1/* $NetBSD: resolver.h,v 1.9 2024/02/21 22:52:10 christos Exp $ */ 2 3/* 4 * Copyright (C) Internet Systems Consortium, Inc. ("ISC") 5 * 6 * SPDX-License-Identifier: MPL-2.0 7 * 8 * This Source Code Form is subject to the terms of the Mozilla Public 9 * License, v. 2.0. If a copy of the MPL was not distributed with this 10 * file, you can obtain one at https://mozilla.org/MPL/2.0/. 11 * 12 * See the COPYRIGHT file distributed with this work for additional 13 * information regarding copyright ownership. 14 */ 15 16#pragma once 17 18/***** 19***** Module Info 20*****/ 21 22/*! \file dns/resolver.h 23 * 24 * \brief 25 * This is the BIND 9 resolver, the module responsible for resolving DNS 26 * requests by iteratively querying authoritative servers and following 27 * referrals. This is a "full resolver", not to be confused with 28 * the stub resolvers most people associate with the word "resolver". 29 * The full resolver is part of the caching name server or resolver 30 * daemon the stub resolver talks to. 31 * 32 * MP: 33 *\li The module ensures appropriate synchronization of data structures it 34 * creates and manipulates. 35 * 36 * Reliability: 37 *\li No anticipated impact. 38 * 39 * Resources: 40 *\li TBS 41 * 42 * Security: 43 *\li No anticipated impact. 44 * 45 * Standards: 46 *\li RFCs: 1034, 1035, 2181, TBS 47 *\li Drafts: TBS 48 */ 49 50#include <inttypes.h> 51#include <stdbool.h> 52 53#include <isc/event.h> 54#include <isc/lang.h> 55#include <isc/stats.h> 56 57#include <dns/fixedname.h> 58#include <dns/types.h> 59 60ISC_LANG_BEGINDECLS 61 62/*% 63 * A dns_fetchevent_t is sent when a 'fetch' completes. Any of 'db', 64 * 'node', 'rdataset', and 'sigrdataset' may be bound. It is the 65 * receiver's responsibility to detach before freeing the event. 66 * \brief 67 * 'rdataset', 'sigrdataset', 'client' and 'id' are the values that were 68 * supplied when dns_resolver_createfetch() was called. They are returned 69 * to the caller so that they may be freed. 70 */ 71typedef struct dns_fetchevent { 72 ISC_EVENT_COMMON(struct dns_fetchevent); 73 dns_fetch_t *fetch; 74 isc_result_t result; 75 dns_rdatatype_t qtype; 76 dns_db_t *db; 77 dns_dbnode_t *node; 78 dns_rdataset_t *rdataset; 79 dns_rdataset_t *sigrdataset; 80 dns_fixedname_t fname; 81 dns_name_t *foundname; 82 const isc_sockaddr_t *client; 83 dns_messageid_t id; 84 isc_result_t vresult; 85} dns_fetchevent_t; 86 87/*% 88 * The two quota types (fetches-per-zone and fetches-per-server) 89 */ 90typedef enum { dns_quotatype_zone = 0, dns_quotatype_server } dns_quotatype_t; 91 92/* 93 * Options that modify how a 'fetch' is done. 94 */ 95enum { 96 DNS_FETCHOPT_TCP = 1 << 0, /*%< Use TCP. */ 97 DNS_FETCHOPT_UNSHARED = 1 << 1, /*%< See below. */ 98 DNS_FETCHOPT_RECURSIVE = 1 << 2, /*%< Set RD? */ 99 DNS_FETCHOPT_NOEDNS0 = 1 << 3, /*%< Do not use EDNS. */ 100 DNS_FETCHOPT_FORWARDONLY = 1 << 4, /*%< Only use forwarders. */ 101 DNS_FETCHOPT_NOVALIDATE = 1 << 5, /*%< Disable validation. */ 102 DNS_FETCHOPT_WANTNSID = 1 << 6, /*%< Request NSID */ 103 DNS_FETCHOPT_PREFETCH = 1 << 7, /*%< Do prefetch */ 104 DNS_FETCHOPT_NOCDFLAG = 1 << 8, /*%< Don't set CD flag. */ 105 DNS_FETCHOPT_NONTA = 1 << 9, /*%< Ignore NTA table. */ 106 DNS_FETCHOPT_NOCACHED = 1 << 10, /*%< Force cache update. */ 107 DNS_FETCHOPT_QMINIMIZE = 1 << 11, /*%< Use qname minimization. */ 108 DNS_FETCHOPT_NOFOLLOW = 1 << 12, /*%< Don't retrieve the NS RRset 109 * from the child zone when a 110 * delegation is returned in 111 * response to a NS query. */ 112 DNS_FETCHOPT_QMIN_STRICT = 1 << 13, /*%< Do not work around servers 113 * that return errors on 114 * non-empty terminals. */ 115 DNS_FETCHOPT_QMIN_SKIP_IP6A = 1 << 14, /*%< Skip some labels when 116 * doing qname minimization 117 * on ip6.arpa. */ 118 DNS_FETCHOPT_NOFORWARD = 1 << 15, /*%< Do not use forwarders if 119 * possible. */ 120 DNS_FETCHOPT_TRYSTALE_ONTIMEOUT = 1 << 16, 121 122 /*% EDNS version bits: */ 123 DNS_FETCHOPT_EDNSVERSIONSET = 1 << 23, 124 DNS_FETCHOPT_EDNSVERSIONSHIFT = 24, 125 DNS_FETCHOPT_EDNSVERSIONMASK = 0xff000000, 126}; 127 128/* 129 * Upper bounds of class of query RTT (ms). Corresponds to 130 * dns_resstatscounter_queryrttX statistics counters. 131 */ 132#define DNS_RESOLVER_QRYRTTCLASS0 10 133#define DNS_RESOLVER_QRYRTTCLASS0STR "10" 134#define DNS_RESOLVER_QRYRTTCLASS1 100 135#define DNS_RESOLVER_QRYRTTCLASS1STR "100" 136#define DNS_RESOLVER_QRYRTTCLASS2 500 137#define DNS_RESOLVER_QRYRTTCLASS2STR "500" 138#define DNS_RESOLVER_QRYRTTCLASS3 800 139#define DNS_RESOLVER_QRYRTTCLASS3STR "800" 140#define DNS_RESOLVER_QRYRTTCLASS4 1600 141#define DNS_RESOLVER_QRYRTTCLASS4STR "1600" 142 143/* 144 * XXXRTH Should this API be made semi-private? (I.e. 145 * _dns_resolver_create()). 146 */ 147 148#define DNS_RESOLVER_CHECKNAMES 0x01 149#define DNS_RESOLVER_CHECKNAMESFAIL 0x02 150 151#define DNS_QMIN_MAXLABELS 7 152#define DNS_QMIN_MAX_NO_DELEGATION 3 153#define DNS_MAX_LABELS 127 154 155isc_result_t 156dns_resolver_create(dns_view_t *view, isc_taskmgr_t *taskmgr, 157 unsigned int ntasks, unsigned int ndisp, isc_nm_t *nm, 158 isc_timermgr_t *timermgr, unsigned int options, 159 dns_dispatchmgr_t *dispatchmgr, dns_dispatch_t *dispatchv4, 160 dns_dispatch_t *dispatchv6, dns_resolver_t **resp); 161 162/*%< 163 * Create a resolver. 164 * 165 * Notes: 166 * 167 *\li Generally, applications should not create a resolver directly, but 168 * should instead call dns_view_createresolver(). 169 * 170 * Requires: 171 * 172 *\li 'view' is a valid view. 173 * 174 *\li 'taskmgr' is a valid task manager. 175 * 176 *\li 'ntasks' > 0. 177 * 178 *\li 'nm' is a valid network manager. 179 * 180 *\li 'timermgr' is a valid timer manager. 181 * 182 *\li 'dispatchv4' is a dispatch with an IPv4 UDP socket, or is NULL. 183 * If not NULL, 'ndisp' clones of it will be created by the resolver. 184 * 185 *\li 'dispatchv6' is a dispatch with an IPv6 UDP socket, or is NULL. 186 * If not NULL, 'ndisp' clones of it will be created by the resolver. 187 * 188 *\li resp != NULL && *resp == NULL. 189 * 190 * Returns: 191 * 192 *\li #ISC_R_SUCCESS On success. 193 * 194 *\li Anything else Failure. 195 */ 196 197void 198dns_resolver_freeze(dns_resolver_t *res); 199/*%< 200 * Freeze resolver. 201 * 202 * Notes: 203 * 204 *\li Certain configuration changes cannot be made after the resolver 205 * is frozen. Fetches cannot be created until the resolver is frozen. 206 * 207 * Requires: 208 * 209 *\li 'res' is a valid resolver. 210 * 211 * Ensures: 212 * 213 *\li 'res' is frozen. 214 */ 215 216void 217dns_resolver_prime(dns_resolver_t *res); 218/*%< 219 * Prime resolver. 220 * 221 * Notes: 222 * 223 *\li Resolvers which have a forwarding policy other than dns_fwdpolicy_only 224 * need to be primed with the root nameservers, otherwise the root 225 * nameserver hints data may be used indefinitely. This function requests 226 * that the resolver start a priming fetch, if it isn't already priming. 227 * 228 * Requires: 229 * 230 *\li 'res' is a valid, frozen resolver. 231 */ 232 233void 234dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task, 235 isc_event_t **eventp); 236/*%< 237 * Send '*eventp' to 'task' when 'res' has completed shutdown. 238 * 239 * Notes: 240 * 241 *\li It is not safe to detach the last reference to 'res' until 242 * shutdown is complete. 243 * 244 * Requires: 245 * 246 *\li 'res' is a valid resolver. 247 * 248 *\li 'task' is a valid task. 249 * 250 *\li *eventp is a valid event. 251 * 252 * Ensures: 253 * 254 *\li *eventp == NULL. 255 */ 256 257void 258dns_resolver_shutdown(dns_resolver_t *res); 259/*%< 260 * Start the shutdown process for 'res'. 261 * 262 * Notes: 263 * 264 *\li This call has no effect if the resolver is already shutting down. 265 * 266 * Requires: 267 * 268 *\li 'res' is a valid resolver. 269 */ 270 271void 272dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp); 273 274void 275dns_resolver_detach(dns_resolver_t **resp); 276 277isc_result_t 278dns_resolver_createfetch(dns_resolver_t *res, const dns_name_t *name, 279 dns_rdatatype_t type, const dns_name_t *domain, 280 dns_rdataset_t *nameservers, 281 dns_forwarders_t *forwarders, 282 const isc_sockaddr_t *client, dns_messageid_t id, 283 unsigned int options, unsigned int depth, 284 isc_counter_t *qc, isc_task_t *task, 285 isc_taskaction_t action, void *arg, 286 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, 287 dns_fetch_t **fetchp); 288/*%< 289 * Recurse to answer a question. 290 * 291 * Notes: 292 * 293 *\li This call starts a query for 'name', type 'type'. 294 * 295 *\li The 'domain' is a parent domain of 'name' for which 296 * a set of name servers 'nameservers' is known. If no 297 * such name server information is available, set 298 * 'domain' and 'nameservers' to NULL. 299 * 300 *\li 'forwarders' is unimplemented, and subject to change when 301 * we figure out how selective forwarding will work. 302 * 303 *\li When the fetch completes (successfully or otherwise), a 304 * #DNS_EVENT_FETCHDONE event with action 'action' and arg 'arg' will be 305 * posted to 'task'. 306 * 307 *\li The values of 'rdataset' and 'sigrdataset' will be returned in 308 * the FETCHDONE event. 309 * 310 *\li 'client' and 'id' are used for duplicate query detection. '*client' 311 * must remain stable until after 'action' has been called or 312 * dns_resolver_cancelfetch() is called. 313 * 314 * Requires: 315 * 316 *\li 'res' is a valid resolver that has been frozen. 317 * 318 *\li 'name' is a valid name. 319 * 320 *\li 'type' is not a meta type other than ANY. 321 * 322 *\li 'domain' is a valid name or NULL. 323 * 324 *\li 'nameservers' is a valid NS rdataset (whose owner name is 'domain') 325 * iff. 'domain' is not NULL. 326 * 327 *\li 'forwarders' is NULL. 328 * 329 *\li 'client' is a valid sockaddr or NULL. 330 * 331 *\li 'options' contains valid options. 332 * 333 *\li 'rdataset' is a valid, disassociated rdataset. 334 * 335 *\li 'sigrdataset' is NULL, or is a valid, disassociated rdataset. 336 * 337 *\li fetchp != NULL && *fetchp == NULL. 338 * 339 * Returns: 340 * 341 *\li #ISC_R_SUCCESS Success 342 *\li #DNS_R_DUPLICATE 343 *\li #DNS_R_DROP 344 * 345 *\li Many other values are possible, all of which indicate failure. 346 */ 347 348void 349dns_resolver_cancelfetch(dns_fetch_t *fetch); 350/*%< 351 * Cancel 'fetch'. 352 * 353 * Notes: 354 * 355 *\li If 'fetch' has not completed, post its FETCHDONE event with a 356 * result code of #ISC_R_CANCELED. 357 * 358 * Requires: 359 * 360 *\li 'fetch' is a valid fetch. 361 */ 362 363void 364dns_resolver_destroyfetch(dns_fetch_t **fetchp); 365/*%< 366 * Destroy 'fetch'. 367 * 368 * Requires: 369 * 370 *\li '*fetchp' is a valid fetch. 371 * 372 *\li The caller has received the FETCHDONE event (either because the 373 * fetch completed or because dns_resolver_cancelfetch() was called). 374 * 375 * Ensures: 376 * 377 *\li *fetchp == NULL. 378 */ 379 380void 381dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx, 382 isc_logcategory_t *category, isc_logmodule_t *module, 383 int level, bool duplicateok); 384/*%< 385 * Dump a log message on internal state at the completion of given 'fetch'. 386 * 'lctx', 'category', 'module', and 'level' are used to write the log message. 387 * By default, only one log message is written even if the corresponding fetch 388 * context serves multiple clients; if 'duplicateok' is true the suppression 389 * is disabled and the message can be written every time this function is 390 * called. 391 * 392 * Requires: 393 * 394 *\li 'fetch' is a valid fetch, and has completed. 395 */ 396 397dns_dispatchmgr_t * 398dns_resolver_dispatchmgr(dns_resolver_t *resolver); 399 400dns_dispatch_t * 401dns_resolver_dispatchv4(dns_resolver_t *resolver); 402 403dns_dispatch_t * 404dns_resolver_dispatchv6(dns_resolver_t *resolver); 405 406isc_taskmgr_t * 407dns_resolver_taskmgr(dns_resolver_t *resolver); 408 409uint32_t 410dns_resolver_getlamettl(dns_resolver_t *resolver); 411/*%< 412 * Get the resolver's lame-ttl. zero => no lame processing. 413 * 414 * Requires: 415 *\li 'resolver' to be valid. 416 */ 417 418void 419dns_resolver_setlamettl(dns_resolver_t *resolver, uint32_t lame_ttl); 420/*%< 421 * Set the resolver's lame-ttl. zero => no lame processing. 422 * 423 * Requires: 424 *\li 'resolver' to be valid. 425 */ 426 427void 428dns_resolver_addalternate(dns_resolver_t *resolver, const isc_sockaddr_t *alt, 429 const dns_name_t *name, in_port_t port); 430/*%< 431 * Add alternate addresses to be tried in the event that the nameservers 432 * for a zone are not available in the address families supported by the 433 * operating system. 434 * 435 * Require: 436 * \li only one of 'name' or 'alt' to be valid. 437 */ 438 439void 440dns_resolver_setudpsize(dns_resolver_t *resolver, uint16_t udpsize); 441/*%< 442 * Set the EDNS UDP buffer size advertised by the server. 443 */ 444 445uint16_t 446dns_resolver_getudpsize(dns_resolver_t *resolver); 447/*%< 448 * Get the current EDNS UDP buffer size. 449 */ 450 451void 452dns_resolver_reset_algorithms(dns_resolver_t *resolver); 453/*%< 454 * Clear the disabled DNSSEC algorithms. 455 */ 456 457void 458dns_resolver_reset_ds_digests(dns_resolver_t *resolver); 459/*%< 460 * Clear the disabled DS digest types. 461 */ 462 463isc_result_t 464dns_resolver_disable_algorithm(dns_resolver_t *resolver, const dns_name_t *name, 465 unsigned int alg); 466/*%< 467 * Mark the given DNSSEC algorithm as disabled and below 'name'. 468 * Valid algorithms are less than 256. 469 * 470 * Returns: 471 *\li #ISC_R_SUCCESS 472 *\li #ISC_R_RANGE 473 *\li #ISC_R_NOMEMORY 474 */ 475 476isc_result_t 477dns_resolver_disable_ds_digest(dns_resolver_t *resolver, const dns_name_t *name, 478 unsigned int digest_type); 479/*%< 480 * Mark the given DS digest type as disabled and below 'name'. 481 * Valid types are less than 256. 482 * 483 * Returns: 484 *\li #ISC_R_SUCCESS 485 *\li #ISC_R_RANGE 486 *\li #ISC_R_NOMEMORY 487 */ 488 489bool 490dns_resolver_algorithm_supported(dns_resolver_t *resolver, 491 const dns_name_t *name, unsigned int alg); 492/*%< 493 * Check if the given algorithm is supported by this resolver. 494 * This checks whether the algorithm has been disabled via 495 * dns_resolver_disable_algorithm(), then checks the underlying 496 * crypto libraries if it was not specifically disabled. 497 */ 498 499bool 500dns_resolver_ds_digest_supported(dns_resolver_t *resolver, 501 const dns_name_t *name, 502 unsigned int digest_type); 503/*%< 504 * Check if the given digest type is supported by this resolver. 505 * This checks whether the digest type has been disabled via 506 * dns_resolver_disable_ds_digest(), then checks the underlying 507 * crypto libraries if it was not specifically disabled. 508 */ 509 510void 511dns_resolver_resetmustbesecure(dns_resolver_t *resolver); 512 513isc_result_t 514dns_resolver_setmustbesecure(dns_resolver_t *resolver, const dns_name_t *name, 515 bool value); 516 517bool 518dns_resolver_getmustbesecure(dns_resolver_t *resolver, const dns_name_t *name); 519 520void 521dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int timeout); 522/*%< 523 * Set the length of time the resolver will work on a query, in milliseconds. 524 * 525 * 'timeout' was originally defined in seconds, and later redefined to be in 526 * milliseconds. Values less than or equal to 300 are treated as seconds. 527 * 528 * If timeout is 0, the default timeout will be applied. 529 * 530 * Requires: 531 * \li resolver to be valid. 532 */ 533 534unsigned int 535dns_resolver_gettimeout(dns_resolver_t *resolver); 536/*%< 537 * Get the current length of time the resolver will work on a query, 538 * in milliseconds. 539 * 540 * Requires: 541 * \li resolver to be valid. 542 */ 543 544void 545dns_resolver_setclientsperquery(dns_resolver_t *resolver, uint32_t min, 546 uint32_t max); 547void 548dns_resolver_setfetchesperzone(dns_resolver_t *resolver, uint32_t clients); 549 550void 551dns_resolver_getclientsperquery(dns_resolver_t *resolver, uint32_t *cur, 552 uint32_t *min, uint32_t *max); 553 554bool 555dns_resolver_getzeronosoattl(dns_resolver_t *resolver); 556 557void 558dns_resolver_setzeronosoattl(dns_resolver_t *resolver, bool state); 559 560unsigned int 561dns_resolver_getretryinterval(dns_resolver_t *resolver); 562 563void 564dns_resolver_setretryinterval(dns_resolver_t *resolver, unsigned int interval); 565/*%< 566 * Sets the amount of time, in milliseconds, that is waited for a reply 567 * to a server before another server is tried. Interacts with the 568 * value of dns_resolver_getnonbackofftries() by trying that number of times 569 * at this interval, before doing exponential backoff and doubling the interval 570 * on each subsequent try, to a maximum of 10 seconds. Defaults to 800 ms; 571 * silently capped at 2000 ms. 572 * 573 * Requires: 574 * \li resolver to be valid. 575 * \li interval > 0. 576 */ 577 578unsigned int 579dns_resolver_getnonbackofftries(dns_resolver_t *resolver); 580 581void 582dns_resolver_setnonbackofftries(dns_resolver_t *resolver, unsigned int tries); 583/*%< 584 * Sets the number of failures of getting a reply from remote servers for 585 * a query before backing off by doubling the retry interval for each 586 * subsequent request sent. Defaults to 3. 587 * 588 * Requires: 589 * \li resolver to be valid. 590 * \li tries > 0. 591 */ 592 593unsigned int 594dns_resolver_getoptions(dns_resolver_t *resolver); 595/*%< 596 * Get the resolver options. 597 * 598 * Requires: 599 * \li resolver to be valid. 600 */ 601 602void 603dns_resolver_addbadcache(dns_resolver_t *resolver, const dns_name_t *name, 604 dns_rdatatype_t type, isc_time_t *expire); 605/*%< 606 * Add a entry to the bad cache for <name,type> that will expire at 'expire'. 607 * 608 * Requires: 609 * \li resolver to be valid. 610 * \li name to be valid. 611 */ 612 613bool 614dns_resolver_getbadcache(dns_resolver_t *resolver, const dns_name_t *name, 615 dns_rdatatype_t type, isc_time_t *now); 616/*%< 617 * Check to see if there is a unexpired entry in the bad cache for 618 * <name,type>. 619 * 620 * Requires: 621 * \li resolver to be valid. 622 * \li name to be valid. 623 */ 624 625void 626dns_resolver_flushbadcache(dns_resolver_t *resolver, const dns_name_t *name); 627/*%< 628 * Flush the bad cache of all entries at 'name' if 'name' is non NULL. 629 * Flush the entire bad cache if 'name' is NULL. 630 * 631 * Requires: 632 * \li resolver to be valid. 633 */ 634 635void 636dns_resolver_flushbadnames(dns_resolver_t *resolver, const dns_name_t *name); 637/*%< 638 * Flush the bad cache of all entries at or below 'name'. 639 * 640 * Requires: 641 * \li resolver to be valid. 642 * \li name != NULL 643 */ 644 645void 646dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp); 647/*% 648 * Print out the contents of the bad cache to 'fp'. 649 * 650 * Requires: 651 * \li resolver to be valid. 652 */ 653 654void 655dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth); 656unsigned int 657dns_resolver_getmaxdepth(dns_resolver_t *resolver); 658/*% 659 * Get and set how many NS indirections will be followed when looking for 660 * nameserver addresses. 661 * 662 * Requires: 663 * \li resolver to be valid. 664 */ 665 666void 667dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries); 668unsigned int 669dns_resolver_getmaxqueries(dns_resolver_t *resolver); 670/*% 671 * Get and set how many iterative queries will be allowed before 672 * terminating a recursive query. 673 * 674 * Requires: 675 * \li resolver to be valid. 676 */ 677 678void 679dns_resolver_setquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which, 680 isc_result_t resp); 681isc_result_t 682dns_resolver_getquotaresponse(dns_resolver_t *resolver, dns_quotatype_t which); 683/*% 684 * Get and set the result code that will be used when quotas 685 * are exceeded. If 'which' is set to quotatype "zone", then the 686 * result specified in 'resp' will be used when the fetches-per-zone 687 * quota is exceeded by a fetch. If 'which' is set to quotatype "server", 688 * then the result specified in 'resp' will be used when the 689 * fetches-per-server quota has been exceeded for all the 690 * authoritative servers for a zone. Valid choices are 691 * DNS_R_DROP or DNS_R_SERVFAIL. 692 * 693 * Requires: 694 * \li 'resolver' to be valid. 695 * \li 'which' to be dns_quotatype_zone or dns_quotatype_server 696 * \li 'resp' to be DNS_R_DROP or DNS_R_SERVFAIL. 697 */ 698 699void 700dns_resolver_dumpfetches(dns_resolver_t *resolver, isc_statsformat_t format, 701 FILE *fp); 702 703#ifdef ENABLE_AFL 704/*% 705 * Enable fuzzing of resolver, changes behaviour and eliminates retries 706 */ 707void 708dns_resolver_setfuzzing(void); 709#endif /* ifdef ENABLE_AFL */ 710 711ISC_LANG_ENDDECLS 712