/**
* Inser canonical owner name into buffer.
* @param buf: buffer to insert into at current position.
* @param k: rrset with its owner name.
* @param sig: signature with signer name and label count.
* must be length checked, at least 18 bytes long.
* @param can_owner: position in buffer returned for future use.
* @param can_owner_len: length of canonical owner name.
*/
static void
insert_can_owner(sldns_buffer* buf, struct ub_packed_rrset_key* k,
uint8_t* sig, uint8_t** can_owner, size_t* can_owner_len)
{
int rrsig_labels = (int)sig[3];
int fqdn_labels = dname_signame_label_count(k->rk.dname);
*can_owner = sldns_buffer_current(buf);
if(rrsig_labels == fqdn_labels) {
/* no change */
sldns_buffer_write(buf, k->rk.dname, k->rk.dname_len);
query_dname_tolower(*can_owner);
*can_owner_len = k->rk.dname_len;
return;
}
log_assert(rrsig_labels < fqdn_labels);
/* *. | fqdn(rightmost rrsig_labels) */
if(rrsig_labels < fqdn_labels) {
int i;
uint8_t* nm = k->rk.dname;
size_t len = k->rk.dname_len;
/* so skip fqdn_labels-rrsig_labels */
for(i=0; i<fqdn_labels-rrsig_labels; i++) {
dname_remove_label(&nm, &len);
}
*can_owner_len = len+2;
sldns_buffer_write(buf, (uint8_t*)"\001*", 2);
sldns_buffer_write(buf, nm, len);
query_dname_tolower(*can_owner);
}
}
/**
* findClosestEncloser
* Given a name and a list of NSEC3s, find the candidate closest encloser.
* This will be the first ancestor of 'name' (including itself) to have a
* matching NSEC3 RR.
* @param env: module environment with temporary region and buffer.
* @param flt: the NSEC3 RR filter, contains zone name and RRs.
* @param ct: cached hashes table.
* @param qinfo: query that is verified for.
* @param ce: closest encloser information is returned in here.
* @return true if a closest encloser candidate is found, false if not.
*/
static int
nsec3_find_closest_encloser(struct module_env* env, struct nsec3_filter* flt,
rbtree_t* ct, struct query_info* qinfo, struct ce_response* ce)
{
uint8_t* nm = qinfo->qname;
size_t nmlen = qinfo->qname_len;
/* This scans from longest name to shortest, so the first match
* we find is the only viable candidate. */
/* (David:) FIXME: modify so that the NSEC3 matching the zone apex need
* not be present. (Mark Andrews idea).
* (Wouter:) But make sure you check for DNAME bit in zone apex,
* if the NSEC3 you find is the only NSEC3 in the zone, then this
* may be the case. */
while(dname_subdomain_c(nm, flt->zone)) {
if(find_matching_nsec3(env, flt, ct, nm, nmlen,
&ce->ce_rrset, &ce->ce_rr)) {
ce->ce = nm;
ce->ce_len = nmlen;
return 1;
}
dname_remove_label(&nm, &nmlen);
}
return 0;
}
/**
* Create chain of data element and parents
* @param nm: name
* @param nm_len: length of name
* @param labs: labels in name.
* @param parent: up to where to make, if NULL up to root label.
* @return lowest element with name nm, or NULL malloc failure.
*/
static struct val_neg_data* neg_data_chain(
uint8_t* nm, size_t nm_len, int labs, struct val_neg_data* parent)
{
int i;
int tolabs = parent?parent->labs:0;
struct val_neg_data* el, *first = NULL, *prev = NULL;
/* create the new subtree, i is labelcount of current creation */
/* this creates a 'first' to z->parent=NULL list of zones */
for(i=labs; i!=tolabs; i--) {
/* create new item */
el = neg_setup_data_node(nm, nm_len, i);
if(!el) {
/* need to delete other allocations in this routine!*/
struct val_neg_data* p = first, *np;
while(p) {
np = p->parent;
free(p);
free(p->name);
p = np;
}
return NULL;
}
if(i == labs) {
first = el;
} else {
prev->parent = el;
}
/* prepare for next name */
prev = el;
dname_remove_label(&nm, &nm_len);
}
return first;
}
void
dname_remove_labels(uint8_t** dname, size_t* len, int n)
{
int i;
for(i=0; i<n; i++)
dname_remove_label(dname, len);
}
/** find a node, create it if not and all its empty nonterminal parents */
static int
lz_find_create_node(struct local_zone* z, uint8_t* nm, size_t nmlen,
int nmlabs, struct local_data** res)
{
struct local_data* ld = lz_find_node(z, nm, nmlen, nmlabs);
if(!ld) {
/* create a domain name to store rr. */
ld = (struct local_data*)regional_alloc_zero(z->region,
sizeof(*ld));
if(!ld) {
log_err("out of memory adding local data");
return 0;
}
ld->node.key = ld;
ld->name = regional_alloc_init(z->region, nm, nmlen);
if(!ld->name) {
log_err("out of memory");
return 0;
}
ld->namelen = nmlen;
ld->namelabs = nmlabs;
if(!rbtree_insert(&z->data, &ld->node)) {
log_assert(0); /* duplicate name */
}
/* see if empty nonterminals need to be created */
if(nmlabs > z->namelabs) {
dname_remove_label(&nm, &nmlen);
if(!lz_find_create_node(z, nm, nmlen, nmlabs-1, res))
return 0;
}
}
*res = ld;
return 1;
}
/** find nsec3 closest encloser in neg cache */
static struct val_neg_data*
neg_find_nsec3_ce(struct val_neg_zone* zone, uint8_t* qname, size_t qname_len,
int qlabs, ldns_buffer* buf, uint8_t* hashnc, size_t* nclen)
{
struct val_neg_data* data;
uint8_t hashce[SHA_DIGEST_LENGTH];
uint8_t b32[257];
size_t celen, b32len;
*nclen = 0;
while(qlabs > 0) {
/* hash */
if(!(celen=nsec3_get_hashed(buf, qname, qname_len,
zone->nsec3_hash, zone->nsec3_iter, zone->nsec3_salt,
zone->nsec3_saltlen, hashce, sizeof(hashce))))
return NULL;
if(!(b32len=nsec3_hash_to_b32(hashce, celen, zone->name,
zone->len, b32, sizeof(b32))))
return NULL;
/* lookup (exact match only) */
data = neg_find_data(zone, b32, b32len, zone->labs+1);
if(data && data->in_use) {
/* found ce match! */
return data;
}
*nclen = celen;
memmove(hashnc, hashce, celen);
dname_remove_label(&qname, &qname_len);
qlabs --;
}
return NULL;
}
struct key_entry_key*
key_cache_obtain(struct key_cache* kcache, uint8_t* name, size_t namelen,
uint16_t key_class, struct regional* region, uint32_t now)
{
/* keep looking until we find a nonexpired entry */
while(1) {
struct key_entry_key* k = key_cache_search(kcache, name,
namelen, key_class, 0);
if(k) {
/* see if TTL is OK */
struct key_entry_data* d = (struct key_entry_data*)
k->entry.data;
if(now <= d->ttl) {
/* copy and return it */
struct key_entry_key* retkey =
key_entry_copy_toregion(k, region);
lock_rw_unlock(&k->entry.lock);
return retkey;
}
lock_rw_unlock(&k->entry.lock);
}
/* snip off first label to continue */
if(dname_is_root(name))
break;
dname_remove_label(&name, &namelen);
}
return NULL;
}
/** test dname_remove_label */
static void
dname_test_removelabel(void)
{
uint8_t* orig = (uint8_t*)"\007example\003com\000";
uint8_t* n = orig;
size_t l = 13;
unit_show_func("util/data/dname.c", "dname_remove_label");
dname_remove_label(&n, &l);
unit_assert( n == orig+8 );
unit_assert( l == 5 );
dname_remove_label(&n, &l);
unit_assert( n == orig+12 );
unit_assert( l == 1 );
dname_remove_label(&n, &l);
unit_assert( n == orig+12 );
unit_assert( l == 1 );
}
/**
* Calculate space needed for zone and all its parents
* @param d: name of zone
* @param len: length of name
* @return size.
*/
static size_t calc_zone_need(uint8_t* d, size_t len)
{
size_t res = sizeof(struct val_neg_zone) + len;
while(!dname_is_root(d)) {
log_assert(len > 1); /* not root label */
dname_remove_label(&d, &len);
res += sizeof(struct val_neg_zone) + len;
}
return res;
}
size_t nsec3_get_nextowner_b32(struct ub_packed_rrset_key* rrset, int r,
uint8_t* buf, size_t max)
{
uint8_t* nm, *zone;
size_t nmlen, zonelen;
if(!nsec3_get_nextowner(rrset, r, &nm, &nmlen))
return 0;
/* append zone name; the owner name must be <b32>.zone */
zone = rrset->rk.dname;
zonelen = rrset->rk.dname_len;
dname_remove_label(&zone, &zonelen);
return nsec3_hash_to_b32(nm, nmlen, zone, zonelen, buf, max);
}
/** delete empty terminals from tree when final data is deleted */
static void
del_empty_term(struct local_zone* z, struct local_data* d,
uint8_t* name, size_t len, int labs)
{
while(d && d->rrsets == NULL && is_terminal(d)) {
/* is this empty nonterminal? delete */
/* note, no memory recycling in zone region */
(void)rbtree_delete(&z->data, d);
/* go up and to the next label */
if(dname_is_root(name))
return;
dname_remove_label(&name, &len);
labs--;
d = lz_find_node(z, name, len, labs);
}
}
/** see if zone needs to have a hole inserted */
static int
need_hole_insert(rbtree_t* tree, struct iter_forward_zone* zone)
{
struct iter_forward_zone k;
if(rbtree_search(tree, zone))
return 0; /* exact match exists */
k = *zone;
k.node.key = &k;
/* search up the tree */
do {
dname_remove_label(&k.name, &k.namelen);
k.namelabs --;
if(rbtree_search(tree, &k))
return 1; /* found an upper forward zone, need hole */
} while(k.namelabs > 1);
return 0; /* no forwards above, no holes needed */
}
/**
* Calculate space needed for the data and all its parents
* @param rep: NSEC entries.
* @return size.
*/
static size_t calc_data_need(struct reply_info* rep)
{
uint8_t* d;
size_t i, len, res = 0;
for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NSEC) {
d = rep->rrsets[i]->rk.dname;
len = rep->rrsets[i]->rk.dname_len;
res = sizeof(struct val_neg_data) + len;
while(!dname_is_root(d)) {
log_assert(len > 1); /* not root label */
dname_remove_label(&d, &len);
res += sizeof(struct val_neg_data) + len;
}
}
}
return res;
}
/**
* Initialize the filter structure.
* Finds the zone by looking at available NSEC3 records and best match.
* (skips the unknown flag and unknown algo NSEC3s).
*
* @param filter: nsec3 filter structure.
* @param list: list of rrsets, an array of them.
* @param num: number of rrsets in list.
* @param qinfo:
* query name to match a zone for.
* query type (if DS a higher zone must be chosen)
* qclass, to filter NSEC3s with.
*/
static void
filter_init(struct nsec3_filter* filter, struct ub_packed_rrset_key** list,
size_t num, struct query_info* qinfo)
{
size_t i;
uint8_t* nm;
size_t nmlen;
filter->zone = NULL;
filter->zone_len = 0;
filter->list = list;
filter->num = num;
filter->fclass = qinfo->qclass;
for(i=0; i<num; i++) {
/* ignore other stuff in the list */
if(ntohs(list[i]->rk.type) != LDNS_RR_TYPE_NSEC3 ||
ntohs(list[i]->rk.rrset_class) != qinfo->qclass)
continue;
/* skip unknown flags, algo */
if(!nsec3_rrset_has_known(list[i]))
continue;
/* since NSEC3s are base32.zonename, we can find the zone
* name by stripping off the first label of the record */
nm = list[i]->rk.dname;
nmlen = list[i]->rk.dname_len;
dname_remove_label(&nm, &nmlen);
/* if we find a domain that can prove about the qname,
* and if this domain is closer to the qname */
if(dname_subdomain_c(qinfo->qname, nm) && (!filter->zone ||
dname_subdomain_c(nm, filter->zone))) {
/* for a type DS do not accept a zone equal to qname*/
if(qinfo->qtype == LDNS_RR_TYPE_DS &&
query_dname_compare(qinfo->qname, nm) == 0 &&
!dname_is_root(qinfo->qname))
continue;
filter->zone = nm;
filter->zone_len = nmlen;
}
}
}
/**
* Iterate through NSEC3 list, per RR
* This routine gives the next RR in the list (or sets rrset null).
* Usage:
*
* size_t rrsetnum;
* int rrnum;
* struct ub_packed_rrset_key* rrset;
* for(rrset=filter_first(filter, &rrsetnum, &rrnum); rrset;
* rrset=filter_next(filter, &rrsetnum, &rrnum))
* do_stuff;
*
* Also filters out
* o unknown flag NSEC3s
* o unknown algorithm NSEC3s.
* @param filter: nsec3 filter structure.
* @param rrsetnum: in/out rrset number to look at.
* @param rrnum: in/out rr number in rrset to look at.
* @returns ptr to the next rrset (or NULL at end).
*/
static struct ub_packed_rrset_key*
filter_next(struct nsec3_filter* filter, size_t* rrsetnum, int* rrnum)
{
size_t i;
int r;
uint8_t* nm;
size_t nmlen;
if(!filter->zone) /* empty list */
return NULL;
for(i=*rrsetnum; i<filter->num; i++) {
/* see if RRset qualifies */
if(ntohs(filter->list[i]->rk.type) != LDNS_RR_TYPE_NSEC3 ||
ntohs(filter->list[i]->rk.rrset_class) !=
filter->fclass)
continue;
/* check RRset zone */
nm = filter->list[i]->rk.dname;
nmlen = filter->list[i]->rk.dname_len;
dname_remove_label(&nm, &nmlen);
if(query_dname_compare(nm, filter->zone) != 0)
continue;
if(i == *rrsetnum)
r = (*rrnum) + 1; /* continue at next RR */
else r = 0; /* new RRset start at first RR */
for(; r < (int)rrset_get_count(filter->list[i]); r++) {
/* skip unknown flags, algo */
if(nsec3_unknown_flags(filter->list[i], r) ||
!nsec3_known_algo(filter->list[i], r))
continue;
/* this one is a good target */
*rrsetnum = i;
*rrnum = r;
return filter->list[i];
}
}
return NULL;
}
int print_deleg_lookup(SSL* ssl, struct worker* worker, uint8_t* nm,
size_t nmlen, int ATTR_UNUSED(nmlabs))
{
/* deep links into the iterator module */
struct delegpt* dp;
struct dns_msg* msg;
struct regional* region = worker->scratchpad;
char b[260];
struct query_info qinfo;
struct iter_hints_stub* stub;
regional_free_all(region);
qinfo.qname = nm;
qinfo.qname_len = nmlen;
qinfo.qtype = LDNS_RR_TYPE_A;
qinfo.qclass = LDNS_RR_CLASS_IN;
qinfo.local_alias = NULL;
dname_str(nm, b);
if(!ssl_printf(ssl, "The following name servers are used for lookup "
"of %s\n", b))
return 0;
dp = forwards_lookup(worker->env.fwds, nm, qinfo.qclass);
if(dp) {
if(!ssl_printf(ssl, "forwarding request:\n"))
return 0;
print_dp_main(ssl, dp, NULL);
print_dp_details(ssl, worker, dp);
return 1;
}
while(1) {
dp = dns_cache_find_delegation(&worker->env, nm, nmlen,
qinfo.qtype, qinfo.qclass, region, &msg,
*worker->env.now);
if(!dp) {
return ssl_printf(ssl, "no delegation from "
"cache; goes to configured roots\n");
}
/* go up? */
if(iter_dp_is_useless(&qinfo, BIT_RD, dp)) {
print_dp_main(ssl, dp, msg);
print_dp_details(ssl, worker, dp);
if(!ssl_printf(ssl, "cache delegation was "
"useless (no IP addresses)\n"))
return 0;
if(dname_is_root(nm)) {
/* goes to root config */
return ssl_printf(ssl, "no delegation from "
"cache; goes to configured roots\n");
} else {
/* useless, goes up */
nm = dp->name;
nmlen = dp->namelen;
dname_remove_label(&nm, &nmlen);
dname_str(nm, b);
if(!ssl_printf(ssl, "going up, lookup %s\n", b))
return 0;
continue;
}
}
stub = hints_lookup_stub(worker->env.hints, nm, qinfo.qclass,
dp);
if(stub) {
if(stub->noprime) {
if(!ssl_printf(ssl, "The noprime stub servers "
"are used:\n"))
return 0;
} else {
if(!ssl_printf(ssl, "The stub is primed "
"with servers:\n"))
return 0;
}
print_dp_main(ssl, stub->dp, NULL);
print_dp_details(ssl, worker, stub->dp);
} else {
print_dp_main(ssl, dp, msg);
print_dp_details(ssl, worker, dp);
}
break;
}
return 1;
}
struct dns_msg*
dns_cache_lookup(struct module_env* env,
uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
uint16_t flags, struct regional* region, struct regional* scratch)
{
struct lruhash_entry* e;
struct query_info k;
hashvalue_t h;
time_t now = *env->now;
struct ub_packed_rrset_key* rrset;
/* lookup first, this has both NXdomains and ANSWER responses */
k.qname = qname;
k.qname_len = qnamelen;
k.qtype = qtype;
k.qclass = qclass;
h = query_info_hash(&k, flags);
e = slabhash_lookup(env->msg_cache, h, &k, 0);
if(e) {
struct msgreply_entry* key = (struct msgreply_entry*)e->key;
struct reply_info* data = (struct reply_info*)e->data;
struct dns_msg* msg = tomsg(env, &key->key, data, region, now,
scratch);
if(msg) {
lock_rw_unlock(&e->lock);
return msg;
}
/* could be msg==NULL; due to TTL or not all rrsets available */
lock_rw_unlock(&e->lock);
}
/* see if a DNAME exists. Checked for first, to enforce that DNAMEs
* are more important, the CNAME is resynthesized and thus
* consistent with the DNAME */
if( (rrset=find_closest_of_type(env, qname, qnamelen, qclass, now,
LDNS_RR_TYPE_DNAME, 1))) {
/* synthesize a DNAME+CNAME message based on this */
struct dns_msg* msg = synth_dname_msg(rrset, region, now, &k);
if(msg) {
lock_rw_unlock(&rrset->entry.lock);
return msg;
}
lock_rw_unlock(&rrset->entry.lock);
}
/* see if we have CNAME for this domain,
* but not for DS records (which are part of the parent) */
if( qtype != LDNS_RR_TYPE_DS &&
(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen,
LDNS_RR_TYPE_CNAME, qclass, 0, now, 0))) {
struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
if(msg) {
lock_rw_unlock(&rrset->entry.lock);
return msg;
}
lock_rw_unlock(&rrset->entry.lock);
}
/* construct DS, DNSKEY, DLV messages from rrset cache. */
if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY ||
qtype == LDNS_RR_TYPE_DLV) &&
(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen,
qtype, qclass, 0, now, 0))) {
/* if the rrset is from the additional section, and the
* signatures have fallen off, then do not synthesize a msg
* instead, allow a full query for signed results to happen.
* Forego all rrset data from additional section, because
* some signatures may not be present and cause validation
* failure.
*/
struct packed_rrset_data *d = (struct packed_rrset_data*)
rrset->entry.data;
if(d->trust != rrset_trust_add_noAA &&
d->trust != rrset_trust_add_AA &&
(qtype == LDNS_RR_TYPE_DS ||
(d->trust != rrset_trust_auth_noAA
&& d->trust != rrset_trust_auth_AA) )) {
struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
if(msg) {
lock_rw_unlock(&rrset->entry.lock);
return msg;
}
}
lock_rw_unlock(&rrset->entry.lock);
}
/* stop downwards cache search on NXDOMAIN.
* Empty nonterminals are NOERROR, so an NXDOMAIN for foo
* means bla.foo also does not exist. The DNSSEC proofs are
* the same. We search upwards for NXDOMAINs. */
if(env->cfg->harden_below_nxdomain)
while(!dname_is_root(k.qname)) {
dname_remove_label(&k.qname, &k.qname_len);
h = query_info_hash(&k, flags);
e = slabhash_lookup(env->msg_cache, h, &k, 0);
if(e) {
struct reply_info* data = (struct reply_info*)e->data;
struct dns_msg* msg;
if(FLAGS_GET_RCODE(data->flags) == LDNS_RCODE_NXDOMAIN
&& data->security == sec_status_secure
&& (msg=tomsg(env, &k, data, region, now, scratch))) {
lock_rw_unlock(&e->lock);
msg->qinfo.qname=qname;
msg->qinfo.qname_len=qnamelen;
/* check that DNSSEC really works out */
msg->rep->security = sec_status_unchecked;
return msg;
}
lock_rw_unlock(&e->lock);
}
}
return NULL;
}
struct dns_msg*
dns_cache_lookup(struct module_env* env,
uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass,
uint16_t flags, struct regional* region, struct regional* scratch,
int no_partial)
{
struct lruhash_entry* e;
struct query_info k;
hashvalue_type h;
time_t now = *env->now;
struct ub_packed_rrset_key* rrset;
/* lookup first, this has both NXdomains and ANSWER responses */
k.qname = qname;
k.qname_len = qnamelen;
k.qtype = qtype;
k.qclass = qclass;
k.local_alias = NULL;
h = query_info_hash(&k, flags);
e = slabhash_lookup(env->msg_cache, h, &k, 0);
if(e) {
struct msgreply_entry* key = (struct msgreply_entry*)e->key;
struct reply_info* data = (struct reply_info*)e->data;
struct dns_msg* msg = tomsg(env, &key->key, data, region, now,
scratch);
if(msg) {
lock_rw_unlock(&e->lock);
return msg;
}
/* could be msg==NULL; due to TTL or not all rrsets available */
lock_rw_unlock(&e->lock);
}
/* see if a DNAME exists. Checked for first, to enforce that DNAMEs
* are more important, the CNAME is resynthesized and thus
* consistent with the DNAME */
if(!no_partial &&
(rrset=find_closest_of_type(env, qname, qnamelen, qclass, now,
LDNS_RR_TYPE_DNAME, 1))) {
/* synthesize a DNAME+CNAME message based on this */
enum sec_status sec_status = sec_status_unchecked;
struct dns_msg* msg = synth_dname_msg(rrset, region, now, &k,
&sec_status);
if(msg) {
struct ub_packed_rrset_key* cname_rrset;
lock_rw_unlock(&rrset->entry.lock);
/* now, after unlocking the DNAME rrset lock,
* check the sec_status, and see if we need to look
* up the CNAME record associated before it can
* be used */
/* normally, only secure DNAMEs allowed from cache*/
if(sec_status == sec_status_secure)
return msg;
/* but if we have a CNAME cached with this name, then we
* have previously already allowed this name to pass.
* the next cache lookup is going to fetch that CNAME itself,
* but it is better to have the (unsigned)DNAME + CNAME in
* that case */
cname_rrset = rrset_cache_lookup(
env->rrset_cache, qname, qnamelen,
LDNS_RR_TYPE_CNAME, qclass, 0, now, 0);
if(cname_rrset) {
/* CNAME already synthesized by
* synth_dname_msg routine, so we can
* straight up return the msg */
lock_rw_unlock(&cname_rrset->entry.lock);
return msg;
}
} else {
lock_rw_unlock(&rrset->entry.lock);
}
}
/* see if we have CNAME for this domain,
* but not for DS records (which are part of the parent) */
if(!no_partial && qtype != LDNS_RR_TYPE_DS &&
(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen,
LDNS_RR_TYPE_CNAME, qclass, 0, now, 0))) {
uint8_t* wc = NULL;
size_t wl;
/* if the rrset is not a wildcard expansion, with wcname */
/* because, if we return that CNAME rrset on its own, it is
* missing the NSEC or NSEC3 proof */
if(!(val_rrset_wildcard(rrset, &wc, &wl) && wc != NULL)) {
struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
if(msg) {
lock_rw_unlock(&rrset->entry.lock);
return msg;
}
}
lock_rw_unlock(&rrset->entry.lock);
}
/* construct DS, DNSKEY, DLV messages from rrset cache. */
if((qtype == LDNS_RR_TYPE_DS || qtype == LDNS_RR_TYPE_DNSKEY ||
qtype == LDNS_RR_TYPE_DLV) &&
(rrset=rrset_cache_lookup(env->rrset_cache, qname, qnamelen,
qtype, qclass, 0, now, 0))) {
/* if the rrset is from the additional section, and the
* signatures have fallen off, then do not synthesize a msg
* instead, allow a full query for signed results to happen.
* Forego all rrset data from additional section, because
* some signatures may not be present and cause validation
* failure.
*/
struct packed_rrset_data *d = (struct packed_rrset_data*)
rrset->entry.data;
if(d->trust != rrset_trust_add_noAA &&
d->trust != rrset_trust_add_AA &&
(qtype == LDNS_RR_TYPE_DS ||
(d->trust != rrset_trust_auth_noAA
&& d->trust != rrset_trust_auth_AA) )) {
struct dns_msg* msg = rrset_msg(rrset, region, now, &k);
if(msg) {
lock_rw_unlock(&rrset->entry.lock);
return msg;
}
}
lock_rw_unlock(&rrset->entry.lock);
}
/* stop downwards cache search on NXDOMAIN.
* Empty nonterminals are NOERROR, so an NXDOMAIN for foo
* means bla.foo also does not exist. The DNSSEC proofs are
* the same. We search upwards for NXDOMAINs. */
if(env->cfg->harden_below_nxdomain)
while(!dname_is_root(k.qname)) {
dname_remove_label(&k.qname, &k.qname_len);
h = query_info_hash(&k, flags);
e = slabhash_lookup(env->msg_cache, h, &k, 0);
if(!e && k.qtype != LDNS_RR_TYPE_A &&
env->cfg->qname_minimisation) {
k.qtype = LDNS_RR_TYPE_A;
h = query_info_hash(&k, flags);
e = slabhash_lookup(env->msg_cache, h, &k, 0);
}
if(e) {
struct reply_info* data = (struct reply_info*)e->data;
struct dns_msg* msg;
if(FLAGS_GET_RCODE(data->flags) == LDNS_RCODE_NXDOMAIN
&& data->security == sec_status_secure
&& (msg=tomsg(env, &k, data, region, now, scratch))){
lock_rw_unlock(&e->lock);
msg->qinfo.qname=qname;
msg->qinfo.qname_len=qnamelen;
/* check that DNSSEC really works out */
msg->rep->security = sec_status_unchecked;
return msg;
}
lock_rw_unlock(&e->lock);
}
k.qtype = qtype;
}
/* fill common RR types for ANY response to avoid requery */
if(qtype == LDNS_RR_TYPE_ANY) {
return fill_any(env, qname, qnamelen, qtype, qclass, region);
}
return NULL;
}
struct dns_msg*
val_neg_getmsg(struct val_neg_cache* neg, struct query_info* qinfo,
struct regional* region, struct rrset_cache* rrset_cache,
ldns_buffer* buf, uint32_t now, int addsoa, uint8_t* topname)
{
struct dns_msg* msg;
struct ub_packed_rrset_key* rrset;
uint8_t* zname;
size_t zname_len;
int zname_labs;
struct val_neg_zone* zone;
/* only for DS queries */
if(qinfo->qtype != LDNS_RR_TYPE_DS)
return NULL;
log_assert(!topname || dname_subdomain_c(qinfo->qname, topname));
/* see if info from neg cache is available
* For NSECs, because there is no optout; a DS next to a delegation
* always has exactly an NSEC for it itself; check its DS bit.
* flags=0 (not the zone apex).
*/
rrset = grab_nsec(rrset_cache, qinfo->qname, qinfo->qname_len,
LDNS_RR_TYPE_NSEC, qinfo->qclass, 0, region, 1,
qinfo->qtype, now);
if(rrset) {
/* return msg with that rrset */
if(!(msg = dns_msg_create(qinfo->qname, qinfo->qname_len,
qinfo->qtype, qinfo->qclass, region, 2)))
return NULL;
/* TTL already subtracted in grab_nsec */
if(!dns_msg_authadd(msg, region, rrset, 0))
return NULL;
if(addsoa && !add_soa(rrset_cache, now, region, msg, NULL))
return NULL;
return msg;
}
/* check NSEC3 neg cache for type DS */
/* need to look one zone higher for DS type */
zname = qinfo->qname;
zname_len = qinfo->qname_len;
dname_remove_label(&zname, &zname_len);
zname_labs = dname_count_labels(zname);
/* lookup closest zone */
lock_basic_lock(&neg->lock);
zone = neg_closest_zone_parent(neg, zname, zname_len, zname_labs,
qinfo->qclass);
while(zone && !zone->in_use)
zone = zone->parent;
/* check that the zone is not too high up so that we do not pick data
* out of a zone that is above the last-seen key (or trust-anchor). */
if(zone && topname) {
if(!dname_subdomain_c(zone->name, topname))
zone = NULL;
}
if(!zone) {
lock_basic_unlock(&neg->lock);
return NULL;
}
msg = neg_nsec3_proof_ds(zone, qinfo->qname, qinfo->qname_len,
zname_labs+1, buf, rrset_cache, region, now, topname);
if(msg && addsoa && !add_soa(rrset_cache, now, region, msg, zone)) {
lock_basic_unlock(&neg->lock);
return NULL;
}
lock_basic_unlock(&neg->lock);
return msg;
}