1 /* $OpenBSD: resolver.c,v 1.173 2024/11/21 13:35:20 claudio Exp $ */ 2 3 4 /* 5 * Copyright (c) 2018 Florian Obser <florian@openbsd.org> 6 * Copyright (c) 2004, 2005 Claudio Jeker <claudio@openbsd.org> 7 * Copyright (c) 2004 Esben Norby <norby@openbsd.org> 8 * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> 9 * 10 * Permission to use, copy, modify, and distribute this software for any 11 * purpose with or without fee is hereby granted, provided that the above 12 * copyright notice and this permission notice appear in all copies. 13 * 14 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 15 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 16 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 17 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 18 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 19 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 20 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 21 */ 22 23 #include <sys/types.h> 24 #include <sys/queue.h> 25 #include <sys/socket.h> 26 #include <sys/syslog.h> 27 #include <sys/time.h> 28 29 #include <net/route.h> 30 31 #include <errno.h> 32 #include <event.h> 33 #include <imsg.h> 34 #include <limits.h> 35 #include <netdb.h> 36 #include <asr.h> 37 #include <pwd.h> 38 #include <signal.h> 39 #include <stdio.h> 40 #include <stdlib.h> 41 #include <string.h> 42 #include <time.h> 43 #include <tls.h> 44 #include <unistd.h> 45 46 #include "libunbound/config.h" 47 #include "libunbound/libunbound/context.h" 48 #include "libunbound/libunbound/libworker.h" 49 #include "libunbound/libunbound/unbound.h" 50 #include "libunbound/libunbound/unbound-event.h" 51 #include "libunbound/services/cache/rrset.h" 52 #include "libunbound/sldns/sbuffer.h" 53 #include "libunbound/sldns/rrdef.h" 54 #include "libunbound/sldns/pkthdr.h" 55 #include "libunbound/sldns/wire2str.h" 56 #include "libunbound/util/config_file.h" 57 #include "libunbound/util/module.h" 58 #include "libunbound/util/regional.h" 59 #include "libunbound/util/storage/slabhash.h" 60 #include "libunbound/validator/validator.h" 61 #include "libunbound/validator/val_kcache.h" 62 #include "libunbound/validator/val_neg.h" 63 64 #include <openssl/crypto.h> 65 66 #include "log.h" 67 #include "frontend.h" 68 #include "unwind.h" 69 #include "resolver.h" 70 71 #define TLS_DEFAULT_CA_CERT_FILE "/etc/ssl/cert.pem" 72 #define UB_LOG_VERBOSE 4 73 #define UB_LOG_BRIEF 0 74 75 /* maximum size of a libunbound forwarder definition: IP@PORT#AUTHNAME */ 76 #define FWD_MAX (INET6_ADDRSTRLEN + NI_MAXHOST + 2 + 5) 77 78 /* 79 * The prefered resolver type can be this many ms slower than the next 80 * best and still be picked 81 */ 82 #define PREF_RESOLVER_MEDIAN_SKEW 200 /* 200 ms */ 83 #define NEXT_RES_MAX 2000 /* 2000 ms */ 84 85 #define DOUBT_NXDOMAIN_SEC (5 * 60) /* 5 minutes */ 86 87 #define RESOLVER_CHECK_SEC 1 88 #define RESOLVER_CHECK_MAXSEC 1024 /* ~17 minutes */ 89 #define DECAY_PERIOD 60 90 #define DECAY_NOMINATOR 9 91 #define DECAY_DENOMINATOR 10 92 93 #define TRUST_ANCHOR_RETRY_INTERVAL 8640 94 #define TRUST_ANCHOR_QUERY_INTERVAL 43200 95 96 /* in libworker_event_done_cb() enum sec_status gets mapped to 0, 1 and 2 */ 97 #define INSECURE 0 98 #define BOGUS 1 99 #define SECURE 2 100 101 #define WKA1_FOUND 1 102 #define WKA2_FOUND 2 103 104 struct uw_resolver { 105 struct event check_ev; 106 struct event free_ev; 107 struct ub_ctx *ctx; 108 void *asr_ctx; 109 struct timeval check_tv; 110 int ref_cnt; 111 int stop; 112 enum uw_resolver_state state; 113 enum uw_resolver_type type; 114 int check_running; 115 int64_t median; 116 int64_t histogram[nitems(histogram_limits)]; 117 int64_t latest_histogram[nitems(histogram_limits)]; 118 }; 119 120 struct running_query { 121 TAILQ_ENTRY(running_query) entry; 122 struct query_imsg *query_imsg; 123 struct event timer_ev; 124 struct timespec tp; 125 struct resolver_preference res_pref; 126 int next_resolver; 127 int running; 128 }; 129 130 TAILQ_HEAD(, running_query) running_queries; 131 132 typedef void (*resolve_cb_t)(struct uw_resolver *, void *, int, void *, int, 133 int, char *); 134 135 struct resolver_cb_data { 136 resolve_cb_t cb; 137 void *data; 138 struct uw_resolver *res; 139 }; 140 141 __dead void resolver_shutdown(void); 142 void resolver_sig_handler(int sig, short, void *); 143 void resolver_dispatch_frontend(int, short, void *); 144 void resolver_dispatch_main(int, short, void *); 145 int sort_resolver_types(struct resolver_preference *); 146 void setup_query(struct query_imsg *); 147 struct running_query *find_running_query(uint64_t); 148 void try_resolver_timo(int, short, void *); 149 int try_next_resolver(struct running_query *); 150 151 int resolve(struct uw_resolver *, const char*, int, int, 152 void*, resolve_cb_t); 153 void resolve_done(struct uw_resolver *, void *, int, void *, 154 int, int, char *); 155 void ub_resolve_done(void *, int, void *, int, int, char *, 156 int); 157 void asr_resolve_done(struct asr_result *, void *); 158 void new_resolver(enum uw_resolver_type, 159 enum uw_resolver_state); 160 struct uw_resolver *create_resolver(enum uw_resolver_type); 161 #ifdef UNIFIED_CACHE 162 void setup_unified_caches(void); 163 void set_unified_cache(struct uw_resolver *); 164 #endif /* UNIFIED_CACHE */ 165 void free_resolver(struct uw_resolver *); 166 void set_forwarders(struct uw_resolver *, 167 struct uw_forwarder_head *, int); 168 void resolver_check_timo(int, short, void *); 169 void resolver_free_timo(int, short, void *); 170 void check_resolver(struct uw_resolver *); 171 void check_resolver_done(struct uw_resolver *, void *, int, 172 void *, int, int, char *); 173 void schedule_recheck_all_resolvers(void); 174 int check_forwarders_changed(struct uw_forwarder_head *, 175 struct uw_forwarder_head *); 176 void replace_forwarders(struct uw_forwarder_head *, 177 struct uw_forwarder_head *); 178 void resolver_ref(struct uw_resolver *); 179 void resolver_unref(struct uw_resolver *); 180 int resolver_cmp(const void *, const void *); 181 void restart_ub_resolvers(int); 182 void show_status(pid_t); 183 void show_autoconf(pid_t); 184 void show_mem(pid_t); 185 void send_resolver_info(struct uw_resolver *, pid_t); 186 void trust_anchor_resolve(void); 187 void trust_anchor_timo(int, short, void *); 188 void trust_anchor_resolve_done(struct uw_resolver *, void *, 189 int, void *, int, int, char *); 190 void replace_autoconf_forwarders(struct 191 imsg_rdns_proposal *); 192 int force_tree_cmp(struct force_tree_entry *, 193 struct force_tree_entry *); 194 int find_force(struct force_tree *, char *, 195 struct uw_resolver **); 196 int64_t histogram_median(int64_t *); 197 void decay_latest_histograms(int, short, void *); 198 int running_query_cnt(void); 199 int *resolvers_to_restart(struct uw_conf *, 200 struct uw_conf *); 201 const char *query_imsg2str(struct query_imsg *); 202 char *gen_resolv_conf(void); 203 void check_dns64(void); 204 void check_dns64_done(struct asr_result *, void *); 205 int dns64_prefixlen(const struct in6_addr *, 206 const uint8_t *); 207 void add_dns64_prefix(const struct in6_addr *, int, 208 struct dns64_prefix *, int, int); 209 210 struct uw_conf *resolver_conf; 211 static struct imsgev *iev_frontend; 212 static struct imsgev *iev_main; 213 struct uw_forwarder_head autoconf_forwarder_list; 214 struct uw_resolver *resolvers[UW_RES_NONE]; 215 struct timespec last_network_change; 216 217 struct event trust_anchor_timer; 218 struct event decay_timer; 219 220 static struct trust_anchor_head trust_anchors, new_trust_anchors; 221 222 struct event_base *ev_base; 223 224 RB_GENERATE(force_tree, force_tree_entry, entry, force_tree_cmp) 225 226 int val_id = -1; 227 #ifdef UNIFIED_CACHE 228 struct slabhash *unified_msg_cache; 229 struct rrset_cache *unified_rrset_cache; 230 struct key_cache *unified_key_cache; 231 struct val_neg_cache *unified_neg_cache; 232 #endif /* UNIFIED_CACHE */ 233 234 int dns64_present; 235 int available_afs = HAVE_IPV4 | HAVE_IPV6; 236 237 static const char * const forward_transparent_zones[] = { 238 /* RFC1918 */ 239 "10.in-addr.arpa. transparent", 240 "16.172.in-addr.arpa. transparent", 241 "17.172.in-addr.arpa. transparent", 242 "18.172.in-addr.arpa. transparent", 243 "19.172.in-addr.arpa. transparent", 244 "20.172.in-addr.arpa. transparent", 245 "21.172.in-addr.arpa. transparent", 246 "22.172.in-addr.arpa. transparent", 247 "23.172.in-addr.arpa. transparent", 248 "24.172.in-addr.arpa. transparent", 249 "25.172.in-addr.arpa. transparent", 250 "26.172.in-addr.arpa. transparent", 251 "27.172.in-addr.arpa. transparent", 252 "28.172.in-addr.arpa. transparent", 253 "29.172.in-addr.arpa. transparent", 254 "30.172.in-addr.arpa. transparent", 255 "31.172.in-addr.arpa. transparent", 256 "168.192.in-addr.arpa. transparent", 257 258 /* RFC3330 */ 259 "0.in-addr.arpa. transparent", 260 "254.169.in-addr.arpa. transparent", 261 "2.0.192.in-addr.arpa. transparent", 262 "100.51.198.in-addr.arpa. transparent", 263 "113.0.203.in-addr.arpa. transparent", 264 "255.255.255.255.in-addr.arpa. transparent", 265 266 /* RFC6598 */ 267 "64.100.in-addr.arpa. transparent", 268 "65.100.in-addr.arpa. transparent", 269 "66.100.in-addr.arpa. transparent", 270 "67.100.in-addr.arpa. transparent", 271 "68.100.in-addr.arpa. transparent", 272 "69.100.in-addr.arpa. transparent", 273 "70.100.in-addr.arpa. transparent", 274 "71.100.in-addr.arpa. transparent", 275 "72.100.in-addr.arpa. transparent", 276 "73.100.in-addr.arpa. transparent", 277 "74.100.in-addr.arpa. transparent", 278 "75.100.in-addr.arpa. transparent", 279 "76.100.in-addr.arpa. transparent", 280 "77.100.in-addr.arpa. transparent", 281 "78.100.in-addr.arpa. transparent", 282 "79.100.in-addr.arpa. transparent", 283 "80.100.in-addr.arpa. transparent", 284 "81.100.in-addr.arpa. transparent", 285 "82.100.in-addr.arpa. transparent", 286 "83.100.in-addr.arpa. transparent", 287 "84.100.in-addr.arpa. transparent", 288 "85.100.in-addr.arpa. transparent", 289 "86.100.in-addr.arpa. transparent", 290 "87.100.in-addr.arpa. transparent", 291 "88.100.in-addr.arpa. transparent", 292 "89.100.in-addr.arpa. transparent", 293 "90.100.in-addr.arpa. transparent", 294 "91.100.in-addr.arpa. transparent", 295 "92.100.in-addr.arpa. transparent", 296 "93.100.in-addr.arpa. transparent", 297 "94.100.in-addr.arpa. transparent", 298 "95.100.in-addr.arpa. transparent", 299 "96.100.in-addr.arpa. transparent", 300 "97.100.in-addr.arpa. transparent", 301 "98.100.in-addr.arpa. transparent", 302 "99.100.in-addr.arpa. transparent", 303 "100.100.in-addr.arpa. transparent", 304 "101.100.in-addr.arpa. transparent", 305 "102.100.in-addr.arpa. transparent", 306 "103.100.in-addr.arpa. transparent", 307 "104.100.in-addr.arpa. transparent", 308 "105.100.in-addr.arpa. transparent", 309 "106.100.in-addr.arpa. transparent", 310 "107.100.in-addr.arpa. transparent", 311 "108.100.in-addr.arpa. transparent", 312 "109.100.in-addr.arpa. transparent", 313 "110.100.in-addr.arpa. transparent", 314 "111.100.in-addr.arpa. transparent", 315 "112.100.in-addr.arpa. transparent", 316 "113.100.in-addr.arpa. transparent", 317 "114.100.in-addr.arpa. transparent", 318 "115.100.in-addr.arpa. transparent", 319 "116.100.in-addr.arpa. transparent", 320 "117.100.in-addr.arpa. transparent", 321 "118.100.in-addr.arpa. transparent", 322 "119.100.in-addr.arpa. transparent", 323 "120.100.in-addr.arpa. transparent", 324 "121.100.in-addr.arpa. transparent", 325 "122.100.in-addr.arpa. transparent", 326 "123.100.in-addr.arpa. transparent", 327 "124.100.in-addr.arpa. transparent", 328 "125.100.in-addr.arpa. transparent", 329 "126.100.in-addr.arpa. transparent", 330 "127.100.in-addr.arpa. transparent", 331 332 /* RFC4291 */ 333 "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0." 334 "ip6.arpa. transparent", 335 336 /* RFC4193 */ 337 "D.F.ip6.arpa. transparent", 338 339 /* RFC4291 */ 340 "8.E.F.ip6.arpa. transparent", 341 "9.E.F.ip6.arpa. transparent", 342 "A.E.F.ip6.arpa. transparent", 343 "B.E.F.ip6.arpa. transparent", 344 345 /* RFC3849 */ 346 "8.B.D.0.1.0.0.2.ip6.arpa. transparent", 347 348 /* RFC8375 */ 349 "home.arpa. transparent", 350 }; 351 352 const char bogus_past[] = "validation failure <. NS IN>: signature " 353 "expired"; 354 const char bogus_future[] = "validation failure <. NS IN>: signature " 355 "before inception date"; 356 357 void 358 resolver_sig_handler(int sig, short event, void *arg) 359 { 360 /* 361 * Normal signal handler rules don't apply because libevent 362 * decouples for us. 363 */ 364 365 switch (sig) { 366 case SIGINT: 367 case SIGTERM: 368 resolver_shutdown(); 369 default: 370 fatalx("unexpected signal"); 371 } 372 } 373 374 void 375 resolver(int debug, int verbose) 376 { 377 struct event ev_sigint, ev_sigterm; 378 struct passwd *pw; 379 struct timeval tv = {DECAY_PERIOD, 0}; 380 struct alloc_cache cache_alloc_test; 381 382 resolver_conf = config_new_empty(); 383 384 log_init(debug, LOG_DAEMON); 385 log_setverbose(verbose); 386 387 if ((pw = getpwnam(UNWIND_USER)) == NULL) 388 fatal("getpwnam"); 389 390 setproctitle("%s", "resolver"); 391 log_procinit("resolver"); 392 393 if (setgroups(1, &pw->pw_gid) || 394 setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || 395 setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) 396 fatal("can't drop privileges"); 397 398 if (unveil(TLS_DEFAULT_CA_CERT_FILE, "r") == -1) 399 fatal("unveil %s", TLS_DEFAULT_CA_CERT_FILE); 400 401 if (pledge("stdio inet dns rpath recvfd", NULL) == -1) 402 fatal("pledge"); 403 404 ev_base = event_init(); 405 406 /* Setup signal handler(s). */ 407 signal_set(&ev_sigint, SIGINT, resolver_sig_handler, NULL); 408 signal_set(&ev_sigterm, SIGTERM, resolver_sig_handler, NULL); 409 signal_add(&ev_sigint, NULL); 410 signal_add(&ev_sigterm, NULL); 411 signal(SIGPIPE, SIG_IGN); 412 signal(SIGHUP, SIG_IGN); 413 414 /* Setup pipe and event handler to the main process. */ 415 if ((iev_main = malloc(sizeof(struct imsgev))) == NULL) 416 fatal(NULL); 417 418 if (imsgbuf_init(&iev_main->ibuf, 3) == -1) 419 fatal(NULL); 420 imsgbuf_allow_fdpass(&iev_main->ibuf); 421 iev_main->handler = resolver_dispatch_main; 422 423 /* Setup event handlers. */ 424 iev_main->events = EV_READ; 425 event_set(&iev_main->ev, iev_main->ibuf.fd, iev_main->events, 426 iev_main->handler, iev_main); 427 event_add(&iev_main->ev, NULL); 428 429 evtimer_set(&trust_anchor_timer, trust_anchor_timo, NULL); 430 evtimer_set(&decay_timer, decay_latest_histograms, NULL); 431 evtimer_add(&decay_timer, &tv); 432 433 clock_gettime(CLOCK_MONOTONIC, &last_network_change); 434 435 alloc_init(&cache_alloc_test, NULL, 0); 436 if (cache_alloc_test.max_reg_blocks != 10) 437 fatalx("local libunbound/util/alloc.c diff lost"); 438 alloc_clear(&cache_alloc_test); 439 440 #ifdef UNIFIED_CACHE 441 setup_unified_caches(); 442 #endif /* UNIFIED_CACHE */ 443 444 TAILQ_INIT(&autoconf_forwarder_list); 445 TAILQ_INIT(&trust_anchors); 446 TAILQ_INIT(&new_trust_anchors); 447 TAILQ_INIT(&running_queries); 448 449 event_dispatch(); 450 451 resolver_shutdown(); 452 } 453 454 __dead void 455 resolver_shutdown(void) 456 { 457 /* Close pipes. */ 458 imsgbuf_clear(&iev_frontend->ibuf); 459 close(iev_frontend->ibuf.fd); 460 imsgbuf_clear(&iev_main->ibuf); 461 close(iev_main->ibuf.fd); 462 463 config_clear(resolver_conf); 464 465 free(iev_frontend); 466 free(iev_main); 467 468 log_info("resolver exiting"); 469 exit(0); 470 } 471 472 int 473 resolver_imsg_compose_main(int type, pid_t pid, void *data, uint16_t datalen) 474 { 475 return (imsg_compose_event(iev_main, type, 0, pid, -1, data, datalen)); 476 } 477 478 int 479 resolver_imsg_compose_frontend(int type, pid_t pid, void *data, 480 uint16_t datalen) 481 { 482 return (imsg_compose_event(iev_frontend, type, 0, pid, -1, 483 data, datalen)); 484 } 485 486 void 487 resolver_dispatch_frontend(int fd, short event, void *bula) 488 { 489 struct imsgev *iev = bula; 490 struct imsgbuf *ibuf; 491 struct imsg imsg; 492 struct query_imsg *query_imsg; 493 ssize_t n; 494 int shut = 0, verbose, i, new_available_afs; 495 char *ta; 496 497 ibuf = &iev->ibuf; 498 499 if (event & EV_READ) { 500 if ((n = imsgbuf_read(ibuf)) == -1) 501 fatal("imsgbuf_read error"); 502 if (n == 0) /* Connection closed. */ 503 shut = 1; 504 } 505 if (event & EV_WRITE) { 506 if (imsgbuf_write(ibuf) == -1) { 507 if (errno == EPIPE) /* Connection closed. */ 508 shut = 1; 509 else 510 fatal("imsgbuf_write"); 511 } 512 } 513 514 for (;;) { 515 if ((n = imsg_get(ibuf, &imsg)) == -1) 516 fatal("%s: imsg_get error", __func__); 517 if (n == 0) /* No more messages. */ 518 break; 519 520 switch (imsg.hdr.type) { 521 case IMSG_CTL_LOG_VERBOSE: 522 if (IMSG_DATA_SIZE(imsg) != sizeof(verbose)) 523 fatalx("%s: IMSG_CTL_LOG_VERBOSE wrong length: " 524 "%lu", __func__, 525 IMSG_DATA_SIZE(imsg)); 526 memcpy(&verbose, imsg.data, sizeof(verbose)); 527 if (log_getdebug() && (log_getverbose() & OPT_VERBOSE3) 528 != (verbose & OPT_VERBOSE3)) 529 restart_ub_resolvers(0); 530 log_setverbose(verbose); 531 break; 532 case IMSG_QUERY: 533 if (IMSG_DATA_SIZE(imsg) != sizeof(*query_imsg)) 534 fatalx("%s: IMSG_QUERY wrong length: %lu", 535 __func__, IMSG_DATA_SIZE(imsg)); 536 if ((query_imsg = malloc(sizeof(*query_imsg))) == 537 NULL) { 538 log_warn("cannot allocate query"); 539 break; 540 } 541 memcpy(query_imsg, imsg.data, sizeof(*query_imsg)); 542 setup_query(query_imsg); 543 break; 544 case IMSG_CTL_STATUS: 545 if (IMSG_DATA_SIZE(imsg) != 0) 546 fatalx("%s: IMSG_CTL_STATUS wrong length: %lu", 547 __func__, IMSG_DATA_SIZE(imsg)); 548 show_status(imsg.hdr.pid); 549 break; 550 case IMSG_CTL_AUTOCONF: 551 if (IMSG_DATA_SIZE(imsg) != 0) 552 fatalx("%s: IMSG_CTL_AUTOCONF wrong length: " 553 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 554 show_autoconf(imsg.hdr.pid); 555 break; 556 case IMSG_CTL_MEM: 557 if (IMSG_DATA_SIZE(imsg) != 0) 558 fatalx("%s: IMSG_CTL_AUTOCONF wrong length: " 559 "%lu", __func__, IMSG_DATA_SIZE(imsg)); 560 show_mem(imsg.hdr.pid); 561 break; 562 case IMSG_NEW_TA: 563 if (((char *)imsg.data)[IMSG_DATA_SIZE(imsg) - 1] != 564 '\0') 565 fatalx("Invalid trust anchor"); 566 ta = imsg.data; 567 add_new_ta(&new_trust_anchors, ta); 568 break; 569 case IMSG_NEW_TAS_ABORT: 570 free_tas(&new_trust_anchors); 571 break; 572 case IMSG_NEW_TAS_DONE: 573 if (merge_tas(&new_trust_anchors, &trust_anchors)) 574 restart_ub_resolvers(1); 575 break; 576 case IMSG_NETWORK_CHANGED: 577 clock_gettime(CLOCK_MONOTONIC, &last_network_change); 578 schedule_recheck_all_resolvers(); 579 for (i = 0; i < UW_RES_NONE; i++) { 580 if (resolvers[i] == NULL) 581 continue; 582 memset(resolvers[i]->latest_histogram, 0, 583 sizeof(resolvers[i]->latest_histogram)); 584 resolvers[i]->median = histogram_median( 585 resolvers[i]->latest_histogram); 586 } 587 588 break; 589 case IMSG_REPLACE_DNS: 590 if (IMSG_DATA_SIZE(imsg) != 591 sizeof(struct imsg_rdns_proposal)) 592 fatalx("%s: IMSG_ADD_DNS wrong length: %lu", 593 __func__, IMSG_DATA_SIZE(imsg)); 594 replace_autoconf_forwarders((struct 595 imsg_rdns_proposal *)imsg.data); 596 break; 597 case IMSG_CHANGE_AFS: 598 if (IMSG_DATA_SIZE(imsg) != 599 sizeof(new_available_afs)) 600 fatalx("%s: IMSG_CHANGE_AFS wrong length: %lu", 601 __func__, IMSG_DATA_SIZE(imsg)); 602 memcpy(&new_available_afs, imsg.data, 603 sizeof(new_available_afs)); 604 if (new_available_afs != available_afs) { 605 available_afs = new_available_afs; 606 restart_ub_resolvers(1); 607 } 608 break; 609 default: 610 log_debug("%s: unexpected imsg %d", __func__, 611 imsg.hdr.type); 612 break; 613 } 614 imsg_free(&imsg); 615 } 616 if (!shut) 617 imsg_event_add(iev); 618 else { 619 /* This pipe is dead. Remove its event handler. */ 620 event_del(&iev->ev); 621 event_loopexit(NULL); 622 } 623 } 624 625 void 626 resolver_dispatch_main(int fd, short event, void *bula) 627 { 628 static struct uw_conf *nconf; 629 struct imsg imsg; 630 struct imsgev *iev = bula; 631 struct imsgbuf *ibuf; 632 ssize_t n; 633 int shut = 0, i, *restart; 634 635 ibuf = &iev->ibuf; 636 637 if (event & EV_READ) { 638 if ((n = imsgbuf_read(ibuf)) == -1) 639 fatal("imsgbuf_read error"); 640 if (n == 0) /* Connection closed. */ 641 shut = 1; 642 } 643 if (event & EV_WRITE) { 644 if (imsgbuf_write(ibuf) == -1) { 645 if (errno == EPIPE) /* Connection closed. */ 646 shut = 1; 647 else 648 fatal("imsgbuf_write"); 649 } 650 } 651 652 for (;;) { 653 if ((n = imsg_get(ibuf, &imsg)) == -1) 654 fatal("%s: imsg_get error", __func__); 655 if (n == 0) /* No more messages. */ 656 break; 657 658 switch (imsg.hdr.type) { 659 case IMSG_SOCKET_IPC_FRONTEND: 660 /* 661 * Setup pipe and event handler to the frontend 662 * process. 663 */ 664 if (iev_frontend) 665 fatalx("%s: received unexpected imsg fd " 666 "to resolver", __func__); 667 668 if ((fd = imsg_get_fd(&imsg)) == -1) 669 fatalx("%s: expected to receive imsg fd to " 670 "resolver but didn't receive any", __func__); 671 672 iev_frontend = malloc(sizeof(struct imsgev)); 673 if (iev_frontend == NULL) 674 fatal(NULL); 675 676 if (imsgbuf_init(&iev_frontend->ibuf, fd) == -1) 677 fatal(NULL); 678 iev_frontend->handler = resolver_dispatch_frontend; 679 iev_frontend->events = EV_READ; 680 681 event_set(&iev_frontend->ev, iev_frontend->ibuf.fd, 682 iev_frontend->events, iev_frontend->handler, 683 iev_frontend); 684 event_add(&iev_frontend->ev, NULL); 685 break; 686 687 case IMSG_STARTUP: 688 if (pledge("stdio inet dns rpath", NULL) == -1) 689 fatal("pledge"); 690 break; 691 case IMSG_RECONF_CONF: 692 case IMSG_RECONF_BLOCKLIST_FILE: 693 case IMSG_RECONF_FORWARDER: 694 case IMSG_RECONF_DOT_FORWARDER: 695 case IMSG_RECONF_FORCE: 696 imsg_receive_config(&imsg, &nconf); 697 break; 698 case IMSG_RECONF_END: 699 if (nconf == NULL) 700 fatalx("%s: IMSG_RECONF_END without " 701 "IMSG_RECONF_CONF", __func__); 702 restart = resolvers_to_restart(resolver_conf, nconf); 703 merge_config(resolver_conf, nconf); 704 nconf = NULL; 705 for (i = 0; i < UW_RES_NONE; i++) 706 if (restart[i]) 707 new_resolver(i, UNKNOWN); 708 break; 709 default: 710 log_debug("%s: unexpected imsg %d", __func__, 711 imsg.hdr.type); 712 break; 713 } 714 imsg_free(&imsg); 715 } 716 if (!shut) 717 imsg_event_add(iev); 718 else { 719 /* This pipe is dead. Remove its event handler. */ 720 event_del(&iev->ev); 721 event_loopexit(NULL); 722 } 723 } 724 725 int 726 sort_resolver_types(struct resolver_preference *dst) 727 { 728 memcpy(dst, &resolver_conf->res_pref, sizeof(*dst)); 729 730 /* 731 * Sort by resolver quality, validating > resolving etc. 732 * mergesort is stable and keeps the configured preference order 733 */ 734 return mergesort(dst->types, dst->len, sizeof(dst->types[0]), 735 resolver_cmp); 736 } 737 738 void 739 setup_query(struct query_imsg *query_imsg) 740 { 741 struct running_query *rq; 742 struct uw_resolver *res; 743 744 if (find_running_query(query_imsg->id) != NULL) { 745 free(query_imsg); 746 return; 747 } 748 749 if ((rq = calloc(1, sizeof(*rq))) == NULL) { 750 log_warnx(NULL); 751 free(query_imsg); 752 return; 753 } 754 755 clock_gettime(CLOCK_MONOTONIC, &rq->tp); 756 rq->query_imsg = query_imsg; 757 rq->next_resolver = 0; 758 759 find_force(&resolver_conf->force, query_imsg->qname, &res); 760 761 if (res != NULL && res->state != DEAD && res->state != UNKNOWN) { 762 rq->res_pref.len = 1; 763 rq->res_pref.types[0] = res->type; 764 } else if (sort_resolver_types(&rq->res_pref) == -1) { 765 log_warn("mergesort"); 766 free(rq->query_imsg); 767 free(rq); 768 return; 769 } 770 771 evtimer_set(&rq->timer_ev, try_resolver_timo, rq); 772 773 TAILQ_INSERT_TAIL(&running_queries, rq, entry); 774 try_next_resolver(rq); 775 } 776 777 struct running_query * 778 find_running_query(uint64_t id) 779 { 780 struct running_query *rq; 781 782 TAILQ_FOREACH(rq, &running_queries, entry) { 783 if (rq->query_imsg->id == id) 784 return rq; 785 } 786 return NULL; 787 } 788 789 void 790 try_resolver_timo(int fd, short events, void *arg) 791 { 792 struct running_query *rq = arg; 793 794 try_next_resolver(rq); 795 } 796 797 int 798 try_next_resolver(struct running_query *rq) 799 { 800 struct uw_resolver *res = NULL; 801 struct query_imsg *query_imsg = NULL; 802 struct timespec tp, elapsed; 803 struct timeval tv = {0, 0}; 804 int64_t ms; 805 int i; 806 807 while(rq->next_resolver < rq->res_pref.len && 808 ((res = resolvers[rq->res_pref.types[rq->next_resolver]]) == NULL || 809 res->state == DEAD || res->state == UNKNOWN)) 810 rq->next_resolver++; 811 812 if (res == NULL) { 813 evtimer_del(&rq->timer_ev); /* we are not going to find one */ 814 log_debug("%s: could not find (any more) working resolvers", 815 __func__); 816 goto err; 817 } 818 819 rq->next_resolver++; 820 clock_gettime(CLOCK_MONOTONIC, &tp); 821 timespecsub(&tp, &rq->tp, &elapsed); 822 ms = elapsed.tv_sec * 1000 + elapsed.tv_nsec / 1000000; 823 824 log_debug("%s[+%lldms]: %s[%s] %s", __func__, ms, 825 uw_resolver_type_str[res->type], uw_resolver_state_str[res->state], 826 query_imsg2str(rq->query_imsg)); 827 828 if ((query_imsg = malloc(sizeof(*query_imsg))) == NULL) { 829 log_warnx("%s", __func__); 830 goto err; 831 } 832 memcpy(query_imsg, rq->query_imsg, sizeof(*query_imsg)); 833 clock_gettime(CLOCK_MONOTONIC, &query_imsg->tp); 834 835 ms = res->median; 836 if (ms > NEXT_RES_MAX) 837 ms = NEXT_RES_MAX; 838 839 /* skip over unavailable resolvers in preferences */ 840 for (i = 0; i < resolver_conf->res_pref.len && 841 resolvers[resolver_conf->res_pref.types[i]] == NULL; i++) 842 ; 843 if (res->type == resolver_conf->res_pref.types[i]) 844 tv.tv_usec = 1000 * (PREF_RESOLVER_MEDIAN_SKEW + ms); 845 else 846 tv.tv_usec = 1000 * ms; 847 848 while (tv.tv_usec >= 1000000) { 849 tv.tv_sec++; 850 tv.tv_usec -= 1000000; 851 } 852 evtimer_add(&rq->timer_ev, &tv); 853 854 rq->running++; 855 if (resolve(res, query_imsg->qname, query_imsg->t, 856 query_imsg->c, query_imsg, resolve_done) != 0) { 857 rq->running--; 858 goto err; 859 } 860 861 return 0; 862 863 err: 864 free(query_imsg); 865 if (rq->running == 0) { 866 TAILQ_REMOVE(&running_queries, rq, entry); 867 evtimer_del(&rq->timer_ev); 868 free(rq->query_imsg); 869 free(rq); 870 } 871 return 1; 872 } 873 874 int 875 resolve(struct uw_resolver *res, const char* name, int rrtype, int rrclass, 876 void *mydata, resolve_cb_t cb) 877 { 878 struct resolver_cb_data *cb_data = NULL; 879 struct asr_query *aq = NULL; 880 int err; 881 882 resolver_ref(res); 883 884 if ((cb_data = malloc(sizeof(*cb_data))) == NULL) 885 goto err; 886 cb_data->cb = cb; 887 cb_data->data = mydata; 888 cb_data->res = res; 889 890 switch(res->type) { 891 case UW_RES_ASR: 892 if ((aq = res_query_async(name, rrclass, rrtype, res->asr_ctx)) 893 == NULL) { 894 log_warn("%s: res_query_async", __func__); 895 goto err; 896 } 897 if (event_asr_run(aq, asr_resolve_done, cb_data) == NULL) { 898 log_warn("%s: res_query_async", __func__); 899 goto err; 900 } 901 break; 902 case UW_RES_RECURSOR: 903 case UW_RES_AUTOCONF: 904 case UW_RES_ODOT_AUTOCONF: 905 case UW_RES_FORWARDER: 906 case UW_RES_ODOT_FORWARDER: 907 case UW_RES_DOT: 908 if ((err = ub_resolve_event(res->ctx, name, rrtype, rrclass, 909 cb_data, ub_resolve_done, NULL)) != 0) { 910 log_warn("%s: ub_resolve_event: err: %d, %s", __func__, 911 err, ub_strerror(err)); 912 goto err; 913 } 914 break; 915 default: 916 fatalx("unknown resolver type %d", res->type); 917 break; 918 } 919 920 return 0; 921 err: 922 free(cb_data); 923 free(aq); 924 resolver_unref(res); 925 return 1; 926 } 927 928 void 929 resolve_done(struct uw_resolver *res, void *arg, int rcode, 930 void *answer_packet, int answer_len, int sec, char *why_bogus) 931 { 932 struct uw_resolver *tmp_res; 933 struct ub_result *result = NULL; 934 sldns_buffer *buf = NULL; 935 struct regional *region = NULL; 936 struct query_imsg *query_imsg; 937 struct answer_header *answer_header; 938 struct running_query *rq; 939 struct timespec tp, elapsed; 940 int64_t ms; 941 size_t i; 942 int running_res, asr_pref_pos, force_acceptbogus; 943 char *str; 944 char rcode_buf[16]; 945 uint8_t *p, *data; 946 uint8_t answer_imsg[MAX_IMSGSIZE - IMSG_HEADER_SIZE]; 947 948 clock_gettime(CLOCK_MONOTONIC, &tp); 949 950 query_imsg = (struct query_imsg *)arg; 951 952 answer_header = (struct answer_header *)answer_imsg; 953 data = answer_imsg + sizeof(*answer_header); 954 answer_header->id = query_imsg->id; 955 answer_header->srvfail = 0; 956 answer_header->answer_len = 0; 957 958 timespecsub(&tp, &query_imsg->tp, &elapsed); 959 960 ms = elapsed.tv_sec * 1000 + elapsed.tv_nsec / 1000000; 961 962 for (i = 0; i < nitems(histogram_limits); i++) { 963 if (ms < histogram_limits[i]) 964 break; 965 } 966 if (i == nitems(histogram_limits)) 967 log_debug("histogram bucket error"); 968 else { 969 res->histogram[i]++; 970 /* latest_histogram is in units of 1000 to avoid rounding 971 down when decaying */ 972 res->latest_histogram[i] += 1000; 973 res->median = histogram_median(res->latest_histogram); 974 } 975 976 if ((rq = find_running_query(query_imsg->id)) == NULL) 977 goto out; 978 979 running_res = --rq->running; 980 981 if (rcode == LDNS_RCODE_SERVFAIL) { 982 if (res->stop != 1) 983 check_resolver(res); 984 goto servfail; 985 } 986 987 if (answer_len < LDNS_HEADER_SIZE) { 988 log_warnx("bad packet: too short"); 989 goto servfail; 990 } 991 992 if (answer_len > UINT16_MAX) { 993 log_warnx("bad packet: too large: %d - %s", answer_len, 994 query_imsg2str(query_imsg)); 995 goto servfail; 996 } 997 answer_header->answer_len = answer_len; 998 999 if ((result = calloc(1, sizeof(*result))) == NULL) 1000 goto servfail; 1001 if ((buf = sldns_buffer_new(answer_len)) == NULL) 1002 goto servfail; 1003 if ((region = regional_create()) == NULL) 1004 goto servfail; 1005 1006 result->rcode = LDNS_RCODE_SERVFAIL; 1007 1008 sldns_buffer_clear(buf); 1009 sldns_buffer_write(buf, answer_packet, answer_len); 1010 sldns_buffer_flip(buf); 1011 libworker_enter_result(result, buf, region, sec); 1012 result->answer_packet = NULL; 1013 result->answer_len = 0; 1014 1015 sldns_wire2str_rcode_buf(result->rcode, rcode_buf, sizeof(rcode_buf)); 1016 log_debug("%s[%s]: %s rcode: %s[%d], elapsed: %lldms, running: %d", 1017 __func__, uw_resolver_type_str[res->type], 1018 query_imsg2str(query_imsg), rcode_buf, result->rcode, ms, 1019 running_query_cnt()); 1020 1021 force_acceptbogus = find_force(&resolver_conf->force, query_imsg->qname, 1022 &tmp_res); 1023 if (tmp_res != NULL && tmp_res->type != res->type) 1024 force_acceptbogus = 0; 1025 1026 timespecsub(&tp, &last_network_change, &elapsed); 1027 if (sec != SECURE && elapsed.tv_sec < DOUBT_NXDOMAIN_SEC && 1028 !force_acceptbogus && res->type != UW_RES_ASR && 1029 (result->rcode == LDNS_RCODE_NXDOMAIN || sec == BOGUS)) { 1030 /* 1031 * Doubt NXDOMAIN or BOGUS if we just switched networks, we 1032 * might be behind a captive portal. 1033 */ 1034 log_debug("%s: doubt NXDOMAIN or BOGUS from %s, network change" 1035 " %llds ago", __func__, uw_resolver_type_str[res->type], 1036 elapsed.tv_sec); 1037 1038 /* search for ASR */ 1039 asr_pref_pos = -1; 1040 for (i = 0; i < (size_t)rq->res_pref.len; i++) 1041 if (rq->res_pref.types[i] == UW_RES_ASR) { 1042 asr_pref_pos = i; 1043 break; 1044 } 1045 1046 if (asr_pref_pos != -1 && resolvers[UW_RES_ASR] != NULL) { 1047 /* go to ASR if not yet scheduled */ 1048 if (asr_pref_pos >= rq->next_resolver) { 1049 rq->next_resolver = asr_pref_pos; 1050 try_next_resolver(rq); 1051 } 1052 goto out; 1053 } 1054 log_debug("%s: using NXDOMAIN or BOGUS, couldn't find working " 1055 "ASR", __func__); 1056 } 1057 1058 if (log_getverbose() & OPT_VERBOSE2 && (str = 1059 sldns_wire2str_pkt(answer_packet, answer_len)) != NULL) { 1060 log_debug("%s", str); 1061 free(str); 1062 } 1063 1064 if (result->rcode == LDNS_RCODE_SERVFAIL) 1065 goto servfail; 1066 1067 if (sec == SECURE && res->state != VALIDATING && res->stop != -1) 1068 check_resolver(res); 1069 1070 if (res->state == VALIDATING && sec == BOGUS) { 1071 answer_header->bogus = !force_acceptbogus; 1072 if (answer_header->bogus && why_bogus != NULL) 1073 log_warnx("%s", why_bogus); 1074 } else 1075 answer_header->bogus = 0; 1076 1077 p = answer_packet; 1078 do { 1079 int len; 1080 1081 if ((size_t)answer_len > sizeof(answer_imsg) - 1082 sizeof(*answer_header)) 1083 len = sizeof(answer_imsg) - sizeof(*answer_header); 1084 else 1085 len = answer_len; 1086 memcpy(data, p, len); 1087 if (resolver_imsg_compose_frontend(IMSG_ANSWER, 0, 1088 &answer_imsg, sizeof(*answer_header) + len) == -1) 1089 fatalx("IMSG_ANSWER failed for \"%s\"", 1090 query_imsg2str(query_imsg)); 1091 answer_len -= len; 1092 p += len; 1093 } while (answer_len > 0); 1094 1095 TAILQ_REMOVE(&running_queries, rq, entry); 1096 evtimer_del(&rq->timer_ev); 1097 free(rq->query_imsg); 1098 free(rq); 1099 goto out; 1100 1101 servfail: 1102 /* try_next_resolver() might free rq */ 1103 if (try_next_resolver(rq) != 0 && running_res == 0) { 1104 /* we are the last one, send SERVFAIL */ 1105 answer_header->srvfail = 1; 1106 resolver_imsg_compose_frontend(IMSG_ANSWER, 0, 1107 answer_imsg, sizeof(*answer_header)); 1108 } 1109 out: 1110 free(query_imsg); 1111 sldns_buffer_free(buf); 1112 regional_destroy(region); 1113 ub_resolve_free(result); 1114 } 1115 1116 void 1117 new_resolver(enum uw_resolver_type type, enum uw_resolver_state state) 1118 { 1119 free_resolver(resolvers[type]); 1120 resolvers[type] = NULL; 1121 1122 if (!resolver_conf->enabled_resolvers[type]) 1123 return; 1124 1125 switch (type) { 1126 case UW_RES_ASR: 1127 case UW_RES_AUTOCONF: 1128 case UW_RES_ODOT_AUTOCONF: 1129 if (TAILQ_EMPTY(&autoconf_forwarder_list)) 1130 return; 1131 break; 1132 case UW_RES_RECURSOR: 1133 break; 1134 case UW_RES_FORWARDER: 1135 case UW_RES_ODOT_FORWARDER: 1136 if (TAILQ_EMPTY(&resolver_conf->uw_forwarder_list)) 1137 return; 1138 break; 1139 case UW_RES_DOT: 1140 if (TAILQ_EMPTY(&resolver_conf->uw_dot_forwarder_list)) 1141 return; 1142 break; 1143 case UW_RES_NONE: 1144 fatalx("cannot create UW_RES_NONE resolver"); 1145 } 1146 1147 switch (type) { 1148 case UW_RES_RECURSOR: 1149 case UW_RES_AUTOCONF: 1150 case UW_RES_ODOT_AUTOCONF: 1151 case UW_RES_FORWARDER: 1152 case UW_RES_ODOT_FORWARDER: 1153 case UW_RES_DOT: 1154 if (TAILQ_EMPTY(&trust_anchors)) 1155 return; 1156 break; 1157 case UW_RES_ASR: 1158 break; 1159 case UW_RES_NONE: 1160 fatalx("cannot create UW_RES_NONE resolver"); 1161 } 1162 1163 if ((resolvers[type] = create_resolver(type)) == NULL) 1164 return; 1165 1166 switch (state) { 1167 case DEAD: 1168 case UNKNOWN: 1169 check_resolver(resolvers[type]); 1170 break; 1171 case VALIDATING: 1172 #ifdef UNIFIED_CACHE 1173 set_unified_cache(resolvers[type]); 1174 #endif /* UNIFIED_CACHE */ 1175 /* FALLTHROUGH */ 1176 case RESOLVING: 1177 resolvers[type]->state = state; 1178 if (type == UW_RES_ASR) 1179 check_dns64(); 1180 break; 1181 } 1182 } 1183 1184 #ifdef UNIFIED_CACHE 1185 void 1186 set_unified_cache(struct uw_resolver *res) 1187 { 1188 if (res == NULL || res->ctx == NULL) 1189 return; 1190 1191 if (res->ctx->env->msg_cache != NULL) { 1192 /* XXX we are currently not using this */ 1193 if (res->ctx->env->msg_cache != unified_msg_cache || 1194 res->ctx->env->rrset_cache != unified_rrset_cache || 1195 res->ctx->env->key_cache != unified_key_cache || 1196 res->ctx->env->neg_cache != unified_neg_cache) 1197 fatalx("wrong unified cache set on resolver"); 1198 else 1199 /* we are upgrading from UNKNOWN back to VALIDATING */ 1200 return; 1201 } 1202 1203 res->ctx->env->msg_cache = unified_msg_cache; 1204 res->ctx->env->rrset_cache = unified_rrset_cache; 1205 res->ctx->env->key_cache = unified_key_cache; 1206 res->ctx->env->neg_cache = unified_neg_cache; 1207 1208 context_finalize(res->ctx); 1209 1210 if (res->ctx->env->msg_cache != unified_msg_cache || 1211 res->ctx->env->rrset_cache != unified_rrset_cache || 1212 res->ctx->env->key_cache != unified_key_cache || 1213 res->ctx->env->neg_cache != unified_neg_cache) 1214 fatalx("failed to set unified caches, libunbound/validator/" 1215 "validator.c diff lost"); 1216 } 1217 #endif /* UNIFIED_CACHE */ 1218 1219 static const struct { 1220 const char *name; 1221 const char *value; 1222 } options[] = { 1223 { "aggressive-nsec:", "yes" }, 1224 { "fast-server-permil:", "950" }, 1225 { "edns-buffer-size:", "1232" }, 1226 { "target-fetch-policy:", "0 0 0 0 0" }, 1227 { "outgoing-range:", "64" }, 1228 { "val-max-restart:", "0" }, 1229 { "infra-keep-probing", "yes" }, 1230 }; 1231 1232 struct uw_resolver * 1233 create_resolver(enum uw_resolver_type type) 1234 { 1235 struct uw_resolver *res; 1236 struct trust_anchor *ta; 1237 size_t i; 1238 int err; 1239 char *resolv_conf; 1240 1241 if ((res = calloc(1, sizeof(*res))) == NULL) { 1242 log_warn("%s", __func__); 1243 return (NULL); 1244 } 1245 1246 res->type = type; 1247 res->state = UNKNOWN; 1248 res->check_tv.tv_sec = RESOLVER_CHECK_SEC; 1249 res->check_tv.tv_usec = arc4random() % 1000000; /* modulo bias is ok */ 1250 1251 switch (type) { 1252 case UW_RES_ASR: 1253 if (TAILQ_EMPTY(&autoconf_forwarder_list)) { 1254 free(res); 1255 return (NULL); 1256 } 1257 if ((resolv_conf = gen_resolv_conf()) == NULL) { 1258 free(res); 1259 log_warnx("could not create asr context"); 1260 return (NULL); 1261 } 1262 if ((res->asr_ctx = asr_resolver_from_string(resolv_conf)) == 1263 NULL) { 1264 free(res); 1265 free(resolv_conf); 1266 log_warnx("could not create asr context"); 1267 return (NULL); 1268 } 1269 free(resolv_conf); 1270 break; 1271 case UW_RES_RECURSOR: 1272 case UW_RES_AUTOCONF: 1273 case UW_RES_ODOT_AUTOCONF: 1274 case UW_RES_FORWARDER: 1275 case UW_RES_ODOT_FORWARDER: 1276 case UW_RES_DOT: 1277 if ((res->ctx = ub_ctx_create_event(ev_base)) == NULL) { 1278 free(res); 1279 log_warnx("could not create unbound context"); 1280 return (NULL); 1281 } 1282 1283 ub_ctx_debuglevel(res->ctx, log_getverbose() & OPT_VERBOSE3 ? 1284 UB_LOG_VERBOSE : UB_LOG_BRIEF); 1285 1286 TAILQ_FOREACH(ta, &trust_anchors, entry) { 1287 if ((err = ub_ctx_add_ta(res->ctx, ta->ta)) != 0) { 1288 ub_ctx_delete(res->ctx); 1289 free(res); 1290 log_warnx("error adding trust anchor: %s", 1291 ub_strerror(err)); 1292 return (NULL); 1293 } 1294 } 1295 1296 for (i = 0; i < nitems(options); i++) { 1297 if ((err = ub_ctx_set_option(res->ctx, options[i].name, 1298 options[i].value)) != 0) { 1299 ub_ctx_delete(res->ctx); 1300 free(res); 1301 log_warnx("error setting %s: %s: %s", 1302 options[i].name, options[i].value, 1303 ub_strerror(err)); 1304 return (NULL); 1305 } 1306 } 1307 1308 if (!(available_afs & HAVE_IPV4)) { 1309 if((err = ub_ctx_set_option(res->ctx, "do-ip4:", 1310 "no")) != 0) { 1311 ub_ctx_delete(res->ctx); 1312 free(res); 1313 log_warnx("error setting do-ip4: no: %s", 1314 ub_strerror(err)); 1315 return (NULL); 1316 } 1317 } 1318 1319 if (!(available_afs & HAVE_IPV6)) { 1320 if((err = ub_ctx_set_option(res->ctx, "do-ip6:", 1321 "no")) != 0) { 1322 ub_ctx_delete(res->ctx); 1323 free(res); 1324 log_warnx("error setting do-ip6: no: %s", 1325 ub_strerror(err)); 1326 return (NULL); 1327 } 1328 } 1329 1330 if (!log_getdebug()) { 1331 if((err = ub_ctx_set_option(res->ctx, "use-syslog:", 1332 "no")) != 0) { 1333 ub_ctx_delete(res->ctx); 1334 free(res); 1335 log_warnx("error setting use-syslog: no: %s", 1336 ub_strerror(err)); 1337 return (NULL); 1338 } 1339 ub_ctx_debugout(res->ctx, NULL); 1340 } 1341 1342 break; 1343 default: 1344 fatalx("unknown resolver type %d", type); 1345 break; 1346 } 1347 1348 evtimer_set(&res->check_ev, resolver_check_timo, res); 1349 1350 switch(res->type) { 1351 case UW_RES_ASR: 1352 break; 1353 case UW_RES_RECURSOR: 1354 break; 1355 case UW_RES_AUTOCONF: 1356 set_forwarders(res, &autoconf_forwarder_list, 0); 1357 break; 1358 case UW_RES_ODOT_AUTOCONF: 1359 set_forwarders(res, &autoconf_forwarder_list, 853); 1360 ub_ctx_set_option(res->ctx, "tls-cert-bundle:", 1361 TLS_DEFAULT_CA_CERT_FILE); 1362 ub_ctx_set_tls(res->ctx, 1); 1363 break; 1364 case UW_RES_FORWARDER: 1365 set_forwarders(res, &resolver_conf->uw_forwarder_list, 0); 1366 break; 1367 case UW_RES_ODOT_FORWARDER: 1368 set_forwarders(res, &resolver_conf->uw_forwarder_list, 853); 1369 ub_ctx_set_option(res->ctx, "tls-cert-bundle:", 1370 TLS_DEFAULT_CA_CERT_FILE); 1371 ub_ctx_set_tls(res->ctx, 1); 1372 break; 1373 case UW_RES_DOT: 1374 set_forwarders(res, &resolver_conf->uw_dot_forwarder_list, 0); 1375 ub_ctx_set_option(res->ctx, "tls-cert-bundle:", 1376 TLS_DEFAULT_CA_CERT_FILE); 1377 ub_ctx_set_tls(res->ctx, 1); 1378 break; 1379 default: 1380 fatalx("unknown resolver type %d", type); 1381 break; 1382 } 1383 1384 /* for the forwarder cases allow AS112 and special-use zones */ 1385 switch(res->type) { 1386 case UW_RES_AUTOCONF: 1387 case UW_RES_ODOT_AUTOCONF: 1388 case UW_RES_FORWARDER: 1389 case UW_RES_ODOT_FORWARDER: 1390 case UW_RES_DOT: 1391 for (i = 0; i < nitems(forward_transparent_zones); i++) { 1392 if((err = ub_ctx_set_option(res->ctx, "local-zone:", 1393 forward_transparent_zones[i])) != 0) { 1394 ub_ctx_delete(res->ctx); 1395 free(res); 1396 log_warnx("error setting local-zone: %s: %s", 1397 forward_transparent_zones[i], 1398 ub_strerror(err)); 1399 return (NULL); 1400 } 1401 } 1402 break; 1403 default: 1404 break; 1405 } 1406 1407 return (res); 1408 } 1409 1410 void 1411 free_resolver(struct uw_resolver *res) 1412 { 1413 if (res == NULL) 1414 return; 1415 1416 if (res->ref_cnt > 0) 1417 res->stop = 1; 1418 else { 1419 evtimer_del(&res->check_ev); 1420 #ifdef UNIFIED_CACHE 1421 if (res->ctx != NULL) { 1422 if (res->ctx->env->msg_cache == unified_msg_cache) { 1423 struct val_env *val_env; 1424 1425 val_env = (struct val_env*) 1426 res->ctx->env->modinfo[val_id]; 1427 res->ctx->env->msg_cache = NULL; 1428 res->ctx->env->rrset_cache = NULL; 1429 val_env->kcache = NULL; 1430 res->ctx->env->key_cache = NULL; 1431 val_env->neg_cache = NULL; 1432 res->ctx->env->neg_cache = NULL; 1433 } 1434 } 1435 #endif /* UNIFIED_CACHE */ 1436 ub_ctx_delete(res->ctx); 1437 asr_resolver_free(res->asr_ctx); 1438 free(res); 1439 } 1440 } 1441 1442 #ifdef UNIFIED_CACHE 1443 void 1444 setup_unified_caches(void) 1445 { 1446 struct ub_ctx *ctx; 1447 struct val_env *val_env; 1448 size_t i; 1449 int err, j; 1450 1451 if ((ctx = ub_ctx_create_event(ev_base)) == NULL) 1452 fatalx("could not create unbound context"); 1453 1454 for (i = 0; i < nitems(options); i++) { 1455 if ((err = ub_ctx_set_option(ctx, options[i].name, 1456 options[i].value)) != 0) { 1457 fatalx("error setting %s: %s: %s", options[i].name, 1458 options[i].value, ub_strerror(err)); 1459 } 1460 } 1461 1462 context_finalize(ctx); 1463 1464 if (ctx->env->msg_cache == NULL || ctx->env->rrset_cache == NULL || 1465 ctx->env->key_cache == NULL || ctx->env->neg_cache == NULL) 1466 fatalx("could not setup unified caches"); 1467 1468 unified_msg_cache = ctx->env->msg_cache; 1469 unified_rrset_cache = ctx->env->rrset_cache; 1470 unified_key_cache = ctx->env->key_cache; 1471 unified_neg_cache = ctx->env->neg_cache; 1472 1473 if (val_id == -1) { 1474 for (j = 0; j < ctx->mods.num; j++) { 1475 if (strcmp(ctx->mods.mod[j]->name, "validator") == 0) { 1476 val_id = j; 1477 break; 1478 } 1479 } 1480 if (val_id == -1) 1481 fatalx("cannot find validator module"); 1482 } 1483 1484 val_env = (struct val_env*)ctx->env->modinfo[val_id]; 1485 ctx->env->msg_cache = NULL; 1486 ctx->env->rrset_cache = NULL; 1487 ctx->env->key_cache = NULL; 1488 val_env->kcache = NULL; 1489 ctx->env->neg_cache = NULL; 1490 val_env->neg_cache = NULL; 1491 ub_ctx_delete(ctx); 1492 } 1493 #endif /* UNIFIED_CACHE */ 1494 1495 void 1496 set_forwarders(struct uw_resolver *res, struct uw_forwarder_head 1497 *uw_forwarder_list, int port_override) 1498 { 1499 struct uw_forwarder *uw_forwarder; 1500 int ret; 1501 char fwd[FWD_MAX]; 1502 1503 TAILQ_FOREACH(uw_forwarder, uw_forwarder_list, entry) { 1504 if (uw_forwarder->auth_name[0] != '\0') 1505 ret = snprintf(fwd, sizeof(fwd), "%s@%d#%s", 1506 uw_forwarder->ip, port_override ? port_override : 1507 uw_forwarder->port, uw_forwarder->auth_name); 1508 else 1509 ret = snprintf(fwd, sizeof(fwd), "%s@%d", 1510 uw_forwarder->ip, port_override ? port_override : 1511 uw_forwarder->port); 1512 1513 if (ret < 0 || (size_t)ret >= sizeof(fwd)) { 1514 log_warnx("forwarder too long"); 1515 continue; 1516 } 1517 1518 ub_ctx_set_fwd(res->ctx, fwd); 1519 } 1520 } 1521 1522 void 1523 resolver_check_timo(int fd, short events, void *arg) 1524 { 1525 check_resolver((struct uw_resolver *)arg); 1526 } 1527 1528 void 1529 resolver_free_timo(int fd, short events, void *arg) 1530 { 1531 free_resolver((struct uw_resolver *)arg); 1532 } 1533 1534 void 1535 check_resolver(struct uw_resolver *resolver_to_check) 1536 { 1537 struct uw_resolver *res; 1538 1539 if (resolver_to_check == NULL) 1540 return; 1541 1542 if (resolver_to_check->check_running) 1543 return; 1544 1545 if ((res = create_resolver(resolver_to_check->type)) == NULL) 1546 return; 1547 1548 resolver_ref(resolver_to_check); 1549 1550 resolver_to_check->check_running++; 1551 if (resolve(res, ".", LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN, 1552 resolver_to_check, check_resolver_done) != 0) { 1553 resolver_to_check->check_running--; 1554 resolver_to_check->state = UNKNOWN; 1555 resolver_unref(resolver_to_check); 1556 resolver_to_check->check_tv.tv_sec = RESOLVER_CHECK_SEC; 1557 evtimer_add(&resolver_to_check->check_ev, 1558 &resolver_to_check->check_tv); 1559 } 1560 } 1561 1562 void 1563 check_resolver_done(struct uw_resolver *res, void *arg, int rcode, 1564 void *answer_packet, int answer_len, int sec, char *why_bogus) 1565 { 1566 struct uw_resolver *checked_resolver = arg; 1567 struct timeval tv = {0, 1}; 1568 enum uw_resolver_state prev_state; 1569 int bogus_time = 0; 1570 char *str; 1571 1572 checked_resolver->check_running--; 1573 1574 if (checked_resolver != resolvers[checked_resolver->type]) { 1575 log_debug("%s: %s: ignoring late check result", __func__, 1576 uw_resolver_type_str[checked_resolver->type]); 1577 goto ignore_late; 1578 } 1579 1580 prev_state = checked_resolver->state; 1581 1582 if (rcode == LDNS_RCODE_SERVFAIL) { 1583 log_debug("%s: %s rcode: SERVFAIL", __func__, 1584 uw_resolver_type_str[checked_resolver->type]); 1585 1586 checked_resolver->state = DEAD; 1587 goto out; 1588 } 1589 1590 if (answer_len < LDNS_HEADER_SIZE) { 1591 checked_resolver->state = DEAD; 1592 log_warnx("%s: bad packet: too short", __func__); 1593 goto out; 1594 } 1595 1596 if (sec == SECURE) { 1597 if (dns64_present && (res->type == UW_RES_AUTOCONF || 1598 res->type == UW_RES_ODOT_AUTOCONF)) { 1599 /* do not upgrade to validating, DNS64 breaks DNSSEC */ 1600 if (prev_state != RESOLVING) 1601 new_resolver(checked_resolver->type, 1602 RESOLVING); 1603 } else { 1604 if (prev_state != VALIDATING) 1605 new_resolver(checked_resolver->type, 1606 VALIDATING); 1607 if (!(evtimer_pending(&trust_anchor_timer, NULL))) 1608 evtimer_add(&trust_anchor_timer, &tv); 1609 } 1610 } else if (rcode == LDNS_RCODE_NOERROR && 1611 LDNS_RCODE_WIRE((uint8_t*)answer_packet) == LDNS_RCODE_NOERROR) { 1612 if (why_bogus) { 1613 bogus_time = strncmp(why_bogus, bogus_past, 1614 sizeof(bogus_past) - 1) == 0 || strncmp(why_bogus, 1615 bogus_future, sizeof(bogus_future) - 1) == 0; 1616 1617 log_warnx("%s: %s", uw_resolver_type_str[ 1618 checked_resolver->type], why_bogus); 1619 } 1620 if (prev_state != RESOLVING) 1621 new_resolver(checked_resolver->type, RESOLVING); 1622 } else 1623 checked_resolver->state = DEAD; /* we know the root exists */ 1624 1625 log_debug("%s: %s: %s", __func__, 1626 uw_resolver_type_str[checked_resolver->type], 1627 uw_resolver_state_str[checked_resolver->state]); 1628 1629 if (log_getverbose() & OPT_VERBOSE2 && (str = 1630 sldns_wire2str_pkt(answer_packet, answer_len)) != NULL) { 1631 log_debug("%s", str); 1632 free(str); 1633 } 1634 1635 out: 1636 if (!checked_resolver->stop && (checked_resolver->state == DEAD || 1637 bogus_time)) { 1638 if (prev_state == DEAD || bogus_time) 1639 checked_resolver->check_tv.tv_sec *= 2; 1640 else 1641 checked_resolver->check_tv.tv_sec = RESOLVER_CHECK_SEC; 1642 1643 if (checked_resolver->check_tv.tv_sec > RESOLVER_CHECK_MAXSEC) 1644 checked_resolver->check_tv.tv_sec = 1645 RESOLVER_CHECK_MAXSEC; 1646 1647 evtimer_add(&checked_resolver->check_ev, 1648 &checked_resolver->check_tv); 1649 } 1650 1651 ignore_late: 1652 resolver_unref(checked_resolver); 1653 res->stop = 1; /* do not free in callback */ 1654 } 1655 1656 void 1657 asr_resolve_done(struct asr_result *ar, void *arg) 1658 { 1659 struct resolver_cb_data *cb_data = arg; 1660 cb_data->cb(cb_data->res, cb_data->data, ar->ar_errno == 0 ? 1661 ar->ar_rcode : LDNS_RCODE_SERVFAIL, ar->ar_data, ar->ar_datalen, 0, 1662 NULL); 1663 free(ar->ar_data); 1664 resolver_unref(cb_data->res); 1665 free(cb_data); 1666 } 1667 1668 void 1669 ub_resolve_done(void *arg, int rcode, void *answer_packet, int answer_len, 1670 int sec, char *why_bogus, int was_ratelimited) 1671 { 1672 struct resolver_cb_data *cb_data = arg; 1673 cb_data->cb(cb_data->res, cb_data->data, rcode, answer_packet, 1674 answer_len, sec, why_bogus); 1675 resolver_unref(cb_data->res); 1676 free(cb_data); 1677 } 1678 1679 void 1680 schedule_recheck_all_resolvers(void) 1681 { 1682 struct timeval tv; 1683 int i; 1684 1685 tv.tv_sec = 0; 1686 1687 for (i = 0; i < UW_RES_NONE; i++) { 1688 if (resolvers[i] == NULL) 1689 continue; 1690 tv.tv_usec = arc4random() % 1000000; /* modulo bias is ok */ 1691 resolvers[i]->state = UNKNOWN; 1692 evtimer_add(&resolvers[i]->check_ev, &tv); 1693 } 1694 } 1695 1696 int 1697 check_forwarders_changed(struct uw_forwarder_head *list_a, 1698 struct uw_forwarder_head *list_b) 1699 { 1700 struct uw_forwarder *a, *b; 1701 1702 a = TAILQ_FIRST(list_a); 1703 b = TAILQ_FIRST(list_b); 1704 1705 while(a != NULL && b != NULL) { 1706 if (strcmp(a->ip, b->ip) != 0) 1707 return 1; 1708 if (a->port != b->port) 1709 return 1; 1710 if (strcmp(a->auth_name, b->auth_name) != 0) 1711 return 1; 1712 a = TAILQ_NEXT(a, entry); 1713 b = TAILQ_NEXT(b, entry); 1714 } 1715 1716 if (a != NULL || b != NULL) 1717 return 1; 1718 return 0; 1719 } 1720 1721 void 1722 resolver_ref(struct uw_resolver *res) 1723 { 1724 if (res->ref_cnt == INT_MAX) 1725 fatalx("%s: INT_MAX references", __func__); 1726 res->ref_cnt++; 1727 } 1728 1729 void 1730 resolver_unref(struct uw_resolver *res) 1731 { 1732 struct timeval tv = { 0, 1}; 1733 1734 if (res->ref_cnt == 0) 1735 fatalx("%s: unreferenced resolver", __func__); 1736 1737 res->ref_cnt--; 1738 1739 /* 1740 * Decouple from libunbound event callback. 1741 * If we free the ctx inside of resolve_done or check_resovler_done 1742 * we are cutting of the branch we are sitting on and hit a 1743 * user-after-free 1744 */ 1745 if (res->stop && res->ref_cnt == 0) { 1746 evtimer_set(&res->free_ev, resolver_free_timo, res); 1747 evtimer_add(&res->free_ev, &tv); 1748 } 1749 } 1750 1751 void 1752 replace_forwarders(struct uw_forwarder_head *new_list, struct 1753 uw_forwarder_head *old_list) 1754 { 1755 struct uw_forwarder *uw_forwarder; 1756 1757 while ((uw_forwarder = 1758 TAILQ_FIRST(old_list)) != NULL) { 1759 TAILQ_REMOVE(old_list, uw_forwarder, entry); 1760 free(uw_forwarder); 1761 } 1762 1763 TAILQ_CONCAT(old_list, new_list, entry); 1764 } 1765 1766 int 1767 resolver_cmp(const void *_a, const void *_b) 1768 { 1769 const enum uw_resolver_type a = *(const enum uw_resolver_type *)_a; 1770 const enum uw_resolver_type b = *(const enum uw_resolver_type *)_b; 1771 int64_t a_median, b_median; 1772 1773 if (resolvers[a] == NULL && resolvers[b] == NULL) 1774 return 0; 1775 1776 if (resolvers[b] == NULL) 1777 return -1; 1778 1779 if (resolvers[a] == NULL) 1780 return 1; 1781 1782 if (resolvers[a]->state < resolvers[b]->state) 1783 return 1; 1784 else if (resolvers[a]->state > resolvers[b]->state) 1785 return -1; 1786 else { 1787 a_median = resolvers[a]->median; 1788 b_median = resolvers[b]->median; 1789 if (resolvers[a]->type == resolver_conf->res_pref.types[0]) 1790 a_median -= PREF_RESOLVER_MEDIAN_SKEW; 1791 else if (resolvers[b]->type == resolver_conf->res_pref.types[0]) 1792 b_median -= PREF_RESOLVER_MEDIAN_SKEW; 1793 if (a_median < b_median) 1794 return -1; 1795 else if (a_median > b_median) 1796 return 1; 1797 else 1798 return 0; 1799 } 1800 } 1801 1802 void 1803 restart_ub_resolvers(int recheck) 1804 { 1805 int i; 1806 enum uw_resolver_state state; 1807 1808 for (i = 0; i < UW_RES_NONE; i++) { 1809 if (i == UW_RES_ASR) 1810 continue; 1811 if (recheck || resolvers[i] == NULL) 1812 state = UNKNOWN; 1813 else 1814 state = resolvers[i]->state; 1815 new_resolver(i, state); 1816 } 1817 } 1818 1819 void 1820 show_status(pid_t pid) 1821 { 1822 struct resolver_preference res_pref; 1823 int i; 1824 1825 if (sort_resolver_types(&res_pref) == -1) 1826 log_warn("mergesort"); 1827 1828 for (i = 0; i < resolver_conf->res_pref.len; i++) 1829 send_resolver_info(resolvers[res_pref.types[i]], pid); 1830 1831 resolver_imsg_compose_frontend(IMSG_CTL_END, pid, NULL, 0); 1832 } 1833 1834 void 1835 show_autoconf(pid_t pid) 1836 { 1837 struct uw_forwarder *uw_forwarder; 1838 struct ctl_forwarder_info cfi; 1839 1840 TAILQ_FOREACH(uw_forwarder, &autoconf_forwarder_list, entry) { 1841 memset(&cfi, 0, sizeof(cfi)); 1842 cfi.if_index = uw_forwarder->if_index; 1843 cfi.src = uw_forwarder->src; 1844 /* no truncation, structs are in sync */ 1845 memcpy(cfi.ip, uw_forwarder->ip, sizeof(cfi.ip)); 1846 resolver_imsg_compose_frontend( 1847 IMSG_CTL_AUTOCONF_RESOLVER_INFO, 1848 pid, &cfi, sizeof(cfi)); 1849 } 1850 1851 resolver_imsg_compose_frontend(IMSG_CTL_END, pid, NULL, 0); 1852 } 1853 1854 void 1855 show_mem(pid_t pid) 1856 { 1857 struct ctl_mem_info cmi; 1858 1859 memset(&cmi, 0, sizeof(cmi)); 1860 #ifdef UNIFIED_CACHE 1861 cmi.msg_cache_used = slabhash_get_mem(unified_msg_cache); 1862 cmi.msg_cache_max = slabhash_get_size(unified_msg_cache); 1863 cmi.rrset_cache_used = slabhash_get_mem(&unified_rrset_cache->table); 1864 cmi.rrset_cache_max = slabhash_get_size(&unified_rrset_cache->table); 1865 cmi.key_cache_used = slabhash_get_mem(unified_key_cache->slab); 1866 cmi.key_cache_max = slabhash_get_size(unified_key_cache->slab); 1867 cmi.neg_cache_used = unified_neg_cache->use; 1868 cmi.neg_cache_max = unified_neg_cache->max; 1869 #endif /* UNIFIED_CACHE */ 1870 resolver_imsg_compose_frontend(IMSG_CTL_MEM_INFO, pid, &cmi, 1871 sizeof(cmi)); 1872 1873 } 1874 1875 void 1876 send_resolver_info(struct uw_resolver *res, pid_t pid) 1877 { 1878 struct ctl_resolver_info cri; 1879 size_t i; 1880 1881 if (res == NULL) 1882 return; 1883 1884 cri.state = res->state; 1885 cri.type = res->type; 1886 cri.median = res->median; 1887 1888 memcpy(cri.histogram, res->histogram, sizeof(cri.histogram)); 1889 memcpy(cri.latest_histogram, res->latest_histogram, 1890 sizeof(cri.latest_histogram)); 1891 for (i = 0; i < nitems(histogram_limits); i++) 1892 cri.latest_histogram[i] = 1893 (cri.latest_histogram[i] + 500) / 1000; 1894 1895 resolver_imsg_compose_frontend(IMSG_CTL_RESOLVER_INFO, pid, &cri, 1896 sizeof(cri)); 1897 } 1898 1899 void 1900 trust_anchor_resolve(void) 1901 { 1902 struct resolver_preference res_pref; 1903 struct uw_resolver *res; 1904 struct timeval tv = {TRUST_ANCHOR_RETRY_INTERVAL, 0}; 1905 1906 if (sort_resolver_types(&res_pref) == -1) 1907 log_warn("mergesort"); 1908 1909 res = resolvers[res_pref.types[0]]; 1910 1911 if (res == NULL || res->state < VALIDATING) 1912 goto err; 1913 1914 if (resolve(res, ".", LDNS_RR_TYPE_DNSKEY, LDNS_RR_CLASS_IN, NULL, 1915 trust_anchor_resolve_done) != 0) 1916 goto err; 1917 1918 return; 1919 err: 1920 evtimer_add(&trust_anchor_timer, &tv); 1921 } 1922 1923 void 1924 trust_anchor_timo(int fd, short events, void *arg) 1925 { 1926 trust_anchor_resolve(); 1927 } 1928 1929 void 1930 trust_anchor_resolve_done(struct uw_resolver *res, void *arg, int rcode, 1931 void *answer_packet, int answer_len, int sec, char *why_bogus) 1932 { 1933 struct ub_result *result = NULL; 1934 sldns_buffer *buf = NULL; 1935 struct regional *region = NULL; 1936 struct timeval tv = {TRUST_ANCHOR_RETRY_INTERVAL, 0}; 1937 int i, tas, n; 1938 uint16_t dnskey_flags; 1939 char rdata_buf[1024], *ta; 1940 1941 if (rcode == LDNS_RCODE_SERVFAIL) { 1942 log_debug("%s: rcode: SERVFAIL", __func__); 1943 goto out; 1944 } 1945 1946 if (answer_len < LDNS_HEADER_SIZE) { 1947 log_warnx("bad packet: too short"); 1948 goto out; 1949 } 1950 1951 if ((result = calloc(1, sizeof(*result))) == NULL) 1952 goto out; 1953 1954 if (sec != SECURE) 1955 goto out; 1956 1957 if ((buf = sldns_buffer_new(answer_len)) == NULL) 1958 goto out; 1959 if ((region = regional_create()) == NULL) 1960 goto out; 1961 result->rcode = LDNS_RCODE_SERVFAIL; 1962 1963 sldns_buffer_clear(buf); 1964 sldns_buffer_write(buf, answer_packet, answer_len); 1965 sldns_buffer_flip(buf); 1966 libworker_enter_result(result, buf, region, sec); 1967 result->answer_packet = NULL; 1968 result->answer_len = 0; 1969 1970 if (result->rcode != LDNS_RCODE_NOERROR) 1971 goto out; 1972 1973 i = 0; 1974 tas = 0; 1975 while(result->data[i] != NULL) { 1976 if (result->len[i] < 2) { 1977 if (tas > 0) 1978 resolver_imsg_compose_frontend( 1979 IMSG_NEW_TAS_ABORT, 0, NULL, 0); 1980 goto out; 1981 } 1982 n = sldns_wire2str_rdata_buf(result->data[i], result->len[i], 1983 rdata_buf, sizeof(rdata_buf), LDNS_RR_TYPE_DNSKEY); 1984 1985 if (n < 0 || (size_t)n >= sizeof(rdata_buf)) { 1986 log_warnx("trust anchor buffer to small"); 1987 resolver_imsg_compose_frontend(IMSG_NEW_TAS_ABORT, 0, 1988 NULL, 0); 1989 goto out; 1990 } 1991 1992 memcpy(&dnskey_flags, result->data[i], 2); 1993 dnskey_flags = ntohs(dnskey_flags); 1994 if ((dnskey_flags & LDNS_KEY_SEP_KEY) && !(dnskey_flags & 1995 LDNS_KEY_REVOKE_KEY)) { 1996 asprintf(&ta, ".\t%d\tIN\tDNSKEY\t%s", ROOT_DNSKEY_TTL, 1997 rdata_buf); 1998 resolver_imsg_compose_frontend(IMSG_NEW_TA, 0, ta, 1999 strlen(ta) + 1); 2000 tas++; 2001 free(ta); 2002 } 2003 i++; 2004 } 2005 if (tas > 0) { 2006 resolver_imsg_compose_frontend(IMSG_NEW_TAS_DONE, 0, NULL, 0); 2007 tv.tv_sec = TRUST_ANCHOR_QUERY_INTERVAL; 2008 } 2009 out: 2010 sldns_buffer_free(buf); 2011 regional_destroy(region); 2012 ub_resolve_free(result); 2013 evtimer_add(&trust_anchor_timer, &tv); 2014 } 2015 2016 void 2017 replace_autoconf_forwarders(struct imsg_rdns_proposal *rdns_proposal) 2018 { 2019 struct uw_forwarder_head new_forwarder_list; 2020 struct uw_forwarder *uw_forwarder, *tmp; 2021 size_t addrsz; 2022 int i, rdns_count, af, changed = 0; 2023 char hostbuf[INET6_ADDRSTRLEN], *src; 2024 2025 TAILQ_INIT(&new_forwarder_list); 2026 af = rdns_proposal->rtdns.sr_family; 2027 src = rdns_proposal->rtdns.sr_dns; 2028 2029 switch (af) { 2030 case AF_INET: 2031 addrsz = sizeof(struct in_addr); 2032 break; 2033 case AF_INET6: 2034 addrsz = sizeof(struct in6_addr); 2035 break; 2036 default: 2037 log_warnx("%s: unsupported address family: %d", __func__, af); 2038 return; 2039 } 2040 2041 if ((rdns_proposal->rtdns.sr_len - 2) % addrsz != 0) { 2042 log_warnx("ignoring invalid RTM_PROPOSAL"); 2043 return; 2044 } 2045 rdns_count = (rdns_proposal->rtdns.sr_len - 2046 offsetof(struct sockaddr_rtdns, sr_dns)) / addrsz; 2047 2048 for (i = 0; i < rdns_count; i++) { 2049 struct sockaddr_storage ss; 2050 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&ss; 2051 struct sockaddr_in *sin = (struct sockaddr_in *)&ss; 2052 int err; 2053 2054 memset(&ss, 0, sizeof(ss)); 2055 ss.ss_family = af; 2056 switch (af) { 2057 case AF_INET: 2058 memcpy(&sin->sin_addr, src, addrsz); 2059 if (sin->sin_addr.s_addr == htonl(INADDR_LOOPBACK)) 2060 goto skip; 2061 ss.ss_len = sizeof(*sin); 2062 break; 2063 case AF_INET6: 2064 memcpy(&sin6->sin6_addr, src, addrsz); 2065 if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr)) 2066 goto skip; 2067 if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) 2068 sin6->sin6_scope_id = rdns_proposal->if_index; 2069 ss.ss_len = sizeof(*sin6); 2070 break; 2071 } 2072 if ((err = getnameinfo((struct sockaddr *)&ss, ss.ss_len, 2073 hostbuf, sizeof(hostbuf), NULL, 0, NI_NUMERICHOST)) != 0) { 2074 log_warnx("getnameinfo: %s", gai_strerror(err)); 2075 goto skip; 2076 } 2077 2078 if ((uw_forwarder = calloc(1, sizeof(struct uw_forwarder))) == 2079 NULL) 2080 fatal(NULL); 2081 if (strlcpy(uw_forwarder->ip, hostbuf, sizeof(uw_forwarder->ip)) 2082 >= sizeof(uw_forwarder->ip)) 2083 fatalx("strlcpy"); 2084 uw_forwarder->port = 53; 2085 uw_forwarder->if_index = rdns_proposal->if_index; 2086 uw_forwarder->src = rdns_proposal->src; 2087 TAILQ_INSERT_TAIL(&new_forwarder_list, uw_forwarder, entry); 2088 2089 skip: 2090 src += addrsz; 2091 } 2092 2093 TAILQ_FOREACH(tmp, &autoconf_forwarder_list, entry) { 2094 /* 2095 * if_index of zero signals to clear all proposals 2096 * src of zero signals interface gone 2097 */ 2098 if ((rdns_proposal->src == 0 || rdns_proposal->src == 2099 tmp->src) && (rdns_proposal->if_index == 0 || 2100 rdns_proposal->if_index == tmp->if_index)) 2101 continue; 2102 if ((uw_forwarder = calloc(1, sizeof(struct uw_forwarder))) == 2103 NULL) 2104 fatal(NULL); 2105 if (strlcpy(uw_forwarder->ip, tmp->ip, 2106 sizeof(uw_forwarder->ip)) >= sizeof(uw_forwarder->ip)) 2107 fatalx("strlcpy"); 2108 uw_forwarder->port = tmp->port; 2109 uw_forwarder->src = tmp->src; 2110 uw_forwarder->if_index = tmp->if_index; 2111 TAILQ_INSERT_TAIL(&new_forwarder_list, uw_forwarder, entry); 2112 } 2113 2114 changed = check_forwarders_changed(&new_forwarder_list, 2115 &autoconf_forwarder_list); 2116 2117 if (changed) { 2118 replace_forwarders(&new_forwarder_list, 2119 &autoconf_forwarder_list); 2120 new_resolver(UW_RES_ASR, UNKNOWN); 2121 new_resolver(UW_RES_AUTOCONF, UNKNOWN); 2122 new_resolver(UW_RES_ODOT_AUTOCONF, UNKNOWN); 2123 } else { 2124 while ((tmp = TAILQ_FIRST(&new_forwarder_list)) != NULL) { 2125 TAILQ_REMOVE(&new_forwarder_list, tmp, entry); 2126 free(tmp); 2127 } 2128 } 2129 } 2130 2131 int 2132 force_tree_cmp(struct force_tree_entry *a, struct force_tree_entry *b) 2133 { 2134 return strcasecmp(a->domain, b->domain); 2135 } 2136 2137 int 2138 find_force(struct force_tree *tree, char *qname, struct uw_resolver **res) 2139 { 2140 struct force_tree_entry *n, e; 2141 char *p; 2142 2143 if (res) 2144 *res = NULL; 2145 if (RB_EMPTY(tree)) 2146 return 0; 2147 2148 p = qname; 2149 do { 2150 if (strlcpy(e.domain, p, sizeof(e.domain)) >= sizeof(e.domain)) 2151 fatal("qname too large"); 2152 n = RB_FIND(force_tree, tree, &e); 2153 if (n != NULL) { 2154 log_debug("%s: %s -> %s[%s]", __func__, qname, p, 2155 uw_resolver_type_str[n->type]); 2156 if (res) 2157 *res = resolvers[n->type]; 2158 return n->acceptbogus; 2159 } 2160 if (*p == '.') 2161 p++; 2162 p = strchr(p, '.'); 2163 if (p != NULL && p[1] != '\0') 2164 p++; 2165 } while (p != NULL); 2166 return 0; 2167 2168 } 2169 2170 int64_t 2171 histogram_median(int64_t *histogram) 2172 { 2173 size_t i; 2174 int64_t sample_count = 0, running_count = 0; 2175 2176 /* skip first bucket, it contains cache hits */ 2177 for (i = 1; i < nitems(histogram_limits); i++) 2178 sample_count += histogram[i]; 2179 2180 if (sample_count == 0) 2181 return 0; 2182 2183 for (i = 1; i < nitems(histogram_limits); i++) { 2184 running_count += histogram[i]; 2185 if (running_count >= sample_count / 2) 2186 break; 2187 } 2188 2189 if (i >= nitems(histogram_limits) - 1) 2190 return INT64_MAX; 2191 return (histogram_limits[i - 1] + histogram_limits[i]) / 2; 2192 } 2193 2194 void 2195 decay_latest_histograms(int fd, short events, void *arg) 2196 { 2197 enum uw_resolver_type i; 2198 size_t j; 2199 struct uw_resolver *res; 2200 struct timeval tv = {DECAY_PERIOD, 0}; 2201 2202 for (i = 0; i < UW_RES_NONE; i++) { 2203 res = resolvers[i]; 2204 if (res == NULL) 2205 continue; 2206 for (j = 0; j < nitems(res->latest_histogram); j++) 2207 /* multiply then divide, avoiding truncating to 0 */ 2208 res->latest_histogram[j] = res->latest_histogram[j] * 2209 DECAY_NOMINATOR / DECAY_DENOMINATOR; 2210 res->median = histogram_median(res->latest_histogram); 2211 } 2212 evtimer_add(&decay_timer, &tv); 2213 } 2214 2215 int 2216 running_query_cnt(void) 2217 { 2218 struct running_query *e; 2219 int cnt = 0; 2220 2221 TAILQ_FOREACH(e, &running_queries, entry) 2222 cnt++; 2223 return cnt; 2224 } 2225 2226 int * 2227 resolvers_to_restart(struct uw_conf *oconf, struct uw_conf *nconf) 2228 { 2229 static int restart[UW_RES_NONE]; 2230 int i; 2231 2232 memset(&restart, 0, sizeof(restart)); 2233 if (check_forwarders_changed(&oconf->uw_forwarder_list, 2234 &nconf->uw_forwarder_list)) { 2235 restart[UW_RES_FORWARDER] = 1; 2236 restart[UW_RES_ODOT_FORWARDER] = 1; 2237 } 2238 if (check_forwarders_changed(&oconf->uw_dot_forwarder_list, 2239 &nconf->uw_dot_forwarder_list)) { 2240 restart[UW_RES_DOT] = 1; 2241 } 2242 2243 for (i = 0; i < UW_RES_NONE; i++) { 2244 if (oconf->enabled_resolvers[i] != nconf->enabled_resolvers[i]) 2245 restart[i] = 1; 2246 } 2247 return restart; 2248 } 2249 2250 const char * 2251 query_imsg2str(struct query_imsg *query_imsg) 2252 { 2253 static char buf[sizeof(query_imsg->qname) + 1 + 16 + 1 + 16]; 2254 char qclass_buf[16]; 2255 char qtype_buf[16]; 2256 2257 sldns_wire2str_class_buf(query_imsg->c, qclass_buf, sizeof(qclass_buf)); 2258 sldns_wire2str_type_buf(query_imsg->t, qtype_buf, sizeof(qtype_buf)); 2259 2260 snprintf(buf, sizeof(buf), "%s %s %s", query_imsg->qname, qclass_buf, 2261 qtype_buf); 2262 return buf; 2263 } 2264 2265 char * 2266 gen_resolv_conf(void) 2267 { 2268 struct uw_forwarder *uw_forwarder; 2269 char *resolv_conf = NULL, *tmp = NULL; 2270 2271 TAILQ_FOREACH(uw_forwarder, &autoconf_forwarder_list, entry) { 2272 tmp = resolv_conf; 2273 if (asprintf(&resolv_conf, "%snameserver %s\n", tmp == 2274 NULL ? "" : tmp, uw_forwarder->ip) == -1) { 2275 free(tmp); 2276 return (NULL); 2277 } 2278 free(tmp); 2279 } 2280 return resolv_conf; 2281 } 2282 2283 void 2284 check_dns64(void) 2285 { 2286 struct asr_query *aq = NULL; 2287 char *resolv_conf; 2288 void *asr_ctx; 2289 2290 if (TAILQ_EMPTY(&autoconf_forwarder_list)) 2291 return; 2292 2293 if ((resolv_conf = gen_resolv_conf()) == NULL) { 2294 log_warnx("could not create asr context"); 2295 return; 2296 } 2297 2298 if ((asr_ctx = asr_resolver_from_string(resolv_conf)) != NULL) { 2299 if ((aq = res_query_async("ipv4only.arpa.", LDNS_RR_CLASS_IN, 2300 LDNS_RR_TYPE_AAAA, asr_ctx)) == NULL) { 2301 log_warn("%s: res_query_async", __func__); 2302 asr_resolver_free(asr_ctx); 2303 } 2304 if (event_asr_run(aq, check_dns64_done, asr_ctx) == NULL) { 2305 log_warn("%s: event_asr_run", __func__); 2306 free(aq); 2307 asr_resolver_free(asr_ctx); 2308 } 2309 } else 2310 log_warnx("%s: could not create asr context", __func__); 2311 2312 free(resolv_conf); 2313 } 2314 2315 void 2316 check_dns64_done(struct asr_result *ar, void *arg) 2317 { 2318 /* RFC 7050: ipv4only.arpa resolves to 192.0.0.170 and 192.9.0.171 */ 2319 const uint8_t wka1[] = {192, 0, 0, 170}; 2320 const uint8_t wka2[] = {192, 0, 0, 171}; 2321 struct query_info skip, qinfo; 2322 struct reply_info *rinfo = NULL; 2323 struct regional *region = NULL; 2324 struct sldns_buffer *buf = NULL; 2325 struct ub_packed_rrset_key *an_rrset = NULL; 2326 struct packed_rrset_data *an_rrset_data; 2327 struct alloc_cache alloc; 2328 struct edns_data edns; 2329 struct dns64_prefix *prefixes = NULL; 2330 size_t i; 2331 int preflen, count = 0; 2332 void *asr_ctx = arg; 2333 2334 if (ar->ar_errno != 0) 2335 goto fail; 2336 2337 memset(&qinfo, 0, sizeof(qinfo)); 2338 alloc_init(&alloc, NULL, 0); 2339 2340 if (ar->ar_datalen < LDNS_HEADER_SIZE) { 2341 log_warnx("%s: bad packet: too short: %d", __func__, 2342 ar->ar_datalen); 2343 goto out; 2344 } 2345 2346 if (ar->ar_datalen > UINT16_MAX) { 2347 log_warnx("%s: bad packet: too large: %d", __func__, 2348 ar->ar_datalen); 2349 goto out; 2350 } 2351 2352 if (ar->ar_rcode == LDNS_RCODE_NXDOMAIN) { 2353 /* XXX this means that the autoconf resolver is broken */ 2354 log_debug("%s: NXDOMAIN", __func__); 2355 goto out; 2356 } 2357 2358 if ((buf = sldns_buffer_new(ar->ar_datalen)) == NULL) 2359 goto out; 2360 2361 if ((region = regional_create()) == NULL) 2362 goto out; 2363 2364 sldns_buffer_write(buf, ar->ar_data, ar->ar_datalen); 2365 sldns_buffer_flip(buf); 2366 2367 /* read past query section, no memory is allocated */ 2368 if (!query_info_parse(&skip, buf)) 2369 goto out; 2370 2371 if (reply_info_parse(buf, &alloc, &qinfo, &rinfo, region, &edns) != 0) 2372 goto out; 2373 2374 if ((an_rrset = reply_find_answer_rrset(&qinfo, rinfo)) == NULL) 2375 goto out; 2376 2377 an_rrset_data = (struct packed_rrset_data*)an_rrset->entry.data; 2378 2379 prefixes = calloc(an_rrset_data->count, sizeof(struct dns64_prefix)); 2380 if (prefixes == NULL) 2381 goto out; 2382 2383 for (i = 0; i < an_rrset_data->count; i++) { 2384 struct in6_addr in6; 2385 2386 /* check for AAAA record */ 2387 if (an_rrset_data->rr_len[i] != 18) /* 2 + 128/8 */ 2388 continue; 2389 if (an_rrset_data->rr_data[i][0] != 0 && 2390 an_rrset_data->rr_data[i][1] != 16) 2391 continue; 2392 2393 memcpy(&in6, &an_rrset_data->rr_data[i][2], 2394 sizeof(in6)); 2395 if ((preflen = dns64_prefixlen(&in6, wka1)) != -1) 2396 add_dns64_prefix(&in6, preflen, prefixes, 2397 an_rrset_data->count, WKA1_FOUND); 2398 if ((preflen = dns64_prefixlen(&in6, wka2)) != -1) 2399 add_dns64_prefix(&in6, preflen, prefixes, 2400 an_rrset_data->count, WKA2_FOUND); 2401 } 2402 2403 for (i = 0; i < an_rrset_data->count && prefixes[i].flags != 0; i++) 2404 if ((prefixes[i].flags & (WKA1_FOUND | WKA2_FOUND)) == 2405 (WKA1_FOUND | WKA2_FOUND)) 2406 count++; 2407 2408 dns64_present = count > 0; 2409 2410 if (dns64_present) { 2411 /* downgrade SLAAC resolvers, DNS64 breaks DNSSEC */ 2412 if (resolvers[UW_RES_AUTOCONF] != NULL && 2413 resolvers[UW_RES_AUTOCONF]->state == VALIDATING) 2414 new_resolver(UW_RES_AUTOCONF, RESOLVING); 2415 if (resolvers[UW_RES_ODOT_AUTOCONF] != NULL && 2416 resolvers[UW_RES_ODOT_AUTOCONF]->state == VALIDATING) 2417 new_resolver(UW_RES_ODOT_AUTOCONF, RESOLVING); 2418 } 2419 2420 resolver_imsg_compose_frontend(IMSG_NEW_DNS64_PREFIXES_START, 0, 2421 &count, sizeof(count)); 2422 for (i = 0; i < an_rrset_data->count && prefixes[i].flags != 0; i++) { 2423 if ((prefixes[i].flags & (WKA1_FOUND | WKA2_FOUND)) == 2424 (WKA1_FOUND | WKA2_FOUND)) { 2425 resolver_imsg_compose_frontend(IMSG_NEW_DNS64_PREFIX, 2426 0, &prefixes[i], sizeof(struct dns64_prefix)); 2427 } 2428 } 2429 resolver_imsg_compose_frontend(IMSG_NEW_DNS64_PREFIXES_DONE, 0, NULL, 2430 0); 2431 out: 2432 free(prefixes); 2433 query_info_clear(&qinfo); 2434 reply_info_parsedelete(rinfo, &alloc); 2435 alloc_clear(&alloc); 2436 regional_destroy(region); 2437 sldns_buffer_free(buf); 2438 fail: 2439 free(ar->ar_data); 2440 asr_resolver_free(asr_ctx); 2441 } 2442 2443 int 2444 dns64_prefixlen(const struct in6_addr *in6, const uint8_t *wka) 2445 { 2446 /* RFC 6052, 2.2 */ 2447 static const int possible_prefixes[] = {32, 40, 48, 56, 64, 96}; 2448 size_t i, j; 2449 int found, pos; 2450 2451 for (i = 0; i < nitems(possible_prefixes); i++) { 2452 pos = possible_prefixes[i] / 8; 2453 found = 1; 2454 for (j = 0; j < 4 && found; j++, pos++) { 2455 if (pos == 8) { 2456 if (in6->s6_addr[pos] != 0) 2457 found = 0; 2458 pos++; 2459 } 2460 if (in6->s6_addr[pos] != wka[j]) 2461 found = 0; 2462 } 2463 if (found) 2464 return possible_prefixes[i]; 2465 } 2466 return -1; 2467 } 2468 2469 void 2470 add_dns64_prefix(const struct in6_addr *in6, int prefixlen, 2471 struct dns64_prefix *prefixes, int prefixes_size, int flag) 2472 { 2473 struct in6_addr tmp; 2474 int i; 2475 2476 tmp = *in6; 2477 2478 for(i = prefixlen / 8; i < 16; i++) 2479 tmp.s6_addr[i] = 0; 2480 2481 for (i = 0; i < prefixes_size; i++) { 2482 if (prefixes[i].flags == 0) { 2483 prefixes[i].in6 = tmp; 2484 prefixes[i].prefixlen = prefixlen; 2485 prefixes[i].flags |= flag; 2486 break; 2487 } else if (prefixes[i].prefixlen == prefixlen && 2488 memcmp(&prefixes[i].in6, &tmp, sizeof(tmp)) == 0) { 2489 prefixes[i].flags |= flag; 2490 break; 2491 } 2492 } 2493 } 2494