINT16_MAX) { 2288 log_warnx("%s: bad packet: too large: %d", __func__, 2289 ar->ar_datalen); 2290 goto out; 2291 } 2292 2293 if (ar->ar_rcode == LDNS_RCODE_NXDOMAIN) { 2294 /* XXX this means that the dhcp resolver is broken */ 2295 log_debug("%s: NXDOMAIN", __func__); 2296 goto out; 2297 } 2298 2299 if ((buf = sldns_buffer_new(ar->ar_datalen)) == NULL) 2300 goto out; 2301 2302 if ((region = regional_create()) == NULL) 2303 goto out; 2304 2305 sldns_buffer_write(buf, ar->ar_data, ar->ar_datalen); 2306 sldns_buffer_flip(buf); 2307 2308 /* read past query section, no memory is allocated */ 2309 if (!query_info_parse(&skip, buf)) 2310 goto out; 2311 2312 if (reply_info_parse(buf, &alloc, &qinfo, &rinfo, region, &edns) != 0) 2313 goto out; 2314 2315 if ((an_rrset = reply_find_answer_rrset(&qinfo, rinfo)) == NULL) 2316 goto out; 2317 2318 an_rrset_data = (struct packed_rrset_data*)an_rrset->entry.data; 2319 2320 prefixes = calloc(an_rrset_data->count, sizeof(struct dns64_prefix)); 2321 if (prefixes == NULL) 2322 goto out; 2323 2324 for (i = 0; i < an_rrset_data->count; i++) { 2325 struct in6_addr in6; 2326 2327 /* check for AAAA record */ 2328 if (an_rrset_data->rr_len[i] != 18) /* 2 + 128/8 */ 2329 continue; 2330 if (an_rrset_data->rr_data[i][0] != 0 && 2331 an_rrset_data->rr_data[i][1] != 16) 2332 continue; 2333 2334 memcpy(&in6, &an_rrset_data->rr_data[i][2], 2335 sizeof(in6)); 2336 if ((preflen = dns64_prefixlen(&in6, wka1)) != -1) 2337 add_dns64_prefix(&in6, preflen, prefixes, 2338 an_rrset_data->count, WKA1_FOUND); 2339 if ((preflen = dns64_prefixlen(&in6, wka2)) != -1) 2340 add_dns64_prefix(&in6, preflen, prefixes, 2341 an_rrset_data->count, WKA2_FOUND); 2342 } 2343 2344 for (i = 0; i < an_rrset_data->count && prefixes[i].flags != 0; i++) 2345 if ((prefixes[i].flags & (WKA1_FOUND | WKA2_FOUND)) == 2346 (WKA1_FOUND | WKA2_FOUND)) 2347 count++; 2348 2349 dns64_present = count > 0; 2350 2351 if (dns64_present) { 2352 /* downgrade DHCP resolvers, DNS64 breaks DNSSEC */ 2353 if (resolvers[UW_RES_DHCP] != NULL && 2354 resolvers[UW_RES_DHCP]->state == VALIDATING) 2355 new_resolver(UW_RES_DHCP, RESOLVING); 2356 if (resolvers[UW_RES_ODOT_DHCP] != NULL && 2357 resolvers[UW_RES_ODOT_DHCP]->state == VALIDATING) 2358 new_resolver(UW_RES_ODOT_DHCP, RESOLVING); 2359 } 2360 2361 resolver_imsg_compose_frontend(IMSG_NEW_DNS64_PREFIXES_START, 0, 2362 &count, sizeof(count)); 2363 for (i = 0; i < an_rrset_data->count && prefixes[i].flags != 0; i++) { 2364 if ((prefixes[i].flags & (WKA1_FOUND | WKA2_FOUND)) == 2365 (WKA1_FOUND | WKA2_FOUND)) { 2366 resolver_imsg_compose_frontend(IMSG_NEW_DNS64_PREFIX, 2367 0, &prefixes[i], sizeof(struct dns64_prefix)); 2368 } 2369 } 2370 resolver_imsg_compose_frontend(IMSG_NEW_DNS64_PREFIXES_DONE, 0, NULL, 2371 0); 2372 out: 2373 free(prefixes); 2374 query_info_clear(&qinfo); 2375 reply_info_parsedelete(rinfo, &alloc); 2376 alloc_clear(&alloc); 2377 regional_destroy(region); 2378 sldns_buffer_free(buf); 2379 free(ar->ar_data); 2380 asr_resolver_free(asr_ctx); 2381 } 2382 2383 int 2384 dns64_prefixlen(const struct in6_addr *in6, const uint8_t *wka) 2385 { 2386 /* RFC 6052, 2.2 */ 2387 static const int possible_prefixes[] = {32, 40, 48, 56, 64, 96}; 2388 size_t i, j; 2389 int found, pos; 2390 2391 for (i = 0; i < nitems(possible_prefixes); i++) { 2392 pos = possible_prefixes[i] / 8; 2393 found = 1; 2394 for (j = 0; j < 4 && found; j++, pos++) { 2395 if (pos == 8) { 2396 if (in6->s6_addr[pos] != 0) 2397 found = 0; 2398 pos++; 2399 } 2400 if (in6->s6_addr[pos] != wka[j]) 2401 found = 0; 2402 } 2403 if (found) 2404 return possible_prefixes[i]; 2405 } 2406 return -1; 2407 } 2408 2409 void 2410 add_dns64_prefix(const struct in6_addr *in6, int prefixlen, 2411 struct dns64_prefix *prefixes, int prefixes_size, int flag) 2412 { 2413 struct in6_addr tmp; 2414 int i; 2415 2416 tmp = *in6; 2417 2418 for(i = prefixlen / 8; i < 16; i++) 2419 tmp.s6_addr[i] = 0; 2420 2421 for (i = 0; i < prefixes_size; i++) { 2422 if (prefixes[i].flags == 0) { 2423 prefixes[i].in6 = tmp; 2424 prefixes[i].prefixlen = prefixlen; 2425 prefixes[i].flags |= flag; 2426 break; 2427 } else if (prefixes[i].prefixlen == prefixlen && 2428 memcmp(&prefixes[i].in6, &tmp, sizeof(tmp)) == 0) { 2429 prefixes[i].flags |= flag; 2430 break; 2431 } 2432 } 2433 } 2434