src - FreeBSD source tree

diff options


context:
space:
mode:

author	Doug Barton <dougb@FreeBSD.org>	2011-07-16 11:12:09 +0000
committer	Doug Barton <dougb@FreeBSD.org>	2011-07-16 11:12:09 +0000
commit	7afecc12f4d7b56f03438d5f41b837b9696f0a94 (patch)
tree	7873e6a2dac5f9ddbfefa3b07f3cf0570f682321 /contrib/bind9/bin/named/client.c
parent	a9285ae5c428d2017b1b907b8403ebe30f369bec (diff)
parent	473038528ab5bd55332138ebf791ab91a25f747b (diff)

Upgrade to version 9.8.0-P4

This version has many new features, see /usr/share/doc/bind9/README for details.

Notes

Notes: svn path=/head/; revision=224092

Diffstat (limited to 'contrib/bind9/bin/named/client.c')

-rw-r--r--

contrib/bind9/bin/named/client.c

130

1 files changed, 85 insertions, 45 deletions

diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c
index 6236d27f28a0..bc9cc878adbc 100644
--- a/contrib/bind9/bin/named/client.c
+++ b/contrib/bind9/bin/named/client.c

@@ -1,5 +1,5 @@

* Permission to use, copy, modify, and/or distribute this software for any

@@ -15,7 +15,7 @@

* PERFORMANCE OF THIS SOFTWARE.

-/* $Id: client.c,v 1.259.12.5 2010-09-24 08:30:27 tbox Exp $ */

+/* $Id: client.c,v 1.271 2011-01-11 23:47:12 tbox Exp $ */

#include <config.h>

@@ -918,7 +918,7 @@ ns_client_send(ns_client_t *client) {

dns_compress_t cctx;

isc_boolean_t cleanup_cctx = ISC_FALSE;

unsigned char sendbuf[SEND_BUFFER_SIZE];

- unsigned int dnssec_opts;

+ unsigned int render_opts;

unsigned int preferred_glue;

isc_boolean_t opt_included = ISC_FALSE;

@@ -930,10 +930,21 @@ ns_client_send(ns_client_t *client) {

client->message->flags |= DNS_MESSAGEFLAG_RA;

if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0)

- dnssec_opts = 0;

+ render_opts = 0;

else

- dnssec_opts = DNS_MESSAGERENDER_OMITDNSSEC;

+ render_opts = DNS_MESSAGERENDER_OMITDNSSEC;

+#ifdef ALLOW_FILTER_AAAA_ON_V4

+ /*

+ * filter-aaaa-on-v4 yes or break-dnssec option to suppress

+ * AAAA records

+ * We already know that request came via IPv4,

+ * that we have both AAAA and A records,

+ * and that we either have no signatures that the client wants

+ * or we are supposed to break DNSSEC.

+ */

+ if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0)

+ render_opts |= DNS_MESSAGERENDER_FILTER_AAAA;

+#endif

preferred_glue = 0;

if (client->view != NULL) {

if (client->view->preferred_glue == dns_rdatatype_a)

@@ -977,7 +988,7 @@ ns_client_send(ns_client_t *client) {

result = dns_message_rendersection(client->message,

DNS_SECTION_ANSWER,

DNS_MESSAGERENDER_PARTIAL |

- dnssec_opts);

+ render_opts);

if (result == ISC_R_NOSPACE) {

client->message->flags |= DNS_MESSAGEFLAG_TC;

goto renderend;

@@ -987,7 +998,7 @@ ns_client_send(ns_client_t *client) {

result = dns_message_rendersection(client->message,

DNS_SECTION_AUTHORITY,

DNS_MESSAGERENDER_PARTIAL |

- dnssec_opts);

+ render_opts);

if (result == ISC_R_NOSPACE) {

client->message->flags |= DNS_MESSAGEFLAG_TC;

goto renderend;

@@ -996,7 +1007,7 @@ ns_client_send(ns_client_t *client) {

goto done;

result = dns_message_rendersection(client->message,

DNS_SECTION_ADDITIONAL,

- preferred_glue | dnssec_opts);

+ preferred_glue | render_opts);

if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)

goto done;

renderend:

@@ -1355,7 +1366,6 @@ client_request(isc_task_t *task, isc_event_t *event) {

dns_name_t *signame;

isc_boolean_t ra; /* Recursion available. */

isc_netaddr_t netaddr;

- isc_netaddr_t destaddr;

int match;

dns_messageid_t id;

unsigned int flags;

@@ -1473,7 +1483,7 @@ client_request(isc_task_t *task, isc_event_t *event) {

* Silently drop multicast requests for the present.

- * XXXMPA look at when/if mDNS spec stabilizes.

+ * XXXMPA revisit this as mDNS spec was published.

if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0) {

ns_client_log(client, NS_LOGCATEGORY_CLIENT,

@@ -1647,24 +1657,20 @@ client_request(isc_task_t *task, isc_event_t *event) {

* etc), we regard this as an error for safety.

if ((client->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0)

- isc_netaddr_fromsockaddr(&destaddr, &client->interface->addr);

+ isc_netaddr_fromsockaddr(&client->destaddr,

+ &client->interface->addr);

else {

+ isc_sockaddr_t sockaddr;

result = ISC_R_FAILURE;

- if (TCP_CLIENT(client)) {

- isc_sockaddr_t destsockaddr;

+ if (TCP_CLIENT(client))

result = isc_socket_getsockname(client->tcpsocket,

- &destsockaddr);

- if (result == ISC_R_SUCCESS)

- isc_netaddr_fromsockaddr(&destaddr,

- &destsockaddr);

- }

+ &sockaddr);

+ if (result == ISC_R_SUCCESS)

+ isc_netaddr_fromsockaddr(&client->destaddr, &sockaddr);

if (result != ISC_R_SUCCESS &&

client->interface->addr.type.sa.sa_family == AF_INET6 &&

(client->attributes & NS_CLIENTATTR_PKTINFO) != 0) {

- isc_uint32_t zone = 0;

* XXXJT technically, we should convert the receiving

* interface ID to a proper scope zone ID. However,

@@ -1673,12 +1679,11 @@ client_request(isc_task_t *task, isc_event_t *event) {

* interface index as link ID. Despite the assumption,

* it should cover most typical cases.

- if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))

- zone = (isc_uint32_t)client->pktinfo.ipi6_ifindex;

- isc_netaddr_fromin6(&destaddr,

+ isc_netaddr_fromin6(&client->destaddr,

&client->pktinfo.ipi6_addr);

- isc_netaddr_setzone(&destaddr, zone);

+ if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))

+ isc_netaddr_setzone(&client->destaddr,

+ client->pktinfo.ipi6_ifindex);

result = ISC_R_SUCCESS;

}

if (result != ISC_R_SUCCESS) {

@@ -1708,7 +1713,8 @@ client_request(isc_task_t *task, isc_event_t *event) {

tsig = dns_tsigkey_identity(client->message->tsigkey);

if (allowed(&netaddr, tsig, view->matchclients) &&

- allowed(&destaddr, tsig, view->matchdestinations) &&

+ allowed(&client->destaddr, tsig,

+ view->matchdestinations) &&

!((client->message->flags & DNS_MESSAGEFLAG_RD)

== 0 && view->matchrecursiveonly))

{

@@ -1771,9 +1777,11 @@ client_request(isc_task_t *task, isc_event_t *event) {

}

if (result == ISC_R_SUCCESS) {

+ char namebuf[DNS_NAME_FORMATSIZE];

+ dns_name_format(&client->signername, namebuf, sizeof(namebuf));

ns_client_log(client, DNS_LOGCATEGORY_SECURITY,

NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),

- "request has valid signature");

+ "request has valid signature: %s", namebuf);

client->signer = &client->signername;

} else if (result == ISC_R_NOTFOUND) {

ns_client_log(client, DNS_LOGCATEGORY_SECURITY,

@@ -1861,10 +1869,10 @@ client_request(isc_task_t *task, isc_event_t *event) {

ns_client_checkaclsilent(client, NULL,

client->view->cacheacl,

ISC_TRUE) == ISC_R_SUCCESS &&

- ns_client_checkaclsilent(client, &client->interface->addr,

+ ns_client_checkaclsilent(client, &client->destaddr,

client->view->recursiononacl,

ISC_TRUE) == ISC_R_SUCCESS &&

- ns_client_checkaclsilent(client, &client->interface->addr,

+ ns_client_checkaclsilent(client, &client->destaddr,

client->view->cacheonacl,

ISC_TRUE) == ISC_R_SUCCESS)

ra = ISC_TRUE;

@@ -2600,12 +2608,12 @@ ns_client_getsockaddr(ns_client_t *client) {

}

isc_result_t

-ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,

+ns_client_checkaclsilent(ns_client_t *client, isc_netaddr_t *netaddr,

dns_acl_t *acl, isc_boolean_t default_allow)

{

isc_result_t result;

+ isc_netaddr_t tmpnetaddr;

int match;

- isc_netaddr_t netaddr;

if (acl == NULL) {

if (default_allow)

@@ -2614,15 +2622,13 @@ ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,

goto deny;

}

+ if (netaddr == NULL) {

+ isc_netaddr_fromsockaddr(&tmpnetaddr, &client->peeraddr);

+ netaddr = &tmpnetaddr;

+ }

- if (sockaddr == NULL)

- isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);

- else

- isc_netaddr_fromsockaddr(&netaddr, sockaddr);

- result = dns_acl_match(&netaddr, client->signer, acl,

- &ns_g_server->aclenv,

- &match, NULL);

+ result = dns_acl_match(netaddr, client->signer, acl,

+ &ns_g_server->aclenv, &match, NULL);

if (result != ISC_R_SUCCESS)

goto deny; /* Internal error, already logged. */

@@ -2642,8 +2648,14 @@ ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,

const char *opname, dns_acl_t *acl,

isc_boolean_t default_allow, int log_level)

{

- isc_result_t result =

- ns_client_checkaclsilent(client, sockaddr, acl, default_allow);

+ isc_result_t result;

+ isc_netaddr_t netaddr;

+ if (sockaddr != NULL)

+ isc_netaddr_fromsockaddr(&netaddr, sockaddr);

+ result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,

+ acl, default_allow);

if (result == ISC_R_SUCCESS)

ns_client_log(client, DNS_LOGCATEGORY_SECURITY,

@@ -2753,9 +2765,14 @@ void

ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {

ns_client_t *client;

char namebuf[DNS_NAME_FORMATSIZE];

+ char original[DNS_NAME_FORMATSIZE];

char peerbuf[ISC_SOCKADDR_FORMATSIZE];

+ char typebuf[DNS_RDATATYPE_FORMATSIZE];

+ char classbuf[DNS_RDATACLASS_FORMATSIZE];

const char *name;

const char *sep;

+ const char *origfor;

+ dns_rdataset_t *rdataset;

REQUIRE(VALID_MANAGER(manager));

@@ -2773,8 +2790,31 @@ ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {

sep = "";

}

dns_name_format(client->query.qname, namebuf, sizeof(namebuf));

- fprintf(f, "; client %s%s%s: '%s' requesttime %d\n",

- peerbuf, sep, name, namebuf, client->requesttime);

+ if (client->query.qname != client->query.origqname &&

+ client->query.origqname != NULL) {

+ origfor = " for ";

+ dns_name_format(client->query.origqname, original,

+ sizeof(original));

+ } else {

+ origfor = "";

+ original[0] = '\0';

+ }

+ rdataset = ISC_LIST_HEAD(client->query.qname->list);

+ if (rdataset == NULL && client->query.origqname != NULL)

+ rdataset = ISC_LIST_HEAD(client->query.origqname->list);

+ if (rdataset != NULL) {

+ dns_rdatatype_format(rdataset->type, typebuf,

+ sizeof(typebuf));

+ dns_rdataclass_format(rdataset->rdclass, classbuf,

+ sizeof(classbuf));

+ } else {

+ strcpy(typebuf, "-");

+ strcpy(classbuf, "-");

+ }

+ fprintf(f, "; client %s%s%s: id %u '%s/%s/%s'%s%s "

+ "requesttime %d\n", peerbuf, sep, name,

+ client->message->id, namebuf, typebuf, classbuf,

+ origfor, original, client->requesttime);

client = ISC_LIST_NEXT(client, link);

}

UNLOCK(&manager->lock);