// Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
// AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
// PERFORMANCE OF THIS SOFTWARE.

#include <algorithm>            // for std::max
#include <vector>
#include <boost/foreach.hpp>
#include <boost/bind.hpp>
#include <boost/function.hpp>

#include <dns/message.h>
#include <dns/rcode.h>
#include <dns/rdataclass.h>

#include <datasrc/client.h>

#include <auth/query.h>

using namespace isc::dns;
using namespace isc::datasrc;
using namespace isc::dns::rdata;

namespace isc {
namespace auth {

void
Query::addAdditional(ZoneFinder& zone, const AbstractRRset& rrset) {
    // Walk every RDATA of 'rrset' and, for the record types whose RDATA
    // names another host (NS and MX), try to add that host's address
    // records to the additional section.  RRsets of any other type are
    // left alone.
    //
    // NS targets are looked up in "glue OK" mode because the name may sit
    // below a delegation inside this zone; MX targets use the default
    // find options.  A mismatch between the RRset type and the concrete
    // RDATA class would make the reference dynamic_cast throw, which is
    // left to the caller.
    for (RdataIteratorPtr it(rrset.getRdataIterator()); !it->isLast();
         it->next()) {
        const Rdata& current = it->getCurrent();
        if (rrset.getType() == RRType::NS()) {
            const generic::NS& ns_rdata =
                dynamic_cast<const generic::NS&>(current);
            addAdditionalAddrs(zone, ns_rdata.getNSName(),
                               ZoneFinder::FIND_GLUE_OK);
        } else if (rrset.getType() == RRType::MX()) {
            const generic::MX& mx_rdata =
                dynamic_cast<const generic::MX&>(current);
            addAdditionalAddrs(zone, mx_rdata.getMXName());
        }
    }
}

void
Query::addAdditionalAddrs(ZoneFinder& zone, const Name& qname,
                          const ZoneFinder::FindOptions options)
{
    // Add the A and AAAA RRsets owned by 'qname' to the additional section,
    // provided the name lies within 'zone' and the data is not already part
    // of the answer section.  Lookups that don't yield SUCCESS (no such
    // name, no such type, a delegation, ...) simply contribute nothing.

    // Never look outside the zone we are answering from: the zone origin
    // must be equal to, or a superdomain of, the target name.
    const NameComparisonResult cmp = zone.getOrigin().compare(qname);
    const bool in_zone =
        (cmp.getRelation() == NameComparisonResult::SUPERDOMAIN ||
         cmp.getRelation() == NameComparisonResult::EQUAL);
    if (!in_zone) {
        return;
    }

    // A query for ANY on this very name has already placed every RRset of
    // the name, addresses included, in the answer section.
    if (qname_ == qname && qtype_ == RRType::ANY()) {
        return;
    }

    // Look up A first, then AAAA.  The lookup for a type is skipped when
    // the query itself asked for exactly that type on the same name, since
    // the answer section already carries it.
    const RRType addr_types[] = { RRType::A(), RRType::AAAA() };
    const size_t num_types = sizeof(addr_types) / sizeof(addr_types[0]);
    for (size_t i = 0; i < num_types; ++i) {
        const RRType& type = addr_types[i];
        if (qname_ == qname && qtype_ == type) {
            continue;
        }
        const ZoneFinder::FindResult addr_result =
            zone.find(qname, type, options | dnssec_opt_);
        if (addr_result.code == ZoneFinder::SUCCESS) {
            response_.addRRset(Message::SECTION_ADDITIONAL,
                               boost::const_pointer_cast<AbstractRRset>(
                                   addr_result.rrset),
                               dnssec_);
        }
    }
}

void
Query::addSOA(ZoneFinder& finder) {
    // Put the zone's SOA RRset into the authority section.  Used for
    // negative answers and for the DS-at-child case.
    //
    // Throws NoSOA when the zone apex has no SOA RRset; such a zone is
    // broken and the caller is expected to turn the exception into an
    // error response.
    const ZoneFinder::FindResult soa_result =
        finder.find(finder.getOrigin(), RRType::SOA(), dnssec_opt_);
    if (soa_result.code != ZoneFinder::SUCCESS) {
        isc_throw(NoSOA, "There's no SOA record in zone " <<
                  finder.getOrigin().toText());
    }
    // FIXME (kept from the original): the const-cast is wrong, but the
    // Message interface insists on a non-const RRset pointer.
    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(
                           soa_result.rrset),
                       dnssec_);
}

// Add the NSEC RRs that prove NXDOMAIN for qname_ to the authority
// section: 'nsec' is the NSEC covering the query name itself, and a second
// NSEC, found here, covers the closest wildcard that could have matched.
//
// Note: unless the data source client implementation or the zone content
// is broken, 'nsec' should be a valid NSEC RR.  Likewise, the call to
// find() in this method should result in NXDOMAIN and an NSEC RR that proves
// the non existence of the matching wildcard.  If these assumptions aren't
// met due to a buggy data source implementation or a broken zone, we'll let
// the underlying libdns++ modules throw an exception (e.g. the reference
// dynamic_cast below throws std::bad_cast), which would result in either a
// SERVFAIL response or just ignoring the query.  We at least prevent a
// complete crash due to such broken behavior.
//
// Throws BadNSEC when 'nsec' has no RDATA or the wildcard lookup does not
// produce a usable NXDOMAIN proof.
void
Query::addNXDOMAINProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
    if (nsec->getRdataCount() == 0) {
        isc_throw(BadNSEC, "NSEC for NXDOMAIN is empty");
    }

    // The NSEC covering the query name goes first.
    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(nsec),
                       dnssec_);

    // Next, identify the best possible wildcard name that would match
    // the query name.  It's the longer common suffix with the qname
    // between the owner or the next domain of the NSEC that proves NXDOMAIN,
    // prefixed by the wildcard label, "*".  For example, for query name
    // a.b.example.com, if the NXDOMAIN NSEC is
    // b.example.com. NSEC c.example.com., the longer suffix is b.example.com.,
    // and the best possible wildcard is *.b.example.com.  If the NXDOMAIN
    // NSEC is a.example.com. NSEC c.b.example.com., the longer suffix
    // is the next domain of the NSEC, and we get the same wildcard name.
    const int qname_labels = qname_.getLabelCount();
    const int labels_with_owner =
        qname_.compare(nsec->getName()).getCommonLabels();
    // The next-domain name is read straight out of the first RDATA within
    // a single expression so the temporary RDATA iterator stays alive.
    const int labels_with_next = qname_.compare(
        dynamic_cast<const generic::NSEC&>(
            nsec->getRdataIterator()->getCurrent()).getNextName()).
        getCommonLabels();
    const int common_labels = std::max(labels_with_owner, labels_with_next);
    const Name wildname =
        Name("*").concatenate(qname_.split(qname_labels - common_labels));

    // Confirm the wildcard doesn't exist (this should result in NXDOMAIN;
    // otherwise we shouldn't have got NXDOMAIN for the original query in
    // the first place).
    const ZoneFinder::FindResult wild_result =
        finder.find(wildname, RRType::NSEC(), dnssec_opt_);
    const bool wild_proof_ok = (wild_result.code == ZoneFinder::NXDOMAIN &&
                                wild_result.rrset &&
                                wild_result.rrset->getRdataCount() > 0);
    if (!wild_proof_ok) {
        isc_throw(BadNSEC, "Unexpected result for wildcard NXDOMAIN proof");
    }

    // Add the (no-) wildcard proof only when it's different from the NSEC
    // that proves NXDOMAIN; sometimes they can be the same.
    // Note: name comparison is relatively expensive.  When we are at the
    // stage of performance optimization, we should consider optimizing this
    // for some optimized data source implementations.
    if (nsec->getName() != wild_result.rrset->getName()) {
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               wild_result.rrset),
                           dnssec_);
    }
}

void
Query::addWildcardProof(ZoneFinder& finder,
                        const ZoneFinder::FindResult& db_result)
{
    // Add the authority-section proof that the answer in 'db_result' was
    // produced by wildcard expansion, i.e. that no closer name exists.  The
    // form of the proof depends on how the zone is signed; for an unsigned
    // zone nothing is added.
    //
    // Throws BadNSEC when an NSEC-signed zone does not yield the expected
    // NXDOMAIN proof for the query name.
    if (db_result.isNSECSigned()) {
        // RFC4035 Section 3.1.3.3: without wildcard substitution the query
        // name must not exist.  Ask again with NO_WILDCARD; that lookup has
        // to yield NXDOMAIN plus the NSEC RR proving it.
        const ZoneFinder::FindResult nsec_result =
            finder.find(qname_, RRType::NSEC(),
                        dnssec_opt_ | ZoneFinder::NO_WILDCARD);
        const bool proof_ok = (nsec_result.code == ZoneFinder::NXDOMAIN &&
                               nsec_result.rrset &&
                               nsec_result.rrset->getRdataCount() > 0);
        if (!proof_ok) {
            isc_throw(BadNSEC, "Unexpected NSEC result for wildcard proof");
        }
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               nsec_result.rrset),
                           dnssec_);
        return;
    }

    if (db_result.isNSEC3Signed()) {
        // RFC5155 Section 7.2.6.  The closest encloser must be the
        // immediate ancestor of the matching wildcard, so the NSEC3 for its
        // "next closer" name is what we are expected to provide (if this
        // assumption isn't met the zone is broken anyway).
        const ZoneFinder::FindNSEC3Result nsec3_result(
            finder.findNSEC3(qname_, true));
        // next_proof must not be NULL here unless there is a run time hash
        // collision (or zone/findNSEC3() is broken).  That unexpected case
        // is caught in addRRset() and results in SERVFAIL.
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               nsec3_result.next_proof),
                           dnssec_);
    }
}

void
Query::addWildcardNXRRSETProof(ZoneFinder& finder, ConstRRsetPtr nsec) {
    // Complete the NSEC proof for a wildcard "no data" answer.  'nsec' is
    // the NSEC RR already found in the zone proving that no <QNAME,QTYPE>
    // matched via wildcard expansion; this method adds the NSEC proving
    // that the query name itself does not exist, unless both proofs turn
    // out to be the same RR.
    //
    // Throws BadNSEC when 'nsec' has no RDATA or the NO_WILDCARD lookup
    // does not produce a usable NXDOMAIN proof.
    if (nsec->getRdataCount() == 0) {
        isc_throw(BadNSEC, "NSEC for WILDCARD_NXRRSET is empty");
    }

    const ZoneFinder::FindResult noname_result =
        finder.find(qname_, RRType::NSEC(),
                    dnssec_opt_ | ZoneFinder::NO_WILDCARD);
    const bool proof_ok = (noname_result.code == ZoneFinder::NXDOMAIN &&
                           noname_result.rrset &&
                           noname_result.rrset->getRdataCount() > 0);
    if (!proof_ok) {
        isc_throw(BadNSEC, "Unexpected result for no match QNAME proof");
    }

    // A single NSEC can cover both the wildcard no-data case and the
    // nonexistent query name; only add a second RR when it differs.
    if (nsec->getName() != noname_result.rrset->getName()) {
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               noname_result.rrset),
                           dnssec_);
    }
}

void
Query::addDS(ZoneFinder& finder, const Name& dname) {
    // For a referral, add the DS RRset of the delegation point 'dname' to
    // the authority section or, when the zone is signed but has no DS
    // there, the proof of its absence.
    //
    // Throws BadDS for any other lookup outcome, which indicates a broken
    // zone or data source.
    const ZoneFinder::FindResult ds_result =
        finder.find(dname, RRType::DS(), dnssec_opt_);
    const bool no_ds = (ds_result.code == ZoneFinder::NXRRSET);

    if (ds_result.code == ZoneFinder::SUCCESS) {
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               ds_result.rrset),
                           dnssec_);
    } else if (no_ds && ds_result.isNSECSigned()) {
        // NSEC-signed zone: the generic no-data proof applies.
        addNXRRsetProof(finder, ds_result);
    } else if (no_ds && ds_result.isNSEC3Signed()) {
        // No-DS proof with NSEC3 as specified in RFC5155 Section 7.2.7.
        // Depending on whether the zone uses Opt-Out, findNSEC3() returns a
        // non-NULL or NULL next_proof (respectively).  The Opt-Out flag must
        // be set or cleared accordingly, but that isn't checked at this
        // level (as long as the zone is validly signed and findNSEC3() is
        // correct the condition holds; otherwise we'd let the validator
        // detect the error).
        const ZoneFinder::FindNSEC3Result nsec3_result =
            finder.findNSEC3(dname, true);
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               nsec3_result.closest_proof),
                           dnssec_);
        if (nsec3_result.next_proof) {
            response_.addRRset(Message::SECTION_AUTHORITY,
                               boost::const_pointer_cast<AbstractRRset>(
                                   nsec3_result.next_proof),
                               dnssec_);
        }
    } else {
        // Any other case should be an error
        isc_throw(BadDS, "Unexpected result for DS lookup for delegation");
    }
}

// Add the authority-section proof for a "no data" (NXRRSET) answer: the
// query name exists but has no RRset of the requested type.  The shape of
// the proof depends on how the zone is signed (NSEC vs. NSEC3) and on
// whether the answer came from wildcard expansion; an unsigned zone gets
// nothing.
//
// Throws BadNSEC3 when the data source has no matching NSEC3 for a name
// that is known to exist; other broken-zone conditions surface as
// exceptions from addRRset() (NULL proofs) or from the helpers called here.
void
Query::addNXRRsetProof(ZoneFinder& finder,
                       const ZoneFinder::FindResult& db_result)
{
    // NSEC case: the finder already returned the covering NSEC in 'rrset'.
    // NOTE(review): with an NSEC-signed zone but a NULL db_result.rrset
    // this branch is skipped and no NSEC proof is added at all; the answer
    // then goes out without a proof rather than being rejected — confirm
    // that is the intended behaviour.
    if (db_result.isNSECSigned() && db_result.rrset) {
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               db_result.rrset),
                           dnssec_);
        if (db_result.isWildcard()) {
            // A wildcard no-data answer also needs the proof that the
            // query name itself does not exist.
            addWildcardNXRRSETProof(finder, db_result.rrset);
        }
    } else if (db_result.isNSEC3Signed() && !db_result.isWildcard()) {
        // Handling depends on whether query type is DS or not
        // (see RFC5155, 7.2.3 and 7.2.4):  If qtype == DS, do
        // recursive search (and add next_proof, if necessary),
        // otherwise, do non-recursive search
        const bool qtype_ds = (qtype_ == RRType::DS());
        ZoneFinder::FindNSEC3Result result(finder.findNSEC3(qname_, qtype_ds));
        if (result.matched) {
            response_.addRRset(Message::SECTION_AUTHORITY,
                               boost::const_pointer_cast<AbstractRRset>(
                                   result.closest_proof), dnssec_);
            // For qtype == DS, next_proof could be set
            // (We could check for opt-out here, but that's really the
            // responsibility of the datasource)
            if (qtype_ds && result.next_proof != ConstRRsetPtr()) {
                response_.addRRset(Message::SECTION_AUTHORITY,
                                   boost::const_pointer_cast<AbstractRRset>(
                                       result.next_proof), dnssec_);
            }
        } else {
            // The name exists, so a matching NSEC3 must exist in a
            // correctly signed zone; its absence means a broken zone.
            isc_throw(BadNSEC3, "No matching NSEC3 found for existing domain "
                      << qname_);
        }
    } else if (db_result.isNSEC3Signed() && db_result.isWildcard()) {
        // Case for RFC5155 Section 7.2.5
        const ZoneFinder::FindNSEC3Result result(finder.findNSEC3(qname_,
                                                                  true));
        // We know there's no exact match for the qname, so findNSEC3() should
        // return both closest and next proofs.  If the latter is NULL, it
        // means a run time collision (or the zone is broken in other way).
        // In that case addRRset() will throw, and it will be converted to
        // SERVFAIL.
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               result.closest_proof), dnssec_);
        response_.addRRset(Message::SECTION_AUTHORITY,
                           boost::const_pointer_cast<AbstractRRset>(
                               result.next_proof), dnssec_);

        // Construct the matched wildcard name and add NSEC3 for it.
        // The wildcard is "*" prepended to the closest encloser, which is
        // the suffix of qname_ with closest_labels labels.
        const Name wname = Name("*").concatenate(
            qname_.split(qname_.getLabelCount() - result.closest_labels));
        const ZoneFinder::FindNSEC3Result wresult(finder.findNSEC3(wname,
                                                                   false));
        if (wresult.matched) {
            response_.addRRset(Message::SECTION_AUTHORITY,
                               boost::const_pointer_cast<AbstractRRset>(
                                   wresult.closest_proof), dnssec_);
        } else {
            // The wildcard produced the answer, so it must exist and have
            // a matching NSEC3; otherwise the zone is broken.
            isc_throw(BadNSEC3, "No matching NSEC3 found for existing domain "
                      << wname);
        }
    }
}

void
Query::addAuthAdditional(ZoneFinder& finder) {
    // Fill in the authority section with the apex NS RRset of the zone
    // behind 'finder', and the additional section with the address records
    // of those name servers.
    //
    // Throws NoApexNS when the zone has no NS RRset at its origin, which
    // means the zone is broken.
    const ZoneFinder::FindResult ns_result =
        finder.find(finder.getOrigin(), RRType::NS(), dnssec_opt_);
    if (ns_result.code != ZoneFinder::SUCCESS) {
        isc_throw(NoApexNS, "There's no apex NS records in zone " <<
                  finder.getOrigin().toText());
    }
    response_.addRRset(Message::SECTION_AUTHORITY,
                       boost::const_pointer_cast<AbstractRRset>(
                           ns_result.rrset),
                       dnssec_);
    // Addresses (glue) for each NS target go into the additional section.
    addAdditional(finder, *ns_result.rrset);
}

namespace {
// A thin wrapper around DataSourceClient::findZone().  Normally the zone to
// answer from is the closest enclosing zone of the qname, but a DS RRset is
// owned by the parent zone, so a DS query has to be looked up one label up.
// When there is no parent (the qname is a single label, which also means it
// is the root name) the deepest zone we have is searched instead; that
// should be the root zone, otherwise the query is an error.
DataSourceClient::FindResult
findZone(const DataSourceClient& client, const Name& qname, RRType qtype) {
    const bool look_in_parent =
        (qtype == RRType::DS() && qname.getLabelCount() > 1);
    if (look_in_parent) {
        // Strip the leftmost label to get the parent name.
        return (client.findZone(qname.split(1)));
    }
    return (client.findZone(qname));
}
}

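void
Query::process() {
    // Build the response for the query held in qname_/qtype_ from the data
    // source client in datasrc_client_.  Exceptions raised here (broken zone
    // or data source, unknown result codes) are left to the caller, which
    // turns them into an error response.

    // Find the zone that is the nearest ancestor of QNAME (for a DS query,
    // of its parent; see findZone() above).
    const DataSourceClient::FindResult result = findZone(datasrc_client_,
                                                         qname_, qtype_);

    // If we have no matching authoritative zone for the query name, return
    // REFUSED.  In short, this is to be compatible with BIND 9, but the
    // background discussion is not that simple.  See the relevant topic
    // at the BIND 10 developers's ML:
    // https://lists.isc.org/mailman/htdig/bind10-dev/2010-December/001633.html
    if (result.code != result::SUCCESS &&
        result.code != result::PARTIALMATCH) {
        // If we tried to find a "parent zone" for a DS query and failed,
        // we may still have authority at the child side.  If we do, the query
        // has to be handled there.
        if (qtype_ == RRType::DS() && qname_.getLabelCount() > 1 &&
            processDSAtChild()) {
            return;
        }
        response_.setHeaderFlag(Message::HEADERFLAG_AA, false);
        response_.setRcode(Rcode::REFUSED());
        return;
    }
    ZoneFinder& zfinder = *result.zone_finder;

    // We have authority for a zone that contains the query name (possibly
    // indirectly via delegation).  Look into the zone.
    response_.setHeaderFlag(Message::HEADERFLAG_AA);
    response_.setRcode(Rcode::NOERROR());
    std::vector<ConstRRsetPtr> target;
    boost::function0<ZoneFinder::FindResult> find;
    const bool qtype_is_any = (qtype_ == RRType::ANY());
    if (qtype_is_any) {
        // findAll() collects every RRset of the name into 'target'.
        find = boost::bind(&ZoneFinder::findAll, &zfinder, qname_,
                           boost::ref(target), dnssec_opt_);
    } else {
        find = boost::bind(&ZoneFinder::find, &zfinder, qname_, qtype_,
                           dnssec_opt_);
    }
    ZoneFinder::FindResult db_result(find());
    switch (db_result.code) {
        case ZoneFinder::DNAME: {
            // First, put the DNAME into the answer
            response_.addRRset(Message::SECTION_ANSWER,
                boost::const_pointer_cast<AbstractRRset>(db_result.rrset),
                dnssec_);
            // An empty DNAME RRset cannot be created from a master file, so
            // this only happens with a broken data source.  This used to be
            // an assert(), which is compiled out under NDEBUG and would then
            // let getCurrent() below run on an exhausted RDATA iterator;
            // throw instead, like the other broken-zone checks in this file,
            // so the caller can turn it into an error response.
            if (db_result.rrset->getRdataCount() == 0) {
                isc_throw(isc::Unexpected, "Empty DNAME RRset at " <<
                          db_result.rrset->getName());
            }
            // Get the data of DNAME
            const rdata::generic::DNAME& dname(
                dynamic_cast<const rdata::generic::DNAME&>(
                db_result.rrset->getRdataIterator()->getCurrent()));
            // The yet unmatched prefix of the query name: the labels below
            // the DNAME owner.
            const Name prefix(qname_.split(0, qname_.getLabelCount() -
                db_result.rrset->getName().getLabelCount()));
            // If we put it together, will it be too long?  (The prefix
            // contains the trailing root label, which concatenate() drops.)
            if (prefix.getLength() - Name::ROOT_NAME().getLength() +
                dname.getDname().getLength() > Name::MAX_WIRE) {
                // In case the synthesized name is too long, section 4.1
                // of RFC 2672 mandates we return YXDOMAIN.
                response_.setRcode(Rcode::YXDOMAIN());
                return;
            }
            // The new CNAME we are creating (it will be unsigned even
            // with DNSSEC, the DNAME is signed and it can be validated
            // by that)
            RRsetPtr cname(new RRset(qname_, db_result.rrset->getClass(),
                RRType::CNAME(), db_result.rrset->getTTL()));
            // Construct the new target by replacing the end: the unmatched
            // prefix computed above, followed by the DNAME target.
            cname->addRdata(rdata::generic::CNAME(
                prefix.concatenate(dname.getDname())));
            response_.addRRset(Message::SECTION_ANSWER, cname, dnssec_);
            break;
        }
        case ZoneFinder::CNAME:
            // We don't do chaining yet.  Therefore handling a CNAME is
            // mostly the same as handling SUCCESS, but we didn't get
            // what we expected.  It means no exceptions in ANY or NS
            // on the origin (though CNAME in origin is probably
            // forbidden anyway).
            //
            // So, just put it there.
            response_.addRRset(Message::SECTION_ANSWER,
                boost::const_pointer_cast<AbstractRRset>(db_result.rrset),
                dnssec_);
            // If the answer is a result of wildcard substitution,
            // add a proof that there's no closer name.
            if (dnssec_ && db_result.isWildcard()) {
                addWildcardProof(zfinder, db_result);
            }
            break;
        case ZoneFinder::SUCCESS:
            if (qtype_is_any) {
                // For ANY, every RRset of the name goes into the answer
                // section, each followed by its own additional data.
                BOOST_FOREACH(const ConstRRsetPtr& rrset, target) {
                    response_.addRRset(Message::SECTION_ANSWER,
                        boost::const_pointer_cast<AbstractRRset>(rrset),
                        dnssec_);
                    addAdditional(zfinder, *rrset);
                }
            } else {
                response_.addRRset(Message::SECTION_ANSWER,
                    boost::const_pointer_cast<AbstractRRset>(db_result.rrset),
                    dnssec_);
                // Handle additional for answer section
                addAdditional(zfinder, *db_result.rrset);
            }
            // If apex NS records haven't been provided in the answer
            // section, insert apex NS records into the authority section
            // and AAAA/A RRS of each of the NS RDATA into the additional
            // section.  (The original also re-checked db_result.code here,
            // which is always SUCCESS inside this case.)
            if (qname_ != zfinder.getOrigin() ||
                (qtype_ != RRType::NS() && !qtype_is_any))
            {
                addAuthAdditional(zfinder);
            }
            // If the answer is a result of wildcard substitution,
            // add a proof that there's no closer name.
            if (dnssec_ && db_result.isWildcard()) {
                addWildcardProof(zfinder, db_result);
            }
            break;
        case ZoneFinder::DELEGATION:
            // If a DS query resulted in delegation, we also need to check
            // if we are an authority of the child, too.  If so, we need to
            // complete the process in the child as specified in Section
            // 2.2.1.2. of RFC3658.
            if (qtype_ == RRType::DS() && processDSAtChild()) {
                return;
            }
            // A referral is not an authoritative answer.
            response_.setHeaderFlag(Message::HEADERFLAG_AA, false);
            response_.addRRset(Message::SECTION_AUTHORITY,
                boost::const_pointer_cast<AbstractRRset>(db_result.rrset),
                dnssec_);
            // If DNSSEC is requested, see whether there is a DS record for
            // this delegation (or add the proof that there is none).
            if (dnssec_) {
                addDS(zfinder, db_result.rrset->getName());
            }
            // Glue for the delegation's name servers.
            addAdditional(zfinder, *db_result.rrset);
            break;
        case ZoneFinder::NXDOMAIN:
            response_.setRcode(Rcode::NXDOMAIN());
            addSOA(zfinder);
            if (dnssec_ && db_result.rrset) {
                addNXDOMAINProof(zfinder, db_result.rrset);
            }
            break;
        case ZoneFinder::NXRRSET:
            addSOA(zfinder);
            if (dnssec_) {
                addNXRRsetProof(zfinder, db_result);
            }
            break;
        default:
            // This is basically a bug of the data source implementation,
            // but could also happen in the middle of development where
            // we try to add a new result code.
            isc_throw(isc::NotImplemented, "Unknown result code");
            break;
    }
}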

bool
Query::processDSAtChild() {
    // Try to answer a DS query from the child zone when we are authoritative
    // for the child.  Returns false, leaving the response untouched, when we
    // have no zone for qname_; returns true when the response has been
    // completed here.
    const DataSourceClient::FindResult zresult =
        datasrc_client_.findZone(qname_);
    if (zresult.code != result::SUCCESS) {
        return (false);
    }

    // We are receiving a DS query at the child side of the owner name,
    // where the DS isn't supposed to belong.  We should return a "no data"
    // response as described in Section 3.1.4.1 of RFC4035 and Section
    // 2.2.1.1 of RFC 3658.  find(DS) should result in NXRRSET, in which
    // case (and if DNSSEC is required) we also add the proof for that,
    // but even if find() returns an unexpected result, we don't bother.
    // The important point in this case is to return SOA so that the resolver
    // that happens to contact us can hunt for the appropriate parent zone
    // by seeing the SOA.
    ZoneFinder& child_finder = *zresult.zone_finder;
    response_.setHeaderFlag(Message::HEADERFLAG_AA);
    response_.setRcode(Rcode::NOERROR());
    addSOA(child_finder);
    const ZoneFinder::FindResult ds_result =
        child_finder.find(qname_, RRType::DS(), dnssec_opt_);
    if (ds_result.code == ZoneFinder::NXRRSET && dnssec_) {
        addNXRRsetProof(child_finder, ds_result);
    }

    return (true);
}

}
}