|
 |
ac9274 |
diff --git a/iterator/iter_delegpt.c b/iterator/iter_delegpt.c
|
|
|
ac9274 |
index ecf88b2..1ababa1 100644
|
|
|
ac9274 |
--- a/iterator/iter_delegpt.c
|
|
|
ac9274 |
+++ b/iterator/iter_delegpt.c
|
|
|
ac9274 |
@@ -84,7 +84,7 @@ struct delegpt* delegpt_copy(struct delegpt* dp, struct regional* region)
|
|
|
ac9274 |
}
|
|
|
ac9274 |
for(a = dp->target_list; a; a = a->next_target) {
|
|
|
ac9274 |
if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen,
|
|
|
ac9274 |
- a->bogus, a->lame))
|
|
|
ac9274 |
+ a->bogus, a->lame, NULL))
|
|
|
ac9274 |
return NULL;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
return copy;
|
|
|
ac9274 |
@@ -161,7 +161,7 @@ delegpt_find_addr(struct delegpt* dp, struct sockaddr_storage* addr,
|
|
|
ac9274 |
int
|
|
|
ac9274 |
delegpt_add_target(struct delegpt* dp, struct regional* region,
|
|
|
ac9274 |
uint8_t* name, size_t namelen, struct sockaddr_storage* addr,
|
|
|
ac9274 |
- socklen_t addrlen, uint8_t bogus, uint8_t lame)
|
|
|
ac9274 |
+ socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
struct delegpt_ns* ns = delegpt_find_ns(dp, name, namelen);
|
|
|
ac9274 |
log_assert(!dp->dp_type_mlc);
|
|
|
ac9274 |
@@ -176,13 +176,13 @@ delegpt_add_target(struct delegpt* dp, struct regional* region,
|
|
|
ac9274 |
if(ns->got4 && ns->got6)
|
|
|
ac9274 |
ns->resolved = 1;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
- return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame);
|
|
|
ac9274 |
+ return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, additions);
|
|
|
ac9274 |
}
|
|
|
ac9274 |
|
|
|
ac9274 |
int
|
|
|
ac9274 |
delegpt_add_addr(struct delegpt* dp, struct regional* region,
|
|
|
ac9274 |
struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus,
|
|
|
ac9274 |
- uint8_t lame)
|
|
|
ac9274 |
+ uint8_t lame, int* additions)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
struct delegpt_addr* a;
|
|
|
ac9274 |
log_assert(!dp->dp_type_mlc);
|
|
|
ac9274 |
@@ -195,6 +195,9 @@ delegpt_add_addr(struct delegpt* dp, struct regional* region,
|
|
|
ac9274 |
return 1;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
|
|
|
ac9274 |
+ if(additions)
|
|
|
ac9274 |
+ *additions = 1;
|
|
|
ac9274 |
+
|
|
|
ac9274 |
a = (struct delegpt_addr*)regional_alloc(region,
|
|
|
ac9274 |
sizeof(struct delegpt_addr));
|
|
|
ac9274 |
if(!a)
|
|
|
ac9274 |
@@ -370,10 +373,10 @@ delegpt_from_message(struct dns_msg* msg, struct regional* region)
|
|
|
ac9274 |
continue;
|
|
|
ac9274 |
|
|
|
ac9274 |
if(ntohs(s->rk.type) == LDNS_RR_TYPE_A) {
|
|
|
ac9274 |
- if(!delegpt_add_rrset_A(dp, region, s, 0))
|
|
|
ac9274 |
+ if(!delegpt_add_rrset_A(dp, region, s, 0, NULL))
|
|
|
ac9274 |
return NULL;
|
|
|
ac9274 |
} else if(ntohs(s->rk.type) == LDNS_RR_TYPE_AAAA) {
|
|
|
ac9274 |
- if(!delegpt_add_rrset_AAAA(dp, region, s, 0))
|
|
|
ac9274 |
+ if(!delegpt_add_rrset_AAAA(dp, region, s, 0, NULL))
|
|
|
ac9274 |
return NULL;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
}
|
|
|
ac9274 |
@@ -404,7 +407,7 @@ delegpt_rrset_add_ns(struct delegpt* dp, struct regional* region,
|
|
|
ac9274 |
|
|
|
ac9274 |
int
|
|
|
ac9274 |
delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
|
|
|
ac9274 |
- struct ub_packed_rrset_key* ak, uint8_t lame)
|
|
|
ac9274 |
+ struct ub_packed_rrset_key* ak, uint8_t lame, int* additions)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
struct packed_rrset_data* d=(struct packed_rrset_data*)ak->entry.data;
|
|
|
ac9274 |
size_t i;
|
|
|
ac9274 |
@@ -420,7 +423,7 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
|
|
|
ac9274 |
memmove(&sa.sin_addr, d->rr_data[i]+2, INET_SIZE);
|
|
|
ac9274 |
if(!delegpt_add_target(dp, region, ak->rk.dname,
|
|
|
ac9274 |
ak->rk.dname_len, (struct sockaddr_storage*)&sa,
|
|
|
ac9274 |
- len, (d->security==sec_status_bogus), lame))
|
|
|
ac9274 |
+ len, (d->security==sec_status_bogus), lame, additions))
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
return 1;
|
|
|
ac9274 |
@@ -428,7 +431,7 @@ delegpt_add_rrset_A(struct delegpt* dp, struct regional* region,
|
|
|
ac9274 |
|
|
|
ac9274 |
int
|
|
|
ac9274 |
delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
|
|
|
ac9274 |
- struct ub_packed_rrset_key* ak, uint8_t lame)
|
|
|
ac9274 |
+ struct ub_packed_rrset_key* ak, uint8_t lame, int* additions)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
struct packed_rrset_data* d=(struct packed_rrset_data*)ak->entry.data;
|
|
|
ac9274 |
size_t i;
|
|
|
ac9274 |
@@ -444,7 +447,7 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
|
|
|
ac9274 |
memmove(&sa.sin6_addr, d->rr_data[i]+2, INET6_SIZE);
|
|
|
ac9274 |
if(!delegpt_add_target(dp, region, ak->rk.dname,
|
|
|
ac9274 |
ak->rk.dname_len, (struct sockaddr_storage*)&sa,
|
|
|
ac9274 |
- len, (d->security==sec_status_bogus), lame))
|
|
|
ac9274 |
+ len, (d->security==sec_status_bogus), lame, additions))
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
return 1;
|
|
|
ac9274 |
@@ -452,20 +455,32 @@ delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* region,
|
|
|
ac9274 |
|
|
|
ac9274 |
int
|
|
|
ac9274 |
delegpt_add_rrset(struct delegpt* dp, struct regional* region,
|
|
|
ac9274 |
- struct ub_packed_rrset_key* rrset, uint8_t lame)
|
|
|
ac9274 |
+ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
if(!rrset)
|
|
|
ac9274 |
return 1;
|
|
|
ac9274 |
if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_NS)
|
|
|
ac9274 |
return delegpt_rrset_add_ns(dp, region, rrset, lame);
|
|
|
ac9274 |
else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_A)
|
|
|
ac9274 |
- return delegpt_add_rrset_A(dp, region, rrset, lame);
|
|
|
ac9274 |
+ return delegpt_add_rrset_A(dp, region, rrset, lame, additions);
|
|
|
ac9274 |
else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_AAAA)
|
|
|
ac9274 |
- return delegpt_add_rrset_AAAA(dp, region, rrset, lame);
|
|
|
ac9274 |
+ return delegpt_add_rrset_AAAA(dp, region, rrset, lame, additions);
|
|
|
ac9274 |
log_warn("Unknown rrset type added to delegpt");
|
|
|
ac9274 |
return 1;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
|
|
|
ac9274 |
+void delegpt_mark_neg(struct delegpt_ns* ns, uint16_t qtype)
|
|
|
ac9274 |
+{
|
|
|
ac9274 |
+ if(ns) {
|
|
|
ac9274 |
+ if(qtype == LDNS_RR_TYPE_A)
|
|
|
ac9274 |
+ ns->got4 = 2;
|
|
|
ac9274 |
+ else if(qtype == LDNS_RR_TYPE_AAAA)
|
|
|
ac9274 |
+ ns->got6 = 2;
|
|
|
ac9274 |
+ if(ns->got4 && ns->got6)
|
|
|
ac9274 |
+ ns->resolved = 1;
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
+}
|
|
|
ac9274 |
+
|
|
|
ac9274 |
void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
struct reply_info* rep = (struct reply_info*)msg->entry.data;
|
|
|
ac9274 |
@@ -475,14 +490,7 @@ void delegpt_add_neg_msg(struct delegpt* dp, struct msgreply_entry* msg)
|
|
|
ac9274 |
if(FLAGS_GET_RCODE(rep->flags) != 0 || rep->an_numrrsets == 0) {
|
|
|
ac9274 |
struct delegpt_ns* ns = delegpt_find_ns(dp, msg->key.qname,
|
|
|
ac9274 |
msg->key.qname_len);
|
|
|
ac9274 |
- if(ns) {
|
|
|
ac9274 |
- if(msg->key.qtype == LDNS_RR_TYPE_A)
|
|
|
ac9274 |
- ns->got4 = 1;
|
|
|
ac9274 |
- else if(msg->key.qtype == LDNS_RR_TYPE_AAAA)
|
|
|
ac9274 |
- ns->got6 = 1;
|
|
|
ac9274 |
- if(ns->got4 && ns->got6)
|
|
|
ac9274 |
- ns->resolved = 1;
|
|
|
ac9274 |
- }
|
|
|
ac9274 |
+ delegpt_mark_neg(ns, msg->key.qtype);
|
|
|
ac9274 |
}
|
|
|
ac9274 |
}
|
|
|
ac9274 |
|
|
|
ac9274 |
diff --git a/iterator/iter_delegpt.h b/iterator/iter_delegpt.h
|
|
|
ac9274 |
index 4bd79c8..e640fc6 100644
|
|
|
ac9274 |
--- a/iterator/iter_delegpt.h
|
|
|
ac9274 |
+++ b/iterator/iter_delegpt.h
|
|
|
ac9274 |
@@ -102,9 +102,10 @@ struct delegpt_ns {
|
|
|
ac9274 |
* and marked true if got4 and got6 are both true.
|
|
|
ac9274 |
*/
|
|
|
ac9274 |
int resolved;
|
|
|
ac9274 |
- /** if the ipv4 address is in the delegpt */
|
|
|
ac9274 |
+ /** if the ipv4 address is in the delegpt, 0=not, 1=yes 2=negative,
|
|
|
ac9274 |
+ * * negative means it was done, but no content. */
|
|
|
ac9274 |
uint8_t got4;
|
|
|
ac9274 |
- /** if the ipv6 address is in the delegpt */
|
|
|
ac9274 |
+ /** if the ipv6 address is in the delegpt, 0=not, 1=yes 2=negative */
|
|
|
ac9274 |
uint8_t got6;
|
|
|
ac9274 |
/**
|
|
|
ac9274 |
* If the name is parent-side only and thus dispreferred.
|
|
|
ac9274 |
@@ -209,11 +210,12 @@ int delegpt_rrset_add_ns(struct delegpt* dp, struct regional* regional,
|
|
|
ac9274 |
* @param addrlen: the length of addr.
|
|
|
ac9274 |
* @param bogus: security status for the address, pass true if bogus.
|
|
|
ac9274 |
* @param lame: address is lame.
|
|
|
ac9274 |
+ * @param additions: will be set to 1 if a new address is added
|
|
|
ac9274 |
* @return false on error.
|
|
|
ac9274 |
*/
|
|
|
ac9274 |
int delegpt_add_target(struct delegpt* dp, struct regional* regional,
|
|
|
ac9274 |
uint8_t* name, size_t namelen, struct sockaddr_storage* addr,
|
|
|
ac9274 |
- socklen_t addrlen, uint8_t bogus, uint8_t lame);
|
|
|
ac9274 |
+ socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions);
|
|
|
ac9274 |
|
|
|
ac9274 |
/**
|
|
|
ac9274 |
* Add A RRset to delegpt.
|
|
|
ac9274 |
@@ -221,21 +223,23 @@ int delegpt_add_target(struct delegpt* dp, struct regional* regional,
|
|
|
ac9274 |
* @param regional: where to allocate the info.
|
|
|
ac9274 |
* @param rrset: RRset A to add.
|
|
|
ac9274 |
* @param lame: rrset is lame, disprefer it.
|
|
|
ac9274 |
+ * @param additions: will be set to 1 if a new address is added
|
|
|
ac9274 |
* @return 0 on alloc error.
|
|
|
ac9274 |
*/
|
|
|
ac9274 |
int delegpt_add_rrset_A(struct delegpt* dp, struct regional* regional,
|
|
|
ac9274 |
- struct ub_packed_rrset_key* rrset, uint8_t lame);
|
|
|
ac9274 |
+ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
|
|
|
ac9274 |
|
|
|
ac9274 |
/**
|
|
|
ac9274 |
* Add AAAA RRset to delegpt.
|
|
|
ac9274 |
* @param dp: delegation point.
|
|
|
ac9274 |
* @param regional: where to allocate the info.
|
|
|
ac9274 |
* @param rrset: RRset AAAA to add.
|
|
|
ac9274 |
+ * @param additions: will be set to 1 if a new address is added
|
|
|
ac9274 |
* @param lame: rrset is lame, disprefer it.
|
|
|
ac9274 |
* @return 0 on alloc error.
|
|
|
ac9274 |
*/
|
|
|
ac9274 |
int delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* regional,
|
|
|
ac9274 |
- struct ub_packed_rrset_key* rrset, uint8_t lame);
|
|
|
ac9274 |
+ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
|
|
|
ac9274 |
|
|
|
ac9274 |
/**
|
|
|
ac9274 |
* Add any RRset to delegpt.
|
|
|
ac9274 |
@@ -244,10 +248,11 @@ int delegpt_add_rrset_AAAA(struct delegpt* dp, struct regional* regional,
|
|
|
ac9274 |
* @param regional: where to allocate the info.
|
|
|
ac9274 |
* @param rrset: RRset to add, NS, A, AAAA.
|
|
|
ac9274 |
* @param lame: rrset is lame, disprefer it.
|
|
|
ac9274 |
+ * @param additions: will be set to 1 if a new address is added
|
|
|
ac9274 |
* @return 0 on alloc error.
|
|
|
ac9274 |
*/
|
|
|
ac9274 |
int delegpt_add_rrset(struct delegpt* dp, struct regional* regional,
|
|
|
ac9274 |
- struct ub_packed_rrset_key* rrset, uint8_t lame);
|
|
|
ac9274 |
+ struct ub_packed_rrset_key* rrset, uint8_t lame, int* additions);
|
|
|
ac9274 |
|
|
|
ac9274 |
/**
|
|
|
ac9274 |
* Add address to the delegation point. No servername is associated or checked.
|
|
|
ac9274 |
@@ -257,11 +262,13 @@ int delegpt_add_rrset(struct delegpt* dp, struct regional* regional,
|
|
|
ac9274 |
* @param addrlen: the length of addr.
|
|
|
ac9274 |
* @param bogus: if address is bogus.
|
|
|
ac9274 |
* @param lame: if address is lame.
|
|
|
ac9274 |
+ * @param additions: will be set to 1 if a new address is added
|
|
|
ac9274 |
+ * @return 0 on alloc error.
|
|
|
ac9274 |
* @return false on error.
|
|
|
ac9274 |
*/
|
|
|
ac9274 |
int delegpt_add_addr(struct delegpt* dp, struct regional* regional,
|
|
|
ac9274 |
struct sockaddr_storage* addr, socklen_t addrlen,
|
|
|
ac9274 |
- uint8_t bogus, uint8_t lame);
|
|
|
ac9274 |
+ uint8_t bogus, uint8_t lame, int* additions);
|
|
|
ac9274 |
|
|
|
ac9274 |
/**
|
|
|
ac9274 |
* Find NS record in name list of delegation point.
|
|
|
ac9274 |
@@ -334,6 +341,14 @@ size_t delegpt_count_targets(struct delegpt* dp);
|
|
|
ac9274 |
struct delegpt* delegpt_from_message(struct dns_msg* msg,
|
|
|
ac9274 |
struct regional* regional);
|
|
|
ac9274 |
|
|
|
ac9274 |
+/**
|
|
|
ac9274 |
+* Mark negative return in delegation point for specific nameserver.
|
|
|
ac9274 |
+* sets the got4 or got6 to negative, updates the ns->resolved.
|
|
|
ac9274 |
+* @param ns: the nameserver in the delegpt.
|
|
|
ac9274 |
+* @param qtype: A or AAAA (host order).
|
|
|
ac9274 |
+*/
|
|
|
ac9274 |
+void delegpt_mark_neg(struct delegpt_ns* ns, uint16_t qtype);
|
|
|
ac9274 |
+
|
|
|
ac9274 |
/**
|
|
|
ac9274 |
* Add negative message to delegation point.
|
|
|
ac9274 |
* @param dp: delegation point.
|
|
|
ac9274 |
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
|
|
|
ac9274 |
index 6bdfe41..36ff766 100644
|
|
|
ac9274 |
--- a/iterator/iter_scrub.c
|
|
|
ac9274 |
+++ b/iterator/iter_scrub.c
|
|
|
ac9274 |
@@ -185,8 +185,9 @@ mark_additional_rrset(sldns_buffer* pkt, struct msg_parse* msg,
|
|
|
ac9274 |
/** Get target name of a CNAME */
|
|
|
ac9274 |
static int
|
|
|
ac9274 |
parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
|
|
|
ac9274 |
- size_t* snamelen)
|
|
|
ac9274 |
+ size_t* snamelen, sldns_buffer* pkt)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
+ size_t oldpos, dlen;
|
|
|
ac9274 |
if(rrset->rr_count != 1) {
|
|
|
ac9274 |
struct rr_parse* sig;
|
|
|
ac9274 |
verbose(VERB_ALGO, "Found CNAME rrset with "
|
|
|
ac9274 |
@@ -204,6 +205,19 @@ parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
|
|
|
ac9274 |
*sname = rrset->rr_first->ttl_data + sizeof(uint32_t)
|
|
|
ac9274 |
+ sizeof(uint16_t); /* skip ttl, rdatalen */
|
|
|
ac9274 |
*snamelen = rrset->rr_first->size - sizeof(uint16_t);
|
|
|
ac9274 |
+
|
|
|
ac9274 |
+ if(rrset->rr_first->outside_packet) {
|
|
|
ac9274 |
+ if(!dname_valid(*sname, *snamelen))
|
|
|
ac9274 |
+ return 0;
|
|
|
ac9274 |
+ return 1;
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
+ oldpos = sldns_buffer_position(pkt);
|
|
|
ac9274 |
+ sldns_buffer_set_position(pkt, (size_t)(*sname - sldns_buffer_begin(pkt)));
|
|
|
ac9274 |
+ dlen = pkt_dname_len(pkt);
|
|
|
ac9274 |
+ sldns_buffer_set_position(pkt, oldpos);
|
|
|
ac9274 |
+ if(dlen == 0)
|
|
|
ac9274 |
+ return 0; /* parse fail on the rdata name */
|
|
|
ac9274 |
+ *snamelen = dlen;
|
|
|
ac9274 |
return 1;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
|
|
|
ac9274 |
@@ -215,7 +229,7 @@ synth_cname(uint8_t* qname, size_t qnamelen, struct rrset_parse* dname_rrset,
|
|
|
ac9274 |
/* we already know that sname is a strict subdomain of DNAME owner */
|
|
|
ac9274 |
uint8_t* dtarg = NULL;
|
|
|
ac9274 |
size_t dtarglen;
|
|
|
ac9274 |
- if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen))
|
|
|
ac9274 |
+ if(!parse_get_cname_target(dname_rrset, &dtarg, &dtarglen, pkt))
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
log_assert(qnamelen > dname_rrset->dname_len);
|
|
|
ac9274 |
/* DNAME from com. to net. with qname example.com. -> example.net. */
|
|
|
ac9274 |
@@ -372,7 +386,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
|
|
ac9274 |
/* check next cname */
|
|
|
ac9274 |
uint8_t* t = NULL;
|
|
|
ac9274 |
size_t tlen = 0;
|
|
|
ac9274 |
- if(!parse_get_cname_target(nx, &t, &tlen))
|
|
|
ac9274 |
+ if(!parse_get_cname_target(nx, &t, &tlen, pkt))
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
if(dname_pkt_compare(pkt, alias, t) == 0) {
|
|
|
ac9274 |
/* it's OK and better capitalized */
|
|
|
ac9274 |
@@ -423,7 +437,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
|
|
ac9274 |
size_t tlen = 0;
|
|
|
ac9274 |
if(synth_cname(sname, snamelen, nx, alias,
|
|
|
ac9274 |
&aliaslen, pkt) &&
|
|
|
ac9274 |
- parse_get_cname_target(rrset, &t, &tlen) &&
|
|
|
ac9274 |
+ parse_get_cname_target(rrset, &t, &tlen, pkt) &&
|
|
|
ac9274 |
dname_pkt_compare(pkt, alias, t) == 0) {
|
|
|
ac9274 |
/* the synthesized CNAME equals the
|
|
|
ac9274 |
* current CNAME. This CNAME is the
|
|
|
ac9274 |
@@ -441,7 +455,7 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
|
|
|
ac9274 |
}
|
|
|
ac9274 |
|
|
|
ac9274 |
/* move to next name in CNAME chain */
|
|
|
ac9274 |
- if(!parse_get_cname_target(rrset, &sname, &snamelen))
|
|
|
ac9274 |
+ if(!parse_get_cname_target(rrset, &sname, &snamelen, pkt))
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
prev = rrset;
|
|
|
ac9274 |
rrset = rrset->rrset_all_next;
|
|
|
ac9274 |
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
|
|
|
ac9274 |
index 70cab40..fc7d625 100644
|
|
|
ac9274 |
--- a/iterator/iter_utils.c
|
|
|
ac9274 |
+++ b/iterator/iter_utils.c
|
|
|
ac9274 |
@@ -997,7 +997,7 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
|
|
|
ac9274 |
log_rrset_key(VERB_ALGO, "found parent-side", akey);
|
|
|
ac9274 |
ns->done_pside4 = 1;
|
|
|
ac9274 |
/* a negative-cache-element has no addresses it adds */
|
|
|
ac9274 |
- if(!delegpt_add_rrset_A(dp, region, akey, 1))
|
|
|
ac9274 |
+ if(!delegpt_add_rrset_A(dp, region, akey, 1, NULL))
|
|
|
ac9274 |
log_err("malloc failure in lookup_parent_glue");
|
|
|
ac9274 |
lock_rw_unlock(&akey->entry.lock);
|
|
|
ac9274 |
}
|
|
|
ac9274 |
@@ -1009,7 +1009,7 @@ int iter_lookup_parent_glue_from_cache(struct module_env* env,
|
|
|
ac9274 |
log_rrset_key(VERB_ALGO, "found parent-side", akey);
|
|
|
ac9274 |
ns->done_pside6 = 1;
|
|
|
ac9274 |
/* a negative-cache-element has no addresses it adds */
|
|
|
ac9274 |
- if(!delegpt_add_rrset_AAAA(dp, region, akey, 1))
|
|
|
ac9274 |
+ if(!delegpt_add_rrset_AAAA(dp, region, akey, 1, NULL))
|
|
|
ac9274 |
log_err("malloc failure in lookup_parent_glue");
|
|
|
ac9274 |
lock_rw_unlock(&akey->entry.lock);
|
|
|
ac9274 |
}
|
|
|
ac9274 |
diff --git a/iterator/iterator.c b/iterator/iterator.c
|
|
|
8db6ed |
index 01ac883..edf5751 100644
|
|
|
ac9274 |
--- a/iterator/iterator.c
|
|
|
ac9274 |
+++ b/iterator/iterator.c
|
|
|
ac9274 |
@@ -68,6 +68,8 @@
|
|
|
ac9274 |
#include "sldns/parseutil.h"
|
|
|
ac9274 |
#include "sldns/sbuffer.h"
|
|
|
ac9274 |
|
|
|
ac9274 |
+static void target_count_increase_nx(struct iter_qstate* iq, int num);
|
|
|
ac9274 |
+
|
|
|
ac9274 |
int
|
|
|
ac9274 |
iter_init(struct module_env* env, int id)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
@@ -146,6 +148,7 @@ iter_new(struct module_qstate* qstate, int id)
|
|
|
ac9274 |
iq->sent_count = 0;
|
|
|
ac9274 |
iq->ratelimit_ok = 0;
|
|
|
ac9274 |
iq->target_count = NULL;
|
|
|
ac9274 |
+ iq->dp_target_count = 0;
|
|
|
ac9274 |
iq->wait_priming_stub = 0;
|
|
|
ac9274 |
iq->refetch_glue = 0;
|
|
|
ac9274 |
iq->dnssec_expected = 0;
|
|
|
ac9274 |
@@ -217,6 +220,7 @@ final_state(struct iter_qstate* iq)
|
|
|
ac9274 |
static void
|
|
|
ac9274 |
error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
|
|
|
ac9274 |
struct iter_qstate* super_iq = (struct iter_qstate*)super->minfo[id];
|
|
|
ac9274 |
|
|
|
ac9274 |
if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
|
|
|
ac9274 |
@@ -241,7 +245,11 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
|
|
|
ac9274 |
super->region, super_iq->dp))
|
|
|
ac9274 |
log_err("out of memory adding missing");
|
|
|
ac9274 |
}
|
|
|
ac9274 |
+ delegpt_mark_neg(dpns, qstate->qinfo.qtype);
|
|
|
ac9274 |
dpns->resolved = 1; /* mark as failed */
|
|
|
ac9274 |
+ if((dpns->got4 == 2 || !ie->supports_ipv4) &&
|
|
|
ac9274 |
+ (dpns->got6 == 2 || !ie->supports_ipv6))
|
|
|
ac9274 |
+ target_count_increase_nx(super_iq, 1);
|
|
|
ac9274 |
}
|
|
|
ac9274 |
if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS) {
|
|
|
ac9274 |
/* prime failed to get delegation */
|
|
|
ac9274 |
@@ -574,7 +582,7 @@ static void
|
|
|
ac9274 |
target_count_create(struct iter_qstate* iq)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
if(!iq->target_count) {
|
|
|
ac9274 |
- iq->target_count = (int*)calloc(2, sizeof(int));
|
|
|
ac9274 |
+ iq->target_count = (int*)calloc(3, sizeof(int));
|
|
|
ac9274 |
/* if calloc fails we simply do not track this number */
|
|
|
ac9274 |
if(iq->target_count)
|
|
|
ac9274 |
iq->target_count[0] = 1;
|
|
|
ac9274 |
@@ -587,6 +595,15 @@ target_count_increase(struct iter_qstate* iq, int num)
|
|
|
ac9274 |
target_count_create(iq);
|
|
|
ac9274 |
if(iq->target_count)
|
|
|
ac9274 |
iq->target_count[1] += num;
|
|
|
ac9274 |
+ iq->dp_target_count++;
|
|
|
ac9274 |
+}
|
|
|
ac9274 |
+
|
|
|
ac9274 |
+static void
|
|
|
ac9274 |
+target_count_increase_nx(struct iter_qstate* iq, int num)
|
|
|
ac9274 |
+{
|
|
|
ac9274 |
+ target_count_create(iq);
|
|
|
ac9274 |
+ if(iq->target_count)
|
|
|
ac9274 |
+ iq->target_count[2] += num;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
|
|
|
ac9274 |
/**
|
|
|
ac9274 |
@@ -609,13 +626,15 @@ target_count_increase(struct iter_qstate* iq, int num)
|
|
|
ac9274 |
* @param subq_ret: if newly allocated, the subquerystate, or NULL if it does
|
|
|
ac9274 |
* not need initialisation.
|
|
|
ac9274 |
* @param v: if true, validation is done on the subquery.
|
|
|
ac9274 |
+ * @param detached: true if this qstate should not attach to the subquery
|
|
|
ac9274 |
* @return false on error (malloc).
|
|
|
ac9274 |
*/
|
|
|
ac9274 |
static int
|
|
|
ac9274 |
generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
|
|
|
ac9274 |
uint16_t qclass, struct module_qstate* qstate, int id,
|
|
|
ac9274 |
struct iter_qstate* iq, enum iter_state initial_state,
|
|
|
ac9274 |
- enum iter_state finalstate, struct module_qstate** subq_ret, int v)
|
|
|
ac9274 |
+ enum iter_state finalstate, struct module_qstate** subq_ret, int v,
|
|
|
ac9274 |
+ int detached)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
struct module_qstate* subq = NULL;
|
|
|
ac9274 |
struct iter_qstate* subiq = NULL;
|
|
|
ac9274 |
@@ -642,12 +661,24 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
|
|
|
ac9274 |
valrec = 1;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
|
|
|
ac9274 |
- /* attach subquery, lookup existing or make a new one */
|
|
|
ac9274 |
- fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
|
|
|
ac9274 |
- if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime, valrec,
|
|
|
ac9274 |
- &subq)) {
|
|
|
ac9274 |
- return 0;
|
|
|
ac9274 |
- }
|
|
|
ac9274 |
+ if(detached) {
|
|
|
ac9274 |
+ struct mesh_state* sub = NULL;
|
|
|
ac9274 |
+ fptr_ok(fptr_whitelist_modenv_add_sub(
|
|
|
ac9274 |
+ qstate->env->add_sub));
|
|
|
ac9274 |
+ if(!(*qstate->env->add_sub)(qstate, &qinf,
|
|
|
ac9274 |
+ qflags, prime, valrec, &subq, &sub)){
|
|
|
ac9274 |
+ return 0;
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
+ else {
|
|
|
ac9274 |
+ /* attach subquery, lookup existing or make a new one */
|
|
|
ac9274 |
+ fptr_ok(fptr_whitelist_modenv_attach_sub(
|
|
|
ac9274 |
+ qstate->env->attach_sub));
|
|
|
ac9274 |
+ if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime,
|
|
|
ac9274 |
+ valrec, &subq)) {
|
|
|
ac9274 |
+ return 0;
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
*subq_ret = subq;
|
|
|
ac9274 |
if(subq) {
|
|
|
ac9274 |
/* initialise the new subquery */
|
|
|
ac9274 |
@@ -669,6 +700,7 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
|
|
|
ac9274 |
subiq->target_count = iq->target_count;
|
|
|
ac9274 |
if(iq->target_count)
|
|
|
ac9274 |
iq->target_count[0] ++; /* extra reference */
|
|
|
ac9274 |
+ subiq->dp_target_count = 0;
|
|
|
ac9274 |
subiq->num_current_queries = 0;
|
|
|
ac9274 |
subiq->depth = iq->depth+1;
|
|
|
ac9274 |
outbound_list_init(&subiq->outlist);
|
|
|
ac9274 |
@@ -712,7 +744,7 @@ prime_root(struct module_qstate* qstate, struct iter_qstate* iq, int id,
|
|
|
ac9274 |
* the normal INIT state logic (which would cause an infloop). */
|
|
|
ac9274 |
if(!generate_sub_request((uint8_t*)"\000", 1, LDNS_RR_TYPE_NS,
|
|
|
ac9274 |
qclass, qstate, id, iq, QUERYTARGETS_STATE, PRIME_RESP_STATE,
|
|
|
ac9274 |
- &subq, 0)) {
|
|
|
ac9274 |
+ &subq, 0, 0)) {
|
|
|
ac9274 |
verbose(VERB_ALGO, "could not prime root");
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
@@ -797,7 +829,7 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq, int id,
|
|
|
ac9274 |
* redundant INIT state processing. */
|
|
|
ac9274 |
if(!generate_sub_request(stub_dp->name, stub_dp->namelen,
|
|
|
ac9274 |
LDNS_RR_TYPE_NS, qclass, qstate, id, iq,
|
|
|
ac9274 |
- QUERYTARGETS_STATE, PRIME_RESP_STATE, &subq, 0)) {
|
|
|
ac9274 |
+ QUERYTARGETS_STATE, PRIME_RESP_STATE, &subq, 0, 0)) {
|
|
|
ac9274 |
verbose(VERB_ALGO, "could not prime stub");
|
|
|
ac9274 |
(void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
|
|
ac9274 |
return 1; /* return 1 to make module stop, with error */
|
|
|
ac9274 |
@@ -878,7 +910,7 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
ac9274 |
if(!generate_sub_request(s->rk.dname, s->rk.dname_len,
|
|
|
ac9274 |
ntohs(s->rk.type), ntohs(s->rk.rrset_class),
|
|
|
ac9274 |
qstate, id, iq,
|
|
|
ac9274 |
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
|
|
|
ac9274 |
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
|
|
|
ac9274 |
verbose(VERB_ALGO, "could not generate addr check");
|
|
|
ac9274 |
return;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
@@ -919,7 +951,7 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
|
|
|
ac9274 |
iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
|
|
|
ac9274 |
if(!generate_sub_request(iq->dp->name, iq->dp->namelen,
|
|
|
ac9274 |
LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
|
|
|
ac9274 |
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
|
|
|
ac9274 |
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
|
|
|
ac9274 |
verbose(VERB_ALGO, "could not generate ns check");
|
|
|
ac9274 |
return;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
@@ -976,7 +1008,7 @@ generate_dnskey_prefetch(struct module_qstate* qstate,
|
|
|
ac9274 |
iq->dp->name, LDNS_RR_TYPE_DNSKEY, iq->qchase.qclass);
|
|
|
ac9274 |
if(!generate_sub_request(iq->dp->name, iq->dp->namelen,
|
|
|
ac9274 |
LDNS_RR_TYPE_DNSKEY, iq->qchase.qclass, qstate, id, iq,
|
|
|
ac9274 |
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) {
|
|
|
ac9274 |
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) {
|
|
|
ac9274 |
/* we'll be slower, but it'll work */
|
|
|
ac9274 |
verbose(VERB_ALGO, "could not generate dnskey prefetch");
|
|
|
ac9274 |
return;
|
|
|
ac9274 |
@@ -1150,6 +1182,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
ac9274 |
iq->refetch_glue = 0;
|
|
|
ac9274 |
iq->query_restart_count++;
|
|
|
ac9274 |
iq->sent_count = 0;
|
|
|
ac9274 |
+ iq->dp_target_count = 0;
|
|
|
ac9274 |
sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region);
|
|
|
ac9274 |
if(qstate->env->cfg->qname_minimisation)
|
|
|
ac9274 |
iq->minimisation_state = INIT_MINIMISE_STATE;
|
|
|
ac9274 |
@@ -1468,7 +1501,7 @@ generate_parentside_target_query(struct module_qstate* qstate,
|
|
|
ac9274 |
{
|
|
|
ac9274 |
struct module_qstate* subq;
|
|
|
ac9274 |
if(!generate_sub_request(name, namelen, qtype, qclass, qstate,
|
|
|
ac9274 |
- id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0))
|
|
|
ac9274 |
+ id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0))
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
if(subq) {
|
|
|
ac9274 |
struct iter_qstate* subiq =
|
|
|
ac9274 |
@@ -1519,7 +1552,7 @@ generate_target_query(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
ac9274 |
{
|
|
|
ac9274 |
struct module_qstate* subq;
|
|
|
ac9274 |
if(!generate_sub_request(name, namelen, qtype, qclass, qstate,
|
|
|
ac9274 |
- id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0))
|
|
|
ac9274 |
+ id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0))
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
log_nametypeclass(VERB_QUERY, "new target", name, qtype, qclass);
|
|
|
ac9274 |
return 1;
|
|
|
ac9274 |
@@ -1558,6 +1591,14 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
ac9274 |
"number of glue fetches %d", s, iq->target_count[1]);
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
+ if(iq->dp_target_count > MAX_DP_TARGET_COUNT) {
|
|
|
ac9274 |
+ char s[LDNS_MAX_DOMAINLEN+1];
|
|
|
ac9274 |
+ dname_str(qstate->qinfo.qname, s);
|
|
|
ac9274 |
+ verbose(VERB_QUERY, "request %s has exceeded the maximum "
|
|
|
ac9274 |
+ "number of glue fetches %d to a single delegation point",
|
|
|
ac9274 |
+ s, iq->dp_target_count);
|
|
|
ac9274 |
+ return 0;
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
|
|
|
ac9274 |
iter_mark_cycle_targets(qstate, iq->dp);
|
|
|
ac9274 |
missing = (int)delegpt_count_missing_targets(iq->dp);
|
|
|
ac9274 |
@@ -1670,7 +1711,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
ac9274 |
for(a = p->target_list; a; a=a->next_target) {
|
|
|
ac9274 |
(void)delegpt_add_addr(iq->dp, qstate->region,
|
|
|
ac9274 |
&a->addr, a->addrlen, a->bogus,
|
|
|
ac9274 |
- a->lame);
|
|
|
ac9274 |
+ a->lame, NULL);
|
|
|
ac9274 |
}
|
|
|
ac9274 |
}
|
|
|
ac9274 |
iq->dp->has_parent_side_NS = 1;
|
|
|
ac9274 |
@@ -1687,6 +1728,7 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
ac9274 |
iq->refetch_glue = 1;
|
|
|
ac9274 |
iq->query_restart_count++;
|
|
|
ac9274 |
iq->sent_count = 0;
|
|
|
ac9274 |
+ iq->dp_target_count = 0;
|
|
|
ac9274 |
if(qstate->env->cfg->qname_minimisation)
|
|
|
ac9274 |
iq->minimisation_state = INIT_MINIMISE_STATE;
|
|
|
ac9274 |
return next_state(iq, INIT_REQUEST_STATE);
|
|
|
ac9274 |
@@ -1841,7 +1883,7 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id)
|
|
|
ac9274 |
iq->dsns_point, LDNS_RR_TYPE_NS, iq->qchase.qclass);
|
|
|
ac9274 |
if(!generate_sub_request(iq->dsns_point, iq->dsns_point_len,
|
|
|
ac9274 |
LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
|
|
|
ac9274 |
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0)) {
|
|
|
ac9274 |
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 0, 0)) {
|
|
|
ac9274 |
return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
|
|
|
ac9274 |
}
|
|
|
ac9274 |
|
|
|
ac9274 |
@@ -1893,6 +1935,15 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
ac9274 |
"number of sends with %d", iq->sent_count);
|
|
|
ac9274 |
return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
|
|
ac9274 |
}
|
|
|
8db6ed |
+
|
|
|
ac9274 |
+ if(iq->target_count && iq->target_count[2] > MAX_TARGET_NX) {
|
|
|
ac9274 |
+ verbose(VERB_QUERY, "request has exceeded the maximum "
|
|
|
ac9274 |
+ " number of nxdomain nameserver lookups with %d",
|
|
|
ac9274 |
+ iq->target_count[2]);
|
|
|
ac9274 |
+ errinf(qstate, "exceeded the maximum nameserver nxdomains");
|
|
|
ac9274 |
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
+
|
|
|
ac9274 |
|
|
|
ac9274 |
/* Make sure we have a delegation point, otherwise priming failed
|
|
|
ac9274 |
* or another failure occurred */
|
|
|
8db6ed |
@@ -1920,6 +1971,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
8db6ed |
* generated query will immediately be discarded due to depth and
|
|
|
8db6ed |
* that servfail is cached, which is not good as opportunism goes. */
|
|
|
8db6ed |
if(iq->depth < ie->max_dependency_depth
|
|
|
8db6ed |
+ && iq->num_target_queries == 0
|
|
|
8db6ed |
+ && (!iq->target_count || iq->target_count[2]==0)
|
|
|
8db6ed |
&& iq->sent_count < TARGET_FETCH_STOP) {
|
|
|
8db6ed |
tf_policy = ie->target_fetch_policy[iq->depth];
|
|
|
8db6ed |
}
|
|
|
8db6ed |
@@ -1957,6 +2010,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
8db6ed |
iq->num_current_queries++; /* RespState decrements it*/
|
|
|
8db6ed |
iq->referral_count++; /* make sure we don't loop */
|
|
|
8db6ed |
iq->sent_count = 0;
|
|
|
8db6ed |
+ iq->dp_target_count = 0;
|
|
|
8db6ed |
iq->state = QUERY_RESP_STATE;
|
|
|
8db6ed |
return 1;
|
|
|
8db6ed |
}
|
|
|
8db6ed |
@@ -2041,6 +2095,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
8db6ed |
iq->num_current_queries++; /* RespState decrements it*/
|
|
|
8db6ed |
iq->referral_count++; /* make sure we don't loop */
|
|
|
8db6ed |
iq->sent_count = 0;
|
|
|
8db6ed |
+ iq->dp_target_count = 0;
|
|
|
8db6ed |
iq->state = QUERY_RESP_STATE;
|
|
|
8db6ed |
return 1;
|
|
|
8db6ed |
}
|
|
|
8db6ed |
@@ -2160,12 +2215,41 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
ac9274 |
iq->qinfo_out.qtype, iq->qinfo_out.qclass,
|
|
|
ac9274 |
qstate->query_flags, qstate->region,
|
|
|
ac9274 |
qstate->env->scratch);
|
|
|
ac9274 |
- if(msg && msg->rep->an_numrrsets == 0
|
|
|
ac9274 |
- && FLAGS_GET_RCODE(msg->rep->flags) ==
|
|
|
ac9274 |
+ if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
|
|
|
ac9274 |
LDNS_RCODE_NOERROR)
|
|
|
ac9274 |
/* no need to send query if it is already
|
|
|
ac9274 |
- * cached as NOERROR/NODATA */
|
|
|
ac9274 |
+ * cached as NOERROR */
|
|
|
ac9274 |
return 1;
|
|
|
ac9274 |
+ if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
|
|
|
ac9274 |
+ LDNS_RCODE_NXDOMAIN &&
|
|
|
ac9274 |
+ qstate->env->need_to_validate &&
|
|
|
ac9274 |
+ qstate->env->cfg->harden_below_nxdomain) {
|
|
|
ac9274 |
+ if(msg->rep->security == sec_status_secure) {
|
|
|
ac9274 |
+ iq->response = msg;
|
|
|
ac9274 |
+ return final_state(iq);
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
+ if(msg->rep->security == sec_status_unchecked) {
|
|
|
ac9274 |
+ struct module_qstate* subq = NULL;
|
|
|
ac9274 |
+ if(!generate_sub_request(
|
|
|
ac9274 |
+ iq->qinfo_out.qname,
|
|
|
ac9274 |
+ iq->qinfo_out.qname_len,
|
|
|
ac9274 |
+ iq->qinfo_out.qtype,
|
|
|
ac9274 |
+ iq->qinfo_out.qclass,
|
|
|
ac9274 |
+ qstate, id, iq,
|
|
|
ac9274 |
+ INIT_REQUEST_STATE,
|
|
|
ac9274 |
+ FINISHED_STATE, &subq, 1, 1))
|
|
|
ac9274 |
+ verbose(VERB_ALGO,
|
|
|
ac9274 |
+ "could not validate NXDOMAIN "
|
|
|
ac9274 |
+ "response");
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
+ if(msg && FLAGS_GET_RCODE(msg->rep->flags) ==
|
|
|
ac9274 |
+ LDNS_RCODE_NXDOMAIN) {
|
|
|
ac9274 |
+ /* return and add a label in the next
|
|
|
ac9274 |
+ * minimisation iteration.
|
|
|
ac9274 |
+ */
|
|
|
ac9274 |
+ return 1;
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
}
|
|
|
ac9274 |
}
|
|
|
ac9274 |
if(iq->minimisation_state == SKIP_MINIMISE_STATE) {
|
|
|
8db6ed |
@@ -2216,6 +2300,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
ac9274 |
outbound_list_insert(&iq->outlist, outq);
|
|
|
ac9274 |
iq->num_current_queries++;
|
|
|
ac9274 |
iq->sent_count++;
|
|
|
ac9274 |
+ iq->dp_target_count = 0;
|
|
|
ac9274 |
qstate->ext_state[id] = module_wait_reply;
|
|
|
ac9274 |
|
|
|
ac9274 |
return 0;
|
|
|
8db6ed |
@@ -2404,7 +2489,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
ac9274 |
/* Make subrequest to validate intermediate
|
|
|
ac9274 |
* NXDOMAIN if harden-below-nxdomain is
|
|
|
ac9274 |
* enabled. */
|
|
|
ac9274 |
- if(qstate->env->cfg->harden_below_nxdomain) {
|
|
|
ac9274 |
+ if(qstate->env->cfg->harden_below_nxdomain &&
|
|
|
ac9274 |
+ qstate->env->need_to_validate) {
|
|
|
ac9274 |
struct module_qstate* subq = NULL;
|
|
|
ac9274 |
log_query_info(VERB_QUERY,
|
|
|
ac9274 |
"schedule NXDOMAIN validation:",
|
|
|
8db6ed |
@@ -2416,7 +2502,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
ac9274 |
iq->response->qinfo.qclass,
|
|
|
ac9274 |
qstate, id, iq,
|
|
|
ac9274 |
INIT_REQUEST_STATE,
|
|
|
ac9274 |
- FINISHED_STATE, &subq, 1))
|
|
|
ac9274 |
+ FINISHED_STATE, &subq, 1, 1))
|
|
|
ac9274 |
verbose(VERB_ALGO,
|
|
|
ac9274 |
"could not validate NXDOMAIN "
|
|
|
ac9274 |
"response");
|
|
|
8db6ed |
@@ -2499,6 +2585,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
ac9274 |
/* Count this as a referral. */
|
|
|
ac9274 |
iq->referral_count++;
|
|
|
ac9274 |
iq->sent_count = 0;
|
|
|
ac9274 |
+ iq->dp_target_count = 0;
|
|
|
ac9274 |
/* see if the next dp is a trust anchor, or a DS was sent
|
|
|
ac9274 |
* along, indicating dnssec is expected for next zone */
|
|
|
ac9274 |
iq->dnssec_expected = iter_indicates_dnssec(qstate->env,
|
|
|
8db6ed |
@@ -2576,6 +2663,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
|
|
8db6ed |
/* Note the query restart. */
|
|
|
8db6ed |
iq->query_restart_count++;
|
|
|
8db6ed |
iq->sent_count = 0;
|
|
|
8db6ed |
+ iq->dp_target_count = 0;
|
|
|
8db6ed |
|
|
|
8db6ed |
/* stop current outstanding queries.
|
|
|
8db6ed |
* FIXME: should the outstanding queries be waited for and
|
|
|
8db6ed |
@@ -2739,7 +2827,7 @@ processPrimeResponse(struct module_qstate* qstate, int id)
|
|
|
ac9274 |
if(!generate_sub_request(qstate->qinfo.qname,
|
|
|
ac9274 |
qstate->qinfo.qname_len, qstate->qinfo.qtype,
|
|
|
ac9274 |
qstate->qinfo.qclass, qstate, id, iq,
|
|
|
ac9274 |
- INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
|
|
|
ac9274 |
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1, 0)) {
|
|
|
ac9274 |
verbose(VERB_ALGO, "could not generate prime check");
|
|
|
ac9274 |
}
|
|
|
ac9274 |
generate_a_aaaa_check(qstate, iq, id);
|
|
|
8db6ed |
@@ -2767,6 +2855,7 @@ static void
|
|
|
ac9274 |
processTargetResponse(struct module_qstate* qstate, int id,
|
|
|
ac9274 |
struct module_qstate* forq)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
+ struct iter_env* ie = (struct iter_env*)qstate->env->modinfo[id];
|
|
|
ac9274 |
struct iter_qstate* iq = (struct iter_qstate*)qstate->minfo[id];
|
|
|
ac9274 |
struct iter_qstate* foriq = (struct iter_qstate*)forq->minfo[id];
|
|
|
ac9274 |
struct ub_packed_rrset_key* rrset;
|
|
|
8db6ed |
@@ -2804,7 +2893,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
|
|
|
ac9274 |
log_rrset_key(VERB_ALGO, "add parentside glue to dp",
|
|
|
ac9274 |
iq->pside_glue);
|
|
|
ac9274 |
if(!delegpt_add_rrset(foriq->dp, forq->region,
|
|
|
ac9274 |
- iq->pside_glue, 1))
|
|
|
ac9274 |
+ iq->pside_glue, 1, NULL))
|
|
|
ac9274 |
log_err("out of memory adding pside glue");
|
|
|
ac9274 |
}
|
|
|
ac9274 |
|
|
|
8db6ed |
@@ -2815,6 +2904,7 @@ processTargetResponse(struct module_qstate* qstate, int id,
|
|
|
ac9274 |
* response type was ANSWER. */
|
|
|
ac9274 |
rrset = reply_find_answer_rrset(&iq->qchase, qstate->return_msg->rep);
|
|
|
ac9274 |
if(rrset) {
|
|
|
ac9274 |
+ int additions = 0;
|
|
|
ac9274 |
/* if CNAMEs have been followed - add new NS to delegpt. */
|
|
|
ac9274 |
/* BTW. RFC 1918 says NS should not have got CNAMEs. Robust. */
|
|
|
ac9274 |
if(!delegpt_find_ns(foriq->dp, rrset->rk.dname,
|
|
|
8db6ed |
@@ -2826,13 +2916,23 @@ processTargetResponse(struct module_qstate* qstate, int id,
|
|
|
ac9274 |
}
|
|
|
ac9274 |
/* if dpns->lame then set the address(es) lame too */
|
|
|
ac9274 |
if(!delegpt_add_rrset(foriq->dp, forq->region, rrset,
|
|
|
ac9274 |
- dpns->lame))
|
|
|
ac9274 |
+ dpns->lame, &additions))
|
|
|
ac9274 |
log_err("out of memory adding targets");
|
|
|
ac9274 |
+ if(!additions) {
|
|
|
ac9274 |
+ /* no new addresses, increase the nxns counter, like
|
|
|
ac9274 |
+ * this could be a list of wildcards with no new
|
|
|
ac9274 |
+ * addresses */
|
|
|
ac9274 |
+ target_count_increase_nx(foriq, 1);
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
verbose(VERB_ALGO, "added target response");
|
|
|
ac9274 |
delegpt_log(VERB_ALGO, foriq->dp);
|
|
|
ac9274 |
} else {
|
|
|
ac9274 |
verbose(VERB_ALGO, "iterator TargetResponse failed");
|
|
|
ac9274 |
+ delegpt_mark_neg(dpns, qstate->qinfo.qtype);
|
|
|
ac9274 |
dpns->resolved = 1; /* fail the target */
|
|
|
ac9274 |
+ if((dpns->got4 == 2 || !ie->supports_ipv4) &&
|
|
|
ac9274 |
+ (dpns->got6 == 2 || !ie->supports_ipv6))
|
|
|
ac9274 |
+ target_count_increase_nx(foriq, 1);
|
|
|
ac9274 |
}
|
|
|
ac9274 |
}
|
|
|
ac9274 |
|
|
|
8db6ed |
@@ -3003,7 +3103,7 @@ processCollectClass(struct module_qstate* qstate, int id)
|
|
|
ac9274 |
qstate->qinfo.qname_len, qstate->qinfo.qtype,
|
|
|
ac9274 |
c, qstate, id, iq, INIT_REQUEST_STATE,
|
|
|
ac9274 |
FINISHED_STATE, &subq,
|
|
|
ac9274 |
- (int)!(qstate->query_flags&BIT_CD))) {
|
|
|
ac9274 |
+ (int)!(qstate->query_flags&BIT_CD), 0)) {
|
|
|
ac9274 |
return error_response(qstate, id,
|
|
|
ac9274 |
LDNS_RCODE_SERVFAIL);
|
|
|
ac9274 |
}
|
|
|
ac9274 |
diff --git a/iterator/iterator.h b/iterator/iterator.h
|
|
|
ac9274 |
index 75aafee..3534b5c 100644
|
|
|
ac9274 |
--- a/iterator/iterator.h
|
|
|
ac9274 |
+++ b/iterator/iterator.h
|
|
|
ac9274 |
@@ -55,6 +55,11 @@ struct rbtree_type;
|
|
|
ac9274 |
|
|
|
ac9274 |
/** max number of targets spawned for a query and its subqueries */
|
|
|
ac9274 |
#define MAX_TARGET_COUNT 64
|
|
|
ac9274 |
+/** max number of target lookups per qstate, per delegation point */
|
|
|
ac9274 |
+#define MAX_DP_TARGET_COUNT 16
|
|
|
ac9274 |
+/** max number of nxdomains allowed for target lookups for a query and
|
|
|
ac9274 |
+ * its subqueries */
|
|
|
ac9274 |
+#define MAX_TARGET_NX 5
|
|
|
ac9274 |
/** max number of query restarts. Determines max number of CNAME chain. */
|
|
|
ac9274 |
#define MAX_RESTART_COUNT 8
|
|
|
ac9274 |
/** max number of referrals. Makes sure resolver does not run away */
|
|
|
ac9274 |
@@ -305,9 +310,14 @@ struct iter_qstate {
|
|
|
ac9274 |
int sent_count;
|
|
|
ac9274 |
|
|
|
ac9274 |
/** number of target queries spawned in [1], for this query and its
|
|
|
ac9274 |
- * subqueries, the malloced-array is shared, [0] refcount. */
|
|
|
ac9274 |
+ * subqueries, the malloced-array is shared, [0] refcount.
|
|
|
ac9274 |
+ * in [2] the number of nxdomains is counted. */
|
|
|
ac9274 |
int* target_count;
|
|
|
ac9274 |
|
|
|
ac9274 |
+ /** number of target lookups per delegation point. Reset to 0 after
|
|
|
ac9274 |
+ * receiving referral answer. Not shared with subqueries. */
|
|
|
ac9274 |
+ int dp_target_count;
|
|
|
ac9274 |
+
|
|
|
ac9274 |
/** if true, already tested for ratelimiting and passed the test */
|
|
|
ac9274 |
int ratelimit_ok;
|
|
|
ac9274 |
|
|
|
ac9274 |
diff --git a/services/cache/dns.c b/services/cache/dns.c
|
|
|
ac9274 |
index da43c50..ce138f1 100644
|
|
|
ac9274 |
--- a/services/cache/dns.c
|
|
|
ac9274 |
+++ b/services/cache/dns.c
|
|
|
ac9274 |
@@ -223,7 +223,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass,
|
|
|
ac9274 |
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
|
|
|
ac9274 |
ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
|
|
|
ac9274 |
if(akey) {
|
|
|
ac9274 |
- if(!delegpt_add_rrset_A(dp, region, akey, 0)) {
|
|
|
ac9274 |
+ if(!delegpt_add_rrset_A(dp, region, akey, 0, NULL)) {
|
|
|
ac9274 |
lock_rw_unlock(&akey->entry.lock);
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
@@ -243,7 +243,7 @@ find_add_addrs(struct module_env* env, uint16_t qclass,
|
|
|
ac9274 |
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
|
|
|
ac9274 |
ns->namelen, LDNS_RR_TYPE_AAAA, qclass, 0, now, 0);
|
|
|
ac9274 |
if(akey) {
|
|
|
ac9274 |
- if(!delegpt_add_rrset_AAAA(dp, region, akey, 0)) {
|
|
|
ac9274 |
+ if(!delegpt_add_rrset_AAAA(dp, region, akey, 0, NULL)) {
|
|
|
ac9274 |
lock_rw_unlock(&akey->entry.lock);
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
@@ -277,7 +277,8 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
|
|
|
ac9274 |
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
|
|
|
ac9274 |
ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0);
|
|
|
ac9274 |
if(akey) {
|
|
|
ac9274 |
- if(!delegpt_add_rrset_A(dp, region, akey, ns->lame)) {
|
|
|
ac9274 |
+ if(!delegpt_add_rrset_A(dp, region, akey, ns->lame,
|
|
|
ac9274 |
+ NULL)) {
|
|
|
ac9274 |
lock_rw_unlock(&akey->entry.lock);
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
@@ -297,7 +298,8 @@ cache_fill_missing(struct module_env* env, uint16_t qclass,
|
|
|
ac9274 |
akey = rrset_cache_lookup(env->rrset_cache, ns->name,
|
|
|
ac9274 |
ns->namelen, LDNS_RR_TYPE_AAAA, qclass, 0, now, 0);
|
|
|
ac9274 |
if(akey) {
|
|
|
ac9274 |
- if(!delegpt_add_rrset_AAAA(dp, region, akey, ns->lame)) {
|
|
|
ac9274 |
+ if(!delegpt_add_rrset_AAAA(dp, region, akey, ns->lame,
|
|
|
ac9274 |
+ NULL)) {
|
|
|
ac9274 |
lock_rw_unlock(&akey->entry.lock);
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
diff --git a/util/data/dname.c b/util/data/dname.c
|
|
|
ac9274 |
index 517af28..a80a4e2 100644
|
|
|
ac9274 |
--- a/util/data/dname.c
|
|
|
ac9274 |
+++ b/util/data/dname.c
|
|
|
ac9274 |
@@ -231,17 +231,28 @@ int
|
|
|
ac9274 |
dname_pkt_compare(sldns_buffer* pkt, uint8_t* d1, uint8_t* d2)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
uint8_t len1, len2;
|
|
|
ac9274 |
+ int count1 = 0, count2 = 0;
|
|
|
ac9274 |
log_assert(pkt && d1 && d2);
|
|
|
ac9274 |
len1 = *d1++;
|
|
|
ac9274 |
len2 = *d2++;
|
|
|
ac9274 |
while( len1 != 0 || len2 != 0 ) {
|
|
|
ac9274 |
/* resolve ptrs */
|
|
|
ac9274 |
if(LABEL_IS_PTR(len1)) {
|
|
|
ac9274 |
+ if((size_t)PTR_OFFSET(len1, *d1)
|
|
|
ac9274 |
+ >= sldns_buffer_limit(pkt))
|
|
|
ac9274 |
+ return -1;
|
|
|
ac9274 |
+ if(count1++ > MAX_COMPRESS_PTRS)
|
|
|
ac9274 |
+ return -1;
|
|
|
ac9274 |
d1 = sldns_buffer_at(pkt, PTR_OFFSET(len1, *d1));
|
|
|
ac9274 |
len1 = *d1++;
|
|
|
ac9274 |
continue;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
if(LABEL_IS_PTR(len2)) {
|
|
|
ac9274 |
+ if((size_t)PTR_OFFSET(len2, *d2)
|
|
|
ac9274 |
+ >= sldns_buffer_limit(pkt))
|
|
|
ac9274 |
+ return 1;
|
|
|
ac9274 |
+ if(count2++ > MAX_COMPRESS_PTRS)
|
|
|
ac9274 |
+ return 1;
|
|
|
ac9274 |
d2 = sldns_buffer_at(pkt, PTR_OFFSET(len2, *d2));
|
|
|
ac9274 |
len2 = *d2++;
|
|
|
ac9274 |
continue;
|
|
|
ac9274 |
@@ -276,6 +287,7 @@ dname_query_hash(uint8_t* dname, hashvalue_type h)
|
|
|
ac9274 |
uint8_t labuf[LDNS_MAX_LABELLEN+1];
|
|
|
ac9274 |
uint8_t lablen;
|
|
|
ac9274 |
int i;
|
|
|
ac9274 |
+ int count = 0;
|
|
|
ac9274 |
|
|
|
ac9274 |
/* preserve case of query, make hash label by label */
|
|
|
ac9274 |
lablen = *dname++;
|
|
|
ac9274 |
@@ -333,6 +345,9 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
|
|
|
ac9274 |
while(lablen) {
|
|
|
ac9274 |
if(LABEL_IS_PTR(lablen)) {
|
|
|
ac9274 |
/* follow pointer */
|
|
|
ac9274 |
+ if((size_t)PTR_OFFSET(lablen, *dname)
|
|
|
ac9274 |
+ >= sldns_buffer_limit(pkt))
|
|
|
ac9274 |
+ return;
|
|
|
ac9274 |
dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
|
|
|
ac9274 |
lablen = *dname++;
|
|
|
ac9274 |
continue;
|
|
|
ac9274 |
@@ -357,6 +372,7 @@ void dname_pkt_copy(sldns_buffer* pkt, uint8_t* to, uint8_t* dname)
|
|
|
ac9274 |
void dname_print(FILE* out, struct sldns_buffer* pkt, uint8_t* dname)
|
|
|
ac9274 |
{
|
|
|
ac9274 |
uint8_t lablen;
|
|
|
ac9274 |
+ int count = 0;
|
|
|
ac9274 |
if(!out) out = stdout;
|
|
|
ac9274 |
if(!dname) return;
|
|
|
ac9274 |
|
|
|
ac9274 |
@@ -370,6 +386,15 @@ void dname_print(FILE* out, struct sldns_buffer* pkt, uint8_t* dname)
|
|
|
ac9274 |
fputs("??compressionptr??", out);
|
|
|
ac9274 |
return;
|
|
|
ac9274 |
}
|
|
|
ac9274 |
+ if((size_t)PTR_OFFSET(lablen, *dname)
|
|
|
ac9274 |
+ >= sldns_buffer_limit(pkt)) {
|
|
|
ac9274 |
+ fputs("??compressionptr??", out);
|
|
|
ac9274 |
+ return;
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
+ if(count++ > MAX_COMPRESS_PTRS) {
|
|
|
ac9274 |
+ fputs("??compressionptr??", out);
|
|
|
ac9274 |
+ return;
|
|
|
ac9274 |
+ }
|
|
|
ac9274 |
dname = sldns_buffer_at(pkt, PTR_OFFSET(lablen, *dname));
|
|
|
ac9274 |
lablen = *dname++;
|
|
|
ac9274 |
continue;
|
|
|
ac9274 |
diff --git a/util/data/msgparse.c b/util/data/msgparse.c
|
|
|
ac9274 |
index 2887200..783f3a7 100644
|
|
|
ac9274 |
--- a/util/data/msgparse.c
|
|
|
ac9274 |
+++ b/util/data/msgparse.c
|
|
|
ac9274 |
@@ -55,7 +55,11 @@ smart_compare(sldns_buffer* pkt, uint8_t* dnow,
|
|
|
ac9274 |
{
|
|
|
ac9274 |
if(LABEL_IS_PTR(*dnow)) {
|
|
|
ac9274 |
/* ptr points to a previous dname */
|
|
|
ac9274 |
- uint8_t* p = sldns_buffer_at(pkt, PTR_OFFSET(dnow[0], dnow[1]));
|
|
|
ac9274 |
+ uint8_t* p;
|
|
|
ac9274 |
+ if((size_t)PTR_OFFSET(dnow[0], dnow[1])
|
|
|
ac9274 |
+ >= sldns_buffer_limit(pkt))
|
|
|
ac9274 |
+ return -1;
|
|
|
ac9274 |
+ p = sldns_buffer_at(pkt, PTR_OFFSET(dnow[0], dnow[1]));
|
|
|
ac9274 |
if( p == dprfirst || p == dprlast )
|
|
|
ac9274 |
return 0;
|
|
|
ac9274 |
/* prev dname is also a ptr, both ptrs are the same. */
|