1 /* $OpenBSD: resolver.c,v 1.153 2021/11/16 16:45:23 kn Exp $ */ 2 3 4 /* 5 * Copyright (c) 2018 Florian Obser <florian@openbsd.org> 6 * Copyright (c) 2004, 2005 Claudio Jeker <claudio@openbsd.org> 7 * Copyright (c) 2004 Esben Norby <norby@openbsd.org> 8 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 9 * 10 * Permission to use, copy, modify, and distribute this software for any 11 * purpose with or without fee is hereby granted, provided that the above 12 * copyright notice and this permission notice appear in all copies. 13 * 14 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 15 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 16 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 17 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 18 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 19 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 20 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 21 */ 22 23 #include <sys/types.h> 24 #include <sys/queue.h> 25 #include <sys/socket.h> 26 #include <sys/syslog.h> 27 #include <sys/time.h> 28 29 #include <net/route.h> 30 31 #include <errno.h> 32 #include <event.h> 33 #include <imsg.h> 34 #include <limits.h> 35 #include <netdb.h> 36 #include <asr.h> 37 #include <pwd.h> 38 #include <signal.h> 39 #include <stdio.h> 40 #include <stdlib.h> 41 #include <string.h> 42 #include <time.h> 43 #include <tls.h> 44 #include <unistd.h> 45 46 #include "libunbound/config.h" 47 #include "libunbound/libunbound/context.h" 48 #include "libunbound/libunbound/libworker.h" 49 #include "libunbound/libunbound/unbound.h" 50 #include "libunbound/libunbound/unbound-event.h" 51 #include "libunbound/services/cache/rrset.h" 52 #include "libunbound/sldns/sbuffer.h" 53 #include "libunbound/sldns/rrdef.h" 54 #include "libunbound/sldns/pkthdr.h" 55 #include "libunbound/sldns/wire2str.h" 56 #include "libunbound/util/config_file.h" 57 #include "libunbound/util/module.h" 58 #include "libunbound/util/regional.h" 59 #include "libunbound/util/storage/slabhash.h" 60 #include "libunbound/validator/validator.h" 61 #include "libunbound/validator/val_kcache.h" 62 #include "libunbound/validator/val_neg.h" 63 64 #include <openssl/crypto.h> 65 66 #include "log.h" 67 #include "frontend.h" 68 #include "unwind.h" 69 #include "resolver.h" 70 71 #define TLS_DEFAULT_CA_CERT_FILE "/etc/ssl/cert.pem" 72 #define UB_LOG_VERBOSE 4 73 #define UB_LOG_BRIEF 0 74 75 /* maximum size of a libunbound forwarder definition: IP@PORT#AUTHNAME */ 76 #define FWD_MAX (INET6_ADDRSTRLEN + NI_MAXHOST + 2 + 5) 77 78 /* 79 * The prefered resolver type can be this many ms slower than the next 80 * best and still be picked 81 */ 82 #define PREF_RESOLVER_MEDIAN_SKEW 200 /* 200 ms */ 83 #define NEXT_RES_MAX 2000 /* 2000 ms */ 84 85 #define DOUBT_NXDOMAIN_SEC (5 * 60) /* 5 minutes */ 86 87 #define RESOLVER_CHECK_SEC 1 88 #define RESOLVER_CHECK_MAXSEC 1024 /* ~17 minutes */ 89 #define DECAY_PERIOD 60 90 #define DECAY_NOMINATOR 9 91 #define DECAY_DENOMINATOR 10 92 93 #define TRUST_ANCHOR_RETRY_INTERVAL 8640 94 #define TRUST_ANCHOR_QUERY_INTERVAL 43200 95 96 /* in libworker_event_done_cb() enum sec_status gets mapped to 0, 1 and 2 */ 97 #define INSECURE 0 98 #define BOGUS 1 99 #define SECURE 2 100 101 #define WKA1_FOUND 1 102 #define WKA2_FOUND 2 103 104 struct uw_resolver { 105 struct event check_ev; 106 struct event free_ev; 107 struct ub_ctx *ctx; 108 void *asr_ctx; 109 struct timeval check_tv; 110 int ref_cnt; 111 int stop; 112 enum uw_resolver_state state; 113 enum uw_resolver_type type; 114 int check_running; 115 int64_t median; 116 int64_t histogram[nitems(histogram_limits)]; 117 int64_t latest_histogram[nitems(histogram_limits)]; 118 }; 119 120 struct running_query { 121 TAILQ_ENTRY(running_query) entry; 122 struct query_imsg *query_imsg; 123 struct event timer_ev; 124 struct timespec tp; 125 struct resolver_preference res_pref; 126 int next_resolver; 127 int running; 128 }; 129 130 TAILQ_HEAD(, running_query) running_queries; 131 132 typedef void (*resolve_cb_t)(struct uw_resolver *, void *, int, void *, int, 133 int, char *); 134 135 struct resolver_cb_data { 136 resolve_cb_t cb; 137 void *data; 138 struct uw_resolver *res; 139 }; 140 141 __dead void resolver_shutdown(void); 142 void resolver_sig_handler(int sig, short, void *); 143 void resolver_dispatch_frontend(int, short, void *); 144 void resolver_dispatch_main(int, short, void *); 145 int sort_resolver_types(struct resolver_preference *); 146 void setup_query(struct query_imsg *); 147 struct running_query *find_running_query(uint64_t); 148 void try_resolver_timo(int, short, void *); 149 int try_next_resolver(struct running_query *); 150 151 int resolve(struct uw_resolver *, const char*, int, int, 152 void*, resolve_cb_t); 153 void resolve_done(struct uw_resolver *, void *, int, void *, 154 int, int, char *); 155 void ub_resolve_done(void *, int, void *, int, int, char *, 156 int); 157 void asr_resolve_done(struct asr_result *, void *); 158 void new_resolver(enum uw_resolver_type, 159 enum uw_resolver_state); 160 struct uw_resolver *create_resolver(enum uw_resolver_type); 161 void setup_unified_caches(void); 162 void set_unified_cache(struct uw_resolver *); 163 void free_resolver(struct uw_resolver *); 164 void set_forwarders(struct uw_resolver *, 165 struct uw_forwarder_head *, int); 166 void resolver_check_timo(int, short, void *); 167 void resolver_free_timo(int, short, void *); 168 void check_resolver(struct uw_resolver *); 169 void check_resolver_done(struct uw_resolver *, void *, int, 170 void *, int, int, char *); 171 void schedule_recheck_all_resolvers(void); 172 int check_forwarders_changed(struct uw_forwarder_head *, 173 struct uw_forwarder_head *); 174 void replace_forwarders(struct uw_forwarder_head *, 175 struct uw_forwarder_head *); 176 void resolver_ref(struct uw_resolver *); 177 void resolver_unref(struct uw_resolver *); 178 int resolver_cmp(const void *, const void *); 179 void restart_ub_resolvers(int); 180 void show_status(pid_t); 181 void show_autoconf(pid_t); 182 void show_mem(pid_t); 183 void send_resolver_info(struct uw_resolver *, pid_t); 184 void send_detailed_resolver_info(struct uw_resolver *, 185 pid_t); 186 void trust_anchor_resolve(void); 187 void trust_anchor_timo(int, short, void *); 188 void trust_anchor_resolve_done(struct uw_resolver *, void *, 189 int, void *, int, int, char *); 190 void replace_autoconf_forwarders(struct 191 imsg_rdns_proposal *); 192 int force_tree_cmp(struct force_tree_entry *, 193 struct force_tree_entry *); 194 int find_force(struct force_tree *, char *, 195 struct uw_resolver **); 196 int64_t histogram_median(int64_t *); 197 void decay_latest_histograms(int, short, void *); 198 int running_query_cnt(void); 199 int *resolvers_to_restart(struct uw_conf *, 200 struct uw_conf *); 201 const char *query_imsg2str(struct query_imsg *); 202 char *gen_resolv_conf(void); 203 void check_dns64(void); 204 void check_dns64_done(struct asr_result *, void *); 205 int dns64_prefixlen(const struct in6_addr *, 206 const uint8_t *); 207 void add_dns64_prefix(const struct in6_addr *, int, 208 struct dns64_prefix *, int, int); 209 210 struct uw_conf *resolver_conf; 211 static struct imsgev *iev_frontend; 212 static struct imsgev *iev_main; 213 struct uw_forwarder_head autoconf_forwarder_list; 214 struct uw_resolver *resolvers[UW_RES_NONE]; 215 struct timespec last_network_change; 216 217 struct event trust_anchor_timer; 218 struct event decay_timer; 219 220 static struct trust_anchor_head trust_anchors, new_trust_anchors; 221 222 struct event_base *ev_base; 223 224 RB_GENERATE(force_tree, force_tree_entry, entry, force_tree_cmp) 225 226 int val_id = -1; 227 struct slabhash *unified_msg_cache; 228 struct rrset_cache *unified_rrset_cache; 229 struct key_cache *unified_key_cache; 230 struct val_neg_cache *unified_neg_cache; 231 232 int dns64_present; 233 int available_afs = HAVE_IPV4 | HAVE_IPV6; 234 235 static const char * const as112_zones[] = { 236 /* RFC1918 */ 237 "10.in-addr.arpa. transparent", 238 "16.172.in-addr.arpa. transparent", 239 "31.172.in-addr.arpa. transparent", 240 "168.192.in-addr.arpa. transparent", 241 242 /* RFC3330 */ 243 "0.in-addr.arpa. transparent", 244 "254.169.in-addr.arpa. transparent", 245 "2.0.192.in-addr.arpa. transparent", 246 "100.51.198.in-addr.arpa. transparent", 247 "113.0.203.in-addr.arpa. transparent", 248 "255.255.255.255.in-addr.arpa. transparent", 249 250 /* RFC6598 */ 251 "64.100.in-addr.arpa. transparent", 252 "65.100.in-addr.arpa. transparent", 253 "66.100.in-addr.arpa. transparent", 254 "67.100.in-addr.arpa. transparent", 255 "68.100.in-addr.arpa. transparent", 256 "69.100.in-addr.arpa. transparent", 257 "70.100.in-addr.arpa. transparent", 258 "71.100.in-addr.arpa. transparent", 259 "72.100.in-addr.arpa. transparent", 260 "73.100.in-addr.arpa. transparent", 261 "74.100.in-addr.arpa. transparent", 262 "75.100.in-addr.arpa. transparent", 263 "76.100.in-addr.arpa. transparent", 264 "77.100.in-addr.arpa. transparent", 265 "78.100.in-addr.arpa. transparent", 266 "79.100.in-addr.arpa. transparent", 267 "80.100.in-addr.arpa. transparent", 268 "81.100.in-addr.arpa. transparent", 269 "82.100.in-addr.arpa. transparent", 270 "83.100.in-addr.arpa. transparent", 271 "84.100.in-addr.arpa. transparent", 272 "85.100.in-addr.arpa. transparent", 273 "86.100.in-addr.arpa. transparent", 274 "87.100.in-addr.arpa. transparent", 275 "88.100.in-addr.arpa. transparent", 276 "89.100.in-addr.arpa. transparent", 277 "90.100.in-addr.arpa. transparent", 278 "91.100.in-addr.arpa. transparent", 279 "92.100.in-addr.arpa. transparent", 280 "93.100.in-addr.arpa. transparent", 281 "94.100.in-addr.arpa. transparent", 282 "95.100.in-addr.arpa. transparent", 283 "96.100.in-addr.arpa. transparent", 284 "97.100.in-addr.arpa. transparent", 285 "98.100.in-addr.arpa. transparent", 286 "99.100.in-addr.arpa. transparent", 287 "100.100.in-addr.arpa. transparent", 288 "101.100.in-addr.arpa. transparent", 289 "102.100.in-addr.arpa. transparent", 290 "103.100.in-addr.arpa. transparent", 291 "104.100.in-addr.arpa. transparent", 292 "105.100.in-addr.arpa. transparent", 293 "106.100.in-addr.arpa. transparent", 294 "107.100.in-addr.arpa. transparent", 295 "108.100.in-addr.arpa. transparent", 296 "109.100.in-addr.arpa. transparent", 297 "110.100.in-addr.arpa. transparent", 298 "111.100.in-addr.arpa. transparent", 299 "112.100.in-addr.arpa. transparent", 300 "113.100.in-addr.arpa. transparent", 301 "114.100.in-addr.arpa. transparent", 302 "115.100.in-addr.arpa. transparent", 303 "116.100.in-addr.arpa. transparent", 304 "117.100.in-addr.arpa. transparent", 305 "118.100.in-addr.arpa. transparent", 306 "119.100.in-addr.arpa. transparent", 307 "120.100.in-addr.arpa. transparent", 308 "121.100.in-addr.arpa. transparent", 309 "122.100.in-addr.arpa. transparent", 310 "123.100.in-addr.arpa. transparent", 311 "124.100.in-addr.arpa. transparent", 312 "125.100.in-addr.arpa. transparent", 313 "126.100.in-addr.arpa. transparent", 314 "127.100.in-addr.arpa. transparent", 315 316 /* RFC4291 */ 317 "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0." 318 "ip6.arpa. transparent", 319 320 /* RFC4193 */ 321 "D.F.ip6.arpa. transparent", 322 323 /* RFC4291 */ 324 "8.E.F.ip6.arpa. transparent", 325 "9.E.F.ip6.arpa. transparent", 326 "A.E.F.ip6.arpa. transparent", 327 "B.E.F.ip6.arpa. transparent", 328 329 /* RFC3849 */ 330 "8.B.D.0.1.0.0.2.ip6.arpa. transparent" 331 }; 332 333 const char bogus_past[] = "validation failure <. NS IN>: signature " 334 "expired"; 335 const char bogus_future[] = "validation failure <. NS IN>: signature " 336 "before inception date"; 337 338 void 339 resolver_sig_handler(int sig, short event, void *arg) 340 { 341 /* 342 * Normal signal handler rules don't apply because libevent 343 * decouples for us. 344 */ 345 346 switch (sig) { 347 case SIGINT: 348 case SIGTERM: 349 resolver_shutdown(); 350 default: 351 fatalx("unexpected signal"); 352 } 353 } 354 355 void 356 resolver(int debug, int verbose) 357 { 358 struct event ev_sigint, ev_sigterm; 359 struct passwd *pw; 360 struct timeval tv = {DECAY_PERIOD, 0}; 361 struct alloc_cache cache_alloc_test; 362 363 resolver_conf = config_new_empty(); 364 365 log_init(debug, LOG_DAEMON); 366 log_setverbose(verbose); 367 368 if ((pw = getpwnam(UNWIND_USER)) == NULL) 369 fatal("getpwnam"); 370 371 setproctitle("%s", "resolver"); 372 log_procinit("resolver"); 373 374 if (setgroups(1, &pw->pw_gid) || 375 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || 376 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) 377 fatal("can't drop privileges"); 378 379 if (unveil(TLS_DEFAULT_CA_CERT_FILE, "r") == -1) 380 fatal("unveil %s", TLS_DEFAULT_CA_CERT_FILE); 381 382 if (pledge("stdio inet dns rpath recvfd", NULL) == -1) 383 fatal("pledge"); 384 385 ev_base = event_init(); 386 387 /* Setup signal handler(s). */ 388 signal_set(&ev_sigint, SIGINT, resolver_sig_handler, NULL); 389 signal_set(&ev_sigterm, SIGTERM, resolver_sig_handler, NULL); 390 signal_add(&ev_sigint, NULL); 391 signal_add(&ev_sigterm, NULL); 392 signal(SIGPIPE, SIG_IGN); 393 signal(SIGHUP, SIG_IGN); 394 395 /* Setup pipe and event handler to the main process. */ 396 if ((iev_main = malloc(sizeof(struct imsgev))) == NULL) 397 fatal(NULL); 398 399 imsg_init(&iev_main->ibuf, 3); 400 iev_main->handler = resolver_dispatch_main; 401 402 /* Setup event handlers. */ 403 iev_main->events = EV_READ; 404 event_set(&iev_main->ev, iev_main->ibuf.fd, iev_main->events, 405 iev_main->handler, iev_main); 406 event_add(&iev_main->ev, NULL); 407 408 evtimer_set(&trust_anchor_timer, trust_anchor_timo, NULL); 409 evtimer_set(&decay_timer, decay_latest_histograms, NULL); 410 evtimer_add(&decay_timer, &tv); 411 412 clock_gettime(CLOCK_MONOTONIC, &last_network_change); 413 414 alloc_init(&cache_alloc_test, NULL, 0); 415 if (cache_alloc_test.max_reg_blocks != 10) 416 fatalx("local libunbound/util/alloc.c diff lost"); 417 alloc_clear(&cache_alloc_test); 418 419 setup_unified_caches(); 420 421 TAILQ_INIT(&autoconf_forwarder_list); 422 TAILQ_INIT(&trust_anchors); 423 TAILQ_INIT(&new_trust_anchors); 424 TAILQ_INIT(&running_queries); 425 426 event_dispatch(); 427 428 resolver_shutdown(); 429 } 430 431 __dead void 432 resolver_shutdown(void) 433 { 434 /* Close pipes. */ 435 msgbuf_clear(&iev_frontend->ibuf.w); 436 close(iev_frontend->ibuf.fd); 437 msgbuf_clear(&iev_main->ibuf.w); 438 close(iev_main->ibuf.fd); 439 440 config_clear(resolver_conf); 441 442 free(iev_frontend); 443 free(iev_main); 444 445 log_info("resolver exiting"); 446 exit(0); 447 } 448 449 int 450 resolver_imsg_compose_main(int type, pid_t pid, void *data, uint16_t datalen) 451 { 452 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); 453 } 454 455 int 456 resolver_imsg_compose_frontend(int type, pid_t pid, void *data, 457 uint16_t datalen) 458 { 459 return (imsg_compose_event(iev_frontend, type, 0, pid, -1, 460 data, datalen)); 461 } 462 463 void 464 resolver_dispatch_frontend(int fd, short event, void *bula) 465 { 466 struct imsgev *iev = bula; 467 struct imsgbuf *ibuf; 468 struct imsg imsg; 469 struct query_imsg *query_imsg; 470 ssize_t n; 471 int shut = 0, verbose, i, new_available_afs; 472 char *ta; 473 474 ibuf = &iev->ibuf; 475 476 if (event & EV_READ) { 477 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 478 fatal("imsg_read error"); 479 if (n == 0) /* Connection closed. */ 480 shut = 1; 481 } 482 if (event & EV_WRITE) { 483 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 484 fatal("msgbuf_write"); 485 if (n == 0) /* Connection closed. */ 486 shut = 1; 487 } 488 489 for (;;) { 490 if ((n = imsg_get(ibuf, &imsg)) == -1) 491 fatal("%s: imsg_get error", __func__); 492 if (n == 0) /* No more messages. */ 493 break; 494 495 switch (imsg.hdr.type) { 496 case IMSG_CTL_LOG_VERBOSE: 497 if (IMSG_DATA_SIZE(imsg) != sizeof(verbose)) 498 fatalx("%s: IMSG_CTL_LOG_VERBOSE wrong length: " 499 "%lu", __func__, 500 IMSG_DATA_SIZE(imsg)); 501 memcpy(&verbose, imsg.data, sizeof(verbose)); 502 if (log_getdebug() && (log_getverbose() & OPT_VERBOSE3) 503 != (verbose & OPT_VERBOSE3)) 504 restart_ub_resolvers(0); 505 log_setverbose(verbose); 506 break; 507 case IMSG_QUERY: 508 if (IMSG_DATA_SIZE(imsg) != sizeof(*query_imsg)) 509 fatalx("%s: IMSG_QUERY wrong length: %lu", 510 __func__, IMSG_DATA_SIZE(imsg)); 511 if ((query_imsg = malloc(sizeof(*query_imsg))) == 512 NULL) { 513 log_warn("cannot allocate query"); 514 break; 515 } 516 memcpy(query_imsg, imsg.data, sizeof(*query_imsg)); 517 setup_query(query_imsg); 518 break; 519 case IMSG_CTL_STATUS: 520 if (IMSG_DATA_SIZE(imsg) != 0) 521 fatalx("%s: IMSG_CTL_STATUS wrong length: %lu", 522 __func__, IMSG_DATA_SIZE(imsg)); 523 show_status(imsg.hdr.pid); 524 break; 525 case IMSG_CTL_AUTOCONF: 526 if (IMSG_DATA_SIZE(imsg) != 0) 527 fatalx("%s: IMSG_CTL_AUTOCONF wrong length: " 528 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 529 show_autoconf(imsg.hdr.pid); 530 break; 531 case IMSG_CTL_MEM: 532 if (IMSG_DATA_SIZE(imsg) != 0) 533 fatalx("%s: IMSG_CTL_AUTOCONF wrong length: " 534 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 535 show_mem(imsg.hdr.pid); 536 break; 537 case IMSG_NEW_TA: 538 /* make sure this is a string */ 539 ((char *)imsg.data)[IMSG_DATA_SIZE(imsg) - 1] = '\0'; 540 ta = imsg.data; 541 add_new_ta(&new_trust_anchors, ta); 542 break; 543 case IMSG_NEW_TAS_ABORT: 544 free_tas(&new_trust_anchors); 545 break; 546 case IMSG_NEW_TAS_DONE: 547 if (merge_tas(&new_trust_anchors, &trust_anchors)) 548 restart_ub_resolvers(1); 549 break; 550 case IMSG_NETWORK_CHANGED: 551 clock_gettime(CLOCK_MONOTONIC, &last_network_change); 552 schedule_recheck_all_resolvers(); 553 for (i = 0; i < UW_RES_NONE; i++) { 554 if (resolvers[i] == NULL) 555 continue; 556 memset(resolvers[i]->latest_histogram, 0, 557 sizeof(resolvers[i]->latest_histogram)); 558 resolvers[i]->median = histogram_median( 559 resolvers[i]->latest_histogram); 560 } 561 562 break; 563 case IMSG_REPLACE_DNS: 564 if (IMSG_DATA_SIZE(imsg) != 565 sizeof(struct imsg_rdns_proposal)) 566 fatalx("%s: IMSG_ADD_DNS wrong length: %lu", 567 __func__, IMSG_DATA_SIZE(imsg)); 568 replace_autoconf_forwarders((struct 569 imsg_rdns_proposal *)imsg.data); 570 break; 571 case IMSG_CHANGE_AFS: 572 if (IMSG_DATA_SIZE(imsg) != 573 sizeof(new_available_afs)) 574 fatalx("%s: IMSG_CHANGE_AFS wrong length: %lu", 575 __func__, IMSG_DATA_SIZE(imsg)); 576 memcpy(&new_available_afs, imsg.data, 577 sizeof(new_available_afs)); 578 if (new_available_afs != available_afs) { 579 available_afs = new_available_afs; 580 restart_ub_resolvers(1); 581 } 582 break; 583 default: 584 log_debug("%s: unexpected imsg %d", __func__, 585 imsg.hdr.type); 586 break; 587 } 588 imsg_free(&imsg); 589 } 590 if (!shut) 591 imsg_event_add(iev); 592 else { 593 /* This pipe is dead. Remove its event handler. */ 594 event_del(&iev->ev); 595 event_loopexit(NULL); 596 } 597 } 598 599 void 600 resolver_dispatch_main(int fd, short event, void *bula) 601 { 602 static struct uw_conf *nconf; 603 struct imsg imsg; 604 struct imsgev *iev = bula; 605 struct imsgbuf *ibuf; 606 ssize_t n; 607 int shut = 0, i, *restart; 608 609 ibuf = &iev->ibuf; 610 611 if (event & EV_READ) { 612 if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN) 613 fatal("imsg_read error"); 614 if (n == 0) /* Connection closed. */ 615 shut = 1; 616 } 617 if (event & EV_WRITE) { 618 if ((n = msgbuf_write(&ibuf->w)) == -1 && errno != EAGAIN) 619 fatal("msgbuf_write"); 620 if (n == 0) /* Connection closed. */ 621 shut = 1; 622 } 623 624 for (;;) { 625 if ((n = imsg_get(ibuf, &imsg)) == -1) 626 fatal("%s: imsg_get error", __func__); 627 if (n == 0) /* No more messages. */ 628 break; 629 630 switch (imsg.hdr.type) { 631 case IMSG_SOCKET_IPC_FRONTEND: 632 /* 633 * Setup pipe and event handler to the frontend 634 * process. 635 */ 636 if (iev_frontend) 637 fatalx("%s: received unexpected imsg fd " 638 "to resolver", __func__); 639 640 if ((fd = imsg.fd) == -1) 641 fatalx("%s: expected to receive imsg fd to " 642 "resolver but didn't receive any", __func__); 643 644 iev_frontend = malloc(sizeof(struct imsgev)); 645 if (iev_frontend == NULL) 646 fatal(NULL); 647 648 imsg_init(&iev_frontend->ibuf, fd); 649 iev_frontend->handler = resolver_dispatch_frontend; 650 iev_frontend->events = EV_READ; 651 652 event_set(&iev_frontend->ev, iev_frontend->ibuf.fd, 653 iev_frontend->events, iev_frontend->handler, 654 iev_frontend); 655 event_add(&iev_frontend->ev, NULL); 656 break; 657 658 case IMSG_STARTUP: 659 if (pledge("stdio inet dns rpath", NULL) == -1) 660 fatal("pledge"); 661 break; 662 case IMSG_RECONF_CONF: 663 case IMSG_RECONF_BLOCKLIST_FILE: 664 case IMSG_RECONF_FORWARDER: 665 case IMSG_RECONF_DOT_FORWARDER: 666 case IMSG_RECONF_FORCE: 667 imsg_receive_config(&imsg, &nconf); 668 break; 669 case IMSG_RECONF_END: 670 if (nconf == NULL) 671 fatalx("%s: IMSG_RECONF_END without " 672 "IMSG_RECONF_CONF", __func__); 673 restart = resolvers_to_restart(resolver_conf, nconf); 674 merge_config(resolver_conf, nconf); 675 nconf = NULL; 676 for (i = 0; i < UW_RES_NONE; i++) 677 if (restart[i]) 678 new_resolver(i, UNKNOWN); 679 break; 680 default: 681 log_debug("%s: unexpected imsg %d", __func__, 682 imsg.hdr.type); 683 break; 684 } 685 imsg_free(&imsg); 686 } 687 if (!shut) 688 imsg_event_add(iev); 689 else { 690 /* This pipe is dead. Remove its event handler. */ 691 event_del(&iev->ev); 692 event_loopexit(NULL); 693 } 694 } 695 696 int 697 sort_resolver_types(struct resolver_preference *dst) 698 { 699 memcpy(dst, &resolver_conf->res_pref, sizeof(*dst)); 700 701 /* 702 * Sort by resolver quality, validating > resolving etc. 703 * mergesort is stable and keeps the configured preference order 704 */ 705 return mergesort(dst->types, dst->len, sizeof(dst->types[0]), 706 resolver_cmp); 707 } 708 709 void 710 setup_query(struct query_imsg *query_imsg) 711 { 712 struct running_query *rq; 713 struct uw_resolver *res; 714 715 if (find_running_query(query_imsg->id) != NULL) { 716 free(query_imsg); 717 return; 718 } 719 720 if ((rq = calloc(1, sizeof(*rq))) == NULL) { 721 log_warnx(NULL); 722 free(query_imsg); 723 return; 724 } 725 726 clock_gettime(CLOCK_MONOTONIC, &rq->tp); 727 rq->query_imsg = query_imsg; 728 rq->next_resolver = 0; 729 730 find_force(&resolver_conf->force, query_imsg->qname, &res); 731 732 if (res != NULL && res->state != DEAD && res->state != UNKNOWN) { 733 rq->res_pref.len = 1; 734 rq->res_pref.types[0] = res->type; 735 } else if (sort_resolver_types(&rq->res_pref) == -1) { 736 log_warn("mergesort"); 737 free(rq->query_imsg); 738 free(rq); 739 return; 740 } 741 742 evtimer_set(&rq->timer_ev, try_resolver_timo, rq); 743 744 TAILQ_INSERT_TAIL(&running_queries, rq, entry); 745 try_next_resolver(rq); 746 } 747 748 struct running_query * 749 find_running_query(uint64_t id) 750 { 751 struct running_query *rq; 752 753 TAILQ_FOREACH(rq, &running_queries, entry) { 754 if (rq->query_imsg->id == id) 755 return rq; 756 } 757 return NULL; 758 } 759 760 void 761 try_resolver_timo(int fd, short events, void *arg) 762 { 763 struct running_query *rq = arg; 764 765 try_next_resolver(rq); 766 } 767 768 int 769 try_next_resolver(struct running_query *rq) 770 { 771 struct uw_resolver *res = NULL; 772 struct query_imsg *query_imsg = NULL; 773 struct timespec tp, elapsed; 774 struct timeval tv = {0, 0}; 775 int64_t ms; 776 int i; 777 778 while(rq->next_resolver < rq->res_pref.len && 779 ((res = resolvers[rq->res_pref.types[rq->next_resolver]]) == NULL || 780 res->state == DEAD || res->state == UNKNOWN)) 781 rq->next_resolver++; 782 783 if (res == NULL) { 784 evtimer_del(&rq->timer_ev); /* we are not going to find one */ 785 log_debug("%s: could not find (any more) working resolvers", 786 __func__); 787 goto err; 788 } 789 790 rq->next_resolver++; 791 clock_gettime(CLOCK_MONOTONIC, &tp); 792 timespecsub(&tp, &rq->tp, &elapsed); 793 ms = elapsed.tv_sec * 1000 + elapsed.tv_nsec / 1000000; 794 795 log_debug("%s[+%lldms]: %s[%s] %s", __func__, ms, 796 uw_resolver_type_str[res->type], uw_resolver_state_str[res->state], 797 query_imsg2str(rq->query_imsg)); 798 799 if ((query_imsg = malloc(sizeof(*query_imsg))) == NULL) { 800 log_warnx("%s", __func__); 801 goto err; 802 } 803 memcpy(query_imsg, rq->query_imsg, sizeof(*query_imsg)); 804 clock_gettime(CLOCK_MONOTONIC, &query_imsg->tp); 805 806 ms = res->median; 807 if (ms > NEXT_RES_MAX) 808 ms = NEXT_RES_MAX; 809 810 /* skip over unavailable resolvers in preferences */ 811 for (i = 0; i < resolver_conf->res_pref.len && 812 resolvers[resolver_conf->res_pref.types[i]] == NULL; i++) 813 ; 814 if (res->type == resolver_conf->res_pref.types[i]) 815 tv.tv_usec = 1000 * (PREF_RESOLVER_MEDIAN_SKEW + ms); 816 else 817 tv.tv_usec = 1000 * ms; 818 819 while (tv.tv_usec >= 1000000) { 820 tv.tv_sec++; 821 tv.tv_usec -= 1000000; 822 } 823 evtimer_add(&rq->timer_ev, &tv); 824 825 rq->running++; 826 if (resolve(res, query_imsg->qname, query_imsg->t, 827 query_imsg->c, query_imsg, resolve_done) != 0) { 828 rq->running--; 829 goto err; 830 } 831 832 return 0; 833 834 err: 835 free(query_imsg); 836 if (rq->running == 0) { 837 TAILQ_REMOVE(&running_queries, rq, entry); 838 evtimer_del(&rq->timer_ev); 839 free(rq->query_imsg); 840 free(rq); 841 } 842 return 1; 843 } 844 845 int 846 resolve(struct uw_resolver *res, const char* name, int rrtype, int rrclass, 847 void *mydata, resolve_cb_t cb) 848 { 849 struct resolver_cb_data *cb_data = NULL; 850 struct asr_query *aq = NULL; 851 int err; 852 853 resolver_ref(res); 854 855 if ((cb_data = malloc(sizeof(*cb_data))) == NULL) 856 goto err; 857 cb_data->cb = cb; 858 cb_data->data = mydata; 859 cb_data->res = res; 860 861 switch(res->type) { 862 case UW_RES_ASR: 863 if ((aq = res_query_async(name, rrclass, rrtype, res->asr_ctx)) 864 == NULL) { 865 log_warn("%s: res_query_async", __func__); 866 goto err; 867 } 868 if (event_asr_run(aq, asr_resolve_done, cb_data) == NULL) { 869 log_warn("%s: res_query_async", __func__); 870 goto err; 871 } 872 break; 873 case UW_RES_RECURSOR: 874 case UW_RES_AUTOCONF: 875 case UW_RES_ODOT_AUTOCONF: 876 case UW_RES_FORWARDER: 877 case UW_RES_ODOT_FORWARDER: 878 case UW_RES_DOT: 879 if ((err = ub_resolve_event(res->ctx, name, rrtype, rrclass, 880 cb_data, ub_resolve_done, NULL)) != 0) { 881 log_warn("%s: ub_resolve_event: err: %d, %s", __func__, 882 err, ub_strerror(err)); 883 goto err; 884 } 885 break; 886 default: 887 fatalx("unknown resolver type %d", res->type); 888 break; 889 } 890 891 return 0; 892 err: 893 free(cb_data); 894 free(aq); 895 resolver_unref(res); 896 return 1; 897 } 898 899 void 900 resolve_done(struct uw_resolver *res, void *arg, int rcode, 901 void *answer_packet, int answer_len, int sec, char *why_bogus) 902 { 903 struct uw_resolver *tmp_res; 904 struct ub_result *result = NULL; 905 sldns_buffer *buf = NULL; 906 struct regional *region = NULL; 907 struct query_imsg *query_imsg; 908 struct answer_header *answer_header; 909 struct running_query *rq; 910 struct timespec tp, elapsed; 911 int64_t ms; 912 size_t i; 913 int running_res, asr_pref_pos, force_acceptbogus; 914 char *str; 915 char rcode_buf[16]; 916 uint8_t *p, *data; 917 uint8_t answer_imsg[MAX_IMSGSIZE - IMSG_HEADER_SIZE]; 918 919 clock_gettime(CLOCK_MONOTONIC, &tp); 920 921 query_imsg = (struct query_imsg *)arg; 922 923 answer_header = (struct answer_header *)answer_imsg; 924 data = answer_imsg + sizeof(*answer_header); 925 answer_header->id = query_imsg->id; 926 answer_header->srvfail = 0; 927 answer_header->answer_len = 0; 928 929 timespecsub(&tp, &query_imsg->tp, &elapsed); 930 931 ms = elapsed.tv_sec * 1000 + elapsed.tv_nsec / 1000000; 932 933 for (i = 0; i < nitems(histogram_limits); i++) { 934 if (ms < histogram_limits[i]) 935 break; 936 } 937 if (i == nitems(histogram_limits)) 938 log_debug("histogram bucket error"); 939 else { 940 res->histogram[i]++; 941 /* latest_histogram is in units of 1000 to avoid rounding 942 down when decaying */ 943 res->latest_histogram[i] += 1000; 944 res->median = histogram_median(res->latest_histogram); 945 } 946 947 if ((rq = find_running_query(query_imsg->id)) == NULL) 948 goto out; 949 950 running_res = --rq->running; 951 952 if (answer_len < LDNS_HEADER_SIZE) { 953 log_warnx("bad packet: too short"); 954 goto servfail; 955 } 956 957 if (answer_len > UINT16_MAX) { 958 log_warnx("bad packet: too large: %d - %s", answer_len, 959 query_imsg2str(query_imsg)); 960 goto servfail; 961 } 962 answer_header->answer_len = answer_len; 963 964 if (rcode == LDNS_RCODE_SERVFAIL) { 965 if (res->stop != 1) 966 check_resolver(res); 967 goto servfail; 968 } 969 970 if ((result = calloc(1, sizeof(*result))) == NULL) 971 goto servfail; 972 if ((buf = sldns_buffer_new(answer_len)) == NULL) 973 goto servfail; 974 if ((region = regional_create()) == NULL) 975 goto servfail; 976 977 result->rcode = LDNS_RCODE_SERVFAIL; 978 979 sldns_buffer_clear(buf); 980 sldns_buffer_write(buf, answer_packet, answer_len); 981 sldns_buffer_flip(buf); 982 libworker_enter_result(result, buf, region, sec); 983 result->answer_packet = NULL; 984 result->answer_len = 0; 985 986 sldns_wire2str_rcode_buf(result->rcode, rcode_buf, sizeof(rcode_buf)); 987 log_debug("%s[%s]: %s rcode: %s[%d], elapsed: %lldms, running: %d", 988 __func__, uw_resolver_type_str[res->type], 989 query_imsg2str(query_imsg), rcode_buf, result->rcode, ms, 990 running_query_cnt()); 991 992 force_acceptbogus = find_force(&resolver_conf->force, query_imsg->qname, 993 &tmp_res); 994 if (tmp_res != NULL && tmp_res->type != res->type) 995 force_acceptbogus = 0; 996 997 timespecsub(&tp, &last_network_change, &elapsed); 998 if (sec != SECURE && elapsed.tv_sec < DOUBT_NXDOMAIN_SEC && 999 !force_acceptbogus && res->type != UW_RES_ASR && 1000 (result->rcode == LDNS_RCODE_NXDOMAIN || sec == BOGUS)) { 1001 /* 1002 * Doubt NXDOMAIN or BOGUS if we just switched networks, we 1003 * might be behind a captive portal. 1004 */ 1005 log_debug("%s: doubt NXDOMAIN or BOGUS from %s, network change" 1006 " %llds ago", __func__, uw_resolver_type_str[res->type], 1007 elapsed.tv_sec); 1008 1009 /* search for ASR */ 1010 asr_pref_pos = -1; 1011 for (i = 0; i < (size_t)rq->res_pref.len; i++) 1012 if (rq->res_pref.types[i] == UW_RES_ASR) { 1013 asr_pref_pos = i; 1014 break; 1015 } 1016 1017 if (asr_pref_pos != -1 && resolvers[UW_RES_ASR] != NULL) { 1018 /* go to ASR if not yet scheduled */ 1019 if (asr_pref_pos >= rq->next_resolver) { 1020 rq->next_resolver = asr_pref_pos; 1021 try_next_resolver(rq); 1022 } 1023 goto out; 1024 } 1025 log_debug("%s: using NXDOMAIN or BOGUS, couldn't find working " 1026 "ASR", __func__); 1027 } 1028 1029 if (log_getverbose() & OPT_VERBOSE2 && (str = 1030 sldns_wire2str_pkt(answer_packet, answer_len)) != NULL) { 1031 log_debug("%s", str); 1032 free(str); 1033 } 1034 1035 if (result->rcode == LDNS_RCODE_SERVFAIL) 1036 goto servfail; 1037 1038 if (sec == SECURE && res->state != VALIDATING && res->stop != -1) 1039 check_resolver(res); 1040 1041 if (res->state == VALIDATING && sec == BOGUS) { 1042 answer_header->bogus = !force_acceptbogus; 1043 if (answer_header->bogus && why_bogus != NULL) 1044 log_warnx("%s", why_bogus); 1045 } else 1046 answer_header->bogus = 0; 1047 1048 p = answer_packet; 1049 do { 1050 int len; 1051 1052 if ((size_t)answer_len > sizeof(answer_imsg) - 1053 sizeof(*answer_header)) 1054 len = sizeof(answer_imsg) - sizeof(*answer_header); 1055 else 1056 len = answer_len; 1057 memcpy(data, p, len); 1058 if (resolver_imsg_compose_frontend(IMSG_ANSWER, 0, 1059 &answer_imsg, sizeof(*answer_header) + len) == -1) 1060 fatalx("IMSG_ANSWER failed for \"%s\"", 1061 query_imsg2str(query_imsg)); 1062 answer_len -= len; 1063 p += len; 1064 } while (answer_len > 0); 1065 1066 TAILQ_REMOVE(&running_queries, rq, entry); 1067 evtimer_del(&rq->timer_ev); 1068 free(rq->query_imsg); 1069 free(rq); 1070 goto out; 1071 1072 servfail: 1073 /* try_next_resolver() might free rq */ 1074 if (try_next_resolver(rq) != 0 && running_res == 0) { 1075 /* we are the last one, send SERVFAIL */ 1076 answer_header->srvfail = 1; 1077 resolver_imsg_compose_frontend(IMSG_ANSWER, 0, 1078 answer_imsg, sizeof(*answer_header)); 1079 } 1080 out: 1081 free(query_imsg); 1082 sldns_buffer_free(buf); 1083 regional_destroy(region); 1084 ub_resolve_free(result); 1085 } 1086 1087 void 1088 new_resolver(enum uw_resolver_type type, enum uw_resolver_state state) 1089 { 1090 free_resolver(resolvers[type]); 1091 resolvers[type] = NULL; 1092 1093 if (!resolver_conf->enabled_resolvers[type]) 1094 return; 1095 1096 switch (type) { 1097 case UW_RES_ASR: 1098 case UW_RES_AUTOCONF: 1099 case UW_RES_ODOT_AUTOCONF: 1100 if (TAILQ_EMPTY(&autoconf_forwarder_list)) 1101 return; 1102 break; 1103 case UW_RES_RECURSOR: 1104 break; 1105 case UW_RES_FORWARDER: 1106 case UW_RES_ODOT_FORWARDER: 1107 if (TAILQ_EMPTY(&resolver_conf->uw_forwarder_list)) 1108 return; 1109 break; 1110 case UW_RES_DOT: 1111 if (TAILQ_EMPTY(&resolver_conf->uw_dot_forwarder_list)) 1112 return; 1113 break; 1114 case UW_RES_NONE: 1115 fatalx("cannot create UW_RES_NONE resolver"); 1116 } 1117 1118 switch (type) { 1119 case UW_RES_RECURSOR: 1120 case UW_RES_AUTOCONF: 1121 case UW_RES_ODOT_AUTOCONF: 1122 case UW_RES_FORWARDER: 1123 case UW_RES_ODOT_FORWARDER: 1124 case UW_RES_DOT: 1125 if (TAILQ_EMPTY(&trust_anchors)) 1126 return; 1127 break; 1128 case UW_RES_ASR: 1129 break; 1130 case UW_RES_NONE: 1131 fatalx("cannot create UW_RES_NONE resolver"); 1132 } 1133 1134 if ((resolvers[type] = create_resolver(type)) == NULL) 1135 return; 1136 1137 switch (state) { 1138 case DEAD: 1139 case UNKNOWN: 1140 check_resolver(resolvers[type]); 1141 break; 1142 case VALIDATING: 1143 set_unified_cache(resolvers[type]); 1144 /* FALLTHROUGH */ 1145 case RESOLVING: 1146 resolvers[type]->state = state; 1147 if (type == UW_RES_ASR) 1148 check_dns64(); 1149 break; 1150 } 1151 } 1152 1153 void 1154 set_unified_cache(struct uw_resolver *res) 1155 { 1156 if (res == NULL || res->ctx == NULL) 1157 return; 1158 1159 if (res->ctx->env->msg_cache != NULL) { 1160 /* XXX we are currently not using this */ 1161 if (res->ctx->env->msg_cache != unified_msg_cache || 1162 res->ctx->env->rrset_cache != unified_rrset_cache || 1163 res->ctx->env->key_cache != unified_key_cache || 1164 res->ctx->env->neg_cache != unified_neg_cache) 1165 fatalx("wrong unified cache set on resolver"); 1166 else 1167 /* we are upgrading from UNKNOWN back to VALIDATING */ 1168 return; 1169 } 1170 1171 res->ctx->env->msg_cache = unified_msg_cache; 1172 res->ctx->env->rrset_cache = unified_rrset_cache; 1173 res->ctx->env->key_cache = unified_key_cache; 1174 res->ctx->env->neg_cache = unified_neg_cache; 1175 1176 context_finalize(res->ctx); 1177 1178 if (res->ctx->env->msg_cache != unified_msg_cache || 1179 res->ctx->env->rrset_cache != unified_rrset_cache || 1180 res->ctx->env->key_cache != unified_key_cache || 1181 res->ctx->env->neg_cache != unified_neg_cache) 1182 fatalx("failed to set unified caches, libunbound/validator/" 1183 "validator.c diff lost"); 1184 } 1185 1186 static const struct { 1187 const char *name; 1188 const char *value; 1189 } options[] = { 1190 { "aggressive-nsec:", "yes" }, 1191 { "fast-server-permil:", "950" }, 1192 { "edns-buffer-size:", "1232" }, 1193 { "target-fetch-policy:", "0 0 0 0 0" }, 1194 { "outgoing-range:", "64" }, 1195 { "val-max-restart:", "0" }, 1196 }; 1197 1198 struct uw_resolver * 1199 create_resolver(enum uw_resolver_type type) 1200 { 1201 struct uw_resolver *res; 1202 struct trust_anchor *ta; 1203 size_t i; 1204 int err; 1205 char *resolv_conf; 1206 1207 if ((res = calloc(1, sizeof(*res))) == NULL) { 1208 log_warn("%s", __func__); 1209 return (NULL); 1210 } 1211 1212 res->type = type; 1213 res->state = UNKNOWN; 1214 res->check_tv.tv_sec = RESOLVER_CHECK_SEC; 1215 res->check_tv.tv_usec = arc4random() % 1000000; /* modulo bias is ok */ 1216 1217 switch (type) { 1218 case UW_RES_ASR: 1219 if (TAILQ_EMPTY(&autoconf_forwarder_list)) { 1220 free(res); 1221 return (NULL); 1222 } 1223 if ((resolv_conf = gen_resolv_conf()) == NULL) { 1224 free(res); 1225 log_warnx("could not create asr context"); 1226 return (NULL); 1227 } 1228 if ((res->asr_ctx = asr_resolver_from_string(resolv_conf)) == 1229 NULL) { 1230 free(res); 1231 free(resolv_conf); 1232 log_warnx("could not create asr context"); 1233 return (NULL); 1234 } 1235 free(resolv_conf); 1236 break; 1237 case UW_RES_RECURSOR: 1238 case UW_RES_AUTOCONF: 1239 case UW_RES_ODOT_AUTOCONF: 1240 case UW_RES_FORWARDER: 1241 case UW_RES_ODOT_FORWARDER: 1242 case UW_RES_DOT: 1243 if ((res->ctx = ub_ctx_create_event(ev_base)) == NULL) { 1244 free(res); 1245 log_warnx("could not create unbound context"); 1246 return (NULL); 1247 } 1248 1249 ub_ctx_debuglevel(res->ctx, log_getverbose() & OPT_VERBOSE3 ? 1250 UB_LOG_VERBOSE : UB_LOG_BRIEF); 1251 1252 TAILQ_FOREACH(ta, &trust_anchors, entry) { 1253 if ((err = ub_ctx_add_ta(res->ctx, ta->ta)) != 0) { 1254 ub_ctx_delete(res->ctx); 1255 free(res); 1256 log_warnx("error adding trust anchor: %s", 1257 ub_strerror(err)); 1258 return (NULL); 1259 } 1260 } 1261 1262 for (i = 0; i < nitems(options); i++) { 1263 if ((err = ub_ctx_set_option(res->ctx, options[i].name, 1264 options[i].value)) != 0) { 1265 ub_ctx_delete(res->ctx); 1266 free(res); 1267 log_warnx("error setting %s: %s: %s", 1268 options[i].name, options[i].value, 1269 ub_strerror(err)); 1270 return (NULL); 1271 } 1272 } 1273 1274 if (!(available_afs & HAVE_IPV4)) { 1275 if((err = ub_ctx_set_option(res->ctx, "do-ip4:", 1276 "no")) != 0) { 1277 ub_ctx_delete(res->ctx); 1278 free(res); 1279 log_warnx("error setting do-ip4: no: %s", 1280 ub_strerror(err)); 1281 return (NULL); 1282 } 1283 } 1284 1285 if (!(available_afs & HAVE_IPV6)) { 1286 if((err = ub_ctx_set_option(res->ctx, "do-ip6:", 1287 "no")) != 0) { 1288 ub_ctx_delete(res->ctx); 1289 free(res); 1290 log_warnx("error setting do-ip6: no: %s", 1291 ub_strerror(err)); 1292 return (NULL); 1293 } 1294 } 1295 1296 if (!log_getdebug()) { 1297 if((err = ub_ctx_set_option(res->ctx, "use-syslog:", 1298 "no")) != 0) { 1299 ub_ctx_delete(res->ctx); 1300 free(res); 1301 log_warnx("error setting use-syslog: no: %s", 1302 ub_strerror(err)); 1303 return (NULL); 1304 } 1305 ub_ctx_debugout(res->ctx, NULL); 1306 } 1307 1308 break; 1309 default: 1310 fatalx("unknown resolver type %d", type); 1311 break; 1312 } 1313 1314 evtimer_set(&res->check_ev, resolver_check_timo, res); 1315 1316 switch(res->type) { 1317 case UW_RES_ASR: 1318 break; 1319 case UW_RES_RECURSOR: 1320 break; 1321 case UW_RES_AUTOCONF: 1322 set_forwarders(res, &autoconf_forwarder_list, 0); 1323 break; 1324 case UW_RES_ODOT_AUTOCONF: 1325 set_forwarders(res, &autoconf_forwarder_list, 853); 1326 ub_ctx_set_option(res->ctx, "tls-cert-bundle:", 1327 TLS_DEFAULT_CA_CERT_FILE); 1328 ub_ctx_set_tls(res->ctx, 1); 1329 break; 1330 case UW_RES_FORWARDER: 1331 set_forwarders(res, &resolver_conf->uw_forwarder_list, 0); 1332 break; 1333 case UW_RES_ODOT_FORWARDER: 1334 set_forwarders(res, &resolver_conf->uw_forwarder_list, 853); 1335 ub_ctx_set_option(res->ctx, "tls-cert-bundle:", 1336 TLS_DEFAULT_CA_CERT_FILE); 1337 ub_ctx_set_tls(res->ctx, 1); 1338 break; 1339 case UW_RES_DOT: 1340 set_forwarders(res, &resolver_conf->uw_dot_forwarder_list, 0); 1341 ub_ctx_set_option(res->ctx, "tls-cert-bundle:", 1342 TLS_DEFAULT_CA_CERT_FILE); 1343 ub_ctx_set_tls(res->ctx, 1); 1344 break; 1345 default: 1346 fatalx("unknown resolver type %d", type); 1347 break; 1348 } 1349 1350 /* for the forwarder cases allow AS112 zones */ 1351 switch(res->type) { 1352 case UW_RES_AUTOCONF: 1353 case UW_RES_ODOT_AUTOCONF: 1354 case UW_RES_FORWARDER: 1355 case UW_RES_ODOT_FORWARDER: 1356 case UW_RES_DOT: 1357 for (i = 0; i < nitems(as112_zones); i++) { 1358 if((err = ub_ctx_set_option(res->ctx, "local-zone:", 1359 as112_zones[i])) != 0) { 1360 ub_ctx_delete(res->ctx); 1361 free(res); 1362 log_warnx("error setting local-zone: %s: %s", 1363 as112_zones[i], ub_strerror(err)); 1364 return (NULL); 1365 } 1366 } 1367 break; 1368 default: 1369 break; 1370 } 1371 1372 return (res); 1373 } 1374 1375 void 1376 free_resolver(struct uw_resolver *res) 1377 { 1378 struct val_env *val_env; 1379 1380 if (res == NULL) 1381 return; 1382 1383 if (res->ref_cnt > 0) 1384 res->stop = 1; 1385 else { 1386 evtimer_del(&res->check_ev); 1387 if (res->ctx != NULL) { 1388 if (res->ctx->env->msg_cache == unified_msg_cache) { 1389 val_env = (struct val_env*) 1390 res->ctx->env->modinfo[val_id]; 1391 res->ctx->env->msg_cache = NULL; 1392 res->ctx->env->rrset_cache = NULL; 1393 val_env->kcache = NULL; 1394 res->ctx->env->key_cache = NULL; 1395 val_env->neg_cache = NULL; 1396 res->ctx->env->neg_cache = NULL; 1397 } 1398 } 1399 ub_ctx_delete(res->ctx); 1400 asr_resolver_free(res->asr_ctx); 1401 free(res); 1402 } 1403 } 1404 1405 void 1406 setup_unified_caches(void) 1407 { 1408 struct ub_ctx *ctx; 1409 struct val_env *val_env; 1410 size_t i; 1411 int err, j; 1412 1413 if ((ctx = ub_ctx_create_event(ev_base)) == NULL) 1414 fatalx("could not create unbound context"); 1415 1416 for (i = 0; i < nitems(options); i++) { 1417 if ((err = ub_ctx_set_option(ctx, options[i].name, 1418 options[i].value)) != 0) { 1419 fatalx("error setting %s: %s: %s", options[i].name, 1420 options[i].value, ub_strerror(err)); 1421 } 1422 } 1423 1424 context_finalize(ctx); 1425 1426 if (ctx->env->msg_cache == NULL || ctx->env->rrset_cache == NULL || 1427 ctx->env->key_cache == NULL || ctx->env->neg_cache == NULL) 1428 fatalx("could not setup unified caches"); 1429 1430 unified_msg_cache = ctx->env->msg_cache; 1431 unified_rrset_cache = ctx->env->rrset_cache; 1432 unified_key_cache = ctx->env->key_cache; 1433 unified_neg_cache = ctx->env->neg_cache; 1434 1435 if (val_id == -1) { 1436 for (j = 0; j < ctx->mods.num; j++) { 1437 if (strcmp(ctx->mods.mod[j]->name, "validator") == 0) { 1438 val_id = j; 1439 break; 1440 } 1441 } 1442 if (val_id == -1) 1443 fatalx("cannot find validator module"); 1444 } 1445 1446 val_env = (struct val_env*)ctx->env->modinfo[val_id]; 1447 ctx->env->msg_cache = NULL; 1448 ctx->env->rrset_cache = NULL; 1449 ctx->env->key_cache = NULL; 1450 val_env->kcache = NULL; 1451 ctx->env->neg_cache = NULL; 1452 val_env->neg_cache = NULL; 1453 ub_ctx_delete(ctx); 1454 } 1455 1456 void 1457 set_forwarders(struct uw_resolver *res, struct uw_forwarder_head 1458 *uw_forwarder_list, int port_override) 1459 { 1460 struct uw_forwarder *uw_forwarder; 1461 int ret; 1462 char fwd[FWD_MAX]; 1463 1464 TAILQ_FOREACH(uw_forwarder, uw_forwarder_list, entry) { 1465 if (uw_forwarder->auth_name[0] != '\0') 1466 ret = snprintf(fwd, sizeof(fwd), "%s@%d#%s", 1467 uw_forwarder->ip, port_override ? port_override : 1468 uw_forwarder->port, uw_forwarder->auth_name); 1469 else 1470 ret = snprintf(fwd, sizeof(fwd), "%s@%d", 1471 uw_forwarder->ip, port_override ? port_override : 1472 uw_forwarder->port); 1473 1474 if (ret < 0 || (size_t)ret >= sizeof(fwd)) { 1475 log_warnx("forwarder too long"); 1476 continue; 1477 } 1478 1479 ub_ctx_set_fwd(res->ctx, fwd); 1480 } 1481 } 1482 1483 void 1484 resolver_check_timo(int fd, short events, void *arg) 1485 { 1486 check_resolver((struct uw_resolver *)arg); 1487 } 1488 1489 void 1490 resolver_free_timo(int fd, short events, void *arg) 1491 { 1492 free_resolver((struct uw_resolver *)arg); 1493 } 1494 1495 void 1496 check_resolver(struct uw_resolver *resolver_to_check) 1497 { 1498 struct uw_resolver *res; 1499 1500 if (resolver_to_check == NULL) 1501 return; 1502 1503 if (resolver_to_check->check_running) 1504 return; 1505 1506 if ((res = create_resolver(resolver_to_check->type)) == NULL) 1507 return; 1508 1509 resolver_ref(resolver_to_check); 1510 1511 resolver_to_check->check_running++; 1512 if (resolve(res, ".", LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN, 1513 resolver_to_check, check_resolver_done) != 0) { 1514 resolver_to_check->check_running--; 1515 resolver_to_check->state = UNKNOWN; 1516 resolver_unref(resolver_to_check); 1517 resolver_to_check->check_tv.tv_sec = RESOLVER_CHECK_SEC; 1518 evtimer_add(&resolver_to_check->check_ev, 1519 &resolver_to_check->check_tv); 1520 } 1521 } 1522 1523 void 1524 check_resolver_done(struct uw_resolver *res, void *arg, int rcode, 1525 void *answer_packet, int answer_len, int sec, char *why_bogus) 1526 { 1527 struct uw_resolver *checked_resolver = arg; 1528 struct timeval tv = {0, 1}; 1529 enum uw_resolver_state prev_state; 1530 int bogus_time = 0; 1531 char *str; 1532 1533 checked_resolver->check_running--; 1534 1535 if (checked_resolver != resolvers[checked_resolver->type]) { 1536 log_debug("%s: %s: ignoring late check result", __func__, 1537 uw_resolver_type_str[checked_resolver->type]); 1538 goto out; 1539 } 1540 1541 prev_state = checked_resolver->state; 1542 1543 if (answer_len < LDNS_HEADER_SIZE) { 1544 checked_resolver->state = DEAD; 1545 log_warnx("%s: bad packet: too short", __func__); 1546 goto out; 1547 } 1548 1549 if (rcode == LDNS_RCODE_SERVFAIL) { 1550 log_debug("%s: %s rcode: SERVFAIL", __func__, 1551 uw_resolver_type_str[checked_resolver->type]); 1552 1553 checked_resolver->state = DEAD; 1554 goto out; 1555 } 1556 1557 if (sec == SECURE) { 1558 if (dns64_present && (res->type == UW_RES_AUTOCONF || 1559 res->type == UW_RES_ODOT_AUTOCONF)) { 1560 /* do not upgrade to validating, DNS64 breaks DNSSEC */ 1561 if (prev_state != RESOLVING) 1562 new_resolver(checked_resolver->type, 1563 RESOLVING); 1564 } else { 1565 if (prev_state != VALIDATING) 1566 new_resolver(checked_resolver->type, 1567 VALIDATING); 1568 if (!(evtimer_pending(&trust_anchor_timer, NULL))) 1569 evtimer_add(&trust_anchor_timer, &tv); 1570 } 1571 } else if (rcode == LDNS_RCODE_NOERROR && 1572 LDNS_RCODE_WIRE((uint8_t*)answer_packet) == LDNS_RCODE_NOERROR) { 1573 if (why_bogus) { 1574 bogus_time = strncmp(why_bogus, bogus_past, 1575 sizeof(bogus_past) - 1) == 0 || strncmp(why_bogus, 1576 bogus_future, sizeof(bogus_future) - 1) == 0; 1577 1578 log_warnx("%s: %s", uw_resolver_type_str[ 1579 checked_resolver->type], why_bogus); 1580 } 1581 if (prev_state != RESOLVING) 1582 new_resolver(checked_resolver->type, RESOLVING); 1583 } else 1584 checked_resolver->state = DEAD; /* we know the root exists */ 1585 1586 log_debug("%s: %s: %s", __func__, 1587 uw_resolver_type_str[checked_resolver->type], 1588 uw_resolver_state_str[checked_resolver->state]); 1589 1590 if (log_getverbose() & OPT_VERBOSE2 && (str = 1591 sldns_wire2str_pkt(answer_packet, answer_len)) != NULL) { 1592 log_debug("%s", str); 1593 free(str); 1594 } 1595 1596 out: 1597 if (!checked_resolver->stop && (checked_resolver->state == DEAD || 1598 bogus_time)) { 1599 if (prev_state == DEAD || bogus_time) 1600 checked_resolver->check_tv.tv_sec *= 2; 1601 else 1602 checked_resolver->check_tv.tv_sec = RESOLVER_CHECK_SEC; 1603 1604 if (checked_resolver->check_tv.tv_sec > RESOLVER_CHECK_MAXSEC) 1605 checked_resolver->check_tv.tv_sec = 1606 RESOLVER_CHECK_MAXSEC; 1607 1608 evtimer_add(&checked_resolver->check_ev, 1609 &checked_resolver->check_tv); 1610 } 1611 1612 resolver_unref(checked_resolver); 1613 res->stop = 1; /* do not free in callback */ 1614 } 1615 1616 void 1617 asr_resolve_done(struct asr_result *ar, void *arg) 1618 { 1619 struct resolver_cb_data *cb_data = arg; 1620 cb_data->cb(cb_data->res, cb_data->data, ar->ar_rcode, ar->ar_data, 1621 ar->ar_datalen, 0, NULL); 1622 free(ar->ar_data); 1623 resolver_unref(cb_data->res); 1624 free(cb_data); 1625 } 1626 1627 void 1628 ub_resolve_done(void *arg, int rcode, void *answer_packet, int answer_len, 1629 int sec, char *why_bogus, int was_ratelimited) 1630 { 1631 struct resolver_cb_data *cb_data = arg; 1632 cb_data->cb(cb_data->res, cb_data->data, rcode, answer_packet, 1633 answer_len, sec, why_bogus); 1634 resolver_unref(cb_data->res); 1635 free(cb_data); 1636 } 1637 1638 void 1639 schedule_recheck_all_resolvers(void) 1640 { 1641 struct timeval tv; 1642 int i; 1643 1644 tv.tv_sec = 0; 1645 1646 for (i = 0; i < UW_RES_NONE; i++) { 1647 if (resolvers[i] == NULL) 1648 continue; 1649 tv.tv_usec = arc4random() % 1000000; /* modulo bias is ok */ 1650 resolvers[i]->state = UNKNOWN; 1651 evtimer_add(&resolvers[i]->check_ev, &tv); 1652 } 1653 } 1654 1655 int 1656 check_forwarders_changed(struct uw_forwarder_head *list_a, 1657 struct uw_forwarder_head *list_b) 1658 { 1659 struct uw_forwarder *a, *b; 1660 1661 a = TAILQ_FIRST(list_a); 1662 b = TAILQ_FIRST(list_b); 1663 1664 while(a != NULL && b != NULL) { 1665 if (strcmp(a->ip, b->ip) != 0) 1666 return 1; 1667 if (a->port != b->port) 1668 return 1; 1669 if (strcmp(a->auth_name, b->auth_name) != 0) 1670 return 1; 1671 a = TAILQ_NEXT(a, entry); 1672 b = TAILQ_NEXT(b, entry); 1673 } 1674 1675 if (a != NULL || b != NULL) 1676 return 1; 1677 return 0; 1678 } 1679 1680 void 1681 resolver_ref(struct uw_resolver *res) 1682 { 1683 if (res->ref_cnt == INT_MAX) 1684 fatalx("%s: INT_MAX references", __func__); 1685 res->ref_cnt++; 1686 } 1687 1688 void 1689 resolver_unref(struct uw_resolver *res) 1690 { 1691 struct timeval tv = { 0, 1}; 1692 1693 if (res->ref_cnt == 0) 1694 fatalx("%s: unreferenced resolver", __func__); 1695 1696 res->ref_cnt--; 1697 1698 /* 1699 * Decouple from libunbound event callback. 1700 * If we free the ctx inside of resolve_done or check_resovler_done 1701 * we are cutting of the branch we are sitting on and hit a 1702 * user-after-free 1703 */ 1704 if (res->stop && res->ref_cnt == 0) { 1705 evtimer_set(&res->free_ev, resolver_free_timo, res); 1706 evtimer_add(&res->free_ev, &tv); 1707 } 1708 } 1709 1710 void 1711 replace_forwarders(struct uw_forwarder_head *new_list, struct 1712 uw_forwarder_head *old_list) 1713 { 1714 struct uw_forwarder *uw_forwarder; 1715 1716 while ((uw_forwarder = 1717 TAILQ_FIRST(old_list)) != NULL) { 1718 TAILQ_REMOVE(old_list, uw_forwarder, entry); 1719 free(uw_forwarder); 1720 } 1721 1722 TAILQ_CONCAT(old_list, new_list, entry); 1723 } 1724 1725 int 1726 resolver_cmp(const void *_a, const void *_b) 1727 { 1728 const enum uw_resolver_type a = *(const enum uw_resolver_type *)_a; 1729 const enum uw_resolver_type b = *(const enum uw_resolver_type *)_b; 1730 int64_t a_median, b_median; 1731 1732 if (resolvers[a] == NULL && resolvers[b] == NULL) 1733 return 0; 1734 1735 if (resolvers[b] == NULL) 1736 return -1; 1737 1738 if (resolvers[a] == NULL) 1739 return 1; 1740 1741 if (resolvers[a]->state < resolvers[b]->state) 1742 return 1; 1743 else if (resolvers[a]->state > resolvers[b]->state) 1744 return -1; 1745 else { 1746 a_median = resolvers[a]->median; 1747 b_median = resolvers[b]->median; 1748 if (resolvers[a]->type == resolver_conf->res_pref.types[0]) 1749 a_median -= PREF_RESOLVER_MEDIAN_SKEW; 1750 else if (resolvers[b]->type == resolver_conf->res_pref.types[0]) 1751 b_median -= PREF_RESOLVER_MEDIAN_SKEW; 1752 if (a_median < b_median) 1753 return -1; 1754 else if (a_median > b_median) 1755 return 1; 1756 else 1757 return 0; 1758 } 1759 } 1760 1761 void 1762 restart_ub_resolvers(int recheck) 1763 { 1764 int i; 1765 enum uw_resolver_state state; 1766 1767 for (i = 0; i < UW_RES_NONE; i++) { 1768 if (i == UW_RES_ASR) 1769 continue; 1770 if (recheck || resolvers[i] == NULL) 1771 state = UNKNOWN; 1772 else 1773 state = resolvers[i]->state; 1774 new_resolver(i, state); 1775 } 1776 } 1777 1778 void 1779 show_status(pid_t pid) 1780 { 1781 struct resolver_preference res_pref; 1782 int i; 1783 1784 if (sort_resolver_types(&res_pref) == -1) 1785 log_warn("mergesort"); 1786 1787 for (i = 0; i < resolver_conf->res_pref.len; i++) 1788 send_resolver_info(resolvers[res_pref.types[i]], pid); 1789 1790 resolver_imsg_compose_frontend(IMSG_CTL_END, pid, NULL, 0); 1791 } 1792 1793 void 1794 show_autoconf(pid_t pid) 1795 { 1796 struct uw_forwarder *uw_forwarder; 1797 struct ctl_forwarder_info cfi; 1798 1799 TAILQ_FOREACH(uw_forwarder, &autoconf_forwarder_list, entry) { 1800 memset(&cfi, 0, sizeof(cfi)); 1801 cfi.if_index = uw_forwarder->if_index; 1802 cfi.src = uw_forwarder->src; 1803 /* no truncation, structs are in sync */ 1804 memcpy(cfi.ip, uw_forwarder->ip, sizeof(cfi.ip)); 1805 resolver_imsg_compose_frontend( 1806 IMSG_CTL_AUTOCONF_RESOLVER_INFO, 1807 pid, &cfi, sizeof(cfi)); 1808 } 1809 1810 resolver_imsg_compose_frontend(IMSG_CTL_END, pid, NULL, 0); 1811 } 1812 1813 void 1814 show_mem(pid_t pid) 1815 { 1816 struct ctl_mem_info cmi; 1817 1818 memset(&cmi, 0, sizeof(cmi)); 1819 cmi.msg_cache_used = slabhash_get_mem(unified_msg_cache); 1820 cmi.msg_cache_max = slabhash_get_size(unified_msg_cache); 1821 cmi.rrset_cache_used = slabhash_get_mem(&unified_rrset_cache->table); 1822 cmi.rrset_cache_max = slabhash_get_size(&unified_rrset_cache->table); 1823 cmi.key_cache_used = slabhash_get_mem(unified_key_cache->slab); 1824 cmi.key_cache_max = slabhash_get_size(unified_key_cache->slab); 1825 cmi.neg_cache_used = unified_neg_cache->use; 1826 cmi.neg_cache_max = unified_neg_cache->max; 1827 resolver_imsg_compose_frontend(IMSG_CTL_MEM_INFO, pid, &cmi, 1828 sizeof(cmi)); 1829 1830 } 1831 1832 void 1833 send_resolver_info(struct uw_resolver *res, pid_t pid) 1834 { 1835 struct ctl_resolver_info cri; 1836 size_t i; 1837 1838 if (res == NULL) 1839 return; 1840 1841 cri.state = res->state; 1842 cri.type = res->type; 1843 cri.median = res->median; 1844 1845 memcpy(cri.histogram, res->histogram, sizeof(cri.histogram)); 1846 memcpy(cri.latest_histogram, res->latest_histogram, 1847 sizeof(cri.latest_histogram)); 1848 for (i = 0; i < nitems(histogram_limits); i++) 1849 cri.latest_histogram[i] = 1850 (cri.latest_histogram[i] + 500) / 1000; 1851 1852 resolver_imsg_compose_frontend(IMSG_CTL_RESOLVER_INFO, pid, &cri, 1853 sizeof(cri)); 1854 } 1855 1856 void 1857 trust_anchor_resolve(void) 1858 { 1859 struct resolver_preference res_pref; 1860 struct uw_resolver *res; 1861 struct timeval tv = {TRUST_ANCHOR_RETRY_INTERVAL, 0}; 1862 1863 if (sort_resolver_types(&res_pref) == -1) 1864 log_warn("mergesort"); 1865 1866 res = resolvers[res_pref.types[0]]; 1867 1868 if (res == NULL || res->state < VALIDATING) 1869 goto err; 1870 1871 if (resolve(res, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, NULL, 1872 trust_anchor_resolve_done) != 0) 1873 goto err; 1874 1875 return; 1876 err: 1877 evtimer_add(&trust_anchor_timer, &tv); 1878 } 1879 1880 void 1881 trust_anchor_timo(int fd, short events, void *arg) 1882 { 1883 trust_anchor_resolve(); 1884 } 1885 1886 void 1887 trust_anchor_resolve_done(struct uw_resolver *res, void *arg, int rcode, 1888 void *answer_packet, int answer_len, int sec, char *why_bogus) 1889 { 1890 struct ub_result *result = NULL; 1891 sldns_buffer *buf = NULL; 1892 struct regional *region = NULL; 1893 struct timeval tv = {TRUST_ANCHOR_RETRY_INTERVAL, 0}; 1894 int i, tas, n; 1895 uint16_t dnskey_flags; 1896 char rdata_buf[1024], *ta; 1897 1898 if (answer_len < LDNS_HEADER_SIZE) { 1899 log_warnx("bad packet: too short"); 1900 goto out; 1901 } 1902 1903 if ((result = calloc(1, sizeof(*result))) == NULL) 1904 goto out; 1905 1906 if (sec != SECURE) 1907 goto out; 1908 1909 if ((buf = sldns_buffer_new(answer_len)) == NULL) 1910 goto out; 1911 if ((region = regional_create()) == NULL) 1912 goto out; 1913 result->rcode = LDNS_RCODE_SERVFAIL; 1914 1915 sldns_buffer_clear(buf); 1916 sldns_buffer_write(buf, answer_packet, answer_len); 1917 sldns_buffer_flip(buf); 1918 libworker_enter_result(result, buf, region, sec); 1919 result->answer_packet = NULL; 1920 result->answer_len = 0; 1921 1922 if (result->rcode != LDNS_RCODE_NOERROR) 1923 goto out; 1924 1925 i = 0; 1926 tas = 0; 1927 while(result->data[i] != NULL) { 1928 if (result->len[i] < 2) { 1929 if (tas > 0) 1930 resolver_imsg_compose_frontend( 1931 IMSG_NEW_TAS_ABORT, 0, NULL, 0); 1932 goto out; 1933 } 1934 n = sldns_wire2str_rdata_buf(result->data[i], result->len[i], 1935 rdata_buf, sizeof(rdata_buf), LDNS_RR_TYPE_DNSKEY); 1936 1937 if (n < 0 || (size_t)n >= sizeof(rdata_buf)) { 1938 log_warnx("trust anchor buffer to small"); 1939 resolver_imsg_compose_frontend(IMSG_NEW_TAS_ABORT, 0, 1940 NULL, 0); 1941 goto out; 1942 } 1943 1944 memcpy(&dnskey_flags, result->data[i], 2); 1945 dnskey_flags = ntohs(dnskey_flags); 1946 if ((dnskey_flags & LDNS_KEY_SEP_KEY) && !(dnskey_flags & 1947 LDNS_KEY_REVOKE_KEY)) { 1948 asprintf(&ta, ".\t%d\tIN\tDNSKEY\t%s", ROOT_DNSKEY_TTL, 1949 rdata_buf); 1950 resolver_imsg_compose_frontend(IMSG_NEW_TA, 0, ta, 1951 strlen(ta) + 1); 1952 tas++; 1953 free(ta); 1954 } 1955 i++; 1956 } 1957 if (tas > 0) { 1958 resolver_imsg_compose_frontend(IMSG_NEW_TAS_DONE, 0, NULL, 0); 1959 tv.tv_sec = TRUST_ANCHOR_QUERY_INTERVAL; 1960 } 1961 out: 1962 sldns_buffer_free(buf); 1963 regional_destroy(region); 1964 ub_resolve_free(result); 1965 evtimer_add(&trust_anchor_timer, &tv); 1966 } 1967 1968 void 1969 replace_autoconf_forwarders(struct imsg_rdns_proposal *rdns_proposal) 1970 { 1971 struct uw_forwarder_head new_forwarder_list; 1972 struct uw_forwarder *uw_forwarder, *tmp; 1973 size_t addrsz; 1974 int i, rdns_count, af, changed = 0; 1975 char hostbuf[INET6_ADDRSTRLEN], *src; 1976 1977 TAILQ_INIT(&new_forwarder_list); 1978 af = rdns_proposal->rtdns.sr_family; 1979 src = rdns_proposal->rtdns.sr_dns; 1980 1981 switch (af) { 1982 case AF_INET: 1983 addrsz = sizeof(struct in_addr); 1984 break; 1985 case AF_INET6: 1986 addrsz = sizeof(struct in6_addr); 1987 break; 1988 default: 1989 log_warnx("%s: unsupported address family: %d", __func__, af); 1990 return; 1991 } 1992 1993 if ((rdns_proposal->rtdns.sr_len - 2) % addrsz != 0) { 1994 log_warnx("ignoring invalid RTM_PROPOSAL"); 1995 return; 1996 } 1997 rdns_count = (rdns_proposal->rtdns.sr_len - 1998 offsetof(struct sockaddr_rtdns, sr_dns)) / addrsz; 1999 2000 for (i = 0; i < rdns_count; i++) { 2001 struct sockaddr_storage ss; 2002 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss; 2003 struct sockaddr_in *sin = (struct sockaddr_in *)&ss; 2004 int err; 2005 2006 memset(&ss, 0, sizeof(ss)); 2007 ss.ss_family = af; 2008 switch (af) { 2009 case AF_INET: 2010 memcpy(&sin->sin_addr, src, addrsz); 2011 if (sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) 2012 goto skip; 2013 ss.ss_len = sizeof(*sin); 2014 break; 2015 case AF_INET6: 2016 memcpy(&sin6->sin6_addr, src, addrsz); 2017 if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr)) 2018 goto skip; 2019 if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 2020 sin6->sin6_scope_id = rdns_proposal->if_index; 2021 ss.ss_len = sizeof(*sin6); 2022 break; 2023 } 2024 if ((err = getnameinfo((struct sockaddr *)&ss, ss.ss_len, 2025 hostbuf, sizeof(hostbuf), NULL, 0, NI_NUMERICHOST)) != 0) { 2026 log_warnx("getnameinfo: %s", gai_strerror(err)); 2027 goto skip; 2028 } 2029 2030 if ((uw_forwarder = calloc(1, sizeof(struct uw_forwarder))) == 2031 NULL) 2032 fatal(NULL); 2033 if (strlcpy(uw_forwarder->ip, hostbuf, sizeof(uw_forwarder->ip)) 2034 >= sizeof(uw_forwarder->ip)) 2035 fatalx("strlcpy"); 2036 uw_forwarder->port = 53; 2037 uw_forwarder->if_index = rdns_proposal->if_index; 2038 uw_forwarder->src = rdns_proposal->src; 2039 TAILQ_INSERT_TAIL(&new_forwarder_list, uw_forwarder, entry); 2040 2041 skip: 2042 src += addrsz; 2043 } 2044 2045 TAILQ_FOREACH(tmp, &autoconf_forwarder_list, entry) { 2046 /* 2047 * if_index of zero signals to clear all proposals 2048 * src of zero signals interface gone 2049 */ 2050 if ((rdns_proposal->src == 0 || rdns_proposal->src == 2051 tmp->src) && (rdns_proposal->if_index == 0 || 2052 rdns_proposal->if_index == tmp->if_index)) 2053 continue; 2054 if ((uw_forwarder = calloc(1, sizeof(struct uw_forwarder))) == 2055 NULL) 2056 fatal(NULL); 2057 if (strlcpy(uw_forwarder->ip, tmp->ip, 2058 sizeof(uw_forwarder->ip)) >= sizeof(uw_forwarder->ip)) 2059 fatalx("strlcpy"); 2060 uw_forwarder->port = tmp->port; 2061 uw_forwarder->src = tmp->src; 2062 uw_forwarder->if_index = tmp->if_index; 2063 TAILQ_INSERT_TAIL(&new_forwarder_list, uw_forwarder, entry); 2064 } 2065 2066 changed = check_forwarders_changed(&new_forwarder_list, 2067 &autoconf_forwarder_list); 2068 2069 if (changed) { 2070 replace_forwarders(&new_forwarder_list, 2071 &autoconf_forwarder_list); 2072 new_resolver(UW_RES_ASR, UNKNOWN); 2073 new_resolver(UW_RES_AUTOCONF, UNKNOWN); 2074 new_resolver(UW_RES_ODOT_AUTOCONF, UNKNOWN); 2075 } else { 2076 while ((tmp = TAILQ_FIRST(&new_forwarder_list)) != NULL) { 2077 TAILQ_REMOVE(&new_forwarder_list, tmp, entry); 2078 free(tmp); 2079 } 2080 } 2081 } 2082 2083 int 2084 force_tree_cmp(struct force_tree_entry *a, struct force_tree_entry *b) 2085 { 2086 return strcasecmp(a->domain, b->domain); 2087 } 2088 2089 int 2090 find_force(struct force_tree *tree, char *qname, struct uw_resolver **res) 2091 { 2092 struct force_tree_entry *n, e; 2093 char *p; 2094 2095 if (res) 2096 *res = NULL; 2097 if (RB_EMPTY(tree)) 2098 return 0; 2099 2100 p = qname; 2101 do { 2102 if (strlcpy(e.domain, p, sizeof(e.domain)) >= sizeof(e.domain)) 2103 fatal("qname too large"); 2104 n = RB_FIND(force_tree, tree, &e); 2105 if (n != NULL) { 2106 log_debug("%s: %s -> %s[%s]", __func__, qname, p, 2107 uw_resolver_type_str[n->type]); 2108 if (res) 2109 *res = resolvers[n->type]; 2110 return n->acceptbogus; 2111 } 2112 if (*p == '.') 2113 p++; 2114 p = strchr(p, '.'); 2115 if (p != NULL && p[1] != '\0') 2116 p++; 2117 } while (p != NULL); 2118 return 0; 2119 2120 } 2121 2122 int64_t 2123 histogram_median(int64_t *histogram) 2124 { 2125 size_t i; 2126 int64_t sample_count = 0, running_count = 0; 2127 2128 /* skip first bucket, it contains cache hits */ 2129 for (i = 1; i < nitems(histogram_limits); i++) 2130 sample_count += histogram[i]; 2131 2132 if (sample_count == 0) 2133 return 0; 2134 2135 for (i = 1; i < nitems(histogram_limits); i++) { 2136 running_count += histogram[i]; 2137 if (running_count >= sample_count / 2) 2138 break; 2139 } 2140 2141 if (i >= nitems(histogram_limits) - 1) 2142 return INT64_MAX; 2143 return (histogram_limits[i - 1] + histogram_limits[i]) / 2; 2144 } 2145 2146 void 2147 decay_latest_histograms(int fd, short events, void *arg) 2148 { 2149 enum uw_resolver_type i; 2150 size_t j; 2151 struct uw_resolver *res; 2152 struct timeval tv = {DECAY_PERIOD, 0}; 2153 2154 for (i = 0; i < UW_RES_NONE; i++) { 2155 res = resolvers[i]; 2156 if (res == NULL) 2157 continue; 2158 for (j = 0; j < nitems(res->latest_histogram); j++) 2159 /* multiply then divide, avoiding truncating to 0 */ 2160 res->latest_histogram[j] = res->latest_histogram[j] * 2161 DECAY_NOMINATOR / DECAY_DENOMINATOR; 2162 res->median = histogram_median(res->latest_histogram); 2163 } 2164 evtimer_add(&decay_timer, &tv); 2165 } 2166 2167 int 2168 running_query_cnt(void) 2169 { 2170 struct running_query *e; 2171 int cnt = 0; 2172 2173 TAILQ_FOREACH(e, &running_queries, entry) 2174 cnt++; 2175 return cnt; 2176 } 2177 2178 int * 2179 resolvers_to_restart(struct uw_conf *oconf, struct uw_conf *nconf) 2180 { 2181 static int restart[UW_RES_NONE]; 2182 int i; 2183 2184 memset(&restart, 0, sizeof(restart)); 2185 if (check_forwarders_changed(&oconf->uw_forwarder_list, 2186 &nconf->uw_forwarder_list)) { 2187 restart[UW_RES_FORWARDER] = 1; 2188 restart[UW_RES_ODOT_FORWARDER] = 1; 2189 } 2190 if (check_forwarders_changed(&oconf->uw_dot_forwarder_list, 2191 &nconf->uw_dot_forwarder_list)) { 2192 restart[UW_RES_DOT] = 1; 2193 } 2194 2195 for (i = 0; i < UW_RES_NONE; i++) { 2196 if (oconf->enabled_resolvers[i] != nconf->enabled_resolvers[i]) 2197 restart[i] = 1; 2198 } 2199 return restart; 2200 } 2201 2202 const char * 2203 query_imsg2str(struct query_imsg *query_imsg) 2204 { 2205 static char buf[sizeof(query_imsg->qname) + 1 + 16 + 1 + 16]; 2206 char qclass_buf[16]; 2207 char qtype_buf[16]; 2208 2209 sldns_wire2str_class_buf(query_imsg->c, qclass_buf, sizeof(qclass_buf)); 2210 sldns_wire2str_type_buf(query_imsg->t, qtype_buf, sizeof(qtype_buf)); 2211 2212 snprintf(buf, sizeof(buf), "%s %s %s", query_imsg->qname, qclass_buf, 2213 qtype_buf); 2214 return buf; 2215 } 2216 2217 char * 2218 gen_resolv_conf() 2219 { 2220 struct uw_forwarder *uw_forwarder; 2221 char *resolv_conf = NULL, *tmp = NULL; 2222 2223 TAILQ_FOREACH(uw_forwarder, &autoconf_forwarder_list, entry) { 2224 tmp = resolv_conf; 2225 if (asprintf(&resolv_conf, "%snameserver %s\n", tmp == 2226 NULL ? "" : tmp, uw_forwarder->ip) == -1) { 2227 free(tmp); 2228 return (NULL); 2229 } 2230 free(tmp); 2231 } 2232 return resolv_conf; 2233 } 2234 2235 void 2236 check_dns64(void) 2237 { 2238 struct asr_query *aq = NULL; 2239 char *resolv_conf; 2240 void *asr_ctx; 2241 2242 if (TAILQ_EMPTY(&autoconf_forwarder_list)) 2243 return; 2244 2245 if ((resolv_conf = gen_resolv_conf()) == NULL) { 2246 log_warnx("could not create asr context"); 2247 return; 2248 } 2249 2250 if ((asr_ctx = asr_resolver_from_string(resolv_conf)) != NULL) { 2251 if ((aq = res_query_async("ipv4only.arpa", LDNS_RR_CLASS_IN, 2252 LDNS_RR_TYPE_AAAA, asr_ctx)) == NULL) { 2253 log_warn("%s: res_query_async", __func__); 2254 asr_resolver_free(asr_ctx); 2255 } 2256 if (event_asr_run(aq, check_dns64_done, asr_ctx) == NULL) { 2257 log_warn("%s: event_asr_run", __func__); 2258 free(aq); 2259 asr_resolver_free(asr_ctx); 2260 } 2261 } else 2262 log_warnx("%s: could not create asr context", __func__); 2263 2264 free(resolv_conf); 2265 } 2266 2267 void 2268 check_dns64_done(struct asr_result *ar, void *arg) 2269 { 2270 /* RFC 7050: ipv4only.arpa resolves to 192.0.0.170 and 192.9.0.171 */ 2271 const uint8_t wka1[] = {192, 0, 0, 170}; 2272 const uint8_t wka2[] = {192, 0, 0, 171}; 2273 struct query_info skip, qinfo; 2274 struct reply_info *rinfo = NULL; 2275 struct regional *region = NULL; 2276 struct sldns_buffer *buf = NULL; 2277 struct ub_packed_rrset_key *an_rrset = NULL; 2278 struct packed_rrset_data *an_rrset_data; 2279 struct alloc_cache alloc; 2280 struct edns_data edns; 2281 struct dns64_prefix *prefixes = NULL; 2282 size_t i; 2283 int preflen, count = 0; 2284 void *asr_ctx = arg; 2285 2286 memset(&qinfo, 0, sizeof(qinfo)); 2287 alloc_init(&alloc, NULL, 0); 2288 2289 if (ar->ar_datalen < LDNS_HEADER_SIZE) { 2290 log_warnx("%s: bad packet: too short: %d", __func__, 2291 ar->ar_datalen); 2292 goto out; 2293 } 2294 2295 if (ar->ar_datalen > UINT16_MAX) { 2296 log_warnx("%s: bad packet: too large: %d", __func__, 2297 ar->ar_datalen); 2298 goto out; 2299 } 2300 2301 if (ar->ar_rcode == LDNS_RCODE_NXDOMAIN) { 2302 /* XXX this means that the autoconf resolver is broken */ 2303 log_debug("%s: NXDOMAIN", __func__); 2304 goto out; 2305 } 2306 2307 if ((buf = sldns_buffer_new(ar->ar_datalen)) == NULL) 2308 goto out; 2309 2310 if ((region = regional_create()) == NULL) 2311 goto out; 2312 2313 sldns_buffer_write(buf, ar->ar_data, ar->ar_datalen); 2314 sldns_buffer_flip(buf); 2315 2316 /* read past query section, no memory is allocated */ 2317 if (!query_info_parse(&skip, buf)) 2318 goto out; 2319 2320 if (reply_info_parse(buf, &alloc, &qinfo, &rinfo, region, &edns) != 0) 2321 goto out; 2322 2323 if ((an_rrset = reply_find_answer_rrset(&qinfo, rinfo)) == NULL) 2324 goto out; 2325 2326 an_rrset_data = (struct packed_rrset_data*)an_rrset->entry.data; 2327 2328 prefixes = calloc(an_rrset_data->count, sizeof(struct dns64_prefix)); 2329 if (prefixes == NULL) 2330 goto out; 2331 2332 for (i = 0; i < an_rrset_data->count; i++) { 2333 struct in6_addr in6; 2334 2335 /* check for AAAA record */ 2336 if (an_rrset_data->rr_len[i] != 18) /* 2 + 128/8 */ 2337 continue; 2338 if (an_rrset_data->rr_data[i][0] != 0 && 2339 an_rrset_data->rr_data[i][1] != 16) 2340 continue; 2341 2342 memcpy(&in6, &an_rrset_data->rr_data[i][2], 2343 sizeof(in6)); 2344 if ((preflen = dns64_prefixlen(&in6, wka1)) != -1) 2345 add_dns64_prefix(&in6, preflen, prefixes, 2346 an_rrset_data->count, WKA1_FOUND); 2347 if ((preflen = dns64_prefixlen(&in6, wka2)) != -1) 2348 add_dns64_prefix(&in6, preflen, prefixes, 2349 an_rrset_data->count, WKA2_FOUND); 2350 } 2351 2352 for (i = 0; i < an_rrset_data->count && prefixes[i].flags != 0; i++) 2353 if ((prefixes[i].flags & (WKA1_FOUND | WKA2_FOUND)) == 2354 (WKA1_FOUND | WKA2_FOUND)) 2355 count++; 2356 2357 dns64_present = count > 0; 2358 2359 if (dns64_present) { 2360 /* downgrade SLAAC resolvers, DNS64 breaks DNSSEC */ 2361 if (resolvers[UW_RES_AUTOCONF] != NULL && 2362 resolvers[UW_RES_AUTOCONF]->state == VALIDATING) 2363 new_resolver(UW_RES_AUTOCONF, RESOLVING); 2364 if (resolvers[UW_RES_ODOT_AUTOCONF] != NULL && 2365 resolvers[UW_RES_ODOT_AUTOCONF]->state == VALIDATING) 2366 new_resolver(UW_RES_ODOT_AUTOCONF, RESOLVING); 2367 } 2368 2369 resolver_imsg_compose_frontend(IMSG_NEW_DNS64_PREFIXES_START, 0, 2370 &count, sizeof(count)); 2371 for (i = 0; i < an_rrset_data->count && prefixes[i].flags != 0; i++) { 2372 if ((prefixes[i].flags & (WKA1_FOUND | WKA2_FOUND)) == 2373 (WKA1_FOUND | WKA2_FOUND)) { 2374 resolver_imsg_compose_frontend(IMSG_NEW_DNS64_PREFIX, 2375 0, &prefixes[i], sizeof(struct dns64_prefix)); 2376 } 2377 } 2378 resolver_imsg_compose_frontend(IMSG_NEW_DNS64_PREFIXES_DONE, 0, NULL, 2379 0); 2380 out: 2381 free(prefixes); 2382 query_info_clear(&qinfo); 2383 reply_info_parsedelete(rinfo, &alloc); 2384 alloc_clear(&alloc); 2385 regional_destroy(region); 2386 sldns_buffer_free(buf); 2387 free(ar->ar_data); 2388 asr_resolver_free(asr_ctx); 2389 } 2390 2391 int 2392 dns64_prefixlen(const struct in6_addr *in6, const uint8_t *wka) 2393 { 2394 /* RFC 6052, 2.2 */ 2395 static const int possible_prefixes[] = {32, 40, 48, 56, 64, 96}; 2396 size_t i, j; 2397 int found, pos; 2398 2399 for (i = 0; i < nitems(possible_prefixes); i++) { 2400 pos = possible_prefixes[i] / 8; 2401 found = 1; 2402 for (j = 0; j < 4 && found; j++, pos++) { 2403 if (pos == 8) { 2404 if (in6->s6_addr[pos] != 0) 2405 found = 0; 2406 pos++; 2407 } 2408 if (in6->s6_addr[pos] != wka[j]) 2409 found = 0; 2410 } 2411 if (found) 2412 return possible_prefixes[i]; 2413 } 2414 return -1; 2415 } 2416 2417 void 2418 add_dns64_prefix(const struct in6_addr *in6, int prefixlen, 2419 struct dns64_prefix *prefixes, int prefixes_size, int flag) 2420 { 2421 struct in6_addr tmp; 2422 int i; 2423 2424 tmp = *in6; 2425 2426 for(i = prefixlen / 8; i < 16; i++) 2427 tmp.s6_addr[i] = 0; 2428 2429 for (i = 0; i < prefixes_size; i++) { 2430 if (prefixes[i].flags == 0) { 2431 prefixes[i].in6 = tmp; 2432 prefixes[i].prefixlen = prefixlen; 2433 prefixes[i].flags |= flag; 2434 break; 2435 } else if (prefixes[i].prefixlen == prefixlen && 2436 memcmp(&prefixes[i].in6, &tmp, sizeof(tmp)) == 0) { 2437 prefixes[i].flags |= flag; 2438 break; 2439 } 2440 } 2441 } 2442