Lines Matching refs:client
58 #include <named/client.h>
126 "client %p: %s", client, (m))
145 ns_client_t *client;
150 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
153 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
158 dns_dbversion_t *version, ns_client_t *client,
164 log_queryerror(ns_client_t *client, isc_result_t result, int line, int level);
167 rpz_st_clear(ns_client_t *client);
173 inc_stats(ns_client_t *client, isc_statscounter_t counter) {
174 dns_zone_t *zone = client->query.authzone;
202 rdataset = ISC_LIST_HEAD(client->query.qname->list);
213 query_send(ns_client_t *client) {
216 if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0)
217 inc_stats(client, dns_nsstatscounter_nonauthans);
219 inc_stats(client, dns_nsstatscounter_authans);
221 if (client->message->rcode == dns_rcode_noerror) {
223 if (ISC_LIST_EMPTY(client->message->sections[answer])) {
224 if (client->query.isreferral)
230 } else if (client->message->rcode == dns_rcode_nxdomain)
235 inc_stats(client, counter);
236 ns_client_send(client);
240 query_error(ns_client_t *client, isc_result_t result, int line) {
246 inc_stats(client, dns_nsstatscounter_servfail);
249 inc_stats(client, dns_nsstatscounter_formerr);
252 inc_stats(client, dns_nsstatscounter_failure);
256 log_queryerror(client, result, line, loglevel);
258 ns_client_error(client, result);
262 query_next(ns_client_t *client, isc_result_t result) {
264 inc_stats(client, dns_nsstatscounter_duplicate);
266 inc_stats(client, dns_nsstatscounter_dropped);
268 inc_stats(client, dns_nsstatscounter_failure);
269 ns_client_next(client, result);
273 query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
277 for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
287 ISC_LIST_UNLINK(client->query.freeversions, dbversion,
289 isc_mem_put(client->mctx, dbversion,
296 ns_query_cancel(ns_client_t *client) {
297 LOCK(&client->query.fetchlock);
298 if (client->query.fetch != NULL) {
299 dns_resolver_cancelfetch(client->query.fetch);
301 client->query.fetch = NULL;
303 UNLOCK(&client->query.fetchlock);
307 query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
314 dns_message_puttemprdataset(client->message, rdatasetp);
320 query_reset(ns_client_t *client, isc_boolean_t everything) {
325 * Reset the query state of a client to its default state.
331 ns_query_cancel(client);
336 for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
343 ISC_LIST_INITANDAPPEND(client->query.freeversions,
346 ISC_LIST_INIT(client->query.activeversions);
348 if (client->query.authdb != NULL)
349 dns_db_detach(&client->query.authdb);
350 if (client->query.authzone != NULL)
351 dns_zone_detach(&client->query.authzone);
353 if (client->query.dns64_aaaa != NULL)
354 query_putrdataset(client, &client->query.dns64_aaaa);
355 if (client->query.dns64_sigaaaa != NULL)
356 query_putrdataset(client, &client->query.dns64_sigaaaa);
357 if (client->query.dns64_aaaaok != NULL) {
358 isc_mem_put(client->mctx, client->query.dns64_aaaaok,
359 client->query.dns64_aaaaoklen *
361 client->query.dns64_aaaaok = NULL;
362 client->query.dns64_aaaaoklen = 0;
365 query_freefreeversions(client, everything);
367 for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
372 ISC_LIST_UNLINK(client->query.namebufs, dbuf, link);
377 if (client->query.restarts > 0) {
379 * client->query.qname was dynamically allocated.
381 dns_message_puttempname(client->message,
382 &client->query.qname);
384 client->query.qname = NULL;
385 client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
388 client->query.restarts = 0;
389 client->query.timerset = ISC_FALSE;
390 if (client->query.rpz_st != NULL) {
391 rpz_st_clear(client);
393 isc_mem_put(client->mctx, client->query.rpz_st,
394 sizeof(*client->query.rpz_st));
395 client->query.rpz_st = NULL;
398 client->query.origqname = NULL;
399 client->query.dboptions = 0;
400 client->query.fetchoptions = 0;
401 client->query.gluedb = NULL;
402 client->query.authdbset = ISC_FALSE;
403 client->query.isreferral = ISC_FALSE;
404 client->query.dns64_options = 0;
405 client->query.dns64_ttl = ISC_UINT32_MAX;
409 query_next_callback(ns_client_t *client) {
410 query_reset(client, ISC_FALSE);
414 ns_query_free(ns_client_t *client) {
415 query_reset(client, ISC_TRUE);
419 query_newnamebuf(ns_client_t *client) {
429 result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
434 ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
441 query_getnamebuf(ns_client_t *client) {
452 if (ISC_LIST_EMPTY(client->query.namebufs)) {
453 result = query_newnamebuf(client);
460 dbuf = ISC_LIST_TAIL(client->query.namebufs);
464 result = query_newnamebuf(client);
470 dbuf = ISC_LIST_TAIL(client->query.namebufs);
479 query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
488 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0);
493 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
497 query_releasename(ns_client_t *client, dns_name_t **namep) {
508 INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
510 client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
512 dns_message_puttempname(client->message, namep);
517 query_newname(ns_client_t *client, isc_buffer_t *dbuf,
524 REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
528 result = dns_message_gettempname(client->message, &name);
537 client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
544 query_newrdataset(ns_client_t *client) {
550 result = dns_message_gettemprdataset(client->message, &rdataset);
563 query_newdbversion(ns_client_t *client, unsigned int n) {
568 dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
572 ISC_LIST_INITANDAPPEND(client->query.freeversions,
590 query_getdbversion(ns_client_t *client) {
594 if (ISC_LIST_EMPTY(client->query.freeversions)) {
595 result = query_newdbversion(client, 1);
599 dbversion = ISC_LIST_HEAD(client->query.freeversions);
601 ISC_LIST_UNLINK(client->query.freeversions, dbversion, link);
607 ns_query_init(ns_client_t *client) {
610 ISC_LIST_INIT(client->query.namebufs);
611 ISC_LIST_INIT(client->query.activeversions);
612 ISC_LIST_INIT(client->query.freeversions);
613 client->query.restarts = 0;
614 client->query.timerset = ISC_FALSE;
615 client->query.rpz_st = NULL;
616 client->query.qname = NULL;
617 result = isc_mutex_init(&client->query.fetchlock);
620 client->query.fetch = NULL;
621 client->query.authdb = NULL;
622 client->query.authzone = NULL;
623 client->query.authdbset = ISC_FALSE;
624 client->query.isreferral = ISC_FALSE;
625 client->query.dns64_aaaa = NULL;
626 client->query.dns64_sigaaaa = NULL;
627 client->query.dns64_aaaaok = NULL;
628 client->query.dns64_aaaaoklen = 0;
629 query_reset(client, ISC_FALSE);
630 result = query_newdbversion(client, 3);
632 DESTROYLOCK(&client->query.fetchlock);
635 result = query_newnamebuf(client);
637 query_freefreeversions(client, ISC_TRUE);
643 query_findversion(ns_client_t *client, dns_db_t *db)
652 for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
664 dbversion = query_getdbversion(client);
671 ISC_LIST_APPEND(client->query.activeversions,
679 query_validatezonedb(ns_client_t *client, dns_name_t *name,
697 if (!client->view->additionalfromauth &&
698 client->query.authdbset &&
699 db != client->query.authdb)
708 !RECURSIONOK(client)) {
723 dbversion = query_findversion(client, db);
737 queryacl = client->view->queryacl;
738 if ((client->query.attributes &
742 * NS_QUERYATTR_QUERYOK is set, then the client is
747 if ((client->query.attributes &
757 result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
763 client->view->rdclass,
765 ns_client_log(client,
773 client->view->rdclass,
775 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
781 if (queryacl == client->view->queryacl) {
788 client->query.attributes |= NS_QUERYATTR_QUERYOK;
794 client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
801 queryonacl = client->view->queryonacl;
803 result = ns_client_checkaclsilent(client, &client->destaddr,
807 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
827 query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
846 result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
856 result = query_validatezonedb(client, name, qtype, options, zone, db,
880 rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled,
906 dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf));
909 ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
917 rpz_log_fail(ns_client_t *client, int level,
930 dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
932 ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
943 rpz_getdb(ns_client_t *client, dns_rpz_type_t rpz_type, dns_name_t *rpz_qname,
951 result = query_getzonedb(client, rpz_qname, dns_rdatatype_any,
955 dns_name_format(client->query.qname, namebuf1,
958 ns_client_log(client, DNS_LOGCATEGORY_RPZ,
967 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, rpz_qname,
973 query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
984 * This may fail with DNS_R_REFUSED if the client
988 if (!USECACHE(client))
990 dns_db_attach(client->view->cachedb, &db);
992 if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) != 0) {
995 * NS_QUERYATTR_CACHEACLOK is set, then the client is
1000 if ((client->query.attributes & NS_QUERYATTR_CACHEACLOK) == 0)
1013 result = ns_client_checkaclsilent(client, NULL,
1014 client->view->cacheacl,
1021 client->query.attributes |=
1027 client->view->rdclass,
1029 ns_client_log(client,
1037 client->view->rdclass, msg,
1039 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
1047 client->query.attributes |= NS_QUERYATTR_CACHEACLOKVALID;
1071 query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
1092 result = query_getzonedb(client, name, qtype, options, &zone,
1102 if (zonelabels < namelabels && client->view->dlzdatabase != NULL) {
1103 tresult = dns_dlzfindzone(client->view, name,
1151 result = query_getcachedb(client, name, qtype, dbp, options);
1158 query_isduplicate(ns_client_t *client, dns_name_t *name,
1170 result = dns_message_findname(client->message, section,
1198 ns_client_t *client = arg;
1213 REQUIRE(NS_CLIENT_VALID(client));
1216 if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
1237 dns_clientinfo_init(&ci, client);
1253 dbuf = query_getnamebuf(client);
1256 fname = query_newname(client, dbuf, &b);
1257 rdataset = query_newrdataset(client);
1260 if (WANTDNSSEC(client)) {
1261 sigrdataset = query_newrdataset(client);
1270 result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
1284 client->query.dboptions,
1285 client->now, &node, fname, &cm, &ci,
1308 result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
1311 * Most likely the client isn't allowed to query the cache.
1318 sigrdataset = query_newrdataset(client);
1323 client->query.dboptions |
1325 client->now, &node, fname, &cm, &ci,
1328 validate(client, db, fname, rdataset, sigrdataset))
1330 if (!WANTDNSSEC(client))
1331 query_putrdataset(client, &sigrdataset);
1356 * case (identified by client->query.gluedb being set).
1359 if (client->query.gluedb == NULL)
1365 if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
1368 dns_db_attach(client->query.gluedb, &db);
1370 client->query.dboptions | DNS_DBFIND_GLUEOK,
1371 client->now, &node, fname, &cm, &ci,
1383 query_keepname(client, fname, dbuf);
1391 !query_isduplicate(client, fname, type, &mname)) {
1394 query_releasename(client, &fname);
1430 rdataset = query_newrdataset(client);
1437 } else if (WANTDNSSEC(client)) {
1438 sigrdataset = query_newrdataset(client);
1442 if (query_isduplicate(client, fname, dns_rdatatype_a, NULL))
1446 client->now,
1461 if (!query_isduplicate(client, fname,
1465 query_releasename(client, &fname);
1478 query_newrdataset(client);
1480 rdataset = query_newrdataset(client);
1483 if (WANTDNSSEC(client) && sigrdataset == NULL)
1493 if (query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
1497 client->now,
1514 (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
1515 (client->filter_aaaa == dns_v4_aaaa_filter &&
1516 (!WANTDNSSEC(client) || sigrdataset == NULL ||
1520 if (!query_isduplicate(client, fname,
1524 query_releasename(client, &fname);
1557 dns_message_addname(client->message, fname,
1580 client);
1585 query_putrdataset(client, &rdataset);
1587 query_putrdataset(client, &sigrdataset);
1589 query_releasename(client, &fname);
1602 query_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base,
1612 query_putrdataset(client, &rdataset);
1622 (void)dns_rdataset_putadditional(client->view->acache, rdataset_base,
1657 ns_client_t *client;
1678 client = additionalctx->client;
1679 REQUIRE(NS_CLIENT_VALID(client));
1681 if (qtype != dns_rdatatype_a || client->view->acache == NULL) {
1687 return (query_addadditional(additionalctx->client,
1713 dns_clientinfo_init(&ci, client);
1731 dbuf = query_getnamebuf(client);
1734 fname = query_newname(client, dbuf, &b);
1741 type, client->view->acache, &zone,
1743 client->message, client->now);
1755 query_discardcache(client, rdataset_base, additionaltype,
1774 result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG,
1777 query_discardcache(client, rdataset_base, additionaltype,
1789 query_keepname(client, fname, dbuf);
1797 result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
1802 type, client->view->acache,
1817 client->query.dboptions,
1818 client->now, &node, fname, &cm, &ci,
1825 type, client->view->acache, zone, db,
1839 result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
1842 * Most likely the client isn't allowed to query the cache.
1847 client->query.dboptions |
1849 client->now, &node, fname, &cm, &ci,
1871 * case (identified by client->query.gluedb being set).
1873 if (client->query.gluedb == NULL)
1879 if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
1885 type, client->view->acache, NULL,
1887 client->message, client->now);
1891 result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
1894 query_discardcache(client, rdataset_base, additionaltype,
1914 query_keepname(client, fname, dbuf);
1918 dns_db_attach(client->query.gluedb, &db);
1920 client->query.dboptions | DNS_DBFIND_GLUEOK,
1921 client->now, &node, fname, &cm, &ci,
1928 type, client->view->acache,
1942 query_keepname(client, fname, dbuf);
1945 rdataset = query_newrdataset(client);
1949 sigrdataset = query_newrdataset(client);
1954 query_isduplicate(client, fname, dns_rdatatype_a, NULL))
1958 * for a client using DNSSEC, we'll continue the process to make a
1964 client->now, rdataset, sigrdataset);
1973 !validate(client, db, fname, rdataset, sigrdataset)) {
1991 sigrdataset = query_newrdataset(client);
1993 rdataset = query_newrdataset(client);
2002 query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
2006 0, client->now, rdataset, sigrdataset);
2015 !validate(client, db, fname, rdataset, sigrdataset)) {
2039 type, client->view->acache,
2057 if (!query_isduplicate(client, fname, crdataset->type,
2071 query_releasename(client, &fname);
2084 need_sigrrset && WANTDNSSEC(client)) {
2106 dns_message_addname(client->message, fname,
2114 query_putrdataset(client, &rdataset);
2116 query_putrdataset(client, &sigrdataset);
2119 query_putrdataset(client, &crdataset);
2122 query_releasename(client, &fname);
2135 query_addrdataset(ns_client_t *client, dns_name_t *fname,
2142 * 'fname', a name in the response message for 'client'.
2149 if (client->view->order != NULL)
2150 rdataset->attributes |= dns_order_find(client->view->order,
2155 if (NOADDITIONAL(client))
2163 additionalctx.client = client;
2171 query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset,
2184 dns_view_t *view = client->view;
2190 * To the current response for 'client', add the answer RRset
2207 result = dns_message_findname(client->message, section,
2218 query_releasename(client, namep);
2225 query_keepname(client, name, dbuf);
2226 dns_message_addname(client->message, name, section);
2232 query_releasename(client, namep);
2238 client->query.attributes &= ~NS_QUERYATTR_SECURE;
2240 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
2242 result = isc_buffer_allocate(client->mctx, &buffer, view->dns64cnt *
2246 result = dns_message_gettemprdataset(client->message, &dns64_rdataset);
2249 result = dns_message_gettemprdatalist(client->message,
2258 if (client->query.dns64_ttl != ISC_UINT32_MAX)
2260 client->query.dns64_ttl);
2264 if (RECURSIONOK(client))
2277 for (dns64 = ISC_LIST_HEAD(client->view->dns64);
2284 client->signer,
2294 result = dns_message_gettemprdata(client->message,
2316 client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
2318 query_addrdataset(client, mname, dns64_rdataset);
2321 dns_message_takebuffer(client->message, &buffer);
2329 dns_message_puttemprdata(client->message, &dns64_rdata);
2332 dns_message_puttemprdataset(client->message, &dns64_rdataset);
2341 dns_message_puttemprdata(client->message, &dns64_rdata);
2343 dns_message_puttemprdatalist(client->message, &dns64_rdatalist);
2351 query_filter64(ns_client_t *client, dns_name_t **namep,
2367 INSIST(client->query.dns64_aaaaok != NULL);
2368 INSIST(client->query.dns64_aaaaoklen == dns_rdataset_count(rdataset));
2376 result = dns_message_findname(client->message, section,
2387 query_releasename(client, namep);
2395 query_releasename(client, namep);
2402 client->query.attributes &= ~NS_QUERYATTR_SECURE;
2404 result = isc_buffer_allocate(client->mctx, &buffer,
2408 result = dns_message_gettemprdataset(client->message, &myrdataset);
2411 result = dns_message_gettemprdatalist(client->message, &myrdatalist);
2425 if (!client->query.dns64_aaaaok[i++])
2432 result = dns_message_gettemprdata(client->message, &myrdata);
2448 client->query.attributes |= NS_QUERYATTR_NOADDITIONAL;
2451 query_keepname(client, name, dbuf);
2452 dns_message_addname(client->message, name, section);
2456 query_addrdataset(client, mname, myrdataset);
2459 dns_message_takebuffer(client->message, &buffer);
2466 dns_message_puttemprdata(client->message, &myrdata);
2469 dns_message_puttemprdataset(client->message, &myrdataset);
2477 dns_message_puttemprdata(client->message, &myrdata);
2479 dns_message_puttemprdatalist(client->message, &myrdatalist);
2482 query_releasename(client, &name);
2488 query_addrrset(ns_client_t *client, dns_name_t **namep,
2497 * To the current response for 'client', add the answer RRset
2515 result = dns_message_findname(client->message, section,
2525 query_releasename(client, namep);
2532 query_keepname(client, name, dbuf);
2533 dns_message_addname(client->message, name, section);
2539 query_releasename(client, namep);
2545 client->query.attributes &= ~NS_QUERYATTR_SECURE;
2551 query_addrdataset(client, mname, rdataset);
2564 query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
2585 dns_clientinfo_init(&ci, client);
2590 if (ns_g_nosoa && (!WANTDNSSEC(client) || !isassociated))
2596 result = dns_message_gettempname(client->message, &name);
2601 rdataset = query_newrdataset(client);
2606 if (WANTDNSSEC(client) && dns_db_issecure(db)) {
2607 sigrdataset = query_newrdataset(client);
2620 dns_rdatatype_soa, 0, client->now,
2630 client->query.dboptions, 0, &node,
2672 query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
2677 query_putrdataset(client, &rdataset);
2679 query_putrdataset(client, &sigrdataset);
2681 query_releasename(client, &name);
2689 query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
2710 dns_clientinfo_init(&ci, client);
2715 result = dns_message_gettempname(client->message, &name);
2722 rdataset = query_newrdataset(client);
2728 if (WANTDNSSEC(client) && dns_db_issecure(db)) {
2729 sigrdataset = query_newrdataset(client);
2743 dns_rdatatype_ns, 0, client->now,
2748 client->query.dboptions, 0, &node,
2765 query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
2771 query_putrdataset(client, &rdataset);
2773 query_putrdataset(client, &sigrdataset);
2775 query_releasename(client, &name);
2784 query_add_cname(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
2799 result = dns_message_gettempname(client->message, &aname);
2802 result = dns_name_dup(qname, client->mctx, aname);
2804 dns_message_puttempname(client->message, &aname);
2809 result = dns_message_gettemprdatalist(client->message, &rdatalist);
2811 dns_message_puttempname(client->message, &aname);
2815 result = dns_message_gettemprdata(client->message, &rdata);
2817 dns_message_puttempname(client->message, &aname);
2818 dns_message_puttemprdatalist(client->message, &rdatalist);
2822 result = dns_message_gettemprdataset(client->message, &rdataset);
2824 dns_message_puttempname(client->message, &aname);
2825 dns_message_puttemprdatalist(client->message, &rdatalist);
2826 dns_message_puttemprdata(client->message, &rdata);
2832 rdatalist->rdclass = client->message->rdclass;
2838 rdata->rdclass = client->message->rdclass;
2847 query_addrrset(client, &aname, &rdataset, NULL, NULL,
2852 dns_message_puttemprdataset(client->message, &rdataset);
2855 dns_message_puttempname(client->message, &aname);
2865 mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
2878 dns_clientinfo_init(&ci, client);
2889 client->view->acceptexpired);
2891 (void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
2893 (void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset,
2905 get_key(ns_client_t *client, dns_db_t *db, dns_rdata_rrsig_t *rrsig,
2915 dns_clientinfo_init(&ci, client);
2925 client->now, keyrdataset, NULL);
2946 client->mctx, keyp);
2962 dns_rdata_t *rdata, ns_client_t *client)
2972 client->view->maxbits, client->mctx,
2974 if (result == DNS_R_SIGEXPIRED && client->view->acceptexpired) {
2987 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
3008 if (!dns_resolver_algorithm_supported(client->view->resolver,
3015 if (!get_key(client, db, &rrsig, &keyrdataset, &key))
3017 if (verify(key, name, rdataset, &rdata, client)) {
3020 mark_secure(client, db, name, &rrsig,
3033 query_addbestns(ns_client_t *client) {
3063 dns_clientinfo_init(&ci, client);
3068 result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0,
3077 dbuf = query_getnamebuf(client);
3080 fname = query_newname(client, dbuf, &b);
3081 rdataset = query_newrdataset(client);
3085 * Get the RRSIGs if the client requested them or if we may
3088 if (WANTDNSSEC(client) || !is_zone) {
3089 sigrdataset = query_newrdataset(client);
3098 result = dns_db_findext(db, client->query.qname, version,
3100 client->query.dboptions,
3101 client->now, &node, fname,
3105 if (USECACHE(client)) {
3106 query_keepname(client, fname, dbuf);
3117 dns_db_attach(client->view->cachedb, &db);
3122 result = dns_db_findzonecut(db, client->query.qname,
3123 client->query.dboptions,
3124 client->now, &node, fname,
3146 query_releasename(client, &fname);
3156 query_putrdataset(client, &rdataset);
3158 query_putrdataset(client, &sigrdataset);
3170 && !validate(client, db, fname, rdataset, sigrdataset) &&
3171 !PENDINGOK(client->query.dboptions))
3176 !validate(client, db, fname, rdataset, sigrdataset) &&
3177 SECURE(client) && WANTDNSSEC(client))
3181 * If the answer is secure only add NS records if they are secure * when the client may be looking for AD in the response.
3183 if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) &&
3189 * If the client doesn't want DNSSEC we can discard the sigrdataset
3192 if (!WANTDNSSEC(client))
3193 query_putrdataset(client, &sigrdataset);
3194 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
3199 query_putrdataset(client, &rdataset);
3201 query_putrdataset(client, &sigrdataset);
3203 query_releasename(client, &fname);
3211 query_putrdataset(client, &zrdataset);
3213 query_putrdataset(client, &zsigrdataset);
3215 query_releasename(client, &zfname);
3221 fixrdataset(ns_client_t *client, dns_rdataset_t **rdataset) {
3223 *rdataset = query_newrdataset(client);
3229 fixfname(ns_client_t *client, dns_name_t **fname, isc_buffer_t **dbuf,
3233 *dbuf = query_getnamebuf(client);
3236 *fname = query_newname(client, *dbuf, nbuf);
3241 query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
3260 rdataset = query_newrdataset(client);
3261 sigrdataset = query_newrdataset(client);
3269 client->now, rdataset, sigrdataset);
3275 dns_rdatatype_nsec, 0, client->now,
3288 result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY);
3293 dns_message_currentname(client->message, DNS_SECTION_AUTHORITY,
3311 dbuf = query_getnamebuf(client);
3314 fname = query_newname(client, dbuf, &b);
3320 query_findclosestnsec3(name, db, version, client, rdataset,
3325 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
3336 fixfname(client, &fname, &dbuf, &b);
3337 fixrdataset(client, &rdataset);
3338 fixrdataset(client, &sigrdataset);
3342 client, rdataset, sigrdataset, fname,
3346 query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
3352 query_putrdataset(client, &rdataset);
3354 query_putrdataset(client, &sigrdataset);
3356 query_releasename(client, &fname);
3360 query_addwildcardproof(ns_client_t *client, dns_db_t *db,
3389 dns_clientinfo_init(&ci, client);
3433 options = client->query.dboptions | DNS_DBFIND_NOWILD;
3441 dbuf = query_getnamebuf(client);
3444 fname = query_newname(client, dbuf, &b);
3445 rdataset = query_newrdataset(client);
3446 sigrdataset = query_newrdataset(client);
3482 query_findclosestnsec3(cname, db, NULL, client, rdataset,
3487 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3494 dbuf = query_getnamebuf(client);
3497 fname = query_newname(client, dbuf, &b);
3501 rdataset = query_newrdataset(client);
3506 sigrdataset = query_newrdataset(client);
3521 query_findclosestnsec3(wname, db, NULL, client, rdataset,
3525 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3535 dbuf = query_getnamebuf(client);
3538 fname = query_newname(client, dbuf, &b);
3542 rdataset = query_newrdataset(client);
3547 sigrdataset = query_newrdataset(client);
3561 query_findclosestnsec3(wname, db, NULL, client, rdataset,
3565 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3598 query_addrrset(client, &fname, &rdataset, &sigrdataset,
3602 query_putrdataset(client, &rdataset);
3604 query_putrdataset(client, &sigrdataset);
3606 query_releasename(client, &fname);
3616 query_putrdataset(client, &rdataset);
3618 query_putrdataset(client, &sigrdataset);
3620 query_releasename(client, &fname);
3624 query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db,
3639 query_addrrset(client, namep, rdatasetp, sigrdatasetp,
3664 query_addwildcardproof(client, db, version, client->query.qname,
3670 dbuf = query_getnamebuf(client);
3673 fname = query_newname(client, dbuf, &b);
3680 query_addrrset(client, &fname, rdatasetp, sigrdatasetp,
3688 ns_client_t *client;
3701 client = devent->ev_arg;
3702 REQUIRE(NS_CLIENT_VALID(client));
3703 REQUIRE(task == client->task);
3704 REQUIRE(RECURSING(client));
3706 LOCK(&client->query.fetchlock);
3707 if (client->query.fetch != NULL) {
3711 INSIST(devent->fetch == client->query.fetch);
3712 client->query.fetch = NULL;
3715 * Update client->now.
3717 isc_stdtime_get(&client->now);
3725 UNLOCK(&client->query.fetchlock);
3726 INSIST(client->query.fetch == NULL);
3728 client->query.attributes &= ~NS_QUERYATTR_RECURSING;
3733 * If this client is shutting down, or this transaction
3736 client_shuttingdown = ns_client_shuttingdown(client);
3742 query_putrdataset(client, &devent->rdataset);
3744 query_putrdataset(client, &devent->sigrdataset);
3747 query_error(client, DNS_R_SERVFAIL, __LINE__);
3749 query_next(client, ISC_R_CANCELED);
3751 * This may destroy the client.
3753 ns_client_detach(&client);
3755 result = query_find(client, devent, 0);
3774 query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
3783 inc_stats(client, dns_nsstatscounter_recursion);
3786 * We are about to recurse, which means that this client will
3788 * amount of time. If this client is currently responsible
3789 * for handling incoming queries, set up a new client
3795 if (client->recursionquota == NULL) {
3797 &client->recursionquota);
3804 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
3810 client->recursionquota->used,
3811 client->recursionquota->soft,
3812 client->recursionquota->max);
3814 ns_client_killoldestquery(client);
3822 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
3832 ns_client_killoldestquery(client);
3834 if (result == ISC_R_SUCCESS && !client->mortal &&
3835 (client->attributes & NS_CLIENTATTR_TCP) == 0) {
3836 result = ns_client_replace(client);
3838 ns_client_log(client, NS_LOGCATEGORY_CLIENT,
3843 isc_quota_detach(&client->recursionquota);
3848 ns_client_recursing(client);
3855 REQUIRE(client->query.fetch == NULL);
3857 rdataset = query_newrdataset(client);
3860 if (WANTDNSSEC(client)) {
3861 sigrdataset = query_newrdataset(client);
3863 query_putrdataset(client, &rdataset);
3869 if (client->query.timerset == ISC_FALSE)
3870 ns_client_settimeout(client, 60);
3871 if ((client->attributes & NS_CLIENTATTR_TCP) == 0)
3872 peeraddr = &client->peeraddr;
3875 result = dns_resolver_createfetch3(client->view->resolver,
3877 NULL, peeraddr, client->message->id,
3878 client->query.fetchoptions, 0,
3879 client->task, query_resume, client,
3881 &client->query.fetch);
3885 * Record that we're waiting for an event. A client which
3890 query_putrdataset(client, &rdataset);
3892 query_putrdataset(client, &sigrdataset);
3923 rpz_ready(ns_client_t *client, dns_zone_t **zonep, dns_db_t **dbp,
3930 *rdatasetp = query_newrdataset(client);
3938 rpz_st_clear(ns_client_t *client) {
3939 dns_rpz_st_t *st = client->query.rpz_st;
3942 query_putrdataset(client, &st->m.rdataset);
3947 query_putrdataset(client, &st->r.ns_rdataset);
3949 query_putrdataset(client, &st->r.r_rdataset);
3953 query_putrdataset(client, &st->q.rdataset);
3955 query_putrdataset(client, &st->q.sigrdataset);
3965 rpz_rrset_find(ns_client_t *client, dns_rpz_type_t rpz_type,
3980 dns_clientinfo_init(&ci, client);
3982 st = client->query.rpz_st;
3992 query_putrdataset(client, rdatasetp);
3997 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
4006 result = rpz_ready(client, NULL, NULL, NULL, rdatasetp);
4018 result = query_getdb(client, name, type, 0, &zone, dbp,
4021 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
4037 client->now, &node, found,
4039 if (result == DNS_R_DELEGATION && is_zone && USECACHE(client)) {
4046 dns_db_attach(client->view->cachedb, dbp);
4048 0, client->now, &node, found,
4062 result = query_recurse(client, type, st->r_name,
4078 rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset,
4088 st = client->query.rpz_st;
4090 st->m.rdataset = query_newrdataset(client);
4096 for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
4099 if (!RECURSIONOK(client) && rpz->recursive_only)
4118 result = rpz_getdb(client, rpz_type, &rpz->origin,
4131 rdataset, st, client->query.rpz_st->qname);
4142 rpz_rewrite_rrset(ns_client_t *client, dns_rpz_type_t rpz_type,
4149 result = rpz_rrset_find(client, rpz_type, name, type, dbp, version,
4155 result = rpz_rewrite_ip(client, *rdatasetp, rpz_type);
4172 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, rpz_type,
4177 if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
4178 client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR;
4179 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
4194 rpz_rewrite_rrsets(ns_client_t *client, dns_rpz_type_t rpz_type,
4203 st = client->query.rpz_st;
4211 result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_a,
4224 result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_aaaa,
4237 rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
4253 dns_clientinfo_init(&ci, client);
4255 result = rpz_ready(client, zonep, dbp, nodep, rdatasetp);
4266 result = rpz_getdb(client, rpz_type, qnamef, zonep, dbp, versionp);
4275 client->now, nodep, found, &cm, &ci,
4285 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
4302 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
4321 qtype, 0, client->now,
4361 (void)dns_db_rpz_enabled(*dbp, client->query.rpz_st);
4370 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef,
4383 rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
4398 st = client->query.rpz_st;
4403 for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
4406 if (!RECURSIONOK(client) && rpz->recursive_only)
4443 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
4449 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1,
4459 result = rpz_find(client, qtype, rpz_qname, qname, rpz,
4523 rpz_log_rewrite(client, ISC_TRUE, policy,
4563 rpz_rewrite_ns_skip(ns_client_t *client, dns_name_t *nsname,
4568 st = client->query.rpz_st;
4571 rpz_log_fail(client, level, DNS_RPZ_TYPE_NSIP, nsname,
4584 rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
4594 st = client->query.rpz_st;
4596 st = isc_mem_get(client->mctx, sizeof(*st));
4612 client->query.rpz_st = st;
4640 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, DNS_RPZ_TYPE_QNAME,
4641 client->query.qname,
4646 rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, DNS_RPZ_TYPE_QNAME,
4647 client->query.qname,
4660 result = rpz_rewrite_name(client, qtype, client->query.qname,
4665 st->r.label = dns_name_countlabels(client->query.qname);
4678 result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_IP,
4679 client->query.qname, qtype,
4697 dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
4698 while (st->r.label > client->view->rpz_min_ns_labels) {
4702 if (st->r.label == dns_name_countlabels(client->query.qname)) {
4703 nsname = client->query.qname;
4706 dns_name_split(client->query.qname, st->r.label,
4712 result = rpz_rrset_find(client, DNS_RPZ_TYPE_NSDNAME,
4739 rpz_rewrite_ns_skip(client, nsname, result,
4745 rpz_rewrite_ns_skip(client, nsname, result,
4750 rpz_rewrite_ns_skip(client, nsname, result,
4767 rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
4787 result = rpz_rewrite_name(client, qtype,
4800 result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_NSIP,
4829 rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
4837 query_putrdataset(client, &rdataset);
4846 * by the client in DNSSEC or a lack of signatures.
4849 rpz_ck_dnssec(ns_client_t *client, isc_result_t result,
4857 if (client->view->rpz_break_dnssec)
4860 * sigrdataset == NULL if and only !WANTDNSSEC(client)
4909 rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
4919 dns_name_split(client->query.qname, 1,
4928 client->message->rcode = dns_rcode_yxdomain;
4935 query_keepname(client, fname, dbuf);
4936 result = query_add_cname(client, client->query.qname,
4940 rpz_log_rewrite(client, ISC_FALSE, st->m.policy,
4942 ns_client_qnamereplace(client, fname);
4947 client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
5026 * Find the sortlist statement that applies to 'client' and set up
5027 * the sortlist info in in client->message appropriately.
5030 setup_query_sortlist(ns_client_t *client) {
5035 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
5036 switch (ns_sortlist_setup(client->view->sortlist,
5051 dns_message_setsortorder(client->message, order, order_arg);
5055 query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
5067 dbuf = query_getnamebuf(client);
5070 fname = query_newname(client, dbuf, &b);
5071 neg = query_newrdataset(client);
5072 negsig = query_newrdataset(client);
5079 query_addrrset(client, &fname, &neg, &negsig, dbuf,
5086 dbuf = query_getnamebuf(client);
5089 fname = query_newname(client, dbuf, &b);
5092 neg = query_newrdataset(client);
5096 negsig = query_newrdataset(client);
5104 query_addrrset(client, &fname, &neg, &negsig, dbuf,
5109 query_putrdataset(client, &neg);
5111 query_putrdataset(client, &negsig);
5113 query_releasename(client, &fname);
5117 answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) {
5123 msg = client->message;
5127 if (dns_name_equal(name, client->query.qname)) {
5210 warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
5236 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
5250 dns_dbversion_t *version, ns_client_t *client,
5280 dns_clientinfo_init(&ci, client);
5296 dboptions = client->query.dboptions | DNS_DBFIND_FORCENSEC3;
5298 dns_rdatatype_nsec3, dboptions, client->now,
5320 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
5326 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
5334 ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
5348 is_v4_client(ns_client_t *client) {
5349 if (isc_sockaddr_pf(&client->peeraddr) == AF_INET)
5351 if (isc_sockaddr_pf(&client->peeraddr) == AF_INET6 &&
5352 IN6_IS_ADDR_V4MAPPED(&client->peeraddr.type.sin6.sin6_addr))
5395 dns64_aaaaok(ns_client_t *client, dns_rdataset_t *rdataset,
5399 dns_dns64_t *dns64 = ISC_LIST_HEAD(client->view->dns64);
5404 INSIST(client->query.dns64_aaaaok == NULL);
5405 INSIST(client->query.dns64_aaaaoklen == 0);
5406 INSIST(client->query.dns64_aaaa == NULL);
5407 INSIST(client->query.dns64_sigaaaa == NULL);
5412 if (RECURSIONOK(client))
5419 aaaaok = isc_mem_get(client->mctx, sizeof(isc_boolean_t) * count);
5421 isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
5422 if (dns_dns64_aaaaok(dns64, &netaddr, client->signer,
5427 client->query.dns64_aaaaok = aaaaok;
5428 client->query.dns64_aaaaoklen = count;
5433 isc_mem_put(client->mctx, aaaaok,
5438 isc_mem_put(client->mctx, aaaaok,
5448 * Only perform the update if the client is in the allow query acl and
5452 redirect(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
5469 if (client->view->redirect == NULL)
5477 dns_clientinfo_init(&ci, client);
5479 if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))
5482 if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) {
5504 result = ns_client_checkaclsilent(client, NULL,
5505 dns_zone_getqueryacl(client->view->redirect),
5510 result = dns_zone_getdb(client->view->redirect, &db);
5514 dbversion = query_findversion(client, db);
5523 result = dns_db_findext(db, client->query.qname, dbversion->version,
5524 qtype, 0, client->now, &node, found, &cm, &ci,
5552 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
5559 * Do the bulk of query processing for the current query of 'client'.
5564 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
5630 dns_clientinfo_init(&ci, client);
5639 rpz_st = client->query.rpz_st;
5661 query_putrdataset(client, &event->sigrdataset);
5677 if (DNS64(client)) {
5678 client->query.attributes &= ~NS_QUERYATTR_DNS64;
5681 if (DNS64EXCLUDE(client)) {
5682 client->query.attributes &= ~NS_QUERYATTR_DNS64EXCLUDE;
5689 dbuf = query_getnamebuf(client);
5694 fname = query_newname(client, dbuf, &b);
5741 if (client->view->checknames &&
5742 !dns_rdata_checkowner(client->query.qname,
5743 client->message->rdclass,
5749 dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
5751 dns_rdataclass_format(client->message->rdclass, classname,
5753 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
5766 !dns_name_equal(client->query.qname, dns_rootname))
5768 result = query_getdb(client, client->query.qname, qtype, options,
5770 if ((result != ISC_R_SUCCESS || !is_zone) && !RECURSIONOK(client) &&
5781 tresult = query_getzonedb(client, client->query.qname, qtype,
5786 query_putrdataset(client, &rdataset);
5805 if (WANTRECURSION(client)) {
5806 inc_stats(client,
5809 inc_stats(client, dns_nsstatscounter_authrej);
5810 if (!PARTIALANSWER(client))
5825 if (event == NULL && client->query.restarts == 0) {
5832 dns_zone_attach(zone, &client->query.authzone);
5834 dns_db_attach(db, &client->query.authdb);
5836 client->query.authdbset = ISC_TRUE;
5844 dbuf = query_getnamebuf(client);
5849 fname = query_newname(client, dbuf, &b);
5850 rdataset = query_newrdataset(client);
5855 if (WANTDNSSEC(client) && (!is_zone || dns_db_issecure(db))) {
5856 sigrdataset = query_newrdataset(client);
5866 result = dns_db_findext(db, client->query.qname, version, type,
5867 client->query.dboptions, client->now,
5875 * Rate limit these responses to this client.
5884 if (client->view->rrl != NULL &&
5886 (result == ISC_R_NOTFOUND && !RECURSIONOK(client))) &&
5887 !(result == DNS_R_DELEGATION && !is_zone && RECURSIONOK(client)) &&
5888 (client->query.rpz_st == NULL ||
5889 (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0)&&
5890 (client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) {
5897 client->query.attributes |= NS_QUERYATTR_RRL_CHECKED;
5948 rrl_result = dns_rrl(client->view, &client->peeraddr,
5949 ISC_TF((client->attributes
5951 client->message->rdclass, qtype, tname,
5952 resp_result, client->now,
5966 ns_client_log(client,
5972 if (!client->view->rrl->log_only) {
5978 inc_stats(client,
5986 inc_stats(client,
5988 client->message->flags |=
5991 client->message->rcode =
6000 if (!ISC_LIST_EMPTY(client->view->rpz_zones) &&
6001 (RECURSIONOK(client) || !client->view->rpz_recursive_only) &&
6002 rpz_ck_dnssec(client, result, rdataset, sigrdataset) &&
6003 !RECURSING(client) &&
6004 (client->query.rpz_st == NULL ||
6005 (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) &&
6006 !dns_name_equal(client->query.qname, dns_rootname)) {
6009 rresult = rpz_rewrite(client, qtype, result, resuming);
6010 rpz_st = client->query.rpz_st;
6034 client->query.attributes |= NS_QUERYATTR_RECURSING;
6046 result = dns_name_copy(client->query.qname,
6052 query_putrdataset(client, &rdataset);
6102 result = rpz_add_cname(client, rpz_st,
6115 result = rpz_add_cname(client, rpz_st,
6131 client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
6133 query_putrdataset(client, &sigrdataset);
6136 rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
6164 if (client->view->hints == NULL) {
6168 dns_db_attach(client->view->hints, &db);
6171 0, client->now, &node,
6192 if (RECURSIONOK(client)) {
6193 result = query_recurse(client, qtype,
6194 client->query.qname,
6197 client->query.attributes |=
6200 client->query.attributes |=
6203 client->query.attributes |=
6225 if (!RECURSIONOK(client) &&
6231 result = query_getzonedb(client,
6232 client->query.qname,
6239 query_putrdataset(client, &rdataset);
6241 query_putrdataset(client,
6244 query_releasename(client,
6266 if (!USECACHE(client) || !RECURSIONOK(client)) {
6277 * If the client is making a nonrecursive
6286 * database by setting client->query.gluedb.
6288 client->query.gluedb = db;
6289 client->query.isreferral = ISC_TRUE;
6296 client->query.attributes &=
6302 query_addrrset(client, &fname,
6305 client->query.gluedb = NULL;
6306 if (WANTDNSSEC(client))
6307 query_addds(client, db, node, version,
6318 query_keepname(client, fname, dbuf);
6330 dns_db_attach(client->view->cachedb, &db);
6353 query_releasename(client, &fname);
6363 query_putrdataset(client, &rdataset);
6365 query_putrdataset(client,
6380 if (RECURSIONOK(client)) {
6385 result = query_recurse(client, qtype,
6386 client->query.qname,
6389 result = query_recurse(client,
6391 client->query.qname,
6394 result = query_recurse(client, qtype,
6395 client->query.qname,
6400 client->query.attributes |=
6403 client->query.attributes |=
6406 client->query.attributes |=
6422 client->query.attributes |=
6424 client->query.gluedb = zdb;
6425 client->query.isreferral = ISC_TRUE;
6432 client->query.attributes &=
6438 query_addrrset(client, &fname,
6441 client->query.gluedb = NULL;
6442 client->query.attributes &=
6444 if (WANTDNSSEC(client))
6445 query_addds(client, db, node, version,
6466 query_putrdataset(client, &rdataset);
6468 query_putrdataset(client, &sigrdataset);
6469 rdataset = client->query.dns64_aaaa;
6470 sigrdataset = client->query.dns64_sigaaaa;
6471 client->query.dns64_aaaa = NULL;
6472 client->query.dns64_sigaaaa = NULL;
6474 dbuf = query_getnamebuf(client);
6479 fname = query_newname(client, dbuf, &b);
6485 dns_name_copy(client->query.qname, fname, NULL);
6495 !ISC_LIST_EMPTY(client->view->dns64) &&
6496 client->message->rdclass == dns_rdataclass_in &&
6503 INSIST(client->query.dns64_aaaa == NULL);
6504 INSIST(client->query.dns64_sigaaaa == NULL);
6505 client->query.dns64_aaaa = rdataset;
6506 client->query.dns64_sigaaaa = sigrdataset;
6507 client->query.dns64_ttl = dns64_ttl(db, version);
6508 query_releasename(client, &fname);
6513 rpz_st = client->query.rpz_st;
6520 rpz_st_clear(client);
6531 WANTDNSSEC(client)) {
6538 qname = client->query.qname;
6541 client, rdataset,
6560 query_addrrset(client, &fname,
6573 fixfname(client, &fname, &dbuf, &b);
6574 fixrdataset(client, &rdataset);
6575 fixrdataset(client, &sigrdataset);
6588 client,
6596 query_releasename(client, &fname);
6597 query_addwildcardproof(client, db, version,
6598 client->query.qname,
6608 query_keepname(client, fname, dbuf);
6615 query_releasename(client, &fname);
6620 result = query_addsoa(client, db, version, ISC_UINT32_MAX,
6629 if (WANTDNSSEC(client)) {
6631 query_addnxrrsetnsec(client, db, version,
6644 redirect(client, fname, rdataset, &node, &db, &version,
6653 query_keepname(client, fname, dbuf);
6660 query_releasename(client, &fname);
6672 result = query_addsoa(client, db, version, 0,
6675 result = query_addsoa(client, db, version,
6683 if (WANTDNSSEC(client)) {
6688 query_addrrset(client, &fname, &rdataset,
6691 query_addwildcardproof(client, db, version,
6692 client->query.qname, ISC_FALSE,
6700 client->message->rcode = dns_rcode_noerror;
6702 client->message->rcode = dns_rcode_nxdomain;
6706 if (redirect(client, fname, rdataset, &node, &db, &version,
6717 client->message->rcode = dns_rcode_nxdomain;
6723 client->message->rdclass == dns_rdataclass_in &&
6725 warn_rfc1918(client, fname, rdataset);
6737 query_putrdataset(client, &rdataset);
6739 query_putrdataset(client, &sigrdataset);
6740 rdataset = client->query.dns64_aaaa;
6741 sigrdataset = client->query.dns64_sigaaaa;
6742 client->query.dns64_aaaa = NULL;
6743 client->query.dns64_sigaaaa = NULL;
6745 dbuf = query_getnamebuf(client);
6750 fname = query_newname(client, dbuf, &b);
6756 dns_name_copy(client->query.qname, fname, NULL);
6763 !ISC_LIST_EMPTY(client->view->dns64) &&
6764 client->message->rdclass == dns_rdataclass_in &&
6771 INSIST(client->query.dns64_aaaa == NULL);
6772 INSIST(client->query.dns64_sigaaaa == NULL);
6773 client->query.dns64_aaaa = rdataset;
6774 client->query.dns64_sigaaaa = sigrdataset;
6781 client->query.dns64_ttl = rdataset->ttl;
6783 client->query.dns64_ttl = 0;
6784 query_releasename(client, &fname);
6790 rpz_st = client->query.rpz_st;
6797 rpz_st_clear(client);
6807 query_keepname(client, fname, dbuf);
6808 dns_message_addname(client->message, fname,
6829 if (WANTDNSSEC(client) &&
6837 if (NOQNAME(rdataset) && WANTDNSSEC(client))
6841 query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
6844 query_addnoqnameproof(client, noqname);
6849 client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
6855 result = dns_message_gettempname(client->message, &tname);
6860 dns_message_puttempname(client->message, &tname);
6867 dns_message_puttempname(client->message, &tname);
6871 result = dns_name_dup(&cname.cname, client->mctx, tname);
6873 dns_message_puttempname(client->message, &tname);
6878 ns_client_qnamereplace(client, tname);
6880 if (!WANTRECURSION(client))
6889 namereln = dns_name_fullcompare(client->query.qname, fname,
6905 if (WANTDNSSEC(client) &&
6913 query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
6919 client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
6924 result = dns_message_gettempname(client->message, &tname);
6929 dns_message_puttempname(client->message, &tname);
6936 dns_message_puttempname(client->message, &tname);
6947 dns_name_split(client->query.qname, nlabels, prefix, NULL);
6949 dbuf = query_getnamebuf(client);
6951 dns_message_puttempname(client->message, &tname);
6954 fname = query_newname(client, dbuf, &b);
6956 dns_message_puttempname(client->message, &tname);
6960 dns_message_puttempname(client->message, &tname);
6968 client->message->rcode = dns_rcode_yxdomain;
6972 query_keepname(client, fname, dbuf);
6987 result = query_add_cname(client, client->query.qname, fname,
6994 ns_client_qnamereplace(client, fname);
6997 if (!WANTRECURSION(client))
7008 if (WANTDNSSEC(client) &&
7017 if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
7018 is_v4_client(client) &&
7019 ns_client_checkaclsilent(client, NULL,
7020 client->view->v4_aaaa_acl,
7022 client->filter_aaaa = client->view->v4_aaaa;
7024 client->filter_aaaa = dns_v4_aaaa_ok;
7066 query_keepname(client, fname, dbuf);
7076 if (client->filter_aaaa != dns_v4_aaaa_ok) {
7098 if (NOQNAME(rdataset) && WANTDNSSEC(client))
7102 rpz_st = client->query.rpz_st;
7106 query_addrrset(client,
7111 query_addnoqnameproof(client, noqname);
7119 query_putrdataset(client, &rdataset);
7120 rdataset = query_newrdataset(client);
7137 if (client->filter_aaaa == dns_v4_aaaa_break_dnssec)
7138 client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
7139 else if (client->filter_aaaa != dns_v4_aaaa_ok &&
7141 (!have_sig || !WANTDNSSEC(client)))
7142 client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
7145 dns_message_puttempname(client->message, &fname);
7159 client->attributes &= ~NS_CLIENTATTR_RA;
7166 dns_name_format(client->query.qname,
7169 ns_client_log(client,
7178 fname = query_newname(client, dbuf, &b);
7204 if (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
7205 (client->filter_aaaa == dns_v4_aaaa_filter &&
7206 (!WANTDNSSEC(client) || sigrdataset == NULL ||
7210 trdataset = query_newrdataset(client);
7213 client->now,
7217 query_putrdataset(client, &trdataset);
7225 * for this client, although that could be
7233 client->attributes |=
7237 !RECURSIONOK(client) ||
7240 client->attributes &=
7251 result = query_recurse(client,
7253 client->query.qname,
7256 client->attributes |=
7258 client->query.attributes |=
7264 (client->attributes &
7266 client->attributes &=
7268 client->attributes |=
7282 INSIST(client->query.dns64_aaaaok == NULL);
7285 !ISC_LIST_EMPTY(client->view->dns64) &&
7286 client->message->rdclass == dns_rdataclass_in &&
7287 !dns64_aaaaok(client, rdataset, sigrdataset)) {
7292 client->query.dns64_aaaa = rdataset;
7293 client->query.dns64_sigaaaa = sigrdataset;
7294 client->query.dns64_ttl = rdataset->ttl;
7295 query_releasename(client, &fname);
7300 rpz_st = client->query.rpz_st;
7307 rpz_st_clear(client);
7317 if (NOQNAME(rdataset) && WANTDNSSEC(client))
7325 dns_name_equal(client->query.qname, dns_rootname))
7326 client->query.attributes &= ~NS_QUERYATTR_NOADDITIONAL;
7330 result = query_dns64(client, &fname, rdataset,
7334 dns_message_puttemprdataset(client->message, &rdataset);
7343 (void)query_addsoa(client, db, version,
7356 } else if (client->query.dns64_aaaaok != NULL) {
7357 query_filter64(client, &fname, rdataset, dbuf,
7359 query_putrdataset(client, &rdataset);
7361 query_addrrset(client, &fname, &rdataset,
7365 query_addnoqnameproof(client, noqname);
7379 if (!want_restart && !NOAUTHORITY(client)) {
7383 dns_name_equal(client->query.qname,
7385 (void)query_addns(client, db, version);
7388 query_releasename(client, &fname);
7389 query_addbestns(client);
7398 query_addwildcardproof(client, db, version,
7406 rpz_st = client->query.rpz_st;
7412 query_putrdataset(client, &rdataset);
7414 query_putrdataset(client, &sigrdataset);
7416 query_releasename(client, &fname);
7424 query_putrdataset(client, &zrdataset);
7426 query_putrdataset(client, &zsigrdataset);
7428 query_releasename(client, &zfname);
7437 if (client->query.restarts == 0 && !authoritative) {
7442 client->message->flags &= ~DNS_MESSAGEFLAG_AA;
7448 if (want_restart && client->query.restarts < MAX_RESTARTS) {
7449 client->query.restarts++;
7455 (!PARTIALANSWER(client) || WANTRECURSION(client)
7459 (!PARTIALANSWER(client) || WANTRECURSION(client)))
7469 query_next(client, eresult);
7472 * If we don't have any answer to give the client,
7473 * or if the client requested recursion and thus wanted
7477 query_error(client, eresult, line);
7479 ns_client_detach(&client);
7480 } else if (!RECURSING(client)) {
7487 setup_query_sortlist(client);
7494 if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) &&
7495 client->message->rcode == dns_rcode_noerror &&
7497 answer_in_glue(client, qtype);
7499 if (client->message->rcode == dns_rcode_nxdomain &&
7500 client->view->auth_nxdomain == ISC_TRUE)
7501 client->message->flags |= DNS_MESSAGEFLAG_AA;
7504 * If the response is somehow unexpected for the client and this
7509 (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) ||
7510 client->message->rcode != dns_rcode_noerror))
7513 query_send(client);
7514 ns_client_detach(&client);
7522 log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
7533 rdataset = ISC_LIST_HEAD(client->query.qname->list);
7535 dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
7538 isc_netaddr_format(&client->destaddr, onbuf, sizeof(onbuf));
7540 ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
7542 classname, typename, WANTRECURSION(client) ? "+" : "-",
7543 (client->signer != NULL) ? "S": "",
7544 (client->opt != NULL) ? "E" : "",
7545 ((client->attributes & NS_CLIENTATTR_TCP) != 0) ?
7553 log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) {
7570 if (client->query.origqname != NULL) {
7571 dns_name_format(client->query.origqname, namebuf,
7576 rdataset = ISC_LIST_HEAD(client->query.origqname->list);
7588 ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS, NS_LOGMODULE_QUERY,
7595 ns_query_start(ns_client_t *client) {
7597 dns_message_t *message = client->message;
7601 unsigned int saved_extflags = client->extflags;
7602 unsigned int saved_flags = client->message->flags;
7609 if (ns_g_clienttest && (client->attributes & NS_CLIENTATTR_TCP) == 0)
7610 RUNTIME_CHECK(ns_client_replace(client) == ISC_R_SUCCESS);
7615 client->next = query_next_callback;
7620 if (!client->view->enablednssec) {
7622 client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
7623 if (client->opt != NULL)
7624 client->opt->ttl &= ~DNS_MESSAGEEXTFLAG_DO;
7628 client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
7630 if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
7631 client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
7633 if (client->view->minimalresponses)
7634 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
7637 if ((client->view->cachedb == NULL)
7638 || (!client->view->additionalfromcache)) {
7643 client->query.attributes &=
7645 } else if ((client->attributes & NS_CLIENTATTR_RA) == 0 ||
7648 * If the client isn't allowed to recurse (due to
7653 client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
7661 query_error(client, result, __LINE__);
7665 &client->query.qname);
7666 client->query.origqname = client->query.qname;
7674 query_error(client, DNS_R_FORMERR, __LINE__);
7676 query_error(client, result, __LINE__);
7681 log_query(client, saved_flags, saved_extflags);
7687 query_error(client, DNS_R_FORMERR, __LINE__);
7694 rdataset = ISC_LIST_HEAD(client->query.qname->list);
7705 ns_xfr_start(client, rdataset->type);
7709 query_error(client, DNS_R_NOTIMP, __LINE__);
7712 result = dns_tkey_processquery(client->message,
7714 client->view->dynamickeys);
7716 query_send(client);
7718 query_error(client, result, __LINE__);
7721 query_error(client, DNS_R_FORMERR, __LINE__);
7730 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
7736 if (client->opt != NULL && client->udpsize <= 512U &&
7737 (client->attributes & NS_CLIENTATTR_TCP) == 0)
7738 client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
7742 * If the client has requested that DNSSEC checking be disabled,
7752 client->query.dboptions |= DNS_DBFIND_PENDINGOK;
7753 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
7754 } else if (!client->view->enablevalidation)
7755 client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
7762 client->query.attributes &= ~NS_QUERYATTR_SECURE;
7765 * Set NS_CLIENTATTR_WANTDNSSEC if the client has set AD in the query.
7769 client->attributes |= NS_CLIENTATTR_WANTAD;
7776 query_next(client, result);
7794 if (WANTDNSSEC(client) || WANTAD(client))
7798 ns_client_attach(client, &qclient);