
Source code changes of the file "syncres.cc" between
pdns-recursor-4.5.1.tar.bz2 and pdns-recursor-4.5.2.tar.bz2

About: PowerDNS - a separate release of the PowerDNS Recursor (without the authoritative nameserver).

syncres.cc  (pdns-recursor-4.5.1.tar.bz2):syncres.cc  (pdns-recursor-4.5.2.tar.bz2)
skipping to change at line 3402 skipping to change at line 3402
{ {
cspmap_t csp = harvestCSPFromNE(ne); cspmap_t csp = harvestCSPFromNE(ne);
return getDenial(csp, ne.d_name, ne.d_qtype.getCode(), referralToUnsigned, exp ectedState == dState::NXQTYPE); return getDenial(csp, ne.d_name, ne.d_qtype.getCode(), referralToUnsigned, exp ectedState == dState::NXQTYPE);
} }
bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co nst QType qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vec tor<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const bool gatherWildcardProof, const unsigned int wildcardLabelsCount, int& rc ode, bool& negIndicHasSignatures, unsigned int depth) bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, co nst QType qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vec tor<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const bool gatherWildcardProof, const unsigned int wildcardLabelsCount, int& rc ode, bool& negIndicHasSignatures, unsigned int depth)
{ {
bool done = false; bool done = false;
DNSName dnameTarget, dnameOwner; DNSName dnameTarget, dnameOwner;
uint32_t dnameTTL = 0; uint32_t dnameTTL = 0;
bool referralOnDS = false;
for (auto& rec : lwr.d_records) { for (auto& rec : lwr.d_records) {
if (rec.d_type != QType::OPT && rec.d_class != QClass::IN) { if (rec.d_type != QType::OPT && rec.d_class != QClass::IN) {
continue; continue;
} }
if (rec.d_place == DNSResourceRecord::ANSWER && !(lwr.d_aabit || sendRDQuery )) { if (rec.d_place == DNSResourceRecord::ANSWER && !(lwr.d_aabit || sendRDQuery )) {
/* for now we allow a CNAME for the exact qname in ANSWER with AA=0, becau se Amazon DNS servers /* for now we allow a CNAME for the exact qname in ANSWER with AA=0, becau se Amazon DNS servers
are sending such responses */ are sending such responses */
if (!(rec.d_type == QType::CNAME && rec.d_name == qname)) { if (!(rec.d_type == QType::CNAME && rec.d_name == qname)) {
skipping to change at line 3521 skipping to change at line 3522
throw ImmediateServFailException("Unable to perform DNAME substituti on(DNAME owner: '" + dnameOwner.toLogString() + throw ImmediateServFailException("Unable to perform DNAME substituti on(DNAME owner: '" + dnameOwner.toLogString() +
"', DNAME target: '" + dnameTarget. toLogString() + "', substituted name: '" + "', DNAME target: '" + dnameTarget. toLogString() + "', substituted name: '" +
qname.makeRelative(dnameOwner).toLo gString() + "." + dnameTarget.toLogString() + qname.makeRelative(dnameOwner).toLo gString() + "." + dnameTarget.toLogString() +
"' : " + e.what()); "' : " + e.what());
} }
} }
} }
} }
/* if we have a positive answer synthesized from a wildcard, we need to /* if we have a positive answer synthesized from a wildcard, we need to
return the corresponding NSEC/NSEC3 records from the AUTHORITY section return the corresponding NSEC/NSEC3 records from the AUTHORITY section
proving that the exact name did not exist */ proving that the exact name did not exist.
else if (gatherWildcardProof && (rec.d_type == QType::RRSIG || rec.d_type == Except if this is a NODATA answer because then we will gather the NXNSEC
QType::NSEC || rec.d_type == QType::NSEC3) && rec.d_place == DNSResourceRecord: records later */
:AUTHORITY) { else if (gatherWildcardProof && !negindic && (rec.d_type == QType::RRSIG ||
rec.d_type == QType::NSEC || rec.d_type == QType::NSEC3) && rec.d_place == DNSRe
sourceRecord::AUTHORITY) {
ret.push_back(rec); // enjoy your DNSSEC ret.push_back(rec); // enjoy your DNSSEC
} }
// for ANY answers we *must* have an authoritative answer, unless we are for warding recursively // for ANY answers we *must* have an authoritative answer, unless we are for warding recursively
else if (rec.d_place == DNSResourceRecord::ANSWER && rec.d_name == qname && else if (rec.d_place == DNSResourceRecord::ANSWER && rec.d_name == qname &&
( (
rec.d_type == qtype.getCode() || ((lwr.d_aabit || sendRDQuery) && qtype == QType::ANY) rec.d_type == qtype.getCode() || ((lwr.d_aabit || sendRDQuery) && qtype == QType::ANY)
) )
) )
{ {
LOG(prefix<<qname<<": answer is in: resolved to '"<< rec.d_content->getZon eRepresentation()<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"'"<<endl); LOG(prefix<<qname<<": answer is in: resolved to '"<< rec.d_content->getZon eRepresentation()<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"'"<<endl);
skipping to change at line 3587 skipping to change at line 3589
} }
ret.push_back(rec); ret.push_back(rec);
} }
else if ((rec.d_type == QType::RRSIG || rec.d_type == QType::NSEC || rec.d_t ype == QType::NSEC3) && rec.d_place == DNSResourceRecord::ANSWER) { else if ((rec.d_type == QType::RRSIG || rec.d_type == QType::NSEC || rec.d_t ype == QType::NSEC3) && rec.d_place == DNSResourceRecord::ANSWER) {
if (rec.d_type != QType::RRSIG || rec.d_name == qname) { if (rec.d_type != QType::RRSIG || rec.d_name == qname) {
ret.push_back(rec); // enjoy your DNSSEC ret.push_back(rec); // enjoy your DNSSEC
} else if (rec.d_type == QType::RRSIG && qname.isPartOf(rec.d_name)) { } else if (rec.d_type == QType::RRSIG && qname.isPartOf(rec.d_name)) {
auto rrsig = getRR<RRSIGRecordContent>(rec); auto rrsig = getRR<RRSIGRecordContent>(rec);
if (rrsig != nullptr && rrsig->d_type == QType::DNAME) { if (rrsig != nullptr && rrsig->d_type == QType::DNAME) {
ret.push_back(rec); ret.push_back(rec);
} }
} }
} }
else if (rec.d_place == DNSResourceRecord::AUTHORITY && rec.d_type == QType: :NS && qname.isPartOf(rec.d_name)) { else if (rec.d_place == DNSResourceRecord::AUTHORITY && rec.d_type == QType: :NS && qname.isPartOf(rec.d_name)) {
if (moreSpecificThan(rec.d_name,auth)) { if (moreSpecificThan(rec.d_name,auth)) {
newauth = rec.d_name; newauth = rec.d_name;
LOG(prefix<<qname<<": got NS record '"<<rec.d_name<<"' -> '"<<rec.d_cont ent->getZoneRepresentation()<<"'"<<endl); LOG(prefix<<qname<<": got NS record '"<<rec.d_name<<"' -> '"<<rec.d_cont ent->getZoneRepresentation()<<"'"<<endl);
realreferral = true;
/* check if we have a referral from the parent zone to a child zone for
a DS query, which is not right */
if (qtype == QType::DS && (newauth.isPartOf(qname) || qname == newauth))
{
/* just got a referral from the parent zone when asking for a DS, look
s like this server did not get the DNSSEC memo.. */
referralOnDS = true;
}
else {
realreferral = true;
if (auto content = getRR<NSRecordContent>(rec)) {
nsset.insert(content->getNS());
}
}
} }
else { else {
LOG(prefix<<qname<<": got upwards/level NS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"', had '"<<auth<<"'"<<endl); LOG(prefix<<qname<<": got upwards/level NS record '"<<rec.d_name<<"' -> '"<<rec.d_content->getZoneRepresentation()<<"', had '"<<auth<<"'"<<endl);
} if (auto content = getRR<NSRecordContent>(rec)) {
if (auto content = getRR<NSRecordContent>(rec)) { nsset.insert(content->getNS());
nsset.insert(content->getNS()); }
} }
} }
else if (rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::DS && qname.isPartOf(rec.d_name)) { else if (rec.d_place==DNSResourceRecord::AUTHORITY && rec.d_type==QType::DS && qname.isPartOf(rec.d_name)) {
LOG(prefix<<qname<<": got DS record '"<<rec.d_name<<"' -> '"<<rec.d_conten t->getZoneRepresentation()<<"'"<<endl); LOG(prefix<<qname<<": got DS record '"<<rec.d_name<<"' -> '"<<rec.d_conten t->getZoneRepresentation()<<"'"<<endl);
} }
else if (realreferral && rec.d_place == DNSResourceRecord::AUTHORITY && (rec .d_type == QType::NSEC || rec.d_type == QType::NSEC3) && newauth.isPartOf(auth)) { else if (realreferral && rec.d_place == DNSResourceRecord::AUTHORITY && (rec .d_type == QType::NSEC || rec.d_type == QType::NSEC3) && newauth.isPartOf(auth)) {
/* we might have received a denial of the DS, let's check */ /* we might have received a denial of the DS, let's check */
NegCache::NegCacheEntry ne; NegCache::NegCacheEntry ne;
uint32_t lowestTTL = rec.d_ttl; uint32_t lowestTTL = rec.d_ttl;
harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL); harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL);
skipping to change at line 3636 skipping to change at line 3649
ne.d_validationState = vState::Secure; ne.d_validationState = vState::Secure;
if (denialState == dState::OPTOUT) { if (denialState == dState::OPTOUT) {
ne.d_validationState = vState::Insecure; ne.d_validationState = vState::Insecure;
} }
LOG(prefix<<qname<<": got negative indication of DS record for '"<<n ewauth<<"'"<<endl); LOG(prefix<<qname<<": got negative indication of DS record for '"<<n ewauth<<"'"<<endl);
if (!wasVariable()) { if (!wasVariable()) {
g_negCache->add(ne); g_negCache->add(ne);
} }
if (qname == newauth && qtype == QType::DS) { if (qtype == QType::DS && qname == newauth) {
/* we are actually done! */ /* we are actually done! */
negindic = true; negindic = true;
negIndicHasSignatures = !ne.authoritySOA.signatures.empty() || !ne .DNSSECRecords.signatures.empty(); negIndicHasSignatures = !ne.authoritySOA.signatures.empty() || !ne .DNSSECRecords.signatures.empty();
nsset.clear(); nsset.clear();
} }
} }
} }
} }
} }
else if (!done && rec.d_place == DNSResourceRecord::AUTHORITY && rec.d_type == QType::SOA && else if (!done && rec.d_place == DNSResourceRecord::AUTHORITY && rec.d_type == QType::SOA &&
skipping to change at line 3705 skipping to change at line 3718
if (!dnameTarget.empty()) { if (!dnameTarget.empty()) {
// Synthesize a CNAME // Synthesize a CNAME
auto cnamerec = DNSRecord(); auto cnamerec = DNSRecord();
cnamerec.d_name = qname; cnamerec.d_name = qname;
cnamerec.d_type = QType::CNAME; cnamerec.d_type = QType::CNAME;
cnamerec.d_ttl = dnameTTL; cnamerec.d_ttl = dnameTTL;
cnamerec.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent (newtarget)); cnamerec.d_content = std::make_shared<CNAMERecordContent>(CNAMERecordContent (newtarget));
ret.push_back(std::move(cnamerec)); ret.push_back(std::move(cnamerec));
} }
/* If we have seen a proper denial, let's forget that we also had a referral f
or a DS query.
Otherwise we need to deal with it. */
if (referralOnDS && !negindic) {
LOG(prefix<<qname<<": got a referral to the child zone for a DS query withou
t a negative indication (missing SOA in authority), treating that as a NODATA"<<
endl);
if (!vStateIsBogus(state)) {
auto recordState = getValidationStatus(qname, false, true, depth);
if (recordState == vState::Secure) {
/* we are in a secure zone, got a referral to the child zone on a DS que
ry, no denial, that's wrong */
LOG(prefix<<qname<<": NODATA without a negative indication (missing SOA
in authority) in a DNSSEC secure zone, going Bogus"<<endl);
updateValidationState(state, vState::BogusMissingNegativeIndication);
}
}
negindic = true;
negIndicHasSignatures = false;
}
return done; return done;
} }
bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname, const QType qtype, LWResult& lwr, boost::optional<Netmask>& ednsmask, const DNS Name& auth, bool const sendRDQuery, const bool wasForwarded, const DNSName& nsNa me, const ComboAddress& remoteIP, bool doTCP, bool& truncated, bool& spoofed) bool SyncRes::doResolveAtThisIP(const std::string& prefix, const DNSName& qname, const QType qtype, LWResult& lwr, boost::optional<Netmask>& ednsmask, const DNS Name& auth, bool const sendRDQuery, const bool wasForwarded, const DNSName& nsNa me, const ComboAddress& remoteIP, bool doTCP, bool& truncated, bool& spoofed)
{ {
bool chained = false; bool chained = false;
LWResult::Result resolveret = LWResult::Result::Success; LWResult::Result resolveret = LWResult::Result::Success;
s_outqueries++; s_outqueries++;
d_outqueries++; d_outqueries++;
skipping to change at line 4340 skipping to change at line 4370
void SyncRes::parseEDNSSubnetAddFor(const std::string& subnetlist) void SyncRes::parseEDNSSubnetAddFor(const std::string& subnetlist)
{ {
vector<string> parts; vector<string> parts;
stringtok(parts, subnetlist, ",; "); stringtok(parts, subnetlist, ",; ");
for(const auto& a : parts) { for(const auto& a : parts) {
s_ednslocalsubnets.addMask(a); s_ednslocalsubnets.addMask(a);
} }
} }
// used by PowerDNSLua - note that this neglects to add the packet count & stati stics back to pdns_ercursor.cc
int directResolve(const DNSName& qname, const QType qtype, int qclass, vector<DN SRecord>& ret) int directResolve(const DNSName& qname, const QType qtype, int qclass, vector<DN SRecord>& ret)
{ {
return directResolve(qname, qtype, qclass, ret, SyncRes::s_qnameminimization);
}
// used by PowerDNSLua - note that this neglects to add the packet count & stati
stics back to pdns_recursor.cc
int directResolve(const DNSName& qname, const QType qtype, int qclass, vector<DN
SRecord>& ret, bool qm)
{
struct timeval now; struct timeval now;
gettimeofday(&now, 0); gettimeofday(&now, 0);
SyncRes sr(now); SyncRes sr(now);
sr.setQNameMinimization(qm);
int res = -1; int res = -1;
try { try {
res = sr.beginResolve(qname, qtype, qclass, ret, 0); res = sr.beginResolve(qname, qtype, qclass, ret, 0);
} }
catch(const PDNSException& e) { catch(const PDNSException& e) {
g_log<<Logger::Error<<"Failed to resolve "<<qname<<", got pdns exception: "< <e.reason<<endl; g_log<<Logger::Error<<"Failed to resolve "<<qname<<", got pdns exception: "< <e.reason<<endl;
ret.clear(); ret.clear();
} }
catch(const ImmediateServFailException& e) { catch(const ImmediateServFailException& e) {
g_log<<Logger::Error<<"Failed to resolve "<<qname<<", got ImmediateServFailE xception: "<<e.reason<<endl; g_log<<Logger::Error<<"Failed to resolve "<<qname<<", got ImmediateServFailE xception: "<<e.reason<<endl;
skipping to change at line 4415 skipping to change at line 4452
g_log<<Logger::Error<<"Failed to update . records, got an exception: "<<e.wh at()<<endl; g_log<<Logger::Error<<"Failed to update . records, got an exception: "<<e.wh at()<<endl;
} }
catch(...) { catch(...) {
g_log<<Logger::Error<<"Failed to update . records, got an exception"<<endl; g_log<<Logger::Error<<"Failed to update . records, got an exception"<<endl;
} }
if(!res) { if(!res) {
g_log<<Logger::Notice<<"Refreshed . records"<<endl; g_log<<Logger::Notice<<"Refreshed . records"<<endl;
} }
else else
g_log<<Logger::Error<<"Failed to update . records, RCODE="<<res<<endl; g_log<<Logger::Warning<<"Failed to update . records, RCODE="<<res<<endl;
return res; return res;
} }
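Review bot: The new `referralOnDS` branch in the AUTHORITY/NS handling leaves `realreferral` false, while the NSEC/NSEC3 denial-of-DS branch just below it (`else if (realreferral && rec.d_place == DNSResourceRecord::AUTHORITY && (rec.d_type == QType::NSEC || rec.d_type == QType::NSEC3) && newauth.isPartOf(auth))`) is still gated on `realreferral`, so a referral that also carries NSEC/NSEC3 records denying the DS for `newauth` appears to go unexamined and the post-loop block then treats the response as a NODATA without a negative indication, going Bogus in a Secure zone; this is inferred from the visible gating only, so worth confirming against the unit tests. If that is the intended outcome, a comment on the `referralOnDS = true;` line saying so would help, e.g. `/* NS set deliberately not collected; any NSEC/NSEC3 DS denial in this response is not evaluated and the referral is reclassified as NODATA after the loop */`; otherwise widening the guard to `else if ((realreferral || referralOnDS) && rec.d_place == DNSResourceRecord::AUTHORITY && (rec.d_type == QType::NSEC || rec.d_type == QType::NSEC3) && newauth.isPartOf(auth)) {` would let the existing DS-denial handling run first. Minor: `(newauth.isPartOf(qname) || qname == newauth)` looks redundant if `DNSName::isPartOf` already includes equality, as its other uses in this function (`qname.isPartOf(rec.d_name)`) suggest; if so `newauth.isPartOf(qname)` alone suffices. The loop body of processRecords is only partially shown here (the page elides several stretches), so there may be further uses of `realreferral` I cannot see.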
 End of changes. 11 change blocks. 
12 lines changed or deleted 60 lines changed or added
