109
109
#define DNS_GETDB_NOLOG 0x02U
110
110
#define DNS_GETDB_PARTIAL 0x04U
112
#define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0)
112
114
typedef struct client_additionalctx {
113
115
ns_client_t *client;
114
116
dns_rdataset_t *rdataset;
1722
1724
if (result == ISC_R_SUCCESS &&
1723
1725
additionaltype == dns_rdatasetadditional_fromcache &&
1724
(rdataset->trust == dns_trust_pending ||
1725
rdataset->trust == dns_trust_glue) &&
1726
(DNS_TRUST_PENDING(rdataset->trust) ||
1727
DNS_TRUST_GLUE(rdataset->trust)) &&
1726
1728
!validate(client, db, fname, rdataset, sigrdataset)) {
1727
1729
dns_rdataset_disassociate(rdataset);
1728
1730
if (dns_rdataset_isassociated(sigrdataset))
1762
1764
if (result == ISC_R_SUCCESS &&
1763
1765
additionaltype == dns_rdatasetadditional_fromcache &&
1764
(rdataset->trust == dns_trust_pending ||
1765
rdataset->trust == dns_trust_glue) &&
1766
(DNS_TRUST_PENDING(rdataset->trust) ||
1767
DNS_TRUST_GLUE(rdataset->trust)) &&
1766
1768
!validate(client, db, fname, rdataset, sigrdataset)) {
1767
1769
dns_rdataset_disassociate(rdataset);
1768
1770
if (dns_rdataset_isassociated(sigrdataset))
2548
2550
* Attempt to validate RRsets that are pending or that are glue.
2550
if ((rdataset->trust == dns_trust_pending ||
2551
(sigrdataset != NULL && sigrdataset->trust == dns_trust_pending))
2552
if ((DNS_TRUST_PENDING(rdataset->trust) ||
2553
(sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust)))
2552
2554
&& !validate(client, db, fname, rdataset, sigrdataset) &&
2553
(client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0)
2555
!PENDINGOK(client->query.dboptions))
2556
if ((rdataset->trust == dns_trust_glue ||
2557
(sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)) &&
2558
if ((DNS_TRUST_GLUE(rdataset->trust) ||
2559
(sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) &&
2558
2560
!validate(client, db, fname, rdataset, sigrdataset) &&
2559
2561
SECURE(client) && WANTDNSSEC(client))
3545
3549
* Now look for an answer in the database.
3551
dboptions = client->query.dboptions;
3552
if (sigrdataset == NULL && client->view->enablednssec) {
3554
* If the client doesn't want DNSSEC we still want to
3555
* look for any data pending validation to save a remote
3556
* lookup if possible.
3558
dns_rdataset_init(&tmprdataset);
3559
sigrdataset = &tmprdataset;
3560
dboptions |= DNS_DBFIND_PENDINGOK;
3547
3563
result = dns_db_find(db, client->query.qname, version, type,
3548
client->query.dboptions, client->now,
3549
&node, fname, rdataset, sigrdataset);
3564
dboptions, client->now, &node, fname,
3565
rdataset, sigrdataset);
3567
* If we have found pending data try to validate it.
3568
* If the data does not validate as secure and we can't
3569
* use the unvalidated data requery the database with
3570
* pending disabled to prevent infinite looping.
3572
if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust))
3573
goto validation_done;
3574
if (validate(client, db, fname, rdataset, sigrdataset))
3575
goto validation_done;
3576
if (rdataset->trust != dns_trust_pending_answer ||
3577
!PENDINGOK(client->query.dboptions)) {
3578
dns_rdataset_disassociate(rdataset);
3579
if (sigrdataset != NULL &&
3580
dns_rdataset_isassociated(sigrdataset))
3581
dns_rdataset_disassociate(sigrdataset);
3582
if (sigrdataset == &tmprdataset)
3584
dns_db_detachnode(db, &node);
3585
dboptions &= ~DNS_DBFIND_PENDINGOK;
3589
if (sigrdataset == &tmprdataset) {
3590
if (dns_rdataset_isassociated(sigrdataset))
3591
dns_rdataset_disassociate(sigrdataset);
3552
3596
CTRACE("query_find: resume");
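Review bot: The new gate at line 3572, `if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust)) goto validation_done;`, only passes pending data to validate() when dns_db_find() returns ISC_R_SUCCESS, yet the same hunk now ORs DNS_DBFIND_PENDINGOK into `dboptions` for every client that did not ask for DNSSEC. If dns_db_find() can return an associated pending rdataset under another result code (a CNAME or DNAME match, for instance; not visible here, so worth confirming), that data would skip both validation and the requery with pending disabled, and could be answered unvalidated. Consider keying the gate on the rdataset instead of the result, e.g. `if (!dns_rdataset_isassociated(rdataset) || !DNS_TRUST_PENDING(rdataset->trust)) goto validation_done;`, or explicitly listing the result codes that carry data. A short comment at line 3577 would also help, saying that the test deliberately reads `client->query.dboptions` (what the client asked for) and not the local `dboptions`, which the server may have widened. The enclosing function begins and ends outside this hunk.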