OpenDNSSEC-signer  2.0.4
query.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2011 NLNet Labs. All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  * notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  * notice, this list of conditions and the following disclaimer in the
11  * documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
15  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16  * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
17  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
19  * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
20  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
21  * IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
22  * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
23  * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  *
25  */
26 
32 #include "config.h"
33 #include "daemon/dnshandler.h"
34 #include "daemon/engine.h"
35 #include "file.h"
36 #include "util.h"
37 #include "wire/axfr.h"
38 #include "wire/query.h"
39 
40 const char* query_str = "query";
41 
42 
49 {
50  query_type* q = NULL;
51  CHECKALLOC(q = (query_type*) malloc(sizeof(query_type)));
52  q->buffer = NULL;
53  q->tsig_rr = NULL;
54  q->axfr_fd = NULL;
56  if (!q->buffer) {
57  query_cleanup(q);
58  return NULL;
59  }
60  q->tsig_rr = tsig_rr_create();
61  if (!q->tsig_rr) {
62  query_cleanup(q);
63  return NULL;
64  }
65  q->edns_rr = edns_rr_create();
66  if (!q->edns_rr) {
67  query_cleanup(q);
68  return NULL;
69  }
71  return q;
72 }
73 
74 
79 void
80 query_reset(query_type* q, size_t maxlen, int is_tcp)
81 {
82  if (!q) {
83  return;
84  }
85  q->addrlen = sizeof(q->addr);
86  q->maxlen = maxlen;
87  q->reserved_space = 0;
88  buffer_clear(q->buffer);
89  tsig_rr_reset(q->tsig_rr, NULL, NULL);
91  q->tsig_prepare_it = 1;
92  q->tsig_update_it = 1;
93  q->tsig_sign_it = 1;
94  q->tcp = is_tcp;
95  /* qname, qtype, qclass */
96  q->zone = NULL;
97  /* domain, opcode, cname count, delegation, compression, temp */
98  q->axfr_is_done = 0;
99  if (q->axfr_fd) {
100  ods_fclose(q->axfr_fd);
101  q->axfr_fd = NULL;
102  }
103  q->serial = 0;
104  q->startpos = 0;
105 }
106 
107 
112 static query_state
113 query_error(query_type* q, ldns_pkt_rcode rcode)
114 {
115  size_t limit = 0;
116  if (!q) {
117  return QUERY_DISCARDED;
118  }
119  limit = buffer_limit(q->buffer);
120  buffer_clear(q->buffer);
122  buffer_pkt_set_rcode(q->buffer, rcode);
126  buffer_set_position(q->buffer, limit);
127  return QUERY_PROCESSED;
128 }
129 
130 
135 static query_state
136 query_formerr(query_type* q)
137 {
138  ldns_pkt_opcode opcode = LDNS_PACKET_QUERY;
139  if (!q) {
140  return QUERY_DISCARDED;
141  }
142  opcode = buffer_pkt_opcode(q->buffer);
143  /* preserve the RD flag, clear the rest */
145  buffer_pkt_set_opcode(q->buffer, opcode);
147  ods_log_debug("[%s] formerr", query_str);
148  return query_error(q, LDNS_RCODE_FORMERR);
149 }
150 
151 
156 static query_state
157 query_servfail(query_type* q)
158 {
159  if (!q) {
160  return QUERY_DISCARDED;
161  }
162  ods_log_debug("[%s] servfail", query_str);
166  return query_error(q, LDNS_RCODE_SERVFAIL);
167 }
168 
169 
174 static query_state
175 query_notimpl(query_type* q)
176 {
177  if (!q) {
178  return QUERY_DISCARDED;
179  }
180  ods_log_debug("[%s] notimpl", query_str);
181  return query_error(q, LDNS_RCODE_NOTIMPL);
182 }
183 
184 
189 static query_state
190 query_refused(query_type* q)
191 {
192  if (!q) {
193  return QUERY_DISCARDED;
194  }
195  ods_log_debug("[%s] refused", query_str);
196  return query_error(q, LDNS_RCODE_REFUSED);
197 }
198 
199 
204 static query_state
205 query_notauth(query_type* q)
206 {
207  if (!q) {
208  return QUERY_DISCARDED;
209  }
210  ods_log_debug("[%s] notauth", query_str);
211  return query_error(q, LDNS_RCODE_NOTAUTH);
212 }
213 
214 
220 static int
221 query_parse_soa(buffer_type* buffer, uint32_t* serial)
222 {
223  ldns_rr_type type = 0;
224  ods_log_assert(buffer);
225  if (!buffer_available(buffer, 10)) {
226  ods_log_error("[%s] bad soa: packet too short", query_str);
227  return 0;
228  }
229  type = (ldns_rr_type) buffer_read_u16(buffer);
230  if (type != LDNS_RR_TYPE_SOA) {
231  ods_log_error("[%s] bad soa: rr is not soa (%d)", query_str, type);
232  return 0;
233  }
234  (void)buffer_read_u16(buffer);
235  (void)buffer_read_u32(buffer);
236  /* rdata length */
237  if (!buffer_available(buffer, buffer_read_u16(buffer))) {
238  ods_log_error("[%s] bad soa: missing rdlength", query_str);
239  return 0;
240  }
241  /* MNAME */
242  if (!buffer_skip_dname(buffer)) {
243  ods_log_error("[%s] bad soa: missing mname", query_str);
244  return 0;
245  }
246  /* RNAME */
247  if (!buffer_skip_dname(buffer)) {
248  ods_log_error("[%s] bad soa: missing rname", query_str);
249  return 0;
250  }
251  if (serial) {
252  *serial = buffer_read_u32(buffer);
253  }
254  return 1;
255 }
256 
257 
264 static query_state
265 query_process_notify(query_type* q, ldns_rr_type qtype, engine_type* engine)
266 {
267  dnsin_type* dnsin = NULL;
268  uint16_t count = 0;
269  uint16_t rrcount = 0;
270  uint32_t serial = 0;
271  size_t pos = 0;
272  char address[128];
273  if (!engine || !q || !q->zone) {
274  return QUERY_DISCARDED;
275  }
276  ods_log_assert(engine->dnshandler);
277  ods_log_assert(q->zone->name);
278  ods_log_verbose("[%s] incoming notify for zone %s", query_str,
279  q->zone->name);
280  if (buffer_pkt_rcode(q->buffer) != LDNS_RCODE_NOERROR ||
281  buffer_pkt_qr(q->buffer) ||
282  !buffer_pkt_aa(q->buffer) ||
283  buffer_pkt_tc(q->buffer) ||
284  buffer_pkt_rd(q->buffer) ||
285  buffer_pkt_ra(q->buffer) ||
286  buffer_pkt_ad(q->buffer) ||
287  buffer_pkt_cd(q->buffer) ||
288  buffer_pkt_qdcount(q->buffer) != 1 ||
289  buffer_pkt_ancount(q->buffer) > 1 ||
290  qtype != LDNS_RR_TYPE_SOA) {
291  return query_formerr(q);
292  }
293  if (!q->zone->adinbound || q->zone->adinbound->type != ADAPTER_DNS) {
294  ods_log_error("[%s] zone %s is not configured to have input dns "
295  "adapter", query_str, q->zone->name);
296  return query_notauth(q);
297  }
298  ods_log_assert(q->zone->adinbound->config);
299  dnsin = (dnsin_type*) q->zone->adinbound->config;
300  if (!acl_find(dnsin->allow_notify, &q->addr, q->tsig_rr)) {
301  if (addr2ip(q->addr, address, sizeof(address))) {
302  ods_log_info("[%s] unauthorized notify for zone %s from %s: "
303  "no acl matches", query_str, q->zone->name, address);
304  } else {
305  ods_log_info("[%s] unauthorized notify for zone %s from unknown "
306  "source: no acl matches", query_str, q->zone->name);
307  }
308  return query_notauth(q);
309  }
310  ods_log_assert(q->zone->xfrd);
311  /* skip header and question section */
313  count = buffer_pkt_qdcount(q->buffer);
314  for (rrcount = 0; rrcount < count; rrcount++) {
315  if (!buffer_skip_rr(q->buffer, 1)) {
316  if (addr2ip(q->addr, address, sizeof(address))) {
317  ods_log_info("[%s] dropped packet: zone %s received bad "
318  "notify from %s (bad question section)", query_str,
319  q->zone->name, address);
320  } else {
321  ods_log_info("[%s] dropped packet: zone %s received bad "
322  "notify from unknown source (bad question section)",
323  query_str, q->zone->name);
324  }
325  return QUERY_DISCARDED;
326  }
327  }
328  pos = buffer_position(q->buffer);
329 
330  /* examine answer section */
331  count = buffer_pkt_ancount(q->buffer);
332  if (count) {
333  if (!buffer_skip_dname(q->buffer) ||
334  !query_parse_soa(q->buffer, &serial)) {
335  if (addr2ip(q->addr, address, sizeof(address))) {
336  ods_log_info("[%s] dropped packet: zone %s received bad "
337  "notify from %s (bad soa in answer section)", query_str,
338  q->zone->name, address);
339  } else {
340  ods_log_info("[%s] dropped packet: zone %s received bad "
341  "notify from unknown source (bad soa in answer section)",
342  query_str, q->zone->name);
343  }
344  return QUERY_DISCARDED;
345  }
346 
347  lock_basic_lock(&q->zone->xfrd->serial_lock);
348  if (!util_serial_gt(serial, q->zone->xfrd->serial_disk)) {
349  if (addr2ip(q->addr, address, sizeof(address))) {
350  ods_log_info("[%s] ignore notify from %s: already got "
351  "zone %s serial %u on disk (received %u)", query_str,
352  address, q->zone->name, q->zone->xfrd->serial_disk,
353  serial);
354  } else {
355  ods_log_info("[%s] ignore notify: already got zone %s "
356  "serial %u on disk (received %u)", query_str,
357  q->zone->name, q->zone->xfrd->serial_disk, serial);
358  }
359  lock_basic_unlock(&q->zone->xfrd->serial_lock);
360  } else if (q->zone->xfrd->serial_notify_acquired) {
361  lock_basic_unlock(&q->zone->xfrd->serial_lock);
362  if (addr2ip(q->addr, address, sizeof(address))) {
363  ods_log_info("[%s] ignore notify from %s: zone %s "
364  "transfer in progress", query_str, address,
365  q->zone->name);
366  } else {
367  ods_log_info("[%s] ignore notify: zone %s transfer in "
368  "progress", query_str, q->zone->name);
369  }
370  } else {
371  q->zone->xfrd->serial_notify = serial;
372  q->zone->xfrd->serial_notify_acquired = time_now();
373  lock_basic_unlock(&q->zone->xfrd->serial_lock);
374  /* forward notify to xfrd */
375  if (addr2ip(q->addr, address, sizeof(address))) {
376  ods_log_verbose("[%s] forward notify for zone %s from client %s",
377  query_str, q->zone->name, address);
378  } else {
379  ods_log_verbose("[%s] forward notify for zone %s", query_str,
380  q->zone->name);
381  }
385  }
386  } else { /* Empty answer section, no SOA. We still need to process
387  the notify according to the RFC */
388  /* forward notify to xfrd */
389  if (addr2ip(q->addr, address, sizeof(address))) {
390  ods_log_verbose("[%s] forward notify for zone %s from client %s",
391  query_str, q->zone->name, address);
392  } else {
393  ods_log_verbose("[%s] forward notify for zone %s", query_str,
394  q->zone->name);
395  }
399  }
400 
401  /* send notify ok */
405 
406  buffer_clear(q->buffer); /* lim = pos, pos = 0; */
407  buffer_set_position(q->buffer, pos);
411  return QUERY_PROCESSED;
412 }
413 
414 
419 static query_state
420 query_process_ixfr(query_type* q)
421 {
422  uint16_t count = 0;
423  ods_log_assert(q);
424  ods_log_assert(q->buffer);
425  ods_log_assert(buffer_pkt_qdcount(q->buffer) == 1);
426  /* skip header and question section */
428  if (!buffer_skip_rr(q->buffer, 1)) {
429  ods_log_error("[%s] dropped packet: zone %s received bad ixfr "
430  "request (bad question section)", query_str, q->zone->name);
431  return QUERY_DISCARDED;
432  }
433  /* answer section is empty */
434  ods_log_assert(buffer_pkt_ancount(q->buffer) == 0);
435  /* examine auth section */
437  count = buffer_pkt_nscount(q->buffer);
438  if (count) {
439  if (!buffer_skip_dname(q->buffer) ||
440  !query_parse_soa(q->buffer, &(q->serial))) {
441  ods_log_error("[%s] dropped packet: zone %s received bad ixfr "
442  "request (bad soa in auth section)", query_str, q->zone->name);
443  return QUERY_DISCARDED;
444  }
445  ods_log_debug("[%s] found ixfr request zone %s serial=%u", query_str,
446  q->zone->name, q->serial);
447  return QUERY_PROCESSED;
448  }
449  ods_log_debug("[%s] ixfr request zone %s has no auth section", query_str,
450  q->zone->name);
451  q->serial = 0;
452  return QUERY_PROCESSED;
453 }
454 
455 
460 static int
461 response_add_rrset(response_type* r, rrset_type* rrset,
462  ldns_pkt_section section)
463 {
464  if (!r || !rrset || !section) {
465  return 0;
466  }
467  /* duplicates? */
468  r->sections[r->rrset_count] = section;
469  r->rrsets[r->rrset_count] = rrset;
470  ++r->rrset_count;
471  return 1;
472 }
473 
474 
479 static int
480 response_encode_rr(query_type* q, ldns_rr* rr, ldns_pkt_section section)
481 {
482  uint8_t *data = NULL;
483  size_t size = 0;
484  ldns_status status = LDNS_STATUS_OK;
485  ods_log_assert(q);
486  ods_log_assert(rr);
487  ods_log_assert(section);
488  status = ldns_rr2wire(&data, rr, section, &size);
489  if (status != LDNS_STATUS_OK) {
490  ods_log_error("[%s] unable to send good response: ldns_rr2wire() "
491  "failed (%s)", query_str, ldns_get_errorstr_by_id(status));
492  return 0;
493  }
494  buffer_write(q->buffer, (const void*) data, size);
495  LDNS_FREE(data);
496  return 1;
497 }
498 
499 
504 static uint16_t
505 response_encode_rrset(query_type* q, rrset_type* rrset, ldns_pkt_section section)
506 {
507  rrsig_type* rrsig;
508  uint16_t i = 0;
509  uint16_t added = 0;
510  ods_log_assert(q);
511  ods_log_assert(rrset);
512  ods_log_assert(section);
513 
514  for (i = 0; i < rrset->rr_count; i++) {
515  added += response_encode_rr(q, rrset->rrs[i].rr, section);
516  }
517  if (q->edns_rr && q->edns_rr->dnssec_ok) {
518  while((rrsig = collection_iterator(rrset->rrsigs))) {
519  added += response_encode_rr(q, rrsig->rr, section);
520  }
521  }
522  /* truncation? */
523  return added;
524 }
525 
526 
531 static void
532 response_encode(query_type* q, response_type* r)
533 {
534  uint16_t counts[LDNS_SECTION_ANY];
535  ldns_pkt_section s = LDNS_SECTION_QUESTION;
536  size_t i = 0;
537  ods_log_assert(q);
538  ods_log_assert(r);
539  for (s = LDNS_SECTION_ANSWER; s < LDNS_SECTION_ANY; s++) {
540  counts[s] = 0;
541  }
542  for (s = LDNS_SECTION_ANSWER; s < LDNS_SECTION_ANY; s++) {
543  for (i = 0; i < r->rrset_count; i++) {
544  if (r->sections[i] == s) {
545  counts[s] += response_encode_rrset(q, r->rrsets[i], s);
546  }
547  }
548  }
549  buffer_pkt_set_ancount(q->buffer, counts[LDNS_SECTION_ANSWER]);
550  buffer_pkt_set_nscount(q->buffer, counts[LDNS_SECTION_AUTHORITY]);
551  buffer_pkt_set_arcount(q->buffer, counts[LDNS_SECTION_ADDITIONAL]);
554 }
555 
556 
561 static query_state
562 query_response(query_type* q, ldns_rr_type qtype)
563 {
564  rrset_type* rrset = NULL;
565  response_type r;
566  if (!q || !q->zone) {
567  return QUERY_DISCARDED;
568  }
569  r.rrset_count = 0;
570  lock_basic_lock(&q->zone->zone_lock);
571  rrset = zone_lookup_rrset(q->zone, q->zone->apex, qtype);
572  if (rrset) {
573  if (!response_add_rrset(&r, rrset, LDNS_SECTION_ANSWER)) {
574  lock_basic_unlock(&q->zone->zone_lock);
575  return query_servfail(q);
576  }
577  /* NS RRset goes into Authority Section */
578  rrset = zone_lookup_rrset(q->zone, q->zone->apex, LDNS_RR_TYPE_NS);
579  if (rrset) {
580  if (!response_add_rrset(&r, rrset, LDNS_SECTION_AUTHORITY)) {
581  lock_basic_unlock(&q->zone->zone_lock);
582  return query_servfail(q);
583  }
584  }
585  } else if (qtype != LDNS_RR_TYPE_SOA) {
586  rrset = zone_lookup_rrset(q->zone, q->zone->apex, LDNS_RR_TYPE_SOA);
587  if (rrset) {
588  if (!response_add_rrset(&r, rrset, LDNS_SECTION_AUTHORITY)) {
589  lock_basic_unlock(&q->zone->zone_lock);
590  return query_servfail(q);
591  }
592  }
593  } else {
594  lock_basic_unlock(&q->zone->zone_lock);
595  return query_servfail(q);
596  }
597  lock_basic_unlock(&q->zone->zone_lock);
598 
599  response_encode(q, &r);
600  /* compression */
601  return QUERY_PROCESSED;
602 }
603 
604 
609 void
611 {
612  uint16_t limit = 0;
613  uint16_t flags = 0;
614  ods_log_assert(q);
615  ods_log_assert(q->buffer);
616  limit = buffer_limit(q->buffer);
617  flags = buffer_pkt_flags(q->buffer);
618  flags &= 0x0100U; /* preserve the rd flag */
619  flags |= 0x8000U; /* set the qr flag */
620  buffer_pkt_set_flags(q->buffer, flags);
621  buffer_clear(q->buffer);
622  buffer_set_position(q->buffer, limit);
626 }
627 
628 
633 static query_state
634 query_process_query(query_type* q, ldns_rr_type qtype, engine_type* engine)
635 {
636  dnsout_type* dnsout = NULL;
637  if (!q || !q->zone) {
638  return QUERY_DISCARDED;
639  }
640  ods_log_assert(q->zone->name);
641  ods_log_debug("[%s] incoming query qtype=%s for zone %s", query_str,
642  rrset_type2str(qtype), q->zone->name);
643  /* sanity checks */
644  if (buffer_pkt_qdcount(q->buffer) != 1 || buffer_pkt_tc(q->buffer)) {
646  return query_formerr(q);
647  }
648  if (buffer_pkt_ancount(q->buffer) != 0 ||
649  (qtype != LDNS_RR_TYPE_IXFR && buffer_pkt_nscount(q->buffer) != 0)) {
651  return query_formerr(q);
652  }
653  /* acl */
654  if (!q->zone->adoutbound || q->zone->adoutbound->type != ADAPTER_DNS) {
655  ods_log_error("[%s] zone %s is not configured to have output dns "
656  "adapter", query_str, q->zone->name);
657  return query_refused(q);
658  }
659  ods_log_assert(q->zone->adoutbound->config);
660  dnsout = (dnsout_type*) q->zone->adoutbound->config;
661  /* acl also in use for soa and other queries */
662  if (!acl_find(dnsout->provide_xfr, &q->addr, q->tsig_rr)) {
663  ods_log_debug("[%s] zone %s acl query refused", query_str,
664  q->zone->name);
665  return query_refused(q);
666  }
667 
668  query_prepare(q);
669  /* ixfr? */
670  if (qtype == LDNS_RR_TYPE_IXFR) {
671  ods_log_assert(q->zone->name);
672  ods_log_debug("[%s] incoming ixfr request serial=%u for zone %s",
673  query_str, q->serial, q->zone->name);
674  return ixfr(q, engine);
675  }
676  /* axfr? */
677  if (qtype == LDNS_RR_TYPE_AXFR) {
678  ods_log_assert(q->zone->name);
679  ods_log_debug("[%s] incoming axfr request for zone %s",
680  query_str, q->zone->name);
681  return axfr(q, engine, 0);
682  }
683  /* (soa) query */
684  if (qtype == LDNS_RR_TYPE_SOA) {
685  ods_log_assert(q->zone->name);
686  ods_log_debug("[%s] incoming soa request for zone %s",
687  query_str, q->zone->name);
688  return soa_request(q, engine);
689  }
690  /* other qtypes */
691  return query_response(q, qtype);
692 }
693 
694 
699 static query_state
700 query_process_update(query_type* q)
701 {
702  if (!q || !q->zone) {
703  return QUERY_DISCARDED;
704  }
705  ods_log_debug("[%s] dynamic update not implemented", query_str);
706  return query_notimpl(q);
707 }
708 
709 
714 static ldns_pkt_rcode
715 query_process_tsig(query_type* q)
716 {
717  if (!q || !q->tsig_rr) {
718  return LDNS_RCODE_SERVFAIL;
719  }
720  if (q->tsig_rr->status == TSIG_ERROR) {
721  return LDNS_RCODE_FORMERR;
722  }
723  if (q->tsig_rr->status == TSIG_OK) {
724  if (!tsig_rr_lookup(q->tsig_rr)) {
725  ods_log_debug("[%s] tsig unknown key/algorithm", query_str);
726  return LDNS_RCODE_REFUSED;
727  }
732  if (!tsig_rr_verify(q->tsig_rr)) {
733  ods_log_debug("[%s] bad tsig signature", query_str);
734  return LDNS_RCODE_NOTAUTH;
735  }
736  }
737  return LDNS_RCODE_NOERROR;
738 }
739 
740 
745 static ldns_pkt_rcode
746 query_process_edns(query_type* q)
747 {
748  if (!q || !q->edns_rr) {
749  return LDNS_RCODE_SERVFAIL;
750  }
751  if (q->edns_rr->status == EDNS_ERROR) {
752  /* The only error is VERSION not implemented */
753  return LDNS_RCODE_FORMERR;
754  }
755  if (q->edns_rr->status == EDNS_OK) {
756  /* Only care about UDP size larger than normal... */
757  if (!q->tcp && q->edns_rr->maxlen > UDP_MAX_MESSAGE_LEN) {
758  if (q->edns_rr->maxlen < EDNS_MAX_MESSAGE_LEN) {
759  q->maxlen = q->edns_rr->maxlen;
760  } else {
762  }
763  }
764  /* Strip the OPT resource record off... */
768  }
769  return LDNS_RCODE_NOERROR;
770 }
771 
772 
777 static int
778 query_find_tsig(query_type* q)
779 {
780  size_t saved_pos = 0;
781  size_t rrcount = 0;
782  size_t i = 0;
783 
784  ods_log_assert(q);
785  ods_log_assert(q->tsig_rr);
786  ods_log_assert(q->buffer);
787  if (buffer_pkt_arcount(q->buffer) == 0) {
789  return 1;
790  }
791  saved_pos = buffer_position(q->buffer);
792  rrcount = buffer_pkt_qdcount(q->buffer) + buffer_pkt_ancount(q->buffer) +
795  for (i=0; i < rrcount; i++) {
796  if (!buffer_skip_rr(q->buffer, i < buffer_pkt_qdcount(q->buffer))) {
797  buffer_set_position(q->buffer, saved_pos);
798  return 0;
799  }
800  }
801 
802  rrcount = buffer_pkt_arcount(q->buffer);
803  ods_log_assert(rrcount != 0);
804  if (!tsig_rr_parse(q->tsig_rr, q->buffer)) {
805  ods_log_debug("[%s] got bad tsig", query_str);
806  return 0;
807  }
808  if (q->tsig_rr->status != TSIG_NOT_PRESENT) {
809  --rrcount;
810  }
811  if (rrcount) {
812  if (edns_rr_parse(q->edns_rr, q->buffer)) {
813  --rrcount;
814  }
815  }
816  if (rrcount && q->tsig_rr->status == TSIG_NOT_PRESENT) {
817  /* see if tsig is after the edns record */
818  if (!tsig_rr_parse(q->tsig_rr, q->buffer)) {
819  ods_log_debug("[%s] got bad tsig", query_str);
820  return 0;
821  }
822  if (q->tsig_rr->status != TSIG_NOT_PRESENT) {
823  --rrcount;
824  }
825  }
826  if (rrcount > 0) {
827  ods_log_debug("[%s] too many additional rrs", query_str);
828  return 0;
829  }
830  buffer_set_position(q->buffer, saved_pos);
831  return 1;
832 }
833 
834 
841 {
842  ldns_status status = LDNS_STATUS_OK;
843  ldns_pkt* pkt = NULL;
844  ldns_rr* rr = NULL;
845  ldns_pkt_rcode rcode = LDNS_RCODE_NOERROR;
846  ldns_pkt_opcode opcode = LDNS_PACKET_QUERY;
847  ldns_rr_type qtype = LDNS_RR_TYPE_SOA;
848  ods_log_assert(engine);
849  ods_log_assert(q);
850  ods_log_assert(q->buffer);
851  if (!engine || !q || !q->buffer) {
852  ods_log_error("[%s] drop query: assertion error", query_str);
853  return QUERY_DISCARDED; /* should not happen */
854  }
856  ods_log_debug("[%s] drop query: packet too small", query_str);
857  return QUERY_DISCARDED; /* too small */
858  }
859  if (buffer_pkt_qr(q->buffer)) {
860  ods_log_debug("[%s] drop query: qr bit set", query_str);
861  return QUERY_DISCARDED; /* not a query */
862  }
863  /* parse packet */
864  status = ldns_wire2pkt(&pkt, buffer_current(q->buffer),
866  if (status != LDNS_STATUS_OK) {
867  ods_log_debug("[%s] got bad packet: %s", query_str,
868  ldns_get_errorstr_by_id(status));
869  return query_formerr(q);
870  }
871  rr = ldns_rr_list_rr(ldns_pkt_question(pkt), 0);
872  if (!rr) {
873  ods_log_debug("[%s] no RRset in query section, ignoring", query_str);
874  return QUERY_DISCARDED; /* no RRset in query */
875  }
876  lock_basic_lock(&engine->zonelist->zl_lock);
877  /* we can just lookup the zone, because we will only handle SOA queries,
878  zone transfers, updates and notifies */
879  q->zone = zonelist_lookup_zone_by_dname(engine->zonelist, ldns_rr_owner(rr),
880  ldns_rr_get_class(rr));
881  /* don't answer for zones that are just added */
882  if (q->zone && q->zone->zl_status == ZONE_ZL_ADDED) {
883  ods_log_assert(q->zone->name);
884  ods_log_warning("[%s] zone %s just added, don't answer for now",
885  query_str, q->zone->name);
886  q->zone = NULL;
887  }
888  lock_basic_unlock(&engine->zonelist->zl_lock);
889  if (!q->zone) {
890  ods_log_debug("[%s] zone not found", query_str);
891  return query_servfail(q);
892  }
893  /* see if it is tsig signed */
894  if (!query_find_tsig(q)) {
895  return query_formerr(q);
896  }
897  /* else: valid tsig, or no tsig present */
898  ods_log_debug("[%s] tsig %s", query_str, tsig_status2str(q->tsig_rr->status));
899  /* get opcode, qtype, ixfr=serial */
900  opcode = ldns_pkt_get_opcode(pkt);
901  qtype = ldns_rr_get_type(rr);
902  if (qtype == LDNS_RR_TYPE_IXFR) {
903  ods_log_assert(q->zone->name);
904  ods_log_debug("[%s] incoming ixfr request for zone %s",
905  query_str, q->zone->name);
906  if (query_process_ixfr(q) != QUERY_PROCESSED) {
907  return query_formerr(q);
908  }
909  }
910  /* process tsig */
911  rcode = query_process_tsig(q);
912  if (rcode != LDNS_RCODE_NOERROR) {
913  return query_error(q, rcode);
914  }
915  /* process edns */
916  rcode = query_process_edns(q);
917  if (rcode != LDNS_RCODE_NOERROR) {
918  /* We should not return FORMERR, but BADVERS (=16).
919  * BADVERS is created with Ext. RCODE, followed by RCODE.
920  * Ext. RCODE is set to 1, RCODE must be 0 (getting 0x10 = 16).
921  * Thus RCODE = NOERROR = NSD_RC_OK. */
922  return query_error(q, LDNS_RCODE_NOERROR);
923  }
924  /* handle incoming request */
925  ldns_pkt_free(pkt);
926  switch (opcode) {
927  case LDNS_PACKET_NOTIFY:
928  return query_process_notify(q, qtype, engine);
929  case LDNS_PACKET_QUERY:
930  return query_process_query(q, qtype, engine);
931  case LDNS_PACKET_UPDATE:
932  return query_process_update(q);
933  default:
934  break;
935  }
936  return query_notimpl(q);
937 }
938 
939 
944 static int
945 query_overflow(query_type* q)
946 {
947  ods_log_assert(q);
948  ods_log_assert(q->buffer);
949  return buffer_position(q->buffer) > (q->maxlen - q->reserved_space);
950 }
951 
952 
957 void
959 {
960  edns_data_type* edns = NULL;
961  if (!q || !engine) {
962  return;
963  }
965  if (q->edns_rr) {
966  edns = &engine->edns;
967  switch (q->edns_rr->status) {
968  case EDNS_NOT_PRESENT:
969  break;
970  case EDNS_OK:
971  ods_log_debug("[%s] add edns opt ok", query_str);
972  if (q->edns_rr->dnssec_ok) {
973  edns->ok[7] = 0x80;
974  } else {
975  edns->ok[7] = 0x00;
976  }
977  buffer_write(q->buffer, edns->ok, OPT_LEN);
978  /* fill with NULLs */
981  buffer_pkt_arcount(q->buffer) + 1);
982  break;
983  case EDNS_ERROR:
984  ods_log_debug("[%s] add edns opt err", query_str);
985  if (q->edns_rr->dnssec_ok) {
986  edns->ok[7] = 0x80;
987  } else {
988  edns->ok[7] = 0x00;
989  }
990  buffer_write(q->buffer, edns->error, OPT_LEN);
993  buffer_pkt_arcount(q->buffer) + 1);
994  break;
995  default:
996  break;
997  }
998  }
999 
1001  if (!q->tsig_rr) {
1002  return;
1003  }
1004  if (q->tsig_rr->status != TSIG_NOT_PRESENT) {
1005 
1006  if (q->tsig_rr->status == TSIG_ERROR ||
1007  q->tsig_rr->error_code != LDNS_RCODE_NOERROR) {
1008  ods_log_debug("[%s] add tsig err", query_str);
1009  tsig_rr_error(q->tsig_rr);
1010  tsig_rr_append(q->tsig_rr, q->buffer);
1012  buffer_pkt_arcount(q->buffer)+1);
1013  } else if (q->tsig_rr->status == TSIG_OK &&
1014  q->tsig_rr->error_code == LDNS_RCODE_NOERROR) {
1015  ods_log_debug("[%s] add tsig ok", query_str);
1016  if (q->tsig_prepare_it)
1018  if (q->tsig_update_it)
1019  tsig_rr_update(q->tsig_rr, q->buffer,
1020  buffer_position(q->buffer));
1021  if (q->tsig_sign_it) {
1022  tsig_rr_sign(q->tsig_rr);
1023  tsig_rr_append(q->tsig_rr, q->buffer);
1025  buffer_pkt_arcount(q->buffer)+1);
1026  }
1027  }
1028  }
1029 }
1030 
1031 
1036 int
1037 query_add_rr(query_type* q, ldns_rr* rr)
1038 {
1039  size_t i = 0;
1040  size_t tc_mark = 0;
1041  size_t rdlength_pos = 0;
1042  uint16_t rdlength = 0;
1043 
1044  ods_log_assert(q);
1045  ods_log_assert(q->buffer);
1046  ods_log_assert(rr);
1047 
1048  /* set truncation mark, in case rr does not fit */
1049  tc_mark = buffer_position(q->buffer);
1050  /* owner type class ttl */
1051  if (!buffer_available(q->buffer, ldns_rdf_size(ldns_rr_owner(rr)))) {
1052  goto query_add_rr_tc;
1053  }
1054  buffer_write_rdf(q->buffer, ldns_rr_owner(rr));
1055  if (!buffer_available(q->buffer, sizeof(uint16_t) + sizeof(uint16_t) +
1056  sizeof(uint32_t) + sizeof(rdlength))) {
1057  goto query_add_rr_tc;
1058  }
1059  buffer_write_u16(q->buffer, (uint16_t) ldns_rr_get_type(rr));
1060  buffer_write_u16(q->buffer, (uint16_t) ldns_rr_get_class(rr));
1061  buffer_write_u32(q->buffer, (uint32_t) ldns_rr_ttl(rr));
1062  /* skip rdlength */
1063  rdlength_pos = buffer_position(q->buffer);
1064  buffer_skip(q->buffer, sizeof(rdlength));
1065  /* write rdata */
1066  for (i=0; i < ldns_rr_rd_count(rr); i++) {
1067  if (!buffer_available(q->buffer, ldns_rdf_size(ldns_rr_rdf(rr, i)))) {
1068  goto query_add_rr_tc;
1069  }
1070  buffer_write_rdf(q->buffer, ldns_rr_rdf(rr, i));
1071  }
1072 
1073  if (!query_overflow(q)) {
1074  /* write rdlength */
1075  rdlength = buffer_position(q->buffer) - rdlength_pos - sizeof(rdlength);
1076  buffer_write_u16_at(q->buffer, rdlength_pos, rdlength);
1077  /* position updated by buffer_write() */
1078  return 1;
1079  }
1080 
1081 query_add_rr_tc:
1082  buffer_set_position(q->buffer, tc_mark);
1083  ods_log_assert(!query_overflow(q));
1084  return 0;
1085 
1086 }
1087 
1088 
1093 void
1095 {
1096  if (!q) {
1097  return;
1098  }
1099  if (q->axfr_fd) {
1100  ods_fclose(q->axfr_fd);
1101  q->axfr_fd = NULL;
1102  }
1103  buffer_cleanup(q->buffer);
1106  free(q);
1107 }
edns_data_type edns
Definition: engine.h:66
void edns_rr_cleanup(edns_rr_type *err)
Definition: edns.c:170
ldns_pkt_opcode buffer_pkt_opcode(buffer_type *buffer)
Definition: buffer.c:846
query_type * query_create(void)
Definition: query.c:48
void tsig_rr_update(tsig_rr_type *trr, buffer_type *buffer, size_t length)
Definition: tsig.c:557
size_t maxlen
Definition: query.h:64
zonelist_type * zonelist
Definition: engine.h:60
tsig_status status
Definition: tsig.h:124
size_t rr_count
Definition: rrset.h:65
int edns_rr_parse(edns_rr_type *err, buffer_type *buffer)
Definition: edns.c:107
int buffer_pkt_rd(buffer_type *buffer)
Definition: buffer.c:906
unsigned tsig_sign_it
Definition: query.h:88
const char * rrset_type2str(ldns_rr_type type)
Definition: rrset.c:158
int tcp
Definition: query.h:71
void query_cleanup(query_type *q)
Definition: query.c:1094
void * config
Definition: adapter.h:61
tsig_rr_type * tsig_rr
Definition: query.h:67
#define UDP_MAX_MESSAGE_LEN
Definition: query.h:42
int tsig_rr_parse(tsig_rr_type *trr, buffer_type *buffer)
Definition: tsig.c:321
uint16_t buffer_pkt_arcount(buffer_type *buffer)
Definition: buffer.c:1066
zone_type * zone
Definition: query.h:77
#define BUFFER_PKT_HEADER_SIZE
Definition: buffer.h:43
uint16_t error_code
Definition: tsig.h:142
void edns_rr_reset(edns_rr_type *err)
Definition: edns.c:90
collection_t rrsigs
Definition: rrset.h:66
const char * query_str
Definition: query.c:40
uint32_t serial_notify
Definition: xfrd.h:111
unsigned tsig_update_it
Definition: query.h:87
uint16_t buffer_pkt_qdcount(buffer_type *buffer)
Definition: buffer.c:994
#define OPT_RDATA
Definition: edns.h:44
void buffer_skip(buffer_type *buffer, ssize_t count)
Definition: buffer.c:150
void buffer_pkt_set_flags(buffer_type *buffer, uint16_t flags)
Definition: buffer.c:798
uint16_t buffer_read_u16(buffer_type *buffer)
Definition: buffer.c:721
int buffer_skip_rr(buffer_type *buffer, unsigned qrr)
Definition: buffer.c:342
void buffer_pkt_set_qdcount(buffer_type *buffer, uint16_t count)
Definition: buffer.c:1006
void buffer_clear(buffer_type *buffer)
Definition: buffer.c:99
time_t serial_notify_acquired
Definition: xfrd.h:117
size_t rrset_count
Definition: query.h:97
lock_basic_type zone_lock
Definition: zone.h:86
size_t position
Definition: edns.h:78
adapter_mode type
Definition: adapter.h:58
zone_zl_status zl_status
Definition: zone.h:70
size_t reserved_space
Definition: query.h:65
void query_reset(query_type *q, size_t maxlen, int is_tcp)
Definition: query.c:80
int buffer_pkt_qr(buffer_type *buffer)
Definition: buffer.c:810
edns_rr_type * edns_rr
Definition: query.h:69
int dnssec_ok
Definition: edns.h:80
void tsig_rr_reset(tsig_rr_type *trr, tsig_algo_type *algo, tsig_key_type *key)
Definition: tsig.c:291
void tsig_rr_append(tsig_rr_type *trr, buffer_type *buffer)
Definition: tsig.c:670
unsigned tsig_prepare_it
Definition: query.h:86
void buffer_write(buffer_type *buffer, const void *data, size_t count)
Definition: buffer.c:538
struct sockaddr_storage addr
Definition: query.h:61
rrset_type * rrsets[QUERY_RESPONSE_MAX_RRSET]
Definition: query.h:99
lock_basic_type serial_lock
Definition: xfrd.h:97
uint8_t * buffer_current(buffer_type *buffer)
Definition: buffer.c:438
adapter_type * adoutbound
Definition: zone.h:73
uint16_t buffer_pkt_ancount(buffer_type *buffer)
Definition: buffer.c:1018
size_t buffer_limit(buffer_type *buffer)
Definition: buffer.c:373
tsig_rr_type * tsig_rr_create()
Definition: tsig.c:273
void tsig_rr_prepare(tsig_rr_type *trr)
Definition: tsig.c:535
void buffer_pkt_set_ancount(buffer_type *buffer, uint16_t count)
Definition: buffer.c:1030
const char * tsig_status2str(tsig_status status)
Definition: tsig.c:757
void buffer_pkt_set_nscount(buffer_type *buffer, uint16_t count)
Definition: buffer.c:1054
void buffer_set_limit(buffer_type *buffer, size_t limit)
Definition: buffer.c:385
void buffer_cleanup(buffer_type *buffer)
Definition: buffer.c:1145
zone_type * zonelist_lookup_zone_by_dname(zonelist_type *zonelist, ldns_rdf *dname, ldns_rr_class klass)
Definition: zonelist.c:182
edns_rr_type * edns_rr_create()
Definition: edns.c:50
acl_type * provide_xfr
Definition: addns.h:62
uint16_t buffer_pkt_flags(buffer_type *buffer)
Definition: buffer.c:786
query_state axfr(query_type *q, engine_type *engine, int fallback)
Definition: axfr.c:152
ldns_rr * rr
Definition: rrset.h:45
Definition: edns.h:66
Definition: tsig.h:57
void tsig_rr_cleanup(tsig_rr_type *trr)
Definition: tsig.c:830
adapter_type * adinbound
Definition: zone.h:72
size_t buffer_capacity(buffer_type *buffer)
Definition: buffer.c:401
int buffer_skip_dname(buffer_type *buffer)
Definition: buffer.c:310
acl_type * allow_notify
Definition: addns.h:51
uint32_t buffer_read_u32(buffer_type *buffer)
Definition: buffer.c:736
void query_add_optional(query_type *q, engine_type *engine)
Definition: query.c:958
void buffer_pkt_set_opcode(buffer_type *buffer, ldns_pkt_opcode opcode)
Definition: buffer.c:858
uint32_t serial
Definition: query.h:82
enum query_enum query_state
Definition: query.h:52
buffer_type * buffer
Definition: query.h:73
#define PACKET_BUFFER_SIZE
Definition: buffer.h:50
#define EDNS_MAX_MESSAGE_LEN
Definition: edns.h:47
int tsig_rr_verify(tsig_rr_type *trr)
Definition: tsig.c:648
void buffer_write_u16(buffer_type *buffer, uint16_t data)
Definition: buffer.c:565
query_state query_process(query_type *q, engine_type *engine)
Definition: query.c:840
void buffer_write_u32(buffer_type *buffer, uint32_t data)
Definition: buffer.c:578
void buffer_pkt_set_aa(buffer_type *buffer)
Definition: buffer.c:882
void tsig_rr_error(tsig_rr_type *trr)
Definition: tsig.c:740
size_t startpos
Definition: query.h:83
unsigned axfr_is_done
Definition: query.h:85
int buffer_pkt_aa(buffer_type *buffer)
Definition: buffer.c:870
query_state ixfr(query_type *q, engine_type *engine)
Definition: axfr.c:389
ldns_rr * rr
Definition: rrset.h:52
uint16_t buffer_pkt_nscount(buffer_type *buffer)
Definition: buffer.c:1042
acl_type * acl_find(acl_type *acl, struct sockaddr_storage *addr, tsig_rr_type *trr)
Definition: acl.c:437
rrset_type * zone_lookup_rrset(zone_type *zone, ldns_rdf *owner, ldns_rr_type type)
Definition: zone.c:557
size_t position
Definition: tsig.h:125
void buffer_write_u16_at(buffer_type *buffer, size_t at, uint16_t data)
Definition: buffer.c:512
void buffer_set_position(buffer_type *buffer, size_t pos)
Definition: buffer.c:137
socklen_t addrlen
Definition: query.h:62
void xfrd_set_timer_now(xfrd_type *xfrd)
Definition: xfrd.c:454
int buffer_available(buffer_type *buffer, size_t count)
Definition: buffer.c:487
size_t maxlen
Definition: edns.h:79
int buffer_pkt_ad(buffer_type *buffer)
Definition: buffer.c:930
const char * name
Definition: zone.h:67
int tsig_rr_lookup(tsig_rr_type *trr)
Definition: tsig.c:467
size_t buffer_remaining(buffer_type *buffer)
Definition: buffer.c:463
void buffer_pkt_set_rcode(buffer_type *buffer, ldns_pkt_rcode rcode)
Definition: buffer.c:966
#define OPT_LEN
Definition: edns.h:43
query_state soa_request(query_type *q, engine_type *engine)
Definition: axfr.c:53
void buffer_write_rdf(buffer_type *buffer, ldns_rdf *rdf)
Definition: buffer.c:591
int buffer_pkt_ra(buffer_type *buffer)
Definition: buffer.c:918
void tsig_rr_sign(tsig_rr_type *trr)
Definition: tsig.c:627
void query_prepare(query_type *q)
Definition: query.c:610
int query_add_rr(query_type *q, ldns_rr *rr)
Definition: query.c:1037
size_t edns_rr_reserved_space(edns_rr_type *err)
Definition: edns.c:160
size_t buffer_position(buffer_type *buffer)
Definition: buffer.c:125
FILE * axfr_fd
Definition: query.h:81
unsigned char error[OPT_LEN]
Definition: edns.h:56
unsigned char ok[OPT_LEN]
Definition: edns.h:55
void buffer_pkt_set_arcount(buffer_type *buffer, uint16_t count)
Definition: buffer.c:1078
edns_status status
Definition: edns.h:77
int buffer_pkt_cd(buffer_type *buffer)
Definition: buffer.c:942
xfrd_type * xfrd
Definition: zone.h:80
ldns_pkt_section sections[QUERY_RESPONSE_MAX_RRSET]
Definition: query.h:98
void dnshandler_fwd_notify(dnshandler_type *dnshandler, uint8_t *pkt, size_t len)
Definition: dnshandler.c:240
int addr2ip(struct sockaddr_storage addr, char *ip, size_t len)
Definition: acl.c:416
ldns_rdf * apex
Definition: zone.h:59
lock_basic_type zl_lock
Definition: zonelist.h:50
unsigned char rdata_none[OPT_RDATA]
Definition: edns.h:57
void buffer_pkt_set_qr(buffer_type *buffer)
Definition: buffer.c:822
uint8_t * buffer_begin(buffer_type *buffer)
Definition: buffer.c:426
uint32_t serial_disk
Definition: xfrd.h:113
ldns_pkt_rcode buffer_pkt_rcode(buffer_type *buffer)
Definition: buffer.c:954
buffer_type * buffer_create(size_t capacity)
Definition: buffer.c:78
dnshandler_type * dnshandler
Definition: engine.h:64
int buffer_pkt_tc(buffer_type *buffer)
Definition: buffer.c:894
size_t tsig_rr_reserved_space(tsig_rr_type *trr)
Definition: tsig.c:711
rr_type * rrs
Definition: rrset.h:64