"Fossies" - the Fresh Open Source Software Archive

Member "nsd-4.3.6/query.c" (6 Apr 2021, 51557 Bytes) of package /linux/misc/dns/nsd-4.3.6.tar.gz:


As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style: standard) with prefixed line numbers and code folding option. Alternatively you can here view or download the uninterpreted source code file. For more information about "query.c" see the Fossies "Dox" file reference documentation and the latest Fossies "Diffs" side-by-side code changes report: 4.3.5_vs_4.3.6.

    1 /*
    2  * query.c -- nsd(8) the resolver.
    3  *
    4  * Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
    5  *
    6  * See LICENSE for the license.
    7  *
    8  */
    9 
   10 #include "config.h"
   11 
   12 #include <sys/types.h>
   13 #include <sys/socket.h>
   14 #include <netinet/in.h>
   15 #include <arpa/inet.h>
   16 #include <assert.h>
   17 #include <ctype.h>
   18 #include <errno.h>
   19 #include <limits.h>
   20 #include <stddef.h>
   21 #include <stdio.h>
   22 #include <stdlib.h>
   23 #include <string.h>
   24 #include <time.h>
   25 #include <unistd.h>
   26 #include <netdb.h>
   27 
   28 #include "answer.h"
   29 #include "axfr.h"
   30 #include "dns.h"
   31 #include "dname.h"
   32 #include "nsd.h"
   33 #include "namedb.h"
   34 #include "query.h"
   35 #include "util.h"
   36 #include "options.h"
   37 #include "nsec3.h"
   38 #include "tsig.h"
   39 
   40 /* [Bug #253] Adding unnecessary NS RRset may lead to undesired truncation.
   41  * This function determines if the final response packet needs the NS RRset
   42  * included. Currently, it will only return negative if QTYPE == DNSKEY|DS.
   43  * This way, resolvers won't fallback to TCP unnecessarily when priming
   44  * trust anchors.
   45  */
   46 static int answer_needs_ns(struct query  *query);
   47 
   48 static int add_rrset(struct query  *query,
   49              answer_type    *answer,
   50              rr_section_type section,
   51              domain_type    *owner,
   52              rrset_type     *rrset);
   53 
   54 static void answer_authoritative(struct nsd   *nsd,
   55                  struct query     *q,
   56                  answer_type      *answer,
   57                  size_t            domain_number,
   58                  int               exact,
   59                  domain_type      *closest_match,
   60                  domain_type      *closest_encloser,
   61                  const dname_type *qname);
   62 
   63 static void answer_lookup_zone(struct nsd *nsd, struct query *q,
   64                    answer_type *answer, size_t domain_number,
   65                    int exact, domain_type *closest_match,
   66                    domain_type *closest_encloser,
   67                    const dname_type *qname);
   68 
   69 void
   70 query_put_dname_offset(struct query *q, domain_type *domain, uint16_t offset)
   71 {
   72     assert(q);
   73     assert(domain);
   74     assert(domain->number > 0);
   75 
   76     if (offset > MAX_COMPRESSION_OFFSET)
   77         return;
   78     if (q->compressed_dname_count >= MAX_COMPRESSED_DNAMES)
   79         return;
   80 
   81     q->compressed_dname_offsets[domain->number] = offset;
   82     q->compressed_dnames[q->compressed_dname_count] = domain;
   83     ++q->compressed_dname_count;
   84 }
   85 
   86 void
   87 query_clear_dname_offsets(struct query *q, size_t max_offset)
   88 {
   89     while (q->compressed_dname_count > 0
   90            && (q->compressed_dname_offsets[q->compressed_dnames[q->compressed_dname_count - 1]->number]
   91            >= max_offset))
   92     {
   93         q->compressed_dname_offsets[q->compressed_dnames[q->compressed_dname_count - 1]->number] = 0;
   94         --q->compressed_dname_count;
   95     }
   96 }
   97 
   98 void
   99 query_clear_compression_tables(struct query *q)
  100 {
  101     uint16_t i;
  102 
  103     for (i = 0; i < q->compressed_dname_count; ++i) {
  104         assert(q->compressed_dnames);
  105         q->compressed_dname_offsets[q->compressed_dnames[i]->number] = 0;
  106     }
  107     q->compressed_dname_count = 0;
  108 }
  109 
  110 void
  111 query_add_compression_domain(struct query *q, domain_type *domain, uint16_t offset)
  112 {
  113     while (domain->parent) {
  114         DEBUG(DEBUG_NAME_COMPRESSION, 2,
  115               (LOG_INFO, "query dname: %s, number: %lu, offset: %u\n",
  116                domain_to_string(domain),
  117                (unsigned long) domain->number,
  118                offset));
  119         query_put_dname_offset(q, domain, offset);
  120         offset += label_length(dname_name(domain_dname(domain))) + 1;
  121         domain = domain->parent;
  122     }
  123 }
  124 
  125 /*
  126  * Generate an error response with the specified RCODE.
  127  */
  128 query_state_type
  129 query_error (struct query *q, nsd_rc_type rcode)
  130 {
  131     if (rcode == NSD_RC_DISCARD) {
  132         return QUERY_DISCARDED;
  133     }
  134 
  135     buffer_clear(q->packet);
  136 
  137     QR_SET(q->packet);     /* This is an answer.  */
  138     AD_CLR(q->packet);
  139     RCODE_SET(q->packet, (int) rcode); /* Error code.  */
  140 
  141     /* Truncate the question as well... */
  142     QDCOUNT_SET(q->packet, 0);
  143     ANCOUNT_SET(q->packet, 0);
  144     NSCOUNT_SET(q->packet, 0);
  145     ARCOUNT_SET(q->packet, 0);
  146     buffer_set_position(q->packet, QHEADERSZ);
  147     return QUERY_PROCESSED;
  148 }
  149 
  150 static int
  151 query_ratelimit_err(nsd_type* nsd)
  152 {
  153     time_t now = time(NULL);
  154     if(nsd->err_limit_time == now) {
  155         /* see if limit is exceeded for this second */
  156         if(nsd->err_limit_count++ > ERROR_RATELIMIT)
  157             return 1;
  158     } else {
  159         /* new second, new limits */
  160         nsd->err_limit_time = now;
  161         nsd->err_limit_count = 1;
  162     }
  163     return 0;
  164 }
  165 
  166 static query_state_type
  167 query_formerr (struct query *query, nsd_type* nsd)
  168 {
  169     int opcode = OPCODE(query->packet);
  170     if(query_ratelimit_err(nsd))
  171         return QUERY_DISCARDED;
  172     FLAGS_SET(query->packet, FLAGS(query->packet) & 0x0100U);
  173             /* Preserve the RD flag. Clear the rest. */
  174     OPCODE_SET(query->packet, opcode);
  175     return query_error(query, NSD_RC_FORMAT);
  176 }
  177 
  178 static void
  179 query_cleanup(void *data)
  180 {
  181     query_type *query = (query_type *) data;
  182     region_destroy(query->region);
  183 }
  184 
  185 query_type *
  186 query_create(region_type *region, uint16_t *compressed_dname_offsets,
  187     size_t compressed_dname_size, domain_type **compressed_dnames)
  188 {
  189     query_type *query
  190         = (query_type *) region_alloc_zero(region, sizeof(query_type));
  191     /* create region with large block size, because the initial chunk
  192        saves many mallocs in the server */
  193     query->region = region_create_custom(xalloc, free, 16384, 16384/8, 32, 0);
  194     query->compressed_dname_offsets = compressed_dname_offsets;
  195     query->compressed_dnames = compressed_dnames;
  196     query->packet = buffer_create(region, QIOBUFSZ);
  197     region_add_cleanup(region, query_cleanup, query);
  198     query->compressed_dname_offsets_size = compressed_dname_size;
  199     tsig_create_record(&query->tsig, region);
  200     query->tsig_prepare_it = 1;
  201     query->tsig_update_it = 1;
  202     query->tsig_sign_it = 1;
  203     return query;
  204 }
  205 
  206 void
  207 query_reset(query_type *q, size_t maxlen, int is_tcp)
  208 {
  209     /*
  210      * As long as less than 4Kb (region block size) has been used,
  211      * this call to free_all is free, the block is saved for re-use,
  212      * so no malloc() or free() calls are done.
  213      * at present use of the region is for:
  214      *   o query qname dname_type (255 max).
  215      *   o wildcard expansion domain_type (7*ptr+u32+2bytes)+(5*ptr nsec3)
  216      *   o wildcard expansion for additional section domain_type.
  217      *   o nsec3 hashed name(s) (3 dnames for a nonexist_proof,
  218      *     one proof per wildcard and for nx domain).
  219      */
  220     region_free_all(q->region);
  221     q->addrlen = sizeof(q->addr);
  222     q->maxlen = maxlen;
  223     q->reserved_space = 0;
  224     buffer_clear(q->packet);
  225     edns_init_record(&q->edns);
  226     tsig_init_record(&q->tsig, NULL, NULL);
  227     q->tsig_prepare_it = 1;
  228     q->tsig_update_it = 1;
  229     q->tsig_sign_it = 1;
  230     q->tcp = is_tcp;
  231     q->qname = NULL;
  232     q->qtype = 0;
  233     q->qclass = 0;
  234     q->zone = NULL;
  235     q->opcode = 0;
  236     q->cname_count = 0;
  237     q->delegation_domain = NULL;
  238     q->delegation_rrset = NULL;
  239     q->compressed_dname_count = 0;
  240     q->number_temporary_domains = 0;
  241 
  242     q->axfr_is_done = 0;
  243     q->axfr_zone = NULL;
  244     q->axfr_current_domain = NULL;
  245     q->axfr_current_rrset = NULL;
  246     q->axfr_current_rr = 0;
  247 
  248 #ifdef RATELIMIT
  249     q->wildcard_domain = NULL;
  250 #endif
  251 }
  252 
  253 /* get a temporary domain number (or 0=failure) */
  254 static domain_type*
  255 query_get_tempdomain(struct query *q)
  256 {
  257     static domain_type d[EXTRA_DOMAIN_NUMBERS];
  258     if(q->number_temporary_domains >= EXTRA_DOMAIN_NUMBERS)
  259         return 0;
  260     q->number_temporary_domains ++;
  261     memset(&d[q->number_temporary_domains-1], 0, sizeof(domain_type));
  262     d[q->number_temporary_domains-1].number = q->compressed_dname_offsets_size +
  263         q->number_temporary_domains - 1;
  264     return &d[q->number_temporary_domains-1];
  265 }
  266 
  267 static void
  268 query_addtxt(struct query  *q,
  269          const uint8_t *dname,
  270          uint16_t       klass,
  271          uint32_t       ttl,
  272          const char    *txt)
  273 {
  274     size_t txt_length = strlen(txt);
  275     uint8_t len = (uint8_t) txt_length;
  276 
  277     assert(txt_length <= UCHAR_MAX);
  278 
  279     /* Add the dname */
  280     if (dname >= buffer_begin(q->packet)
  281         && dname <= buffer_current(q->packet))
  282     {
  283         buffer_write_u16(q->packet,
  284                  0xc000 | (dname - buffer_begin(q->packet)));
  285     } else {
  286         buffer_write(q->packet, dname + 1, *dname);
  287     }
  288 
  289     buffer_write_u16(q->packet, TYPE_TXT);
  290     buffer_write_u16(q->packet, klass);
  291     buffer_write_u32(q->packet, ttl);
  292     buffer_write_u16(q->packet, len + 1);
  293     buffer_write_u8(q->packet, len);
  294     buffer_write(q->packet, txt, len);
  295 }
  296 
  297 /*
  298  * Parse the question section of a query.  The normalized query name
  299  * is stored in QUERY->name, the class in QUERY->klass, and the type
  300  * in QUERY->type.
  301  */
  302 static int
  303 process_query_section(query_type *query)
  304 {
  305     uint8_t qnamebuf[MAXDOMAINLEN];
  306 
  307     buffer_set_position(query->packet, QHEADERSZ);
  308     /* Lets parse the query name and convert it to lower case.  */
  309     if(!packet_read_query_section(query->packet, qnamebuf,
  310         &query->qtype, &query->qclass))
  311         return 0;
  312     query->qname = dname_make(query->region, qnamebuf, 1);
  313     return 1;
  314 }
  315 
  316 
  317 /*
  318  * Process an optional EDNS OPT record.  Sets QUERY->EDNS to 0 if
  319  * there was no EDNS record, to -1 if there was an invalid or
  320  * unsupported EDNS record, and to 1 otherwise.  Updates QUERY->MAXLEN
  321  * if the EDNS record specifies a maximum supported response length.
  322  *
  323  * Return NSD_RC_FORMAT on failure, NSD_RC_OK on success.
  324  */
  325 static nsd_rc_type
  326 process_edns(nsd_type* nsd, struct query *q)
  327 {
  328     if (q->edns.status == EDNS_ERROR) {
  329         /* The only error is VERSION not implemented */
  330         return NSD_RC_FORMAT;
  331     }
  332 
  333     if (q->edns.status == EDNS_OK) {
  334         /* Only care about UDP size larger than normal... */
  335         if (!q->tcp && q->edns.maxlen > UDP_MAX_MESSAGE_LEN) {
  336             size_t edns_size;
  337 #if defined(INET6)
  338             if (q->addr.ss_family == AF_INET6) {
  339                 edns_size = nsd->ipv6_edns_size;
  340             } else
  341 #endif
  342             edns_size = nsd->ipv4_edns_size;
  343 
  344             if (q->edns.maxlen < edns_size) {
  345                 q->maxlen = q->edns.maxlen;
  346             } else {
  347                 q->maxlen = edns_size;
  348             }
  349 
  350 #if defined(INET6) && !defined(IPV6_USE_MIN_MTU) && !defined(IPV6_MTU)
  351             /*
  352              * Use IPv6 minimum MTU to avoid sending
  353              * packets that are too large for some links.
  354              * IPv6 will not automatically fragment in
  355              * this case (unlike IPv4).
  356              */
  357             if (q->addr.ss_family == AF_INET6
  358                 && q->maxlen > IPV6_MIN_MTU)
  359             {
  360                 q->maxlen = IPV6_MIN_MTU;
  361             }
  362 #endif
  363         }
  364 
  365         /* Strip the OPT resource record off... */
  366         buffer_set_position(q->packet, q->edns.position);
  367         buffer_set_limit(q->packet, q->edns.position);
  368         ARCOUNT_SET(q->packet, ARCOUNT(q->packet) - 1);
  369     }
  370     return NSD_RC_OK;
  371 }
  372 
  373 /*
  374  * Processes TSIG.
  375  * Sets error when tsig does not verify on the query.
  376  */
  377 static nsd_rc_type
  378 process_tsig(struct query* q)
  379 {
  380     if(q->tsig.status == TSIG_ERROR)
  381         return NSD_RC_FORMAT;
  382     if(q->tsig.status == TSIG_OK) {
  383         if(!tsig_from_query(&q->tsig)) {
  384             char a[128];
  385             addr2str(&q->addr, a, sizeof(a));
  386             log_msg(LOG_ERR, "query: bad tsig (%s) for key %s from %s",
  387                 tsig_error(q->tsig.error_code),
  388                 dname_to_string(q->tsig.key_name, NULL), a);
  389             return NSD_RC_NOTAUTH;
  390         }
  391         buffer_set_limit(q->packet, q->tsig.position);
  392         ARCOUNT_SET(q->packet, ARCOUNT(q->packet) - 1);
  393         tsig_prepare(&q->tsig);
  394         tsig_update(&q->tsig, q->packet, buffer_limit(q->packet));
  395         if(!tsig_verify(&q->tsig)) {
  396             char a[128];
  397             addr2str(&q->addr, a, sizeof(a));
  398             log_msg(LOG_ERR, "query: bad tsig signature for key %s from %s",
  399                 dname_to_string(q->tsig.key->name, NULL), a);
  400             return NSD_RC_NOTAUTH;
  401         }
  402         DEBUG(DEBUG_XFRD,1, (LOG_INFO, "query good tsig signature for %s",
  403             dname_to_string(q->tsig.key->name, NULL)));
  404     }
  405     return NSD_RC_OK;
  406 }
  407 
  408 /*
  409  * Check notify acl and forward to xfrd (or return an error).
  410  */
  411 static query_state_type
  412 answer_notify(struct nsd* nsd, struct query *query)
  413 {
  414     int acl_num, acl_num_xfr;
  415     struct acl_options *why;
  416     nsd_rc_type rc;
  417 
  418     struct zone_options* zone_opt;
  419     DEBUG(DEBUG_XFRD,1, (LOG_INFO, "got notify %s processing acl",
  420         dname_to_string(query->qname, NULL)));
  421 
  422     zone_opt = zone_options_find(nsd->options, query->qname);
  423     if(!zone_opt)
  424         return query_error(query, NSD_RC_NXDOMAIN);
  425 
  426     if(!nsd->this_child) /* we are in debug mode or something */
  427         return query_error(query, NSD_RC_SERVFAIL);
  428 
  429     if(!tsig_find_rr(&query->tsig, query->packet)) {
  430         DEBUG(DEBUG_XFRD,2, (LOG_ERR, "bad tsig RR format"));
  431         return query_error(query, NSD_RC_FORMAT);
  432     }
  433     rc = process_tsig(query);
  434     if(rc != NSD_RC_OK)
  435         return query_error(query, rc);
  436 
  437     /* check if it passes acl */
  438     if((acl_num = acl_check_incoming(zone_opt->pattern->allow_notify, query,
  439         &why)) != -1)
  440     {
  441         sig_atomic_t mode = NSD_PASS_TO_XFRD;
  442         int s = nsd->this_child->parent_fd;
  443         uint16_t sz;
  444         uint32_t acl_send = htonl(acl_num);
  445         uint32_t acl_xfr;
  446         size_t pos;
  447 
  448         /* Find priority candidate for request XFR. -1 if no match */
  449         acl_num_xfr = acl_check_incoming(
  450             zone_opt->pattern->request_xfr, query, NULL);
  451 
  452         acl_xfr = htonl(acl_num_xfr);
  453 
  454         assert(why);
  455         DEBUG(DEBUG_XFRD,1, (LOG_INFO, "got notify %s passed acl %s %s",
  456             dname_to_string(query->qname, NULL),
  457             why->ip_address_spec,
  458             why->nokey?"NOKEY":
  459             (why->blocked?"BLOCKED":why->key_name)));
  460         sz = buffer_limit(query->packet);
  461         if(buffer_limit(query->packet) > MAX_PACKET_SIZE)
  462             return query_error(query, NSD_RC_SERVFAIL);
  463         /* forward to xfrd for processing
  464            Note. Blocking IPC I/O, but acl is OK. */
  465         sz = htons(sz);
  466         if(!write_socket(s, &mode, sizeof(mode)) ||
  467             !write_socket(s, &sz, sizeof(sz)) ||
  468             !write_socket(s, buffer_begin(query->packet),
  469                 buffer_limit(query->packet)) ||
  470             !write_socket(s, &acl_send, sizeof(acl_send)) ||
  471             !write_socket(s, &acl_xfr, sizeof(acl_xfr))) {
  472             log_msg(LOG_ERR, "error in IPC notify server2main, %s",
  473                 strerror(errno));
  474             return query_error(query, NSD_RC_SERVFAIL);
  475         }
  476         if(verbosity >= 1) {
  477             uint32_t serial = 0;
  478             char address[128];
  479             addr2str(&query->addr, address, sizeof(address));
  480             if(packet_find_notify_serial(query->packet, &serial))
  481               VERBOSITY(1, (LOG_INFO, "notify for %s from %s serial %u",
  482                 dname_to_string(query->qname, NULL), address,
  483                 (unsigned)serial));
  484             else
  485               VERBOSITY(1, (LOG_INFO, "notify for %s from %s",
  486                 dname_to_string(query->qname, NULL), address));
  487         }
  488 
  489         /* create notify reply - keep same query contents */
  490         QR_SET(query->packet);         /* This is an answer.  */
  491         AA_SET(query->packet);     /* we are authoritative. */
  492         ANCOUNT_SET(query->packet, 0);
  493         NSCOUNT_SET(query->packet, 0);
  494         ARCOUNT_SET(query->packet, 0);
  495         RCODE_SET(query->packet, RCODE_OK); /* Error code.  */
  496         /* position is right after the query */
  497         pos = buffer_position(query->packet);
  498         buffer_clear(query->packet);
  499         buffer_set_position(query->packet, pos);
  500         /* tsig is added in add_additional later (if needed) */
  501         return QUERY_PROCESSED;
  502     }
  503 
  504     if (verbosity >= 2) {
  505         char address[128];
  506         addr2str(&query->addr, address, sizeof(address));
  507         VERBOSITY(2, (LOG_INFO, "notify for %s from %s refused, %s%s",
  508             dname_to_string(query->qname, NULL),
  509             address,
  510             why?why->key_name:"no acl matches",
  511             why?why->ip_address_spec:"."));
  512     }
  513 
  514     return query_error(query, NSD_RC_REFUSE);
  515 }
  516 
  517 
  518 /*
  519  * Answer a query in the CHAOS class.
  520  */
  521 static query_state_type
  522 answer_chaos(struct nsd *nsd, query_type *q)
  523 {
  524     AA_CLR(q->packet);
  525     switch (q->qtype) {
  526     case TYPE_ANY:
  527     case TYPE_TXT:
  528         if ((q->qname->name_size == 11
  529              && memcmp(dname_name(q->qname), "\002id\006server", 11) == 0) ||
  530             (q->qname->name_size ==  15
  531              && memcmp(dname_name(q->qname), "\010hostname\004bind", 15) == 0))
  532         {
  533             if(!nsd->options->hide_identity) {
  534                 /* Add ID */
  535                 query_addtxt(q,
  536                      buffer_begin(q->packet) + QHEADERSZ,
  537                      CLASS_CH,
  538                      0,
  539                      nsd->identity);
  540                 ANCOUNT_SET(q->packet, ANCOUNT(q->packet) + 1);
  541             } else {
  542                 RCODE_SET(q->packet, RCODE_REFUSE);
  543                 /* RFC8914 - Extended DNS Errors
  544                  * 4.19. Extended DNS Error Code 18 - Prohibited */
  545                 q->edns.ede = EDE_PROHIBITED;
  546             }
  547         } else if ((q->qname->name_size == 16
  548                 && memcmp(dname_name(q->qname), "\007version\006server", 16) == 0) ||
  549                (q->qname->name_size == 14
  550                 && memcmp(dname_name(q->qname), "\007version\004bind", 14) == 0))
  551         {
  552             if(!nsd->options->hide_version) {
  553                 /* Add version */
  554                 query_addtxt(q,
  555                      buffer_begin(q->packet) + QHEADERSZ,
  556                      CLASS_CH,
  557                      0,
  558                      nsd->version);
  559                 ANCOUNT_SET(q->packet, ANCOUNT(q->packet) + 1);
  560             } else {
  561                 RCODE_SET(q->packet, RCODE_REFUSE);
  562                 /* RFC8914 - Extended DNS Errors
  563                  * 4.19. Extended DNS Error Code 18 - Prohibited */
  564                 q->edns.ede = EDE_PROHIBITED;
  565             }
  566         } else {
  567             RCODE_SET(q->packet, RCODE_REFUSE);
  568             /* RFC8914 - Extended DNS Errors
  569              * 4.22. Extended DNS Error Code 21 - Not Supported */
  570             q->edns.ede = EDE_NOT_SUPPORTED;
  571 
  572         }
  573         break;
  574     default:
  575         RCODE_SET(q->packet, RCODE_REFUSE);
  576         /* RFC8914 - Extended DNS Errors
  577          * 4.22. Extended DNS Error Code 21 - Not Supported */
  578         q->edns.ede = EDE_NOT_SUPPORTED;
  579         break;
  580     }
  581 
  582     return QUERY_PROCESSED;
  583 }
  584 
  585 
  586 /*
  587  * Find the covering NSEC for a non-existent domain name.  Normally
  588  * the NSEC will be located at CLOSEST_MATCH, except when it is an
  589  * empty non-terminal.  In this case the NSEC may be located at the
  590  * previous domain name (in canonical ordering).
  591  */
  592 static domain_type *
  593 find_covering_nsec(domain_type *closest_match,
  594            zone_type   *zone,
  595            rrset_type **nsec_rrset)
  596 {
  597     assert(closest_match);
  598     assert(nsec_rrset);
  599 
  600     /* loop away temporary created domains. For real ones it is &RBTREE_NULL */
  601 #ifdef USE_RADIX_TREE
  602     while (closest_match->rnode == NULL)
  603 #else
  604     while (closest_match->node.parent == NULL)
  605 #endif
  606         closest_match = closest_match->parent;
  607     while (closest_match) {
  608         *nsec_rrset = domain_find_rrset(closest_match, zone, TYPE_NSEC);
  609         if (*nsec_rrset) {
  610             return closest_match;
  611         }
  612         if (closest_match == zone->apex) {
  613             /* Don't look outside the current zone.  */
  614             return NULL;
  615         }
  616         closest_match = domain_previous(closest_match);
  617     }
  618     return NULL;
  619 }
  620 
  621 
  622 struct additional_rr_types
  623 {
  624     uint16_t        rr_type;
  625     rr_section_type rr_section;
  626 };
  627 
  628 struct additional_rr_types default_additional_rr_types[] = {
  629     { TYPE_A, ADDITIONAL_A_SECTION },
  630     { TYPE_AAAA, ADDITIONAL_AAAA_SECTION },
  631     { 0, (rr_section_type) 0 }
  632 };
  633 
  634 struct additional_rr_types swap_aaaa_additional_rr_types[] = {
  635     { TYPE_AAAA, ADDITIONAL_A_SECTION },
  636     { TYPE_A, ADDITIONAL_AAAA_SECTION },
  637     { 0, (rr_section_type) 0 }
  638 };
  639 
  640 struct additional_rr_types rt_additional_rr_types[] = {
  641     { TYPE_A, ADDITIONAL_A_SECTION },
  642     { TYPE_AAAA, ADDITIONAL_AAAA_SECTION },
  643     { TYPE_X25, ADDITIONAL_OTHER_SECTION },
  644     { TYPE_ISDN, ADDITIONAL_OTHER_SECTION },
  645     { 0, (rr_section_type) 0 }
  646 };
  647 
  648 static void
  649 add_additional_rrsets(struct query *query, answer_type *answer,
  650               rrset_type *master_rrset, size_t rdata_index,
  651               int allow_glue, struct additional_rr_types types[])
  652 {
  653     size_t i;
  654 
  655     assert(query);
  656     assert(answer);
  657     assert(master_rrset);
  658     assert(rdata_atom_is_domain(rrset_rrtype(master_rrset), rdata_index));
  659 
  660     for (i = 0; i < master_rrset->rr_count; ++i) {
  661         int j;
  662         domain_type *additional = rdata_atom_domain(master_rrset->rrs[i].rdatas[rdata_index]);
  663         domain_type *match = additional;
  664 
  665         assert(additional);
  666 
  667         if (!allow_glue && domain_is_glue(match, query->zone))
  668             continue;
  669 
  670         /*
  671          * Check to see if we need to generate the dependent
  672          * based on a wildcard domain.
  673          */
  674         while (!match->is_existing) {
  675             match = match->parent;
  676         }
  677         if (additional != match && domain_wildcard_child(match)) {
  678             domain_type *wildcard_child = domain_wildcard_child(match);
  679             domain_type *temp = (domain_type *) region_alloc(
  680                 query->region, sizeof(domain_type));
  681 #ifdef USE_RADIX_TREE
  682             temp->rnode = NULL;
  683             temp->dname = additional->dname;
  684 #else
  685             memcpy(&temp->node, &additional->node, sizeof(rbnode_type));
  686             temp->node.parent = NULL;
  687 #endif
  688             temp->number = additional->number;
  689             temp->parent = match;
  690             temp->wildcard_child_closest_match = temp;
  691             temp->rrsets = wildcard_child->rrsets;
  692             temp->is_existing = wildcard_child->is_existing;
  693             additional = temp;
  694         }
  695 
  696         for (j = 0; types[j].rr_type != 0; ++j) {
  697             rrset_type *rrset = domain_find_rrset(
  698                 additional, query->zone, types[j].rr_type);
  699             if (rrset) {
  700                 answer_add_rrset(answer, types[j].rr_section,
  701                          additional, rrset);
  702             }
  703         }
  704     }
  705 }
  706 
  707 static int
  708 answer_needs_ns(struct query* query)
  709 {
  710     assert(query);
  711     /* Currently, only troublesome for DNSKEY and DS,
  712          * cuz their RRSETs are quite large. */
  713     return (query->qtype != TYPE_DNSKEY && query->qtype != TYPE_DS
  714         && query->qtype != TYPE_ANY);
  715 }
  716 
  717 static int
  718 add_rrset(struct query   *query,
  719       answer_type    *answer,
  720       rr_section_type section,
  721       domain_type    *owner,
  722       rrset_type     *rrset)
  723 {
  724     int result;
  725 
  726     assert(query);
  727     assert(answer);
  728     assert(owner);
  729     assert(rrset);
  730     assert(rrset_rrclass(rrset) == CLASS_IN);
  731 
  732     result = answer_add_rrset(answer, section, owner, rrset);
  733     if(minimal_responses && section != AUTHORITY_SECTION &&
  734         query->qtype != TYPE_NS)
  735         return result;
  736     switch (rrset_rrtype(rrset)) {
  737     case TYPE_NS:
  738 #if defined(INET6)
  739         /* if query over IPv6, swap A and AAAA; put AAAA first */
  740         add_additional_rrsets(query, answer, rrset, 0, 1,
  741             (query->addr.ss_family == AF_INET6)?
  742             swap_aaaa_additional_rr_types:
  743             default_additional_rr_types);
  744 #else
  745         add_additional_rrsets(query, answer, rrset, 0, 1,
  746                       default_additional_rr_types);
  747 #endif
  748         break;
  749     case TYPE_MB:
  750         add_additional_rrsets(query, answer, rrset, 0, 0,
  751                       default_additional_rr_types);
  752         break;
  753     case TYPE_MX:
  754     case TYPE_KX:
  755         add_additional_rrsets(query, answer, rrset, 1, 0,
  756                       default_additional_rr_types);
  757         break;
  758     case TYPE_RT:
  759         add_additional_rrsets(query, answer, rrset, 1, 0,
  760                       rt_additional_rr_types);
  761         break;
  762     case TYPE_SRV:
  763         add_additional_rrsets(query, answer, rrset, 3, 0,
  764                       default_additional_rr_types);
  765         break;
  766     default:
  767         break;
  768     }
  769 
  770     return result;
  771 }
  772 
  773 
  774 /* returns 0 on error, or the domain number for to_name.
  775    from_name is changes to to_name by the DNAME rr.
  776    DNAME rr is from src to dest.
  777    closest encloser encloses the to_name. */
  778 static size_t
  779 query_synthesize_cname(struct query* q, struct answer* answer, const dname_type* from_name,
  780     const dname_type* to_name, domain_type* src, domain_type* to_closest_encloser,
  781     domain_type** to_closest_match, uint32_t ttl)
  782 {
  783     /* add temporary domains for from_name and to_name and all
  784        their (not allocated yet) parents */
  785     /* any domains below src are not_existing (because of DNAME at src) */
  786     int i;
  787     size_t j;
  788     domain_type* cname_domain;
  789     domain_type* cname_dest;
  790     rrset_type* rrset;
  791 
  792     domain_type* lastparent = src;
  793     assert(q && answer && from_name && to_name && src && to_closest_encloser);
  794     assert(to_closest_match);
  795 
  796     /* check for loop by duplicate CNAME rrset synthesized */
  797     for(j=0; j<answer->rrset_count; ++j) {
  798         if(answer->section[j] == ANSWER_SECTION &&
  799             answer->rrsets[j]->rr_count == 1 &&
  800             answer->rrsets[j]->rrs[0].type == TYPE_CNAME &&
  801             dname_compare(domain_dname(answer->rrsets[j]->rrs[0].owner), from_name) == 0 &&
  802             answer->rrsets[j]->rrs[0].rdata_count == 1 &&
  803             dname_compare(domain_dname(answer->rrsets[j]->rrs[0].rdatas->domain), to_name) == 0) {
  804             DEBUG(DEBUG_QUERY,2, (LOG_INFO, "loop for synthesized CNAME rrset for query %s", dname_to_string(q->qname, NULL)));
  805             return 0;
  806         }
  807     }
  808 
  809     /* allocate source part */
  810     for(i=0; i < from_name->label_count - domain_dname(src)->label_count; i++)
  811     {
  812         domain_type* newdom = query_get_tempdomain(q);
  813         if(!newdom)
  814             return 0;
  815         newdom->is_existing = 1;
  816         newdom->parent = lastparent;
  817 #ifdef USE_RADIX_TREE
  818         newdom->dname
  819 #else
  820         newdom->node.key
  821 #endif
  822             = dname_partial_copy(q->region,
  823             from_name, domain_dname(src)->label_count + i + 1);
  824         if(dname_compare(domain_dname(newdom), q->qname) == 0) {
  825             /* 0 good for query name, otherwise new number */
  826             newdom->number = 0;
  827         }
  828         DEBUG(DEBUG_QUERY,2, (LOG_INFO, "created temp domain src %d. %s nr %d", i,
  829             domain_to_string(newdom), (int)newdom->number));
  830         lastparent = newdom;
  831     }
  832     cname_domain = lastparent;
  833 
  834     /* allocate dest part */
  835     lastparent = to_closest_encloser;
  836     for(i=0; i < to_name->label_count - domain_dname(to_closest_encloser)->label_count;
  837         i++)
  838     {
  839         domain_type* newdom = query_get_tempdomain(q);
  840         if(!newdom)
  841             return 0;
  842         newdom->is_existing = 0;
  843         newdom->parent = lastparent;
  844 #ifdef USE_RADIX_TREE
  845         newdom->dname
  846 #else
  847         newdom->node.key
  848 #endif
  849             = dname_partial_copy(q->region,
  850             to_name, domain_dname(to_closest_encloser)->label_count + i + 1);
  851         DEBUG(DEBUG_QUERY,2, (LOG_INFO, "created temp domain dest %d. %s nr %d", i,
  852             domain_to_string(newdom), (int)newdom->number));
  853         lastparent = newdom;
  854     }
  855     cname_dest = lastparent;
  856     *to_closest_match = cname_dest;
  857 
  858     /* allocate the CNAME RR */
  859     rrset = (rrset_type*) region_alloc(q->region, sizeof(rrset_type));
  860     memset(rrset, 0, sizeof(rrset_type));
  861     rrset->zone = q->zone;
  862     rrset->rr_count = 1;
  863     rrset->rrs = (rr_type*) region_alloc(q->region, sizeof(rr_type));
  864     memset(rrset->rrs, 0, sizeof(rr_type));
  865     rrset->rrs->owner = cname_domain;
  866     rrset->rrs->ttl = ttl;
  867     rrset->rrs->type = TYPE_CNAME;
  868     rrset->rrs->klass = CLASS_IN;
  869     rrset->rrs->rdata_count = 1;
  870     rrset->rrs->rdatas = (rdata_atom_type*)region_alloc(q->region,
  871         sizeof(rdata_atom_type));
  872     rrset->rrs->rdatas->domain = cname_dest;
  873 
  874     if(!add_rrset(q, answer, ANSWER_SECTION, cname_domain, rrset)) {
  875         DEBUG(DEBUG_QUERY,2, (LOG_INFO, "could not add synthesized CNAME rrset to packet for query %s", dname_to_string(q->qname, NULL)));
  876         /* failure to add CNAME; likely is a loop, the same twice */
  877         return 0;
  878     }
  879 
  880     return cname_dest->number;
  881 }
  882 
  883 /*
  884  * Answer delegation information.
  885  *
  886  * DNSSEC: Include the DS RRset if present.  Otherwise include an NSEC
  887  * record proving the DS RRset does not exist.
  888  */
  889 static void
  890 answer_delegation(query_type *query, answer_type *answer)
  891 {
  892     assert(answer);
  893     assert(query->delegation_domain);
  894     assert(query->delegation_rrset);
  895 
  896     if (query->cname_count == 0) {
  897         AA_CLR(query->packet);
  898     } else {
  899         AA_SET(query->packet);
  900     }
  901 
  902     add_rrset(query,
  903           answer,
  904           AUTHORITY_SECTION,
  905           query->delegation_domain,
  906           query->delegation_rrset);
  907     if (query->edns.dnssec_ok && zone_is_secure(query->zone)) {
  908         rrset_type *rrset;
  909         if ((rrset = domain_find_rrset(query->delegation_domain, query->zone, TYPE_DS))) {
  910             add_rrset(query, answer, AUTHORITY_SECTION,
  911                   query->delegation_domain, rrset);
  912 #ifdef NSEC3
  913         } else if (query->zone->nsec3_param) {
  914             nsec3_answer_delegation(query, answer);
  915 #endif
  916         } else if ((rrset = domain_find_rrset(query->delegation_domain, query->zone, TYPE_NSEC))) {
  917             add_rrset(query, answer, AUTHORITY_SECTION,
  918                   query->delegation_domain, rrset);
  919         }
  920     }
  921 }
  922 
  923 
  924 /*
  925  * Answer SOA information.
  926  */
  927 static void
  928 answer_soa(struct query *query, answer_type *answer)
  929 {
  930     if (query->qclass != CLASS_ANY) {
  931         add_rrset(query, answer,
  932               AUTHORITY_SECTION,
  933               query->zone->apex,
  934               query->zone->soa_nx_rrset);
  935     }
  936 }
  937 
  938 
  939 /*
  940  * Answer that the domain name exists but there is no RRset with the
  941  * requested type.
  942  *
  943  * DNSSEC: Include the correct NSEC record proving that the type does
  944  * not exist.  In the wildcard no data (3.1.3.4) case the wildcard IS
  945  * NOT expanded, so the ORIGINAL parameter must point to the original
  946  * wildcard entry, not to the generated entry.
  947  */
  948 static void
  949 answer_nodata(struct query *query, answer_type *answer, domain_type *original)
  950 {
  951     answer_soa(query, answer);
  952 
  953 #ifdef NSEC3
  954     if (query->edns.dnssec_ok && query->zone->nsec3_param) {
  955         nsec3_answer_nodata(query, answer, original);
  956     } else
  957 #endif
  958     if (query->edns.dnssec_ok && zone_is_secure(query->zone)) {
  959         domain_type *nsec_domain;
  960         rrset_type *nsec_rrset;
  961 
  962         nsec_domain = find_covering_nsec(original, query->zone, &nsec_rrset);
  963         if (nsec_domain) {
  964             add_rrset(query, answer, AUTHORITY_SECTION, nsec_domain, nsec_rrset);
  965         }
  966     }
  967 }
  968 
  969 static void
  970 answer_nxdomain(query_type *query, answer_type *answer)
  971 {
  972     RCODE_SET(query->packet, RCODE_NXDOMAIN);
  973     answer_soa(query, answer);
  974 }
  975 
  976 
  977 /*
  978  * Answer domain information (or SOA if we do not have an RRset for
  979  * the type specified by the query).
  980  */
  981 static void
  982 answer_domain(struct nsd* nsd, struct query *q, answer_type *answer,
  983           domain_type *domain, domain_type *original)
  984 {
  985     rrset_type *rrset;
  986 
  987     if (q->qtype == TYPE_ANY) {
  988         rrset_type *preferred_rrset = NULL;
  989         rrset_type *normal_rrset = NULL;
  990         rrset_type *non_preferred_rrset = NULL;
  991 
  992         /*
  993          * Minimize response size for ANY, with one RRset
  994          * according to RFC 8482(4.1).
  995          * Prefers popular and not large rtypes (A,AAAA,...)
  996          * lowering large ones (DNSKEY,RRSIG,...).
  997          */
  998         for (rrset = domain_find_any_rrset(domain, q->zone); rrset; rrset = rrset->next) {
  999             if (rrset->zone == q->zone
 1000 #ifdef NSEC3
 1001                 && rrset_rrtype(rrset) != TYPE_NSEC3
 1002 #endif
 1003                 /*
 1004                  * Don't include the RRSIG RRset when
 1005                  * DNSSEC is used, because it is added
 1006                  * automatically on an per-RRset basis.
 1007                  */
 1008                 && !(q->edns.dnssec_ok
 1009                  && zone_is_secure(q->zone)
 1010                  && rrset_rrtype(rrset) == TYPE_RRSIG))
 1011             {
 1012                 switch(rrset_rrtype(rrset)) {
 1013                     case TYPE_A:
 1014                     case TYPE_AAAA:
 1015                     case TYPE_SOA:
 1016                     case TYPE_MX:
 1017                     case TYPE_PTR:
 1018                         preferred_rrset = rrset;
 1019                         break;
 1020                     case TYPE_DNSKEY:
 1021                     case TYPE_RRSIG:
 1022                     case TYPE_NSEC:
 1023                         non_preferred_rrset = rrset;
 1024                         break;
 1025                     default:
 1026                         normal_rrset = rrset;
 1027                 }
 1028                 if (preferred_rrset) break;
 1029             }
 1030         }
 1031         if (preferred_rrset) {
 1032             add_rrset(q, answer, ANSWER_SECTION, domain, preferred_rrset);
 1033         } else if (normal_rrset) {
 1034             add_rrset(q, answer, ANSWER_SECTION, domain, normal_rrset);
 1035         } else if (non_preferred_rrset) {
 1036             add_rrset(q, answer, ANSWER_SECTION, domain, non_preferred_rrset);
 1037         } else {
 1038             answer_nodata(q, answer, original);
 1039             return;
 1040         }
 1041 #ifdef NSEC3
 1042     } else if (q->qtype == TYPE_NSEC3) {
 1043         answer_nodata(q, answer, original);
 1044         return;
 1045 #endif
 1046     } else if ((rrset = domain_find_rrset(domain, q->zone, q->qtype))) {
 1047         add_rrset(q, answer, ANSWER_SECTION, domain, rrset);
 1048     } else if ((rrset = domain_find_rrset(domain, q->zone, TYPE_CNAME))) {
 1049         int added;
 1050 
 1051         /*
 1052          * If the CNAME is not added it is already in the
 1053          * answer, so we have a CNAME loop.  Don't follow the
 1054          * CNAME target in this case.
 1055          */
 1056         added = add_rrset(q, answer, ANSWER_SECTION, domain, rrset);
 1057         assert(rrset->rr_count > 0);
 1058         if (added) {
 1059             /* only process first CNAME record */
 1060             domain_type *closest_match = rdata_atom_domain(rrset->rrs[0].rdatas[0]);
 1061             domain_type *closest_encloser = closest_match;
 1062             zone_type* origzone = q->zone;
 1063             ++q->cname_count;
 1064 
 1065             answer_lookup_zone(nsd, q, answer, closest_match->number,
 1066                          closest_match == closest_encloser,
 1067                          closest_match, closest_encloser,
 1068                          domain_dname(closest_match));
 1069             q->zone = origzone;
 1070         }
 1071         return;
 1072     } else {
 1073         answer_nodata(q, answer, original);
 1074         return;
 1075     }
 1076 
 1077     if (q->qclass != CLASS_ANY && q->zone->ns_rrset && answer_needs_ns(q)
 1078         && !minimal_responses) {
 1079         add_rrset(q, answer, OPTIONAL_AUTHORITY_SECTION, q->zone->apex,
 1080               q->zone->ns_rrset);
 1081     }
 1082 }
 1083 
 1084 
 1085 /*
 1086  * Answer with authoritative data.  If a wildcard is matched the owner
 1087  * name will be expanded to the domain name specified by
 1088  * DOMAIN_NUMBER.  DOMAIN_NUMBER 0 (zero) is reserved for the original
 1089  * query name.
 1090  *
 1091  * DNSSEC: Include the necessary NSEC records in case the request
 1092  * domain name does not exist and/or a wildcard match does not exist.
 1093  */
 1094 static void
 1095 answer_authoritative(struct nsd   *nsd,
 1096              struct query *q,
 1097              answer_type  *answer,
 1098              size_t        domain_number,
 1099              int           exact,
 1100              domain_type  *closest_match,
 1101              domain_type  *closest_encloser,
 1102              const dname_type *qname)
 1103 {
 1104     domain_type *match;
 1105     domain_type *original = closest_match;
 1106     domain_type *dname_ce;
 1107     domain_type *wildcard_child;
 1108     rrset_type *rrset;
 1109 
 1110 #ifdef NSEC3
 1111     if(exact && domain_has_only_NSEC3(closest_match, q->zone)) {
 1112         exact = 0; /* pretend it does not exist */
 1113         if(closest_encloser->parent)
 1114             closest_encloser = closest_encloser->parent;
 1115     }
 1116 #endif /* NSEC3 */
 1117     if((dname_ce = find_dname_above(closest_encloser, q->zone)) != NULL) {
 1118         /* occlude the found data, the DNAME is closest_encloser */
 1119         closest_encloser = dname_ce;
 1120         exact = 0;
 1121     }
 1122 
 1123     if (exact) {
 1124         match = closest_match;
 1125     } else if ((rrset=domain_find_rrset(closest_encloser, q->zone, TYPE_DNAME))) {
 1126         /* process DNAME */
 1127         const dname_type* name = qname;
 1128         domain_type* src = closest_encloser;
 1129         domain_type *dest = rdata_atom_domain(rrset->rrs[0].rdatas[0]);
 1130         const dname_type* newname;
 1131         size_t newnum = 0;
 1132         zone_type* origzone = q->zone;
 1133         assert(rrset->rr_count > 0);
 1134         if(domain_number != 0) /* we followed CNAMEs or DNAMEs */
 1135             name = domain_dname(closest_match);
 1136         DEBUG(DEBUG_QUERY,2, (LOG_INFO, "expanding DNAME for q=%s", dname_to_string(name, NULL)));
 1137         DEBUG(DEBUG_QUERY,2, (LOG_INFO, "->src is %s",
 1138             domain_to_string(closest_encloser)));
 1139         DEBUG(DEBUG_QUERY,2, (LOG_INFO, "->dest is %s",
 1140             domain_to_string(dest)));
 1141         if(!add_rrset(q, answer, ANSWER_SECTION, closest_encloser, rrset)) {
 1142             /* stop if DNAME loops, when added second time */
 1143             if(dname_is_subdomain(domain_dname(dest), domain_dname(src))) {
 1144                 return;
 1145             }
 1146         }
 1147         newname = dname_replace(q->region, name,
 1148             domain_dname(src), domain_dname(dest));
 1149         ++q->cname_count;
 1150         if(!newname) { /* newname too long */
 1151             RCODE_SET(q->packet, RCODE_YXDOMAIN);
 1152             /* RFC 8914 - Extended DNS Errors
 1153              * 4.21. Extended DNS Error Code 0 - Other */
 1154             ASSIGN_EDE_CODE_AND_STRING_LITERAL(q->edns.ede,
 1155                 EDE_OTHER, "DNAME expansion became too large");
 1156             return;
 1157         }
 1158         DEBUG(DEBUG_QUERY,2, (LOG_INFO, "->result is %s", dname_to_string(newname, NULL)));
 1159         /* follow the DNAME */
 1160         (void)namedb_lookup(nsd->db, newname, &closest_match, &closest_encloser);
 1161         /* synthesize CNAME record */
 1162         newnum = query_synthesize_cname(q, answer, name, newname,
 1163             src, closest_encloser, &closest_match, rrset->rrs[0].ttl);
 1164         if(!newnum) {
 1165             /* could not synthesize the CNAME. */
 1166             /* return previous CNAMEs to make resolver recurse for us */
 1167             return;
 1168         }
 1169         if(q->qtype == TYPE_CNAME) {
 1170             /* The synthesized CNAME is the answer to
 1171              * that query, same as BIND does for query
 1172              * of type CNAME */
 1173             return;
 1174         }
 1175 
 1176         answer_lookup_zone(nsd, q, answer, newnum,
 1177             closest_match == closest_encloser,
 1178             closest_match, closest_encloser, newname);
 1179         q->zone = origzone;
 1180         return;
 1181     } else if ((wildcard_child=domain_wildcard_child(closest_encloser))!=NULL &&
 1182         wildcard_child->is_existing) {
 1183         /* Generate the domain from the wildcard.  */
 1184 #ifdef RATELIMIT
 1185         q->wildcard_domain = wildcard_child;
 1186 #endif
 1187 
 1188         match = (domain_type *) region_alloc(q->region,
 1189                              sizeof(domain_type));
 1190 #ifdef USE_RADIX_TREE
 1191         match->rnode = NULL;
 1192         match->dname = wildcard_child->dname;
 1193 #else
 1194         memcpy(&match->node, &wildcard_child->node, sizeof(rbnode_type));
 1195         match->node.parent = NULL;
 1196 #endif
 1197         match->parent = closest_encloser;
 1198         match->wildcard_child_closest_match = match;
 1199         match->number = domain_number;
 1200         match->rrsets = wildcard_child->rrsets;
 1201         match->is_existing = wildcard_child->is_existing;
 1202 #ifdef NSEC3
 1203         match->nsec3 = wildcard_child->nsec3;
 1204         /* copy over these entries:
 1205         match->nsec3_is_exact = wildcard_child->nsec3_is_exact;
 1206         match->nsec3_cover = wildcard_child->nsec3_cover;
 1207         match->nsec3_wcard_child_cover = wildcard_child->nsec3_wcard_child_cover;
 1208         match->nsec3_ds_parent_is_exact = wildcard_child->nsec3_ds_parent_is_exact;
 1209         match->nsec3_ds_parent_cover = wildcard_child->nsec3_ds_parent_cover;
 1210         */
 1211 
 1212         if (q->edns.dnssec_ok && q->zone->nsec3_param) {
 1213             /* Only add nsec3 wildcard data when do bit is set */
 1214             nsec3_answer_wildcard(q, answer, wildcard_child, qname);
 1215         }
 1216 #endif
 1217 
 1218         /*
 1219          * Remember the original domain in case a Wildcard No
 1220          * Data (3.1.3.4) response needs to be generated.  In
 1221          * this particular case the wildcard IS NOT
 1222          * expanded.
 1223          */
 1224         original = wildcard_child;
 1225     } else {
 1226         match = NULL;
 1227     }
 1228 
 1229     /* Authoritative zone.  */
 1230 #ifdef NSEC3
 1231     if (q->edns.dnssec_ok && q->zone->nsec3_param) {
 1232         nsec3_answer_authoritative(&match, q, answer,
 1233             closest_encloser, qname);
 1234     } else
 1235 #endif
 1236     if (q->edns.dnssec_ok && zone_is_secure(q->zone)) {
 1237         if (match != closest_encloser) {
 1238             domain_type *nsec_domain;
 1239             rrset_type *nsec_rrset;
 1240 
 1241             /*
 1242              * No match found or generated from wildcard,
 1243              * include NSEC record.
 1244              */
 1245             nsec_domain = find_covering_nsec(closest_match, q->zone, &nsec_rrset);
 1246             if (nsec_domain) {
 1247                 add_rrset(q, answer, AUTHORITY_SECTION, nsec_domain, nsec_rrset);
 1248             }
 1249         }
 1250         if (!match) {
 1251             domain_type *nsec_domain;
 1252             rrset_type *nsec_rrset;
 1253 
 1254             /*
 1255              * No match and no wildcard.  Include NSEC
 1256              * proving there is no wildcard.
 1257              */
 1258             if(closest_encloser && (nsec_domain =
 1259                 find_covering_nsec(closest_encloser->
 1260                     wildcard_child_closest_match, q->zone,
 1261                     &nsec_rrset)) != NULL) {
 1262                 add_rrset(q, answer, AUTHORITY_SECTION, nsec_domain, nsec_rrset);
 1263             }
 1264         }
 1265     }
 1266 
 1267 #ifdef NSEC3
 1268     if (RCODE(q->packet)!=RCODE_OK) {
 1269         return; /* nsec3 collision failure */
 1270     }
 1271 #endif
 1272     if (match) {
 1273         answer_domain(nsd, q, answer, match, original);
 1274     } else {
 1275         answer_nxdomain(q, answer);
 1276     }
 1277 }
 1278 
 1279 /*
 1280  * qname may be different after CNAMEs have been followed from query->qname.
 1281  */
 1282 static void
 1283 answer_lookup_zone(struct nsd *nsd, struct query *q, answer_type *answer,
 1284     size_t domain_number, int exact, domain_type *closest_match,
 1285     domain_type *closest_encloser, const dname_type *qname)
 1286 {
 1287     zone_type* origzone = q->zone;
 1288     q->zone = domain_find_zone(nsd->db, closest_encloser);
 1289     if (!q->zone) {
 1290         /* no zone for this */
 1291         if(q->cname_count == 0) {
 1292             RCODE_SET(q->packet, RCODE_REFUSE);
 1293             /* RFC 8914 - Extended DNS Errors
 1294              * 4.21. Extended DNS Error Code 20 - Not Authoritative */
 1295             q->edns.ede = EDE_NOT_AUTHORITATIVE;
 1296         }
 1297         return;
 1298     }
 1299     assert(closest_encloser); /* otherwise, no q->zone would be found */
 1300     if(q->zone->opts && q->zone->opts->pattern
 1301     && q->zone->opts->pattern->allow_query) {
 1302         struct acl_options *why = NULL;
 1303 
 1304         /* check if it passes acl */
 1305         if(acl_check_incoming(
 1306            q->zone->opts->pattern->allow_query, q, &why) != -1) {
 1307             assert(why);
 1308             DEBUG(DEBUG_QUERY,1, (LOG_INFO, "query %s passed acl %s %s",
 1309                 dname_to_string(q->qname, NULL),
 1310                 why->ip_address_spec,
 1311                 why->nokey?"NOKEY":
 1312                 (why->blocked?"BLOCKED":why->key_name)));
 1313         } else { 
 1314             if (verbosity >= 2) {
 1315                 char address[128];
 1316                 addr2str(&q->addr, address, sizeof(address));
 1317                 VERBOSITY(2, (LOG_INFO, "query %s from %s refused, %s %s",
 1318                     dname_to_string(q->qname, NULL),
 1319                     address,
 1320                     why ? ( why->nokey    ? "NOKEY"
 1321                           : why->blocked  ? "BLOCKED"
 1322                           : why->key_name ) 
 1323                         : "no acl matches",
 1324                     why?why->ip_address_spec:"."));
 1325             }
 1326             /* no zone for this */
 1327             if(q->cname_count == 0) {
 1328                 RCODE_SET(q->packet, RCODE_REFUSE);
 1329                 /* RFC8914 - Extended DNS Errors
 1330                  * 4.19. Extended DNS Error Code 18 - Prohibited */
 1331                 q->edns.ede = EDE_PROHIBITED;
 1332             }
 1333             return;
 1334         }
 1335     }
 1336     if(!q->zone->apex || !q->zone->soa_rrset) {
 1337         /* zone is configured but not loaded */
 1338         if(q->cname_count == 0) {
 1339             RCODE_SET(q->packet, RCODE_SERVFAIL);
 1340             /* RFC 8914 - Extended DNS Errors
 1341              * 4.15. Extended DNS Error Code 14 - Not Ready */
 1342             q->edns.ede = EDE_NOT_READY;
 1343             ASSIGN_EDE_CODE_AND_STRING_LITERAL(q->edns.ede,
 1344                 EDE_NOT_READY, "Zone is configured but not loaded");
 1345         }
 1346         return;
 1347     }
 1348 
 1349     /*
 1350      * If confine-to-zone is set to yes do not return additional
 1351      * information for a zone with a different apex from the query zone.
 1352     */
 1353     if (nsd->options->confine_to_zone &&
 1354        (origzone != NULL && dname_compare(domain_dname(origzone->apex), domain_dname(q->zone->apex)) != 0)) {
 1355         return;
 1356     }
 1357 
 1358     /* now move up the closest encloser until it exists, previous
 1359      * (possibly empty) closest encloser was useful to finding the zone
 1360      * (for empty zones too), but now we want actual data nodes */
 1361     if (closest_encloser && !closest_encloser->is_existing) {
 1362         exact = 0;
 1363         while (closest_encloser != NULL && !closest_encloser->is_existing)
 1364             closest_encloser = closest_encloser->parent;
 1365     }
 1366 
 1367     /*
 1368      * See RFC 4035 (DNSSEC protocol) section 3.1.4.1 Responding
 1369      * to Queries for DS RRs.
 1370      */
 1371     if (exact && q->qtype == TYPE_DS && closest_encloser == q->zone->apex) {
 1372         /*
 1373          * Type DS query at a zone cut, use the responsible
 1374          * parent zone to generate the answer if we are
 1375          * authoritative for the parent zone.
 1376          */
 1377         zone_type *zone = domain_find_parent_zone(nsd->db, q->zone);
 1378         if (zone) {
 1379             q->zone = zone;
 1380             if(!q->zone->apex || !q->zone->soa_rrset) {
 1381                 /* zone is configured but not loaded */
 1382                 if(q->cname_count == 0) {
 1383                     RCODE_SET(q->packet, RCODE_SERVFAIL);
 1384                     /* RFC 8914 - Extended DNS Errors
 1385                      * 4.15. Extended DNS Error Code 14 - Not Ready */
 1386                     ASSIGN_EDE_CODE_AND_STRING_LITERAL(
 1387                        q->edns.ede, EDE_NOT_READY,
 1388                        "Zone is configured but not loaded");
 1389                 }
 1390                 return;
 1391             }
 1392         }
 1393     }
 1394 
 1395     /* see if the zone has expired (for secondary zones) */
 1396     if(q->zone && q->zone->opts && q->zone->opts->pattern &&
 1397         q->zone->opts->pattern->request_xfr != 0 && !q->zone->is_ok) {
 1398         if(q->cname_count == 0) {
 1399             RCODE_SET(q->packet, RCODE_SERVFAIL);
 1400             /* RFC 8914 - Extended DNS Errors
 1401              * 4.25. Extended DNS Error Code 24 - Invalid Data */
 1402             ASSIGN_EDE_CODE_AND_STRING_LITERAL(q->edns.ede,
 1403                 EDE_INVALID_DATA, "Zone has expired");
 1404         }
 1405         return;
 1406     }
 1407 
 1408     if (exact && q->qtype == TYPE_DS && closest_encloser == q->zone->apex) {
 1409         /*
 1410          * Type DS query at the zone apex (and the server is
 1411          * not authoritative for the parent zone).
 1412          */
 1413         if (q->qclass == CLASS_ANY) {
 1414             AA_CLR(q->packet);
 1415         } else {
 1416             AA_SET(q->packet);
 1417         }
 1418         answer_nodata(q, answer, closest_encloser);
 1419     } else {
 1420         q->delegation_domain = domain_find_ns_rrsets(
 1421             closest_encloser, q->zone, &q->delegation_rrset);
 1422         if(q->delegation_domain && find_dname_above(q->delegation_domain, q->zone)) {
 1423             q->delegation_domain = NULL; /* use higher DNAME */
 1424         }
 1425 
 1426         if (!q->delegation_domain
 1427             || (exact && q->qtype == TYPE_DS && closest_encloser == q->delegation_domain))
 1428         {
 1429             if (q->qclass == CLASS_ANY) {
 1430                 AA_CLR(q->packet);
 1431             } else {
 1432                 AA_SET(q->packet);
 1433             }
 1434             answer_authoritative(nsd, q, answer, domain_number, exact,
 1435                          closest_match, closest_encloser, qname);
 1436         }
 1437         else {
 1438             answer_delegation(q, answer);
 1439         }
 1440     }
 1441 }
 1442 
 1443 static void
 1444 answer_query(struct nsd *nsd, struct query *q)
 1445 {
 1446     domain_type *closest_match;
 1447     domain_type *closest_encloser;
 1448     int exact;
 1449     uint16_t offset;
 1450     answer_type answer;
 1451 
 1452     answer_init(&answer);
 1453 
 1454     exact = namedb_lookup(nsd->db, q->qname, &closest_match, &closest_encloser);
 1455 
 1456     answer_lookup_zone(nsd, q, &answer, 0, exact, closest_match,
 1457         closest_encloser, q->qname);
 1458     ZTATUP2(nsd, q->zone, opcode, q->opcode);
 1459     ZTATUP2(nsd, q->zone, qtype, q->qtype);
 1460     ZTATUP2(nsd, q->zone, qclass, q->qclass);
 1461 
 1462     offset = dname_label_offsets(q->qname)[domain_dname(closest_encloser)->label_count - 1] + QHEADERSZ;
 1463     query_add_compression_domain(q, closest_encloser, offset);
 1464     encode_answer(q, &answer);
 1465     query_clear_compression_tables(q);
 1466 }
 1467 
 1468 void
 1469 query_prepare_response(query_type *q)
 1470 {
 1471     uint16_t flags;
 1472 
 1473     /*
 1474      * Preserve the data up-to the current packet's limit.
 1475      */
 1476     buffer_set_position(q->packet, buffer_limit(q->packet));
 1477     buffer_set_limit(q->packet, buffer_capacity(q->packet));
 1478 
 1479     /*
 1480      * Reserve space for the EDNS records if required.
 1481      */
 1482     q->reserved_space = edns_reserved_space(&q->edns);
 1483     q->reserved_space += tsig_reserved_space(&q->tsig);
 1484 
 1485     /* Update the flags.  */
 1486     flags = FLAGS(q->packet);
 1487     flags &= 0x0100U;   /* Preserve the RD flag.  */
 1488                 /* CD flag must be cleared for auth answers */
 1489     flags |= 0x8000U;   /* Set the QR flag.  */
 1490     FLAGS_SET(q->packet, flags);
 1491 }
 1492 
 1493 /*
 1494  * Processes the query.
 1495  *
 1496  */
 1497 query_state_type
 1498 query_process(query_type *q, nsd_type *nsd)
 1499 {
 1500     /* The query... */
 1501     nsd_rc_type rc;
 1502     query_state_type query_state;
 1503     uint16_t arcount;
 1504 
 1505     /* Sanity checks */
 1506     if (buffer_limit(q->packet) < QHEADERSZ) {
 1507         /* packet too small to contain DNS header.
 1508         Now packet investigation macros will work without problems. */
 1509         return QUERY_DISCARDED;
 1510     }
 1511     if (QR(q->packet)) {
 1512         /* Not a query? Drop it on the floor. */
 1513         return QUERY_DISCARDED;
 1514     }
 1515 
 1516     /* check opcode early on, because new opcodes may have different
 1517      * specification of the meaning of the rest of the packet */
 1518     q->opcode = OPCODE(q->packet);
 1519     if(q->opcode != OPCODE_QUERY && q->opcode != OPCODE_NOTIFY) {
 1520         if(query_ratelimit_err(nsd))
 1521             return QUERY_DISCARDED;
 1522         if(nsd->options->drop_updates && q->opcode == OPCODE_UPDATE)
 1523             return QUERY_DISCARDED;
 1524         return query_error(q, NSD_RC_IMPL);
 1525     }
 1526 
 1527     if (RCODE(q->packet) != RCODE_OK || !process_query_section(q)) {
 1528         return query_formerr(q, nsd);
 1529     }
 1530 
 1531     /* Update statistics.  */
 1532     STATUP2(nsd, opcode, q->opcode);
 1533     STATUP2(nsd, qtype, q->qtype);
 1534     STATUP2(nsd, qclass, q->qclass);
 1535 
 1536     if (q->opcode != OPCODE_QUERY) {
 1537         if (q->opcode == OPCODE_NOTIFY) {
 1538             return answer_notify(nsd, q);
 1539         } else {
 1540             if(query_ratelimit_err(nsd))
 1541                 return QUERY_DISCARDED;
 1542             return query_error(q, NSD_RC_IMPL);
 1543         }
 1544     }
 1545 
 1546     /* Dont bother to answer more than one question at once... */
 1547     if (QDCOUNT(q->packet) != 1) {
 1548         if(QDCOUNT(q->packet) == 0 && ANCOUNT(q->packet) == 0 &&
 1549             NSCOUNT(q->packet) == 0 && ARCOUNT(q->packet) == 1 &&
 1550             buffer_limit(q->packet) >= QHEADERSZ+OPT_LEN+
 1551             OPT_RDATA) {
 1552             /* add edns section to answer */
 1553             buffer_set_position(q->packet, QHEADERSZ);
 1554             if (edns_parse_record(&q->edns, q->packet, q, nsd)) {
 1555                 if(process_edns(nsd, q) == NSD_RC_OK) {
 1556                     int opcode = OPCODE(q->packet);
 1557                     (void)query_error(q, NSD_RC_FORMAT);
 1558                     query_add_optional(q, nsd);
 1559                     FLAGS_SET(q->packet, FLAGS(q->packet) & 0x0100U);
 1560                         /* Preserve the RD flag. Clear the rest. */
 1561                     OPCODE_SET(q->packet, opcode);
 1562                     QR_SET(q->packet);
 1563                     return QUERY_PROCESSED;
 1564                 }
 1565             }
 1566         }
 1567         FLAGS_SET(q->packet, 0);
 1568         return query_formerr(q, nsd);
 1569     }
 1570     /* Ignore settings of flags */
 1571 
 1572     /* Dont allow any records in the answer or authority section...
 1573        except for IXFR queries. */
 1574     if (ANCOUNT(q->packet) != 0 ||
 1575         (q->qtype!=TYPE_IXFR && NSCOUNT(q->packet) != 0)) {
 1576         return query_formerr(q, nsd);
 1577     }
 1578     if(q->qtype==TYPE_IXFR && NSCOUNT(q->packet) > 0) {
 1579         unsigned int i; /* skip ixfr soa information data here */
 1580         unsigned int nscount = (unsigned)NSCOUNT(q->packet);
 1581         /* define a bound on the number of extraneous records allowed,
 1582          * we expect 1, a SOA serial record, and no more.
 1583          * perhaps RRSIGs (but not needed), otherwise we do not
 1584          * understand what this means.  We do not want too many
 1585          * because the high iteration counts slow down. */
 1586         if(nscount > 64) return query_formerr(q, nsd);
 1587         for(i=0; i< nscount; i++)
 1588             if(!packet_skip_rr(q->packet, 0))
 1589                 return query_formerr(q, nsd);
 1590     }
 1591 
 1592     arcount = ARCOUNT(q->packet);
 1593     /* A TSIG RR is not allowed before the EDNS OPT RR.
 1594      * In RFC6891 (about EDNS) it says:
 1595      * "The placement flexibility for the OPT RR does not
 1596      * override the need for the TSIG or SIG(0) RRs to be
 1597      * the last in the additional section whenever they are
 1598      * present."
 1599      * And in RFC8945 (about TSIG) it says:
 1600      * "If multiple TSIG records are detected or a TSIG record is
 1601      * present in any other position, the DNS message is dropped
 1602      * and a response with RCODE 1 (FORMERR) MUST be returned."
 1603      */
 1604     /* See if there is an OPT RR. */
 1605     if (arcount > 0) {
 1606         if (edns_parse_record(&q->edns, q->packet, q, nsd))
 1607             --arcount;
 1608     }
 1609     /* See if there is a TSIG RR. */
 1610     if (arcount > 0 && q->tsig.status == TSIG_NOT_PRESENT) {
 1611         /* see if tsig is after the edns record */
 1612         if (!tsig_parse_rr(&q->tsig, q->packet))
 1613             return query_formerr(q, nsd);
 1614         if(q->tsig.status != TSIG_NOT_PRESENT)
 1615             --arcount;
 1616     }
 1617     /* If more RRs left in Add. Section, FORMERR. */
 1618     if (arcount > 0) {
 1619         return query_formerr(q, nsd);
 1620     }
 1621 
 1622     /* Do we have any trailing garbage? */
 1623 #ifdef  STRICT_MESSAGE_PARSE
 1624     if (buffer_remaining(q->packet) > 0) {
 1625         /* If we're strict.... */
 1626         return query_formerr(q, nsd);
 1627     }
 1628 #endif
 1629     /* Remove trailing garbage.  */
 1630     buffer_set_limit(q->packet, buffer_position(q->packet));
 1631 
 1632     rc = process_tsig(q);
 1633     if (rc != NSD_RC_OK) {
 1634         return query_error(q, rc);
 1635     }
 1636     rc = process_edns(nsd, q);
 1637     if (rc != NSD_RC_OK) {
 1638         /* We should not return FORMERR, but BADVERS (=16).
 1639          * BADVERS is created with Ext. RCODE, followed by RCODE.
 1640          * Ext. RCODE is set to 1, RCODE must be 0 (getting 0x10 = 16).
 1641          * Thus RCODE = NOERROR = NSD_RC_OK. */
 1642         RCODE_SET(q->packet, NSD_RC_OK);
 1643         buffer_clear(q->packet);
 1644         buffer_set_position(q->packet,
 1645             QHEADERSZ + 4 + q->qname->name_size);
 1646         QR_SET(q->packet);
 1647         AD_CLR(q->packet);
 1648         QDCOUNT_SET(q->packet, 1);
 1649         ANCOUNT_SET(q->packet, 0);
 1650         NSCOUNT_SET(q->packet, 0);
 1651         ARCOUNT_SET(q->packet, 0);
 1652         return QUERY_PROCESSED;
 1653     }
 1654 
 1655     query_prepare_response(q);
 1656 
 1657     if (q->qclass != CLASS_IN && q->qclass != CLASS_ANY) {
 1658         if (q->qclass == CLASS_CH) {
 1659             return answer_chaos(nsd, q);
 1660         } else {
 1661             /* RFC8914 - Extended DNS Errors
 1662              * 4.22. Extended DNS Error Code 21 - Not Supported */
 1663             q->edns.ede = EDE_NOT_SUPPORTED;
 1664             return query_error(q, RCODE_REFUSE);
 1665         }
 1666     }
 1667     query_state = answer_axfr_ixfr(nsd, q);
 1668     if (query_state == QUERY_PROCESSED || query_state == QUERY_IN_AXFR) {
 1669         return query_state;
 1670     }
 1671     if(q->qtype == TYPE_ANY && nsd->options->refuse_any && !q->tcp) {
 1672         TC_SET(q->packet);
 1673         return query_error(q, NSD_RC_OK);
 1674     }
 1675 
 1676     answer_query(nsd, q);
 1677 
 1678     return QUERY_PROCESSED;
 1679 }
 1680 
 1681 void
 1682 query_add_optional(query_type *q, nsd_type *nsd)
 1683 {
 1684     struct edns_data *edns = &nsd->edns_ipv4;
 1685 #if defined(INET6)
 1686     if (q->addr.ss_family == AF_INET6) {
 1687         edns = &nsd->edns_ipv6;
 1688     }
 1689 #endif
 1690     if (RCODE(q->packet) == RCODE_FORMAT) {
 1691         return;
 1692     }
 1693     switch (q->edns.status) {
 1694     case EDNS_NOT_PRESENT:
 1695         break;
 1696     case EDNS_OK:
 1697         if (q->edns.dnssec_ok)  edns->ok[7] = 0x80;
 1698         else            edns->ok[7] = 0x00;
 1699         buffer_write(q->packet, edns->ok, OPT_LEN);
 1700 
 1701         /* Add Extended DNS Error (RFC8914)
 1702          * to verify that we stay in bounds */
 1703         if (q->edns.ede >= 0)
 1704             q->edns.opt_reserved_space +=
 1705                 6 + ( q->edns.ede_text_len
 1706                         ? q->edns.ede_text_len : 0);
 1707 
 1708         if(q->edns.opt_reserved_space == 0 || !buffer_available(
 1709             q->packet, 2+q->edns.opt_reserved_space)) {
 1710             /* fill with NULLs */
 1711             buffer_write(q->packet, edns->rdata_none, OPT_RDATA);
 1712         } else {
 1713             /* rdata length */
 1714             buffer_write_u16(q->packet, q->edns.opt_reserved_space);
 1715             /* edns options */
 1716             if(q->edns.nsid) {
 1717                 /* nsid opt header */
 1718                 buffer_write(q->packet, edns->nsid, OPT_HDR);
 1719                 /* nsid payload */
 1720                 buffer_write(q->packet, nsd->nsid, nsd->nsid_len);
 1721             }
 1722             /* Append Extended DNS Error (RFC8914) option if needed */
 1723             if (q->edns.ede >= 0) { /* < 0 means no EDE */
 1724                 /* OPTION-CODE */
 1725                 buffer_write_u16(q->packet, EDE_CODE);
 1726                 /* OPTION-LENGTH */
 1727                 buffer_write_u16(q->packet,
 1728                     2 + ( q->edns.ede_text_len
 1729                         ? q->edns.ede_text_len : 0));
 1730                 /* INFO-CODE */
 1731                 buffer_write_u16(q->packet, q->edns.ede);
 1732                 /* EXTRA-TEXT */
 1733                 if (q->edns.ede_text_len)
 1734                     buffer_write(q->packet,
 1735                             q->edns.ede_text,
 1736                             q->edns.ede_text_len);
 1737             }
 1738         }
 1739         ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
 1740         STATUP(nsd, edns);
 1741         ZTATUP(nsd, q->zone, edns);
 1742         break;
 1743     case EDNS_ERROR:
 1744         if (q->edns.dnssec_ok)  edns->error[7] = 0x80;
 1745         else            edns->error[7] = 0x00;
 1746         buffer_write(q->packet, edns->error, OPT_LEN);
 1747         buffer_write(q->packet, edns->rdata_none, OPT_RDATA);
 1748         ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
 1749         STATUP(nsd, ednserr);
 1750         ZTATUP(nsd, q->zone, ednserr);
 1751         break;
 1752     }
 1753 
 1754     if (q->tsig.status != TSIG_NOT_PRESENT) {
 1755         if (q->tsig.status == TSIG_ERROR ||
 1756             q->tsig.error_code != TSIG_ERROR_NOERROR) {
 1757             tsig_error_reply(&q->tsig);
 1758             tsig_append_rr(&q->tsig, q->packet);
 1759             ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
 1760         } else if(q->tsig.status == TSIG_OK &&
 1761             q->tsig.error_code == TSIG_ERROR_NOERROR)
 1762         {
 1763             if(q->tsig_prepare_it)
 1764                 tsig_prepare(&q->tsig);
 1765             if(q->tsig_update_it)
 1766                 tsig_update(&q->tsig, q->packet, buffer_position(q->packet));
 1767             if(q->tsig_sign_it) {
 1768                 tsig_sign(&q->tsig);
 1769                 tsig_append_rr(&q->tsig, q->packet);
 1770                 ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
 1771             }
 1772         }
 1773     }
 1774 }