
Source code changes of the file "syncres.cc" between
pdns-recursor-4.5.5.tar.bz2 and pdns-recursor-4.5.6.tar.bz2

About: PowerDNS - a separate release of the PowerDNS Recursor (without the authoritative nameserver).

syncres.cc  (pdns-recursor-4.5.5.tar.bz2):syncres.cc  (pdns-recursor-4.5.6.tar.bz2)
skipping to change at line 1831 skipping to change at line 1831
LOG(prefix<<sqname<<": Found cache hit for "<<sqt.getName()<<": "); LOG(prefix<<sqname<<": Found cache hit for "<<sqt.getName()<<": ");
if (!wasAuthZone && shouldValidate() && (wasCachedAuth || wasForwardRecurse) && cachedState == vState::Indeterminate && d_requireAuthData) { if (!wasAuthZone && shouldValidate() && (wasCachedAuth || wasForwardRecurse) && cachedState == vState::Indeterminate && d_requireAuthData) {
/* This means we couldn't figure out the state when this entry was cached */ /* This means we couldn't figure out the state when this entry was cached */
vState recordState = getValidationStatus(qname, !signatures.empty(), qtype == QType::DS, depth); vState recordState = getValidationStatus(qname, !signatures.empty(), qtype == QType::DS, depth);
if (recordState == vState::Secure) { if (recordState == vState::Secure) {
LOG(prefix<<sqname<<": got vState::Indeterminate state from the cache, v alidating.."<<endl); LOG(prefix<<sqname<<": got vState::Indeterminate state from the cache, v alidating.."<<endl);
if (sqt == QType::DNSKEY) { if (sqt == QType::DNSKEY && sqname == getSigner(signatures)) {
cachedState = validateDNSKeys(sqname, cset, signatures, depth); cachedState = validateDNSKeys(sqname, cset, signatures, depth);
} }
else { else {
if (sqt == QType::ANY) { if (sqt == QType::ANY) {
std::map<QType, CacheEntry> types; std::map<QType, CacheEntry> types;
reapRecordsForValidation(types, cset); reapRecordsForValidation(types, cset);
reapSignaturesForValidation(types, signatures); reapSignaturesForValidation(types, signatures);
for (const auto& type : types) { for (const auto& type : types) {
vState cachedRecordState; vState cachedRecordState;
if (type.first == QType::DNSKEY) { if (type.first == QType::DNSKEY && sqname == getSigner(type.second .signatures)) {
cachedRecordState = validateDNSKeys(sqname, type.second.records, type.second.signatures, depth); cachedRecordState = validateDNSKeys(sqname, type.second.records, type.second.signatures, depth);
} }
else { else {
cachedRecordState = SyncRes::validateRecordsWithSigs(depth, qnam e, qtype, sqname, type.first, type.second.records, type.second.signatures); cachedRecordState = SyncRes::validateRecordsWithSigs(depth, qnam e, qtype, sqname, type.first, type.second.records, type.second.signatures);
} }
updateDNSSECValidationState(cachedState, cachedRecordState); updateDNSSECValidationState(cachedState, cachedRecordState);
} }
} }
else { else {
cachedState = SyncRes::validateRecordsWithSigs(depth, qname, qtype, sqname, sqt, cset, signatures); cachedState = SyncRes::validateRecordsWithSigs(depth, qname, qtype, sqname, sqt, cset, signatures);
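Review bot: The new owner-equals-signer test on both DNSKEY branches (the plain `sqt == QType::DNSKEY` case and the per-type loop under `QType::ANY`) carries no comment explaining why a DNSKEY RRset signed by a different name must not go through validateDNSKeys, which is the security-relevant part of this change. I would add above the first check: `/* Only treat this as a key set when the RRSIG signer is the owner name itself; a DNSKEY RRset signed by another name is validated like any other RRset against the signer's keys, so it cannot bootstrap a trust chain for a zone it does not belong to. */`. What getSigner returns for an empty signature list is not visible here; if it yields an empty name the comparison simply fails and the RRset falls through to validateRecordsWithSigs, which looks intended but is worth confirming. The enclosing function starts and ends outside the hunk.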
skipping to change at line 2355 skipping to change at line 2355
LOG(prefix<<qname<<": server throttled "<<endl); LOG(prefix<<qname<<": server throttled "<<endl);
s_throttledqueries++; d_throttledqueries++; s_throttledqueries++; d_throttledqueries++;
return true; return true;
} }
else if(t_sstorage.throttle.shouldThrottle(d_now.tv_sec, boost::make_tuple(rem oteIP, qname, qtype.getCode()))) { else if(t_sstorage.throttle.shouldThrottle(d_now.tv_sec, boost::make_tuple(rem oteIP, qname, qtype.getCode()))) {
LOG(prefix<<qname<<": query throttled "<<remoteIP.toString()<<", "<<qname<<" ; "<<qtype.getName()<<endl); LOG(prefix<<qname<<": query throttled "<<remoteIP.toString()<<", "<<qname<<" ; "<<qtype.getName()<<endl);
s_throttledqueries++; d_throttledqueries++; s_throttledqueries++; d_throttledqueries++;
return true; return true;
} }
else if(!pierceDontQuery && s_dontQuery && s_dontQuery->match(&remoteIP)) { else if(!pierceDontQuery && s_dontQuery && s_dontQuery->match(&remoteIP)) {
LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ", bl // We could have retrieved an NS from the cache in a forwarding domain
ocked by 'dont-query' setting" << endl); // Even in the case of !pierceDontQuery we still want to allow that NS
s_dontqueries++; DNSName forwardCandidate(qname);
return true; auto it = getBestAuthZone(&forwardCandidate);
if (it == t_sstorage.domainmap->end()) {
LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ",
blocked by 'dont-query' setting" << endl);
s_dontqueries++;
return true;
} else {
// The name (from the cache) is forwarded, but is it forwarded to an IP in
known forwarders?
const auto& ips = it->second.d_servers;
if (std::find(ips.cbegin(), ips.cend(), remoteIP) == ips.cend()) {
LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << "
, blocked by 'dont-query' setting" << endl);
s_dontqueries++;
return true;
} else {
LOG(prefix<<qname<<": sending query to " << remoteIP.toString() << ", bl
ocked by 'dont-query' but a forwarding/auth case" << endl);
}
}
} }
return false; return false;
} }
bool SyncRes::validationEnabled() const bool SyncRes::validationEnabled() const
{ {
return g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessN oValidate; return g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessN oValidate;
} }
uint32_t SyncRes::computeLowestTTD(const std::vector<DNSRecord>& records, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures, uint32_t signatur esTTL, const std::vector<std::shared_ptr<DNSRecord>>& authorityRecs) const uint32_t SyncRes::computeLowestTTD(const std::vector<DNSRecord>& records, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures, uint32_t signatur esTTL, const std::vector<std::shared_ptr<DNSRecord>>& authorityRecs) const
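Review bot: The allow path at the bottom of the new dont-query block logs `sending query to ... blocked by 'dont-query'` for a query that is in fact being sent, and the blocked LOG plus `s_dontqueries++; return true;` is now duplicated, so I would compute a single `allowed` flag and keep one blocked branch as sketched below. Whether `std::find(ips.cbegin(), ips.cend(), remoteIP)` matches also depends on how ComboAddress equality treats the port: if the entries in `d_servers` carry an explicit port and `remoteIP` here does not (or vice versa), a legitimate forwarder would still be blocked, which is worth confirming against the ComboAddress comparison operator. Note that getBestAuthZone covers auth zones as well as forward zones, which the log wording acknowledges but the leading comment does not. The enclosing function starts outside the hunk; its closing `return false;` is visible at the end.
```cpp
  else if(!pierceDontQuery && s_dontQuery && s_dontQuery->match(&remoteIP)) {
    // An NS learned from the cache may belong to a forwarded or auth zone; let it
    // through only when remoteIP is one of that zone's configured servers.
    bool allowed = false;
    DNSName forwardCandidate(qname);
    auto it = getBestAuthZone(&forwardCandidate);
    if (it != t_sstorage.domainmap->end()) {
      const auto& ips = it->second.d_servers;
      allowed = std::find(ips.cbegin(), ips.cend(), remoteIP) != ips.cend();
    }
    if (!allowed) {
      LOG(prefix<<qname<<": not sending query to " << remoteIP.toString() << ", blocked by 'dont-query' setting" << endl);
      s_dontqueries++;
      return true;
    }
    LOG(prefix<<qname<<": sending query to " << remoteIP.toString() << ", matched by 'dont-query' but it is a configured forwarding/auth server for " << forwardCandidate << endl);
  }
  // … unchanged: return false; …
```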
skipping to change at line 2822 skipping to change at line 2838
if ((qtype == QType::DNSKEY || qtype == QType::DS) && signer == qname) { if ((qtype == QType::DNSKEY || qtype == QType::DS) && signer == qname) {
/* we are already retrieving those keys, sorry */ /* we are already retrieving those keys, sorry */
if (type == QType::DS && signer == name && !signer.isRoot()) { if (type == QType::DS && signer == name && !signer.isRoot()) {
/* Unless we are getting the DS of the root zone, we should never see a /* Unless we are getting the DS of the root zone, we should never see a
DS (or a denial of a DS) signed by the DS itself, since we should be DS (or a denial of a DS) signed by the DS itself, since we should be
requesting it from the parent zone. Something is very wrong */ requesting it from the parent zone. Something is very wrong */
LOG(d_prefix<<"The DS for "<<qname<<" is signed by itself"<<endl); LOG(d_prefix<<"The DS for "<<qname<<" is signed by itself"<<endl);
state = vState::BogusSelfSignedDS; state = vState::BogusSelfSignedDS;
dsFailed = true; dsFailed = true;
} }
else if (qtype == QType::DS && signer == qname && !signer.isRoot() && (typ
e == QType::SOA || type == QType::NSEC || type == QType::NSEC3)) {
/* if we are trying to validate the DS or more likely NSEC(3)s proving t
hat it does not exist, we have a problem.
In that case let's go Bogus (we will check later if we missed a cut)
*/
state = vState::BogusSelfSignedDS;
dsFailed = true;
}
else if (qtype == QType::DNSKEY && signer == qname) { else if (qtype == QType::DNSKEY && signer == qname) {
/* that actually does happen when a server returns NS records in authori ty /* that actually does happen when a server returns NS records in authori ty
along with the DNSKEY, leading us to trying to validate the RRSIGs fo r along with the DNSKEY, leading us to trying to validate the RRSIGs fo r
the NS with the DNSKEY that we are about to process. */ the NS with the DNSKEY that we are about to process. */
if ((name == signer && type == QType::NSEC) || type == QType::NSEC3) { if ((name == signer && type == QType::NSEC) || type == QType::NSEC3) {
/* if we are trying to validate the DNSKEY (should not happen here), /* if we are trying to validate the DNSKEY (should not happen here),
or more likely NSEC(3)s proving that it does not exist, we have a p roblem. or more likely NSEC(3)s proving that it does not exist, we have a p roblem.
In that case let's see if the DS does exist, and if it does let's g o Bogus In that case let's see if the DS does exist, and if it does let's g o Bogus
*/ */
dsmap_t results; dsmap_t results;
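Review bot: The new `else if` that marks a DS query's SOA/NSEC/NSEC3 signed by `qname` itself as BogusSelfSignedDS emits no LOG line, unlike the sibling branch directly above it that logs `The DS for ... is signed by itself`, so a Bogus outcome from this path leaves no trace in the resolver log. I would add before `state = vState::BogusSelfSignedDS;`: `LOG(d_prefix<<"The "<<QType(type).getName()<<" for the DS query of "<<qname<<" is signed by "<<signer<<" itself"<<endl);`. The comment "we will check later if we missed a cut" refers to logic that is not visible in this hunk; naming the function or condition that performs that later check would help the next reader. The enclosing function starts and ends outside the hunk.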
skipping to change at line 3341 skipping to change at line 3364
contains only authoritative data. However when the name sought is an contains only authoritative data. However when the name sought is an
alias (see section 10.1.1) only the record describing that alias is alias (see section 10.1.1) only the record describing that alias is
necessarily authoritative. Clients should assume that other records necessarily authoritative. Clients should assume that other records
may have come from the server's cache. Where authoritative answers may have come from the server's cache. Where authoritative answers
are required, the client should query again, using the canonical name are required, the client should query again, using the canonical name
associated with the alias. associated with the alias.
*/ */
isAA = false; isAA = false;
expectSignature = false; expectSignature = false;
} }
else if (isDNAMEAnswer && (i->first.place != DNSResourceRecord::ANSWER || i-
>first.type != QType::DNAME || !qname.isPartOf(i->first.name))) {
/* see above */
isAA = false;
expectSignature = false;
}
if (isCNAMEAnswer && i->first.place == DNSResourceRecord::AUTHORITY && i->fi if ((isCNAMEAnswer || isDNAMEAnswer) && i->first.place == DNSResourceRecord:
rst.type == QType::NS && auth == i->first.name) { :AUTHORITY && i->first.type == QType::NS && auth == i->first.name) {
/* These NS can't be authoritative since we have a CNAME answer for which /* These NS can't be authoritative since we have a CNAME/DNAME answer for
(see above) only the which (see above) only the
record describing that alias is necessarily authoritative. record describing that alias is necessarily authoritative.
But if we allow the current auth, which might be serving the child zone , to raise the TTL But if we allow the current auth, which might be serving the child zone , to raise the TTL
of non-authoritative NS in the cache, they might be able to keep a "gho st" zone alive forever, of non-authoritative NS in the cache, they might be able to keep a "gho st" zone alive forever,
even after the delegation is gone from the parent. even after the delegation is gone from the parent.
So let's just do nothing with them, we can fetch them directly if we ne ed them. So let's just do nothing with them, we can fetch them directly if we ne ed them.
*/ */
LOG(d_prefix<<": skipping authority NS from '"<<auth<<"' nameservers in CN AME answer "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)< <endl); LOG(d_prefix<<": skipping authority NS from '"<<auth<<"' nameservers in CN AME/DNAME answer "<<i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first. type)<<endl);
continue; continue;
} }
/* /*
* RFC 6672 section 5.3.1 * RFC 6672 section 5.3.1
* In any response, a signed DNAME RR indicates a non-terminal * In any response, a signed DNAME RR indicates a non-terminal
* redirection of the query. There might or might not be a server- * redirection of the query. There might or might not be a server-
* synthesized CNAME in the answer section; if there is, the CNAME will * synthesized CNAME in the answer section; if there is, the CNAME will
* never be signed. For a DNSSEC validator, verification of the DNAME * never be signed. For a DNSSEC validator, verification of the DNAME
* RR and then that the CNAME was properly synthesized is sufficient * RR and then that the CNAME was properly synthesized is sufficient
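Review bot: The new DNAME branch uses `!qname.isPartOf(i->first.name)` to decide whether a DNAME record can be authoritative for this answer, but a DNAME owner must be a proper ancestor of the query name; RFC 6672 excludes the owner name itself from the redirection. If DNSName::isPartOf returns true for an equal name (its definition is not visible here), a DNAME owned by `qname` would pass this test and be treated as authoritative with a signature expected; if proper-ancestor semantics are intended, `qname != i->first.name && qname.isPartOf(i->first.name)` would make that explicit. The `/* see above */` now points at a CNAME-specific RFC citation, so a one-line comment such as `/* for a DNAME answer only the DNAME itself, owned by an ancestor of qname and placed in the answer section, is necessarily authoritative */` would make the branch self-explanatory. The enclosing function starts and ends outside the hunk.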
skipping to change at line 3377 skipping to change at line 3405
expectSignature = false; expectSignature = false;
} }
vState recordState = vState::Indeterminate; vState recordState = vState::Indeterminate;
if (expectSignature && shouldValidate()) { if (expectSignature && shouldValidate()) {
vState initialState = getValidationStatus(i->first.name, !i->second.signat ures.empty(), i->first.type == QType::DS, depth); vState initialState = getValidationStatus(i->first.name, !i->second.signat ures.empty(), i->first.type == QType::DS, depth);
LOG(d_prefix<<": got initial zone status "<<initialState<<" for record "<< i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl); LOG(d_prefix<<": got initial zone status "<<initialState<<" for record "<< i->first.name<<"|"<<DNSRecordContent::NumberToType(i->first.type)<<endl);
if (initialState == vState::Secure) { if (initialState == vState::Secure) {
if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecor d::ANSWER) { if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecor d::ANSWER && i->first.name == getSigner(i->second.signatures)) {
LOG(d_prefix<<"Validating DNSKEY for "<<i->first.name<<endl); LOG(d_prefix<<"Validating DNSKEY for "<<i->first.name<<endl);
recordState = validateDNSKeys(i->first.name, i->second.records, i->sec ond.signatures, depth); recordState = validateDNSKeys(i->first.name, i->second.records, i->sec ond.signatures, depth);
} }
else { else {
LOG(d_prefix<<"Validating non-additional "<<QType(i->first.type).getNa me()<<" record for "<<i->first.name<<endl); LOG(d_prefix<<"Validating non-additional "<<QType(i->first.type).getNa me()<<" record for "<<i->first.name<<endl);
recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.na me, QType(i->first.type), i->second.records, i->second.signatures); recordState = validateRecordsWithSigs(depth, qname, qtype, i->first.na me, QType(i->first.type), i->second.records, i->second.signatures);
} }
} }
else { else {
recordState = initialState; recordState = initialState;
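Review bot: The owner-equals-signer guard added to the DNSKEY condition here repeats the expression introduced in the cache-hit path (both the plain DNSKEY case and the per-type loop), so the same rule now lives in three places with no comment at any of them. Assuming getSigner takes the signature vector as it does here, a small helper would name the intent and keep the three sites in step: `static bool isSelfSignedDNSKEY(const DNSName& owner, const std::vector<std::shared_ptr<RRSIGRecordContent>>& sigs) { return owner == getSigner(sigs); }`, used as `if (i->first.type == QType::DNSKEY && i->first.place == DNSResourceRecord::ANSWER && isSelfSignedDNSKEY(i->first.name, i->second.signatures))`. A DNSKEY RRset that fails the check now falls into the `else` branch and is logged as `Validating non-additional DNSKEY record for ...`; that fall-through looks deliberate, and a comment saying so would stop a future maintainer from "fixing" it. The enclosing function starts and ends outside the hunk.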
skipping to change at line 4509 skipping to change at line 4537
void SyncRes::parseEDNSSubnetAddFor(const std::string& subnetlist) void SyncRes::parseEDNSSubnetAddFor(const std::string& subnetlist)
{ {
vector<string> parts; vector<string> parts;
stringtok(parts, subnetlist, ",; "); stringtok(parts, subnetlist, ",; ");
for(const auto& a : parts) { for(const auto& a : parts) {
s_ednslocalsubnets.addMask(a); s_ednslocalsubnets.addMask(a);
} }
} }
int directResolve(const DNSName& qname, const QType qtype, int qclass, vector<DN // used by PowerDNSLua - note that this neglects to add the packet count & stati
SRecord>& ret) stics back to pdns_recursor.cc
int directResolve(const DNSName& qname, const QType qtype, int qclass, vector<DN
SRecord>& ret, shared_ptr<RecursorLua4> pdl)
{ {
return directResolve(qname, qtype, qclass, ret, SyncRes::s_qnameminimization); return directResolve(qname, qtype, qclass, ret, pdl, SyncRes::s_qnameminimizat ion);
} }
// used by PowerDNSLua - note that this neglects to add the packet count & stati int directResolve(const DNSName& qname, const QType qtype, int qclass, vector<DN
stics back to pdns_recursor.cc SRecord>& ret, shared_ptr<RecursorLua4> pdl, bool qm)
int directResolve(const DNSName& qname, const QType qtype, int qclass, vector<DN
SRecord>& ret, bool qm)
{ {
struct timeval now; struct timeval now;
gettimeofday(&now, 0); gettimeofday(&now, 0);
SyncRes sr(now); SyncRes sr(now);
sr.setQNameMinimization(qm); sr.setQNameMinimization(qm);
if (pdl) {
sr.setLuaEngine(pdl);
}
int res = -1; int res = -1;
try { try {
res = sr.beginResolve(qname, qtype, qclass, ret, 0); res = sr.beginResolve(qname, qtype, qclass, ret, 0);
} }
catch(const PDNSException& e) { catch(const PDNSException& e) {
g_log<<Logger::Error<<"Failed to resolve "<<qname<<", got pdns exception: "< <e.reason<<endl; g_log<<Logger::Error<<"Failed to resolve "<<qname<<", got pdns exception: "< <e.reason<<endl;
ret.clear(); ret.clear();
} }
catch(const ImmediateServFailException& e) { catch(const ImmediateServFailException& e) {
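Review bot: The four-argument `directResolve(qname, qtype, qclass, ret)` overload is removed and both remaining signatures require a `shared_ptr<RecursorLua4> pdl` argument, so any caller outside this hunk that still uses the old arity will fail to compile unless it is updated in the same change; a default on the declaration, `shared_ptr<RecursorLua4> pdl = nullptr`, would keep that call form source-compatible. The `// used by PowerDNSLua - note that this neglects to add the packet count & statistics back to pdns_recursor.cc` comment now sits on the short wrapper while the `if (pdl) { sr.setLuaEngine(pdl); }` lives in the longer overload; the comment on the longer one should say that a null `pdl` leaves the SyncRes without a Lua engine, since that is the only visible effect of the new parameter. Passing the `shared_ptr` by value is fine here only because it is handed to setLuaEngine; if that call copies rather than moves, `const shared_ptr<RecursorLua4>&` would avoid an extra refcount bump. The function continues past the end of the hunk.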
 End of changes. 12 change blocks. 
19 lines changed or deleted 56 lines changed or added
