You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

4199 lines
158 KiB

  1. /*
  2. * This file is part of PowerDNS or dnsdist.
  3. * Copyright -- PowerDNS.COM B.V. and its contributors
  4. *
  5. * This program is free software; you can redistribute it and/or modify
  6. * it under the terms of version 2 of the GNU General Public License as
  7. * published by the Free Software Foundation.
  8. *
  9. * In addition, for the avoidance of any doubt, permission is granted to
  10. * link this program with OpenSSL and to (re)distribute the binaries
  11. * produced as the result of such linking.
  12. *
  13. * This program is distributed in the hope that it will be useful,
  14. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  16. * GNU General Public License for more details.
  17. *
  18. * You should have received a copy of the GNU General Public License
  19. * along with this program; if not, write to the Free Software
  20. * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21. */
  22. #ifdef HAVE_CONFIG_H
  23. #include "config.h"
  24. #endif
  25. #include "arguments.hh"
  26. #include "cachecleaner.hh"
  27. #include "dns_random.hh"
  28. #include "dnsparser.hh"
  29. #include "dnsrecords.hh"
  30. #include "ednssubnet.hh"
  31. #include "logger.hh"
  32. #include "lua-recursor4.hh"
  33. #include "rec-lua-conf.hh"
  34. #include "syncres.hh"
  35. #include "dnsseckeeper.hh"
  36. #include "validate-recursor.hh"
  37. thread_local SyncRes::ThreadLocalStorage SyncRes::t_sstorage;
  38. thread_local std::unique_ptr<addrringbuf_t> t_timeouts;
  39. std::unordered_set<DNSName> SyncRes::s_delegationOnly;
  40. std::unique_ptr<NetmaskGroup> SyncRes::s_dontQuery{nullptr};
  41. NetmaskGroup SyncRes::s_ednslocalsubnets;
  42. NetmaskGroup SyncRes::s_ednsremotesubnets;
  43. SuffixMatchNode SyncRes::s_ednsdomains;
  44. EDNSSubnetOpts SyncRes::s_ecsScopeZero;
  45. string SyncRes::s_serverID;
  46. SyncRes::LogMode SyncRes::s_lm;
  47. const std::unordered_set<uint16_t> SyncRes::s_redirectionQTypes = {QType::CNAME, QType::DNAME};
  48. unsigned int SyncRes::s_maxnegttl;
  49. unsigned int SyncRes::s_maxbogusttl;
  50. unsigned int SyncRes::s_maxcachettl;
  51. unsigned int SyncRes::s_maxqperq;
  52. unsigned int SyncRes::s_maxnsaddressqperq;
  53. unsigned int SyncRes::s_maxtotusec;
  54. unsigned int SyncRes::s_maxdepth;
  55. unsigned int SyncRes::s_minimumTTL;
  56. unsigned int SyncRes::s_minimumECSTTL;
  57. unsigned int SyncRes::s_packetcachettl;
  58. unsigned int SyncRes::s_packetcacheservfailttl;
  59. unsigned int SyncRes::s_serverdownmaxfails;
  60. unsigned int SyncRes::s_serverdownthrottletime;
  61. unsigned int SyncRes::s_ecscachelimitttl;
  62. std::atomic<uint64_t> SyncRes::s_authzonequeries;
  63. std::atomic<uint64_t> SyncRes::s_queries;
  64. std::atomic<uint64_t> SyncRes::s_outgoingtimeouts;
  65. std::atomic<uint64_t> SyncRes::s_outgoing4timeouts;
  66. std::atomic<uint64_t> SyncRes::s_outgoing6timeouts;
  67. std::atomic<uint64_t> SyncRes::s_outqueries;
  68. std::atomic<uint64_t> SyncRes::s_tcpoutqueries;
  69. std::atomic<uint64_t> SyncRes::s_throttledqueries;
  70. std::atomic<uint64_t> SyncRes::s_dontqueries;
  71. std::atomic<uint64_t> SyncRes::s_qnameminfallbacksuccess;
  72. std::atomic<uint64_t> SyncRes::s_nodelegated;
  73. std::atomic<uint64_t> SyncRes::s_unreachables;
  74. std::atomic<uint64_t> SyncRes::s_ecsqueries;
  75. std::atomic<uint64_t> SyncRes::s_ecsresponses;
  76. std::map<uint8_t, std::atomic<uint64_t>> SyncRes::s_ecsResponsesBySubnetSize4;
  77. std::map<uint8_t, std::atomic<uint64_t>> SyncRes::s_ecsResponsesBySubnetSize6;
  78. uint8_t SyncRes::s_ecsipv4limit;
  79. uint8_t SyncRes::s_ecsipv6limit;
  80. uint8_t SyncRes::s_ecsipv4cachelimit;
  81. uint8_t SyncRes::s_ecsipv6cachelimit;
  82. bool SyncRes::s_doIPv4;
  83. bool SyncRes::s_doIPv6;
  84. bool SyncRes::s_nopacketcache;
  85. bool SyncRes::s_rootNXTrust;
  86. bool SyncRes::s_noEDNS;
  87. bool SyncRes::s_qnameminimization;
  88. SyncRes::HardenNXD SyncRes::s_hardenNXD;
  89. #define LOG(x) if(d_lm == Log) { g_log <<Logger::Warning << x; } else if(d_lm == Store) { d_trace << x; }
  90. static void accountAuthLatency(int usec, int family)
  91. {
  92. if(family == AF_INET) {
  93. if(usec < 1000)
  94. g_stats.auth4Answers0_1++;
  95. else if(usec < 10000)
  96. g_stats.auth4Answers1_10++;
  97. else if(usec < 100000)
  98. g_stats.auth4Answers10_100++;
  99. else if(usec < 1000000)
  100. g_stats.auth4Answers100_1000++;
  101. else
  102. g_stats.auth4AnswersSlow++;
  103. } else {
  104. if(usec < 1000)
  105. g_stats.auth6Answers0_1++;
  106. else if(usec < 10000)
  107. g_stats.auth6Answers1_10++;
  108. else if(usec < 100000)
  109. g_stats.auth6Answers10_100++;
  110. else if(usec < 1000000)
  111. g_stats.auth6Answers100_1000++;
  112. else
  113. g_stats.auth6AnswersSlow++;
  114. }
  115. }
  116. SyncRes::SyncRes(const struct timeval& now) : d_authzonequeries(0), d_outqueries(0), d_tcpoutqueries(0), d_throttledqueries(0), d_timeouts(0), d_unreachables(0),
  117. d_totUsec(0), d_now(now),
  118. d_cacheonly(false), d_doDNSSEC(false), d_doEDNS0(false), d_qNameMinimization(s_qnameminimization), d_lm(s_lm)
  119. {
  120. }
  121. /** everything begins here - this is the entry point just after receiving a packet */
  122. int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qclass, vector<DNSRecord>&ret, unsigned int depth)
  123. {
  124. vState state = vState::Indeterminate;
  125. s_queries++;
  126. d_wasVariable=false;
  127. d_wasOutOfBand=false;
  128. if (doSpecialNamesResolve(qname, qtype, qclass, ret)) {
  129. d_queryValidationState = vState::Insecure; // this could fool our stats into thinking a validation took place
  130. return 0; // so do check before updating counters (we do now)
  131. }
  132. auto qtypeCode = qtype.getCode();
  133. /* rfc6895 section 3.1 */
  134. if (qtypeCode == 0 || (qtypeCode >= 128 && qtypeCode <= 254) || qtypeCode == QType::RRSIG || qtypeCode == QType::NSEC3 || qtypeCode == QType::OPT || qtypeCode == 65535) {
  135. return -1;
  136. }
  137. if(qclass==QClass::ANY)
  138. qclass=QClass::IN;
  139. else if(qclass!=QClass::IN)
  140. return -1;
  141. set<GetBestNSAnswer> beenthere;
  142. int res=doResolve(qname, qtype, ret, depth, beenthere, state);
  143. d_queryValidationState = state;
  144. if (shouldValidate()) {
  145. if (d_queryValidationState != vState::Indeterminate) {
  146. g_stats.dnssecValidations++;
  147. }
  148. increaseDNSSECStateCounter(d_queryValidationState);
  149. }
  150. return res;
  151. }
  152. /*! Handles all special, built-in names
  153. * Fills ret with an answer and returns true if it handled the query.
  154. *
  155. * Handles the following queries (and their ANY variants):
  156. *
  157. * - localhost. IN A
  158. * - localhost. IN AAAA
  159. * - 1.0.0.127.in-addr.arpa. IN PTR
  160. * - 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. IN PTR
  161. * - version.bind. CH TXT
  162. * - version.pdns. CH TXT
  163. * - id.server. CH TXT
  164. * - trustanchor.server CH TXT
  165. * - negativetrustanchor.server CH TXT
  166. */
  167. bool SyncRes::doSpecialNamesResolve(const DNSName &qname, const QType &qtype, const uint16_t qclass, vector<DNSRecord> &ret)
  168. {
  169. static const DNSName arpa("1.0.0.127.in-addr.arpa."), ip6_arpa("1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa."),
  170. localhost("localhost."), versionbind("version.bind."), idserver("id.server."), versionpdns("version.pdns."), trustanchorserver("trustanchor.server."),
  171. negativetrustanchorserver("negativetrustanchor.server.");
  172. bool handled = false;
  173. vector<pair<QType::typeenum, string> > answers;
  174. if ((qname == arpa || qname == ip6_arpa) &&
  175. qclass == QClass::IN) {
  176. handled = true;
  177. if (qtype == QType::PTR || qtype == QType::ANY)
  178. answers.push_back({QType::PTR, "localhost."});
  179. }
  180. if (qname == localhost &&
  181. qclass == QClass::IN) {
  182. handled = true;
  183. if (qtype == QType::A || qtype == QType::ANY)
  184. answers.push_back({QType::A, "127.0.0.1"});
  185. if (qtype == QType::AAAA || qtype == QType::ANY)
  186. answers.push_back({QType::AAAA, "::1"});
  187. }
  188. if ((qname == versionbind || qname == idserver || qname == versionpdns) &&
  189. qclass == QClass::CHAOS) {
  190. handled = true;
  191. if (qtype == QType::TXT || qtype == QType::ANY) {
  192. if(qname == versionbind || qname == versionpdns)
  193. answers.push_back({QType::TXT, "\""+::arg()["version-string"]+"\""});
  194. else if (s_serverID != "disabled")
  195. answers.push_back({QType::TXT, "\""+s_serverID+"\""});
  196. }
  197. }
  198. if (qname == trustanchorserver && qclass == QClass::CHAOS &&
  199. ::arg().mustDo("allow-trust-anchor-query")) {
  200. handled = true;
  201. if (qtype == QType::TXT || qtype == QType::ANY) {
  202. auto luaLocal = g_luaconfs.getLocal();
  203. for (auto const &dsAnchor : luaLocal->dsAnchors) {
  204. ostringstream ans;
  205. ans<<"\"";
  206. ans<<dsAnchor.first.toString(); // Explicit toString to have a trailing dot
  207. for (auto const &dsRecord : dsAnchor.second) {
  208. ans<<" ";
  209. ans<<dsRecord.d_tag;
  210. }
  211. ans << "\"";
  212. answers.push_back({QType::TXT, ans.str()});
  213. }
  214. }
  215. }
  216. if (qname == negativetrustanchorserver && qclass == QClass::CHAOS &&
  217. ::arg().mustDo("allow-trust-anchor-query")) {
  218. handled = true;
  219. if (qtype == QType::TXT || qtype == QType::ANY) {
  220. auto luaLocal = g_luaconfs.getLocal();
  221. for (auto const &negAnchor : luaLocal->negAnchors) {
  222. ostringstream ans;
  223. ans<<"\"";
  224. ans<<negAnchor.first.toString(); // Explicit toString to have a trailing dot
  225. if (negAnchor.second.length())
  226. ans<<" "<<negAnchor.second;
  227. ans << "\"";
  228. answers.push_back({QType::TXT, ans.str()});
  229. }
  230. }
  231. }
  232. if (handled && !answers.empty()) {
  233. ret.clear();
  234. d_wasOutOfBand=true;
  235. DNSRecord dr;
  236. dr.d_name = qname;
  237. dr.d_place = DNSResourceRecord::ANSWER;
  238. dr.d_class = qclass;
  239. dr.d_ttl = 86400;
  240. for (const auto& ans : answers) {
  241. dr.d_type = ans.first;
  242. dr.d_content = DNSRecordContent::mastermake(ans.first, qclass, ans.second);
  243. ret.push_back(dr);
  244. }
  245. }
  246. return handled;
  247. }
  248. //! This is the 'out of band resolver', in other words, the authoritative server
  249. void SyncRes::AuthDomain::addSOA(std::vector<DNSRecord>& records) const
  250. {
  251. SyncRes::AuthDomain::records_t::const_iterator ziter = d_records.find(boost::make_tuple(getName(), QType::SOA));
  252. if (ziter != d_records.end()) {
  253. DNSRecord dr = *ziter;
  254. dr.d_place = DNSResourceRecord::AUTHORITY;
  255. records.push_back(dr);
  256. }
  257. else {
  258. // cerr<<qname<<": can't find SOA record '"<<getName()<<"' in our zone!"<<endl;
  259. }
  260. }
  261. int SyncRes::AuthDomain::getRecords(const DNSName& qname, uint16_t qtype, std::vector<DNSRecord>& records) const
  262. {
  263. int result = RCode::NoError;
  264. records.clear();
  265. // partial lookup
  266. std::pair<records_t::const_iterator,records_t::const_iterator> range = d_records.equal_range(tie(qname));
  267. SyncRes::AuthDomain::records_t::const_iterator ziter;
  268. bool somedata = false;
  269. for(ziter = range.first; ziter != range.second; ++ziter) {
  270. somedata = true;
  271. if(qtype == QType::ANY || ziter->d_type == qtype || ziter->d_type == QType::CNAME) {
  272. // let rest of nameserver do the legwork on this one
  273. records.push_back(*ziter);
  274. }
  275. else if (ziter->d_type == QType::NS && ziter->d_name.countLabels() > getName().countLabels()) {
  276. // we hit a delegation point!
  277. DNSRecord dr = *ziter;
  278. dr.d_place=DNSResourceRecord::AUTHORITY;
  279. records.push_back(dr);
  280. }
  281. }
  282. if (!records.empty()) {
  283. /* We have found an exact match, we're done */
  284. // cerr<<qname<<": exact match in zone '"<<getName()<<"'"<<endl;
  285. return result;
  286. }
  287. if (somedata) {
  288. /* We have records for that name, but not of the wanted qtype */
  289. // cerr<<qname<<": found record in '"<<getName()<<"', but nothing of the right type, sending SOA"<<endl;
  290. addSOA(records);
  291. return result;
  292. }
  293. // cerr<<qname<<": nothing found so far in '"<<getName()<<"', trying wildcards"<<endl;
  294. DNSName wcarddomain(qname);
  295. while(wcarddomain != getName() && wcarddomain.chopOff()) {
  296. // cerr<<qname<<": trying '*."<<wcarddomain<<"' in "<<getName()<<endl;
  297. range = d_records.equal_range(boost::make_tuple(g_wildcarddnsname + wcarddomain));
  298. if (range.first==range.second)
  299. continue;
  300. for(ziter = range.first; ziter != range.second; ++ziter) {
  301. DNSRecord dr = *ziter;
  302. // if we hit a CNAME, just answer that - rest of recursor will do the needful & follow
  303. if(dr.d_type == qtype || qtype == QType::ANY || dr.d_type == QType::CNAME) {
  304. dr.d_name = qname;
  305. dr.d_place = DNSResourceRecord::ANSWER;
  306. records.push_back(dr);
  307. }
  308. }
  309. if (records.empty()) {
  310. addSOA(records);
  311. }
  312. // cerr<<qname<<": in '"<<getName()<<"', had wildcard match on '*."<<wcarddomain<<"'"<<endl;
  313. return result;
  314. }
  315. /* Nothing for this name, no wildcard, let's see if there is some NS */
  316. DNSName nsdomain(qname);
  317. while (nsdomain.chopOff() && nsdomain != getName()) {
  318. range = d_records.equal_range(boost::make_tuple(nsdomain,QType::NS));
  319. if(range.first == range.second)
  320. continue;
  321. for(ziter = range.first; ziter != range.second; ++ziter) {
  322. DNSRecord dr = *ziter;
  323. dr.d_place = DNSResourceRecord::AUTHORITY;
  324. records.push_back(dr);
  325. }
  326. }
  327. if(records.empty()) {
  328. // cerr<<qname<<": no NS match in zone '"<<getName()<<"' either, handing out SOA"<<endl;
  329. addSOA(records);
  330. result = RCode::NXDomain;
  331. }
  332. return result;
  333. }
  334. bool SyncRes::doOOBResolve(const AuthDomain& domain, const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, int& res)
  335. {
  336. d_authzonequeries++;
  337. s_authzonequeries++;
  338. res = domain.getRecords(qname, qtype.getCode(), ret);
  339. return true;
  340. }
  341. bool SyncRes::doOOBResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int& res)
  342. {
  343. string prefix;
  344. if(doLog()) {
  345. prefix=d_prefix;
  346. prefix.append(depth, ' ');
  347. }
  348. DNSName authdomain(qname);
  349. domainmap_t::const_iterator iter=getBestAuthZone(&authdomain);
  350. if(iter==t_sstorage.domainmap->end() || !iter->second.isAuth()) {
  351. LOG(prefix<<qname<<": auth storage has no zone for this query!"<<endl);
  352. return false;
  353. }
  354. LOG(prefix<<qname<<": auth storage has data, zone='"<<authdomain<<"'"<<endl);
  355. return doOOBResolve(iter->second, qname, qtype, ret, res);
  356. }
  357. bool SyncRes::isRecursiveForwardOrAuth(const DNSName &qname) const {
  358. DNSName authname(qname);
  359. domainmap_t::const_iterator iter = getBestAuthZone(&authname);
  360. return iter != t_sstorage.domainmap->end() && (iter->second.isAuth() || iter->second.shouldRecurse());
  361. }
  362. uint64_t SyncRes::doEDNSDump(int fd)
  363. {
  364. int newfd = dup(fd);
  365. if (newfd == -1) {
  366. return 0;
  367. }
  368. auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(newfd, "w"), fclose);
  369. if (!fp) {
  370. close(newfd);
  371. return 0;
  372. }
  373. uint64_t count = 0;
  374. fprintf(fp.get(),"; edns from thread follows\n;\n");
  375. for(const auto& eds : t_sstorage.ednsstatus) {
  376. count++;
  377. char tmp[26];
  378. fprintf(fp.get(), "%s\t%d\t%s", eds.address.toString().c_str(), (int)eds.mode, ctime_r(&eds.modeSetAt, tmp));
  379. }
  380. return count;
  381. }
  382. uint64_t SyncRes::doDumpNSSpeeds(int fd)
  383. {
  384. int newfd = dup(fd);
  385. if (newfd == -1) {
  386. return 0;
  387. }
  388. auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(newfd, "w"), fclose);
  389. if (!fp) {
  390. close(newfd);
  391. return 0;
  392. }
  393. fprintf(fp.get(), "; nsspeed dump from thread follows\n;\n");
  394. uint64_t count=0;
  395. for(const auto& i : t_sstorage.nsSpeeds)
  396. {
  397. count++;
  398. // an <empty> can appear hear in case of authoritative (hosted) zones
  399. fprintf(fp.get(), "%s -> ", i.first.toLogString().c_str());
  400. for(const auto& j : i.second.d_collection)
  401. {
  402. // typedef vector<pair<ComboAddress, DecayingEwma> > collection_t;
  403. fprintf(fp.get(), "%s/%f ", j.first.toString().c_str(), j.second.peek());
  404. }
  405. fprintf(fp.get(), "\n");
  406. }
  407. return count;
  408. }
  409. uint64_t SyncRes::doDumpThrottleMap(int fd)
  410. {
  411. int newfd = dup(fd);
  412. if (newfd == -1) {
  413. return 0;
  414. }
  415. auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(newfd, "w"), fclose);
  416. if (!fp) {
  417. close(newfd);
  418. return 0;
  419. }
  420. fprintf(fp.get(), "; throttle map dump follows\n");
  421. fprintf(fp.get(), "; remote IP\tqname\tqtype\tcount\tttd\n");
  422. uint64_t count=0;
  423. const auto& throttleMap = t_sstorage.throttle.getThrottleMap();
  424. for(const auto& i : throttleMap)
  425. {
  426. count++;
  427. char tmp[26];
  428. // remote IP, dns name, qtype, count, ttd
  429. fprintf(fp.get(), "%s\t%s\t%d\t%u\t%s", i.thing.get<0>().toString().c_str(), i.thing.get<1>().toLogString().c_str(), i.thing.get<2>(), i.count, ctime_r(&i.ttd, tmp));
  430. }
  431. return count;
  432. }
  433. uint64_t SyncRes::doDumpFailedServers(int fd)
  434. {
  435. int newfd = dup(fd);
  436. if (newfd == -1) {
  437. return 0;
  438. }
  439. auto fp = std::unique_ptr<FILE, int(*)(FILE*)>(fdopen(newfd, "w"), fclose);
  440. if (!fp) {
  441. close(newfd);
  442. return 0;
  443. }
  444. fprintf(fp.get(), "; failed servers dump follows\n");
  445. fprintf(fp.get(), "; remote IP\tcount\ttimestamp\n");
  446. uint64_t count=0;
  447. for(const auto& i : t_sstorage.fails.getMap())
  448. {
  449. count++;
  450. char tmp[26];
  451. ctime_r(&i.last, tmp);
  452. fprintf(fp.get(), "%s\t%lld\t%s", i.address.toString().c_str(),
  453. static_cast<long long>(i.value), tmp);
  454. }
  455. return count;
  456. }
  457. /* so here is the story. First we complete the full resolution process for a domain name. And only THEN do we decide
  458. to also do DNSSEC validation, which leads to new queries. To make this simple, we *always* ask for DNSSEC records
  459. so that if there are RRSIGs for a name, we'll have them.
  460. However, some hosts simply can't answer questions which ask for DNSSEC. This can manifest itself as:
  461. * No answer
  462. * FormErr
  463. * Nonsense answer
  464. The cause of "No answer" may be fragmentation, and it is tempting to probe if smaller answers would get through.
  465. Another cause of "No answer" may simply be a network condition.
  466. Nonsense answers are a clearer indication this host won't be able to do DNSSEC evah.
  467. Previous implementations have suffered from turning off DNSSEC questions for an authoritative server based on timeouts.
  468. A clever idea is to only turn off DNSSEC if we know a domain isn't signed anyhow. The problem with that really
  469. clever idea however is that at this point in PowerDNS, we may simply not know that yet. All the DNSSEC thinking happens
  470. elsewhere. It may not have happened yet.
  471. For now this means we can't be clever, but will turn off DNSSEC if you reply with FormError or gibberish.
  472. */
  473. int SyncRes::asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, const DNSName& auth, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res, bool* chained) const
  474. {
  475. /* what is your QUEST?
  476. the goal is to get as many remotes as possible on the highest level of EDNS support
  477. The levels are:
  478. 0) UNKNOWN Unknown state
  479. 1) EDNS: Honors EDNS0
  480. 2) EDNSIGNORANT: Ignores EDNS0, gives replies without EDNS0
  481. 3) NOEDNS: Generates FORMERR on EDNS queries
  482. Everybody starts out assumed to be '0'.
  483. If '0', send out EDNS0
  484. If you FORMERR us, go to '3',
  485. If no EDNS in response, go to '2'
  486. If '1', send out EDNS0
  487. If FORMERR, downgrade to 3
  488. If '2', keep on including EDNS0, see what happens
  489. Same behaviour as 0
  490. If '3', send bare queries
  491. */
  492. auto ednsstatus = t_sstorage.ednsstatus.insert(ip).first; // does this include port? YES
  493. auto &ind = t_sstorage.ednsstatus.get<ComboAddress>();
  494. if (ednsstatus->modeSetAt && ednsstatus->modeSetAt + 3600 < d_now.tv_sec) {
  495. t_sstorage.ednsstatus.reset(ind, ednsstatus);
  496. // cerr<<"Resetting EDNS Status for "<<ip.toString()<<endl);
  497. }
  498. const SyncRes::EDNSStatus::EDNSMode *mode = &ednsstatus->mode;
  499. const SyncRes::EDNSStatus::EDNSMode oldmode = *mode;
  500. int EDNSLevel = 0;
  501. auto luaconfsLocal = g_luaconfs.getLocal();
  502. ResolveContext ctx;
  503. #ifdef HAVE_PROTOBUF
  504. ctx.d_initialRequestId = d_initialRequestId;
  505. #endif
  506. #ifdef HAVE_FSTRM
  507. ctx.d_auth = auth;
  508. #endif
  509. int ret;
  510. for(int tries = 0; tries < 3; ++tries) {
  511. // cerr<<"Remote '"<<ip.toString()<<"' currently in mode "<<mode<<endl;
  512. if (*mode == EDNSStatus::NOEDNS) {
  513. g_stats.noEdnsOutQueries++;
  514. EDNSLevel = 0; // level != mode
  515. }
  516. else if (ednsMANDATORY || *mode == EDNSStatus::UNKNOWN || *mode == EDNSStatus::EDNSOK || *mode == EDNSStatus::EDNSIGNORANT)
  517. EDNSLevel = 1;
  518. DNSName sendQname(domain);
  519. if (g_lowercaseOutgoing)
  520. sendQname.makeUsLowerCase();
  521. if (d_asyncResolve) {
  522. ret = d_asyncResolve(ip, sendQname, type, doTCP, sendRDQuery, EDNSLevel, now, srcmask, ctx, res, chained);
  523. }
  524. else {
  525. ret=asyncresolve(ip, sendQname, type, doTCP, sendRDQuery, EDNSLevel, now, srcmask, ctx, d_outgoingProtobufServers, d_frameStreamServers, luaconfsLocal->outgoingProtobufExportConfig.exportTypes, res, chained);
  526. }
  527. // ednsstatus might be cleared, so do a new lookup
  528. ednsstatus = t_sstorage.ednsstatus.insert(ip).first;
  529. mode = &ednsstatus->mode;
  530. if(ret < 0) {
  531. return ret; // transport error, nothing to learn here
  532. }
  533. if(ret == 0) { // timeout, not doing anything with it now
  534. return ret;
  535. }
  536. else if (*mode == EDNSStatus::UNKNOWN || *mode == EDNSStatus::EDNSOK || *mode == EDNSStatus::EDNSIGNORANT ) {
  537. if(res->d_validpacket && !res->d_haveEDNS && res->d_rcode == RCode::FormErr) {
  538. // cerr<<"Downgrading to NOEDNS because of "<<RCode::to_s(res->d_rcode)<<" for query to "<<ip.toString()<<" for '"<<domain<<"'"<<endl;
  539. t_sstorage.ednsstatus.setMode(ind, ednsstatus, EDNSStatus::NOEDNS);
  540. continue;
  541. }
  542. else if(!res->d_haveEDNS) {
  543. if (*mode != EDNSStatus::EDNSIGNORANT) {
  544. t_sstorage.ednsstatus.setMode(ind, ednsstatus, EDNSStatus::EDNSIGNORANT);
  545. // cerr<<"We find that "<<ip.toString()<<" is an EDNS-ignorer for '"<<domain<<"', moving to mode 2"<<endl;
  546. }
  547. }
  548. else {
  549. t_sstorage.ednsstatus.setMode(ind, ednsstatus, EDNSStatus::EDNSOK);
  550. // cerr<<"We find that "<<ip.toString()<<" is EDNS OK!"<<endl;
  551. }
  552. }
  553. if (oldmode != *mode || !ednsstatus->modeSetAt)
  554. t_sstorage.ednsstatus.setTS(ind, ednsstatus, d_now.tv_sec);
  555. // cerr<<"Result: ret="<<ret<<", EDNS-level: "<<EDNSLevel<<", haveEDNS: "<<res->d_haveEDNS<<", new mode: "<<mode<<endl;
  556. return ret;
  557. }
  558. return ret;
  559. }
  560. #define QLOG(x) LOG(prefix << " child=" << child << ": " << x << endl)
  561. int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere, vState& state) {
  562. string prefix = d_prefix;
  563. prefix.append(depth, ' ');
  564. auto luaconfsLocal = g_luaconfs.getLocal();
  565. /* Apply qname (including CNAME chain) filtering policies */
  566. if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
  567. if (luaconfsLocal->dfe.getQueryPolicy(qname, d_discardedPolicies, d_appliedPolicy)) {
  568. mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
  569. bool done = false;
  570. int rcode = RCode::NoError;
  571. handlePolicyHit(prefix, qname, qtype, ret, done, rcode, depth);
  572. if (done) {
  573. return rcode;
  574. }
  575. }
  576. }
  577. // In the auth or recursive forward case, it does not make sense to do qname-minimization
  578. if (!getQNameMinimization() || isRecursiveForwardOrAuth(qname)) {
  579. return doResolveNoQNameMinimization(qname, qtype, ret, depth, beenthere, state);
  580. }
  581. // The qname minimization algorithm is a simplified version of the one in RFC 7816 (bis).
  582. // It could be simplified because the cache maintenance (both positive and negative)
  583. // is already done by doResolveNoQNameMinimization().
  584. //
  585. // Sketch of algorithm:
  586. // Check cache
  587. // If result found: done
  588. // Otherwise determine closes ancestor from cache data
  589. // Repeat querying A, adding more labels of the original qname
  590. // If we get a delegation continue at ancestor determination
  591. // Until we have the full name.
  592. //
  593. // The algorithm starts with adding a single label per iteration, and
  594. // moves to three labels per iteration after three iterations.
  595. DNSName child;
  596. prefix.append(string("QM ") + qname.toString() + "|" + qtype.getName());
  597. QLOG("doResolve");
  598. // Look in cache only
  599. vector<DNSRecord> retq;
  600. bool old = setCacheOnly(true);
  601. bool fromCache = false;
  602. // For cache peeking, we tell doResolveNoQNameMinimization not to consider the (non-recursive) forward case.
  603. // Otherwise all queries in a forward domain will be forwarded, while we want to consult the cache.
  604. // The out-of-band cases for doResolveNoQNameMinimization() should be reconsidered and redone some day.
  605. int res = doResolveNoQNameMinimization(qname, qtype, retq, depth, beenthere, state, &fromCache, nullptr, false);
  606. setCacheOnly(old);
  607. if (fromCache) {
  608. QLOG("Step0 Found in cache");
  609. if (d_appliedPolicy.d_type != DNSFilterEngine::PolicyType::None && (d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NXDOMAIN || d_appliedPolicy.d_kind == DNSFilterEngine::PolicyKind::NODATA)) {
  610. ret.clear();
  611. }
  612. ret.insert(ret.end(), retq.begin(), retq.end());
  613. return res;
  614. }
  615. QLOG("Step0 Not cached");
  616. const unsigned int qnamelen = qname.countLabels();
  617. DNSName fwdomain(qname);
  618. const bool forwarded = getBestAuthZone(&fwdomain) != t_sstorage.domainmap->end();
  619. if (forwarded) {
  620. QLOG("Step0 qname is in a forwarded domain " << fwdomain);
  621. }
  622. for (unsigned int i = 0; i <= qnamelen; ) {
  623. // Step 1
  624. vector<DNSRecord> bestns;
  625. DNSName nsdomain(qname);
  626. if (qtype == QType::DS) {
  627. nsdomain.chopOff();
  628. }
  629. // the two retries allow getBestNSFromCache&co to reprime the root
  630. // hints, in case they ever go missing
  631. for (int tries = 0; tries < 2 && bestns.empty(); ++tries) {
  632. bool flawedNSSet = false;
  633. set<GetBestNSAnswer> beenthereIgnored;
  634. getBestNSFromCache(nsdomain, qtype, bestns, &flawedNSSet, depth, beenthereIgnored, boost::make_optional(forwarded, fwdomain));
  635. if (forwarded) {
  636. break;
  637. }
  638. }
  639. if (bestns.size() == 0) {
  640. if (!forwarded) {
  641. // Something terrible is wrong
  642. QLOG("Step1 No ancestor found return ServFail");
  643. return RCode::ServFail;
  644. }
  645. child = fwdomain;
  646. } else {
  647. QLOG("Step1 Ancestor from cache is " << bestns[0].d_name);
  648. if (forwarded) {
  649. child = bestns[0].d_name.isPartOf(fwdomain) ? bestns[0].d_name : fwdomain;
  650. QLOG("Step1 Final Ancestor (using forwarding info) is " << child);
  651. } else {
  652. child = bestns[0].d_name;
  653. }
  654. }
  655. unsigned int targetlen = std::min(child.countLabels() + (i > 3 ? 3 : 1), qnamelen);
  656. for (; i <= qnamelen; i++) {
  657. // Step 2
  658. while (child.countLabels() < targetlen) {
  659. child.prependRawLabel(qname.getRawLabel(qnamelen - child.countLabels() - 1));
  660. }
  661. targetlen += i > 3 ? 3 : 1;
  662. targetlen = std::min(targetlen, qnamelen);
  663. QLOG("Step2 New child");
  664. // Step 3 resolve
  665. if (child == qname) {
  666. QLOG("Step3 Going to do final resolve");
  667. res = doResolveNoQNameMinimization(qname, qtype, ret, depth, beenthere, state);
  668. QLOG("Step3 Final resolve: " << RCode::to_s(res) << "/" << ret.size());
  669. return res;
  670. }
  671. // Step 4
  672. QLOG("Step4 Resolve A for child");
  673. bool oldFollowCNAME = d_followCNAME;
  674. d_followCNAME = false;
  675. retq.resize(0);
  676. StopAtDelegation stopAtDelegation = Stop;
  677. res = doResolveNoQNameMinimization(child, QType::A, retq, depth, beenthere, state, NULL, &stopAtDelegation);
  678. d_followCNAME = oldFollowCNAME;
  679. QLOG("Step4 Resolve A result is " << RCode::to_s(res) << "/" << retq.size() << "/" << stopAtDelegation);
  680. if (stopAtDelegation == Stopped) {
  681. QLOG("Delegation seen, continue at step 1");
  682. break;
  683. }
  684. if (res != RCode::NoError) {
  685. // Case 5: unexpected answer
  686. QLOG("Step5: other rcode, last effort final resolve");
  687. setQNameMinimization(false);
  688. // We might have hit a depth level check, but we still want to allow some recursion levels in the fallback
  689. // no-qname-minimization case. This has the effect that a qname minimization fallback case might reach 150% of
  690. // maxdepth.
  691. res = doResolveNoQNameMinimization(qname, qtype, ret, depth/2, beenthere, state);
  692. if(res == RCode::NoError) {
  693. s_qnameminfallbacksuccess++;
  694. }
  695. QLOG("Step5 End resolve: " << RCode::to_s(res) << "/" << ret.size());
  696. return res;
  697. }
  698. }
  699. }
  700. // Should not be reached
  701. QLOG("Max iterations reached, return ServFail");
  702. return RCode::ServFail;
  703. }
  704. /*! This function will check the cache and go out to the internet if the answer is not in cache
  705. *
  706. * \param qname The name we need an answer for
  707. * \param qtype
  708. * \param ret The vector of DNSRecords we need to fill with the answers
  709. * \param depth The recursion depth we are in
  710. * \param beenthere
  711. * \param fromCache tells the caller the result came from the cache, may be nullptr
  712. * \param stopAtDelegation if non-nullptr and pointed-to value is Stop requests the callee to stop at a delegation, if so pointed-to value is set to Stopped
  713. * \return DNS RCODE or -1 (Error)
  714. */
  715. int SyncRes::doResolveNoQNameMinimization(const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, set<GetBestNSAnswer>& beenthere, vState& state, bool *fromCache, StopAtDelegation *stopAtDelegation, bool considerforwards)
  716. {
  717. string prefix;
  718. if(doLog()) {
  719. prefix=d_prefix;
  720. prefix.append(depth, ' ');
  721. }
  722. LOG(prefix<<qname<<": Wants "<< (d_doDNSSEC ? "" : "NO ") << "DNSSEC processing, "<<(d_requireAuthData ? "" : "NO ")<<"auth data in query for "<<qtype.getName()<<endl);
  723. state = vState::Indeterminate;
  724. if (s_maxdepth && depth > s_maxdepth) {
  725. string msg = "More than " + std::to_string(s_maxdepth) + " (max-recursion-depth) levels of recursion needed while resolving " + qname.toLogString();
  726. LOG(prefix << qname << ": " << msg << endl);
  727. throw ImmediateServFailException(msg);
  728. }
  729. int res=0;
  730. // This is a difficult way of expressing "this is a normal query", i.e. not getRootNS.
  731. if(!(d_updatingRootNS && qtype.getCode()==QType::NS && qname.isRoot())) {
  732. if(d_cacheonly) { // very limited OOB support
  733. LWResult lwr;
  734. LOG(prefix<<qname<<": Recursion not requested for '"<<qname<<"|"<<qtype.getName()<<"', peeking at auth/forward zones"<<endl);
  735. DNSName authname(qname);
  736. domainmap_t::const_iterator iter=getBestAuthZone(&authname);
  737. if(iter != t_sstorage.domainmap->end()) {
  738. if(iter->second.isAuth()) {
  739. ret.clear();
  740. d_wasOutOfBand = doOOBResolve(qname, qtype, ret, depth, res);
  741. if (fromCache)
  742. *fromCache = d_wasOutOfBand;
  743. return res;
  744. }
  745. else if (considerforwards) {
  746. const vector<ComboAddress>& servers = iter->second.d_servers;
  747. const ComboAddress remoteIP = servers.front();
  748. LOG(prefix<<qname<<": forwarding query to hardcoded nameserver '"<< remoteIP.toStringWithPort()<<"' for zone '"<<authname<<"'"<<endl);
  749. boost::optional<Netmask> nm;
  750. bool chained = false;
  751. res=asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, authname, qtype.getCode(), false, false, &d_now, nm, &lwr, &chained);
  752. d_totUsec += lwr.d_usec;
  753. accountAuthLatency(lwr.d_usec, remoteIP.sin4.sin_family);
  754. if (fromCache)
  755. *fromCache = true;
  756. // filter out the good stuff from lwr.result()
  757. if (res == 1) {
  758. for(const auto& rec : lwr.d_records) {
  759. if(rec.d_place == DNSResourceRecord::ANSWER)
  760. ret.push_back(rec);
  761. }
  762. return 0;
  763. }
  764. else {
  765. return RCode::ServFail;
  766. }
  767. }
  768. }
  769. }
  770. DNSName authname(qname);
  771. bool wasForwardedOrAuthZone = false;
  772. bool wasAuthZone = false;
  773. bool wasForwardRecurse = false;
  774. domainmap_t::const_iterator iter = getBestAuthZone(&authname);
  775. if(iter != t_sstorage.domainmap->end()) {
  776. const auto& domain = iter->second;
  777. wasForwardedOrAuthZone = true;
  778. if (domain.isAuth()) {
  779. wasAuthZone = true;
  780. } else if (domain.shouldRecurse()) {
  781. wasForwardRecurse = true;
  782. }
  783. }
  784. if (doCNAMECacheCheck(qname, qtype, ret, depth, res, state, wasAuthZone, wasForwardRecurse)) { // will reroute us if needed
  785. d_wasOutOfBand = wasAuthZone;
  786. // Here we have an issue. If we were prevented from going out to the network (cache-only was set, possibly because we
  787. // are in QM Step0) we might have a CNAME but not the corresponding target.
  788. // It means that we will sometimes go to the next steps when we are in fact done, but that's fine since
  789. // we will get the records from the cache, resulting in a small overhead.
  790. // This might be a real problem if we had a RPZ hit, though, because we do not want the processing to continue, since
  791. // RPZ rules will not be evaluated anymore (we already matched).
  792. const bool stoppedByPolicyHit = d_appliedPolicy.wasHit();
  793. if (fromCache && (!d_cacheonly || stoppedByPolicyHit)) {
  794. *fromCache = true;
  795. }
  796. /* Apply Post filtering policies */
  797. if (d_wantsRPZ && !stoppedByPolicyHit) {
  798. auto luaLocal = g_luaconfs.getLocal();
  799. if (luaLocal->dfe.getPostPolicy(ret, d_discardedPolicies, d_appliedPolicy)) {
  800. mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
  801. bool done = false;
  802. handlePolicyHit(prefix, qname, qtype, ret, done, res, depth);
  803. if (done && fromCache) {
  804. *fromCache = true;
  805. }
  806. }
  807. }
  808. return res;
  809. }
  810. if (doCacheCheck(qname, authname, wasForwardedOrAuthZone, wasAuthZone, wasForwardRecurse, qtype, ret, depth, res, state)) {
  811. // we done
  812. d_wasOutOfBand = wasAuthZone;
  813. if (fromCache) {
  814. *fromCache = true;
  815. }
  816. if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
  817. auto luaLocal = g_luaconfs.getLocal();
  818. if (luaLocal->dfe.getPostPolicy(ret, d_discardedPolicies, d_appliedPolicy)) {
  819. mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
  820. bool done = false;
  821. handlePolicyHit(prefix, qname, qtype, ret, done, res, depth);
  822. }
  823. }
  824. return res;
  825. }
  826. }
  827. if (d_cacheonly) {
  828. return 0;
  829. }
  830. LOG(prefix<<qname<<": No cache hit for '"<<qname<<"|"<<qtype.getName()<<"', trying to find an appropriate NS record"<<endl);
  831. DNSName subdomain(qname);
  832. if(qtype == QType::DS) subdomain.chopOff();
  833. NsSet nsset;
  834. bool flawedNSSet=false;
  835. /* we use subdomain here instead of qname because for DS queries we only care about the state of the parent zone */
  836. computeZoneCuts(subdomain, g_rootdnsname, depth);
  837. // the two retries allow getBestNSNamesFromCache&co to reprime the root
  838. // hints, in case they ever go missing
  839. for(int tries=0;tries<2 && nsset.empty();++tries) {
  840. subdomain=getBestNSNamesFromCache(subdomain, qtype, nsset, &flawedNSSet, depth, beenthere); // pass beenthere to both occasions
  841. }
  842. state = getValidationStatus(qname, false);
  843. LOG(prefix<<qname<<": initial validation status for "<<qname<<" is "<<state<<endl);
  844. res = doResolveAt(nsset, subdomain, flawedNSSet, qname, qtype, ret, depth, beenthere, state, stopAtDelegation);
  845. /* Apply Post filtering policies */
  846. if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
  847. auto luaLocal = g_luaconfs.getLocal();
  848. if (luaLocal->dfe.getPostPolicy(ret, d_discardedPolicies, d_appliedPolicy)) {
  849. mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
  850. bool done = false;
  851. handlePolicyHit(prefix, qname, qtype, ret, done, res, depth);
  852. }
  853. }
  854. if (!res) {
  855. return 0;
  856. }
  857. LOG(prefix<<qname<<": failed (res="<<res<<")"<<endl);
  858. return res<0 ? RCode::ServFail : res;
  859. }
  860. #if 0
  861. // for testing purposes
  862. static bool ipv6First(const ComboAddress& a, const ComboAddress& b)
  863. {
  864. return !(a.sin4.sin_family < a.sin4.sin_family);
  865. }
  866. #endif
  867. struct speedOrderCA
  868. {
  869. speedOrderCA(std::map<ComboAddress,float>& speeds): d_speeds(speeds) {}
  870. bool operator()(const ComboAddress& a, const ComboAddress& b) const
  871. {
  872. return d_speeds[a] < d_speeds[b];
  873. }
  874. std::map<ComboAddress, float>& d_speeds;
  875. };
  876. /** This function explicitly goes out for A or AAAA addresses
  877. */
  878. vector<ComboAddress> SyncRes::getAddrs(const DNSName &qname, unsigned int depth, set<GetBestNSAnswer>& beenthere, bool cacheOnly, unsigned int& addressQueriesForNS)
  879. {
  880. typedef vector<DNSRecord> res_t;
  881. typedef vector<ComboAddress> ret_t;
  882. ret_t ret;
  883. bool oldCacheOnly = setCacheOnly(cacheOnly);
  884. bool oldRequireAuthData = d_requireAuthData;
  885. bool oldValidationRequested = d_DNSSECValidationRequested;
  886. bool oldFollowCNAME = d_followCNAME;
  887. const unsigned int startqueries = d_outqueries;
  888. d_requireAuthData = false;
  889. d_DNSSECValidationRequested = false;
  890. d_followCNAME = true;
  891. try {
  892. vState newState = vState::Indeterminate;
  893. res_t resv4;
  894. // If IPv4 ever becomes second class, we should revisit this
  895. if (s_doIPv4 && doResolve(qname, QType::A, resv4, depth+1, beenthere, newState) == 0) { // this consults cache, OR goes out
  896. for (auto const &i : resv4) {
  897. if (i.d_type == QType::A) {
  898. if (auto rec = getRR<ARecordContent>(i)) {
  899. ret.push_back(rec->getCA(53));
  900. }
  901. }
  902. }
  903. }
  904. if (s_doIPv6) { // s_doIPv6 **IMPLIES** pdns::isQueryLocalAddressFamilyEnabled(AF_INET6) returned true
  905. if (ret.empty()) {
  906. // We did not find IPv4 addresses, try to get IPv6 ones
  907. newState = vState::Indeterminate;
  908. res_t resv6;
  909. if (doResolve(qname, QType::AAAA, resv6, depth+1, beenthere, newState) == 0) { // this consults cache, OR goes out
  910. for (const auto &i : resv6) {
  911. if (i.d_type == QType::AAAA) {
  912. if (auto rec = getRR<AAAARecordContent>(i))
  913. ret.push_back(rec->getCA(53));
  914. }
  915. }
  916. }
  917. } else {
  918. // We have some IPv4 records, don't bother with going out to get IPv6, but do consult the cache
  919. // Once IPv6 adoption matters, this needs to be revisited
  920. res_t cset;
  921. if (s_RC->get(d_now.tv_sec, qname, QType(QType::AAAA), false, &cset, d_cacheRemote, d_routingTag) > 0) {
  922. for (const auto &i : cset) {
  923. if (i.d_ttl > (unsigned int)d_now.tv_sec ) {
  924. if (auto rec = getRR<AAAARecordContent>(i)) {
  925. ret.push_back(rec->getCA(53));
  926. }
  927. }
  928. }
  929. }
  930. }
  931. }
  932. }
  933. catch (const PolicyHitException& e) {
  934. /* we ignore a policy hit while trying to retrieve the addresses
  935. of a NS and keep processing the current query */
  936. }
  937. if (ret.empty() && d_outqueries > startqueries) {
  938. // We did 1 or more outgoing queries to resolve this NS name but returned empty handed
  939. addressQueriesForNS++;
  940. }
  941. d_requireAuthData = oldRequireAuthData;
  942. d_DNSSECValidationRequested = oldValidationRequested;
  943. setCacheOnly(oldCacheOnly);
  944. d_followCNAME = oldFollowCNAME;
  945. /* we need to remove from the nsSpeeds collection the existing IPs
  946. for this nameserver that are no longer in the set, even if there
  947. is only one or none at all in the current set.
  948. */
  949. map<ComboAddress, float> speeds;
  950. auto& collection = t_sstorage.nsSpeeds[qname];
  951. float factor = collection.getFactor(d_now);
  952. for(const auto& val: ret) {
  953. speeds[val] = collection.d_collection[val].get(factor);
  954. }
  955. t_sstorage.nsSpeeds[qname].purge(speeds);
  956. if(ret.size() > 1) {
  957. shuffle(ret.begin(), ret.end(), pdns::dns_random_engine());
  958. speedOrderCA so(speeds);
  959. stable_sort(ret.begin(), ret.end(), so);
  960. if(doLog()) {
  961. string prefix=d_prefix;
  962. prefix.append(depth, ' ');
  963. LOG(prefix<<"Nameserver "<<qname<<" IPs: ");
  964. bool first = true;
  965. for(const auto& addr : ret) {
  966. if (first) {
  967. first = false;
  968. }
  969. else {
  970. LOG(", ");
  971. }
  972. LOG((addr.toString())<<"(" << (boost::format("%0.2f") % (speeds[addr]/1000.0)).str() <<"ms)");
  973. }
  974. LOG(endl);
  975. }
  976. }
  977. return ret;
  978. }
  979. void SyncRes::getBestNSFromCache(const DNSName &qname, const QType& qtype, vector<DNSRecord>& bestns, bool* flawedNSSet, unsigned int depth, set<GetBestNSAnswer>& beenthere, const boost::optional<DNSName>& cutOffDomain)
  980. {
  981. string prefix;
  982. DNSName subdomain(qname);
  983. if(doLog()) {
  984. prefix=d_prefix;
  985. prefix.append(depth, ' ');
  986. }
  987. bestns.clear();
  988. bool brokeloop;
  989. do {
  990. if (cutOffDomain && (subdomain == *cutOffDomain || !subdomain.isPartOf(*cutOffDomain))) {
  991. break;
  992. }
  993. brokeloop=false;
  994. LOG(prefix<<qname<<": Checking if we have NS in cache for '"<<subdomain<<"'"<<endl);
  995. vector<DNSRecord> ns;
  996. *flawedNSSet = false;
  997. if(s_RC->get(d_now.tv_sec, subdomain, QType(QType::NS), false, &ns, d_cacheRemote, d_routingTag) > 0) {
  998. bestns.reserve(ns.size());
  999. for(auto k=ns.cbegin();k!=ns.cend(); ++k) {
  1000. if(k->d_ttl > (unsigned int)d_now.tv_sec ) {
  1001. vector<DNSRecord> aset;
  1002. QType nsqt{QType::ADDR};
  1003. if (s_doIPv4 && !s_doIPv6) {
  1004. nsqt = QType::A;
  1005. } else if (!s_doIPv4 && s_doIPv6) {
  1006. nsqt = QType::AAAA;
  1007. }
  1008. const DNSRecord& dr=*k;
  1009. auto nrr = getRR<NSRecordContent>(dr);
  1010. if(nrr && (!nrr->getNS().isPartOf(subdomain) || s_RC->get(d_now.tv_sec, nrr->getNS(), nsqt,
  1011. false, doLog() ? &aset : 0, d_cacheRemote, d_routingTag) > 5)) {
  1012. bestns.push_back(dr);
  1013. LOG(prefix<<qname<<": NS (with ip, or non-glue) in cache for '"<<subdomain<<"' -> '"<<nrr->getNS()<<"'"<<endl);
  1014. LOG(prefix<<qname<<": within bailiwick: "<< nrr->getNS().isPartOf(subdomain));
  1015. if(!aset.empty()) {
  1016. LOG(", in cache, ttl="<<(unsigned int)(((time_t)aset.begin()->d_ttl- d_now.tv_sec ))<<endl);
  1017. }
  1018. else {
  1019. LOG(", not in cache / did not look at cache"<<endl);
  1020. }
  1021. }
  1022. else {
  1023. *flawedNSSet=true;
  1024. LOG(prefix<<qname<<": NS in cache for '"<<subdomain<<"', but needs glue ("<<nrr->getNS()<<") which we miss or is expired"<<endl);
  1025. }
  1026. }
  1027. }
  1028. if(!bestns.empty()) {
  1029. GetBestNSAnswer answer;
  1030. answer.qname=qname;
  1031. answer.qtype=qtype.getCode();
  1032. for(const auto& dr : bestns) {
  1033. if (auto nsContent = getRR<NSRecordContent>(dr)) {
  1034. answer.bestns.insert(make_pair(dr.d_name, nsContent->getNS()));
  1035. }
  1036. }
  1037. auto insertionPair = beenthere.insert(std::move(answer));
  1038. if(!insertionPair.second) {
  1039. brokeloop=true;
  1040. LOG(prefix<<qname<<": We have NS in cache for '"<<subdomain<<"' but part of LOOP (already seen "<<answer.qname<<")! Trying less specific NS"<<endl);
  1041. ;
  1042. if(doLog())
  1043. for( set<GetBestNSAnswer>::const_iterator j=beenthere.begin();j!=beenthere.end();++j) {
  1044. bool neo = (j == insertionPair.first);
  1045. LOG(prefix<<qname<<": beenthere"<<(neo?"*":"")<<": "<<j->qname<<"|"<<DNSRecordContent::NumberToType(j->qtype)<<" ("<<(unsigned int)j->bestns.size()<<")"<<endl);
  1046. }
  1047. bestns.clear();
  1048. }
  1049. else {
  1050. LOG(prefix<<qname<<": We have NS in cache for '"<<subdomain<<"' (flawedNSSet="<<*flawedNSSet<<")"<<endl);
  1051. return;
  1052. }
  1053. }
  1054. }
  1055. LOG(prefix<<qname<<": no valid/useful NS in cache for '"<<subdomain<<"'"<<endl);
  1056. if(subdomain.isRoot() && !brokeloop) {
  1057. // We lost the root NS records
  1058. primeHints();
  1059. primeRootNSZones(g_dnssecmode != DNSSECMode::Off, depth);
  1060. LOG(prefix<<qname<<": reprimed the root"<<endl);
  1061. /* let's prevent an infinite loop */
  1062. if (!d_updatingRootNS) {
  1063. getRootNS(d_now, d_asyncResolve, depth);
  1064. }
  1065. }
  1066. } while(subdomain.chopOff());
  1067. }
  1068. SyncRes::domainmap_t::const_iterator SyncRes::getBestAuthZone(DNSName* qname) const
  1069. {
  1070. if (t_sstorage.domainmap->empty()) {
  1071. return t_sstorage.domainmap->end();
  1072. }
  1073. SyncRes::domainmap_t::const_iterator ret;
  1074. do {
  1075. ret=t_sstorage.domainmap->find(*qname);
  1076. if(ret!=t_sstorage.domainmap->end())
  1077. break;
  1078. }while(qname->chopOff());
  1079. return ret;
  1080. }
  1081. /** doesn't actually do the work, leaves that to getBestNSFromCache */
  1082. DNSName SyncRes::getBestNSNamesFromCache(const DNSName &qname, const QType& qtype, NsSet& nsset, bool* flawedNSSet, unsigned int depth, set<GetBestNSAnswer>&beenthere)
  1083. {
  1084. string prefix;
  1085. if (doLog()) {
  1086. prefix = d_prefix;
  1087. prefix.append(depth, ' ');
  1088. }
  1089. DNSName authOrForwDomain(qname);
  1090. domainmap_t::const_iterator iter = getBestAuthZone(&authOrForwDomain);
  1091. // We have an auth, forwarder of forwarder-recurse
  1092. if (iter != t_sstorage.domainmap->end()) {
  1093. if (iter->second.isAuth()) {
  1094. // this gets picked up in doResolveAt, the empty DNSName, combined with the
  1095. // empty vector means 'we are auth for this zone'
  1096. nsset.insert({DNSName(), {{}, false}});
  1097. return authOrForwDomain;
  1098. }
  1099. else {
  1100. if (iter->second.shouldRecurse()) {
  1101. // Again, picked up in doResolveAt. An empty DNSName, combined with a
  1102. // non-empty vector of ComboAddresses means 'this is a forwarded domain'
  1103. // This is actually picked up in retrieveAddressesForNS called from doResolveAt.
  1104. nsset.insert({DNSName(), {iter->second.d_servers, true }});
  1105. return authOrForwDomain;
  1106. }
  1107. }
  1108. }
  1109. // We might have a (non-recursive) forwarder, but maybe the cache already contains
  1110. // a better NS
  1111. vector<DNSRecord> bestns;
  1112. DNSName nsFromCacheDomain(g_rootdnsname);
  1113. getBestNSFromCache(qname, qtype, bestns, flawedNSSet, depth, beenthere);
  1114. // Pick up the auth domain
  1115. for (const auto& k : bestns) {
  1116. const auto nsContent = getRR<NSRecordContent>(k);
  1117. if (nsContent) {
  1118. nsFromCacheDomain = k.d_name;
  1119. break;
  1120. }
  1121. }
  1122. if (iter != t_sstorage.domainmap->end()) {
  1123. if (doLog()) {
  1124. LOG(prefix << qname << " authOrForwDomain: " << authOrForwDomain << " nsFromCacheDomain: " << nsFromCacheDomain << " isPartof: " << authOrForwDomain.isPartOf(nsFromCacheDomain) << endl);
  1125. }
  1126. // If the forwarder is better or equal to what's found in the cache, use forwarder. Note that name.isPartOf(name).
  1127. // So queries that get NS for authOrForwDomain itself go to the forwarder
  1128. if (authOrForwDomain.isPartOf(nsFromCacheDomain)) {
  1129. if (doLog()) {
  1130. LOG(prefix << qname << ": using forwarder as NS" << endl);
  1131. }
  1132. nsset.insert({DNSName(), {iter->second.d_servers, false }});
  1133. return authOrForwDomain;
  1134. } else {
  1135. if (doLog()) {
  1136. LOG(prefix << qname << ": using NS from cache" << endl);
  1137. }
  1138. }
  1139. }
  1140. for (auto k = bestns.cbegin(); k != bestns.cend(); ++k) {
  1141. // The actual resolver code will not even look at the ComboAddress or bool
  1142. const auto nsContent = getRR<NSRecordContent>(*k);
  1143. if (nsContent) {
  1144. nsset.insert({nsContent->getNS(), {{}, false}});
  1145. }
  1146. }
  1147. return nsFromCacheDomain;
  1148. }
  1149. void SyncRes::updateValidationStatusInCache(const DNSName &qname, const QType& qt, bool aa, vState newState) const
  1150. {
  1151. if (qt == QType::ANY || qt == QType::ADDR) {
  1152. // not doing that
  1153. return;
  1154. }
  1155. if (vStateIsBogus(newState)) {
  1156. s_RC->updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, d_routingTag, aa, newState, s_maxbogusttl + d_now.tv_sec);
  1157. }
  1158. else {
  1159. s_RC->updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, d_routingTag, aa, newState, boost::none);
  1160. }
  1161. }
  1162. static bool scanForCNAMELoop(const DNSName& name, const vector<DNSRecord>& records)
  1163. {
  1164. for (const auto& record: records) {
  1165. if (record.d_type == QType::CNAME && record.d_place == DNSResourceRecord::ANSWER) {
  1166. if (name == record.d_name) {
  1167. return true;
  1168. }
  1169. }
  1170. }
  1171. return false;
  1172. }
  1173. bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector<DNSRecord>& ret, unsigned int depth, int &res, vState& state, bool wasAuthZone, bool wasForwardRecurse)
  1174. {
  1175. string prefix;
  1176. if(doLog()) {
  1177. prefix=d_prefix;
  1178. prefix.append(depth, ' ');
  1179. }
  1180. if((depth>9 && d_outqueries>10 && d_throttledqueries>5) || depth > 15) {
  1181. LOG(prefix<<qname<<": recursing (CNAME or other indirection) too deep, depth="<<depth<<endl);
  1182. res=RCode::ServFail;
  1183. return true;
  1184. }
  1185. vector<DNSRecord> cset;
  1186. vector<std::shared_ptr<RRSIGRecordContent>> signatures;
  1187. vector<std::shared_ptr<DNSRecord>> authorityRecs;
  1188. bool wasAuth;
  1189. uint32_t capTTL = std::numeric_limits<uint32_t>::max();
  1190. DNSName foundName;
  1191. QType foundQT = QType(0); // 0 == QTYPE::ENT
  1192. LOG(prefix<<qname<<": Looking for CNAME cache hit of '"<<qname<<"|CNAME"<<"'"<<endl);
  1193. /* we don't require auth data for forward-recurse lookups */
  1194. if (s_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_routingTag, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
  1195. foundName = qname;
  1196. foundQT = QType(QType::CNAME);
  1197. }
  1198. if (foundName.empty() && qname != g_rootdnsname) {
  1199. // look for a DNAME cache hit
  1200. auto labels = qname.getRawLabels();
  1201. DNSName dnameName(g_rootdnsname);
  1202. LOG(prefix<<qname<<": Looking for DNAME cache hit of '"<<qname<<"|DNAME' or its ancestors"<<endl);
  1203. do {
  1204. dnameName.prependRawLabel(labels.back());
  1205. labels.pop_back();
  1206. if (dnameName == qname && qtype != QType::DNAME) { // The client does not want a DNAME, but we've reached the QNAME already. So there is no match
  1207. break;
  1208. }
  1209. if (s_RC->get(d_now.tv_sec, dnameName, QType(QType::DNAME), !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_routingTag, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
  1210. foundName = dnameName;
  1211. foundQT = QType(QType::DNAME);
  1212. break;
  1213. }
  1214. } while(!labels.empty());
  1215. }
  1216. if (foundName.empty()) {
  1217. LOG(prefix<<qname<<": No CNAME or DNAME cache hit of '"<< qname <<"' found"<<endl);
  1218. return false;
  1219. }
  1220. for(auto const &record : cset) {
  1221. if (record.d_class != QClass::IN) {
  1222. continue;
  1223. }
  1224. if(record.d_ttl > (unsigned int) d_now.tv_sec) {
  1225. if (!wasAuthZone && shouldValidate() && (wasAuth || wasForwardRecurse) && state == vState::Indeterminate && d_requireAuthData) {
  1226. /* This means we couldn't figure out the state when this entry was cached,
  1227. most likely because we hadn't computed the zone cuts yet. */
  1228. /* make sure they are computed before validating */
  1229. DNSName subdomain(foundName);
  1230. /* if we are retrieving a DS, we only care about the state of the parent zone */
  1231. if(qtype == QType::DS)
  1232. subdomain.chopOff();
  1233. computeZoneCuts(subdomain, g_rootdnsname, depth);
  1234. vState recordState = getValidationStatus(foundName, false);
  1235. if (recordState == vState::Secure) {
  1236. LOG(prefix<<qname<<": got vState::Indeterminate state from the "<<foundQT.getName()<<" cache, validating.."<<endl);
  1237. state = SyncRes::validateRecordsWithSigs(depth, qname, qtype, foundName, foundQT, cset, signatures);
  1238. if (state != vState::Indeterminate) {
  1239. LOG(prefix<<qname<<": got vState::Indeterminate state from the "<<foundQT.getName()<<" cache, new validation result is "<<state<<endl);
  1240. if (vStateIsBogus(state)) {
  1241. capTTL = s_maxbogusttl;
  1242. }
  1243. updateValidationStatusInCache(foundName, foundQT, wasAuth, state);
  1244. }
  1245. }
  1246. }
  1247. LOG(prefix<<qname<<": Found cache "<<foundQT.getName()<<" hit for '"<< foundName << "|"<<foundQT.getName()<<"' to '"<<record.d_content->getZoneRepresentation()<<"', validation state is "<<state<<endl);
  1248. DNSRecord dr = record;
  1249. dr.d_ttl -= d_now.tv_sec;
  1250. dr.d_ttl = std::min(dr.d_ttl, capTTL);
  1251. const uint32_t ttl = dr.d_ttl;
  1252. ret.reserve(ret.size() + 2 + signatures.size() + authorityRecs.size());
  1253. ret.push_back(dr);
  1254. for(const auto& signature : signatures) {
  1255. DNSRecord sigdr;
  1256. sigdr.d_type=QType::RRSIG;
  1257. sigdr.d_name=foundName;
  1258. sigdr.d_ttl=ttl;
  1259. sigdr.d_content=signature;
  1260. sigdr.d_place=DNSResourceRecord::ANSWER;
  1261. sigdr.d_class=QClass::IN;
  1262. ret.push_back(sigdr);
  1263. }
  1264. for(const auto& rec : authorityRecs) {
  1265. DNSRecord authDR(*rec);
  1266. authDR.d_ttl=ttl;
  1267. ret.push_back(authDR);
  1268. }
  1269. DNSName newTarget;
  1270. if (foundQT == QType::DNAME) {
  1271. if (qtype == QType::DNAME && qname == foundName) { // client wanted the DNAME, no need to synthesize a CNAME
  1272. res = RCode::NoError;
  1273. return true;
  1274. }
  1275. // Synthesize a CNAME
  1276. auto dnameRR = getRR<DNAMERecordContent>(record);
  1277. if (dnameRR == nullptr) {
  1278. throw ImmediateServFailException("Unable to get record content for "+foundName.toLogString()+"|DNAME cache entry");
  1279. }
  1280. const auto& dnameSuffix = dnameRR->getTarget();
  1281. DNSName targetPrefix = qname.makeRelative(foundName);
  1282. try {
  1283. dr.d_type = QType::CNAME;
  1284. dr.d_name = targetPrefix + foundName;
  1285. newTarget = targetPrefix + dnameSuffix;
  1286. dr.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(newTarget));
  1287. ret.push_back(dr);
  1288. } catch (const std::exception &e) {
  1289. // We should probably catch an std::range_error here and set the rcode to YXDOMAIN (RFC 6672, section 2.2)
  1290. // But this is consistent with processRecords
  1291. throw ImmediateServFailException("Unable to perform DNAME substitution(DNAME owner: '" + foundName.toLogString() +
  1292. "', DNAME target: '" + dnameSuffix.toLogString() + "', substituted name: '" +
  1293. targetPrefix.toLogString() + "." + dnameSuffix.toLogString() +
  1294. "' : " + e.what());
  1295. }
  1296. LOG(prefix<<qname<<": Synthesized "<<dr.d_name<<"|CNAME "<<newTarget<<endl);
  1297. }
  1298. if(qtype == QType::CNAME) { // perhaps they really wanted a CNAME!
  1299. res = RCode::NoError;
  1300. return true;
  1301. }
  1302. if (qtype == QType::DS || qtype == QType::DNSKEY) {
  1303. res = RCode::NoError;
  1304. return true;
  1305. }
  1306. // We have a DNAME _or_ CNAME cache hit and the client wants something else than those two.
  1307. // Let's find the answer!
  1308. if (foundQT == QType::CNAME) {
  1309. const auto cnameContent = getRR<CNAMERecordContent>(record);
  1310. if (cnameContent == nullptr) {
  1311. throw ImmediateServFailException("Unable to get record content for "+foundName.toLogString()+"|CNAME cache entry");
  1312. }
  1313. newTarget = cnameContent->getTarget();
  1314. }
  1315. if (qname == newTarget) {
  1316. string msg = "got a CNAME referral (from cache) to self";
  1317. LOG(prefix<<qname<<": "<<msg<<endl);
  1318. throw ImmediateServFailException(msg);
  1319. }
  1320. if (newTarget.isPartOf(qname)) {
  1321. // a.b.c. CNAME x.a.b.c will go to great depths with QM on
  1322. string msg = "got a CNAME referral (from cache) to child, disabling QM";
  1323. LOG(prefix<<qname<<": "<<msg<<endl);
  1324. setQNameMinimization(false);
  1325. }
  1326. if (!d_followCNAME) {
  1327. res = RCode::NoError;
  1328. return true;
  1329. }
  1330. // Check to see if we already have seen the new target as a previous target
  1331. if (scanForCNAMELoop(newTarget, ret)) {
  1332. string msg = "got a CNAME referral (from cache) that causes a loop";
  1333. LOG(prefix<<qname<<": status="<<msg<<endl);
  1334. throw ImmediateServFailException(msg);
  1335. }
  1336. set<GetBestNSAnswer>beenthere;
  1337. vState cnameState = vState::Indeterminate;
  1338. // Be aware that going out on the network might be disabled (cache-only), for example because we are in QM Step0,
  1339. // so you can't trust that a real lookup will have been made.
  1340. res = doResolve(newTarget, qtype, ret, depth+1, beenthere, cnameState);
  1341. LOG(prefix<<qname<<": updating validation state for response to "<<qname<<" from "<<state<<" with the state from the DNAME/CNAME quest: "<<cnameState<<endl);
  1342. updateValidationState(state, cnameState);
  1343. return true;
  1344. }
  1345. }
  1346. throw ImmediateServFailException("Could not determine whether or not there was a CNAME or DNAME in cache for '" + qname.toLogString() + "'");
  1347. }
  1348. namespace {
  1349. struct CacheEntry
  1350. {
  1351. vector<DNSRecord> records;
  1352. vector<shared_ptr<RRSIGRecordContent>> signatures;
  1353. uint32_t signaturesTTL{std::numeric_limits<uint32_t>::max()};
  1354. };
  1355. struct CacheKey
  1356. {
  1357. DNSName name;
  1358. uint16_t type;
  1359. DNSResourceRecord::Place place;
  1360. bool operator<(const CacheKey& rhs) const {
  1361. return tie(type, place, name) < tie(rhs.type, rhs.place, rhs.name);
  1362. }
  1363. };
  1364. typedef map<CacheKey, CacheEntry> tcache_t;
  1365. }
  1366. static void reapRecordsFromNegCacheEntryForValidation(tcache_t& tcache, const vector<DNSRecord>& records)
  1367. {
  1368. for (const auto& rec : records) {
  1369. if (rec.d_type == QType::RRSIG) {
  1370. auto rrsig = getRR<RRSIGRecordContent>(rec);
  1371. if (rrsig) {
  1372. tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signatures.push_back(rrsig);
  1373. }
  1374. } else {
  1375. tcache[{rec.d_name,rec.d_type,rec.d_place}].records.push_back(rec);
  1376. }
  1377. }
  1378. }
  1379. static void reapRecordsForValidation(std::map<uint16_t, CacheEntry>& entries, const vector<DNSRecord>& records)
  1380. {
  1381. for (const auto& rec : records) {
  1382. entries[rec.d_type].records.push_back(rec);
  1383. }
  1384. }
  1385. static void reapSignaturesForValidation(std::map<uint16_t, CacheEntry>& entries, const vector<std::shared_ptr<RRSIGRecordContent>>& signatures)
  1386. {
  1387. for (const auto& sig : signatures) {
  1388. entries[sig->d_type].signatures.push_back(sig);
  1389. }
  1390. }
  1391. /*!
  1392. * Convenience function to push the records from records into ret with a new TTL
  1393. *
  1394. * \param records DNSRecords that need to go into ret
  1395. * \param ttl The new TTL for these records
  1396. * \param ret The vector of DNSRecords that should contain the records with the modified TTL
  1397. */
  1398. static void addTTLModifiedRecords(vector<DNSRecord>& records, const uint32_t ttl, vector<DNSRecord>& ret) {
  1399. for (auto& rec : records) {
  1400. rec.d_ttl = ttl;
  1401. ret.push_back(std::move(rec));
  1402. }
  1403. }
  1404. void SyncRes::computeNegCacheValidationStatus(const NegCache::NegCacheEntry& ne, const DNSName& qname, const QType& qtype, const int res, vState& state, unsigned int depth)
  1405. {
  1406. DNSName subdomain(qname);
  1407. /* if we are retrieving a DS, we only care about the state of the parent zone */
  1408. if(qtype == QType::DS)
  1409. subdomain.chopOff();
  1410. computeZoneCuts(subdomain, g_rootdnsname, depth);
  1411. tcache_t tcache;
  1412. reapRecordsFromNegCacheEntryForValidation(tcache, ne.authoritySOA.records);
  1413. reapRecordsFromNegCacheEntryForValidation(tcache, ne.authoritySOA.signatures);
  1414. reapRecordsFromNegCacheEntryForValidation(tcache, ne.DNSSECRecords.records);
  1415. reapRecordsFromNegCacheEntryForValidation(tcache, ne.DNSSECRecords.signatures);
  1416. for (const auto& entry : tcache) {
  1417. // this happens when we did store signatures, but passed on the records themselves
  1418. if (entry.second.records.empty()) {
  1419. continue;
  1420. }
  1421. const DNSName& owner = entry.first.name;
  1422. vState recordState = getValidationStatus(owner, false);
  1423. if (state == vState::Indeterminate) {
  1424. state = recordState;
  1425. }
  1426. if (recordState == vState::Secure) {
  1427. recordState = SyncRes::validateRecordsWithSigs(depth, qname, qtype, owner, QType(entry.first.type), entry.second.records, entry.second.signatures);
  1428. }
  1429. if (recordState != vState::Indeterminate && recordState != state) {
  1430. updateValidationState(state, recordState);
  1431. if (state != vState::Secure) {
  1432. break;
  1433. }
  1434. }
  1435. }
  1436. if (state == vState::Secure) {
  1437. vState neValidationState = ne.d_validationState;
  1438. dState expectedState = res == RCode::NXDomain ? dState::NXDOMAIN : dState::NXQTYPE;
  1439. dState denialState = getDenialValidationState(ne, state, expectedState, false);
  1440. updateDenialValidationState(neValidationState, ne.d_name, state, denialState, expectedState, qtype == QType::DS || expectedState == dState::NXDOMAIN);
  1441. }
  1442. if (state != vState::Indeterminate) {
  1443. /* validation succeeded, let's update the cache entry so we don't have to validate again */
  1444. boost::optional<uint32_t> capTTD = boost::none;
  1445. if (vStateIsBogus(state)) {
  1446. capTTD = d_now.tv_sec + s_maxbogusttl;
  1447. }
  1448. t_sstorage.negcache.updateValidationStatus(ne.d_name, ne.d_qtype, state, capTTD);
  1449. }
  1450. }
  1451. bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool wasForwardedOrAuthZone, bool wasAuthZone, bool wasForwardRecurse, const QType &qtype, vector<DNSRecord>&ret, unsigned int depth, int &res, vState& state)
  1452. {
  1453. bool giveNegative=false;
  1454. string prefix;
  1455. if(doLog()) {
  1456. prefix=d_prefix;
  1457. prefix.append(depth, ' ');
  1458. }
  1459. // sqname and sqtype are used contain 'higher' names if we have them (e.g. powerdns.com|SOA when we find a negative entry for doesnotexist.powerdns.com|A)
  1460. DNSName sqname(qname);
  1461. QType sqt(qtype);
  1462. uint32_t sttl=0;
  1463. // cout<<"Lookup for '"<<qname<<"|"<<qtype.getName()<<"' -> "<<getLastLabel(qname)<<endl;
  1464. vState cachedState;
  1465. NegCache::NegCacheEntry ne;
  1466. if(s_rootNXTrust &&
  1467. t_sstorage.negcache.getRootNXTrust(qname, d_now, ne) &&
  1468. ne.d_auth.isRoot() &&
  1469. !(wasForwardedOrAuthZone && !authname.isRoot())) { // when forwarding, the root may only neg-cache if it was forwarded to.
  1470. sttl = ne.d_ttd - d_now.tv_sec;
  1471. LOG(prefix<<qname<<": Entire name '"<<qname<<"', is negatively cached via '"<<ne.d_auth<<"' & '"<<ne.d_name<<"' for another "<<sttl<<" seconds"<<endl);
  1472. res = RCode::NXDomain;
  1473. giveNegative = true;
  1474. cachedState = ne.d_validationState;
  1475. } else if (t_sstorage.negcache.get(qname, qtype, d_now, ne)) {
  1476. /* If we are looking for a DS, discard NXD if auth == qname
  1477. and ask for a specific denial instead */
  1478. if (qtype != QType::DS || ne.d_qtype.getCode() || ne.d_auth != qname ||
  1479. t_sstorage.negcache.get(qname, qtype, d_now, ne, true))
  1480. {
  1481. res = RCode::NXDomain;
  1482. sttl = ne.d_ttd - d_now.tv_sec;
  1483. giveNegative = true;
  1484. cachedState = ne.d_validationState;
  1485. if (ne.d_qtype.getCode()) {
  1486. LOG(prefix<<qname<<": "<<qtype.getName()<<" is negatively cached via '"<<ne.d_auth<<"' for another "<<sttl<<" seconds"<<endl);
  1487. res = RCode::NoError;
  1488. } else {
  1489. LOG(prefix<<qname<<": Entire name '"<<qname<<"' is negatively cached via '"<<ne.d_auth<<"' for another "<<sttl<<" seconds"<<endl);
  1490. }
  1491. }
  1492. } else if (s_hardenNXD != HardenNXD::No && !qname.isRoot() && !wasForwardedOrAuthZone) {
  1493. auto labels = qname.getRawLabels();
  1494. DNSName negCacheName(g_rootdnsname);
  1495. negCacheName.prependRawLabel(labels.back());
  1496. labels.pop_back();
  1497. while(!labels.empty()) {
  1498. if (t_sstorage.negcache.get(negCacheName, QType(0), d_now, ne, true)) {
  1499. if (ne.d_validationState == vState::Indeterminate && validationEnabled()) {
  1500. // LOG(prefix << negCacheName << " negatively cached and vState::Indeterminate, trying to validate NXDOMAIN" << endl);
  1501. // ...
  1502. // And get the updated ne struct
  1503. //t_sstorage.negcache.get(negCacheName, QType(0), d_now, ne, true);
  1504. }
  1505. if ((s_hardenNXD == HardenNXD::Yes && !vStateIsBogus(ne.d_validationState)) || ne.d_validationState == vState::Secure) {
  1506. res = RCode::NXDomain;
  1507. sttl = ne.d_ttd - d_now.tv_sec;
  1508. giveNegative = true;
  1509. cachedState = ne.d_validationState;
  1510. LOG(prefix<<qname<<": Name '"<<negCacheName<<"' and below, is negatively cached via '"<<ne.d_auth<<"' for another "<<sttl<<" seconds"<<endl);
  1511. break;
  1512. }
  1513. }
  1514. negCacheName.prependRawLabel(labels.back());
  1515. labels.pop_back();
  1516. }
  1517. }
  1518. if (giveNegative) {
  1519. state = cachedState;
  1520. if (!wasAuthZone && shouldValidate() && state == vState::Indeterminate) {
  1521. LOG(prefix<<qname<<": got vState::Indeterminate state for records retrieved from the negative cache, validating.."<<endl);
  1522. computeNegCacheValidationStatus(ne, qname, qtype, res, state, depth);
  1523. if (state != cachedState && vStateIsBogus(state)) {
  1524. sttl = std::min(sttl, s_maxbogusttl);
  1525. }
  1526. }
  1527. // Transplant SOA to the returned packet
  1528. addTTLModifiedRecords(ne.authoritySOA.records, sttl, ret);
  1529. if(d_doDNSSEC) {
  1530. addTTLModifiedRecords(ne.authoritySOA.signatures, sttl, ret);
  1531. addTTLModifiedRecords(ne.DNSSECRecords.records, sttl, ret);
  1532. addTTLModifiedRecords(ne.DNSSECRecords.signatures, sttl, ret);
  1533. }
  1534. LOG(prefix<<qname<<": updating validation state with negative cache content for "<<qname<<" to "<<state<<endl);
  1535. return true;
  1536. }
  1537. vector<DNSRecord> cset;
  1538. bool found=false, expired=false;
  1539. vector<std::shared_ptr<RRSIGRecordContent>> signatures;
  1540. vector<std::shared_ptr<DNSRecord>> authorityRecs;
  1541. uint32_t ttl=0;
  1542. uint32_t capTTL = std::numeric_limits<uint32_t>::max();
  1543. bool wasCachedAuth;
  1544. if(s_RC->get(d_now.tv_sec, sqname, sqt, !wasForwardRecurse && d_requireAuthData, &cset, d_cacheRemote, d_routingTag, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &cachedState, &wasCachedAuth) > 0) {
  1545. LOG(prefix<<sqname<<": Found cache hit for "<<sqt.getName()<<": ");
  1546. if (!wasAuthZone && shouldValidate() && (wasCachedAuth || wasForwardRecurse) && cachedState == vState::Indeterminate && d_requireAuthData) {
  1547. /* This means we couldn't figure out the state when this entry was cached,
  1548. most likely because we hadn't computed the zone cuts yet. */
  1549. /* make sure they are computed before validating */
  1550. DNSName subdomain(sqname);
  1551. /* if we are retrieving a DS, we only care about the state of the parent zone */
  1552. if(qtype == QType::DS)
  1553. subdomain.chopOff();
  1554. computeZoneCuts(subdomain, g_rootdnsname, depth);
  1555. vState recordState = getValidationStatus(qname, false);
  1556. if (recordState == vState::Secure) {
  1557. LOG(prefix<<sqname<<": got vState::Indeterminate state from the cache, validating.."<<endl);
  1558. if (sqt == QType::DNSKEY) {
  1559. cachedState = validateDNSKeys(sqname, cset, signatures, depth);
  1560. }
  1561. else {
  1562. if (sqt == QType::ANY) {
  1563. std::map<uint16_t, CacheEntry> types;
  1564. reapRecordsForValidation(types, cset);
  1565. reapSignaturesForValidation(types, signatures);
  1566. for (const auto& type : types) {
  1567. vState cachedRecordState;
  1568. if (type.first == QType::DNSKEY) {
  1569. cachedRecordState = validateDNSKeys(sqname, type.second.records, type.second.signatures, depth);
  1570. }
  1571. else {
  1572. cachedRecordState = SyncRes::validateRecordsWithSigs(depth, qname, qtype, sqname, QType(type.first), type.second.records, type.second.signatures);
  1573. }
  1574. updateDNSSECValidationState(cachedState, cachedRecordState);
  1575. }
  1576. }
  1577. else {
  1578. cachedState = SyncRes::validateRecordsWithSigs(depth, qname, qtype, sqname, sqt, cset, signatures);
  1579. }
  1580. }
  1581. }
  1582. else {
  1583. cachedState = recordState;
  1584. }
  1585. if (cachedState != vState::Indeterminate) {
  1586. LOG(prefix<<qname<<": got vState::Indeterminate state from the cache, validation result is "<<cachedState<<endl);
  1587. if (vStateIsBogus(cachedState)) {
  1588. capTTL = s_maxbogusttl;
  1589. }
  1590. if (sqt != QType::ANY && sqt != QType::ADDR) {
  1591. updateValidationStatusInCache(sqname, sqt, wasCachedAuth, cachedState);
  1592. }
  1593. }
  1594. }
  1595. for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) {
  1596. LOG(j->d_content->getZoneRepresentation());
  1597. if (j->d_class != QClass::IN) {
  1598. continue;
  1599. }
  1600. if(j->d_ttl>(unsigned int) d_now.tv_sec) {
  1601. DNSRecord dr=*j;
  1602. dr.d_ttl -= d_now.tv_sec;
  1603. dr.d_ttl = std::min(dr.d_ttl, capTTL);
  1604. ttl = dr.d_ttl;
  1605. ret.push_back(dr);
  1606. LOG("[ttl="<<dr.d_ttl<<"] ");
  1607. found=true;
  1608. }
  1609. else {
  1610. LOG("[expired] ");
  1611. expired=true;
  1612. }
  1613. }
  1614. ret.reserve(ret.size() + signatures.size() + authorityRecs.size());
  1615. for(const auto& signature : signatures) {
  1616. DNSRecord dr;
  1617. dr.d_type=QType::RRSIG;
  1618. dr.d_name=sqname;
  1619. dr.d_ttl=ttl;
  1620. dr.d_content=signature;
  1621. dr.d_place = DNSResourceRecord::ANSWER;
  1622. dr.d_class=QClass::IN;
  1623. ret.push_back(dr);
  1624. }
  1625. for(const auto& rec : authorityRecs) {
  1626. DNSRecord dr(*rec);
  1627. dr.d_ttl=ttl;
  1628. ret.push_back(dr);
  1629. }
  1630. LOG(endl);
  1631. if(found && !expired) {
  1632. if (!giveNegative)
  1633. res=0;
  1634. LOG(prefix<<qname<<": updating validation state with cache content for "<<qname<<" to "<<cachedState<<endl);
  1635. state = cachedState;
  1636. return true;
  1637. }
  1638. else
  1639. LOG(prefix<<qname<<": cache had only stale entries"<<endl);
  1640. }
  1641. return false;
  1642. }
  1643. bool SyncRes::moreSpecificThan(const DNSName& a, const DNSName &b) const
  1644. {
  1645. return (a.isPartOf(b) && a.countLabels() > b.countLabels());
  1646. }
  1647. struct speedOrder
  1648. {
  1649. bool operator()(const std::pair<DNSName, float> &a, const std::pair<DNSName, float> &b) const
  1650. {
  1651. return a.second < b.second;
  1652. }
  1653. };
  1654. inline std::vector<std::pair<DNSName, float>> SyncRes::shuffleInSpeedOrder(NsSet &tnameservers, const string &prefix)
  1655. {
  1656. std::vector<std::pair<DNSName, float>> rnameservers;
  1657. rnameservers.reserve(tnameservers.size());
  1658. for(const auto& tns: tnameservers) {
  1659. float speed = t_sstorage.nsSpeeds[tns.first].get(d_now);
  1660. rnameservers.push_back({tns.first, speed});
  1661. if(tns.first.empty()) // this was an authoritative OOB zone, don't pollute the nsSpeeds with that
  1662. return rnameservers;
  1663. }
  1664. shuffle(rnameservers.begin(),rnameservers.end(), pdns::dns_random_engine());
  1665. speedOrder so;
  1666. stable_sort(rnameservers.begin(),rnameservers.end(), so);
  1667. if(doLog()) {
  1668. LOG(prefix<<"Nameservers: ");
  1669. for(auto i=rnameservers.begin();i!=rnameservers.end();++i) {
  1670. if(i!=rnameservers.begin()) {
  1671. LOG(", ");
  1672. if(!((i-rnameservers.begin())%3)) {
  1673. LOG(endl<<prefix<<" ");
  1674. }
  1675. }
  1676. LOG(i->first.toLogString()<<"(" << (boost::format("%0.2f") % (i->second/1000.0)).str() <<"ms)");
  1677. }
  1678. LOG(endl);
  1679. }
  1680. return rnameservers;
  1681. }
  1682. inline vector<ComboAddress> SyncRes::shuffleForwardSpeed(const vector<ComboAddress> &rnameservers, const string &prefix, const bool wasRd)
  1683. {
  1684. vector<ComboAddress> nameservers = rnameservers;
  1685. map<ComboAddress, float> speeds;
  1686. for(const auto& val: nameservers) {
  1687. float speed;
  1688. DNSName nsName = DNSName(val.toStringWithPort());
  1689. speed=t_sstorage.nsSpeeds[nsName].get(d_now);
  1690. speeds[val]=speed;
  1691. }
  1692. shuffle(nameservers.begin(),nameservers.end(), pdns::dns_random_engine());
  1693. speedOrderCA so(speeds);
  1694. stable_sort(nameservers.begin(),nameservers.end(), so);
  1695. if(doLog()) {
  1696. LOG(prefix<<"Nameservers: ");
  1697. for(vector<ComboAddress>::const_iterator i=nameservers.cbegin();i!=nameservers.cend();++i) {
  1698. if(i!=nameservers.cbegin()) {
  1699. LOG(", ");
  1700. if(!((i-nameservers.cbegin())%3)) {
  1701. LOG(endl<<prefix<<" ");
  1702. }
  1703. }
  1704. LOG((wasRd ? string("+") : string("-")) << i->toStringWithPort() <<"(" << (boost::format("%0.2f") % (speeds[*i]/1000.0)).str() <<"ms)");
  1705. }
  1706. LOG(endl);
  1707. }
  1708. return nameservers;
  1709. }
  1710. static uint32_t getRRSIGTTL(const time_t now, const std::shared_ptr<RRSIGRecordContent>& rrsig)
  1711. {
  1712. uint32_t res = 0;
  1713. if (now < rrsig->d_sigexpire) {
  1714. res = static_cast<uint32_t>(rrsig->d_sigexpire) - now;
  1715. }
  1716. return res;
  1717. }
  1718. static const set<uint16_t> nsecTypes = {QType::NSEC, QType::NSEC3};
  1719. /* Fills the authoritySOA and DNSSECRecords fields from ne with those found in the records
  1720. *
  1721. * \param records The records to parse for the authority SOA and NSEC(3) records
  1722. * \param ne The NegCacheEntry to be filled out (will not be cleared, only appended to
  1723. */
  1724. static void harvestNXRecords(const vector<DNSRecord>& records, NegCache::NegCacheEntry& ne, const time_t now, uint32_t* lowestTTL) {
  1725. for(const auto& rec : records) {
  1726. if(rec.d_place != DNSResourceRecord::AUTHORITY)
  1727. // RFC 4035 section 3.1.3. indicates that NSEC records MUST be placed in
  1728. // the AUTHORITY section. Section 3.1.1 indicates that that RRSIGs for
  1729. // records MUST be in the same section as the records they cover.
  1730. // Hence, we ignore all records outside of the AUTHORITY section.
  1731. continue;
  1732. if(rec.d_type == QType::RRSIG) {
  1733. auto rrsig = getRR<RRSIGRecordContent>(rec);
  1734. if(rrsig) {
  1735. if(rrsig->d_type == QType::SOA) {
  1736. ne.authoritySOA.signatures.push_back(rec);
  1737. if (lowestTTL && isRRSIGNotExpired(now, rrsig)) {
  1738. *lowestTTL = min(*lowestTTL, rec.d_ttl);
  1739. *lowestTTL = min(*lowestTTL, getRRSIGTTL(now, rrsig));
  1740. }
  1741. }
  1742. if(nsecTypes.count(rrsig->d_type)) {
  1743. ne.DNSSECRecords.signatures.push_back(rec);
  1744. if (lowestTTL && isRRSIGNotExpired(now, rrsig)) {
  1745. *lowestTTL = min(*lowestTTL, rec.d_ttl);
  1746. *lowestTTL = min(*lowestTTL, getRRSIGTTL(now, rrsig));
  1747. }
  1748. }
  1749. }
  1750. continue;
  1751. }
  1752. if(rec.d_type == QType::SOA) {
  1753. ne.authoritySOA.records.push_back(rec);
  1754. if (lowestTTL) {
  1755. *lowestTTL = min(*lowestTTL, rec.d_ttl);
  1756. }
  1757. continue;
  1758. }
  1759. if(nsecTypes.count(rec.d_type)) {
  1760. ne.DNSSECRecords.records.push_back(rec);
  1761. if (lowestTTL) {
  1762. *lowestTTL = min(*lowestTTL, rec.d_ttl);
  1763. }
  1764. continue;
  1765. }
  1766. }
  1767. }
  1768. static cspmap_t harvestCSPFromNE(const NegCache::NegCacheEntry& ne)
  1769. {
  1770. cspmap_t cspmap;
  1771. for(const auto& rec : ne.DNSSECRecords.signatures) {
  1772. if(rec.d_type == QType::RRSIG) {
  1773. auto rrc = getRR<RRSIGRecordContent>(rec);
  1774. if (rrc) {
  1775. cspmap[{rec.d_name,rrc->d_type}].signatures.push_back(rrc);
  1776. }
  1777. }
  1778. }
  1779. for(const auto& rec : ne.DNSSECRecords.records) {
  1780. cspmap[{rec.d_name, rec.d_type}].records.insert(rec.d_content);
  1781. }
  1782. return cspmap;
  1783. }
  1784. // TODO remove after processRecords is fixed!
  1785. // Adds the RRSIG for the SOA and the NSEC(3) + RRSIGs to ret
  1786. static void addNXNSECS(vector<DNSRecord>&ret, const vector<DNSRecord>& records)
  1787. {
  1788. NegCache::NegCacheEntry ne;
  1789. harvestNXRecords(records, ne, 0, nullptr);
  1790. ret.insert(ret.end(), ne.authoritySOA.signatures.begin(), ne.authoritySOA.signatures.end());
  1791. ret.insert(ret.end(), ne.DNSSECRecords.records.begin(), ne.DNSSECRecords.records.end());
  1792. ret.insert(ret.end(), ne.DNSSECRecords.signatures.begin(), ne.DNSSECRecords.signatures.end());
  1793. }
  1794. static bool rpzHitShouldReplaceContent(const DNSName& qname, const QType& qtype, const std::vector<DNSRecord>& records)
  1795. {
  1796. if (qtype == QType::CNAME) {
  1797. return true;
  1798. }
  1799. for (const auto& record : records) {
  1800. if (record.d_type == QType::CNAME) {
  1801. if (auto content = getRR<CNAMERecordContent>(record)) {
  1802. if (qname == content->getTarget()) {
  1803. /* we have a CNAME whose target matches the entry we are about to
  1804. generate, so it will complete the current records, not replace
  1805. them
  1806. */
  1807. return false;
  1808. }
  1809. }
  1810. }
  1811. }
  1812. return true;
  1813. }
  1814. static void removeConflictingRecord(std::vector<DNSRecord>& records, const DNSName& name, uint16_t dtype)
  1815. {
  1816. for (auto it = records.begin(); it != records.end(); ) {
  1817. bool remove = false;
  1818. if (it->d_class == QClass::IN &&
  1819. (it->d_type == QType::CNAME || dtype == QType::CNAME || it->d_type == dtype) &&
  1820. it->d_name == name) {
  1821. remove = true;
  1822. }
  1823. else if (it->d_class == QClass::IN &&
  1824. it->d_type == QType::RRSIG &&
  1825. it->d_name == name) {
  1826. if (auto rrc = getRR<RRSIGRecordContent>(*it)) {
  1827. if (rrc->d_type == QType::CNAME || rrc->d_type == dtype) {
  1828. /* also remove any RRSIG that could conflict */
  1829. remove = true;
  1830. }
  1831. }
  1832. }
  1833. if (remove) {
  1834. it = records.erase(it);
  1835. }
  1836. else {
  1837. ++it;
  1838. }
  1839. }
  1840. }
  1841. void SyncRes::handlePolicyHit(const std::string& prefix, const DNSName& qname, const QType& qtype, std::vector<DNSRecord>& ret, bool& done, int& rcode, unsigned int depth)
  1842. {
  1843. if (d_pdl && d_pdl->policyHitEventFilter(d_requestor, qname, qtype, d_queryReceivedOverTCP, d_appliedPolicy, d_policyTags, d_discardedPolicies)) {
  1844. /* reset to no match */
  1845. d_appliedPolicy = DNSFilterEngine::Policy();
  1846. return;
  1847. }
  1848. /* don't account truncate actions for TCP queries, since they are not applied */
  1849. if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::Truncate || !d_queryReceivedOverTCP) {
  1850. ++g_stats.policyResults[d_appliedPolicy.d_kind];
  1851. }
  1852. if (d_appliedPolicy.d_type != DNSFilterEngine::PolicyType::None) {
  1853. LOG(prefix << qname << "|" << qtype.getName() << d_appliedPolicy.getLogString() << endl);
  1854. }
  1855. switch (d_appliedPolicy.d_kind) {
  1856. case DNSFilterEngine::PolicyKind::NoAction:
  1857. return;
  1858. case DNSFilterEngine::PolicyKind::Drop:
  1859. ++g_stats.policyDrops;
  1860. throw ImmediateQueryDropException();
  1861. case DNSFilterEngine::PolicyKind::NXDOMAIN:
  1862. ret.clear();
  1863. rcode = RCode::NXDomain;
  1864. done = true;
  1865. return;
  1866. case DNSFilterEngine::PolicyKind::NODATA:
  1867. ret.clear();
  1868. rcode = RCode::NoError;
  1869. done = true;
  1870. return;
  1871. case DNSFilterEngine::PolicyKind::Truncate:
  1872. if (!d_queryReceivedOverTCP) {
  1873. ret.clear();
  1874. rcode = RCode::NoError;
  1875. throw SendTruncatedAnswerException();
  1876. }
  1877. return;
  1878. case DNSFilterEngine::PolicyKind::Custom:
  1879. {
  1880. if (rpzHitShouldReplaceContent(qname, qtype, ret)) {
  1881. ret.clear();
  1882. }
  1883. rcode = RCode::NoError;
  1884. done = true;
  1885. auto spoofed = d_appliedPolicy.getCustomRecords(qname, qtype.getCode());
  1886. for (auto& dr : spoofed) {
  1887. removeConflictingRecord(ret, dr.d_name, dr.d_type);
  1888. }
  1889. for (auto& dr : spoofed) {
  1890. ret.push_back(dr);
  1891. if (dr.d_name == qname && dr.d_type == QType::CNAME && qtype != QType::CNAME) {
  1892. if (auto content = getRR<CNAMERecordContent>(dr)) {
  1893. vState newTargetState = vState::Indeterminate;
  1894. handleNewTarget(prefix, qname, content->getTarget(), qtype.getCode(), ret, rcode, depth, {}, newTargetState);
  1895. }
  1896. }
  1897. }
  1898. }
  1899. }
  1900. }
  1901. bool SyncRes::nameserversBlockedByRPZ(const DNSFilterEngine& dfe, const NsSet& nameservers)
  1902. {
  1903. /* we skip RPZ processing if:
  1904. - it was disabled (d_wantsRPZ is false) ;
  1905. - we already got a RPZ hit (d_appliedPolicy.d_type != DNSFilterEngine::PolicyType::None) since
  1906. the only way we can get back here is that it was a 'pass-thru' (NoAction) meaning that we should not
  1907. process any further RPZ rules. Except that we need to process rules of higher priority..
  1908. */
  1909. if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
  1910. for (auto const &ns : nameservers) {
  1911. bool match = dfe.getProcessingPolicy(ns.first, d_discardedPolicies, d_appliedPolicy);
  1912. if (match) {
  1913. mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
  1914. if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response
  1915. LOG(", however nameserver "<<ns.first<<" was blocked by RPZ policy '"<<d_appliedPolicy.getName()<<"'"<<endl);
  1916. return true;
  1917. }
  1918. }
  1919. // Traverse all IP addresses for this NS to see if they have an RPN NSIP policy
  1920. for (auto const &address : ns.second.first) {
  1921. match = dfe.getProcessingPolicy(address, d_discardedPolicies, d_appliedPolicy);
  1922. if (match) {
  1923. mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
  1924. if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response
  1925. LOG(", however nameserver "<<ns.first<<" IP address "<<address.toString()<<" was blocked by RPZ policy '"<<d_appliedPolicy.getName()<<"'"<<endl);
  1926. return true;
  1927. }
  1928. }
  1929. }
  1930. }
  1931. }
  1932. return false;
  1933. }
  1934. bool SyncRes::nameserverIPBlockedByRPZ(const DNSFilterEngine& dfe, const ComboAddress& remoteIP)
  1935. {
  1936. /* we skip RPZ processing if:
  1937. - it was disabled (d_wantsRPZ is false) ;
  1938. - we already got a RPZ hit (d_appliedPolicy.d_type != DNSFilterEngine::PolicyType::None) since
  1939. the only way we can get back here is that it was a 'pass-thru' (NoAction) meaning that we should not
  1940. process any further RPZ rules. Except that we need to process rules of higher priority..
  1941. */
  1942. if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
  1943. bool match = dfe.getProcessingPolicy(remoteIP, d_discardedPolicies, d_appliedPolicy);
  1944. if (match) {
  1945. mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
  1946. if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) {
  1947. LOG(" (blocked by RPZ policy '" + d_appliedPolicy.getName() + "')");
  1948. return true;
  1949. }
  1950. }
  1951. }
  1952. return false;
  1953. }
  1954. vector<ComboAddress> SyncRes::retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, std::vector<std::pair<DNSName, float>>::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<std::pair<DNSName, float>>& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly, unsigned int &retrieveAddressesForNS)
  1955. {
  1956. vector<ComboAddress> result;
  1957. if(!tns->first.empty()) {
  1958. LOG(prefix<<qname<<": Trying to resolve NS '"<<tns->first<< "' ("<<1+tns-rnameservers.begin()<<"/"<<(unsigned int)rnameservers.size()<<")"<<endl);
  1959. result = getAddrs(tns->first, depth, beenthere, cacheOnly, retrieveAddressesForNS);
  1960. pierceDontQuery=false;
  1961. }
  1962. else {
  1963. LOG(prefix<<qname<<": Domain has hardcoded nameserver");
  1964. if(nameservers[tns->first].first.size() > 1) {
  1965. LOG("s");
  1966. }
  1967. LOG(endl);
  1968. sendRDQuery = nameservers[tns->first].second;
  1969. result = shuffleForwardSpeed(nameservers[tns->first].first, doLog() ? (prefix+qname.toString()+": ") : string(), sendRDQuery);
  1970. pierceDontQuery=true;
  1971. }
  1972. return result;
  1973. }
  1974. bool SyncRes::throttledOrBlocked(const std::string& prefix, const ComboAddress& remoteIP, const DNSName& qname, const QType& qtype, bool pierceDontQuery)
  1975. {
  1976. if(t_sstorage.throttle.shouldThrottle(d_now.tv_sec, boost::make_tuple(remoteIP, "", 0))) {
  1977. LOG(prefix<<qname<<": server throttled "<<endl);
  1978. s_throttledqueries++; d_throttledqueries++;
  1979. return true;
  1980. }
  1981. else if(t_sstorage.throttle.shouldThrottle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()))) {
  1982. LOG(prefix<<qname<<": query throttled "<<remoteIP.toString()<<", "<<qname<<"; "<<qtype.getName()<<endl);
  1983. s_throttledqueries++; d_throttledqueries++;
  1984. return true;
  1985. }
  1986. else if(!pierceDontQuery && s_dontQuery && s_dontQuery->match(&remoteIP)) {
  1987. LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ", blocked by 'dont-query' setting" << endl);
  1988. s_dontqueries++;
  1989. return true;
  1990. }
  1991. return false;
  1992. }
  1993. bool SyncRes::validationEnabled() const
  1994. {
  1995. return g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate;
  1996. }
  1997. uint32_t SyncRes::computeLowestTTD(const std::vector<DNSRecord>& records, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures, uint32_t signaturesTTL) const
  1998. {
  1999. uint32_t lowestTTD = std::numeric_limits<uint32_t>::max();
  2000. for(const auto& record : records)
  2001. lowestTTD = min(lowestTTD, record.d_ttl);
  2002. /* even if it was not requested for that request (Process, and neither AD nor DO set),
  2003. it might be requested at a later time so we need to be careful with the TTL. */
  2004. if (validationEnabled() && !signatures.empty()) {
  2005. /* if we are validating, we don't want to cache records after their signatures expire. */
  2006. /* records TTL are now TTD, let's add 'now' to the signatures lowest TTL */
  2007. lowestTTD = min(lowestTTD, static_cast<uint32_t>(signaturesTTL + d_now.tv_sec));
  2008. for(const auto& sig : signatures) {
  2009. if (isRRSIGNotExpired(d_now.tv_sec, sig)) {
  2010. // we don't decerement d_sigexpire by 'now' because we actually want a TTD, not a TTL */
  2011. lowestTTD = min(lowestTTD, static_cast<uint32_t>(sig->d_sigexpire));
  2012. }
  2013. }
  2014. }
  2015. return lowestTTD;
  2016. }
  2017. void SyncRes::updateValidationState(vState& state, const vState stateUpdate)
  2018. {
  2019. LOG(d_prefix<<"validation state was "<<state<<", state update is "<<stateUpdate);
  2020. updateDNSSECValidationState(state, stateUpdate);
  2021. LOG(", validation state is now "<<state<<endl);
  2022. }
  2023. vState SyncRes::getTA(const DNSName& zone, dsmap_t& ds)
  2024. {
  2025. auto luaLocal = g_luaconfs.getLocal();
  2026. if (luaLocal->dsAnchors.empty()) {
  2027. LOG(d_prefix<<": No trust anchors configured, everything is Insecure"<<endl);
  2028. /* We have no TA, everything is insecure */
  2029. return vState::Insecure;
  2030. }
  2031. std::string reason;
  2032. if (haveNegativeTrustAnchor(luaLocal->negAnchors, zone, reason)) {
  2033. LOG(d_prefix<<": got NTA for '"<<zone<<"'"<<endl);
  2034. return vState::NTA;
  2035. }
  2036. if (getTrustAnchor(luaLocal->dsAnchors, zone, ds)) {
  2037. LOG(d_prefix<<": got TA for '"<<zone<<"'"<<endl);
  2038. return vState::TA;
  2039. }
  2040. else {
  2041. LOG(d_prefix<<": no TA found for '"<<zone<<"' among "<< luaLocal->dsAnchors.size()<<endl);
  2042. }
  2043. if (zone.isRoot()) {
  2044. /* No TA for the root */
  2045. return vState::Insecure;
  2046. }
  2047. return vState::Indeterminate;
  2048. }
  2049. static size_t countSupportedDS(const dsmap_t& dsmap)
  2050. {
  2051. size_t count = 0;
  2052. for (const auto& ds : dsmap) {
  2053. if (isSupportedDS(ds)) {
  2054. count++;
  2055. }
  2056. }
  2057. return count;
  2058. }
  2059. vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsigned int depth, bool bogusOnNXD, bool* foundCut)
  2060. {
  2061. vState result = getTA(zone, ds);
  2062. if (result != vState::Indeterminate || taOnly) {
  2063. if (foundCut) {
  2064. *foundCut = (result != vState::Indeterminate);
  2065. }
  2066. if (result == vState::TA) {
  2067. if (countSupportedDS(ds) == 0) {
  2068. ds.clear();
  2069. result = vState::Insecure;
  2070. }
  2071. else {
  2072. result = vState::Secure;
  2073. }
  2074. }
  2075. else if (result == vState::NTA) {
  2076. result = vState::Insecure;
  2077. }
  2078. return result;
  2079. }
  2080. std::set<GetBestNSAnswer> beenthere;
  2081. std::vector<DNSRecord> dsrecords;
  2082. vState state = vState::Indeterminate;
  2083. const bool oldCacheOnly = setCacheOnly(false);
  2084. int rcode = doResolve(zone, QType(QType::DS), dsrecords, depth + 1, beenthere, state);
  2085. setCacheOnly(oldCacheOnly);
  2086. if (rcode == RCode::ServFail) {
  2087. throw ImmediateServFailException("Server Failure while retrieving DS records for " + zone.toLogString());
  2088. }
  2089. if (rcode == RCode::NoError || (rcode == RCode::NXDomain && !bogusOnNXD)) {
  2090. uint8_t bestDigestType = 0;
  2091. bool gotCNAME = false;
  2092. for (const auto& record : dsrecords) {
  2093. if (record.d_type == QType::DS) {
  2094. const auto dscontent = getRR<DSRecordContent>(record);
  2095. if (dscontent && isSupportedDS(*dscontent)) {
  2096. // Make GOST a lower prio than SHA256
  2097. if (dscontent->d_digesttype == DNSSECKeeper::DIGEST_GOST && bestDigestType == DNSSECKeeper::DIGEST_SHA256) {
  2098. continue;
  2099. }
  2100. if (dscontent->d_digesttype > bestDigestType || (bestDigestType == DNSSECKeeper::DIGEST_GOST && dscontent->d_digesttype == DNSSECKeeper::DIGEST_SHA256)) {
  2101. bestDigestType = dscontent->d_digesttype;
  2102. }
  2103. ds.insert(*dscontent);
  2104. }
  2105. }
  2106. else if (record.d_type == QType::CNAME && record.d_name == zone) {
  2107. gotCNAME = true;
  2108. }
  2109. }
  2110. /* RFC 4509 section 3: "Validator implementations SHOULD ignore DS RRs containing SHA-1
  2111. * digests if DS RRs with SHA-256 digests are present in the DS RRset."
  2112. * As SHA348 is specified as well, the spirit of the this line is "use the best algorithm".
  2113. */
  2114. for (auto dsrec = ds.begin(); dsrec != ds.end(); ) {
  2115. if (dsrec->d_digesttype != bestDigestType) {
  2116. dsrec = ds.erase(dsrec);
  2117. }
  2118. else {
  2119. ++dsrec;
  2120. }
  2121. }
  2122. if (rcode == RCode::NoError) {
  2123. if (ds.empty()) {
  2124. /* we have no DS, it's either:
  2125. - a delegation to a non-DNSSEC signed zone
  2126. - no delegation, we stay in the same zone
  2127. */
  2128. if (gotCNAME || denialProvesNoDelegation(zone, dsrecords)) {
  2129. /* we are still inside the same zone */
  2130. if (foundCut) {
  2131. *foundCut = false;
  2132. }
  2133. return state;
  2134. }
  2135. /* delegation with no DS, might be Secure -> Insecure */
  2136. if (foundCut) {
  2137. *foundCut = true;
  2138. }
  2139. /* a delegation with no DS is either:
  2140. - a signed zone (Secure) to an unsigned one (Insecure)
  2141. - an unsigned zone to another unsigned one (Insecure stays Insecure, Bogus stays Bogus)
  2142. */
  2143. return state == vState::Secure ? vState::Insecure : state;
  2144. } else {
  2145. /* we have a DS */
  2146. if (foundCut) {
  2147. *foundCut = true;
  2148. }
  2149. }
  2150. }
  2151. return state;
  2152. }
  2153. LOG(d_prefix<<": returning Bogus state from "<<__func__<<"("<<zone<<")"<<endl);
  2154. return vState::BogusUnableToGetDSs;
  2155. }
  2156. bool SyncRes::haveExactValidationStatus(const DNSName& domain)
  2157. {
  2158. if (!shouldValidate()) {
  2159. return false;
  2160. }
  2161. const auto& it = d_cutStates.find(domain);
  2162. if (it != d_cutStates.cend()) {
  2163. return true;
  2164. }
  2165. return false;
  2166. }
  2167. vState SyncRes::getValidationStatus(const DNSName& subdomain, bool allowIndeterminate)
  2168. {
  2169. vState result = vState::Indeterminate;
  2170. if (!shouldValidate()) {
  2171. return result;
  2172. }
  2173. DNSName name(subdomain);
  2174. do {
  2175. const auto& it = d_cutStates.find(name);
  2176. if (it != d_cutStates.cend()) {
  2177. if (allowIndeterminate || it->second != vState::Indeterminate) {
  2178. LOG(d_prefix<<": got status "<<it->second<<" for name "<<subdomain<<" (from "<<name<<")"<<endl);
  2179. return it->second;
  2180. }
  2181. }
  2182. }
  2183. while (name.chopOff());
  2184. return result;
  2185. }
  2186. bool SyncRes::lookForCut(const DNSName& qname, unsigned int depth, const vState existingState, vState& newState)
  2187. {
  2188. bool foundCut = false;
  2189. dsmap_t ds;
  2190. vState dsState = getDSRecords(qname, ds, vStateIsBogus(newState) || existingState == vState::Insecure || vStateIsBogus(existingState), depth, false, &foundCut);
  2191. if (dsState != vState::Indeterminate) {
  2192. newState = dsState;
  2193. }
  2194. return foundCut;
  2195. }
  2196. void SyncRes::computeZoneCuts(const DNSName& begin, const DNSName& end, unsigned int depth)
  2197. {
  2198. if(!begin.isPartOf(end)) {
  2199. LOG(d_prefix<<" "<<begin.toLogString()<<" is not part of "<<end.toLogString()<<endl);
  2200. throw PDNSException(begin.toLogString() + " is not part of " + end.toLogString());
  2201. }
  2202. if (d_cutStates.count(begin) != 0) {
  2203. return;
  2204. }
  2205. const bool oldCacheOnly = setCacheOnly(false);
  2206. const bool oldWantsRPZ = d_wantsRPZ;
  2207. d_wantsRPZ = false;
  2208. dsmap_t ds;
  2209. vState cutState = getDSRecords(end, ds, false, depth);
  2210. LOG(d_prefix<<": setting cut state for "<<end<<" to "<<cutState<<endl);
  2211. d_cutStates[end] = cutState;
  2212. if (!shouldValidate()) {
  2213. setCacheOnly(oldCacheOnly);
  2214. d_wantsRPZ = oldWantsRPZ;
  2215. return;
  2216. }
  2217. DNSName qname(end);
  2218. std::vector<string> labelsToAdd = begin.makeRelative(end).getRawLabels();
  2219. while(qname != begin) {
  2220. if (labelsToAdd.empty())
  2221. break;
  2222. qname.prependRawLabel(labelsToAdd.back());
  2223. labelsToAdd.pop_back();
  2224. LOG(d_prefix<<": - Looking for a cut at "<<qname<<endl);
  2225. const auto cutIt = d_cutStates.find(qname);
  2226. if (cutIt != d_cutStates.cend()) {
  2227. if (cutIt->second != vState::Indeterminate) {
  2228. LOG(d_prefix<<": - Cut already known at "<<qname<<endl);
  2229. cutState = cutIt->second;
  2230. continue;
  2231. }
  2232. }
  2233. /* no need to look for NS and DS if we are already insecure or bogus,
  2234. just look for (N)TA
  2235. */
  2236. if (cutState == vState::Insecure || vStateIsBogus(cutState)) {
  2237. dsmap_t cutDS;
  2238. vState newState = getDSRecords(qname, cutDS, true, depth);
  2239. if (newState == vState::Indeterminate) {
  2240. continue;
  2241. }
  2242. LOG(d_prefix<<": New state for "<<qname<<" is "<<newState<<endl);
  2243. cutState = newState;
  2244. d_cutStates[qname] = cutState;
  2245. continue;
  2246. }
  2247. vState newState = vState::Indeterminate;
  2248. /* temporarily mark as vState::Indeterminate, so that we won't enter an endless loop
  2249. trying to determine that zone cut again. */
  2250. d_cutStates[qname] = newState;
  2251. bool foundCut = lookForCut(qname, depth, cutState, newState);
  2252. if (foundCut) {
  2253. LOG(d_prefix<<": - Found cut at "<<qname<<endl);
  2254. if (newState != vState::Indeterminate) {
  2255. cutState = newState;
  2256. }
  2257. LOG(d_prefix<<": New state for "<<qname<<" is "<<cutState<<endl);
  2258. d_cutStates[qname] = cutState;
  2259. }
  2260. else {
  2261. /* remove the temporary cut */
  2262. LOG(d_prefix<<qname<<": removing cut state for "<<qname<<endl);
  2263. d_cutStates.erase(qname);
  2264. }
  2265. }
  2266. LOG(d_prefix<<": list of cuts from "<<begin<<" to "<<end<<endl);
  2267. for (const auto& cut : d_cutStates) {
  2268. if (cut.first.isRoot() || (begin.isPartOf(cut.first) && cut.first.isPartOf(end))) {
  2269. LOG(" - "<<cut.first<<": "<<cut.second<<endl);
  2270. }
  2271. }
  2272. setCacheOnly(oldCacheOnly);
  2273. d_wantsRPZ = oldWantsRPZ;
  2274. }
  2275. vState SyncRes::validateDNSKeys(const DNSName& zone, const std::vector<DNSRecord>& dnskeys, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures, unsigned int depth)
  2276. {
  2277. dsmap_t ds;
  2278. if (!signatures.empty()) {
  2279. DNSName signer = getSigner(signatures);
  2280. if (!signer.empty() && zone.isPartOf(signer)) {
  2281. vState state = getDSRecords(signer, ds, false, depth);
  2282. if (state != vState::Secure) {
  2283. return state;
  2284. }
  2285. }
  2286. else {
  2287. LOG(d_prefix<<": we have "<<std::to_string(dnskeys.size())<<" DNSKEYs but the zone ("<<zone<<") is not part of the signer ("<<signer<<"), going Bogus!"<<endl);
  2288. return vState::BogusNoValidRRSIG;
  2289. }
  2290. }
  2291. else {
  2292. LOG(d_prefix<<": we have "<<std::to_string(dnskeys.size())<<" DNSKEYs but no signature, going Bogus!"<<endl);
  2293. return vState::BogusNoRRSIG;
  2294. }
  2295. skeyset_t tentativeKeys;
  2296. sortedRecords_t toSign;
  2297. for (const auto& dnskey : dnskeys) {
  2298. if (dnskey.d_type == QType::DNSKEY) {
  2299. auto content = getRR<DNSKEYRecordContent>(dnskey);
  2300. if (content) {
  2301. tentativeKeys.insert(content);
  2302. toSign.insert(content);
  2303. }
  2304. }
  2305. }
  2306. LOG(d_prefix<<": trying to validate "<<std::to_string(tentativeKeys.size())<<" DNSKEYs with "<<std::to_string(ds.size())<<" DS"<<endl);
  2307. skeyset_t validatedKeys;
  2308. auto state = validateDNSKeysAgainstDS(d_now.tv_sec, zone, ds, tentativeKeys, toSign, signatures, validatedKeys);
  2309. LOG(d_prefix<<": we now have "<<std::to_string(validatedKeys.size())<<" DNSKEYs"<<endl);
  2310. /* if we found at least one valid RRSIG covering the set,
  2311. all tentative keys are validated keys. Otherwise it means
  2312. we haven't found at least one DNSKEY and a matching RRSIG
  2313. covering this set, this looks Bogus. */
  2314. if (validatedKeys.size() != tentativeKeys.size()) {
  2315. LOG(d_prefix<<": returning Bogus state from "<<__func__<<"("<<zone<<")"<<endl);
  2316. return state;
  2317. }
  2318. return state;
  2319. }
  2320. vState SyncRes::getDNSKeys(const DNSName& signer, skeyset_t& keys, unsigned int depth)
  2321. {
  2322. std::vector<DNSRecord> records;
  2323. std::set<GetBestNSAnswer> beenthere;
  2324. LOG(d_prefix<<"Retrieving DNSKeys for "<<signer<<endl);
  2325. vState state = vState::Indeterminate;
  2326. const bool oldCacheOnly = setCacheOnly(false);
  2327. int rcode = doResolve(signer, QType(QType::DNSKEY), records, depth + 1, beenthere, state);
  2328. setCacheOnly(oldCacheOnly);
  2329. if (rcode == RCode::ServFail) {
  2330. throw ImmediateServFailException("Server Failure while retrieving DNSKEY records for " + signer.toLogString());
  2331. }
  2332. if (rcode == RCode::NoError) {
  2333. if (state == vState::Secure) {
  2334. for (const auto& key : records) {
  2335. if (key.d_type == QType::DNSKEY) {
  2336. auto content = getRR<DNSKEYRecordContent>(key);
  2337. if (content) {
  2338. keys.insert(content);
  2339. }
  2340. }
  2341. }
  2342. }
  2343. LOG(d_prefix<<"Retrieved "<<keys.size()<<" DNSKeys for "<<signer<<", state is "<<state<<endl);
  2344. return state;
  2345. }
  2346. LOG(d_prefix<<"Returning Bogus state from "<<__func__<<"("<<signer<<")"<<endl);
  2347. return vState::BogusUnableToGetDNSKEYs;
  2348. }
  2349. vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname, const QType& qtype, const DNSName& name, const QType& type, const std::vector<DNSRecord>& records, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures)
  2350. {
  2351. skeyset_t keys;
  2352. if (!signatures.empty()) {
  2353. const DNSName signer = getSigner(signatures);
  2354. if (!signer.empty() && name.isPartOf(signer)) {
  2355. if ((qtype == QType::DNSKEY || qtype == QType::DS) && signer == qname) {
  2356. /* we are already retrieving those keys, sorry */
  2357. if (type == QType::DS && signer == name && !signer.isRoot()) {
  2358. /* Unless we are getting the DS of the root zone, we should never see a
  2359. DS (or a denial of a DS) signed by the DS itself, since we should be
  2360. requesting it from the parent zone. Something is very wrong */
  2361. LOG(d_prefix<<"The DS for "<<qname<<" is signed by itself, going Bogus"<<endl);
  2362. return vState::BogusSelfSignedDS;
  2363. }
  2364. return vState::Indeterminate;
  2365. }
  2366. vState state = getDNSKeys(signer, keys, depth);
  2367. if (state != vState::Secure) {
  2368. return state;
  2369. }
  2370. }
  2371. } else {
  2372. LOG(d_prefix<<"Bogus!"<<endl);
  2373. return vState::BogusNoRRSIG;
  2374. }
  2375. sortedRecords_t recordcontents;
  2376. for (const auto& record : records) {
  2377. recordcontents.insert(record.d_content);
  2378. }
  2379. LOG(d_prefix<<"Going to validate "<<recordcontents.size()<< " record contents with "<<signatures.size()<<" sigs and "<<keys.size()<<" keys for "<<name<<"|"<<type.getName()<<endl);
  2380. vState state = validateWithKeySet(d_now.tv_sec, name, recordcontents, signatures, keys, false);
  2381. if (state == vState::Secure) {
  2382. LOG(d_prefix<<"Secure!"<<endl);
  2383. return vState::Secure;
  2384. }
  2385. LOG(d_prefix<<vStateToString(state)<<"!"<<endl);
  2386. return state;
  2387. }
  2388. static bool allowAdditionalEntry(std::unordered_set<DNSName>& allowedAdditionals, const DNSRecord& rec)
  2389. {
  2390. switch(rec.d_type) {
  2391. case QType::MX:
  2392. {
  2393. if (auto mxContent = getRR<MXRecordContent>(rec)) {
  2394. allowedAdditionals.insert(mxContent->d_mxname);
  2395. }
  2396. return true;
  2397. }
  2398. case QType::NS:
  2399. {
  2400. if (auto nsContent = getRR<NSRecordContent>(rec)) {
  2401. allowedAdditionals.insert(nsContent->getNS());
  2402. }
  2403. return true;
  2404. }
  2405. case QType::SRV:
  2406. {
  2407. if (auto srvContent = getRR<SRVRecordContent>(rec)) {
  2408. allowedAdditionals.insert(srvContent->d_target);
  2409. }
  2410. return true;
  2411. }
  2412. default:
  2413. return false;
  2414. }
  2415. }
  2416. void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, bool rdQuery)
  2417. {
  2418. const bool wasForwardRecurse = wasForwarded && rdQuery;
  2419. /* list of names for which we will allow A and AAAA records in the additional section
  2420. to remain */
  2421. std::unordered_set<DNSName> allowedAdditionals = { qname };
  2422. bool haveAnswers = false;
  2423. bool isNXDomain = false;
  2424. bool isNXQType = false;
  2425. for(auto rec = lwr.d_records.begin(); rec != lwr.d_records.end(); ) {
  2426. if (rec->d_type == QType::OPT) {
  2427. ++rec;
  2428. continue;
  2429. }
  2430. if (rec->d_class != QClass::IN) {
  2431. LOG(prefix<<"Removing non internet-classed data received from "<<auth<<endl);
  2432. rec = lwr.d_records.erase(rec);
  2433. continue;
  2434. }
  2435. if (rec->d_type == QType::ANY) {
  2436. LOG(prefix<<"Removing 'ANY'-typed data received from "<<auth<<endl);
  2437. rec = lwr.d_records.erase(rec);
  2438. continue;
  2439. }
  2440. if (!rec->d_name.isPartOf(auth)) {
  2441. LOG(prefix<<"Removing record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl);
  2442. rec = lwr.d_records.erase(rec);
  2443. continue;
  2444. }
  2445. /* dealing with the records in answer */
  2446. if (!(lwr.d_aabit || wasForwardRecurse) && rec->d_place == DNSResourceRecord::ANSWER) {
  2447. /* for now we allow a CNAME for the exact qname in ANSWER with AA=0, because Amazon DNS servers
  2448. are sending such responses */
  2449. if (!(rec->d_type == QType::CNAME && qname == rec->d_name)) {
  2450. LOG(prefix<<"Removing record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the answer section without the AA bit set received from "<<auth<<endl);
  2451. rec = lwr.d_records.erase(rec);
  2452. continue;
  2453. }
  2454. }
  2455. if (rec->d_type == QType::DNAME && (rec->d_place != DNSResourceRecord::ANSWER || !qname.isPartOf(rec->d_name))) {
  2456. LOG(prefix<<"Removing invalid DNAME record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl);
  2457. rec = lwr.d_records.erase(rec);
  2458. continue;
  2459. }
  2460. if (rec->d_place == DNSResourceRecord::ANSWER && (qtype != QType::ANY && rec->d_type != qtype.getCode() && s_redirectionQTypes.count(rec->d_type) == 0 && rec->d_type != QType::SOA && rec->d_type != QType::RRSIG)) {
  2461. LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl);
  2462. rec = lwr.d_records.erase(rec);
  2463. continue;
  2464. }
  2465. if (rec->d_place == DNSResourceRecord::ANSWER && !haveAnswers) {
  2466. haveAnswers = true;
  2467. }
  2468. if (rec->d_place == DNSResourceRecord::ANSWER) {
  2469. allowAdditionalEntry(allowedAdditionals, *rec);
  2470. }
  2471. /* dealing with the records in authority */
  2472. if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type != QType::NS && rec->d_type != QType::DS && rec->d_type != QType::SOA && rec->d_type != QType::RRSIG && rec->d_type != QType::NSEC && rec->d_type != QType::NSEC3) {
  2473. LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl);
  2474. rec = lwr.d_records.erase(rec);
  2475. continue;
  2476. }
  2477. if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type == QType::SOA) {
  2478. if (!qname.isPartOf(rec->d_name)) {
  2479. LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl);
  2480. rec = lwr.d_records.erase(rec);
  2481. continue;
  2482. }
  2483. if (!(lwr.d_aabit || wasForwardRecurse)) {
  2484. LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl);
  2485. rec = lwr.d_records.erase(rec);
  2486. continue;
  2487. }
  2488. if (!haveAnswers) {
  2489. if (lwr.d_rcode == RCode::NXDomain) {
  2490. isNXDomain = true;
  2491. }
  2492. else if (lwr.d_rcode == RCode::NoError) {
  2493. isNXQType = true;
  2494. }
  2495. }
  2496. }
  2497. if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type == QType::NS && (isNXDomain || isNXQType)) {
  2498. /* we don't want to pick up NS records in AUTHORITY or ADDITIONAL sections of NXDomain answers
  2499. because they are somewhat easy to insert into a large, fragmented UDP response
  2500. for an off-path attacker by injecting spoofed UDP fragments.
  2501. */
  2502. LOG(prefix<<"Removing NS record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section of a "<<(isNXDomain ? "NXD" : "NXQTYPE")<<" response received from "<<auth<<endl);
  2503. rec = lwr.d_records.erase(rec);
  2504. continue;
  2505. }
  2506. if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type == QType::NS) {
  2507. allowAdditionalEntry(allowedAdditionals, *rec);
  2508. }
  2509. /* dealing with the records in additional */
  2510. if (rec->d_place == DNSResourceRecord::ADDITIONAL && rec->d_type != QType::A && rec->d_type != QType::AAAA && rec->d_type != QType::RRSIG) {
  2511. LOG(prefix<<"Removing irrelevant record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl);
  2512. rec = lwr.d_records.erase(rec);
  2513. continue;
  2514. }
  2515. if (rec->d_place == DNSResourceRecord::ADDITIONAL && allowedAdditionals.count(rec->d_name) == 0) {
  2516. LOG(prefix<<"Removing irrelevant additional record '"<<rec->d_name<<"|"<<DNSRecordContent::NumberToType(rec->d_type)<<"|"<<rec->d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section received from "<<auth<<endl);
  2517. rec = lwr.d_records.erase(rec);
  2518. continue;
  2519. }
  2520. ++rec;
  2521. }
  2522. }
  2523. RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, bool& gatherWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery)
  2524. {
  2525. bool wasForwardRecurse = wasForwarded && rdQuery;
  2526. tcache_t tcache;
  2527. string prefix;
  2528. if(doLog()) {
  2529. prefix=d_prefix;
  2530. prefix.append(depth, ' ');
  2531. }
  2532. sanitizeRecords(prefix, lwr, qname, qtype, auth, wasForwarded, rdQuery);
  2533. std::vector<std::shared_ptr<DNSRecord>> authorityRecs;
  2534. const unsigned int labelCount = qname.countLabels();
  2535. bool isCNAMEAnswer = false;
  2536. bool isDNAMEAnswer = false;
  2537. for (auto& rec : lwr.d_records) {
  2538. if (rec.d_type == QType::OPT || rec.d_class != QClass::IN) {
  2539. continue;
  2540. }
  2541. rec.d_ttl = min(s_maxcachettl, rec.d_ttl);
  2542. if(!isCNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname && !isDNAMEAnswer) {
  2543. isCNAMEAnswer = true;
  2544. }
  2545. if(!isDNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::DNAME && qtype != QType(QType::DNAME) && qname.isPartOf(rec.d_name)) {
  2546. isDNAMEAnswer = true;
  2547. isCNAMEAnswer = false;
  2548. }
  2549. /* if we have a positive answer synthesized from a wildcard,
  2550. we need to store the corresponding NSEC/NSEC3 records proving
  2551. that the exact name did not exist in the negative cache */
  2552. if(gatherWildcardProof) {
  2553. if (nsecTypes.count(rec.d_type)) {
  2554. authorityRecs.push_back(std::make_shared<DNSRecord>(rec));
  2555. }
  2556. else if (rec.d_type == QType::RRSIG) {
  2557. auto rrsig = getRR<RRSIGRecordContent>(rec);
  2558. if (rrsig && nsecTypes.count(rrsig->d_type)) {
  2559. authorityRecs.push_back(std::make_shared<DNSRecord>(rec));
  2560. }
  2561. }
  2562. }
  2563. if (rec.d_type == QType::RRSIG) {
  2564. auto rrsig = getRR<RRSIGRecordContent>(rec);
  2565. if (rrsig) {
  2566. /* As illustrated in rfc4035's Appendix B.6, the RRSIG label
  2567. count can be lower than the name's label count if it was
  2568. synthesized from the wildcard. Note that the difference might
  2569. be > 1. */
  2570. if (rec.d_name == qname && isWildcardExpanded(labelCount, rrsig)) {
  2571. gatherWildcardProof = true;
  2572. if (!isWildcardExpandedOntoItself(rec.d_name, labelCount, rrsig)) {
  2573. /* if we have a wildcard expanded onto itself, we don't need to prove
  2574. that the exact name doesn't exist because it actually does.
  2575. We still want to gather the corresponding NSEC/NSEC3 records
  2576. to pass them to our client in case it wants to validate by itself.
  2577. */
  2578. LOG(prefix<<qname<<": RRSIG indicates the name was synthesized from a wildcard, we need a wildcard proof"<<endl);
  2579. needWildcardProof = true;
  2580. }
  2581. else {
  2582. LOG(prefix<<qname<<": RRSIG indicates the name was synthesized from a wildcard expanded onto itself, we need to gather wildcard proof"<<endl);
  2583. }
  2584. wildcardLabelsCount = rrsig->d_labels;
  2585. }
  2586. // cerr<<"Got an RRSIG for "<<DNSRecordContent::NumberToType(rrsig->d_type)<<" with name '"<<rec.d_name<<"'"<<endl;
  2587. tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signatures.push_back(rrsig);
  2588. tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signaturesTTL = std::min(tcache[{rec.d_name, rrsig->d_type, rec.d_place}].signaturesTTL, rec.d_ttl);
  2589. }
  2590. }
  2591. }
  2592. // reap all answers from this packet that are acceptable
  2593. for(auto& rec : lwr.d_records) {
  2594. if(rec.d_type == QType::OPT) {
  2595. LOG(prefix<<qname<<": OPT answer '"<<rec.d_name<<"' from '"<<auth<<"' nameservers" <<endl);
  2596. continue;
  2597. }
  2598. LOG(prefix<<qname<<": accept answer '"<<rec.d_name<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"|"<<rec.d_content->getZoneRepresentation()<<"' from '"<<auth<<"' nameservers? ttl="<<rec.d_ttl<<", place="<<(int)rec.d_place<<" ");
  2599. if(rec.d_type == QType::ANY) {
  2600. LOG("NO! - we don't accept 'ANY'-typed data"<<endl);
  2601. continue;
  2602. }
  2603. if(rec.d_class != QClass::IN) {
  2604. LOG("NO! - we don't accept records for any other class than 'IN'"<<endl);
  2605. continue;
  2606. }
  2607. if (!(lwr.d_aabit || wasForwardRecurse) && rec.d_place == DNSResourceRecord::ANSWER) {
  2608. /* for now we allow a CNAME for the exact qname in ANSWER with AA=0, because Amazon DNS servers
  2609. are sending such responses */
  2610. if (!(rec.d_type == QType::CNAME && rec.d_name == qname)) {
  2611. LOG("NO! - we don't accept records in the answers section without the AA bit set"<<endl);
  2612. continue;
  2613. }
  2614. }
  2615. if(rec.d_name.isPartOf(auth)) {
  2616. if (rec.d_type == QType::RRSIG) {
  2617. LOG("RRSIG - separate"<<endl);
  2618. }
  2619. else if (rec.d_type == QType::DS && rec.d_name == auth) {
  2620. LOG("NO - DS provided by child zone"<<endl);
  2621. }
  2622. else if (lwr.d_aabit && lwr.d_rcode==RCode::NoError && rec.d_place==DNSResourceRecord::ANSWER && ((rec.d_type != QType::DNSKEY && rec.d_type != QType::DS) || rec.d_name != auth) && s_delegationOnly.count(auth)) {
  2623. LOG("NO! Is from delegation-only zone"<<endl);
  2624. s_nodelegated++;
  2625. return RCode::NXDomain;
  2626. }
  2627. else {
  2628. bool haveLogged = false;
  2629. if (isDNAMEAnswer && rec.d_type == QType::CNAME) {
  2630. LOG("NO - we already have a DNAME answer for this domain");
  2631. continue;
  2632. }
  2633. if (!t_sstorage.domainmap->empty()) {
  2634. // Check if we are authoritative for a zone in this answer
  2635. DNSName tmp_qname(rec.d_name);
  2636. // We may be auth for domain example.com, but the DS record needs to come from the parent (.com) nameserver
  2637. if (rec.d_type == QType::DS) {
  2638. tmp_qname.chopOff();
  2639. }
  2640. auto auth_domain_iter=getBestAuthZone(&tmp_qname);
  2641. if(auth_domain_iter!=t_sstorage.domainmap->end() &&
  2642. auth.countLabels() <= auth_domain_iter->first.countLabels()) {
  2643. if (auth_domain_iter->first != auth) {
  2644. LOG("NO! - we are authoritative for the zone "<<auth_domain_iter->first<<endl);
  2645. continue;
  2646. } else {
  2647. LOG("YES! - This answer was ");
  2648. if (!wasForwarded) {
  2649. LOG("retrieved from the local auth store.");
  2650. } else {
  2651. LOG("received from a server we forward to.");
  2652. }
  2653. haveLogged = true;
  2654. LOG(endl);
  2655. }
  2656. }
  2657. }
  2658. if (!haveLogged) {
  2659. LOG("YES!"<<endl);
  2660. }
  2661. rec.d_ttl=min(s_maxcachettl, rec.d_ttl);
  2662. DNSRecord dr(rec);
  2663. dr.d_ttl += d_now.tv_sec;
  2664. dr.d_place=DNSResourceRecord::ANSWER;
  2665. tcache[{rec.d_name,rec.d_type,rec.d_place}].records.push_back(dr);
  2666. }
  2667. }
  2668. else
  2669. LOG("NO!"<<endl);
  2670. }
  2671. // supplant
  2672. for(tcache_t::iterator i = tcache.begin(); i != tcache.end(); ++i) {
  2673. if((i->second.records.size() + i->second.signatures.size()) > 1) { // need to group the ttl to be the minimum of the RRSET (RFC 2181, 5.2)
  2674. uint32_t lowestTTD=computeLowestTTD(i->second.records, i->second.signatures, i->second.signaturesTTL);
  2675. for(auto& record : i->second.records)
  2676. record.d_ttl = lowestTTD; // boom
  2677. }
  2678. // cout<<"Have "<<i->second.records.size()<<" records and "<<i->second.signatures.size()<<" signatures for "<<i->first.name;
  2679. // cout<<'|'<<DNSRecordContent::NumberToType(i->first.type)<<endl;
  2680. }
  2681. for(tcache_t::iterator i = tcache.begin(); i != tcache.end(); ++i) {
  2682. if(i->second.records.empty()) // this happens when we did store signatures, but passed on the records themselves
  2683. continue;
  2684. /* Even if the AA bit is set, additional data cannot be considered
  2685. as authoritative. This is especially important during validation
  2686. because keeping records in the additional section is allowed even
  2687. if the corresponding RRSIGs are not included, without setting the TC
  2688. bit, as stated in rfc4035's section 3.1.1. Including RRSIG RRs in a Response:
  2689. "When placing a signed RRset in the Additional section, the name
  2690. server MUST also place its RRSIG RRs in the Additional section.
  2691. If space does not permit inclusion of both the RRset and its
  2692. associated RRSIG RRs, the name server MAY retain the RRset while
  2693. dropping the RRSIG RRs. If this happens, the name server MUST NOT
  2694. set the TC bit solely because these RRSIG RRs didn't fit."
  2695. */
  2696. bool isAA = lwr.d_aabit && i->first.place != DNSResourceRecord::ADDITIONAL;
  2697. /* if we forwarded the query to a recursor, we can expect the answer to be signed,
  2698. even if the answer is not AA. Of course that's not only true inside a Secure
  2699. zone, but we check that below. */
  2700. bool expectSignature = i->first.place == DNSResourceRecord::ANSWER || ((lwr.d_aabit || wasForwardRecurse) && i->first.place != DNSResourceRecord::ADDITIONAL);
  2701. if (isCNAMEAnswer && (i->first.place != DNSResourceRecord::ANSWER || i->first.type != QType::CNAME || i->first.name != qname)) {
  2702. /*
  2703. rfc2181 states:
  2704. Note that the answer section of an authoritative answer normally
  2705. contains only authoritative data. However when the name sought is an
  2706. alias (see section 10.1.1) only the record describing that alias is
  2707. necessarily authoritative. Clients should assume that other records
  2708. may have come from the server's cache. Where authoritative answers
  2709. are required, the client should query again, using the canonical name
  2710. associated with the alias.
  2711. */
  2712. isAA = false;
  2713. expectSignature = false;
  2714. }
  2715. if (isCNAMEAnswer && i->first.place == DNSResourceRecord::AUTHORITY && i->first.type == QType::NS && auth == i->first.name) {
  2716. /* These NS can't be authoritative since we have a CNAME answer for which (see above) only the
  2717. record describing that alias is necessarily authoritative.
  2718. But if we allow the current auth, which might be serving the child zone, to raise the TTL
  2719. of non-authoritative NS in the cache, they might be able to keep a "ghost" zone alive forever,
  2720. even after the delegation is gone from the parent.
  2721. So let's just do nothing with them, we can fetch them directly if we need them.
  2722. */
  2723. LOG(d_prefix<<": skipping authority NS from '"<<auth<<"' nameservers in CNAME answer "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl);
  2724. continue;
  2725. }
  2726. vState recordState = getValidationStatus(i->first.name, false);
  2727. LOG(d_prefix<<": got initial zone status "<<recordState<<" for record "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl);
  2728. if (shouldValidate() && recordState == vState::Secure) {
  2729. vState initialState = recordState;
  2730. if (expectSignature) {
  2731. if (i->first.place != DNSResourceRecord::ADDITIONAL) {
  2732. /* the additional entries can be insecure,
  2733. like glue:
  2734. "Glue address RRsets associated with delegations MUST NOT be signed"
  2735. */
  2736. if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER) {
  2737. LOG(d_prefix<<"Validating DNSKEY for "<<i->first.name<<endl);
  2738. recordState = validateDNSKeys(i->first.name, i->second.records, i->second.signatures, depth);
  2739. }
  2740. else {
  2741. /*
  2742. * RFC 6672 section 5.3.1
  2743. * In any response, a signed DNAME RR indicates a non-terminal
  2744. * redirection of the query. There might or might not be a server-
  2745. * synthesized CNAME in the answer section; if there is, the CNAME will
  2746. * never be signed. For a DNSSEC validator, verification of the DNAME
  2747. * RR and then that the CNAME was properly synthesized is sufficient
  2748. * proof.
  2749. *
  2750. * We do the synthesis check in processRecords, here we make sure we
  2751. * don't validate the CNAME.
  2752. */
  2753. if (!(isDNAMEAnswer && i->first.type == QType::CNAME)) {
  2754. LOG(d_prefix<<"Validating non-additional record for "<<i->first.name<<endl);
  2755. recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, QType(i->first.type), i->second.records, i->second.signatures);
  2756. /* we might have missed a cut (zone cut within the same auth servers), causing the NS query for an Insecure zone to seem Bogus during zone cut determination */
  2757. if (qtype == QType::NS && i->second.signatures.empty() && vStateIsBogus(recordState) && haveExactValidationStatus(i->first.name) && getValidationStatus(i->first.name) == vState::Indeterminate) {
  2758. recordState = vState::Indeterminate;
  2759. }
  2760. }
  2761. }
  2762. }
  2763. }
  2764. else {
  2765. recordState = vState::Indeterminate;
  2766. /* in a non authoritative answer, we only care about the DS record (or lack of) */
  2767. if ((i->first.type == QType::DS || i->first.type == QType::NSEC || i->first.type == QType::NSEC3) && i->first.place == DNSResourceRecord::AUTHORITY) {
  2768. LOG(d_prefix<<"Validating DS record for "<<i->first.name<<endl);
  2769. recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.name, QType(i->first.type), i->second.records, i->second.signatures);
  2770. }
  2771. }
  2772. if (initialState == vState::Secure && state != recordState && expectSignature) {
  2773. updateValidationState(state, recordState);
  2774. }
  2775. }
  2776. else {
  2777. if (shouldValidate()) {
  2778. LOG(d_prefix<<"Skipping validation because the current state is "<<recordState<<endl);
  2779. }
  2780. }
  2781. if (vStateIsBogus(recordState)) {
  2782. /* this is a TTD by now, be careful */
  2783. for(auto& record : i->second.records) {
  2784. record.d_ttl = std::min(record.d_ttl, static_cast<uint32_t>(s_maxbogusttl + d_now.tv_sec));
  2785. }
  2786. }
  2787. /* We don't need to store NSEC3 records in the positive cache because:
  2788. - we don't allow direct NSEC3 queries
  2789. - denial of existence proofs in wildcard expanded positive responses are stored in authorityRecs
  2790. - denial of existence proofs for negative responses are stored in the negative cache
  2791. We also don't want to cache non-authoritative data except for:
  2792. - records coming from non forward-recurse servers (those will never be AA)
  2793. - DS (special case)
  2794. - NS, A and AAAA (used for infra queries)
  2795. */
  2796. if (i->first.type != QType::NSEC3 && (i->first.type == QType::DS || i->first.type == QType::NS || i->first.type == QType::A || i->first.type == QType::AAAA || isAA || wasForwardRecurse)) {
  2797. bool doCache = true;
  2798. if (i->first.place == DNSResourceRecord::ANSWER && ednsmask) {
  2799. // If ednsmask is relevant, we do not want to cache if the scope prefix length is large and TTL is small
  2800. if (SyncRes::s_ecscachelimitttl > 0) {
  2801. bool manyMaskBits = (ednsmask->isIPv4() && ednsmask->getBits() > SyncRes::s_ecsipv4cachelimit) ||
  2802. (ednsmask->isIPv6() && ednsmask->getBits() > SyncRes::s_ecsipv6cachelimit);
  2803. if (manyMaskBits) {
  2804. uint32_t minttl = UINT32_MAX;
  2805. for (const auto &it : i->second.records) {
  2806. if (it.d_ttl < minttl)
  2807. minttl = it.d_ttl;
  2808. }
  2809. bool ttlIsSmall = minttl < SyncRes::s_ecscachelimitttl + d_now.tv_sec;
  2810. if (ttlIsSmall) {
  2811. // Case: many bits and ttlIsSmall
  2812. doCache = false;
  2813. }
  2814. }
  2815. }
  2816. }
  2817. if (doCache) {
  2818. s_RC->replace(d_now.tv_sec, i->first.name, QType(i->first.type), i->second.records, i->second.signatures, authorityRecs, i->first.type == QType::DS ? true : isAA, i->first.place == DNSResourceRecord::ANSWER ? ednsmask : boost::none, d_routingTag, recordState);
  2819. }
  2820. }
  2821. if(i->first.place == DNSResourceRecord::ANSWER && ednsmask)
  2822. d_wasVariable=true;
  2823. }
  2824. return RCode::NoError;
  2825. }
  2826. void SyncRes::updateDenialValidationState(vState& neValidationState, const DNSName& neName, vState& state, const dState denialState, const dState expectedState, bool allowOptOut)
  2827. {
  2828. if (denialState == expectedState) {
  2829. neValidationState = vState::Secure;
  2830. }
  2831. else {
  2832. if (denialState == dState::OPTOUT && allowOptOut) {
  2833. LOG(d_prefix<<"OPT-out denial found for "<<neName<<endl);
  2834. /* rfc5155 states:
  2835. "The AD bit, as defined by [RFC4035], MUST NOT be set when returning a
  2836. response containing a closest (provable) encloser proof in which the
  2837. NSEC3 RR that covers the "next closer" name has the Opt-Out bit set.
  2838. This rule is based on what this closest encloser proof actually
  2839. proves: names that would be covered by the Opt-Out NSEC3 RR may or
  2840. may not exist as insecure delegations. As such, not all the data in
  2841. responses containing such closest encloser proofs will have been
  2842. cryptographically verified, so the AD bit cannot be set."
  2843. At best the Opt-Out NSEC3 RR proves that there is no signed DS (so no
  2844. secure delegation).
  2845. */
  2846. neValidationState = vState::Insecure;
  2847. }
  2848. else if (denialState == dState::INSECURE) {
  2849. LOG(d_prefix<<"Insecure denial found for "<<neName<<", returning Insecure"<<endl);
  2850. neValidationState = vState::Insecure;
  2851. }
  2852. else {
  2853. LOG(d_prefix<<"Invalid denial found for "<<neName<<", returning Bogus, res="<<denialState<<", expectedState="<<expectedState<<endl);
  2854. neValidationState = vState::BogusInvalidDenial;
  2855. }
  2856. updateValidationState(state, neValidationState);
  2857. }
  2858. }
  2859. dState SyncRes::getDenialValidationState(const NegCache::NegCacheEntry& ne, const vState state, const dState expectedState, bool referralToUnsigned)
  2860. {
  2861. cspmap_t csp = harvestCSPFromNE(ne);
  2862. return getDenial(csp, ne.d_name, ne.d_qtype.getCode(), referralToUnsigned, expectedState == dState::NXQTYPE);
  2863. }
  2864. bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const bool gatherWildcardProof, const unsigned int wildcardLabelsCount, int& rcode, unsigned int depth)
  2865. {
  2866. bool done = false;
  2867. DNSName dnameTarget, dnameOwner;
  2868. uint32_t dnameTTL = 0;
  2869. for(auto& rec : lwr.d_records) {
  2870. if (rec.d_type!=QType::OPT && rec.d_class!=QClass::IN)
  2871. continue;
  2872. if (rec.d_place==DNSResourceRecord::ANSWER && !(lwr.d_aabit || sendRDQuery)) {
  2873. /* for now we allow a CNAME for the exact qname in ANSWER with AA=0, because Amazon DNS servers
  2874. are sending such responses */
  2875. if (!(rec.d_type == QType::CNAME && rec.d_name == qname)) {
  2876. continue;
  2877. }
  2878. }
  2879. if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::SOA &&
  2880. lwr.d_rcode==RCode::NXDomain && qname.isPartOf(rec.d_name) && rec.d_name.isPartOf(auth)) {
  2881. LOG(prefix<<qname<<": got negative caching indication for name '"<<qname<<"' (accept="<<rec.d_name.isPartOf(auth)<<"), newtarget='"<<newtarget<<"'"<<endl);
  2882. rec.d_ttl = min(rec.d_ttl, s_maxnegttl);
  2883. // only add a SOA if we're not going anywhere after this
  2884. if (newtarget.empty()) {
  2885. ret.push_back(rec);
  2886. }
  2887. NegCache::NegCacheEntry ne;
  2888. uint32_t lowestTTL = rec.d_ttl;
  2889. /* if we get an NXDomain answer with a CNAME, the name
  2890. does exist but the target does not */
  2891. ne.d_name = newtarget.empty() ? qname : newtarget;
  2892. ne.d_qtype = QType(0); // this encodes 'whole record'
  2893. ne.d_auth = rec.d_name;
  2894. harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL);
  2895. if (state == vState::Secure) {
  2896. dState denialState = getDenialValidationState(ne, state, dState::NXDOMAIN, false);
  2897. updateDenialValidationState(ne.d_validationState, ne.d_name, state, denialState, dState::NXDOMAIN, true);
  2898. }
  2899. else {
  2900. ne.d_validationState = state;
  2901. }
  2902. if (vStateIsBogus(ne.d_validationState)) {
  2903. lowestTTL = min(lowestTTL, s_maxbogusttl);
  2904. }
  2905. ne.d_ttd = d_now.tv_sec + lowestTTL;
  2906. /* if we get an NXDomain answer with a CNAME, let's not cache the
  2907. target, even the server was authoritative for it,
  2908. and do an additional query for the CNAME target.
  2909. We have a regression test making sure we do exactly that.
  2910. */
  2911. if(!wasVariable() && newtarget.empty()) {
  2912. t_sstorage.negcache.add(ne);
  2913. if(s_rootNXTrust && ne.d_auth.isRoot() && auth.isRoot() && lwr.d_aabit) {
  2914. ne.d_name = ne.d_name.getLastLabel();
  2915. t_sstorage.negcache.add(ne);
  2916. }
  2917. }
  2918. negindic=true;
  2919. }
  2920. else if(rec.d_place==DNSResourceRecord::ANSWER && s_redirectionQTypes.count(rec.d_type) > 0 && // CNAME or DNAME answer
  2921. s_redirectionQTypes.count(qtype.getCode()) == 0) { // But not in response to a CNAME or DNAME query
  2922. if (rec.d_type == QType::CNAME && rec.d_name == qname) {
  2923. if (!dnameOwner.empty()) { // We synthesize ourselves
  2924. continue;
  2925. }
  2926. ret.push_back(rec);
  2927. if (auto content = getRR<CNAMERecordContent>(rec)) {
  2928. newtarget=DNSName(content->getTarget());
  2929. }
  2930. } else if (rec.d_type == QType::DNAME && qname.isPartOf(rec.d_name)) { // DNAME
  2931. ret.push_back(rec);
  2932. if (auto content = getRR<DNAMERecordContent>(rec)) {
  2933. dnameOwner = rec.d_name;
  2934. dnameTarget = content->getTarget();
  2935. dnameTTL = rec.d_ttl;
  2936. if (!newtarget.empty()) { // We had a CNAME before, remove it from ret so we don't cache it
  2937. ret.erase(std::remove_if(
  2938. ret.begin(),
  2939. ret.end(),
  2940. [&qname](DNSRecord& rr) {
  2941. return (rr.d_place == DNSResourceRecord::ANSWER && rr.d_type == QType::CNAME && rr.d_name == qname);
  2942. }),
  2943. ret.end());
  2944. }
  2945. try {
  2946. newtarget = qname.makeRelative(dnameOwner) + dnameTarget;
  2947. } catch (const std::exception &e) {
  2948. // We should probably catch an std::range_error here and set the rcode to YXDOMAIN (RFC 6672, section 2.2)
  2949. // But there is no way to set the RCODE from this function
  2950. throw ImmediateServFailException("Unable to perform DNAME substitution(DNAME owner: '" + dnameOwner.toLogString() +
  2951. "', DNAME target: '" + dnameTarget.toLogString() + "', substituted name: '" +
  2952. qname.makeRelative(dnameOwner).toLogString() + "." + dnameTarget.toLogString() +
  2953. "' : " + e.what());
  2954. }
  2955. }
  2956. }
  2957. }
  2958. /* if we have a positive answer synthesized from a wildcard, we need to
  2959. return the corresponding NSEC/NSEC3 records from the AUTHORITY section
  2960. proving that the exact name did not exist */
  2961. else if(gatherWildcardProof && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::AUTHORITY) {
  2962. ret.push_back(rec); // enjoy your DNSSEC
  2963. }
  2964. // for ANY answers we *must* have an authoritative answer, unless we are forwarding recursively
  2965. else if(rec.d_place==DNSResourceRecord::ANSWER && rec.d_name == qname &&
  2966. (
  2967. rec.d_type==qtype.getCode() || ((lwr.d_aabit || sendRDQuery) && qtype == QType(QType::ANY))
  2968. )
  2969. )
  2970. {
  2971. LOG(prefix<<qname<<": answer is in: resolved to '"<< rec.d_content->getZoneRepresentation()<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"'"<<endl);
  2972. done = true;
  2973. rcode = RCode::NoError;
  2974. if (state == vState::Secure && needWildcardProof) {
  2975. /* We have a positive answer synthesized from a wildcard, we need to check that we have
  2976. proof that the exact name doesn't exist so the wildcard can be used,
  2977. as described in section 5.3.4 of RFC 4035 and 5.3 of RFC 7129.
  2978. */
  2979. NegCache::NegCacheEntry ne;
  2980. uint32_t lowestTTL = rec.d_ttl;
  2981. ne.d_name = qname;
  2982. ne.d_qtype = QType(0); // this encodes 'whole record'
  2983. harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL);
  2984. cspmap_t csp = harvestCSPFromNE(ne);
  2985. dState res = getDenial(csp, qname, ne.d_qtype.getCode(), false, false, false, wildcardLabelsCount);
  2986. if (res != dState::NXDOMAIN) {
  2987. vState st = vState::BogusInvalidDenial;
  2988. if (res == dState::INSECURE) {
  2989. /* Some part could not be validated, for example a NSEC3 record with a too large number of iterations,
  2990. this is not enough to warrant a Bogus, but go Insecure. */
  2991. st = vState::Insecure;
  2992. LOG(d_prefix<<"Unable to validate denial in wildcard expanded positive response found for "<<qname<<", returning Insecure, res="<<res<<endl);
  2993. }
  2994. else {
  2995. LOG(d_prefix<<"Invalid denial in wildcard expanded positive response found for "<<qname<<", returning Bogus, res="<<res<<endl);
  2996. rec.d_ttl = std::min(rec.d_ttl, s_maxbogusttl);
  2997. }
  2998. updateValidationState(state, st);
  2999. /* we already stored the record with a different validation status, let's fix it */
  3000. updateValidationStatusInCache(qname, qtype, lwr.d_aabit, st);
  3001. }
  3002. }
  3003. ret.push_back(rec);
  3004. }
  3005. else if((rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::ANSWER) {
  3006. if(rec.d_type != QType::RRSIG || rec.d_name == qname) {
  3007. ret.push_back(rec); // enjoy your DNSSEC
  3008. } else if(rec.d_type == QType::RRSIG && qname.isPartOf(rec.d_name)) {
  3009. auto rrsig = getRR<RRSIGRecordContent>(rec);
  3010. if (rrsig != nullptr && rrsig->d_type == QType::DNAME) {
  3011. ret.push_back(rec);
  3012. }
  3013. }
  3014. }
  3015. else if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::NS && qname.isPartOf(rec.d_name)) {
  3016. if(moreSpecificThan(rec.d_name,auth)) {
  3017. newauth=rec.d_name;
  3018. LOG(prefix<<qname<<": got NS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"'"<<endl);
  3019. realreferral=true;
  3020. }
  3021. else {
  3022. LOG(prefix<<qname<<": got upwards/level NS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"', had '"<<auth<<"'"<<endl);
  3023. }
  3024. if (auto content = getRR<NSRecordContent>(rec)) {
  3025. nsset.insert(content->getNS());
  3026. }
  3027. }
  3028. else if(rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::DS && qname.isPartOf(rec.d_name)) {
  3029. LOG(prefix<<qname<<": got DS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"'"<<endl);
  3030. }
  3031. else if(realreferral && rec.d_place==DNSResourceRecord::AUTHORITY && (rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && newauth.isPartOf(auth)) {
  3032. /* we might have received a denial of the DS, let's check */
  3033. if (state == vState::Secure) {
  3034. NegCache::NegCacheEntry ne;
  3035. ne.d_auth = auth;
  3036. ne.d_name = newauth;
  3037. ne.d_qtype = QType::DS;
  3038. rec.d_ttl = min(s_maxnegttl, rec.d_ttl);
  3039. uint32_t lowestTTL = rec.d_ttl;
  3040. harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL);
  3041. dState denialState = getDenialValidationState(ne, state, dState::NXQTYPE, true);
  3042. if (denialState == dState::NXQTYPE || denialState == dState::OPTOUT || denialState == dState::INSECURE) {
  3043. ne.d_ttd = lowestTTL + d_now.tv_sec;
  3044. ne.d_validationState = vState::Secure;
  3045. if (denialState == dState::OPTOUT) {
  3046. ne.d_validationState = vState::Insecure;
  3047. }
  3048. LOG(prefix<<qname<<": got negative indication of DS record for '"<<newauth<<"'"<<endl);
  3049. if(!wasVariable()) {
  3050. t_sstorage.negcache.add(ne);
  3051. }
  3052. if (qname == newauth && qtype == QType::DS) {
  3053. /* we are actually done! */
  3054. negindic=true;
  3055. nsset.clear();
  3056. }
  3057. }
  3058. }
  3059. }
  3060. else if (!done && rec.d_place == DNSResourceRecord::AUTHORITY && rec.d_type == QType::SOA &&
  3061. lwr.d_rcode == RCode::NoError && qname.isPartOf(rec.d_name)) {
  3062. LOG(prefix<<qname<<": got negative caching indication for '"<< qname<<"|"<<qtype.getName()<<"'"<<endl);
  3063. if(!newtarget.empty()) {
  3064. LOG(prefix<<qname<<": Hang on! Got a redirect to '"<<newtarget<<"' already"<<endl);
  3065. }
  3066. else {
  3067. rec.d_ttl = min(s_maxnegttl, rec.d_ttl);
  3068. NegCache::NegCacheEntry ne;
  3069. ne.d_auth = rec.d_name;
  3070. uint32_t lowestTTL = rec.d_ttl;
  3071. ne.d_name = qname;
  3072. ne.d_qtype = qtype;
  3073. harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL);
  3074. if (state == vState::Secure) {
  3075. dState denialState = getDenialValidationState(ne, state, dState::NXQTYPE, false);
  3076. updateDenialValidationState(ne.d_validationState, ne.d_name, state, denialState, dState::NXQTYPE, qtype == QType::DS);
  3077. } else {
  3078. ne.d_validationState = state;
  3079. }
  3080. if (vStateIsBogus(ne.d_validationState)) {
  3081. lowestTTL = min(lowestTTL, s_maxbogusttl);
  3082. rec.d_ttl = min(rec.d_ttl, s_maxbogusttl);
  3083. }
  3084. ne.d_ttd = d_now.tv_sec + lowestTTL;
  3085. if(!wasVariable()) {
  3086. if(qtype.getCode()) { // prevents us from blacking out a whole domain
  3087. t_sstorage.negcache.add(ne);
  3088. }
  3089. }
  3090. ret.push_back(rec);
  3091. negindic=true;
  3092. }
  3093. }
  3094. }
  3095. if (!dnameTarget.empty()) {
  3096. // Synthesize a CNAME
  3097. auto cnamerec = DNSRecord();
  3098. cnamerec.d_name = qname;
  3099. cnamerec.d_type = QType::CNAME;
  3100. cnamerec.d_ttl = dnameTTL;
  3101. cnamerec.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent(newtarget));
  3102. ret.push_back(std::move(cnamerec));
  3103. }
  3104. return done;
  3105. }
  3106. bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname, const QType& qtype, LWResult& lwr, boost::optional<Netmask>& ednsmask, const DNSName& auth, bool const sendRDQuery, const DNSName& nsName, const ComboAddress& remoteIP, bool doTCP, bool* truncated)
  3107. {
  3108. bool chained = false;
  3109. int resolveret = RCode::NoError;
  3110. s_outqueries++;
  3111. d_outqueries++;
  3112. if(d_outqueries + d_throttledqueries > s_maxqperq) {
  3113. throw ImmediateServFailException("more than "+std::to_string(s_maxqperq)+" (max-qperq) queries sent while resolving "+qname.toLogString());
  3114. }
  3115. if(s_maxtotusec && d_totUsec > s_maxtotusec) {
  3116. throw ImmediateServFailException("Too much time waiting for "+qname.toLogString()+"|"+qtype.getName()+", timeouts: "+std::to_string(d_timeouts) +", throttles: "+std::to_string(d_throttledqueries) + ", queries: "+std::to_string(d_outqueries)+", "+std::to_string(d_totUsec/1000)+"msec");
  3117. }
  3118. if(doTCP) {
  3119. LOG(prefix<<qname<<": using TCP with "<< remoteIP.toStringWithPort() <<endl);
  3120. s_tcpoutqueries++;
  3121. d_tcpoutqueries++;
  3122. }
  3123. if(d_pdl && d_pdl->preoutquery(remoteIP, d_requestor, qname, qtype, doTCP, lwr.d_records, resolveret)) {
  3124. LOG(prefix<<qname<<": query handled by Lua"<<endl);
  3125. }
  3126. else {
  3127. ednsmask=getEDNSSubnetMask(qname, remoteIP);
  3128. if(ednsmask) {
  3129. LOG(prefix<<qname<<": Adding EDNS Client Subnet Mask "<<ednsmask->toString()<<" to query"<<endl);
  3130. s_ecsqueries++;
  3131. }
  3132. resolveret = asyncresolveWrapper(remoteIP, d_doDNSSEC, qname, auth, qtype.getCode(),
  3133. doTCP, sendRDQuery, &d_now, ednsmask, &lwr, &chained); // <- we go out on the wire!
  3134. if(ednsmask) {
  3135. s_ecsresponses++;
  3136. LOG(prefix<<qname<<": Received EDNS Client Subnet Mask "<<ednsmask->toString()<<" on response"<<endl);
  3137. if (ednsmask->getBits() > 0) {
  3138. if (ednsmask->isIPv4()) {
  3139. ++SyncRes::s_ecsResponsesBySubnetSize4.at(ednsmask->getBits()-1);
  3140. }
  3141. else {
  3142. ++SyncRes::s_ecsResponsesBySubnetSize6.at(ednsmask->getBits()-1);
  3143. }
  3144. }
  3145. }
  3146. }
  3147. /* preoutquery killed the query by setting dq.rcode to -3 */
  3148. if(resolveret==-3) {
  3149. throw ImmediateServFailException("Query killed by policy");
  3150. }
  3151. d_totUsec += lwr.d_usec;
  3152. accountAuthLatency(lwr.d_usec, remoteIP.sin4.sin_family);
  3153. bool dontThrottle = false;
  3154. {
  3155. auto dontThrottleNames = g_dontThrottleNames.getLocal();
  3156. auto dontThrottleNetmasks = g_dontThrottleNetmasks.getLocal();
  3157. dontThrottle = dontThrottleNames->check(nsName) || dontThrottleNetmasks->match(remoteIP);
  3158. }
  3159. if(resolveret != 1) {
  3160. /* Error while resolving */
  3161. if(resolveret == 0) {
  3162. /* Time out */
  3163. LOG(prefix<<qname<<": timeout resolving after "<<lwr.d_usec/1000.0<<"msec "<< (doTCP ? "over TCP" : "")<<endl);
  3164. d_timeouts++;
  3165. s_outgoingtimeouts++;
  3166. if(remoteIP.sin4.sin_family == AF_INET)
  3167. s_outgoing4timeouts++;
  3168. else
  3169. s_outgoing6timeouts++;
  3170. if(t_timeouts)
  3171. t_timeouts->push_back(remoteIP);
  3172. }
  3173. else if(resolveret == -2) {
  3174. /* OS resource limit reached */
  3175. LOG(prefix<<qname<<": hit a local resource limit resolving"<< (doTCP ? " over TCP" : "")<<", probable error: "<<stringerror()<<endl);
  3176. g_stats.resourceLimits++;
  3177. }
  3178. else {
  3179. /* -1 means server unreachable */
  3180. s_unreachables++;
  3181. d_unreachables++;
  3182. // XXX questionable use of errno
  3183. LOG(prefix<<qname<<": error resolving from "<<remoteIP.toString()<< (doTCP ? " over TCP" : "") <<", possible error: "<<stringerror()<< endl);
  3184. }
  3185. if(resolveret != -2 && !chained && !dontThrottle) {
  3186. // don't account for resource limits, they are our own fault
  3187. // And don't throttle when the IP address is on the dontThrottleNetmasks list or the name is part of dontThrottleNames
  3188. t_sstorage.nsSpeeds[nsName.empty()? DNSName(remoteIP.toStringWithPort()) : nsName].submit(remoteIP, 1000000, d_now); // 1 sec
  3189. // code below makes sure we don't filter COM or the root
  3190. if (s_serverdownmaxfails > 0 && (auth != g_rootdnsname) && t_sstorage.fails.incr(remoteIP, d_now) >= s_serverdownmaxfails) {
  3191. LOG(prefix<<qname<<": Max fails reached resolving on "<< remoteIP.toString() <<". Going full throttle for "<< s_serverdownthrottletime <<" seconds" <<endl);
  3192. // mark server as down
  3193. t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, "", 0), s_serverdownthrottletime, 10000);
  3194. }
  3195. else if (resolveret == -1) {
  3196. // unreachable, 1 minute or 100 queries
  3197. t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 100);
  3198. }
  3199. else {
  3200. // timeout, 10 seconds or 5 queries
  3201. t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 10, 5);
  3202. }
  3203. }
  3204. return false;
  3205. }
  3206. /* we got an answer */
  3207. if(lwr.d_rcode==RCode::ServFail || lwr.d_rcode==RCode::Refused) {
  3208. LOG(prefix<<qname<<": "<<nsName<<" ("<<remoteIP.toString()<<") returned a "<< (lwr.d_rcode==RCode::ServFail ? "ServFail" : "Refused") << ", trying sibling IP or NS"<<endl);
  3209. if (!chained && !dontThrottle) {
  3210. t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3);
  3211. }
  3212. return false;
  3213. }
  3214. /* this server sent a valid answer, mark it backup up if it was down */
  3215. if(s_serverdownmaxfails > 0) {
  3216. t_sstorage.fails.clear(remoteIP);
  3217. }
  3218. if(lwr.d_tcbit) {
  3219. *truncated = true;
  3220. if (doTCP) {
  3221. LOG(prefix<<qname<<": truncated bit set, over TCP?"<<endl);
  3222. if (!dontThrottle) {
  3223. /* let's treat that as a ServFail answer from this server */
  3224. t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(remoteIP, qname, qtype.getCode()), 60, 3);
  3225. }
  3226. return false;
  3227. }
  3228. LOG(prefix<<qname<<": truncated bit set, over UDP"<<endl);
  3229. return true;
  3230. }
  3231. return true;
  3232. }
  3233. void SyncRes::handleNewTarget(const std::string& prefix, const DNSName& qname, const DNSName& newtarget, uint16_t qtype, std::vector<DNSRecord>& ret, int& rcode, int depth, const std::vector<DNSRecord>& recordsFromAnswer, vState& state)
  3234. {
  3235. if (newtarget == qname) {
  3236. LOG(prefix<<qname<<": status=got a CNAME referral to self, returning SERVFAIL"<<endl);
  3237. ret.clear();
  3238. rcode = RCode::ServFail;
  3239. return;
  3240. }
  3241. if (newtarget.isPartOf(qname)) {
  3242. // a.b.c. CNAME x.a.b.c will go to great depths with QM on
  3243. LOG(prefix<<qname<<": status=got a CNAME referral to child, disabling QM"<<endl);
  3244. setQNameMinimization(false);
  3245. }
  3246. if (depth > 10) {
  3247. LOG(prefix<<qname<<": status=got a CNAME referral, but recursing too deep, returning SERVFAIL"<<endl);
  3248. rcode = RCode::ServFail;
  3249. return;
  3250. }
  3251. if (!d_followCNAME) {
  3252. rcode = RCode::NoError;
  3253. return;
  3254. }
  3255. // Check to see if we already have seen the new target as a previous target
  3256. if (scanForCNAMELoop(newtarget, ret)) {
  3257. LOG(prefix<<qname<<": status=got a CNAME referral that causes a loop, returning SERVFAIL"<<endl);
  3258. ret.clear();
  3259. rcode = RCode::ServFail;
  3260. return;
  3261. }
  3262. if (qtype == QType::DS || qtype == QType::DNSKEY) {
  3263. LOG(prefix<<qname<<": status=got a CNAME referral, but we are looking for a DS or DNSKEY"<<endl);
  3264. if (d_doDNSSEC) {
  3265. addNXNSECS(ret, recordsFromAnswer);
  3266. }
  3267. rcode = RCode::NoError;
  3268. return;
  3269. }
  3270. LOG(prefix<<qname<<": status=got a CNAME referral, starting over with "<<newtarget<<endl);
  3271. set<GetBestNSAnswer> beenthere;
  3272. vState cnameState = vState::Indeterminate;
  3273. rcode = doResolve(newtarget, QType(qtype), ret, depth + 1, beenthere, cnameState);
  3274. LOG(prefix<<qname<<": updating validation state for response to "<<qname<<" from "<<state<<" with the state from the CNAME quest: "<<cnameState<<endl);
  3275. updateValidationState(state, cnameState);
  3276. }
  3277. bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, bool sendRDQuery, NsSet &nameservers, std::vector<DNSRecord>& ret, const DNSFilterEngine& dfe, bool* gotNewServers, int* rcode, vState& state)
  3278. {
  3279. string prefix;
  3280. if(doLog()) {
  3281. prefix=d_prefix;
  3282. prefix.append(depth, ' ');
  3283. }
  3284. if(s_minimumTTL) {
  3285. for(auto& rec : lwr.d_records) {
  3286. rec.d_ttl = max(rec.d_ttl, s_minimumTTL);
  3287. }
  3288. }
  3289. /* if the answer is ECS-specific, a minimum TTL is set for this kind of answers
  3290. and it's higher than the global minimum TTL */
  3291. if (ednsmask && s_minimumECSTTL > 0 && (s_minimumTTL == 0 || s_minimumECSTTL > s_minimumTTL)) {
  3292. for(auto& rec : lwr.d_records) {
  3293. if (rec.d_place == DNSResourceRecord::ANSWER) {
  3294. rec.d_ttl = max(rec.d_ttl, s_minimumECSTTL);
  3295. }
  3296. }
  3297. }
  3298. bool needWildcardProof = false;
  3299. bool gatherWildcardProof = false;
  3300. unsigned int wildcardLabelsCount;
  3301. *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, gatherWildcardProof, wildcardLabelsCount, sendRDQuery);
  3302. if (*rcode != RCode::NoError) {
  3303. return true;
  3304. }
  3305. LOG(prefix<<qname<<": determining status after receiving this packet"<<endl);
  3306. set<DNSName> nsset;
  3307. bool realreferral=false, negindic=false;
  3308. DNSName newauth;
  3309. DNSName newtarget;
  3310. bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, gatherWildcardProof, wildcardLabelsCount, *rcode, depth);
  3311. if (done){
  3312. LOG(prefix<<qname<<": status=got results, this level of recursion done"<<endl);
  3313. LOG(prefix<<qname<<": validation status is "<<state<<endl);
  3314. return true;
  3315. }
  3316. if (!newtarget.empty()) {
  3317. handleNewTarget(prefix, qname, newtarget, qtype.getCode(), ret, *rcode, depth, lwr.d_records, state);
  3318. return true;
  3319. }
  3320. if(lwr.d_rcode == RCode::NXDomain) {
  3321. LOG(prefix<<qname<<": status=NXDOMAIN, we are done "<<(negindic ? "(have negative SOA)" : "")<<endl);
  3322. if (state == vState::Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
  3323. LOG(prefix<<qname<<": NXDOMAIN without a negative indication (missing SOA in authority) in a DNSSEC secure zone, going Bogus"<<endl);
  3324. updateValidationState(state, vState::BogusMissingNegativeIndication);
  3325. }
  3326. if(d_doDNSSEC)
  3327. addNXNSECS(ret, lwr.d_records);
  3328. *rcode = RCode::NXDomain;
  3329. return true;
  3330. }
  3331. if(nsset.empty() && !lwr.d_rcode && (negindic || lwr.d_aabit || sendRDQuery)) {
  3332. LOG(prefix<<qname<<": status=noerror, other types may exist, but we are done "<<(negindic ? "(have negative SOA) " : "")<<(lwr.d_aabit ? "(have aa bit) " : "")<<endl);
  3333. if(state == vState::Secure && (lwr.d_aabit || sendRDQuery) && !negindic) {
  3334. LOG(prefix<<qname<<": NODATA without a negative indication (missing SOA in authority) in a DNSSEC secure zone, going Bogus"<<endl);
  3335. updateValidationState(state, vState::BogusMissingNegativeIndication);
  3336. }
  3337. if(d_doDNSSEC)
  3338. addNXNSECS(ret, lwr.d_records);
  3339. *rcode = RCode::NoError;
  3340. return true;
  3341. }
  3342. if(realreferral) {
  3343. LOG(prefix<<qname<<": status=did not resolve, got "<<(unsigned int)nsset.size()<<" NS, ");
  3344. nameservers.clear();
  3345. for (auto const &nameserver : nsset) {
  3346. if (d_wantsRPZ && !d_appliedPolicy.wasHit()) {
  3347. bool match = dfe.getProcessingPolicy(nameserver, d_discardedPolicies, d_appliedPolicy);
  3348. if (match) {
  3349. mergePolicyTags(d_policyTags, d_appliedPolicy.getTags());
  3350. if (d_appliedPolicy.d_kind != DNSFilterEngine::PolicyKind::NoAction) { // client query needs an RPZ response
  3351. if (d_pdl && d_pdl->policyHitEventFilter(d_requestor, qname, qtype, d_queryReceivedOverTCP, d_appliedPolicy, d_policyTags, d_discardedPolicies)) {
  3352. /* reset to no match */
  3353. d_appliedPolicy = DNSFilterEngine::Policy();
  3354. }
  3355. else {
  3356. LOG("however "<<nameserver<<" was blocked by RPZ policy '"<<d_appliedPolicy.getName()<<"'"<<endl);
  3357. throw PolicyHitException();
  3358. }
  3359. }
  3360. }
  3361. }
  3362. nameservers.insert({nameserver, {{}, false}});
  3363. }
  3364. LOG("looping to them"<<endl);
  3365. *gotNewServers = true;
  3366. auth=newauth;
  3367. return false;
  3368. }
  3369. return false;
  3370. }
  3371. /** returns:
  3372. * -1 in case of no results
  3373. * rcode otherwise
  3374. */
  3375. int SyncRes::doResolveAt(NsSet &nameservers, DNSName auth, bool flawedNSSet, const DNSName &qname, const QType &qtype,
  3376. vector<DNSRecord>&ret,
  3377. unsigned int depth, set<GetBestNSAnswer>&beenthere, vState& state, StopAtDelegation* stopAtDelegation)
  3378. {
  3379. auto luaconfsLocal = g_luaconfs.getLocal();
  3380. string prefix;
  3381. if(doLog()) {
  3382. prefix=d_prefix;
  3383. prefix.append(depth, ' ');
  3384. }
  3385. LOG(prefix<<qname<<": Cache consultations done, have "<<(unsigned int)nameservers.size()<<" NS to contact");
  3386. if (nameserversBlockedByRPZ(luaconfsLocal->dfe, nameservers)) {
  3387. /* RPZ hit */
  3388. if (d_pdl && d_pdl->policyHitEventFilter(d_requestor, qname, qtype, d_queryReceivedOverTCP, d_appliedPolicy, d_policyTags, d_discardedPolicies)) {
  3389. /* reset to no match */
  3390. d_appliedPolicy = DNSFilterEngine::Policy();
  3391. }
  3392. else {
  3393. throw PolicyHitException();
  3394. }
  3395. }
  3396. LOG(endl);
  3397. unsigned int addressQueriesForNS = 0;
  3398. for(;;) { // we may get more specific nameservers
  3399. auto rnameservers = shuffleInSpeedOrder(nameservers, doLog() ? (prefix+qname.toString()+": ") : string() );
  3400. // We allow s_maxnsaddressqperq (default 10) queries with empty responses when resolving NS names.
  3401. // If a zone publishes many (more than s_maxnsaddressqperq) NS records, we allow less.
  3402. // This is to "punish" zones that publish many non-resolving NS names.
  3403. // We always allow 5 NS name resolving attempts with empty results.
  3404. unsigned int nsLimit = s_maxnsaddressqperq;
  3405. if (rnameservers.size() > nsLimit) {
  3406. int newLimit = static_cast<int>(nsLimit) - (rnameservers.size() - nsLimit);
  3407. nsLimit = std::max(5, newLimit);
  3408. }
  3409. for(auto tns=rnameservers.cbegin();;++tns) {
  3410. if (addressQueriesForNS >= nsLimit) {
  3411. throw ImmediateServFailException(std::to_string(nsLimit)+" (adjusted max-ns-address-qperq) or more queries with empty results for NS addresses sent resolving "+qname.toLogString());
  3412. }
  3413. if(tns==rnameservers.cend()) {
  3414. LOG(prefix<<qname<<": Failed to resolve via any of the "<<(unsigned int)rnameservers.size()<<" offered NS at level '"<<auth<<"'"<<endl);
  3415. if(!auth.isRoot() && flawedNSSet) {
  3416. LOG(prefix<<qname<<": Ageing nameservers for level '"<<auth<<"', next query might succeed"<<endl);
  3417. if(s_RC->doAgeCache(d_now.tv_sec, auth, QType::NS, 10))
  3418. g_stats.nsSetInvalidations++;
  3419. }
  3420. return -1;
  3421. }
  3422. bool cacheOnly = false;
  3423. // this line needs to identify the 'self-resolving' behaviour
  3424. if(qname == tns->first && (qtype.getCode() == QType::A || qtype.getCode() == QType::AAAA)) {
  3425. /* we might have a glue entry in cache so let's try this NS
  3426. but only if we have enough in the cache to know how to reach it */
  3427. LOG(prefix<<qname<<": Using NS to resolve itself, but only using what we have in cache ("<<(1+tns-rnameservers.cbegin())<<"/"<<rnameservers.size()<<")"<<endl);
  3428. cacheOnly = true;
  3429. }
  3430. typedef vector<ComboAddress> remoteIPs_t;
  3431. remoteIPs_t remoteIPs;
  3432. remoteIPs_t::const_iterator remoteIP;
  3433. bool pierceDontQuery=false;
  3434. bool sendRDQuery=false;
  3435. boost::optional<Netmask> ednsmask;
  3436. LWResult lwr;
  3437. const bool wasForwarded = tns->first.empty() && (!nameservers[tns->first].first.empty());
  3438. int rcode = RCode::NoError;
  3439. bool gotNewServers = false;
  3440. if(tns->first.empty() && !wasForwarded) {
  3441. LOG(prefix<<qname<<": Domain is out-of-band"<<endl);
  3442. /* setting state to indeterminate since validation is disabled for local auth zone,
  3443. and Insecure would be misleading. */
  3444. state = vState::Indeterminate;
  3445. d_wasOutOfBand = doOOBResolve(qname, qtype, lwr.d_records, depth, lwr.d_rcode);
  3446. lwr.d_tcbit=false;
  3447. lwr.d_aabit=true;
  3448. /* we have received an answer, are we done ? */
  3449. bool done = processAnswer(depth, lwr, qname, qtype, auth, false, ednsmask, sendRDQuery, nameservers, ret, luaconfsLocal->dfe, &gotNewServers, &rcode, state);
  3450. if (done) {
  3451. return rcode;
  3452. }
  3453. if (gotNewServers) {
  3454. if (stopAtDelegation && *stopAtDelegation == Stop) {
  3455. *stopAtDelegation = Stopped;
  3456. return rcode;
  3457. }
  3458. break;
  3459. }
  3460. }
  3461. else {
  3462. /* if tns is empty, retrieveAddressesForNS() knows we have hardcoded servers (i.e. "forwards") */
  3463. remoteIPs = retrieveAddressesForNS(prefix, qname, tns, depth, beenthere, rnameservers, nameservers, sendRDQuery, pierceDontQuery, flawedNSSet, cacheOnly, addressQueriesForNS);
  3464. if(remoteIPs.empty()) {
  3465. LOG(prefix<<qname<<": Failed to get IP for NS "<<tns->first<<", trying next if available"<<endl);
  3466. flawedNSSet=true;
  3467. continue;
  3468. }
  3469. else {
  3470. bool hitPolicy{false};
  3471. LOG(prefix<<qname<<": Resolved '"<<auth<<"' NS "<<tns->first<<" to: ");
  3472. for(remoteIP = remoteIPs.cbegin(); remoteIP != remoteIPs.cend(); ++remoteIP) {
  3473. if(remoteIP != remoteIPs.cbegin()) {
  3474. LOG(", ");
  3475. }
  3476. LOG(remoteIP->toString());
  3477. if(nameserverIPBlockedByRPZ(luaconfsLocal->dfe, *remoteIP)) {
  3478. hitPolicy = true;
  3479. }
  3480. }
  3481. LOG(endl);
  3482. if (hitPolicy) { //implies d_wantsRPZ
  3483. /* RPZ hit */
  3484. if (d_pdl && d_pdl->policyHitEventFilter(d_requestor, qname, qtype, d_queryReceivedOverTCP, d_appliedPolicy, d_policyTags, d_discardedPolicies)) {
  3485. /* reset to no match */
  3486. d_appliedPolicy = DNSFilterEngine::Policy();
  3487. }
  3488. else {
  3489. throw PolicyHitException();
  3490. }
  3491. }
  3492. }
  3493. for(remoteIP = remoteIPs.cbegin(); remoteIP != remoteIPs.cend(); ++remoteIP) {
  3494. LOG(prefix<<qname<<": Trying IP "<< remoteIP->toStringWithPort() <<", asking '"<<qname<<"|"<<qtype.getName()<<"'"<<endl);
  3495. if (throttledOrBlocked(prefix, *remoteIP, qname, qtype, pierceDontQuery)) {
  3496. continue;
  3497. }
  3498. bool truncated = false;
  3499. bool gotAnswer = doResolveAtThisIP(prefix, qname, qtype, lwr, ednsmask, auth, sendRDQuery,
  3500. tns->first, *remoteIP, false, &truncated);
  3501. if (gotAnswer && truncated ) {
  3502. /* retry, over TCP this time */
  3503. gotAnswer = doResolveAtThisIP(prefix, qname, qtype, lwr, ednsmask, auth, sendRDQuery,
  3504. tns->first, *remoteIP, true, &truncated);
  3505. }
  3506. if (!gotAnswer) {
  3507. continue;
  3508. }
  3509. LOG(prefix<<qname<<": Got "<<(unsigned int)lwr.d_records.size()<<" answers from "<<tns->first<<" ("<< remoteIP->toString() <<"), rcode="<<lwr.d_rcode<<" ("<<RCode::to_s(lwr.d_rcode)<<"), aa="<<lwr.d_aabit<<", in "<<lwr.d_usec/1000<<"ms"<<endl);
  3510. /* // for you IPv6 fanatics :-)
  3511. if(remoteIP->sin4.sin_family==AF_INET6)
  3512. lwr.d_usec/=3;
  3513. */
  3514. // cout<<"msec: "<<lwr.d_usec/1000.0<<", "<<g_avgLatency/1000.0<<'\n';
  3515. t_sstorage.nsSpeeds[tns->first.empty()? DNSName(remoteIP->toStringWithPort()) : tns->first].submit(*remoteIP, lwr.d_usec, d_now);
  3516. /* we have received an answer, are we done ? */
  3517. bool done = processAnswer(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, sendRDQuery, nameservers, ret, luaconfsLocal->dfe, &gotNewServers, &rcode, state);
  3518. if (done) {
  3519. return rcode;
  3520. }
  3521. if (gotNewServers) {
  3522. if (stopAtDelegation && *stopAtDelegation == Stop) {
  3523. *stopAtDelegation = Stopped;
  3524. return rcode;
  3525. }
  3526. break;
  3527. }
  3528. /* was lame */
  3529. t_sstorage.throttle.throttle(d_now.tv_sec, boost::make_tuple(*remoteIP, qname, qtype.getCode()), 60, 100);
  3530. }
  3531. if (gotNewServers) {
  3532. break;
  3533. }
  3534. if(remoteIP == remoteIPs.cend()) // we tried all IP addresses, none worked
  3535. continue;
  3536. }
  3537. }
  3538. }
  3539. return -1;
  3540. }
  3541. void SyncRes::setQuerySource(const ComboAddress& requestor, boost::optional<const EDNSSubnetOpts&> incomingECS)
  3542. {
  3543. d_requestor = requestor;
  3544. if (incomingECS && incomingECS->source.getBits() > 0) {
  3545. d_cacheRemote = incomingECS->source.getMaskedNetwork();
  3546. uint8_t bits = std::min(incomingECS->source.getBits(), (incomingECS->source.isIPv4() ? s_ecsipv4limit : s_ecsipv6limit));
  3547. ComboAddress trunc = incomingECS->source.getNetwork();
  3548. trunc.truncate(bits);
  3549. d_outgoingECSNetwork = boost::optional<Netmask>(Netmask(trunc, bits));
  3550. } else {
  3551. d_cacheRemote = d_requestor;
  3552. if(!incomingECS && s_ednslocalsubnets.match(d_requestor)) {
  3553. ComboAddress trunc = d_requestor;
  3554. uint8_t bits = d_requestor.isIPv4() ? 32 : 128;
  3555. bits = std::min(bits, (trunc.isIPv4() ? s_ecsipv4limit : s_ecsipv6limit));
  3556. trunc.truncate(bits);
  3557. d_outgoingECSNetwork = boost::optional<Netmask>(Netmask(trunc, bits));
  3558. } else if (s_ecsScopeZero.source.getBits() > 0) {
  3559. /* RFC7871 says we MUST NOT send any ECS if the source scope is 0.
  3560. But using an empty ECS in that case would mean inserting
  3561. a non ECS-specific entry into the cache, preventing any further
  3562. ECS-specific query to be sent.
  3563. So instead we use the trick described in section 7.1.2:
  3564. "The subsequent Recursive Resolver query to the Authoritative Nameserver
  3565. will then either not include an ECS option or MAY optionally include
  3566. its own address information, which is what the Authoritative
  3567. Nameserver will almost certainly use to generate any Tailored
  3568. Response in lieu of an option. This allows the answer to be handled
  3569. by the same caching mechanism as other queries, with an explicit
  3570. indicator of the applicable scope. Subsequent Stub Resolver queries
  3571. for /0 can then be answered from this cached response.
  3572. */
  3573. d_outgoingECSNetwork = boost::optional<Netmask>(s_ecsScopeZero.source.getMaskedNetwork());
  3574. d_cacheRemote = s_ecsScopeZero.source.getNetwork();
  3575. } else {
  3576. // ECS disabled because no scope-zero address could be derived.
  3577. d_outgoingECSNetwork = boost::none;
  3578. }
  3579. }
  3580. }
  3581. boost::optional<Netmask> SyncRes::getEDNSSubnetMask(const DNSName& dn, const ComboAddress& rem)
  3582. {
  3583. if(d_outgoingECSNetwork && (s_ednsdomains.check(dn) || s_ednsremotesubnets.match(rem))) {
  3584. return d_outgoingECSNetwork;
  3585. }
  3586. return boost::none;
  3587. }
  3588. void SyncRes::parseEDNSSubnetWhitelist(const std::string& wlist)
  3589. {
  3590. vector<string> parts;
  3591. stringtok(parts, wlist, ",; ");
  3592. for(const auto& a : parts) {
  3593. try {
  3594. s_ednsremotesubnets.addMask(Netmask(a));
  3595. }
  3596. catch(...) {
  3597. s_ednsdomains.add(DNSName(a));
  3598. }
  3599. }
  3600. }
  3601. void SyncRes::parseEDNSSubnetAddFor(const std::string& subnetlist)
  3602. {
  3603. vector<string> parts;
  3604. stringtok(parts, subnetlist, ",; ");
  3605. for(const auto& a : parts) {
  3606. s_ednslocalsubnets.addMask(a);
  3607. }
  3608. }
  3609. // used by PowerDNSLua - note that this neglects to add the packet count & statistics back to pdns_ercursor.cc
  3610. int directResolve(const DNSName& qname, const QType& qtype, int qclass, vector<DNSRecord>& ret)
  3611. {
  3612. struct timeval now;
  3613. gettimeofday(&now, 0);
  3614. SyncRes sr(now);
  3615. int res = -1;
  3616. try {
  3617. res = sr.beginResolve(qname, QType(qtype), qclass, ret, 0);
  3618. }
  3619. catch(const PDNSException& e) {
  3620. g_log<<Logger::Error<<"Failed to resolve "<<qname<<", got pdns exception: "<<e.reason<<endl;
  3621. ret.clear();
  3622. }
  3623. catch(const ImmediateServFailException& e) {
  3624. g_log<<Logger::Error<<"Failed to resolve "<<qname<<", got ImmediateServFailException: "<<e.reason<<endl;
  3625. ret.clear();
  3626. }
  3627. catch(const PolicyHitException& e) {
  3628. g_log<<Logger::Error<<"Failed to resolve "<<qname<<", got a policy hit"<<endl;
  3629. ret.clear();
  3630. }
  3631. catch(const std::exception& e) {
  3632. g_log<<Logger::Error<<"Failed to resolve "<<qname<<", got STL error: "<<e.what()<<endl;
  3633. ret.clear();
  3634. }
  3635. catch(...) {
  3636. g_log<<Logger::Error<<"Failed to resolve "<<qname<<", got an exception"<<endl;
  3637. ret.clear();
  3638. }
  3639. return res;
  3640. }
  3641. int SyncRes::getRootNS(struct timeval now, asyncresolve_t asyncCallback, unsigned int depth) {
  3642. SyncRes sr(now);
  3643. sr.setDoEDNS0(true);
  3644. sr.setUpdatingRootNS();
  3645. sr.setDoDNSSEC(g_dnssecmode != DNSSECMode::Off);
  3646. sr.setDNSSECValidationRequested(g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate);
  3647. sr.setAsyncCallback(asyncCallback);
  3648. vector<DNSRecord> ret;
  3649. int res=-1;
  3650. try {
  3651. res=sr.beginResolve(g_rootdnsname, QType(QType::NS), 1, ret, depth + 1);
  3652. if (g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate) {
  3653. auto state = sr.getValidationState();
  3654. if (vStateIsBogus(state)) {
  3655. throw PDNSException("Got Bogus validation result for .|NS");
  3656. }
  3657. }
  3658. return res;
  3659. }
  3660. catch(const PDNSException& e) {
  3661. g_log<<Logger::Error<<"Failed to update . records, got an exception: "<<e.reason<<endl;
  3662. }
  3663. catch(const ImmediateServFailException& e) {
  3664. g_log<<Logger::Error<<"Failed to update . records, got an exception: "<<e.reason<<endl;
  3665. }
  3666. catch(const PolicyHitException& e) {
  3667. g_log<<Logger::Error<<"Failed to update . records, got a policy hit"<<endl;
  3668. ret.clear();
  3669. }
  3670. catch(const std::exception& e) {
  3671. g_log<<Logger::Error<<"Failed to update . records, got an exception: "<<e.what()<<endl;
  3672. }
  3673. catch(...) {
  3674. g_log<<Logger::Error<<"Failed to update . records, got an exception"<<endl;
  3675. }
  3676. if(!res) {
  3677. g_log<<Logger::Notice<<"Refreshed . records"<<endl;
  3678. }
  3679. else
  3680. g_log<<Logger::Error<<"Failed to update . records, RCODE="<<res<<endl;
  3681. return res;
  3682. }