--- embedaddon/dnsmasq/src/forward.c 2016/11/02 09:57:01 1.1.1.3 +++ embedaddon/dnsmasq/src/forward.c 2021/03/17 00:56:46 1.1.1.4 @@ -1,4 +1,4 @@ -/* dnsmasq is Copyright (c) 2000-2016 Simon Kelley +/* dnsmasq is Copyright (c) 2000-2021 Simon Kelley This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -16,17 +16,19 @@ #include "dnsmasq.h" -static struct frec *lookup_frec(unsigned short id, void *hash); +static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash); static struct frec *lookup_frec_by_sender(unsigned short id, union mysockaddr *addr, void *hash); +static struct frec *lookup_frec_by_query(void *hash, unsigned int flags); + static unsigned short get_id(void); static void free_frec(struct frec *f); /* Send a UDP packet with its source address set as "source" unless nowild is true, when we just send it with the kernel default */ int send_from(int fd, int nowild, char *packet, size_t len, - union mysockaddr *to, struct all_addr *source, + union mysockaddr *to, union all_addr *source, unsigned int iface) { struct msghdr msg; @@ -38,9 +40,7 @@ int send_from(int fd, int nowild, char *packet, size_t #elif defined(IP_SENDSRCADDR) char control[CMSG_SPACE(sizeof(struct in_addr))]; #endif -#ifdef HAVE_IPV6 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))]; -#endif } control_u; iov[0].iov_base = packet; @@ -66,47 +66,49 @@ int send_from(int fd, int nowild, char *packet, size_t #if defined(HAVE_LINUX_NETWORK) struct in_pktinfo p; p.ipi_ifindex = 0; - p.ipi_spec_dst = source->addr.addr4; + p.ipi_spec_dst = source->addr4; + msg.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo)); memcpy(CMSG_DATA(cmptr), &p, sizeof(p)); - msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); + cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo)); cmptr->cmsg_level = IPPROTO_IP; cmptr->cmsg_type = IP_PKTINFO; #elif defined(IP_SENDSRCADDR) - memcpy(CMSG_DATA(cmptr), &(source->addr.addr4), sizeof(source->addr.addr4)); - msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr)); + msg.msg_controllen = CMSG_SPACE(sizeof(struct in_addr)); + memcpy(CMSG_DATA(cmptr), &(source->addr4), sizeof(source->addr4)); + cmptr->cmsg_len = CMSG_LEN(sizeof(struct in_addr)); cmptr->cmsg_level = IPPROTO_IP; cmptr->cmsg_type = IP_SENDSRCADDR; #endif } else -#ifdef HAVE_IPV6 { struct in6_pktinfo p; p.ipi6_ifindex = iface; /* Need iface for IPv6 to handle link-local addrs */ - p.ipi6_addr = source->addr.addr6; + p.ipi6_addr = source->addr6; + msg.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); memcpy(CMSG_DATA(cmptr), &p, sizeof(p)); - msg.msg_controllen = cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); + cmptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); cmptr->cmsg_type = daemon->v6pktinfo; cmptr->cmsg_level = IPPROTO_IPV6; } -#else - (void)iface; /* eliminate warning */ -#endif } while (retry_send(sendmsg(fd, &msg, 0))); - /* If interface is still in DAD, EINVAL results - ignore that. */ - if (errno != 0 && errno != EINVAL) + if (errno != 0) { - my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno)); +#ifdef HAVE_LINUX_NETWORK + /* If interface is still in DAD, EINVAL results - ignore that. */ + if (errno != EINVAL) + my_syslog(LOG_ERR, _("failed to send packet: %s"), strerror(errno)); +#endif return 0; } return 1; } -static unsigned int search_servers(time_t now, struct all_addr **addrpp, unsigned int qtype, +static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned int qtype, char *qdomain, int *type, char **domain, int *norebind) { @@ -118,26 +120,36 @@ static unsigned int search_servers(time_t now, struct unsigned int matchlen = 0; struct server *serv; unsigned int flags = 0; + static union all_addr zero; for (serv = daemon->servers; serv; serv=serv->next) + if (qtype == F_DNSSECOK && !(serv->flags & SERV_DO_DNSSEC)) + continue; /* domain matches take priority over NODOTS matches */ - if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0) + else if ((serv->flags & SERV_FOR_NODOTS) && *type != SERV_HAS_DOMAIN && !strchr(qdomain, '.') && namelen != 0) { unsigned int sflag = serv->addr.sa.sa_family == AF_INET ? F_IPV4 : F_IPV6; *type = SERV_FOR_NODOTS; - if (serv->flags & SERV_NO_ADDR) + if ((serv->flags & SERV_NO_REBIND) && norebind) + *norebind = 1; + else if (serv->flags & SERV_NO_ADDR) flags = F_NXDOMAIN; - else if (serv->flags & SERV_LITERAL_ADDRESS) + else if (serv->flags & SERV_LITERAL_ADDRESS) { - if (sflag & qtype) + /* literal address = '#' -> return all-zero address for IPv4 and IPv6 */ + if ((serv->flags & SERV_USE_RESOLV) && (qtype & (F_IPV6 | F_IPV4))) { + memset(&zero, 0, sizeof(zero)); + flags = qtype; + *addrpp = &zero; + } + else if (sflag & qtype) + { flags = sflag; if (serv->addr.sa.sa_family == AF_INET) - *addrpp = (struct all_addr *)&serv->addr.in.sin_addr; -#ifdef HAVE_IPV6 + *addrpp = (union all_addr *)&serv->addr.in.sin_addr; else - *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr; -#endif + *addrpp = (union all_addr *)&serv->addr.in6.sin6_addr; } else if (!flags || (flags & F_NXDOMAIN)) flags = F_NOERR; @@ -182,15 +194,20 @@ static unsigned int search_servers(time_t now, struct flags = F_NXDOMAIN; else if (serv->flags & SERV_LITERAL_ADDRESS) { - if (sflag & qtype) + /* literal address = '#' -> return all-zero address for IPv4 and IPv6 */ + if ((serv->flags & SERV_USE_RESOLV) && (qtype & (F_IPV6 | F_IPV4))) + { + memset(&zero, 0, sizeof(zero)); + flags = qtype; + *addrpp = &zero; + } + else if (sflag & qtype) { flags = sflag; if (serv->addr.sa.sa_family == AF_INET) - *addrpp = (struct all_addr *)&serv->addr.in.sin_addr; -#ifdef HAVE_IPV6 + *addrpp = (union all_addr *)&serv->addr.in.sin_addr; else - *addrpp = (struct all_addr *)&serv->addr.in6.sin6_addr; -#endif + *addrpp = (union all_addr *)&serv->addr.in6.sin6_addr; } else if (!flags || (flags & F_NXDOMAIN)) flags = F_NOERR; @@ -202,7 +219,7 @@ static unsigned int search_servers(time_t now, struct } } - if (flags == 0 && !(qtype & F_QUERY) && + if (flags == 0 && !(qtype & (F_QUERY | F_DNSSECOK)) && option_bool(OPT_NODOTS_LOCAL) && !strchr(qdomain, '.') && namelen != 0) /* don't forward A or AAAA queries for simple names, except the empty name */ flags = F_NOERR; @@ -212,12 +229,16 @@ static unsigned int search_servers(time_t now, struct if (flags) { - int logflags = 0; - - if (flags == F_NXDOMAIN || flags == F_NOERR) - logflags = F_NEG | qtype; - - log_query(logflags | flags | F_CONFIG | F_FORWARD, qdomain, *addrpp, NULL); + if (flags == F_NXDOMAIN || flags == F_NOERR) + log_query(flags | qtype | F_NEG | F_CONFIG | F_FORWARD, qdomain, NULL, NULL); + else + { + /* handle F_IPV4 and F_IPV6 set on ANY query to 0.0.0.0/:: domain. */ + if (flags & F_IPV4) + log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV6, qdomain, *addrpp, NULL); + if (flags & F_IPV6) + log_query((flags | F_CONFIG | F_FORWARD) & ~F_IPV4, qdomain, *addrpp, NULL); + } } else if ((*type) & SERV_USE_RESOLV) { @@ -228,28 +249,37 @@ static unsigned int search_servers(time_t now, struct } static int forward_query(int udpfd, union mysockaddr *udpaddr, - struct all_addr *dst_addr, unsigned int dst_iface, + union all_addr *dst_addr, unsigned int dst_iface, struct dns_header *header, size_t plen, time_t now, struct frec *forward, int ad_reqd, int do_bit) { char *domain = NULL; int type = SERV_DO_DNSSEC, norebind = 0; - struct all_addr *addrp = NULL; + union all_addr *addrp = NULL; unsigned int flags = 0; + unsigned int fwd_flags = 0; struct server *start = NULL; -#ifdef HAVE_DNSSEC void *hash = hash_questions(header, plen, daemon->namebuff); +#ifdef HAVE_DNSSEC int do_dnssec = 0; -#else - unsigned int crc = questions_crc(header, plen, daemon->namebuff); - void *hash = &crc; #endif - unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL); - - (void)do_bit; - + unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL); + unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL); + (void)do_bit; + + if (header->hb4 & HB4_CD) + fwd_flags |= FREC_CHECKING_DISABLED; + if (ad_reqd) + fwd_flags |= FREC_AD_QUESTION; + if (oph) + fwd_flags |= FREC_HAS_PHEADER; +#ifdef HAVE_DNSSEC + if (do_bit) + fwd_flags |= FREC_DO_QUESTION; +#endif + /* may be no servers available. */ - if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash)))) + if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))) { /* If we didn't get an answer advertising a maximal packet in EDNS, fall back to 1280, which should work everywhere on IPv6. @@ -270,36 +300,32 @@ static int forward_query(int udpfd, union mysockaddr * while (forward->blocking_query) forward = forward->blocking_query; - forward->flags |= FREC_TEST_PKTSZ; - blockdata_retrieve(forward->stash, forward->stash_len, (void *)header); plen = forward->stash_len; + forward->flags |= FREC_TEST_PKTSZ; if (find_pseudoheader(header, plen, NULL, &pheader, &is_sign, NULL) && !is_sign) PUTSHORT(SAFE_PKTSZ, pheader); - + if (forward->sentto->addr.sa.sa_family == AF_INET) - log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); -#ifdef HAVE_IPV6 + log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); else - log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); -#endif + log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); + if (forward->sentto->sfd) fd = forward->sentto->sfd->fd; else { -#ifdef HAVE_IPV6 if (forward->sentto->addr.sa.sa_family == AF_INET6) fd = forward->rfd6->fd; else -#endif fd = forward->rfd4->fd; } - while (retry_send( sendto(fd, (char *)header, plen, 0, - &forward->sentto->addr.sa, - sa_len(&forward->sentto->addr)))); + while (retry_send(sendto(fd, (char *)header, plen, 0, + &forward->sentto->addr.sa, + sa_len(&forward->sentto->addr)))); return 1; } @@ -324,6 +350,40 @@ static int forward_query(int udpfd, union mysockaddr * } else { + /* Query from new source, but the same query may be in progress + from another source. If so, just add this client to the + list that will get the reply.*/ + + if (!option_bool(OPT_ADD_MAC) && !option_bool(OPT_MAC_B64) && + (forward = lookup_frec_by_query(hash, fwd_flags))) + { + /* Note whine_malloc() zeros memory. */ + if (!daemon->free_frec_src && + daemon->frec_src_count < daemon->ftabsize && + (daemon->free_frec_src = whine_malloc(sizeof(struct frec_src)))) + { + daemon->frec_src_count++; + daemon->free_frec_src->next = NULL; + } + + /* If we've been spammed with many duplicates, just drop the query. */ + if (daemon->free_frec_src) + { + struct frec_src *new = daemon->free_frec_src; + daemon->free_frec_src = new->next; + new->next = forward->frec_src.next; + forward->frec_src.next = new; + new->orig_id = ntohs(header->id); + new->source = *udpaddr; + new->dest = *dst_addr; + new->log_id = daemon->log_id; + new->iface = dst_iface; + new->fd = udpfd; + } + + return 1; + } + if (gotname) flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind); @@ -331,22 +391,23 @@ static int forward_query(int udpfd, union mysockaddr * do_dnssec = type & SERV_DO_DNSSEC; #endif type &= ~SERV_DO_DNSSEC; - + if (daemon->servers && !flags) - forward = get_new_frec(now, NULL, 0); + forward = get_new_frec(now, NULL, NULL); /* table full - flags == 0, return REFUSED */ if (forward) { - forward->source = *udpaddr; - forward->dest = *dst_addr; - forward->iface = dst_iface; - forward->orig_id = ntohs(header->id); + forward->frec_src.source = *udpaddr; + forward->frec_src.orig_id = ntohs(header->id); + forward->frec_src.dest = *dst_addr; + forward->frec_src.iface = dst_iface; + forward->frec_src.next = NULL; + forward->frec_src.fd = udpfd; forward->new_id = get_id(); - forward->fd = udpfd; memcpy(forward->hash, hash, HASH_SIZE); forward->forwardall = 0; - forward->flags = 0; + forward->flags = fwd_flags; if (norebind) forward->flags |= FREC_NOREBIND; if (header->hb4 & HB4_CD) @@ -396,33 +457,26 @@ static int forward_query(int udpfd, union mysockaddr * if (!flags && forward) { struct server *firstsentto = start; - int subnet, forwarded = 0; + int subnet, cacheable, forwarded = 0; size_t edns0_len; - + unsigned char *pheader; + /* If a query is retried, use the log_id for the retry when logging the answer. */ - forward->log_id = daemon->log_id; + forward->frec_src.log_id = daemon->log_id; - edns0_len = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->source, now, &subnet); + plen = add_edns0_config(header, plen, ((unsigned char *)header) + PACKETSZ, &forward->frec_src.source, now, &subnet, &cacheable); - if (edns0_len != plen) - { - plen = edns0_len; - forward->flags |= FREC_ADDED_PHEADER; - - if (subnet) - forward->flags |= FREC_HAS_SUBNET; - } - + if (subnet) + forward->flags |= FREC_HAS_SUBNET; + + if (!cacheable) + forward->flags |= FREC_NO_CACHE; + #ifdef HAVE_DNSSEC if (option_bool(OPT_DNSSEC_VALID) && do_dnssec) { - size_t new = add_do_bit(header, plen, ((unsigned char *) header) + PACKETSZ); - - if (new != plen) - forward->flags |= FREC_ADDED_PHEADER; - - plen = new; - + plen = add_do_bit(header, plen, ((unsigned char *) header) + PACKETSZ); + /* For debugging, set Checking Disabled, otherwise, have the upstream check too, this allows it to select auth servers when one is returning bad data. */ if (option_bool(OPT_DNSSEC_DEBUG)) @@ -431,9 +485,20 @@ static int forward_query(int udpfd, union mysockaddr * } #endif - /* If we're sending an EDNS0 with any options, we can't recreate the query from a reply. */ - if (find_pseudoheader(header, plen, &edns0_len, NULL, NULL, NULL) && edns0_len > 11) - forward->flags |= FREC_HAS_EXTRADATA; + if (find_pseudoheader(header, plen, &edns0_len, &pheader, NULL, NULL)) + { + /* If there wasn't a PH before, and there is now, we added it. */ + if (!oph) + forward->flags |= FREC_ADDED_PHEADER; + + /* If we're sending an EDNS0 with any options, we can't recreate the query from a reply. */ + if (edns0_len > 11) + forward->flags |= FREC_HAS_EXTRADATA; + + /* Reduce udp size on retransmits. */ + if (forward->flags & FREC_TEST_PKTSZ) + PUTSHORT(SAFE_PKTSZ, pheader); + } while (1) { @@ -452,7 +517,6 @@ static int forward_query(int udpfd, union mysockaddr * fd = start->sfd->fd; else { -#ifdef HAVE_IPV6 if (start->addr.sa.sa_family == AF_INET6) { if (!forward->rfd6 && @@ -462,7 +526,6 @@ static int forward_query(int udpfd, union mysockaddr * fd = forward->rfd6->fd; } else -#endif { if (!forward->rfd4 && !(forward->rfd4 = allocate_rfd(AF_INET))) @@ -476,7 +539,7 @@ static int forward_query(int udpfd, union mysockaddr * if (option_bool(OPT_CONNTRACK)) { unsigned int mark; - if (get_incoming_mark(&forward->source, &forward->dest, 0, &mark)) + if (get_incoming_mark(&forward->frec_src.source, &forward->frec_src.dest, 0, &mark)) setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); } #endif @@ -505,6 +568,10 @@ static int forward_query(int udpfd, union mysockaddr * if (errno == 0) { +#ifdef HAVE_DUMPFILE + dump_packet(DUMP_UP_QUERY, (void *)header, plen, NULL, &start->addr); +#endif + /* Keep info in case we want to re-send this packet */ daemon->srv_save = start; daemon->packet_len = plen; @@ -513,12 +580,10 @@ static int forward_query(int udpfd, union mysockaddr * strcpy(daemon->namebuff, "query"); if (start->addr.sa.sa_family == AF_INET) log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff, - (struct all_addr *)&start->addr.in.sin_addr, NULL); -#ifdef HAVE_IPV6 + (union all_addr *)&start->addr.in.sin_addr, NULL); else log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff, - (struct all_addr *)&start->addr.in6.sin6_addr, NULL); -#endif + (union all_addr *)&start->addr.in6.sin6_addr, NULL); start->queries++; forwarded = 1; forward->sentto = start; @@ -539,7 +604,7 @@ static int forward_query(int udpfd, union mysockaddr * return 1; /* could not send on, prepare to return */ - header->id = htons(forward->orig_id); + header->id = htons(forward->frec_src.orig_id); free_frec(forward); /* cancel */ } @@ -547,6 +612,8 @@ static int forward_query(int udpfd, union mysockaddr * if (udpfd != -1) { plen = setup_reply(header, plen, addrp, flags, daemon->local_ttl); + if (oph) + plen = add_pseudoheader(header, plen, ((unsigned char *) header) + PACKETSZ, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0); send_from(udpfd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, plen, udpaddr, dst_addr, dst_iface); } @@ -560,8 +627,9 @@ static size_t process_reply(struct dns_header *header, unsigned char *pheader, *sizep; char **sets = 0; int munged = 0, is_sign; + unsigned int rcode = RCODE(header); size_t plen; - + (void)ad_reqd; (void)do_bit; (void)bogusanswer; @@ -587,9 +655,12 @@ static size_t process_reply(struct dns_header *header, } } #endif - + if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign, NULL))) { + /* Get extended RCODE. */ + rcode |= sizep[2] << 4; + if (check_subnet && !check_source(header, plen, pheader, query_source)) { my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch")); @@ -638,20 +709,29 @@ static size_t process_reply(struct dns_header *header, if (!is_sign && !option_bool(OPT_DNSSEC_PROXY)) header->hb4 &= ~HB4_AD; - if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN)) + if (OPCODE(header) != QUERY) return resize_packet(header, n, pheader, plen); + + if (rcode != NOERROR && rcode != NXDOMAIN) + { + union all_addr a; + a.log.rcode = rcode; + log_query(F_UPSTREAM | F_RCODE, "error", &a, NULL); + + return resize_packet(header, n, pheader, plen); + } /* Complain loudly if the upstream server is non-recursive. */ - if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && + if (!(header->hb4 & HB4_RA) && rcode == NOERROR && server && !(server->flags & SERV_WARNED_RECURSIVE)) { - prettyprint_addr(&server->addr, daemon->namebuff); + (void)prettyprint_addr(&server->addr, daemon->namebuff); my_syslog(LOG_WARNING, _("nameserver %s refused to do a recursive query"), daemon->namebuff); if (!option_bool(OPT_LOG)) server->flags |= SERV_WARNED_RECURSIVE; } - if (daemon->bogus_addr && RCODE(header) != NXDOMAIN && + if (daemon->bogus_addr && rcode != NXDOMAIN && check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now)) { munged = 1; @@ -663,7 +743,7 @@ static size_t process_reply(struct dns_header *header, { int doctored = 0; - if (RCODE(header) == NXDOMAIN && + if (rcode == NXDOMAIN && extract_request(header, n, daemon->namebuff, NULL) && check_for_local_domain(daemon->namebuff, now)) { @@ -738,22 +818,16 @@ void reply_query(int fd, int family, time_t now) size_t nn; struct server *server; void *hash; -#ifndef HAVE_DNSSEC - unsigned int crc; -#endif /* packet buffer overwritten */ daemon->srv_save = NULL; /* Determine the address of the server replying so that we can mark that as good */ - serveraddr.sa.sa_family = family; -#ifdef HAVE_IPV6 - if (serveraddr.sa.sa_family == AF_INET6) + if ((serveraddr.sa.sa_family = family) == AF_INET6) serveraddr.in6.sin6_flowinfo = 0; -#endif header = (struct dns_header *)daemon->packet; - + if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR)) return; @@ -765,21 +839,25 @@ void reply_query(int fd, int family, time_t now) if (!server) return; - -#ifdef HAVE_DNSSEC + + /* If sufficient time has elapsed, try and expand UDP buffer size again. */ + if (difftime(now, server->pktsz_reduced) > UDP_TEST_TIME) + server->edns_pktsz = daemon->edns_pktsz; + hash = hash_questions(header, n, daemon->namebuff); -#else - hash = &crc; - crc = questions_crc(header, n, daemon->namebuff); -#endif - if (!(forward = lookup_frec(ntohs(header->id), hash))) + if (!(forward = lookup_frec(ntohs(header->id), fd, family, hash))) return; +#ifdef HAVE_DUMPFILE + dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_REPLY : DUMP_UP_REPLY, + (void *)header, n, &serveraddr, NULL); +#endif + /* log_query gets called indirectly all over the place, so pass these in global variables - sorry. */ - daemon->log_display_id = forward->log_id; - daemon->log_source_addr = &forward->source; + daemon->log_display_id = forward->frec_src.log_id; + daemon->log_source_addr = &forward->frec_src.source; if (daemon->ignore_addr && RCODE(header) == NOERROR && check_for_ignored_address(header, n, daemon->ignore_addr)) @@ -787,8 +865,7 @@ void reply_query(int fd, int family, time_t now) /* Note: if we send extra options in the EDNS0 header, we can't recreate the query from the reply. */ - if (RCODE(header) == REFUSED && - !option_bool(OPT_ORDER) && + if ((RCODE(header) == REFUSED || RCODE(header) == SERVFAIL) && forward->forwardall == 0 && !(forward->flags & FREC_HAS_EXTRADATA)) /* for broken servers, attempt to send to another one. */ @@ -796,10 +873,87 @@ void reply_query(int fd, int family, time_t now) unsigned char *pheader; size_t plen; int is_sign; + +#ifdef HAVE_DNSSEC + if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) + { + struct server *start; + + blockdata_retrieve(forward->stash, forward->stash_len, (void *)header); + plen = forward->stash_len; + + forward->forwardall = 2; /* only retry once */ + start = forward->sentto; + + /* for non-domain specific servers, see if we can find another to try. */ + if ((forward->sentto->flags & SERV_TYPE) == 0) + while (1) + { + if (!(start = start->next)) + start = daemon->servers; + if (start == forward->sentto) + break; + + if ((start->flags & SERV_TYPE) == 0 && + (start->flags & SERV_DO_DNSSEC)) + break; + } + + + fd = -1; + + if (start->sfd) + fd = start->sfd->fd; + else + { + if (start->addr.sa.sa_family == AF_INET6) + { + /* may have changed family */ + if (forward->rfd6 || (forward->rfd6 = allocate_rfd(AF_INET6))) + fd = forward->rfd6->fd; + } + else + { + /* may have changed family */ + if (forward->rfd4 || (forward->rfd4 = allocate_rfd(AF_INET))) + fd = forward->rfd4->fd; + } + } + + /* Can't get socket. */ + if (fd == -1) + return; + +#ifdef HAVE_DUMPFILE + dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)plen, NULL, &start->addr); +#endif + + while (retry_send(sendto(fd, (char *)header, plen, 0, + &start->addr.sa, + sa_len(&start->addr)))); + + if (start->addr.sa.sa_family == AF_INET) + log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (union all_addr *)&start->addr.in.sin_addr, "dnssec"); + else + log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (union all_addr *)&start->addr.in6.sin6_addr, "dnssec"); + + return; + } +#endif + /* In strict order mode, there must be a server later in the chain + left to send to, otherwise without the forwardall mechanism, + code further on will cycle around the list forwever if they + all return REFUSED. Note that server is always non-NULL before + this executes. */ + if (option_bool(OPT_ORDER)) + for (server = forward->sentto->next; server; server = server->next) + if (!(server->flags & (SERV_LITERAL_ADDRESS | SERV_HAS_DOMAIN | SERV_FOR_NODOTS | SERV_NO_ADDR | SERV_LOOP))) + break; + /* recreate query from reply */ pheader = find_pseudoheader(header, (size_t)n, &plen, NULL, &is_sign, NULL); - if (!is_sign) + if (!is_sign && server) { header->ancount = htons(0); header->nscount = htons(0); @@ -843,12 +997,18 @@ void reply_query(int fd, int family, time_t now) } /* We tried resending to this server with a smaller maximum size and got an answer. - Make that permanent. To avoid reduxing the packet size for an single dropped packet, + Make that permanent. To avoid reduxing the packet size for a single dropped packet, only do this when we get a truncated answer, or one larger than the safe size. */ - if (server && (forward->flags & FREC_TEST_PKTSZ) && + if (forward->sentto->edns_pktsz > SAFE_PKTSZ && (forward->flags & FREC_TEST_PKTSZ) && ((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ)) - server->edns_pktsz = SAFE_PKTSZ; - + { + forward->sentto->edns_pktsz = SAFE_PKTSZ; + forward->sentto->pktsz_reduced = now; + (void)prettyprint_addr(&forward->sentto->addr, daemon->addrbuff); + my_syslog(LOG_WARNING, _("reducing DNS packet size for nameserver %s to %d"), daemon->addrbuff, SAFE_PKTSZ); + } + + /* If the answer is an error, keep the forward record in place in case we get a good reply from another server. Kill it when we've had replies from all to avoid filling the forwarding table when @@ -856,7 +1016,7 @@ void reply_query(int fd, int family, time_t now) if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != REFUSED) { int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0; - + if (option_bool(OPT_NO_REBIND)) check_rebind = !(forward->flags & FREC_NOREBIND); @@ -866,7 +1026,7 @@ void reply_query(int fd, int family, time_t now) no_cache_dnssec = 1; #ifdef HAVE_DNSSEC - if (server && (server->flags & SERV_DO_DNSSEC) && + if ((forward->sentto->flags & SERV_DO_DNSSEC) && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED)) { int status = 0; @@ -876,10 +1036,10 @@ void reply_query(int fd, int family, time_t now) return; /* Truncated answer can't be validated. - If this is an answer to a DNSSEC-generated query, we still - need to get the client to retry over TCP, so return - an answer with the TC bit set, even if the actual answer fits. - */ + If this is an answer to a DNSSEC-generated query, we still + need to get the client to retry over TCP, so return + an answer with the TC bit set, even if the actual answer fits. + */ if (header->hb3 & HB3_TC) status = STAT_TRUNCATED; @@ -896,7 +1056,13 @@ void reply_query(int fd, int family, time_t now) status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class); else status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, - option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL); + !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC), + NULL, NULL, NULL); +#ifdef HAVE_DUMPFILE + if (status == STAT_BOGUS) + dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_BOGUS : DUMP_BOGUS, + header, (size_t)n, &serveraddr, NULL); +#endif } /* Can't validate, as we're missing key data. Put this @@ -917,11 +1083,13 @@ void reply_query(int fd, int family, time_t now) /* Find the original query that started it all.... */ for (orig = forward; orig->dependent; orig = orig->dependent); - if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1))) + /* Make sure we don't expire and free the orig frec during the + allocation of a new one. */ + if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, orig))) status = STAT_ABANDONED; else { - int fd, type = SERV_DO_DNSSEC; + int querytype, fd, type = SERV_DO_DNSSEC; struct frec *next = new->next; char *domain; @@ -932,42 +1100,41 @@ void reply_query(int fd, int family, time_t now) /* Find server to forward to. This will normally be the same as for the original query, but may be another if servers for domains are involved. */ - if (search_servers(now, NULL, F_QUERY, daemon->keyname, &type, &domain, NULL) == 0) + if (search_servers(now, NULL, F_DNSSECOK, daemon->keyname, &type, &domain, NULL) == 0) { - struct server *start = server, *new_server = NULL; - type &= ~SERV_DO_DNSSEC; - - while (1) - { - if (type == (start->flags & SERV_TYPE) && - (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) && - !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) - { - new_server = start; - if (server == start) - { - new_server = NULL; - break; - } - } - - if (!(start = start->next)) - start = daemon->servers; - if (start == server) - break; - } - - if (new_server) - server = new_server; + struct server *start, *new_server = NULL; + start = server = forward->sentto; + + while (1) + { + if (type == (start->flags & (SERV_TYPE | SERV_DO_DNSSEC)) && + ((type & SERV_TYPE) != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) && + !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) + { + new_server = start; + if (server == start) + { + new_server = NULL; + break; + } + } + + if (!(start = start->next)) + start = daemon->servers; + if (start == server) + break; + } + + if (new_server) + server = new_server; } - + new->sentto = server; - new->rfd4 = NULL; -#ifdef HAVE_IPV6 new->rfd6 = NULL; -#endif - new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY); + new->frec_src.next = NULL; + new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA); + new->forwardall = 0; new->dependent = forward; /* to find query awaiting new one. */ forward->blocking_query = new; /* for garbage cleaning */ @@ -975,17 +1142,25 @@ void reply_query(int fd, int family, time_t now) if (status == STAT_NEED_KEY) { new->flags |= FREC_DNSKEY_QUERY; - nn = dnssec_generate_query(header, ((unsigned char *) header) + server->edns_pktsz, - daemon->keyname, forward->class, T_DNSKEY, &server->addr, server->edns_pktsz); + querytype = T_DNSKEY; } else { new->flags |= FREC_DS_QUERY; - nn = dnssec_generate_query(header,((unsigned char *) header) + server->edns_pktsz, - daemon->keyname, forward->class, T_DS, &server->addr, server->edns_pktsz); + querytype = T_DS; } - if ((hash = hash_questions(header, nn, daemon->namebuff))) - memcpy(new->hash, hash, HASH_SIZE); + + nn = dnssec_generate_query(header,((unsigned char *) header) + server->edns_pktsz, + daemon->keyname, forward->class, querytype, server->edns_pktsz); + + if (server->addr.sa.sa_family == AF_INET) + log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, daemon->keyname, (union all_addr *)&(server->addr.in.sin_addr), + querystr("dnssec-query", querytype)); + else + log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, daemon->keyname, (union all_addr *)&(server->addr.in6.sin6_addr), + querystr("dnssec-query", querytype)); + + memcpy(new->hash, hash_questions(header, nn, daemon->namebuff), HASH_SIZE); new->new_id = get_id(); header->id = htons(new->new_id); /* Save query for retransmission */ @@ -1000,14 +1175,12 @@ void reply_query(int fd, int family, time_t now) else { fd = -1; -#ifdef HAVE_IPV6 if (server->addr.sa.sa_family == AF_INET6) { if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6))) fd = new->rfd6->fd; } else -#endif { if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET))) fd = new->rfd4->fd; @@ -1021,10 +1194,15 @@ void reply_query(int fd, int family, time_t now) if (option_bool(OPT_CONNTRACK)) { unsigned int mark; - if (get_incoming_mark(&orig->source, &orig->dest, 0, &mark)) + if (get_incoming_mark(&orig->frec_src.source, &orig->frec_src.dest, 0, &mark)) setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); } #endif + +#ifdef HAVE_DUMPFILE + dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)nn, NULL, &server->addr); +#endif + while (retry_send(sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)))); @@ -1038,7 +1216,7 @@ void reply_query(int fd, int family, time_t now) if (!forward->dependent) break; - /* validated subsdiary query, (and cached result) + /* validated subsidiary query, (and cached result) pop that and return to the previous query we were working on. */ struct frec *prev = forward->dependent; free_frec(forward); @@ -1068,7 +1246,7 @@ void reply_query(int fd, int family, time_t now) if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL)) domain = daemon->namebuff; - log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result); + log_query(F_SECSTAT, domain, NULL, result); } if (status == STAT_SECURE) @@ -1079,23 +1257,31 @@ void reply_query(int fd, int family, time_t now) bogusanswer = 1; } } -#endif - + +#endif + /* restore CD bit to the value in the query */ if (forward->flags & FREC_CHECKING_DISABLED) header->hb4 |= HB4_CD; else header->hb4 &= ~HB4_CD; + + /* Never cache answers which are contingent on the source or MAC address EDSN0 option, + since the cache is ignorant of such things. */ + if (forward->flags & FREC_NO_CACHE) + no_cache_dnssec = 1; if ((nn = process_reply(header, now, forward->sentto, (size_t)n, check_rebind, no_cache_dnssec, cache_secure, bogusanswer, forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION, - forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source))) + forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->frec_src.source))) { - header->id = htons(forward->orig_id); + struct frec_src *src; + + header->id = htons(forward->frec_src.orig_id); header->hb4 |= HB4_RA; /* recursion if available */ #ifdef HAVE_DNSSEC /* We added an EDNSO header for the purpose of getting DNSSEC RRs, and set the value of the UDP payload size - greater than the no-EDNS0-implied 512 to have if space for the RRSIGS. If, having stripped them and the EDNS0 + greater than the no-EDNS0-implied 512 to have space for the RRSIGS. If, having stripped them and the EDNS0 header, the answer is still bigger than 512, truncate it and mark it so. The client then retries with TCP. */ if (option_bool(OPT_DNSSEC_VALID) && (forward->flags & FREC_ADDED_PHEADER) && (nn > PACKETSZ)) { @@ -1106,9 +1292,27 @@ void reply_query(int fd, int family, time_t now) nn = resize_packet(header, nn, NULL, 0); } #endif - send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, - &forward->source, &forward->dest, forward->iface); + + for (src = &forward->frec_src; src; src = src->next) + { + header->id = htons(src->orig_id); + +#ifdef HAVE_DUMPFILE + dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &src->source); +#endif + + send_from(src->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, + &src->source, &src->dest, src->iface); + + if (option_bool(OPT_EXTRALOG) && src != &forward->frec_src) + { + daemon->log_display_id = src->log_id; + daemon->log_source_addr = &src->source; + log_query(F_UPSTREAM, "query", NULL, "duplicate"); + } + } } + free_frec(forward); /* cancel */ } } @@ -1120,7 +1324,7 @@ void receive_query(struct listener *listen, time_t now union mysockaddr source_addr; unsigned char *pheader; unsigned short type, udp_size = PACKETSZ; /* default if no EDNS0 */ - struct all_addr dst_addr; + union all_addr dst_addr; struct in_addr netmask, dst_addr_4; size_t m; ssize_t n; @@ -1133,9 +1337,7 @@ void receive_query(struct listener *listen, time_t now struct cmsghdr *cmptr; union { struct cmsghdr align; /* this ensures alignment */ -#ifdef HAVE_IPV6 char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))]; -#endif #if defined(HAVE_LINUX_NETWORK) char control[CMSG_SPACE(sizeof(struct in_pktinfo))]; #elif defined(IP_RECVDSTADDR) && defined(HAVE_SOLARIS_NETWORK) @@ -1146,26 +1348,23 @@ void receive_query(struct listener *listen, time_t now CMSG_SPACE(sizeof(struct sockaddr_dl))]; #endif } control_u; -#ifdef HAVE_IPV6 + int family = listen->addr.sa.sa_family; /* Can always get recvd interface for IPv6 */ - int check_dst = !option_bool(OPT_NOWILD) || listen->family == AF_INET6; -#else - int check_dst = !option_bool(OPT_NOWILD); -#endif + int check_dst = !option_bool(OPT_NOWILD) || family == AF_INET6; /* packet buffer overwritten */ daemon->srv_save = NULL; - dst_addr_4.s_addr = dst_addr.addr.addr4.s_addr = 0; + dst_addr_4.s_addr = dst_addr.addr4.s_addr = 0; netmask.s_addr = 0; if (option_bool(OPT_NOWILD) && listen->iface) { auth_dns = listen->iface->dns_auth; - if (listen->family == AF_INET) + if (family == AF_INET) { - dst_addr_4 = dst_addr.addr.addr4 = listen->iface->addr.in.sin_addr; + dst_addr_4 = dst_addr.addr4 = listen->iface->addr.in.sin_addr; netmask = listen->iface->netmask; } } @@ -1188,17 +1387,20 @@ void receive_query(struct listener *listen, time_t now (msg.msg_flags & MSG_TRUNC) || (header->hb3 & HB3_QR)) return; + + /* Clear buffer beyond request to avoid risk of + information disclosure. */ + memset(daemon->packet + n, 0, daemon->edns_pktsz - n); - source_addr.sa.sa_family = listen->family; + source_addr.sa.sa_family = family; - if (listen->family == AF_INET) + if (family == AF_INET) { /* Source-port == 0 is an error, we can't send back to that. http://www.ietf.org/mail-archive/web/dnsop/current/msg11441.html */ if (source_addr.in.sin_port == 0) return; } -#ifdef HAVE_IPV6 else { /* Source-port == 0 is an error, we can't send back to that. */ @@ -1206,29 +1408,27 @@ void receive_query(struct listener *listen, time_t now return; source_addr.in6.sin6_flowinfo = 0; } -#endif /* We can be configured to only accept queries from at-most-one-hop-away addresses. */ if (option_bool(OPT_LOCAL_SERVICE)) { struct addrlist *addr; -#ifdef HAVE_IPV6 - if (listen->family == AF_INET6) + + if (family == AF_INET6) { for (addr = daemon->interface_addrs; addr; addr = addr->next) if ((addr->flags & ADDRLIST_IPV6) && - is_same_net6(&addr->addr.addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen)) + is_same_net6(&addr->addr.addr6, &source_addr.in6.sin6_addr, addr->prefixlen)) break; } else -#endif { struct in_addr netmask; for (addr = daemon->interface_addrs; addr; addr = addr->next) { netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen)); if (!(addr->flags & ADDRLIST_IPV6) && - is_same_net(addr->addr.addr.addr4, source_addr.in.sin_addr, netmask)) + is_same_net(addr->addr.addr4, source_addr.in.sin_addr, netmask)) break; } } @@ -1252,7 +1452,7 @@ void receive_query(struct listener *listen, time_t now return; #if defined(HAVE_LINUX_NETWORK) - if (listen->family == AF_INET) + if (family == AF_INET) for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr)) if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_PKTINFO) { @@ -1261,11 +1461,11 @@ void receive_query(struct listener *listen, time_t now struct in_pktinfo *p; } p; p.c = CMSG_DATA(cmptr); - dst_addr_4 = dst_addr.addr.addr4 = p.p->ipi_spec_dst; + dst_addr_4 = dst_addr.addr4 = p.p->ipi_spec_dst; if_index = p.p->ipi_ifindex; } #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF) - if (listen->family == AF_INET) + if (family == AF_INET) { for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr)) { @@ -1279,7 +1479,7 @@ void receive_query(struct listener *listen, time_t now } p; p.c = CMSG_DATA(cmptr); if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVDSTADDR) - dst_addr_4 = dst_addr.addr.addr4 = *(p.a); + dst_addr_4 = dst_addr.addr4 = *(p.a); else if (cmptr->cmsg_level == IPPROTO_IP && cmptr->cmsg_type == IP_RECVIF) #ifdef HAVE_SOLARIS_NETWORK if_index = *(p.i); @@ -1290,8 +1490,7 @@ void receive_query(struct listener *listen, time_t now } #endif -#ifdef HAVE_IPV6 - if (listen->family == AF_INET6) + if (family == AF_INET6) { for (cmptr = CMSG_FIRSTHDR(&msg); cmptr; cmptr = CMSG_NXTHDR(&msg, cmptr)) if (cmptr->cmsg_level == IPPROTO_IPV6 && cmptr->cmsg_type == daemon->v6pktinfo) @@ -1302,32 +1501,31 @@ void receive_query(struct listener *listen, time_t now } p; p.c = CMSG_DATA(cmptr); - dst_addr.addr.addr6 = p.p->ipi6_addr; + dst_addr.addr6 = p.p->ipi6_addr; if_index = p.p->ipi6_ifindex; } } -#endif /* enforce available interface configuration */ if (!indextoname(listen->fd, if_index, ifr.ifr_name)) return; - if (!iface_check(listen->family, &dst_addr, ifr.ifr_name, &auth_dns)) + if (!iface_check(family, &dst_addr, ifr.ifr_name, &auth_dns)) { if (!option_bool(OPT_CLEVERBIND)) enumerate_interfaces(0); - if (!loopback_exception(listen->fd, listen->family, &dst_addr, ifr.ifr_name) && - !label_exception(if_index, listen->family, &dst_addr)) + if (!loopback_exception(listen->fd, family, &dst_addr, ifr.ifr_name) && + !label_exception(if_index, family, &dst_addr)) return; } - if (listen->family == AF_INET && option_bool(OPT_LOCALISE)) + if (family == AF_INET && option_bool(OPT_LOCALISE)) { struct irec *iface; - /* get the netmask of the interface whch has the address we were sent to. - This is no neccessarily the interface we arrived on. */ + /* get the netmask of the interface which has the address we were sent to. + This is no necessarily the interface we arrived on. */ for (iface = daemon->interfaces; iface; iface = iface->next) if (iface->addr.sa.sa_family == AF_INET && @@ -1355,7 +1553,11 @@ void receive_query(struct listener *listen, time_t now pass these in global variables - sorry. */ daemon->log_display_id = ++daemon->log_id; daemon->log_source_addr = &source_addr; - + +#ifdef HAVE_DUMPFILE + dump_packet(DUMP_QUERY, daemon->packet, (size_t)n, &source_addr, NULL); +#endif + if (extract_request(header, (size_t)n, daemon->namebuff, &type)) { #ifdef HAVE_AUTH @@ -1363,14 +1565,12 @@ void receive_query(struct listener *listen, time_t now #endif char *types = querystr(auth_dns ? "auth" : "query", type); - if (listen->family == AF_INET) + if (family == AF_INET) log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff, - (struct all_addr *)&source_addr.in.sin_addr, types); -#ifdef HAVE_IPV6 + (union all_addr *)&source_addr.in.sin_addr, types); else log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff, - (struct all_addr *)&source_addr.in6.sin6_addr, types); -#endif + (union all_addr *)&source_addr.in6.sin6_addr, types); #ifdef HAVE_AUTH /* find queries for zones we're authoritative for, and answer them directly */ @@ -1408,6 +1608,8 @@ void receive_query(struct listener *listen, time_t now defaults to 512 */ if (udp_size > daemon->edns_pktsz) udp_size = daemon->edns_pktsz; + else if (udp_size < PACKETSZ) + udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */ } #ifdef HAVE_AUTH @@ -1419,7 +1621,7 @@ void receive_query(struct listener *listen, time_t now { send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, m, &source_addr, &dst_addr, if_index); - daemon->auth_answer++; + daemon->metrics[METRIC_DNS_AUTH_ANSWERED]++; } } else @@ -1437,18 +1639,18 @@ void receive_query(struct listener *listen, time_t now { send_from(listen->fd, option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND), (char *)header, m, &source_addr, &dst_addr, if_index); - daemon->local_answer++; + daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++; } else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index, header, (size_t)n, now, NULL, ad_reqd, do_bit)) - daemon->queries_forwarded++; + daemon->metrics[METRIC_DNS_QUERIES_FORWARDED]++; else - daemon->local_answer++; + daemon->metrics[METRIC_DNS_LOCAL_ANSWERED]++; } } #ifdef HAVE_DNSSEC -/* Recurse up the key heirarchy */ +/* Recurse up the key hierarchy */ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n, int class, char *name, char *keyname, struct server *server, int have_mark, unsigned int mark, int *keycount) @@ -1458,14 +1660,15 @@ static int tcp_key_recurse(time_t now, int status, str unsigned char *payload = NULL; struct dns_header *new_header = NULL; u16 *length = NULL; - + while (1) { int type = SERV_DO_DNSSEC; char *domain; size_t m; unsigned char c1, c2; - + struct server *firstsendto = NULL; + /* limit the amount of work we do, to avoid cycling forever on loops in the DNS */ if (--(*keycount) == 0) new_status = STAT_ABANDONED; @@ -1474,7 +1677,9 @@ static int tcp_key_recurse(time_t now, int status, str else if (status == STAT_NEED_DS) new_status = dnssec_validate_ds(now, header, n, name, keyname, class); else - new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, option_bool(OPT_DNSSEC_NO_SIGN), NULL, NULL); + new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, + !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC), + NULL, NULL, NULL); if (new_status != STAT_NEED_DS && new_status != STAT_NEED_KEY) break; @@ -1494,90 +1699,117 @@ static int tcp_key_recurse(time_t now, int status, str new_status = STAT_ABANDONED; break; } - + m = dnssec_generate_query(new_header, ((unsigned char *) new_header) + 65536, keyname, class, - new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr, server->edns_pktsz); + new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, server->edns_pktsz); *length = htons(m); /* Find server to forward to. This will normally be the same as for the original query, but may be another if servers for domains are involved. */ - if (search_servers(now, NULL, F_QUERY, keyname, &type, &domain, NULL) == 0) + if (search_servers(now, NULL, F_DNSSECOK, keyname, &type, &domain, NULL) != 0) { - struct server *start = server, *new_server = NULL; - type &= ~SERV_DO_DNSSEC; - - while (1) + new_status = STAT_ABANDONED; + break; + } + + while (1) + { + int data_sent = 0; + + if (!firstsendto) + firstsendto = server; + else { - if (type == (start->flags & SERV_TYPE) && - (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) && - !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) + if (!(server = server->next)) + server = daemon->servers; + if (server == firstsendto) { - new_server = start; - if (server == start) - { - new_server = NULL; - break; - } + /* can't find server to accept our query. */ + new_status = STAT_ABANDONED; + break; } - - if (!(start = start->next)) - start = daemon->servers; - if (start == server) - break; } - + + if (type != (server->flags & (SERV_TYPE | SERV_DO_DNSSEC)) || + (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, server->domain)) || + (server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) + continue; - if (new_server) + retry: + /* may need to make new connection. */ + if (server->tcpfd == -1) { - server = new_server; - /* may need to make new connection. */ - if (server->tcpfd == -1) - { - if ((server->tcpfd = socket(server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1) - { - new_status = STAT_ABANDONED; - break; - } - + if ((server->tcpfd = socket(server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1) + continue; /* No good, next server */ + #ifdef HAVE_CONNTRACK - /* Copy connection mark of incoming query to outgoing connection. */ - if (have_mark) - setsockopt(server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); + /* Copy connection mark of incoming query to outgoing connection. */ + if (have_mark) + setsockopt(server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); #endif - - if (!local_bind(server->tcpfd, &server->source_addr, server->interface, 1) || - connect(server->tcpfd, &server->addr.sa, sa_len(&server->addr)) == -1) - { - close(server->tcpfd); - server->tcpfd = -1; - new_status = STAT_ABANDONED; - break; - } - + + if (!local_bind(server->tcpfd, &server->source_addr, server->interface, 0, 1)) + { + close(server->tcpfd); + server->tcpfd = -1; + continue; /* No good, next server */ } + +#ifdef MSG_FASTOPEN + while(retry_send(sendto(server->tcpfd, packet, m + sizeof(u16), + MSG_FASTOPEN, &server->addr.sa, sa_len(&server->addr)))); + + if (errno == 0) + data_sent = 1; +#endif + + if (!data_sent && connect(server->tcpfd, &server->addr.sa, sa_len(&server->addr)) == -1) + { + close(server->tcpfd); + server->tcpfd = -1; + continue; /* No good, next server */ + } + + server->flags &= ~SERV_GOT_TCP; } - } + + if ((!data_sent && !read_write(server->tcpfd, packet, m + sizeof(u16), 0)) || + !read_write(server->tcpfd, &c1, 1, 1) || + !read_write(server->tcpfd, &c2, 1, 1) || + !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) + { + close(server->tcpfd); + server->tcpfd = -1; + /* We get data then EOF, reopen connection to same server, + else try next. This avoids DoS from a server which accepts + connections and then closes them. */ + if (server->flags & SERV_GOT_TCP) + goto retry; + else + continue; + } - - if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) || - !read_write(server->tcpfd, &c1, 1, 1) || - !read_write(server->tcpfd, &c2, 1, 1) || - !read_write(server->tcpfd, payload, (c1 << 8) | c2, 1)) - { - new_status = STAT_ABANDONED; + + if (server->addr.sa.sa_family == AF_INET) + log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, keyname, (union all_addr *)&(server->addr.in.sin_addr), + querystr("dnssec-query", new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS)); + else + log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, keyname, (union all_addr *)&(server->addr.in6.sin6_addr), + querystr("dnssec-query", new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS)); + + server->flags |= SERV_GOT_TCP; + + m = (c1 << 8) | c2; + new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount); break; } - - m = (c1 << 8) | c2; - new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, have_mark, mark, keycount); - if (new_status != STAT_OK) break; } - + if (packet) free(packet); @@ -1587,7 +1819,7 @@ static int tcp_key_recurse(time_t now, int status, str /* The daemon forks before calling this: it should deal with one connection, - blocking as neccessary, and then return. Note, need to be a bit careful + blocking as necessary, and then return. Note, need to be a bit careful about resources for debug mode, when the fork is suppressed: that's done by the caller. */ unsigned char *tcp_request(int confd, time_t now, @@ -1599,7 +1831,7 @@ unsigned char *tcp_request(int confd, time_t now, int local_auth = 0; #endif int checking_disabled, do_bit, added_pheader = 0, have_pseudoheader = 0; - int check_subnet, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0; + int check_subnet, cacheable, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0; size_t m; unsigned short qtype; unsigned int gotname; @@ -1629,13 +1861,12 @@ unsigned char *tcp_request(int confd, time_t now, /* Get connection mark of incoming query to set on outgoing connections. */ if (option_bool(OPT_CONNTRACK)) { - struct all_addr local; -#ifdef HAVE_IPV6 + union all_addr local; + if (local_addr->sa.sa_family == AF_INET6) - local.addr.addr6 = local_addr->in6.sin6_addr; + local.addr6 = local_addr->in6.sin6_addr; else -#endif - local.addr.addr4 = local_addr->in.sin_addr; + local.addr4 = local_addr->in.sin_addr; have_mark = get_incoming_mark(&peer_addr, &local, 1, &mark); } @@ -1645,23 +1876,22 @@ unsigned char *tcp_request(int confd, time_t now, if (option_bool(OPT_LOCAL_SERVICE)) { struct addrlist *addr; -#ifdef HAVE_IPV6 + if (peer_addr.sa.sa_family == AF_INET6) { for (addr = daemon->interface_addrs; addr; addr = addr->next) if ((addr->flags & ADDRLIST_IPV6) && - is_same_net6(&addr->addr.addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen)) + is_same_net6(&addr->addr.addr6, &peer_addr.in6.sin6_addr, addr->prefixlen)) break; } else -#endif { struct in_addr netmask; for (addr = daemon->interface_addrs; addr; addr = addr->next) { netmask.s_addr = htonl(~(in_addr_t)0 << (32 - addr->prefixlen)); if (!(addr->flags & ADDRLIST_IPV6) && - is_same_net(addr->addr.addr.addr4, peer_addr.in.sin_addr, netmask)) + is_same_net(addr->addr.addr4, peer_addr.in.sin_addr, netmask)) break; } } @@ -1683,6 +1913,10 @@ unsigned char *tcp_request(int confd, time_t now, if (size < (int)sizeof(struct dns_header)) continue; + + /* Clear buffer beyond request to avoid risk of + information disclosure. */ + memset(payload + size, 0, 65536 - size); query_count++; @@ -1704,12 +1938,10 @@ unsigned char *tcp_request(int confd, time_t now, if (peer_addr.sa.sa_family == AF_INET) log_query(F_QUERY | F_IPV4 | F_FORWARD, daemon->namebuff, - (struct all_addr *)&peer_addr.in.sin_addr, types); -#ifdef HAVE_IPV6 + (union all_addr *)&peer_addr.in.sin_addr, types); else log_query(F_QUERY | F_IPV6 | F_FORWARD, daemon->namebuff, - (struct all_addr *)&peer_addr.in6.sin6_addr, types); -#endif + (union all_addr *)&peer_addr.in6.sin6_addr, types); #ifdef HAVE_AUTH /* find queries for zones we're authoritative for, and answer them directly */ @@ -1765,20 +1997,33 @@ unsigned char *tcp_request(int confd, time_t now, if (m == 0) { unsigned int flags = 0; - struct all_addr *addrp = NULL; + union all_addr *addrp = NULL; int type = SERV_DO_DNSSEC; char *domain = NULL; - size_t new_size = add_edns0_config(header, size, ((unsigned char *) header) + 65536, &peer_addr, now, &check_subnet); + unsigned char *oph = find_pseudoheader(header, size, NULL, NULL, NULL, NULL); - if (size != new_size) - { - added_pheader = 1; - size = new_size; - } - + size = add_edns0_config(header, size, ((unsigned char *) header) + 65536, &peer_addr, now, &check_subnet, &cacheable); + if (gotname) flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind); - + +#ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID) && (type & SERV_DO_DNSSEC)) + { + size = add_do_bit(header, size, ((unsigned char *) header) + 65536); + + /* For debugging, set Checking Disabled, otherwise, have the upstream check too, + this allows it to select auth servers when one is returning bad data. */ + if (option_bool(OPT_DNSSEC_DEBUG)) + header->hb4 |= HB4_CD; + } +#endif + + /* Check if we added a pheader on forwarding - may need to + strip it from the reply. */ + if (!oph && find_pseudoheader(header, size, NULL, NULL, NULL, NULL)) + added_pheader = 1; + type &= ~SERV_DO_DNSSEC; if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server) @@ -1789,20 +2034,16 @@ unsigned char *tcp_request(int confd, time_t now, if (!flags && last_server) { struct server *firstsendto = NULL; -#ifdef HAVE_DNSSEC - unsigned char *newhash, hash[HASH_SIZE]; - if ((newhash = hash_questions(header, (unsigned int)size, daemon->namebuff))) - memcpy(hash, newhash, HASH_SIZE); - else - memset(hash, 0, HASH_SIZE); -#else - unsigned int crc = questions_crc(header, (unsigned int)size, daemon->namebuff); -#endif + unsigned char hash[HASH_SIZE]; + memcpy(hash, hash_questions(header, (unsigned int)size, daemon->namebuff), HASH_SIZE); + /* Loop round available servers until we succeed in connecting to one. - Note that this code subtley ensures that consecutive queries on this connection + Note that this code subtly ensures that consecutive queries on this connection which can go to the same server, do so. */ while (1) { + int data_sent = 0; + if (!firstsendto) firstsendto = last_server; else @@ -1819,7 +2060,10 @@ unsigned char *tcp_request(int confd, time_t now, (type == SERV_HAS_DOMAIN && !hostname_isequal(domain, last_server->domain)) || (last_server->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) continue; - + + retry: + *length = htons(size); + if (last_server->tcpfd == -1) { if ((last_server->tcpfd = socket(last_server->addr.sa.sa_family, SOCK_STREAM, 0)) == -1) @@ -1829,61 +2073,63 @@ unsigned char *tcp_request(int confd, time_t now, /* Copy connection mark of incoming query to outgoing connection. */ if (have_mark) setsockopt(last_server->tcpfd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); -#endif +#endif - if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 1) || - connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1)) + if ((!local_bind(last_server->tcpfd, &last_server->source_addr, last_server->interface, 0, 1))) { close(last_server->tcpfd); last_server->tcpfd = -1; continue; } -#ifdef HAVE_DNSSEC - if (option_bool(OPT_DNSSEC_VALID) && (last_server->flags & SERV_DO_DNSSEC)) +#ifdef MSG_FASTOPEN + while(retry_send(sendto(last_server->tcpfd, packet, size + sizeof(u16), + MSG_FASTOPEN, &last_server->addr.sa, sa_len(&last_server->addr)))); + + if (errno == 0) + data_sent = 1; +#endif + + if (!data_sent && connect(last_server->tcpfd, &last_server->addr.sa, sa_len(&last_server->addr)) == -1) { - new_size = add_do_bit(header, size, ((unsigned char *) header) + 65536); - - if (size != new_size) - { - added_pheader = 1; - size = new_size; - } - - /* For debugging, set Checking Disabled, otherwise, have the upstream check too, - this allows it to select auth servers when one is returning bad data. */ - if (option_bool(OPT_DNSSEC_DEBUG)) - header->hb4 |= HB4_CD; + close(last_server->tcpfd); + last_server->tcpfd = -1; + continue; } -#endif + + last_server->flags &= ~SERV_GOT_TCP; } - *length = htons(size); - /* get query name again for logging - may have been overwritten */ if (!(gotname = extract_request(header, (unsigned int)size, daemon->namebuff, &qtype))) strcpy(daemon->namebuff, "query"); - if (!read_write(last_server->tcpfd, packet, size + sizeof(u16), 0) || + if ((!data_sent && !read_write(last_server->tcpfd, packet, size + sizeof(u16), 0)) || !read_write(last_server->tcpfd, &c1, 1, 1) || !read_write(last_server->tcpfd, &c2, 1, 1) || !read_write(last_server->tcpfd, payload, (c1 << 8) | c2, 1)) { close(last_server->tcpfd); last_server->tcpfd = -1; - continue; - } + /* We get data then EOF, reopen connection to same server, + else try next. This avoids DoS from a server which accepts + connections and then closes them. */ + if (last_server->flags & SERV_GOT_TCP) + goto retry; + else + continue; + } + last_server->flags |= SERV_GOT_TCP; + m = (c1 << 8) | c2; if (last_server->addr.sa.sa_family == AF_INET) log_query(F_SERVER | F_IPV4 | F_FORWARD, daemon->namebuff, - (struct all_addr *)&last_server->addr.in.sin_addr, NULL); -#ifdef HAVE_IPV6 + (union all_addr *)&last_server->addr.in.sin_addr, NULL); else log_query(F_SERVER | F_IPV6 | F_FORWARD, daemon->namebuff, - (struct all_addr *)&last_server->addr.in6.sin6_addr, NULL); -#endif + (union all_addr *)&last_server->addr.in6.sin6_addr, NULL); #ifdef HAVE_DNSSEC if (option_bool(OPT_DNSSEC_VALID) && !checking_disabled && (last_server->flags & SERV_DO_DNSSEC)) @@ -1904,7 +2150,7 @@ unsigned char *tcp_request(int confd, time_t now, if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL)) domain = daemon->namebuff; - log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result); + log_query(F_SECSTAT, domain, NULL, result); if (status == STAT_BOGUS) { @@ -1929,21 +2175,17 @@ unsigned char *tcp_request(int confd, time_t now, /* If the crc of the question section doesn't match the crc we sent, then someone might be attempting to insert bogus values into the cache by sending replies containing questions and bogus answers. */ -#ifdef HAVE_DNSSEC - newhash = hash_questions(header, (unsigned int)m, daemon->namebuff); - if (!newhash || memcmp(hash, newhash, HASH_SIZE) != 0) + if (memcmp(hash, hash_questions(header, (unsigned int)m, daemon->namebuff), HASH_SIZE) != 0) { m = 0; break; } -#else - if (crc != questions_crc(header, (unsigned int)m, daemon->namebuff)) - { - m = 0; - break; - } -#endif + /* Never cache answers which are contingent on the source or MAC address EDSN0 option, + since the cache is ignorant of such things. */ + if (!cacheable) + no_cache_dnssec = 1; + m = process_reply(header, now, last_server, (unsigned int)m, option_bool(OPT_NO_REBIND) && !norebind, no_cache_dnssec, cache_secure, bogusanswer, ad_reqd, do_bit, added_pheader, check_subnet, &peer_addr); @@ -1954,7 +2196,11 @@ unsigned char *tcp_request(int confd, time_t now, /* In case of local answer or no connections made. */ if (m == 0) - m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl); + { + m = setup_reply(header, (unsigned int)size, addrp, flags, daemon->local_ttl); + if (have_pseudoheader) + m = add_pseudoheader(header, m, ((unsigned char *) header) + 65536, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0); + } } } @@ -1978,9 +2224,7 @@ static struct frec *allocate_frec(time_t now) f->sentto = NULL; f->rfd4 = NULL; f->flags = 0; -#ifdef HAVE_IPV6 f->rfd6 = NULL; -#endif #ifdef HAVE_DNSSEC f->dependent = NULL; f->blocking_query = NULL; @@ -2036,15 +2280,23 @@ void free_rfd(struct randfd *rfd) static void free_frec(struct frec *f) { + struct frec_src *last; + + /* add back to freelist if not the record builtin to every frec. */ + for (last = f->frec_src.next; last && last->next; last = last->next) ; + if (last) + { + last->next = daemon->free_frec_src; + daemon->free_frec_src = f->frec_src.next; + } + + f->frec_src.next = NULL; free_rfd(f->rfd4); f->rfd4 = NULL; f->sentto = NULL; f->flags = 0; - -#ifdef HAVE_IPV6 free_rfd(f->rfd6); f->rfd6 = NULL; -#endif #ifdef HAVE_DNSSEC if (f->stash) @@ -2061,13 +2313,16 @@ static void free_frec(struct frec *f) #endif } + + /* if wait==NULL return a free or older than TIMEOUT record. else return *wait zero if one available, or *wait is delay to when the oldest in-use record will expire. Impose an absolute limit of 4*TIMEOUT before we wipe things (for random sockets). - If force is set, always return a result, even if we have - to allocate above the limit. */ -struct frec *get_new_frec(time_t now, int *wait, int force) + If force is non-NULL, always return a result, even if we have + to allocate above the limit, and never free the record pointed + to by the force argument. */ +struct frec *get_new_frec(time_t now, int *wait, struct frec *force) { struct frec *f, *oldest, *target; int count; @@ -2084,7 +2339,7 @@ struct frec *get_new_frec(time_t now, int *wait, int f /* Don't free DNSSEC sub-queries here, as we may end up with dangling references to them. They'll go when their "real" query is freed. */ - if (!f->dependent) + if (!f->dependent && f != force) #endif { if (difftime(now, f->time) >= 4*TIMEOUT) @@ -2107,7 +2362,7 @@ struct frec *get_new_frec(time_t now, int *wait, int f /* can't find empty one, use oldest if there is one and it's older than timeout */ - if (oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT) + if (!force && oldest && ((int)difftime(now, oldest->time)) >= TIMEOUT) { /* keep stuff for twice timeout if we can by allocating a new record instead */ @@ -2147,16 +2402,26 @@ struct frec *get_new_frec(time_t now, int *wait, int f return f; /* OK if malloc fails and this is NULL */ } - -/* crc is all-ones if not known. */ -static struct frec *lookup_frec(unsigned short id, void *hash) + +static struct frec *lookup_frec(unsigned short id, int fd, int family, void *hash) { struct frec *f; for(f = daemon->frec_list; f; f = f->next) if (f->sentto && f->new_id == id && - (!hash || memcmp(hash, f->hash, HASH_SIZE) == 0)) - return f; + (memcmp(hash, f->hash, HASH_SIZE) == 0)) + { + /* sent from random port */ + if (family == AF_INET && f->rfd4 && f->rfd4->fd == fd) + return f; + + if (family == AF_INET6 && f->rfd6 && f->rfd6->fd == fd) + return f; + + /* sent to upstream from bound socket. */ + if (f->sentto->sfd && f->sentto->sfd->fd == fd) + return f; + } return NULL; } @@ -2166,17 +2431,42 @@ static struct frec *lookup_frec_by_sender(unsigned sho void *hash) { struct frec *f; + struct frec_src *src; + + for (f = daemon->frec_list; f; f = f->next) + if (f->sentto && + !(f->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) && + memcmp(hash, f->hash, HASH_SIZE) == 0) + for (src = &f->frec_src; src; src = src->next) + if (src->orig_id == id && + sockaddr_isequal(&src->source, addr)) + return f; + return NULL; +} + +static struct frec *lookup_frec_by_query(void *hash, unsigned int flags) +{ + struct frec *f; + + /* FREC_DNSKEY and FREC_DS_QUERY are never set in flags, so the test below + ensures that no frec created for internal DNSSEC query can be returned here. + + Similarly FREC_NO_CACHE is never set in flags, so a query which is + contigent on a particular source address EDNS0 option will never be matched. */ + +#define FLAGMASK (FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION \ + | FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_NO_CACHE) + for(f = daemon->frec_list; f; f = f->next) if (f->sentto && - f->orig_id == id && - memcmp(hash, f->hash, HASH_SIZE) == 0 && - sockaddr_isequal(&f->source, addr)) + (f->flags & FLAGMASK) == flags && + memcmp(hash, f->hash, HASH_SIZE) == 0) return f; - + return NULL; } - + /* Send query packet again, if we can. */ void resend_query() { @@ -2217,12 +2507,20 @@ void server_gone(struct server *server) static unsigned short get_id(void) { unsigned short ret = 0; + struct frec *f; - do - ret = rand16(); - while (lookup_frec(ret, NULL)); - - return ret; + while (1) + { + ret = rand16(); + + /* ensure id is unique. */ + for (f = daemon->frec_list; f; f = f->next) + if (f->sentto && f->new_id == ret) + break; + + if (!f) + return ret; + } }