833
rpz_log(ns_client_t *client) {
834
char namebuf1[DNS_NAME_FORMATSIZE];
835
char namebuf2[DNS_NAME_FORMATSIZE];
834
rpz_log_rewrite(ns_client_t *client, const char *disabled,
835
dns_rpz_policy_t policy, dns_rpz_type_t type,
836
dns_name_t *rpz_qname) {
837
char qname_buf[DNS_NAME_FORMATSIZE];
838
char rpz_qname_buf[DNS_NAME_FORMATSIZE];
839
if (!ns_g_server->log_queries ||
840
!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
840
if (!isc_log_wouldlog(ns_g_lctx, DNS_RPZ_INFO_LEVEL))
843
st = client->query.rpz_st;
844
dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
845
dns_name_format(st->qname, namebuf2, sizeof(namebuf2));
843
dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf));
844
dns_name_format(rpz_qname, rpz_qname_buf, sizeof(rpz_qname_buf));
847
switch (st->m.policy) {
848
case DNS_RPZ_POLICY_NO_OP:
849
pat ="response policy %s rewrite %s NO-OP using %s";
851
case DNS_RPZ_POLICY_NXDOMAIN:
852
pat = "response policy %s rewrite %s to NXDOMAIN using %s";
854
case DNS_RPZ_POLICY_NODATA:
855
pat = "response policy %s rewrite %s to NODATA using %s";
857
case DNS_RPZ_POLICY_RECORD:
858
case DNS_RPZ_POLICY_CNAME:
859
pat = "response policy %s rewrite %s using %s";
864
ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
865
DNS_RPZ_INFO_LEVEL, pat, dns_rpz_type2str(st->m.type),
846
ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY,
847
DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s",
849
dns_rpz_type2str(type), dns_rpz_policy2str(policy),
850
qname_buf, rpz_qname_buf);
870
rpz_fail_log(ns_client_t *client, int level, dns_rpz_type_t rpz_type,
871
dns_name_t *name, const char *str, isc_result_t result)
854
rpz_log_fail(ns_client_t *client, int level,
855
dns_rpz_type_t rpz_type, dns_name_t *name,
856
const char *str, isc_result_t result)
873
858
char namebuf1[DNS_NAME_FORMATSIZE];
874
859
char namebuf2[DNS_NAME_FORMATSIZE];
876
if (!ns_g_server->log_queries || !isc_log_wouldlog(ns_g_lctx, level))
861
if (!isc_log_wouldlog(ns_g_lctx, level))
879
864
dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1));
880
865
dns_name_format(name, namebuf2, sizeof(namebuf2));
881
866
ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS,
882
867
NS_LOGMODULE_QUERY, level,
883
"response policy %s rewrite %s via %s %sfailed: %s",
868
"rpz %s rewrite %s via %s %sfailed: %s",
884
869
dns_rpz_type2str(rpz_type),
885
870
namebuf1, namebuf2, str, isc_result_totext(result));
901
885
result = query_getzonedb(client, rpz_qname, dns_rdatatype_any,
902
886
DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version);
903
887
if (result == ISC_R_SUCCESS) {
904
if (ns_g_server->log_queries &&
905
isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) {
888
if (isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) {
906
889
dns_name_format(client->query.qname, namebuf1,
907
890
sizeof(namebuf1));
908
891
dns_name_format(rpz_qname, namebuf2, sizeof(namebuf2));
909
ns_client_log(client, NS_LOGCATEGORY_QUERIES,
892
ns_client_log(client, DNS_LOGCATEGORY_RPZ,
910
893
NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2,
911
894
"try rpz %s rewrite %s via %s",
912
895
dns_rpz_type2str(rpz_type),
3798
3822
rpz_st_clear(ns_client_t *client) {
3799
3823
dns_rpz_st_t *st = client->query.rpz_st;
3801
rpz_clean(&st->m.zone, &st->m.db, &st->m.node, NULL);
3802
3825
if (st->m.rdataset != NULL)
3803
3826
query_putrdataset(client, &st->m.rdataset);
3827
rpz_match_clear(st);
3805
rpz_clean(NULL, &st->ns.db, NULL, NULL);
3806
if (st->ns.ns_rdataset != NULL)
3807
query_putrdataset(client, &st->ns.ns_rdataset);
3808
if (st->ns.r_rdataset != NULL)
3809
query_putrdataset(client, &st->ns.r_rdataset);
3829
rpz_clean(NULL, &st->r.db, NULL, NULL);
3830
if (st->r.ns_rdataset != NULL)
3831
query_putrdataset(client, &st->r.ns_rdataset);
3832
if (st->r.r_rdataset != NULL)
3833
query_putrdataset(client, &st->r.r_rdataset);
3811
3835
rpz_clean(&st->q.zone, &st->q.db, &st->q.node, NULL);
3812
3836
if (st->q.rdataset != NULL)
3814
3838
if (st->q.sigrdataset != NULL)
3815
3839
query_putrdataset(client, &st->q.sigrdataset);
3841
st->m.type = DNS_RPZ_TYPE_BAD;
3842
st->m.policy = DNS_RPZ_POLICY_MISS;
3820
* Get NS, A, or AAAA rrset for rpz nsdname or nsip checking.
3846
* Get NS, A, or AAAA rrset for response policy zone checks.
3822
3848
static isc_result_t
3823
rpz_ns_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type,
3824
dns_db_t **dbp, dns_dbversion_t *version,
3825
dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
3849
rpz_rrset_find(ns_client_t *client, dns_rpz_type_t rpz_type,
3850
dns_name_t *name, dns_rdatatype_t type,
3851
dns_db_t **dbp, dns_dbversion_t *version,
3852
dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
3827
3854
dns_rpz_st_t *st;
3828
3855
isc_boolean_t is_zone;
3834
3861
st = client->query.rpz_st;
3835
3862
if ((st->state & DNS_RPZ_RECURSING) != 0) {
3836
INSIST(st->ns.r_type == type);
3863
INSIST(st->r.r_type == type);
3837
3864
INSIST(dns_name_equal(name, st->r_name));
3838
3865
INSIST(*rdatasetp == NULL ||
3839
3866
!dns_rdataset_isassociated(*rdatasetp));
3840
3867
st->state &= ~DNS_RPZ_RECURSING;
3843
3870
if (*rdatasetp != NULL)
3844
3871
query_putrdataset(client, rdatasetp);
3845
*rdatasetp = st->ns.r_rdataset;
3846
st->ns.r_rdataset = NULL;
3847
result = st->ns.r_result;
3872
*rdatasetp = st->r.r_rdataset;
3873
st->r.r_rdataset = NULL;
3874
result = st->r.r_result;
3848
3875
if (result == DNS_R_DELEGATION) {
3849
rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL,
3850
DNS_RPZ_TYPE_NSIP, name,
3851
"rpz_ns_find() ", result);
3876
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
3878
"rpz_rrset_find(1) ", result);
3852
3879
st->m.policy = DNS_RPZ_POLICY_ERROR;
3853
3880
result = DNS_R_SERVFAIL;
3902
3929
rpz_clean(NULL, dbp, &node, NULL);
3903
3930
if (result == DNS_R_DELEGATION) {
3905
* Recurse to get NS rrset or A or AAAA rrset for an NS name.
3907
3931
rpz_clean(NULL, NULL, NULL, rdatasetp);
3908
dns_name_copy(name, st->r_name, NULL);
3909
result = query_recurse(client, type, st->r_name, NULL, NULL,
3911
if (result == ISC_R_SUCCESS) {
3912
st->state |= DNS_RPZ_RECURSING;
3913
result = DNS_R_DELEGATION;
3933
* Recurse for NS rrset or A or AAAA rrset for an NS.
3934
* Do not recurse for addresses for the query name.
3936
if (rpz_type == DNS_RPZ_TYPE_IP) {
3937
result = DNS_R_NXRRSET;
3939
dns_name_copy(name, st->r_name, NULL);
3940
result = query_recurse(client, type, st->r_name,
3941
NULL, NULL, resuming);
3942
if (result == ISC_R_SUCCESS) {
3943
st->state |= DNS_RPZ_RECURSING;
3944
result = DNS_R_DELEGATION;
3916
3948
return (result);
3942
for (new_rpz = ISC_LIST_HEAD(client->view->rpz_zones);
3944
new_rpz = ISC_LIST_NEXT(new_rpz, link)) {
3974
for (rpz = ISC_LIST_HEAD(client->view->rpz_zones);
3976
rpz = ISC_LIST_NEXT(rpz, link)) {
3977
if (!RECURSIONOK(client) && rpz->recursive_only)
3981
* Do not check policy zones that cannot replace a policy
3982
* already known to match.
3984
if (st->m.policy != DNS_RPZ_POLICY_MISS) {
3985
if (st->m.rpz->num < rpz->num)
3987
if (st->m.rpz->num == rpz->num &&
3988
st->m.type < rpz_type)
3993
* Find the database for this policy zone to get its radix tree.
3945
3995
version = NULL;
3948
* Find the database for this policy zone to get its
3951
result = rpz_getdb(client, rpz_type, &new_rpz->origin,
3996
result = rpz_getdb(client, rpz_type, &rpz->origin,
3952
3997
&zone, &db, &version);
3953
3998
if (result != ISC_R_SUCCESS) {
3954
3999
rpz_clean(&zone, &db, NULL, NULL);
3960
4005
* hit, if any. Note the domain name and quality of the
3963
result = dns_db_rpz_findips(new_rpz, rpz_type, zone, db,
3964
version, rdataset, st);
3965
RUNTIME_CHECK(result == ISC_R_SUCCESS);
4008
dns_db_rpz_findips(rpz, rpz_type, zone, db, version,
4009
rdataset, st, client->query.rpz_st->qname);
3966
4010
rpz_clean(&zone, &db, NULL, NULL);
3968
4012
return (ISC_R_SUCCESS);
4016
* Look for an A or AAAA rdataset
4017
* and check for IP or NSIP rewrite policy rules.
3971
4019
static isc_result_t
3972
rpz_rewrite_nsip(ns_client_t *client, dns_rdatatype_t type, dns_name_t *name,
3973
dns_db_t **dbp, dns_dbversion_t *version,
3974
dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
4020
rpz_rewrite_rrset(ns_client_t *client, dns_rpz_type_t rpz_type,
4021
dns_rdatatype_t type, dns_name_t *name,
4022
dns_db_t **dbp, dns_dbversion_t *version,
4023
dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
3976
4025
isc_result_t result;
3978
result = rpz_ns_find(client, name, type, dbp, version, rdatasetp,
4027
result = rpz_rrset_find(client, rpz_type, name, type, dbp, version,
4028
rdatasetp, resuming);
3980
4029
switch (result) {
3981
4030
case ISC_R_SUCCESS:
3982
result = rpz_rewrite_ip(client, *rdatasetp, DNS_RPZ_TYPE_NSIP);
4031
result = rpz_rewrite_ip(client, *rdatasetp, rpz_type);
3984
4033
case DNS_R_EMPTYNAME:
3985
4034
case DNS_R_EMPTYWILD:
4064
* Look for both A and AAAA rdatasets
4065
* and check for IP or NSIP rewrite policy rules.
4066
* Look only for addresses that will be in the ANSWER section
4067
* when checking for IP rules.
4070
rpz_rewrite_rrsets(ns_client_t *client, dns_rpz_type_t rpz_type,
4071
dns_name_t *name, dns_rdatatype_t type,
4072
dns_rdataset_t **rdatasetp, isc_boolean_t resuming)
4075
dns_dbversion_t *version;
4077
isc_result_t result;
4079
st = client->query.rpz_st;
4082
if ((st->state & DNS_RPZ_DONE_IPv4) == 0 &&
4083
((rpz_type == DNS_RPZ_TYPE_NSIP) ?
4084
(st->state & DNS_RPZ_HAVE_NSIPv4) :
4085
(st->state & DNS_RPZ_HAVE_IP)) != 0 &&
4086
(type == dns_rdatatype_any || type == dns_rdatatype_a)) {
4087
result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_a,
4088
name, &ipdb, version, rdatasetp,
4090
if (result == ISC_R_SUCCESS)
4091
st->state |= DNS_RPZ_DONE_IPv4;
4093
result = ISC_R_SUCCESS;
4095
if (result == ISC_R_SUCCESS &&
4096
((rpz_type == DNS_RPZ_TYPE_NSIP) ?
4097
(st->state & DNS_RPZ_HAVE_NSIPv6) :
4098
(st->state & DNS_RPZ_HAVE_IP)) != 0 &&
4099
(type == dns_rdatatype_any || type == dns_rdatatype_aaaa)) {
4100
result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_aaaa,
4101
name, &ipdb, version, rdatasetp,
4105
dns_db_detach(&ipdb);
4008
4110
* Get the rrset from a response policy zone.
4010
4112
static isc_result_t
4011
4113
rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef,
4012
dns_name_t *sname, dns_rpz_type_t rpz_type, dns_zone_t **zonep,
4013
dns_db_t **dbp, dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
4114
dns_name_t *sname, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
4115
dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp,
4116
dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp,
4014
4117
dns_rpz_policy_t *policyp)
4016
dns_dbversion_t *version;
4017
4119
dns_rpz_policy_t policy;
4018
4120
dns_fixedname_t fixed;
4019
4121
dns_name_t *found;
4039
4141
dns_fixedname_init(&fixed);
4040
4142
found = dns_fixedname_name(&fixed);
4041
result = dns_db_find(*dbp, qnamef, version, dns_rdatatype_any, 0,
4143
result = dns_db_find(*dbp, qnamef, *versionp, dns_rdatatype_any, 0,
4042
4144
client->now, nodep, found, *rdatasetp, NULL);
4043
4145
if (result == ISC_R_SUCCESS) {
4044
4146
dns_rdatasetiter_t *rdsiter;
4046
4148
rdsiter = NULL;
4047
result = dns_db_allrdatasets(*dbp, *nodep, version, 0,
4149
result = dns_db_allrdatasets(*dbp, *nodep, *versionp, 0,
4049
4151
if (result != ISC_R_SUCCESS) {
4050
4152
dns_db_detachnode(*dbp, nodep);
4051
rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
4052
qnamef, "allrdatasets()", result);
4153
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type,
4154
qnamef, "allrdatasets() ", result);
4053
4155
*policyp = DNS_RPZ_POLICY_ERROR;
4054
4156
return (DNS_R_SERVFAIL);
4211
4330
return (DNS_R_SERVFAIL);
4214
* when more than one name or address hits a rule,
4215
* prefer the first set of names (qname or NS),
4216
* the first policy zone, and the smallest name
4218
if (st->m.type == rpz_type &&
4219
rpz->num > st->m.rpz->num &&
4220
0 <= dns_name_compare(rpz_qname, st->qname))
4222
rpz_clean(&st->m.zone, &st->m.db, &st->m.node,
4333
* We are dealing with names here.
4334
* With more than one applicable policy, prefer
4335
* the earliest configured policy,
4336
* QNAME over IP over NSDNAME over NSIP,
4337
* and the smallest name.
4338
* Because of the testing above,
4339
* we known st->m.rpz->num >= rpz->num and either
4340
* st->m.rpz->num > rpz->num or st->m.type >= rpz_type
4342
if (st->m.policy != DNS_RPZ_POLICY_MISS &&
4343
rpz->num == st->m.rpz->num &&
4344
(st->m.type < rpz_type ||
4345
(st->m.type == rpz_type &&
4346
0 >= dns_name_compare(rpz_qname, st->qname))))
4350
* Merely log DNS_RPZ_POLICY_DISABLED hits.
4352
if (rpz->policy == DNS_RPZ_POLICY_DISABLED) {
4353
rpz_log_rewrite(client, "disabled ",
4354
policy, rpz_type, rpz_qname);
4358
rpz_match_clear(st);
4224
4359
st->m.rpz = rpz;
4225
4360
st->m.type = rpz_type;
4226
4361
st->m.prefix = 0;
4227
4362
st->m.policy = policy;
4228
4363
st->m.result = result;
4229
4364
dns_name_copy(rpz_qname, st->qname, NULL);
4230
if (dns_rdataset_isassociated(*rdatasetp)) {
4365
if (*rdatasetp != NULL &&
4366
dns_rdataset_isassociated(*rdatasetp)) {
4231
4367
dns_rdataset_t *trdataset;
4233
4369
trdataset = st->m.rdataset;
4234
4370
st->m.rdataset = *rdatasetp;
4235
4371
*rdatasetp = trdataset;
4236
st->m.ttl = st->m.rdataset->ttl;
4372
st->m.ttl = ISC_MIN(st->m.rdataset->ttl,
4373
rpz->max_policy_ttl);
4238
st->m.ttl = DNS_RPZ_TTL_DEFAULT;
4375
st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT,
4376
rpz->max_policy_ttl);
4240
4378
st->m.node = node;
4382
st->m.version = version;
4244
4383
st->m.zone = zone;
4250
4389
return (ISC_R_SUCCESS);
4393
rpz_rewrite_ns_skip(ns_client_t *client, dns_name_t *nsname,
4394
isc_result_t result, int level, const char *str)
4398
st = client->query.rpz_st;
4401
rpz_log_fail(client, level, DNS_RPZ_TYPE_NSIP, nsname,
4403
if (st->r.ns_rdataset != NULL &&
4404
dns_rdataset_isassociated(st->r.ns_rdataset))
4405
dns_rdataset_disassociate(st->r.ns_rdataset);
4254
* Look for response policy zone NSIP and NSDNAME rewriting.
4411
* Look for response policy zone QNAME, NSIP, and NSDNAME rewriting.
4256
4413
static isc_result_t
4257
rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype,
4414
rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
4258
4415
isc_boolean_t resuming)
4260
4417
dns_rpz_st_t *st;
4262
4418
dns_rdataset_t *rdataset;
4263
4419
dns_fixedname_t nsnamef;
4264
4420
dns_name_t *nsname;
4265
dns_dbversion_t *version;
4421
isc_boolean_t ck_ip;
4266
4422
isc_result_t result;
4271
4424
st = client->query.rpz_st;
4272
4425
if (st == NULL) {
4273
4426
st = isc_mem_get(client->mctx, sizeof(*st));
4285
4440
st->fname = dns_fixedname_name(&st->_fnamef);
4286
4441
client->query.rpz_st = st;
4445
* There is nothing to rewrite if the main query failed.
4453
case DNS_R_EMPTYNAME:
4455
case DNS_R_NXDOMAIN:
4456
case DNS_R_EMPTYWILD:
4457
case DNS_R_NCACHENXDOMAIN:
4458
case DNS_R_NCACHENXRRSET:
4463
case DNS_R_DELEGATION:
4464
case ISC_R_NOTFOUND:
4465
return (ISC_R_SUCCESS);
4467
case ISC_R_TIMEDOUT:
4468
case DNS_R_BROKENCHAIN:
4469
rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, DNS_RPZ_TYPE_QNAME,
4470
client->query.qname,
4471
"stop on qresult in rpz_rewrite() ",
4473
return (ISC_R_SUCCESS);
4475
rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, DNS_RPZ_TYPE_QNAME,
4476
client->query.qname,
4477
"stop on unrecognized qresult in rpz_rewrite() ",
4479
return (ISC_R_SUCCESS);
4288
4483
if ((st->state & DNS_RPZ_DONE_QNAME) == 0) {
4289
st->state = DNS_RPZ_DONE_QNAME;
4290
st->m.type = DNS_RPZ_TYPE_BAD;
4291
st->m.policy = DNS_RPZ_POLICY_MISS;
4294
* Check rules for the name if this it the first time,
4295
* i.e. we've not been recursing.
4485
* Check rules for the query name if this it the first time
4486
* for the current qname, i.e. we've not been recursing.
4487
* There is a first time for each name in a CNAME chain.
4297
st->state &= ~(DNS_RPZ_HAVE_IP | DNS_RPZ_HAVE_NSIPv4 |
4298
DNS_RPZ_HAVE_NSIPv6 | DNS_RPZ_HAD_NSDNAME);
4299
4489
result = rpz_rewrite_name(client, qtype, client->query.qname,
4300
4490
DNS_RPZ_TYPE_QNAME, &rdataset);
4301
4491
if (result != ISC_R_SUCCESS)
4303
if (st->m.policy != DNS_RPZ_POLICY_MISS)
4305
if ((st->state & (DNS_RPZ_HAVE_NSIPv4 | DNS_RPZ_HAVE_NSIPv6 |
4306
DNS_RPZ_HAD_NSDNAME)) == 0)
4308
st->ns.label = dns_name_countlabels(client->query.qname);
4494
st->r.label = dns_name_countlabels(client->query.qname);
4496
st->state &= ~(DNS_RPZ_DONE_QNAME_IP | DNS_RPZ_DONE_IPv4);
4497
st->state |= DNS_RPZ_DONE_QNAME;
4501
* Check known IP addresses for the query name.
4502
* Any recursion required for the query has already happened.
4503
* Do not check addresses that will not be in the ANSWER section.
4505
if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 &&
4506
(st->state & DNS_RPZ_HAVE_IP) != 0 && ck_ip) {
4507
result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_IP,
4508
client->query.qname, qtype,
4509
&rdataset, resuming);
4510
if (result != ISC_R_SUCCESS)
4512
st->state &= ~DNS_RPZ_DONE_IPv4;
4513
st->state |= DNS_RPZ_DONE_QNAME_IP;
4517
* Stop looking for rules if there are none of the other kinds.
4519
if ((st->state & (DNS_RPZ_HAVE_NSIPv4 | DNS_RPZ_HAVE_NSIPv6 |
4520
DNS_RPZ_HAVE_NSDNAME)) == 0) {
4521
result = ISC_R_SUCCESS;
4311
4525
dns_fixedname_init(&nsnamef);
4312
4526
dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
4313
while (st->ns.label > 1 && st->m.policy == DNS_RPZ_POLICY_MISS) {
4314
if (st->ns.label == dns_name_countlabels(client->query.qname)) {
4527
while (st->r.label > 1) {
4529
* Get NS rrset for each domain in the current qname.
4531
if (st->r.label == dns_name_countlabels(client->query.qname)) {
4315
4532
nsname = client->query.qname;
4317
4534
nsname = dns_fixedname_name(&nsnamef);
4318
dns_name_split(client->query.qname, st->ns.label,
4535
dns_name_split(client->query.qname, st->r.label,
4321
if (st->ns.ns_rdataset == NULL ||
4322
!dns_rdataset_isassociated(st->ns.ns_rdataset)) {
4538
if (st->r.ns_rdataset == NULL ||
4539
!dns_rdataset_isassociated(st->r.ns_rdataset)) {
4323
4540
dns_db_t *db = NULL;
4324
result = rpz_ns_find(client, nsname, dns_rdatatype_ns,
4325
&db, NULL, &st->ns.ns_rdataset,
4541
result = rpz_rrset_find(client, DNS_RPZ_TYPE_NSDNAME,
4542
nsname, dns_rdatatype_ns,
4543
&db, NULL, &st->r.ns_rdataset,
4327
4545
if (db != NULL)
4328
4546
dns_db_detach(&db);
4329
if (result != ISC_R_SUCCESS) {
4330
if (result == DNS_R_DELEGATION)
4547
if (st->m.policy == DNS_RPZ_POLICY_ERROR)
4551
result = dns_rdataset_first(st->r.ns_rdataset);
4552
if (result != ISC_R_SUCCESS)
4332
if (result == DNS_R_EMPTYNAME ||
4333
result == DNS_R_NXRRSET ||
4334
result == DNS_R_EMPTYWILD ||
4335
result == DNS_R_NXDOMAIN ||
4336
result == DNS_R_NCACHENXDOMAIN ||
4337
result == DNS_R_NCACHENXRRSET ||
4338
result == DNS_R_CNAME ||
4339
result == DNS_R_DNAME) {
4340
rpz_fail_log(client,
4341
DNS_RPZ_DEBUG_LEVEL2,
4342
DNS_RPZ_TYPE_NSIP, nsname,
4343
"NS db_find() ", result);
4344
dns_rdataset_disassociate(st->ns.
4349
if (st->m.policy != DNS_RPZ_POLICY_ERROR) {
4350
rpz_fail_log(client, DNS_RPZ_INFO_LEVEL,
4351
DNS_RPZ_TYPE_NSIP, nsname,
4352
"NS db_find() ", result);
4353
st->m.policy = DNS_RPZ_POLICY_ERROR;
4554
st->state &= ~(DNS_RPZ_DONE_NSDNAME |
4557
case DNS_R_DELEGATION:
4559
case DNS_R_EMPTYNAME:
4561
case DNS_R_EMPTYWILD:
4562
case DNS_R_NXDOMAIN:
4563
case DNS_R_NCACHENXDOMAIN:
4564
case DNS_R_NCACHENXRRSET:
4565
case ISC_R_NOTFOUND:
4568
rpz_rewrite_ns_skip(client, nsname, result,
4571
case ISC_R_TIMEDOUT:
4572
case DNS_R_BROKENCHAIN:
4574
rpz_rewrite_ns_skip(client, nsname, result,
4575
DNS_RPZ_DEBUG_LEVEL3,
4579
rpz_rewrite_ns_skip(client, nsname, result,
4581
"unrecognized NS db_find() ");
4357
result = dns_rdataset_first(st->ns.ns_rdataset);
4358
if (result != ISC_R_SUCCESS)
4362
4586
* Check all NS names.
4365
4589
dns_rdata_ns_t ns;
4366
4590
dns_rdata_t nsrdata = DNS_RDATA_INIT;
4368
dns_rdataset_current(st->ns.ns_rdataset, &nsrdata);
4592
dns_rdataset_current(st->r.ns_rdataset, &nsrdata);
4369
4593
result = dns_rdata_tostruct(&nsrdata, &ns, NULL);
4370
4594
dns_rdata_reset(&nsrdata);
4371
4595
if (result != ISC_R_SUCCESS) {
4372
rpz_fail_log(client, DNS_RPZ_ERROR_LEVEL,
4596
rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL,
4373
4597
DNS_RPZ_TYPE_NSIP, nsname,
4374
4598
"rdata_tostruct() ", result);
4375
4599
st->m.policy = DNS_RPZ_POLICY_ERROR;
4378
if ((st->state & DNS_RPZ_HAD_NSDNAME) != 0) {
4603
* Do nothing about "NS ."
4605
if (dns_name_equal(&ns.name, dns_rootname)) {
4606
dns_rdata_freestruct(&ns);
4607
result = dns_rdataset_next(st->r.ns_rdataset);
4611
* Check this NS name if we did not handle it
4612
* during a previous recursion.
4614
if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0 &&
4615
(st->state & DNS_RPZ_HAVE_NSDNAME) != 0) {
4379
4616
result = rpz_rewrite_name(client, qtype,
4381
4618
DNS_RPZ_TYPE_NSDNAME,
4384
4621
dns_rdata_freestruct(&ns);
4624
st->state |= DNS_RPZ_DONE_NSDNAME;
4389
* Check all IP addresses for this NS name, but don't
4390
* bother without NSIP rules or with a NSDNAME hit.
4627
* Check all IP addresses for this NS name.
4393
if ((st->state & DNS_RPZ_HAVE_NSIPv4) != 0 &&
4394
st->m.type != DNS_RPZ_TYPE_NSDNAME &&
4395
(st->state & DNS_RPZ_DONE_A) == 0) {
4396
result = rpz_rewrite_nsip(client,
4401
if (result == ISC_R_SUCCESS)
4402
st->state |= DNS_RPZ_DONE_A;
4404
if (result == ISC_R_SUCCESS &&
4405
(st->state & DNS_RPZ_HAVE_NSIPv6) != 0 &&
4406
st->m.type != DNS_RPZ_TYPE_NSDNAME) {
4407
result = rpz_rewrite_nsip(client,
4629
result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_NSIP,
4630
&ns.name, dns_rdatatype_any,
4631
&rdataset, resuming);
4413
4632
dns_rdata_freestruct(&ns);
4415
dns_db_detach(&ipdb);
4416
4633
if (result != ISC_R_SUCCESS)
4418
st->state &= ~DNS_RPZ_DONE_A;
4419
result = dns_rdataset_next(st->ns.ns_rdataset);
4635
st->state &= ~(DNS_RPZ_DONE_NSDNAME |
4637
result = dns_rdataset_next(st->r.ns_rdataset);
4420
4638
} while (result == ISC_R_SUCCESS);
4421
dns_rdataset_disassociate(st->ns.ns_rdataset);
4639
dns_rdataset_disassociate(st->r.ns_rdataset);
4431
4649
if (st->m.policy != DNS_RPZ_POLICY_MISS &&
4432
st->m.policy != DNS_RPZ_POLICY_NO_OP &&
4433
4650
st->m.policy != DNS_RPZ_POLICY_ERROR &&
4434
4651
st->m.rpz->policy != DNS_RPZ_POLICY_GIVEN)
4435
4652
st->m.policy = st->m.rpz->policy;
4436
if (st->m.policy == DNS_RPZ_POLICY_NO_OP)
4438
4653
if (st->m.policy == DNS_RPZ_POLICY_MISS ||
4439
st->m.policy == DNS_RPZ_POLICY_NO_OP ||
4440
st->m.policy == DNS_RPZ_POLICY_ERROR)
4441
rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset);
4442
if (st->m.policy != DNS_RPZ_POLICY_MISS)
4443
st->state |= DNS_RPZ_REWRITTEN;
4654
st->m.policy == DNS_RPZ_POLICY_PASSTHRU ||
4655
st->m.policy == DNS_RPZ_POLICY_ERROR) {
4656
if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU &&
4657
result != DNS_R_DELEGATION)
4658
rpz_log_rewrite(client, "", st->m.policy, st->m.type,
4660
rpz_match_clear(st);
4444
4662
if (st->m.policy == DNS_RPZ_POLICY_ERROR) {
4445
4663
st->m.type = DNS_RPZ_TYPE_BAD;
4446
4664
result = DNS_R_SERVFAIL;
4448
if (rdataset != NULL)
4449
query_putrdataset(client, &rdataset);
4450
if ((st->state & DNS_RPZ_RECURSING) == 0) {
4451
rpz_clean(NULL, &st->ns.db, NULL, &st->ns.ns_rdataset);
4666
query_putrdataset(client, &rdataset);
4667
if ((st->state & DNS_RPZ_RECURSING) == 0)
4668
rpz_clean(NULL, &st->r.db, NULL, &st->r.ns_rdataset);
4454
4670
return (result);
4674
* See if response policy zone rewriting is allowed a lack of interest
4675
* by the client in DNSSEC or a lack of signatures.
4677
static isc_boolean_t
4678
rpz_ck_dnssec(ns_client_t *client, isc_result_t result,
4679
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
4681
dns_fixedname_t fixed;
4683
dns_rdataset_t trdataset;
4684
dns_rdatatype_t type;
4686
if (client->view->rpz_break_dnssec)
4689
* sigrdataset == NULL if and only !WANTDNSSEC(client)
4691
if (sigrdataset == NULL)
4693
if (dns_rdataset_isassociated(sigrdataset))
4697
* We are happy to rewrite nothing.
4699
if (rdataset == NULL || !dns_rdataset_isassociated(rdataset))
4702
* Do not rewrite if there is any sign of signatures.
4704
if (rdataset->type == dns_rdatatype_nsec ||
4705
rdataset->type == dns_rdatatype_nsec3 ||
4706
rdataset->type == dns_rdatatype_rrsig)
4710
* Look for a signature in a negative cache rdataset.
4712
if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) == 0)
4714
dns_fixedname_init(&fixed);
4715
found = dns_fixedname_name(&fixed);
4716
dns_rdataset_init(&trdataset);
4717
for (result = dns_rdataset_first(rdataset);
4718
result == ISC_R_SUCCESS;
4719
result = dns_rdataset_next(rdataset)) {
4720
dns_ncache_current(rdataset, found, &trdataset);
4721
type = trdataset.type;
4722
dns_rdataset_disassociate(&trdataset);
4723
if (type == dns_rdatatype_nsec ||
4724
type == dns_rdatatype_nsec3 ||
4725
type == dns_rdatatype_rrsig)
4732
* Add a CNAME to the query response, including translating foo.evil.com and
4733
* *.evil.com CNAME *.example.com
4735
* foo.evil.com CNAME foo.evil.com.example.com
4738
rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
4739
dns_name_t *cname, dns_name_t *fname, isc_buffer_t *dbuf)
4741
dns_fixedname_t prefix, suffix;
4742
unsigned int labels;
4743
isc_result_t result;
4745
labels = dns_name_countlabels(cname);
4746
if (labels > 2 && dns_name_iswildcard(cname)) {
4747
dns_fixedname_init(&prefix);
4748
dns_name_split(client->query.qname, 1,
4749
dns_fixedname_name(&prefix), NULL);
4750
dns_fixedname_init(&suffix);
4751
dns_name_split(cname, labels-1,
4752
NULL, dns_fixedname_name(&suffix));
4753
result = dns_name_concatenate(dns_fixedname_name(&prefix),
4754
dns_fixedname_name(&suffix),
4756
if (result == DNS_R_NAMETOOLONG)
4757
client->message->rcode = dns_rcode_yxdomain;
4759
result = dns_name_copy(cname, fname, NULL);
4760
RUNTIME_CHECK(result == ISC_R_SUCCESS);
4762
if (result != ISC_R_SUCCESS)
4764
query_keepname(client, fname, dbuf);
4765
result = query_add_cname(client, client->query.qname,
4766
fname, dns_trust_authanswer, st->m.ttl);
4767
if (result != ISC_R_SUCCESS)
4769
rpz_log_rewrite(client, "", st->m.policy, st->m.type, st->qname);
4770
ns_client_qnamereplace(client, fname);
4772
* Turn off DNSSEC because the results of a
4773
* response policy zone cannot verify.
4775
client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
4776
DNS_MESSAGEFLAG_AD);
4777
return (ISC_R_SUCCESS);
4457
4780
#define MAX_RESTARTS 16
4459
4782
#define QUERY_ERROR(r) \
5285
5607
RECURSE_ERROR(rresult);
5610
if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS)
5611
rpz_st->state |= DNS_RPZ_REWRITTEN;
5288
5612
if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS &&
5289
rpz_st->m.policy != DNS_RPZ_POLICY_NO_OP) {
5290
result = dns_name_copy(client->query.qname, fname,
5292
RUNTIME_CHECK(result == ISC_R_SUCCESS);
5613
rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU &&
5614
rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) {
5615
if (rpz_st->m.type == DNS_RPZ_TYPE_QNAME) {
5616
result = dns_name_copy(client->query.qname,
5618
RUNTIME_CHECK(result == ISC_R_SUCCESS);
5294
5620
rpz_clean(&zone, &db, &node, NULL);
5295
5621
if (rpz_st->m.rdataset != NULL) {
5296
if (rdataset != NULL)
5297
query_putrdataset(client, &rdataset);
5622
query_putrdataset(client, &rdataset);
5298
5623
rdataset = rpz_st->m.rdataset;
5299
5624
rpz_st->m.rdataset = NULL;
5300
5625
} else if (rdataset != NULL &&
5317
5643
result = DNS_R_NXRRSET;
5319
5645
case DNS_RPZ_POLICY_RECORD:
5320
if (type == dns_rdatatype_any &&
5321
result != DNS_R_CNAME &&
5322
dns_rdataset_isassociated(rdataset))
5323
dns_rdataset_disassociate(rdataset);
5646
result = rpz_st->m.result;
5647
if (qtype == dns_rdatatype_any &&
5648
result != DNS_R_CNAME) {
5650
* We will add all of the rdatasets of
5651
* the node by iterating, setting the
5654
if (dns_rdataset_isassociated(rdataset))
5655
dns_rdataset_disassociate(rdataset);
5658
* We will add this rdataset.
5660
rdataset->ttl = ISC_MIN(rdataset->ttl,
5664
case DNS_RPZ_POLICY_WILDCNAME:
5665
result = dns_rdataset_first(rdataset);
5666
RUNTIME_CHECK(result == ISC_R_SUCCESS);
5667
dns_rdataset_current(rdataset, &rdata);
5668
result = dns_rdata_tostruct(&rdata, &cname,
5670
RUNTIME_CHECK(result == ISC_R_SUCCESS);
5671
dns_rdata_reset(&rdata);
5672
result = rpz_add_cname(client, rpz_st,
5675
if (result != ISC_R_SUCCESS)
5678
want_restart = ISC_TRUE;
5325
5680
case DNS_RPZ_POLICY_CNAME:
5326
result = dns_name_copy(&rpz_st->m.rpz->cname,
5328
RUNTIME_CHECK(result == ISC_R_SUCCESS);
5329
query_keepname(client, fname, dbuf);
5330
result = query_add_cname(client,
5331
client->query.qname,
5333
dns_trust_authanswer,
5682
* Add overridding CNAME from a named.conf
5683
* response-policy statement
5685
result = rpz_add_cname(client, rpz_st,
5686
&rpz_st->m.rpz->cname,
5335
5688
if (result != ISC_R_SUCCESS)
5337
ns_client_qnamereplace(client, fname);
5339
client->attributes &= ~NS_CLIENTATTR_WANTDNSSEC;
5341
5691
want_restart = ISC_TRUE;
6240
* Check all A and AAAA records in all response policy
6243
rpz_st = client->query.rpz_st;
6244
if (rpz_st != NULL &&
6245
(rpz_st->state & DNS_RPZ_DONE_QNAME) != 0 &&
6246
(rpz_st->state & DNS_RPZ_REWRITTEN) == 0 &&
6247
RECURSIONOK(client) && !RECURSING(client) &&
6248
(rpz_st->state & DNS_RPZ_HAVE_IP) != 0) {
6249
for (result = dns_rdatasetiter_first(rdsiter);
6250
result == ISC_R_SUCCESS;
6251
result = dns_rdatasetiter_next(rdsiter)) {
6252
dns_rdatasetiter_current(rdsiter, rdataset);
6253
if (rdataset->type == dns_rdatatype_a ||
6254
rdataset->type == dns_rdatatype_aaaa)
6255
result = rpz_rewrite_ip(client,
6258
dns_rdataset_disassociate(rdataset);
6259
if (result != ISC_R_SUCCESS)
6262
if (result != ISC_R_NOMORE) {
6263
dns_rdatasetiter_destroy(&rdsiter);
6264
QUERY_ERROR(DNS_R_SERVFAIL);
6267
switch (rpz_st->m.policy) {
6268
case DNS_RPZ_POLICY_MISS:
6270
case DNS_RPZ_POLICY_NO_OP:
6272
rpz_st->state |= DNS_RPZ_REWRITTEN;
6274
case DNS_RPZ_POLICY_NXDOMAIN:
6275
case DNS_RPZ_POLICY_NODATA:
6276
case DNS_RPZ_POLICY_RECORD:
6277
case DNS_RPZ_POLICY_CNAME:
6278
dns_rdatasetiter_destroy(&rdsiter);
6279
rpz_st->state |= DNS_RPZ_REWRITTEN;
6280
goto finish_rewrite;
6287
6596
* Calling query_addrrset() with a non-NULL dbuf is going
6288
6597
* to either keep or release the name. We don't want it to
6289
6598
* release fname, since we may have to call query_addrrset()
6361
6674
* Filter AAAAs if there is an A and there is no signature
6362
6675
* or we are supposed to break DNSSEC.
6364
if (filter_aaaa && have_aaaa && have_a &&
6365
(!have_sig || !WANTDNSSEC(client) ||
6366
client->view->v4_aaaa == dns_v4_aaaa_break_dnssec))
6677
if (client->filter_aaaa == dns_v4_aaaa_break_dnssec)
6367
6678
client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
6679
else if (client->filter_aaaa != dns_v4_aaaa_ok &&
6680
have_aaaa && have_a &&
6681
(!have_sig || !WANTDNSSEC(client)))
6682
client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
6369
6684
if (fname != NULL)
6370
6685
dns_message_puttempname(client->message, &fname);
6372
if (n == 0 && is_zone) {
6374
* We didn't match any rdatasets.
6689
* No matching rdatasets found in cache. If we were
6690
* searching for RRSIG/SIG, that's probably okay;
6691
* otherwise this is an error condition.
6376
6693
if ((qtype == dns_rdatatype_rrsig ||
6377
6694
qtype == dns_rdatatype_sig) &&
6378
6695
result == ISC_R_NOMORE) {
6380
* XXXRTH If this is a secure zone and we
6381
* didn't find any SIGs, we should generate
6382
* an error unless we were searching for
6385
6696
if (!is_zone) {
6387
* Note: this is dead code because
6388
* is_zone is always true due to the
6389
* condition above. But naive
6390
* recursion would cause infinite
6391
* attempts of recursion because
6392
* the answer to (RR)SIG queries
6393
* won't be cached. Until we figure
6394
* out what we should do and implement
6395
* it we intentionally keep this code
6398
6697
authoritative = ISC_FALSE;
6399
6698
dns_rdatasetiter_destroy(&rdsiter);
6400
if (RECURSIONOK(client)) {
6401
result = query_recurse(client,
6403
client->query.qname,
6406
if (result == ISC_R_SUCCESS)
6407
client->query.attributes |=
6408
NS_QUERYATTR_RECURSING;
6410
RECURSE_ERROR(result);
6699
client->attributes &= ~NS_CLIENTATTR_RA;
6415
* We were searching for SIG records in
6416
* a nonsecure zone. Send a "no error,
6417
* no data" response.
6422
result = query_addsoa(client, db, version,
6425
if (result == ISC_R_SUCCESS)
6426
result = ISC_R_NOMORE;
6429
* Something went wrong.
6703
if (dns_db_issecure(db)) {
6704
char namebuf[DNS_NAME_FORMATSIZE];
6705
dns_name_format(client->query.qname,
6708
ns_client_log(client,
6709
DNS_LOGCATEGORY_DNSSEC,
6712
"missing signature "
6716
dns_rdatasetiter_destroy(&rdsiter);
6717
fname = query_newname(client, dbuf, &b);
6431
6720
result = DNS_R_SERVFAIL;
6434
6723
dns_rdatasetiter_destroy(&rdsiter);
6435
6724
if (result != ISC_R_NOMORE) {
6436
6725
QUERY_ERROR(DNS_R_SERVFAIL);
6442
6731
* we know the answer.
6446
* Check all A and AAAA records in all response policy
6449
rpz_st = client->query.rpz_st;
6450
if (rpz_st != NULL &&
6451
(rpz_st->state & DNS_RPZ_DONE_QNAME) != 0 &&
6452
(rpz_st->state & DNS_RPZ_REWRITTEN) == 0 &&
6453
RECURSIONOK(client) && !RECURSING(client) &&
6454
(rpz_st->state & DNS_RPZ_HAVE_IP) != 0 &&
6455
(qtype == dns_rdatatype_aaaa || qtype == dns_rdatatype_a)) {
6456
result = rpz_rewrite_ip(client, rdataset,
6458
if (result != ISC_R_SUCCESS) {
6459
QUERY_ERROR(DNS_R_SERVFAIL);
6463
* After a hit in the radix tree for the policy domain,
6464
* either stop trying to rewrite (DNS_RPZ_POLICY_NO_OP)
6465
* or restart to ask the ordinary database of the
6466
* policy zone for the DNS record corresponding to the
6467
* record in the radix tree.
6469
switch (rpz_st->m.policy) {
6470
case DNS_RPZ_POLICY_MISS:
6472
case DNS_RPZ_POLICY_NO_OP:
6474
rpz_st->state |= DNS_RPZ_REWRITTEN;
6476
case DNS_RPZ_POLICY_NXDOMAIN:
6477
case DNS_RPZ_POLICY_NODATA:
6478
case DNS_RPZ_POLICY_RECORD:
6479
case DNS_RPZ_POLICY_CNAME:
6480
rpz_st->state |= DNS_RPZ_REWRITTEN;
6481
goto finish_rewrite;
6487
6734
#ifdef ALLOW_FILTER_AAAA_ON_V4
6489
6736
* Optionally hide AAAAs from IPv4 clients if there is an A.