235
243
static int forward_query(int udpfd, union mysockaddr *udpaddr,
236
244
struct all_addr *dst_addr, unsigned int dst_iface,
237
struct dns_header *header, size_t plen, time_t now, struct frec *forward)
245
struct dns_header *header, size_t plen, time_t now,
246
struct frec *forward, int ad_reqd, int do_bit)
239
248
char *domain = NULL;
240
249
int type = 0, norebind = 0;
241
250
struct all_addr *addrp = NULL;
251
unsigned int flags = 0;
252
struct server *start = NULL;
254
void *hash = hash_questions(header, plen, daemon->namebuff);
242
256
unsigned int crc = questions_crc(header, plen, daemon->namebuff);
243
unsigned int flags = 0;
244
unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
245
struct server *start = NULL;
247
/* RFC 4035: sect 4.6 para 2 */
248
header->hb4 &= ~HB4_AD;
259
unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
250
263
/* may be no servers available. */
251
264
if (!daemon->servers)
253
else if (forward || (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, crc)))
266
else if (forward || (hash && (forward = lookup_frec_by_sender(ntohs(header->id), udpaddr, hash))))
269
/* If we've already got an answer to this query, but we're awaiting keys for validation,
270
there's no point retrying the query, retry the key query instead...... */
271
if (forward->blocking_query)
275
while (forward->blocking_query)
276
forward = forward->blocking_query;
278
blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
279
plen = forward->stash_len;
281
if (forward->sentto->addr.sa.sa_family == AF_INET)
282
log_query(F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
285
log_query(F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
288
if (forward->sentto->sfd)
289
fd = forward->sentto->sfd->fd;
293
if (forward->sentto->addr.sa.sa_family == AF_INET6)
294
fd = forward->rfd6->fd;
297
fd = forward->rfd4->fd;
300
while (sendto(fd, (char *)header, plen, 0,
301
&forward->sentto->addr.sa,
302
sa_len(&forward->sentto->addr)) == -1 && retry_send());
255
308
/* retry on existing query, send to all available servers */
256
309
domain = forward->sentto->domain;
257
310
forward->sentto->failed_queries++;
640
772
if (!option_bool(OPT_ALL_SERVERS))
641
773
daemon->last_server = server;
644
776
/* If the answer is an error, keep the forward record in place in case
645
777
we get a good reply from another server. Kill it when we've
646
778
had replies from all to avoid filling the forwarding table when
647
779
everything is broken */
648
if (forward->forwardall == 0 || --forward->forwardall == 1 ||
649
(RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
780
if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != SERVFAIL)
651
int check_rebind = !(forward->flags & FREC_NOREBIND);
653
if (!option_bool(OPT_NO_REBIND))
656
if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, forward->flags & FREC_CHECKING_DISABLED,
657
forward->flags & FREC_HAS_SUBNET, &forward->source)))
782
int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0;
784
if (option_bool(OPT_NO_REBIND))
785
check_rebind = !(forward->flags & FREC_NOREBIND);
787
/* Don't cache replies where DNSSEC validation was turned off, either
788
the upstream server told us so, or the original query specified it. */
789
if ((header->hb4 & HB4_CD) || (forward->flags & FREC_CHECKING_DISABLED))
793
if (server && option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
797
/* We've had a reply already, which we're validating. Ignore this duplicate */
798
if (forward->blocking_query)
801
if (header->hb3 & HB3_TC)
803
/* Truncated answer can't be validated.
804
If this is an answer to a DNSSEC-generated query, we still
805
need to get the client to retry over TCP, so return
806
an answer with the TC bit set, even if the actual answer fits.
808
status = STAT_TRUNCATED;
810
else if (forward->flags & FREC_DNSKEY_QUERY)
811
status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
812
else if (forward->flags & FREC_DS_QUERY)
814
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
815
if (status == STAT_NO_DS)
816
status = STAT_INSECURE;
818
else if (forward->flags & FREC_CHECK_NOSIGN)
819
status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
822
status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL);
823
if (status == STAT_NO_SIG)
825
if (option_bool(OPT_DNSSEC_NO_SIGN))
826
status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname);
828
status = STAT_INSECURE;
831
/* Can't validate, as we're missing key data. Put this
832
answer aside, whilst we get that. */
833
if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
835
struct frec *new, *orig;
837
/* Free any saved query */
839
blockdata_free(forward->stash);
841
/* Now save reply pending receipt of key data */
842
if (!(forward->stash = blockdata_alloc((char *)header, n)))
844
forward->stash_len = n;
847
/* Find the original query that started it all.... */
848
for (orig = forward; orig->dependent; orig = orig->dependent);
850
if (--orig->work_counter == 0 || !(new = get_new_frec(now, NULL, 1)))
851
status = STAT_INSECURE;
855
struct frec *next = new->next;
856
*new = *forward; /* copy everything, then overwrite */
858
new->blocking_query = NULL;
859
new->sentto = server;
864
new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_CHECK_NOSIGN);
866
new->dependent = forward; /* to find query awaiting new one. */
867
forward->blocking_query = new; /* for garbage cleaning */
868
/* validate routines leave name of required record in daemon->keyname */
869
if (status == STAT_NEED_KEY)
871
new->flags |= FREC_DNSKEY_QUERY;
872
nn = dnssec_generate_query(header, ((char *) header) + daemon->packet_buff_sz,
873
daemon->keyname, forward->class, T_DNSKEY, &server->addr);
877
if (status == STAT_NEED_DS_NEG)
878
new->flags |= FREC_CHECK_NOSIGN;
880
new->flags |= FREC_DS_QUERY;
881
nn = dnssec_generate_query(header,((char *) header) + daemon->packet_buff_sz,
882
daemon->keyname, forward->class, T_DS, &server->addr);
884
if ((hash = hash_questions(header, nn, daemon->namebuff)))
885
memcpy(new->hash, hash, HASH_SIZE);
886
new->new_id = get_id();
887
header->id = htons(new->new_id);
888
/* Save query for retransmission */
889
new->stash = blockdata_alloc((char *)header, nn);
892
/* Don't resend this. */
893
daemon->srv_save = NULL;
896
fd = server->sfd->fd;
901
if (server->addr.sa.sa_family == AF_INET6)
903
if (new->rfd6 || (new->rfd6 = allocate_rfd(AF_INET6)))
909
if (new->rfd4 || (new->rfd4 = allocate_rfd(AF_INET)))
916
while (sendto(fd, (char *)header, nn, 0, &server->addr.sa, sa_len(&server->addr)) == -1 && retry_send());
924
/* Ok, we reached far enough up the chain-of-trust that we can validate something.
925
Now wind back down, pulling back answers which wouldn't previously validate
926
and validate them with the new data. Note that if an answer needs multiple
927
keys to validate, we may find another key is needed, in which case we set off
928
down another branch of the tree. Once we get to the original answer
929
(FREC_DNSSEC_QUERY not set) and it validates, return it to the original requestor. */
930
while (forward->dependent)
932
struct frec *prev = forward->dependent;
935
forward->blocking_query = NULL; /* already gone */
936
blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
937
n = forward->stash_len;
939
if (status == STAT_SECURE)
941
if (forward->flags & FREC_DNSKEY_QUERY)
942
status = dnssec_validate_by_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
943
else if (forward->flags & FREC_DS_QUERY)
945
status = dnssec_validate_ds(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
946
if (status == STAT_NO_DS)
947
status = STAT_INSECURE;
949
else if (forward->flags & FREC_CHECK_NOSIGN)
950
status = do_check_sign(now, header, n, daemon->namebuff, daemon->keyname, forward->class);
953
status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, NULL);
954
if (status == STAT_NO_SIG)
956
if (option_bool(OPT_DNSSEC_NO_SIGN))
957
status = send_check_sign(now, header, n, daemon->namebuff, daemon->keyname);
959
status = STAT_INSECURE;
963
if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG || status == STAT_NEED_KEY)
968
if (status == STAT_TRUNCATED)
969
header->hb3 |= HB3_TC;
974
if (forward->work_counter == 0)
975
result = "ABANDONED";
977
result = (status == STAT_SECURE ? "SECURE" : (status == STAT_INSECURE ? "INSECURE" : "BOGUS"));
979
log_query(F_KEYTAG | F_SECSTAT, "result", NULL, result);
984
if (status == STAT_SECURE)
986
else if (status == STAT_BOGUS)
991
/* restore CD bit to the value in the query */
992
if (forward->flags & FREC_CHECKING_DISABLED)
993
header->hb4 |= HB4_CD;
995
header->hb4 &= ~HB4_CD;
997
if ((nn = process_reply(header, now, server, (size_t)n, check_rebind, no_cache_dnssec, cache_secure,
998
forward->flags & FREC_AD_QUESTION, forward->flags & FREC_DO_QUESTION,
999
forward->flags & FREC_ADDED_PHEADER, forward->flags & FREC_HAS_SUBNET, &forward->source)))
659
1001
header->id = htons(forward->orig_id);
660
1002
header->hb4 |= HB4_RA; /* recursion if available */
908
1298
daemon->local_answer++;
910
1300
else if (forward_query(listen->fd, &source_addr, &dst_addr, if_index,
911
header, (size_t)n, now, NULL))
1301
header, (size_t)n, now, NULL, ad_reqd, do_bit))
912
1302
daemon->queries_forwarded++;
914
1304
daemon->local_answer++;
1310
/* UDP: we've got an unsigned answer, return STAT_INSECURE if we can prove there's no DS
1311
and therefore the answer shouldn't be signed, or STAT_BOGUS if it should be, or
1312
STAT_NEED_DS_NEG and keyname if we need to do the query. */
1313
static int send_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname)
1316
char *name_start = name;
1317
int status = dnssec_chase_cname(now, header, plen, name, keyname);
1319
if (status != STAT_INSECURE)
1324
crecp = cache_find_by_name(NULL, name_start, now, F_DS);
1326
if (crecp && (crecp->flags & F_DNSSECOK))
1327
return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS;
1329
if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.')))
1331
name_start++; /* chop a label off and try again */
1335
/* Reached the root */
1339
strcpy(keyname, name_start);
1340
return STAT_NEED_DS_NEG;
1344
/* Got answer to DS query from send_check_sign, check for proven non-existence, or make the next DS query to try. */
1345
static int do_check_sign(time_t now, struct dns_header *header, size_t plen, char *name, char *keyname, int class)
1350
int status = dnssec_validate_ds(now, header, plen, name, keyname, class);
1352
if (status != STAT_INSECURE)
1354
if (status == STAT_NO_DS)
1355
status = STAT_INSECURE;
1359
p = (unsigned char *)(header+1);
1361
if (extract_name(header, plen, &p, name, 1, 4) &&
1362
(name_start = strchr(name, '.')))
1364
name_start++; /* chop a label off and try again */
1365
strcpy(keyname, name_start);
1366
return STAT_NEED_DS_NEG;
1372
/* Move toward the root, until we find a signed non-existance of a DS, in which case
1373
an unsigned answer is OK, or we find a signed DS, in which case there should be
1374
a signature, and the answer is BOGUS */
1375
static int tcp_check_for_unsigned_zone(time_t now, struct dns_header *header, size_t plen, int class, char *name,
1376
char *keyname, struct server *server, int *keycount)
1379
unsigned char *packet, *payload;
1381
unsigned char *p = (unsigned char *)(header+1);
1383
char *name_start = name;
1385
/* Get first insecure entry in CNAME chain */
1386
status = tcp_key_recurse(now, STAT_CHASE_CNAME, header, plen, class, name, keyname, server, keycount);
1387
if (status == STAT_BOGUS)
1390
if (!(packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16))))
1393
payload = &packet[2];
1394
header = (struct dns_header *)payload;
1395
length = (u16 *)packet;
1399
unsigned char *newhash, hash[HASH_SIZE];
1400
unsigned char c1, c2;
1401
struct crec *crecp = cache_find_by_name(NULL, name_start, now, F_DS);
1403
if (--(*keycount) == 0)
1409
if (crecp && (crecp->flags & F_DNSSECOK))
1412
return (crecp->flags & F_NEG) ? STAT_INSECURE : STAT_BOGUS;
1415
/* If we have cached insecurely that a DS doesn't exist,
1416
ise that is a hit for where to start looking for the secure one */
1417
if (crecp && (crecp->flags & F_NEG) && (name_start = strchr(name_start, '.')))
1419
name_start++; /* chop a label off and try again */
1423
/* reached the root */
1430
m = dnssec_generate_query(header, ((char *) header) + 65536, name_start, class, T_DS, &server->addr);
1432
/* We rely on the question section coming back unchanged, ensure it is with the hash. */
1433
if ((newhash = hash_questions(header, (unsigned int)m, name)))
1435
memcpy(hash, newhash, HASH_SIZE);
1439
if (read_write(server->tcpfd, packet, m + sizeof(u16), 0) &&
1440
read_write(server->tcpfd, &c1, 1, 1) &&
1441
read_write(server->tcpfd, &c2, 1, 1) &&
1442
read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1446
newhash = hash_questions(header, (unsigned int)m, name);
1447
if (newhash && memcmp(hash, newhash, HASH_SIZE) == 0)
1449
/* Note this trashes all three name workspaces */
1450
status = tcp_key_recurse(now, STAT_NEED_DS_NEG, header, m, class, name, keyname, server, keycount);
1452
/* We've found a DS which proves the bit of the DNS where the
1453
original query is, is unsigned, so the answer is OK,
1455
if (status == STAT_NO_DS)
1458
return STAT_INSECURE;
1461
/* No DS, not got to DNSSEC-land yet, go up. */
1462
if (status == STAT_INSECURE)
1464
p = (unsigned char *)(header+1);
1466
if (extract_name(header, plen, &p, name, 1, 4) &&
1467
(name_start = strchr(name, '.')))
1469
name_start++; /* chop a label off and try again */
1483
static int tcp_key_recurse(time_t now, int status, struct dns_header *header, size_t n,
1484
int class, char *name, char *keyname, struct server *server, int *keycount)
1486
/* Recurse up the key heirarchy */
1489
/* limit the amount of work we do, to avoid cycling forever on loops in the DNS */
1490
if (--(*keycount) == 0)
1491
return STAT_INSECURE;
1493
if (status == STAT_NEED_KEY)
1494
new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1495
else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1497
new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1498
if (status == STAT_NEED_DS && new_status == STAT_NO_DS)
1499
new_status = STAT_INSECURE;
1501
else if (status == STAT_CHASE_CNAME)
1502
new_status = dnssec_chase_cname(now, header, n, name, keyname);
1505
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL);
1507
if (new_status == STAT_NO_SIG)
1509
if (option_bool(OPT_DNSSEC_NO_SIGN))
1510
new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1512
new_status = STAT_INSECURE;
1516
/* Can't validate because we need a key/DS whose name now in keyname.
1517
Make query for same, and recurse to validate */
1518
if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1521
unsigned char *packet = whine_malloc(65536 + MAXDNAME + RRFIXEDSZ + sizeof(u16));
1522
unsigned char *payload = &packet[2];
1523
struct dns_header *new_header = (struct dns_header *)payload;
1524
u16 *length = (u16 *)packet;
1525
unsigned char c1, c2;
1528
return STAT_INSECURE;
1531
m = dnssec_generate_query(new_header, ((char *) new_header) + 65536, keyname, class,
1532
new_status == STAT_NEED_KEY ? T_DNSKEY : T_DS, &server->addr);
1536
if (!read_write(server->tcpfd, packet, m + sizeof(u16), 0) ||
1537
!read_write(server->tcpfd, &c1, 1, 1) ||
1538
!read_write(server->tcpfd, &c2, 1, 1) ||
1539
!read_write(server->tcpfd, payload, (c1 << 8) | c2, 1))
1540
new_status = STAT_INSECURE;
1545
new_status = tcp_key_recurse(now, new_status, new_header, m, class, name, keyname, server, keycount);
1547
if (new_status == STAT_SECURE)
1549
/* Reached a validated record, now try again at this level.
1550
Note that we may get ANOTHER NEED_* if an answer needs more than one key.
1551
If so, go round again. */
1553
if (status == STAT_NEED_KEY)
1554
new_status = dnssec_validate_by_ds(now, header, n, name, keyname, class);
1555
else if (status == STAT_NEED_DS || status == STAT_NEED_DS_NEG)
1557
new_status = dnssec_validate_ds(now, header, n, name, keyname, class);
1558
if (status == STAT_NEED_DS && new_status == STAT_NO_DS)
1559
new_status = STAT_INSECURE; /* Validated no DS */
1561
else if (status == STAT_CHASE_CNAME)
1562
new_status = dnssec_chase_cname(now, header, n, name, keyname);
1565
new_status = dnssec_validate_reply(now, header, n, name, keyname, &class, NULL);
1567
if (new_status == STAT_NO_SIG)
1569
if (option_bool(OPT_DNSSEC_NO_SIGN))
1570
new_status = tcp_check_for_unsigned_zone(now, header, n, class, name, keyname, server, keycount);
1572
new_status = STAT_INSECURE;
1576
if (new_status == STAT_NEED_DS || new_status == STAT_NEED_KEY)
1577
goto another_tcp_key;
918
1588
/* The daemon forks before calling this: it should deal with one connection,
919
1589
blocking as neccessary, and then return. Note, need to be a bit careful
920
1590
about resources for debug mode, when the fork is suppressed: that's