// Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.

#include <algorithm>            // for std::max
#include <vector>
#include <boost/foreach.hpp>
#include <boost/bind.hpp>
#include <boost/function.hpp>

#include <dns/message.h>
#include <dns/rcode.h>
#include <dns/rdataclass.h>

#include <datasrc/client.h>

#include <auth/query.h>

using namespace isc::dns;
using namespace isc::datasrc;
using namespace isc::dns::rdata;

namespace isc {
namespace auth {

// Add address records for the names referenced by 'rrset' to the
// additional section.  Only NS and MX RDATA carry such names; for NS the
// lookup is done in "glue OK" mode so that glue below a delegation point
// can be returned, for MX the default find options are used.  RRsets of any
// other type contribute nothing.
void
Query::addAdditional(ZoneFinder& zone, const AbstractRRset& rrset) {
    const RRType rrtype = rrset.getType();

    for (RdataIteratorPtr it = rrset.getRdataIterator(); !it->isLast();
         it->next())
    {
        const Rdata& rdata = it->getCurrent();
        if (rrtype == RRType::NS()) {
            // Glue lives below the delegation point, so the search must be
            // allowed to return it.
            const generic::NS& ns = dynamic_cast<const generic::NS&>(rdata);
            addAdditionalAddrs(zone, ns.getNSName(), ZoneFinder::FIND_GLUE_OK);
        } else if (rrtype == RRType::MX()) {
            const generic::MX& mx = dynamic_cast<const generic::MX&>(rdata);
            addAdditionalAddrs(zone, mx.getMXName());
        }
    }
}

// Look up the A and AAAA RRsets of 'qname' in 'zone' and add whatever is
// found to the additional section.  Names outside the zone are skipped, and
// so is any address RRset that already went into the answer section because
// it is the query's own <qname, qtype> (or qname was queried with type ANY,
// which puts every RRset of the name into the answer).  'options' is merged
// with the DNSSEC options of this query for each lookup.
void
Query::addAdditionalAddrs(ZoneFinder& zone, const Name& qname,
                          const ZoneFinder::FindOptions options)
{
    // Names that are neither the zone origin nor below it cannot be found
    // in this zone.
    const NameComparisonResult cmp = zone.getOrigin().compare(qname);
    if (cmp.getRelation() != NameComparisonResult::SUPERDOMAIN &&
        cmp.getRelation() != NameComparisonResult::EQUAL) {
        return;
    }

    // A type ANY query for this very name already answered all of its
    // address RRsets; don't repeat them.
    if (qname_ == qname && qtype_ == RRType::ANY()) {
        return;
    }

    // A first, then AAAA; each is skipped when it is exactly what the
    // query asked for (and therefore already in the answer section).
    const RRType addr_types[2] = { RRType::A(), RRType::AAAA() };
    for (int i = 0; i < 2; ++i) {
        const RRType& addr_type = addr_types[i];
        if (qname_ == qname && qtype_ == addr_type) {
            continue;
        }
        const ZoneFinder::FindResult addr_result =
            zone.find(qname, addr_type, options | dnssec_opt_);
        if (addr_result.code != ZoneFinder::SUCCESS) {
            continue;
        }
        response_.addRRset(Message::SECTION_ADDITIONAL,
                           boost::const_pointer_cast<AbstractRRset>(
                               addr_result.rrset),
                           dnssec_);
    }
}

// Add the zone's SOA RRset to the authority section (used for negative
// answers).  Throws NoSOA when the apex has no SOA, which means the zone
// content or the data source is broken.
void
Query::addSOA(ZoneFinder& finder) {
    const Name origin = finder.getOrigin();
    const ZoneFinder::FindResult soa_result =
        finder.find(origin, RRType::SOA(), dnssec_opt_);
    if (soa_result.code != ZoneFinder::SUCCESS) {
        isc_throw(NoSOA, "There's no SOA record in zone " << origin.toText());
    }

    // FIXME: the const-cast is wrong, but the Message interface seems to
    // insist on a non-const RRset pointer.
    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(
                           soa_result.rrset),
                       dnssec_);
}

// Note: unless the data source client implementation or the zone content
// is broken, 'nsec' should be a valid NSEC RR.  Likewise, the call to
// find() in this method should result in NXDOMAIN and an NSEC RR that proves
// the non-existence of a matching wildcard.  If these assumptions aren't met
// due to a buggy data source implementation or a broken zone, we'll let
// underlying libdns++ modules throw an exception, which would result in
// either a SERVFAIL response or just ignoring the query.  We at least prevent
// a complete crash due to such broken behavior.
// Add to the authority section the NSEC RR(s) proving an NXDOMAIN answer:
// 'nsec' itself (covering the query name) and, when it is a different RR,
// the NSEC covering the best possible wildcard for the query name.  Throws
// BadNSEC if 'nsec' has no RDATA or if the zone does not answer the
// wildcard lookup with NXDOMAIN plus a usable NSEC.
void
Query::addNXDOMAINProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
    if (nsec->getRdataCount() == 0) {
        isc_throw(BadNSEC, "NSEC for NXDOMAIN is empty");
    }

    // First proof: the NSEC covering the query name itself.
    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(nsec),
                       dnssec_);

    // The best possible wildcard is "*" prepended to the longest suffix the
    // query name shares with either the owner name or the next name of the
    // NXDOMAIN NSEC.  For a.b.example.com and the NSEC
    // b.example.com. NSEC c.example.com. the shared suffix is b.example.com.
    // and the candidate is *.b.example.com.; with
    // a.example.com. NSEC c.b.example.com. the longer suffix comes from the
    // next name and the candidate is the same.
    const RdataIteratorPtr nsec_it = nsec->getRdataIterator();
    const generic::NSEC& nsec_rdata =
        dynamic_cast<const generic::NSEC&>(nsec_it->getCurrent());
    const int owner_common =
        qname_.compare(nsec->getName()).getCommonLabels();
    const int next_common =
        qname_.compare(nsec_rdata.getNextName()).getCommonLabels();
    const int suffix_labels = std::max(owner_common, next_common);
    const Name wildname = Name("*").concatenate(
        qname_.split(qname_.getLabelCount() - suffix_labels));

    // Second proof: the wildcard must not exist either.  Anything other
    // than NXDOMAIN with a usable NSEC means the original answer was wrong
    // or the zone is broken.
    const ZoneFinder::FindResult wild_result =
        finder.find(wildname, RRType::NSEC(), dnssec_opt_);
    const bool wild_nxdomain = (wild_result.code == ZoneFinder::NXDOMAIN);
    if (!wild_nxdomain || !wild_result.rrset ||
        wild_result.rrset->getRdataCount() == 0) {
        isc_throw(BadNSEC, "Unexpected result for wildcard NXDOMAIN proof");
    }

    // The two NSECs may be the same RR; only add the second when it is not.
    // (Name comparison is relatively expensive; a candidate for optimization
    // once some data sources can tell us this directly.)
    if (wild_result.rrset->getName() != nsec->getName()) {
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               wild_result.rrset),
                           dnssec_);
    }
}

// Add the proof that the answer was synthesized from a wildcard because no
// closer name exists: with NSEC, the NSEC covering the (non-existent) query
// name; with NSEC3, the NSEC3 for the next closer name (RFC 5155 7.2.6).
// Does nothing when 'db_result' is not a wildcard match.  Throws BadNSEC
// when the NSEC lookup does not yield NXDOMAIN with a usable NSEC.
void
Query::addWildcardProof(ZoneFinder& finder,
                        const ZoneFinder::FindResult& db_result)
{
    if (!db_result.isWildcard()) {
        return;
    }

    if (db_result.isNSECSigned()) {
        // Without wildcard substitution the query name must not exist, so a
        // NO_WILDCARD lookup has to give NXDOMAIN plus the covering NSEC.
        const ZoneFinder::FindResult nsec_result =
            finder.find(qname_, RRType::NSEC(),
                        dnssec_opt_ | ZoneFinder::NO_WILDCARD);
        const bool usable = (nsec_result.code == ZoneFinder::NXDOMAIN &&
                             nsec_result.rrset &&
                             nsec_result.rrset->getRdataCount() > 0);
        if (!usable) {
            isc_throw(BadNSEC,
                      "Unexpected NSEC result for wildcard proof");
        }
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               nsec_result.rrset),
                           dnssec_);
    } else if (db_result.isNSEC3Signed()) {
        // RFC 5155 Section 7.2.6: the closest encloser is the immediate
        // ancestor of the matching wildcard, so the NSEC3 for its next
        // closer name is the required proof (a zone where that doesn't hold
        // is broken anyway).
        const ZoneFinder::FindNSEC3Result nsec3_result =
            finder.findNSEC3(qname_, true);
        // next_proof is NULL only on a run-time hash collision (or a broken
        // findNSEC3()); addRRset() then throws and the query ends in
        // SERVFAIL.
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               nsec3_result.next_proof),
                           dnssec_);
    }
}

// For a "no data" answer reached through wildcard expansion, add the NSEC
// proving that no closer name than the wildcard exists.  'nsec' is the NSEC
// already found for the wildcard (it must carry RDATA); the NSEC covering
// the query name itself is looked up with NO_WILDCARD and added when it is
// a different RR.  Throws BadNSEC on an empty 'nsec' or an unexpected
// lookup result.
void
Query::addWildcardNXRRSETProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
    if (nsec->getRdataCount() == 0) {
        isc_throw(BadNSEC, "NSEC for WILDCARD_NXRRSET is empty");
    }

    const ZoneFinder::FindResult qname_result =
        finder.find(qname_, RRType::NSEC(),
                    dnssec_opt_ | ZoneFinder::NO_WILDCARD);
    const bool proof_ok = (qname_result.code == ZoneFinder::NXDOMAIN &&
                           qname_result.rrset &&
                           qname_result.rrset->getRdataCount() > 0);
    if (!proof_ok) {
        isc_throw(BadNSEC, "Unexpected result for no match QNAME proof");
    }

    // One NSEC can prove both facts; add a second RR only when it differs.
    if (qname_result.rrset->getName() != nsec->getName()) {
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               qname_result.rrset),
                           dnssec_);
    }
}

// Add the DS RRset of the delegation point 'dname' to the authority
// section or, when the zone has no DS there, the proof of its absence: an
// NSEC via addNXRRsetProof(), or the NSEC3 closest-encloser proof plus the
// next-closer proof when findNSEC3() provides one (RFC 5155 7.2.7).  Any
// other lookup outcome means the delegation data is broken and throws
// BadDS.
void
Query::addDS(ZoneFinder& finder, const Name& dname) {
    const ZoneFinder::FindResult ds_result =
        finder.find(dname, RRType::DS(), dnssec_opt_);

    if (ds_result.code == ZoneFinder::SUCCESS) {
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               ds_result.rrset),
                           dnssec_);
        return;
    }
    if (ds_result.code != ZoneFinder::NXRRSET) {
        isc_throw(BadDS, "Unexpected result for DS lookup for delegation");
    }

    if (ds_result.isNSECSigned()) {
        addNXRRsetProof(finder, ds_result);
    } else if (ds_result.isNSEC3Signed()) {
        // Depending on whether the zone uses Opt-Out, findNSEC3() returns a
        // non-NULL or a NULL next_proof.  The Opt-Out flag must be set or
        // cleared accordingly, but that is not checked at this level: with
        // a validly signed zone and a correct findNSEC3() it holds, and
        // otherwise the validator will catch it.
        const ZoneFinder::FindNSEC3Result nsec3_result =
            finder.findNSEC3(dname, true);
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               nsec3_result.closest_proof),
                           dnssec_);
        if (nsec3_result.next_proof) {
            response_.addRRset(Message::SECTION_AUTHORITY,
                               boost::const_pointer_cast<AbstractRRset>(
                                   nsec3_result.next_proof),
                               dnssec_);
        }
    } else {
        // NXRRSET without NSEC or NSEC3 data to prove it is unexpected here.
        isc_throw(BadDS, "Unexpected result for DS lookup for delegation");
    }
}

// Add the proof for a "no data" (NXRRSET) answer to the authority section.
//  - NSEC: the NSEC of the name that was found, plus the no-closer-match
//    proof via addWildcardNXRRSETProof() when the match was via wildcard.
//  - NSEC3, non-wildcard: the NSEC3 matching the query name, plus the
//    next-closer proof for DS queries (RFC 5155 7.2.3 / 7.2.4).
//  - NSEC3, wildcard: closest-encloser and next-closer proofs for the query
//    name plus the NSEC3 matching the wildcard itself (RFC 5155 7.2.5).
// An NSEC-signed result without an RRset adds nothing.  Throws BadNSEC3
// when a required NSEC3 match is missing; a NULL next_proof in the wildcard
// case makes addRRset() throw.
void
Query::addNXRRsetProof(ZoneFinder& finder,
                       const ZoneFinder::FindResult& db_result)
{
    if (db_result.isNSECSigned() && db_result.rrset) {
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               db_result.rrset),
                           dnssec_);
        if (db_result.isWildcard()) {
            addWildcardNXRRSETProof(finder, db_result.rrset);
        }
        return;
    }

    if (!db_result.isNSEC3Signed()) {
        return;
    }

    if (!db_result.isWildcard()) {
        // RFC 5155 7.2.3 / 7.2.4: a DS query needs the recursive search
        // (and the next-closer proof when one is returned); other types
        // only need the matching NSEC3.
        const bool qtype_ds = (qtype_ == RRType::DS());
        const ZoneFinder::FindNSEC3Result nsec3_result =
            finder.findNSEC3(qname_, qtype_ds);
        if (!nsec3_result.matched) {
            isc_throw(BadNSEC3, "No matching NSEC3 found for existing domain "
                      << qname_);
        }
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               nsec3_result.closest_proof),
                           dnssec_);
        // next_proof may be set for a DS query.  (Opt-Out could be checked
        // here, but that is really the data source's responsibility.)
        if (qtype_ds && nsec3_result.next_proof) {
            response_.addRRset(Message::SECTION_AUTHORITY,
                               boost::const_pointer_cast<AbstractRRset>(
                                   nsec3_result.next_proof),
                               dnssec_);
        }
        return;
    }

    // RFC 5155 7.2.5: the query name has no exact match, so findNSEC3()
    // should return both the closest-encloser and the next-closer proof.
    // A NULL next_proof means a run-time collision (or an otherwise broken
    // zone); addRRset() then throws and the answer becomes SERVFAIL.
    const ZoneFinder::FindNSEC3Result qname_result =
        finder.findNSEC3(qname_, true);
    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(
                           qname_result.closest_proof),
                       dnssec_);
    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(
                           qname_result.next_proof),
                       dnssec_);

    // The matched wildcard is "*" on top of the closest encloser; add the
    // NSEC3 matching it.
    const Name wname = Name("*").concatenate(
        qname_.split(qname_.getLabelCount() - qname_result.closest_labels));
    const ZoneFinder::FindNSEC3Result wild_result =
        finder.findNSEC3(wname, false);
    if (!wild_result.matched) {
        isc_throw(BadNSEC3, "No matching NSEC3 found for existing domain "
                  << wname);
    }
    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(
                           wild_result.closest_proof),
                       dnssec_);
}

// Add the zone's apex NS RRset to the authority section and the address
// records of those name servers to the additional section.  Throws
// NoApexNS when the zone has no NS at its origin (broken zone or data
// source).
void
Query::addAuthAdditional(ZoneFinder& finder) {
    const Name origin = finder.getOrigin();
    const ZoneFinder::FindResult ns_result =
        finder.find(origin, RRType::NS(), dnssec_opt_);

    // Every zone must have NS records at its apex.
    if (ns_result.code != ZoneFinder::SUCCESS) {
        isc_throw(NoApexNS, "There's no apex NS records in zone " <<
                  origin.toText());
    }

    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(
                           ns_result.rrset),
                       dnssec_);
    // Address records for the names in the NS RDATA go to the additional
    // section.
    addAdditional(finder, *ns_result.rrset);
}

namespace {
// Thin wrapper around DataSourceClient::findZone().  For most queries the
// closest enclosing zone of the query name is the one to answer from, but a
// DS query belongs to the parent, i.e. the closest zone of the name with
// its first label stripped.  A single-label qname (the root) has no parent,
// so the deepest zone we have is searched instead (that should be the root
// zone; otherwise it's a query error).
DataSourceClient::FindResult
findZone(const DataSourceClient& client, const Name& qname, RRType qtype) {
    const bool use_parent = (qtype == RRType::DS() &&
                             qname.getLabelCount() != 1);
    if (use_parent) {
        return (client.findZone(qname.split(1)));
    }
    return (client.findZone(qname));
}
}

// Answer the query held in this object (qname_/qtype_) from the data source
// client, filling response_.  Outline:
//  - pick the zone to answer from (findZone(); the parent zone for DS).
//    With no suitable zone, a DS query is retried at the child side via
//    processDSAtChild(); otherwise the answer is REFUSED;
//  - look the name up (findAll() for ANY, find() otherwise) and dispatch on
//    the result code: DNAME (synthesize a CNAME, YXDOMAIN if it would be
//    too long), CNAME, SUCCESS (answer, apex NS + glue, wildcard proof),
//    DELEGATION (NS, DS or its absence proof, glue), NXDOMAIN / NXRRSET
//    (SOA + negative proof).
// DNSSEC proofs are added only when dnssec_ is set.  The helpers may throw
// (NoSOA, NoApexNS, BadNSEC, BadNSEC3, BadDS); those propagate to the
// caller (comments elsewhere in this file expect them to end in SERVFAIL).
void
Query::process() {
    // Found a zone which is the nearest ancestor to QNAME
    const DataSourceClient::FindResult result = findZone(datasrc_client_,
                                                         qname_, qtype_);

    // If we have no matching authoritative zone for the query name, return
    // REFUSED.  In short, this is to be compatible with BIND 9, but the
    // background discussion is not that simple.  See the relevant topic
    // at the BIND 10 developers's ML:
    // https://lists.isc.org/mailman/htdig/bind10-dev/2010-December/001633.html
    if (result.code != result::SUCCESS &&
        result.code != result::PARTIALMATCH) {
        // If we tried to find a "parent zone" for a DS query and failed,
        // we may still have authority at the child side.  If we do, the query
        // has to be handled there.
        if (qtype_ == RRType::DS() && qname_.getLabelCount() > 1 &&
            processDSAtChild()) {
            return;
        }
        response_.setHeaderFlag(Message::HEADERFLAG_AA, false);
        response_.setRcode(Rcode::REFUSED());
        return;
    }
    ZoneFinder& zfinder = *result.zone_finder;

    // We have authority for a zone that contain the query name (possibly
    // indirectly via delegation).  Look into the zone.
    response_.setHeaderFlag(Message::HEADERFLAG_AA);
    response_.setRcode(Rcode::NOERROR());
    // For ANY, findAll() collects every RRset of the name into 'target';
    // for a single type, find() returns the one RRset in the result.  Both
    // are wrapped in 'find' so the dispatch below is shared.
    std::vector<ConstRRsetPtr> target;
    boost::function0<ZoneFinder::FindResult> find;
    const bool qtype_is_any = (qtype_ == RRType::ANY());
    if (qtype_is_any) {
        find = boost::bind(&ZoneFinder::findAll, &zfinder, qname_,
                           boost::ref(target), dnssec_opt_);
    } else {
        find = boost::bind(&ZoneFinder::find, &zfinder, qname_, qtype_,
                           dnssec_opt_);
    }
    ZoneFinder::FindResult db_result(find());
    switch (db_result.code) {
        case ZoneFinder::DNAME: {
            // First, put the dname into the answer
            response_.addRRset(Message::SECTION_ANSWER,
                boost::const_pointer_cast<AbstractRRset>(db_result.rrset),
                dnssec_);
            /*
             * Empty DNAME should never get in, as it is impossible to
             * create one in master file.
             *
             * FIXME: Other way to prevent this should be done
             */
            // NOTE(review): assert() aborts the whole process if a data
            // source hands back an empty DNAME RRset, and it is compiled out
            // with NDEBUG, in which case the dynamic_cast below is reached
            // with no RDATA.  The other helpers in this file (e.g.
            // addNXDOMAINProof()) throw a Bad* exception for an empty RRset,
            // which fails only this query; worth aligning with that.
            assert(db_result.rrset->getRdataCount() > 0);
            // Get the data of DNAME
            const rdata::generic::DNAME& dname(
                dynamic_cast<const rdata::generic::DNAME&>(
                db_result.rrset->getRdataIterator()->getCurrent()));
            // The yet unmatched prefix dname
            const Name prefix(qname_.split(0, qname_.getLabelCount() -
                db_result.rrset->getName().getLabelCount()));
            // If we put it together, will it be too long?
            // (The prefix contains a trailing '.', whose length is taken
            // out of the sum below because concatenation removes it.)
            if (prefix.getLength() - Name::ROOT_NAME().getLength() +
                dname.getDname().getLength() > Name::MAX_WIRE) {
                /*
                 * In case the synthesized name is too long, section 4.1
                 * of RFC 2672 mandates we return YXDOMAIN.
                 */
                response_.setRcode(Rcode::YXDOMAIN());
                return;
            }
            // The new CNAME we are creating (it will be unsigned even
            // with DNSSEC, the DNAME is signed and it can be validated
            // by that)
            RRsetPtr cname(new RRset(qname_, db_result.rrset->getClass(),
                RRType::CNAME(), db_result.rrset->getTTL()));
            // Construct the new target by replacing the end
            cname->addRdata(rdata::generic::CNAME(qname_.split(0,
                qname_.getLabelCount() -
                db_result.rrset->getName().getLabelCount()).
                concatenate(dname.getDname())));
            response_.addRRset(Message::SECTION_ANSWER, cname, dnssec_);
            break;
        }
        case ZoneFinder::CNAME:
            /*
             * We don't do chaining yet. Therefore handling a CNAME is
             * mostly the same as handling SUCCESS, but we didn't get
             * what we expected. It means no exceptions in ANY or NS
             * on the origin (though CNAME in origin is probably
             * forbidden anyway).
             *
             * So, just put it there.
             */
            response_.addRRset(Message::SECTION_ANSWER,
                boost::const_pointer_cast<AbstractRRset>(db_result.rrset),
                dnssec_);

            // If the answer is a result of wildcard substitution,
            // add a proof that there's no closer name.
            if (dnssec_ && db_result.isWildcard()) {
                addWildcardProof(*result.zone_finder,db_result);
            }
            break;
        case ZoneFinder::SUCCESS:
            if (qtype_is_any) {
                // If query type is ANY, insert all RRs under the domain
                // into answer section.
                BOOST_FOREACH(ConstRRsetPtr rrset, target) {
                    response_.addRRset(Message::SECTION_ANSWER,
                        boost::const_pointer_cast<AbstractRRset>(rrset), dnssec_);
                    // Handle additional for answer section
                    addAdditional(*result.zone_finder, *rrset.get());
                }
            } else {
                response_.addRRset(Message::SECTION_ANSWER,
                    boost::const_pointer_cast<AbstractRRset>(db_result.rrset),
                    dnssec_);
                // Handle additional for answer section
                addAdditional(*result.zone_finder, *db_result.rrset);
            }
            // If apex NS records haven't been provided in the answer
            // section, insert apex NS records into the authority section
            // and AAAA/A RRS of each of the NS RDATA into the additional
            // section.
            // (db_result.code is always SUCCESS inside this case, so the
            // middle operand of the condition never changes the outcome.)
            if (qname_ != result.zone_finder->getOrigin() ||
                db_result.code != ZoneFinder::SUCCESS ||
                (qtype_ != RRType::NS() && !qtype_is_any))
            {
                addAuthAdditional(*result.zone_finder);
            }

            // If the answer is a result of wildcard substitution,
            // add a proof that there's no closer name.
            if (dnssec_ && db_result.isWildcard()) {
                addWildcardProof(*result.zone_finder,db_result);
            }
            break;
        case ZoneFinder::DELEGATION:
            // If a DS query resulted in delegation, we also need to check
            // if we are an authority of the child, too.  If so, we need to
            // complete the process in the child as specified in Section
            // 2.2.1.2. of RFC3658.
            if (qtype_ == RRType::DS() && processDSAtChild()) {
                return;
            }

            // A referral is not authoritative: clear AA, put the delegation
            // NS RRset into the authority section.
            response_.setHeaderFlag(Message::HEADERFLAG_AA, false);
            response_.addRRset(Message::SECTION_AUTHORITY,
                boost::const_pointer_cast<AbstractRRset>(db_result.rrset),
                dnssec_);
            // If DNSSEC is requested, see whether there is a DS
            // record for this delegation.
            if (dnssec_) {
                addDS(*result.zone_finder, db_result.rrset->getName());
            }
            // Glue for the delegation's name servers.
            addAdditional(*result.zone_finder, *db_result.rrset);
            break;
        case ZoneFinder::NXDOMAIN:
            response_.setRcode(Rcode::NXDOMAIN());
            addSOA(*result.zone_finder);
            // The NSEC proving NXDOMAIN is only added when the data source
            // supplied one.
            if (dnssec_ && db_result.rrset) {
                addNXDOMAINProof(zfinder, db_result.rrset);
            }
            break;
        case ZoneFinder::NXRRSET:
            addSOA(*result.zone_finder);
            if (dnssec_) {
                addNXRRsetProof(zfinder, db_result);
            }
            break;
        default:
            // This is basically a bug of the data source implementation,
            // but could also happen in the middle of development where
            // we try to add a new result code.
            isc_throw(isc::NotImplemented, "Unknown result code");
            break;
    }
}
// Handle a DS query that arrived at the child side of the delegation, where
// the DS does not belong.  If this server has authority for the zone that
// exactly matches the query name, answer "no data" with that zone's SOA
// (RFC 4035 Section 3.1.4.1, RFC 3658 Section 2.2.1.1) -- the SOA is what
// lets the resolver hunt for the right parent zone -- plus the NXRRSET
// proof when DNSSEC is requested, and return true.  Returns false, leaving
// the response untouched, when there is no such zone.
bool
Query::processDSAtChild() {
    const DataSourceClient::FindResult child_zone =
        datasrc_client_.findZone(qname_);
    if (child_zone.code != result::SUCCESS) {
        return (false);
    }

    ZoneFinder& finder = *child_zone.zone_finder;
    response_.setHeaderFlag(Message::HEADERFLAG_AA);
    response_.setRcode(Rcode::NOERROR());
    addSOA(finder);

    // find(DS) is expected to give NXRRSET.  Any other result is simply
    // answered without a proof rather than treated as an error: the SOA
    // above is the part the resolver needs.
    const ZoneFinder::FindResult ds_result =
        finder.find(qname_, RRType::DS(), dnssec_opt_);
    if (dnssec_ && ds_result.code == ZoneFinder::NXRRSET) {
        addNXRRsetProof(finder, ds_result);
    }
    return (true);
}

}
}