Diffstat (limited to 'bin/named/query.c')
-rw-r--r--bin/named/query.c73
1 files changed, 47 insertions, 26 deletions
diff --git a/bin/named/query.c b/bin/named/query.c
index c357f83ee427..af8e5da8204d 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -2278,7 +2278,7 @@ query_dns64(ns_client_t *client, dns_name_t **namep, dns_rdataset_t *rdataset,
dns64 != NULL; dns64 = dns_dns64_next(dns64)) {
dns_rdataset_current(rdataset, &rdata);
- isc__buffer_availableregion(buffer, &r);
+ isc_buffer_availableregion(buffer, &r);
INSIST(r.length >= 16);
result = dns_dns64_aaaafroma(dns64, &netaddr,
client->signer,
@@ -2518,11 +2518,12 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
if (result == ISC_R_SUCCESS) {
/*
* We've already got an RRset of the given name and type.
- * There's nothing else to do;
*/
CTRACE("query_addrrset: dns_message_findname succeeded: done");
if (dbuf != NULL)
query_releasename(client, namep);
+ if ((rdataset->attributes & DNS_RDATASETATTR_REQUIRED) != 0)
+ mrdataset->attributes |= DNS_RDATASETATTR_REQUIRED;
return;
} else if (result == DNS_R_NXDOMAIN) {
/*
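Review bot: The new REQUIRED propagation in the "already have this RRset" branch of query_addrrset has no comment, and the line that used to say there was nothing else to do was deleted rather than replaced. A short comment above the added `if` would help, e.g. `/* Carry the REQUIRED marking over to the RRset already in the message. */`. `mrdataset` is presumably filled in by the dns_message_findname call on ISC_R_SUCCESS, but that call and the rest of the function lie outside this hunk, so this should be confirmed there.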
@@ -2562,7 +2563,8 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
static inline isc_result_t
query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
- unsigned int override_ttl, isc_boolean_t isassociated)
+ unsigned int override_ttl, isc_boolean_t isassociated,
+ dns_section_t section)
{
dns_name_t *name;
dns_dbnode_t *node;
@@ -2669,8 +2671,11 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
sigrdatasetp = &sigrdataset;
else
sigrdatasetp = NULL;
+
+ if (section == DNS_SECTION_ADDITIONAL)
+ rdataset->attributes |= DNS_RDATASETATTR_REQUIRED;
query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
- DNS_SECTION_AUTHORITY);
+ section);
}
cleanup:
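Review bot: query_addsoa now accepts any `dns_section_t`, but the callers visible in this patch pass only DNS_SECTION_AUTHORITY or DNS_SECTION_ADDITIONAL, and only the latter sets DNS_RDATASETATTR_REQUIRED. A precondition at the top of the function, `REQUIRE(section == DNS_SECTION_AUTHORITY || section == DNS_SECTION_ADDITIONAL);`, would pin that contract. The new `if` also needs a one-line comment saying why an SOA placed in the additional section is marked required. The signature is in the previous hunk and the body extends beyond both.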
@@ -3872,12 +3877,11 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
peeraddr = &client->peeraddr;
else
peeraddr = NULL;
- result = dns_resolver_createfetch2(client->view->resolver,
+ result = dns_resolver_createfetch3(client->view->resolver,
qname, qtype, qdomain, nameservers,
NULL, peeraddr, client->message->id,
- client->query.fetchoptions,
- client->task,
- query_resume, client,
+ client->query.fetchoptions, 0, NULL,
+ client->task, query_resume, client,
rdataset, sigrdataset,
&client->query.fetch);
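Review bot: The two new positional arguments `0, NULL` in the dns_resolver_createfetch3 call are bare literals, so a reader cannot tell what is being defaulted. They are presumably the starting fetch depth and the shared query counter; a comment such as `/* depth 0, no shared query counter: client-initiated fetch */` beside them would make the intent reviewable. If these parameters exist to bound recursion work, confirm that passing NULL for the counter still leaves the limit enforced inside the resolver. The call sits inside query_recurse, whose body extends beyond the hunk.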
@@ -4946,7 +4950,7 @@ rpz_add_cname(ns_client_t *client, dns_rpz_st_t *st,
* response policy zone cannot verify.
*/
client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
- DNS_MESSAGEFLAG_AD);
+ NS_CLIENTATTR_WANTAD);
return (ISC_R_SUCCESS);
}
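Review bot: rpz_add_cname now clears NS_CLIENTATTR_WANTAD from `client->attributes`, but unlike the later query_find hunk it does not also clear the AD bit on the response message. If that flag is not cleared on every path that follows this return, a rewritten answer could still carry AD. Either add `client->message->flags &= ~DNS_MESSAGEFLAG_AD;` here or extend the comment to say the caller is responsible for it. The start of the function is outside the hunk.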
@@ -5138,7 +5142,7 @@ answer_in_glue(ns_client_t *client, dns_rdatatype_t qtype) {
ISC_LIST_PREPEND(msg->sections[section], name, link);
ISC_LIST_UNLINK(name->list, rdataset, link);
ISC_LIST_PREPEND(name->list, rdataset, link);
- rdataset->attributes |= DNS_RDATASETATTR_REQUIREDGLUE;
+ rdataset->attributes |= DNS_RDATASETATTR_REQUIRED;
}
}
@@ -5594,8 +5598,12 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
isc_boolean_t resuming;
int line = -1;
isc_boolean_t dns64_exclude, dns64;
+ isc_boolean_t nxrewrite = ISC_FALSE;
dns_clientinfomethods_t cm;
dns_clientinfo_t ci;
+ isc_boolean_t associated;
+ dns_section_t section;
+ dns_ttl_t ttl;
CTRACE("query_find");
@@ -5964,8 +5972,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* with other truncated responses in RespTruncated.
*/
if (wouldlog) {
- ns_client_log(client,
- NS_LOGCATEGORY_QUERY_EERRORS,
+ ns_client_log(client, DNS_LOGCATEGORY_RRL,
NS_LOGMODULE_QUERY,
DNS_RRL_LOG_DROP,
"%s", log_buf);
@@ -6069,9 +6076,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
switch (rpz_st->m.policy) {
case DNS_RPZ_POLICY_NXDOMAIN:
result = DNS_R_NXDOMAIN;
+ nxrewrite = ISC_TRUE;
break;
case DNS_RPZ_POLICY_NODATA:
result = DNS_R_NXRRSET;
+ nxrewrite = ISC_TRUE;
break;
case DNS_RPZ_POLICY_RECORD:
result = rpz_st->m.result;
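Review bot: `nxrewrite` is set only for the NXDOMAIN and NODATA policies, while the DNS_RPZ_POLICY_RECORD case takes `result` from `rpz_st->m.result` and leaves the flag untouched. If that stored result can itself be a negative answer, the SOA for such a rewrite would still go to the authority section and would not be marked required. Confirm whether that is intended and add a comment in the RECORD case either way. The switch continues past the end of the hunk.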
@@ -6130,7 +6139,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* response policy zone cannot verify.
*/
client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
- DNS_MESSAGEFLAG_AD);
+ NS_CLIENTATTR_WANTAD);
+ client->message->flags &= ~DNS_MESSAGEFLAG_AD;
query_putrdataset(client, &sigrdataset);
rpz_st->q.is_zone = is_zone;
is_zone = ISC_TRUE;
@@ -6615,15 +6625,22 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
*/
query_releasename(client, &fname);
}
+
/*
- * Add SOA.
+ * Add SOA to the additional section if generated by a RPZ
+ * rewrite.
*/
+ associated = dns_rdataset_isassociated(rdataset);
+ section = nxrewrite ? DNS_SECTION_ADDITIONAL :
+ DNS_SECTION_AUTHORITY;
+
result = query_addsoa(client, db, version, ISC_UINT32_MAX,
- dns_rdataset_isassociated(rdataset));
+ associated, section);
if (result != ISC_R_SUCCESS) {
QUERY_ERROR(result);
goto cleanup;
}
+
/*
* Add NSEC record if we found one.
*/
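Review bot: The `associated`/`section` computation added here is repeated verbatim in the next query_find hunk, so the RPZ placement rule now lives in two places. Computing `section = nxrewrite ? DNS_SECTION_ADDITIONAL : DNS_SECTION_AUTHORITY;` once, right after the policy switch that sets `nxrewrite`, would keep the two negative-answer paths from drifting apart. The locals `associated`, `section` and `ttl` are declared without initializers in the earlier declarations hunk, so a single assignment point would also make it easier to see they are always set before use.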
@@ -6662,20 +6679,23 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
/*
- * Add SOA. If the query was for a SOA record force the
+ * Add SOA to the additional section if generated by a
+ * RPZ rewrite.
+ *
+ * If the query was for a SOA record force the
* ttl to zero so that it is possible for clients to find
* the containing zone of an arbitrary name with a stub
* resolver and not have it cached.
*/
- if (qtype == dns_rdatatype_soa &&
- zone != NULL &&
- dns_zone_getzeronosoattl(zone))
- result = query_addsoa(client, db, version, 0,
- dns_rdataset_isassociated(rdataset));
- else
- result = query_addsoa(client, db, version,
- ISC_UINT32_MAX,
- dns_rdataset_isassociated(rdataset));
+ associated = dns_rdataset_isassociated(rdataset);
+ section = nxrewrite ? DNS_SECTION_ADDITIONAL :
+ DNS_SECTION_AUTHORITY;
+ ttl = ISC_UINT32_MAX;
+ if (!nxrewrite && qtype == dns_rdatatype_soa &&
+ zone != NULL && dns_zone_getzeronosoattl(zone))
+ ttl = 0;
+ result = query_addsoa(client, db, version, ttl, associated,
+ section);
if (result != ISC_R_SUCCESS) {
QUERY_ERROR(result);
goto cleanup;
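Review bot: The rewritten comment still describes the zero-TTL rule for SOA queries but does not mention that the new `!nxrewrite` condition switches it off for RPZ rewrites. Add a sentence to the comment such as `* The zero-TTL override is not applied to RPZ rewrites; they pass ISC_UINT32_MAX like other queries.` so the guard is not mistaken for an accident. The surrounding query_find body starts and ends outside the hunk.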
@@ -7342,7 +7362,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* Add a fake SOA record.
*/
(void)query_addsoa(client, db, version,
- 600, ISC_FALSE);
+ 600, ISC_FALSE,
+ DNS_SECTION_AUTHORITY);
goto cleanup;
}
#endif