xref: /openbsd-src/usr.sbin/nsd/query.c (revision 4c1e55dc91edd6e69ccc60ce855900fbc12cf34f) 
1 /*
2  * query.c -- nsd(8) the resolver.
3  *
4  * Copyright (c) 2001-2011, NLnet Labs. All rights reserved.
5  *
6  * See LICENSE for the license.
7  *
8  */
9 
10 #include "config.h"
11 
12 #include <sys/types.h>
13 #include <sys/socket.h>
14 #include <netinet/in.h>
15 #include <arpa/inet.h>
16 #include <assert.h>
17 #include <ctype.h>
18 #include <errno.h>
19 #include <limits.h>
20 #include <netdb.h>
21 #include <stddef.h>
22 #include <stdio.h>
23 #include <stdlib.h>
24 #include <string.h>
25 #include <time.h>
26 #include <unistd.h>
27 #include <netdb.h>
28 
29 #include "answer.h"
30 #include "axfr.h"
31 #include "dns.h"
32 #include "dname.h"
33 #include "nsd.h"
34 #include "namedb.h"
35 #include "query.h"
36 #include "util.h"
37 #include "options.h"
38 #include "nsec3.h"
39 #include "tsig.h"
40 
41 /* [Bug #253] Adding unnecessary NS RRset may lead to undesired truncation.
42  * This function determines if the final response packet needs the NS RRset
43  * included. Currently, it will only return negative if QTYPE == DNSKEY|DS.
44  * This way, resolvers won't fallback to TCP unnecessarily when priming
45  * trust anchors.
46  */
47 static int answer_needs_ns(struct query  *query);
48 
49 static int add_rrset(struct query  *query,
50 		     answer_type    *answer,
51 		     rr_section_type section,
52 		     domain_type    *owner,
53 		     rrset_type     *rrset);
54 
55 static void answer_authoritative(struct nsd	  *nsd,
56 				 struct query     *q,
57 				 answer_type      *answer,
58 				 uint32_t          domain_number,
59 				 int               exact,
60 				 domain_type      *closest_match,
61 				 domain_type      *closest_encloser,
62 				 const dname_type *qname);
63 
64 static void answer_lookup_zone(struct nsd *nsd, struct query *q,
65 			       answer_type *answer, uint32_t domain_number,
66 			       int exact, domain_type *closest_match,
67 			       domain_type *closest_encloser,
68 			       const dname_type *qname);
69 
70 void
71 query_put_dname_offset(struct query *q, domain_type *domain, uint16_t offset)
72 {
73 	assert(q);
74 	assert(domain);
75 	assert(domain->number > 0);
76 
77 	if (offset > MAX_COMPRESSION_OFFSET)
78 		return;
79 	if (q->compressed_dname_count >= MAX_COMPRESSED_DNAMES)
80 		return;
81 
82 	q->compressed_dname_offsets[domain->number] = offset;
83 	q->compressed_dnames[q->compressed_dname_count] = domain;
84 	++q->compressed_dname_count;
85 }
86 
87 void
88 query_clear_dname_offsets(struct query *q, size_t max_offset)
89 {
90 	while (q->compressed_dname_count > 0
91 	       && (q->compressed_dname_offsets[q->compressed_dnames[q->compressed_dname_count - 1]->number]
92 		   >= max_offset))
93 	{
94 		q->compressed_dname_offsets[q->compressed_dnames[q->compressed_dname_count - 1]->number] = 0;
95 		--q->compressed_dname_count;
96 	}
97 }
98 
99 void
100 query_clear_compression_tables(struct query *q)
101 {
102 	uint16_t i;
103 
104 	for (i = 0; i < q->compressed_dname_count; ++i) {
105 		assert(q->compressed_dnames);
106 		q->compressed_dname_offsets[q->compressed_dnames[i]->number] = 0;
107 	}
108 	q->compressed_dname_count = 0;
109 }
110 
111 void
112 query_add_compression_domain(struct query *q, domain_type *domain, uint16_t offset)
113 {
114 	while (domain->parent) {
115 		DEBUG(DEBUG_NAME_COMPRESSION, 2,
116 		      (LOG_INFO, "query dname: %s, number: %lu, offset: %u\n",
117 		       dname_to_string(domain_dname(domain), NULL),
118 		       (unsigned long) domain->number,
119 		       offset));
120 		query_put_dname_offset(q, domain, offset);
121 		offset += label_length(dname_name(domain_dname(domain))) + 1;
122 		domain = domain->parent;
123 	}
124 }
125 
126 /*
127  * Generate an error response with the specified RCODE.
128  */
129 query_state_type
130 query_error (struct query *q, nsd_rc_type rcode)
131 {
132 	if (rcode == NSD_RC_DISCARD) {
133 		return QUERY_DISCARDED;
134 	}
135 
136 	buffer_clear(q->packet);
137 
138 	QR_SET(q->packet);	   /* This is an answer.  */
139 	RCODE_SET(q->packet, (int) rcode); /* Error code.  */
140 
141 	/* Truncate the question as well... */
142 	QDCOUNT_SET(q->packet, 0);
143 	ANCOUNT_SET(q->packet, 0);
144 	NSCOUNT_SET(q->packet, 0);
145 	ARCOUNT_SET(q->packet, 0);
146 	buffer_set_position(q->packet, QHEADERSZ);
147 	return QUERY_PROCESSED;
148 }
149 
150 static query_state_type
151 query_formerr (struct query *query)
152 {
153 	int opcode = OPCODE(query->packet);
154 	FLAGS_SET(query->packet, FLAGS(query->packet) & 0x0100U);
155 			/* Preserve the RD flag. Clear the rest. */
156 	OPCODE_SET(query->packet, opcode);
157 	return query_error(query, NSD_RC_FORMAT);
158 }
159 
160 static void
161 query_cleanup(void *data)
162 {
163 	query_type *query = (query_type *) data;
164 	region_destroy(query->region);
165 }
166 
167 query_type *
168 query_create(region_type *region, uint16_t *compressed_dname_offsets,
169 	uint32_t compressed_dname_size)
170 {
171 	query_type *query
172 		= (query_type *) region_alloc_zero(region, sizeof(query_type));
173 	/* create region with large block size, because the initial chunk
174 	   saves many mallocs in the server */
175 	query->region = region_create_custom(xalloc, free, 16384, 16384/8, 32, 0);
176 	query->compressed_dname_offsets = compressed_dname_offsets;
177 	query->packet = buffer_create(region, QIOBUFSZ);
178 	region_add_cleanup(region, query_cleanup, query);
179 	query->compressed_dname_offsets_size = compressed_dname_size;
180 	tsig_create_record(&query->tsig, region);
181 	query->tsig_prepare_it = 1;
182 	query->tsig_update_it = 1;
183 	query->tsig_sign_it = 1;
184 	return query;
185 }
186 
187 void
188 query_reset(query_type *q, size_t maxlen, int is_tcp)
189 {
190 	/*
191 	 * As long as less than 4Kb (region block size) has been used,
192 	 * this call to free_all is free, the block is saved for re-use,
193 	 * so no malloc() or free() calls are done.
194 	 * at present use of the region is for:
195 	 *   o query qname dname_type (255 max).
196 	 *   o wildcard expansion domain_type (7*ptr+u32+2bytes)+(5*ptr nsec3)
197 	 *   o wildcard expansion for additional section domain_type.
198 	 *   o nsec3 hashed name(s) (3 dnames for a nonexist_proof,
199 	 *     one proof per wildcard and for nx domain).
200 	 */
201 	region_free_all(q->region);
202 	q->addrlen = sizeof(q->addr);
203 	q->maxlen = maxlen;
204 	q->reserved_space = 0;
205 	buffer_clear(q->packet);
206 	edns_init_record(&q->edns);
207 	tsig_init_record(&q->tsig, NULL, NULL);
208 	q->tsig_prepare_it = 1;
209 	q->tsig_update_it = 1;
210 	q->tsig_sign_it = 1;
211 	q->tcp = is_tcp;
212 	q->qname = NULL;
213 	q->qtype = 0;
214 	q->qclass = 0;
215 	q->zone = NULL;
216 	q->domain = NULL;
217 	q->opcode = 0;
218 	q->cname_count = 0;
219 	q->delegation_domain = NULL;
220 	q->delegation_rrset = NULL;
221 	q->compressed_dname_count = 0;
222 	q->number_temporary_domains = 0;
223 
224 	q->axfr_is_done = 0;
225 	q->axfr_zone = NULL;
226 	q->axfr_current_domain = NULL;
227 	q->axfr_current_rrset = NULL;
228 	q->axfr_current_rr = 0;
229 }
230 
231 /* get a temporary domain number (or 0=failure) */
232 static domain_type*
233 query_get_tempdomain(struct query *q)
234 {
235 	static domain_type d[EXTRA_DOMAIN_NUMBERS];
236 	if(q->number_temporary_domains >= EXTRA_DOMAIN_NUMBERS)
237 		return 0;
238 	q->number_temporary_domains ++;
239 	memset(&d[q->number_temporary_domains-1], 0, sizeof(domain_type));
240 	d[q->number_temporary_domains-1].number = q->compressed_dname_offsets_size +
241 		q->number_temporary_domains - 1;
242 	return &d[q->number_temporary_domains-1];
243 }
244 
245 static void
246 query_addtxt(struct query  *q,
247 	     const uint8_t *dname,
248 	     uint16_t       klass,
249 	     uint32_t       ttl,
250 	     const char    *txt)
251 {
252 	size_t txt_length = strlen(txt);
253 	uint8_t len = (uint8_t) txt_length;
254 
255 	assert(txt_length <= UCHAR_MAX);
256 
257 	/* Add the dname */
258 	if (dname >= buffer_begin(q->packet)
259 	    && dname <= buffer_current(q->packet))
260 	{
261 		buffer_write_u16(q->packet,
262 				 0xc000 | (dname - buffer_begin(q->packet)));
263 	} else {
264 		buffer_write(q->packet, dname + 1, *dname);
265 	}
266 
267 	buffer_write_u16(q->packet, TYPE_TXT);
268 	buffer_write_u16(q->packet, klass);
269 	buffer_write_u32(q->packet, ttl);
270 	buffer_write_u16(q->packet, len + 1);
271 	buffer_write_u8(q->packet, len);
272 	buffer_write(q->packet, txt, len);
273 }
274 
275 /*
276  * Parse the question section of a query.  The normalized query name
277  * is stored in QUERY->name, the class in QUERY->klass, and the type
278  * in QUERY->type.
279  */
280 static int
281 process_query_section(query_type *query)
282 {
283 	uint8_t qnamebuf[MAXDOMAINLEN];
284 
285 	buffer_set_position(query->packet, QHEADERSZ);
286 	/* Lets parse the query name and convert it to lower case.  */
287 	if(!packet_read_query_section(query->packet, qnamebuf,
288 		&query->qtype, &query->qclass))
289 		return 0;
290 	query->qname = dname_make(query->region, qnamebuf, 1);
291 	query->opcode = OPCODE(query->packet);
292 	return 1;
293 }
294 
295 
296 /*
297  * Process an optional EDNS OPT record.  Sets QUERY->EDNS to 0 if
298  * there was no EDNS record, to -1 if there was an invalid or
299  * unsupported EDNS record, and to 1 otherwise.  Updates QUERY->MAXLEN
300  * if the EDNS record specifies a maximum supported response length.
301  *
302  * Return NSD_RC_FORMAT on failure, NSD_RC_OK on success.
303  */
304 static nsd_rc_type
305 process_edns(nsd_type* nsd, struct query *q)
306 {
307 	if (q->edns.status == EDNS_ERROR) {
308 		/* The only error is VERSION not implemented */
309 		return NSD_RC_FORMAT;
310 	}
311 
312 	if (q->edns.status == EDNS_OK) {
313 		/* Only care about UDP size larger than normal... */
314 		if (!q->tcp && q->edns.maxlen > UDP_MAX_MESSAGE_LEN) {
315 			size_t edns_size;
316 #if defined(INET6)
317 			if (q->addr.ss_family == AF_INET6) {
318 				edns_size = nsd->ipv6_edns_size;
319 			} else
320 #endif
321 			edns_size = nsd->ipv4_edns_size;
322 
323 			if (q->edns.maxlen < edns_size) {
324 				q->maxlen = q->edns.maxlen;
325 			} else {
326 				q->maxlen = edns_size;
327 			}
328 
329 #if defined(INET6) && !defined(IPV6_USE_MIN_MTU) && !defined(IPV6_MTU)
330 			/*
331 			 * Use IPv6 minimum MTU to avoid sending
332 			 * packets that are too large for some links.
333 			 * IPv6 will not automatically fragment in
334 			 * this case (unlike IPv4).
335 			 */
336 			if (q->addr.ss_family == AF_INET6
337 			    && q->maxlen > IPV6_MIN_MTU)
338 			{
339 				q->maxlen = IPV6_MIN_MTU;
340 			}
341 #endif
342 		}
343 
344 		/* Strip the OPT resource record off... */
345 		buffer_set_position(q->packet, q->edns.position);
346 		buffer_set_limit(q->packet, q->edns.position);
347 		ARCOUNT_SET(q->packet, ARCOUNT(q->packet) - 1);
348 	}
349 	return NSD_RC_OK;
350 }
351 
352 /*
353  * Processes TSIG.
354  * Sets error when tsig does not verify on the query.
355  */
356 static nsd_rc_type
357 process_tsig(struct query* q)
358 {
359 	if(q->tsig.status == TSIG_ERROR)
360 		return NSD_RC_FORMAT;
361 	if(q->tsig.status == TSIG_OK) {
362 		if(!tsig_from_query(&q->tsig)) {
363 			log_msg(LOG_ERR, "query tsig unknown key/algorithm");
364 			return NSD_RC_REFUSE;
365 		}
366 		buffer_set_limit(q->packet, q->tsig.position);
367 		ARCOUNT_SET(q->packet, ARCOUNT(q->packet) - 1);
368 		tsig_prepare(&q->tsig);
369 		tsig_update(&q->tsig, q->packet, buffer_limit(q->packet));
370 		if(!tsig_verify(&q->tsig)) {
371 			log_msg(LOG_ERR, "query: bad tsig signature for key %s",
372 				dname_to_string(q->tsig.key->name, NULL));
373 			return NSD_RC_REFUSE;
374 		}
375 		DEBUG(DEBUG_XFRD,1, (LOG_INFO, "query good tsig signature for %s",
376 			dname_to_string(q->tsig.key->name, NULL)));
377 	}
378 	return NSD_RC_OK;
379 }
380 
381 /*
382  * Check notify acl and forward to xfrd (or return an error).
383  */
384 static query_state_type
385 answer_notify(struct nsd* nsd, struct query *query)
386 {
387 	int acl_num;
388 	acl_options_t *why;
389 	nsd_rc_type rc;
390 
391 	zone_options_t* zone_opt;
392 	DEBUG(DEBUG_XFRD,1, (LOG_INFO, "got notify %s processing acl",
393 		dname_to_string(query->qname, NULL)));
394 
395 	zone_opt = zone_options_find(nsd->options, query->qname);
396 	if(!zone_opt)
397 		return query_error(query, NSD_RC_NXDOMAIN);
398 
399 	if(!nsd->this_child) /* we are in debug mode or something */
400 		return query_error(query, NSD_RC_SERVFAIL);
401 
402 	if(!tsig_find_rr(&query->tsig, query->packet)) {
403 		DEBUG(DEBUG_XFRD,2, (LOG_ERR, "bad tsig RR format"));
404 		return query_error(query, NSD_RC_FORMAT);
405 	}
406 	rc = process_tsig(query);
407 	if(rc != NSD_RC_OK)
408 		return query_error(query, rc);
409 
410 	/* check if it passes acl */
411 	if((acl_num = acl_check_incoming(zone_opt->allow_notify, query,
412 		&why)) != -1)
413 	{
414 		sig_atomic_t mode = NSD_PASS_TO_XFRD;
415 		int s = nsd->this_child->parent_fd;
416 		uint16_t sz;
417 		uint32_t acl_send = htonl(acl_num);
418 		size_t pos;
419 		assert(why);
420 		DEBUG(DEBUG_XFRD,1, (LOG_INFO, "got notify %s passed acl %s %s",
421 			dname_to_string(query->qname, NULL),
422 			why->ip_address_spec,
423 			why->nokey?"NOKEY":
424 			(why->blocked?"BLOCKED":why->key_name)));
425 		sz = buffer_limit(query->packet);
426 		if(buffer_limit(query->packet) > MAX_PACKET_SIZE)
427 			return query_error(query, NSD_RC_SERVFAIL);
428 		/* forward to xfrd for processing
429 		   Note. Blocking IPC I/O, but acl is OK. */
430 		sz = htons(sz);
431 		if(!write_socket(s, &mode, sizeof(mode)) ||
432 			!write_socket(s, &sz, sizeof(sz)) ||
433 			!write_socket(s, buffer_begin(query->packet),
434 				buffer_limit(query->packet)) ||
435 			!write_socket(s, &acl_send, sizeof(acl_send))) {
436 			log_msg(LOG_ERR, "error in IPC notify server2main, %s",
437 				strerror(errno));
438 			return query_error(query, NSD_RC_SERVFAIL);
439 		}
440 
441 		/* create notify reply - keep same query contents */
442 		QR_SET(query->packet);         /* This is an answer.  */
443 		AA_SET(query->packet);	   /* we are authoritative. */
444 		ANCOUNT_SET(query->packet, 0);
445 		NSCOUNT_SET(query->packet, 0);
446 		ARCOUNT_SET(query->packet, 0);
447 		RCODE_SET(query->packet, RCODE_OK); /* Error code.  */
448 		/* position is right after the query */
449 		pos = buffer_position(query->packet);
450 		buffer_clear(query->packet);
451 		buffer_set_position(query->packet, pos);
452 		VERBOSITY(2, (LOG_INFO, "Notify received and accepted, forward to xfrd"));
453 		/* tsig is added in add_additional later (if needed) */
454 		return QUERY_PROCESSED;
455 	}
456 
457 	if (verbosity > 1) {
458 		char address[128];
459 		if (addr2ip(query->addr, address, sizeof(address))) {
460 			DEBUG(DEBUG_XFRD,1, (LOG_INFO, "addr2ip failed"));
461 			strlcpy(address, "[unknown]", sizeof(address));
462 		}
463 
464 		VERBOSITY(1, (LOG_INFO, "notify for zone %s from client %s refused, %s%s",
465 			dname_to_string(query->qname, NULL),
466 			address,
467 			why?why->key_name:"no acl matches",
468 			why?why->ip_address_spec:"."));
469 	}
470 
471 	return query_error(query, NSD_RC_REFUSE);
472 }
473 
474 
475 /*
476  * Answer a query in the CHAOS class.
477  */
478 static query_state_type
479 answer_chaos(struct nsd *nsd, query_type *q)
480 {
481 	AA_CLR(q->packet);
482 	switch (q->qtype) {
483 	case TYPE_ANY:
484 	case TYPE_TXT:
485 		if ((q->qname->name_size == 11
486 		     && memcmp(dname_name(q->qname), "\002id\006server", 11) == 0) ||
487 		    (q->qname->name_size ==  15
488 		     && memcmp(dname_name(q->qname), "\010hostname\004bind", 15) == 0))
489 		{
490 			/* Add ID */
491 			query_addtxt(q,
492 				     buffer_begin(q->packet) + QHEADERSZ,
493 				     CLASS_CH,
494 				     0,
495 				     nsd->identity);
496 			ANCOUNT_SET(q->packet, ANCOUNT(q->packet) + 1);
497 		} else if ((q->qname->name_size == 16
498 			    && memcmp(dname_name(q->qname), "\007version\006server", 16) == 0) ||
499 			   (q->qname->name_size == 14
500 			    && memcmp(dname_name(q->qname), "\007version\004bind", 14) == 0))
501 		{
502 			if(!nsd->options->hide_version) {
503 				/* Add version */
504 				query_addtxt(q,
505 				     buffer_begin(q->packet) + QHEADERSZ,
506 				     CLASS_CH,
507 				     0,
508 				     nsd->version);
509 				ANCOUNT_SET(q->packet, ANCOUNT(q->packet) + 1);
510 			} else {
511 				RCODE_SET(q->packet, RCODE_REFUSE);
512 			}
513 		}
514 		break;
515 	default:
516 		RCODE_SET(q->packet, RCODE_REFUSE);
517 		break;
518 	}
519 
520 	return QUERY_PROCESSED;
521 }
522 
523 
524 /*
525  * Find the covering NSEC for a non-existent domain name.  Normally
526  * the NSEC will be located at CLOSEST_MATCH, except when it is an
527  * empty non-terminal.  In this case the NSEC may be located at the
528  * previous domain name (in canonical ordering).
529  */
530 static domain_type *
531 find_covering_nsec(domain_type *closest_match,
532 		   zone_type   *zone,
533 		   rrset_type **nsec_rrset)
534 {
535 	assert(closest_match);
536 	assert(nsec_rrset);
537 
538 	/* loop away temporary created domains. For real ones it is &RBTREE_NULL */
539 	while (closest_match->node.parent == NULL)
540 		closest_match = closest_match->parent;
541 	while (closest_match) {
542 		*nsec_rrset = domain_find_rrset(closest_match, zone, TYPE_NSEC);
543 		if (*nsec_rrset) {
544 			return closest_match;
545 		}
546 		if (closest_match == zone->apex) {
547 			/* Don't look outside the current zone.  */
548 			return NULL;
549 		}
550 		closest_match = domain_previous(closest_match);
551 	}
552 	return NULL;
553 }
554 
555 
556 struct additional_rr_types
557 {
558 	uint16_t        rr_type;
559 	rr_section_type rr_section;
560 };
561 
562 struct additional_rr_types default_additional_rr_types[] = {
563 	{ TYPE_A, ADDITIONAL_A_SECTION },
564 	{ TYPE_AAAA, ADDITIONAL_AAAA_SECTION },
565 	{ 0, (rr_section_type) 0 }
566 };
567 
568 struct additional_rr_types rt_additional_rr_types[] = {
569 	{ TYPE_A, ADDITIONAL_A_SECTION },
570 	{ TYPE_AAAA, ADDITIONAL_AAAA_SECTION },
571 	{ TYPE_X25, ADDITIONAL_OTHER_SECTION },
572 	{ TYPE_ISDN, ADDITIONAL_OTHER_SECTION },
573 	{ 0, (rr_section_type) 0 }
574 };
575 
576 static void
577 add_additional_rrsets(struct query *query, answer_type *answer,
578 		      rrset_type *master_rrset, size_t rdata_index,
579 		      int allow_glue, struct additional_rr_types types[])
580 {
581 	size_t i;
582 
583 	assert(query);
584 	assert(answer);
585 	assert(master_rrset);
586 	assert(rdata_atom_is_domain(rrset_rrtype(master_rrset), rdata_index));
587 
588 	for (i = 0; i < master_rrset->rr_count; ++i) {
589 		int j;
590 		domain_type *additional = rdata_atom_domain(master_rrset->rrs[i].rdatas[rdata_index]);
591 		domain_type *match = additional;
592 
593 		assert(additional);
594 
595 		if (!allow_glue && domain_is_glue(match, query->zone))
596 			continue;
597 
598 		/*
599 		 * Check to see if we need to generate the dependent
600 		 * based on a wildcard domain.
601 		 */
602 		while (!match->is_existing) {
603 			match = match->parent;
604 		}
605 		if (additional != match && domain_wildcard_child(match)) {
606 			domain_type *wildcard_child = domain_wildcard_child(match);
607 			domain_type *temp = (domain_type *) region_alloc(
608 				query->region, sizeof(domain_type));
609 			memcpy(&temp->node, &additional->node, sizeof(rbnode_t));
610 			temp->number = additional->number;
611 			temp->parent = match;
612 			temp->wildcard_child_closest_match = temp;
613 			temp->rrsets = wildcard_child->rrsets;
614 			temp->is_existing = wildcard_child->is_existing;
615 			additional = temp;
616 		}
617 
618 		for (j = 0; types[j].rr_type != 0; ++j) {
619 			rrset_type *rrset = domain_find_rrset(
620 				additional, query->zone, types[j].rr_type);
621 			if (rrset) {
622 				answer_add_rrset(answer, types[j].rr_section,
623 						 additional, rrset);
624 			}
625 		}
626 	}
627 }
628 
629 static int
630 answer_needs_ns(struct query* query)
631 {
632 	assert(query);
633 	/* Currently, only troublesome for DNSKEY and DS,
634          * cuz their RRSETs are quite large. */
635 	return (query->qtype != TYPE_DNSKEY && query->qtype != TYPE_DS);
636 }
637 
638 static int
639 add_rrset(struct query   *query,
640 	  answer_type    *answer,
641 	  rr_section_type section,
642 	  domain_type    *owner,
643 	  rrset_type     *rrset)
644 {
645 	int result;
646 
647 	assert(query);
648 	assert(answer);
649 	assert(owner);
650 	assert(rrset);
651 	assert(rrset_rrclass(rrset) == CLASS_IN);
652 
653 	result = answer_add_rrset(answer, section, owner, rrset);
654 	switch (rrset_rrtype(rrset)) {
655 	case TYPE_NS:
656 		add_additional_rrsets(query, answer, rrset, 0, 1,
657 				      default_additional_rr_types);
658 		break;
659 	case TYPE_MB:
660 		add_additional_rrsets(query, answer, rrset, 0, 0,
661 				      default_additional_rr_types);
662 		break;
663 	case TYPE_MX:
664 	case TYPE_KX:
665 		add_additional_rrsets(query, answer, rrset, 1, 0,
666 				      default_additional_rr_types);
667 		break;
668 	case TYPE_RT:
669 		add_additional_rrsets(query, answer, rrset, 1, 0,
670 				      rt_additional_rr_types);
671 		break;
672 	default:
673 		break;
674 	}
675 
676 	return result;
677 }
678 
679 
680 /* returns 0 on error, or the domain number for to_name.
681    from_name is changes to to_name by the DNAME rr.
682    DNAME rr is from src to dest.
683    closest encloser encloses the to_name. */
684 static uint32_t
685 query_synthesize_cname(struct query* q, struct answer* answer, const dname_type* from_name,
686 	const dname_type* to_name, domain_type* src, domain_type* to_closest_encloser,
687 	domain_type** to_closest_match)
688 {
689 	/* add temporary domains for from_name and to_name and all
690 	   their (not allocated yet) parents */
691 	/* any domains below src are not_existing (because of DNAME at src) */
692 	int i;
693 	domain_type* cname_domain;
694 	domain_type* cname_dest;
695 	rrset_type* rrset;
696 
697 	/* allocate source part */
698 	domain_type* lastparent = src;
699 	assert(q && answer && from_name && to_name && src && to_closest_encloser);
700 	assert(to_closest_match);
701 	for(i=0; i < from_name->label_count - domain_dname(src)->label_count; i++)
702 	{
703 		domain_type* newdom = query_get_tempdomain(q);
704 		if(!newdom)
705 			return 0;
706 		newdom->is_existing = 1;
707 		newdom->parent = lastparent;
708 		newdom->node.key = dname_partial_copy(q->region,
709 			from_name, domain_dname(src)->label_count + i + 1);
710 		if(dname_compare(domain_dname(newdom), q->qname) == 0) {
711 			/* 0 good for query name, otherwise new number */
712 			newdom->number = 0;
713 		}
714 		DEBUG(DEBUG_QUERY,2, (LOG_INFO, "created temp domain src %d. %s nr %d", i,
715 			dname_to_string(domain_dname(newdom), NULL),
716 			newdom->number));
717 		lastparent = newdom;
718 	}
719 	cname_domain = lastparent;
720 
721 	/* allocate dest part */
722 	lastparent = to_closest_encloser;
723 	for(i=0; i < to_name->label_count - domain_dname(to_closest_encloser)->label_count;
724 		i++)
725 	{
726 		domain_type* newdom = query_get_tempdomain(q);
727 		if(!newdom)
728 			return 0;
729 		newdom->is_existing = 0;
730 		newdom->parent = lastparent;
731 		newdom->node.key = dname_partial_copy(q->region,
732 			to_name, domain_dname(to_closest_encloser)->label_count + i + 1);
733 		DEBUG(DEBUG_QUERY,2, (LOG_INFO, "created temp domain dest %d. %s nr %d", i,
734 			dname_to_string(domain_dname(newdom), NULL),
735 			newdom->number));
736 		lastparent = newdom;
737 	}
738 	cname_dest = lastparent;
739 	*to_closest_match = cname_dest;
740 
741 	/* allocate the CNAME RR */
742 	rrset = (rrset_type*) region_alloc(q->region, sizeof(rrset_type));
743 	memset(rrset, 0, sizeof(rrset_type));
744 	rrset->zone = q->zone;
745 	rrset->rr_count = 1;
746 	rrset->rrs = (rr_type*) region_alloc(q->region, sizeof(rr_type));
747 	memset(rrset->rrs, 0, sizeof(rr_type));
748 	rrset->rrs->owner = cname_domain;
749 	rrset->rrs->ttl = 0;
750 	rrset->rrs->type = TYPE_CNAME;
751 	rrset->rrs->klass = CLASS_IN;
752 	rrset->rrs->rdata_count = 1;
753 	rrset->rrs->rdatas = (rdata_atom_type*)region_alloc(q->region,
754 		sizeof(rdata_atom_type));
755 	rrset->rrs->rdatas->domain = cname_dest;
756 
757 	if(!add_rrset(q, answer, ANSWER_SECTION, cname_domain, rrset)) {
758 		log_msg(LOG_ERR, "could not add synthesized CNAME rrset to packet");
759 	}
760 
761 	return cname_dest->number;
762 }
763 
764 /*
765  * Answer delegation information.
766  *
767  * DNSSEC: Include the DS RRset if present.  Otherwise include an NSEC
768  * record proving the DS RRset does not exist.
769  */
770 static void
771 answer_delegation(query_type *query, answer_type *answer)
772 {
773 	assert(answer);
774 	assert(query->delegation_domain);
775 	assert(query->delegation_rrset);
776 
777 	if (query->cname_count == 0) {
778 		AA_CLR(query->packet);
779 	} else {
780 		AA_SET(query->packet);
781 	}
782 
783 	add_rrset(query,
784 		  answer,
785 		  AUTHORITY_SECTION,
786 		  query->delegation_domain,
787 		  query->delegation_rrset);
788 	if (query->edns.dnssec_ok && zone_is_secure(query->zone)) {
789 		rrset_type *rrset;
790 		if ((rrset = domain_find_rrset(query->delegation_domain, query->zone, TYPE_DS))) {
791 			add_rrset(query, answer, AUTHORITY_SECTION,
792 				  query->delegation_domain, rrset);
793 #ifdef NSEC3
794 		} else if (query->zone->nsec3_soa_rr) {
795 			nsec3_answer_delegation(query, answer);
796 #endif
797 		} else if ((rrset = domain_find_rrset(query->delegation_domain, query->zone, TYPE_NSEC))) {
798 			add_rrset(query, answer, AUTHORITY_SECTION,
799 				  query->delegation_domain, rrset);
800 		}
801 	}
802 	query->domain = query->delegation_domain;
803 }
804 
805 
806 /*
807  * Answer SOA information.
808  */
809 static void
810 answer_soa(struct query *query, answer_type *answer)
811 {
812 	query->domain = query->zone->apex;
813 
814 	if (query->qclass != CLASS_ANY) {
815 		add_rrset(query, answer,
816 			  AUTHORITY_SECTION,
817 			  query->zone->apex,
818 			  query->zone->soa_nx_rrset);
819 	}
820 }
821 
822 
823 /*
824  * Answer that the domain name exists but there is no RRset with the
825  * requested type.
826  *
827  * DNSSEC: Include the correct NSEC record proving that the type does
828  * not exist.  In the wildcard no data (3.1.3.4) case the wildcard IS
829  * NOT expanded, so the ORIGINAL parameter must point to the original
830  * wildcard entry, not to the generated entry.
831  */
832 static void
833 answer_nodata(struct query *query, answer_type *answer, domain_type *original)
834 {
835 	if (query->cname_count == 0) {
836 		answer_soa(query, answer);
837 	}
838 
839 #ifdef NSEC3
840 	if (query->edns.dnssec_ok && query->zone->nsec3_soa_rr) {
841 		nsec3_answer_nodata(query, answer, original);
842 	} else
843 #endif
844 	if (query->edns.dnssec_ok && zone_is_secure(query->zone)) {
845 		domain_type *nsec_domain;
846 		rrset_type *nsec_rrset;
847 
848 		nsec_domain = find_covering_nsec(original, query->zone, &nsec_rrset);
849 		if (nsec_domain) {
850 			add_rrset(query, answer, AUTHORITY_SECTION, nsec_domain, nsec_rrset);
851 		}
852 	}
853 }
854 
855 static void
856 answer_nxdomain(query_type *query, answer_type *answer)
857 {
858 	if (query->cname_count == 0) {
859 		RCODE_SET(query->packet, RCODE_NXDOMAIN);
860 		answer_soa(query, answer);
861 	}
862 }
863 
864 
865 /*
866  * Answer domain information (or SOA if we do not have an RRset for
867  * the type specified by the query).
868  */
869 static void
870 answer_domain(struct nsd* nsd, struct query *q, answer_type *answer,
871 	      domain_type *domain, domain_type *original)
872 {
873 	rrset_type *rrset;
874 
875 	if (q->qtype == TYPE_ANY) {
876 		int added = 0;
877 		for (rrset = domain_find_any_rrset(domain, q->zone); rrset; rrset = rrset->next) {
878 			if (rrset->zone == q->zone
879 #ifdef NSEC3
880 				&& rrset_rrtype(rrset) != TYPE_NSEC3
881 #endif
882 			    /*
883 			     * Don't include the RRSIG RRset when
884 			     * DNSSEC is used, because it is added
885 			     * automatically on an per-RRset basis.
886 			     */
887 			    && !(q->edns.dnssec_ok
888 				 && zone_is_secure(q->zone)
889 				 && rrset_rrtype(rrset) == TYPE_RRSIG))
890 			{
891 				add_rrset(q, answer, ANSWER_SECTION, domain, rrset);
892 				++added;
893 			}
894 		}
895 		if (added == 0) {
896 			answer_nodata(q, answer, original);
897 			return;
898 		}
899 #ifdef NSEC3
900 	} else if (q->qtype == TYPE_NSEC3) {
901 		answer_nodata(q, answer, original);
902 		return;
903 #endif
904 	} else if ((rrset = domain_find_rrset(domain, q->zone, q->qtype))) {
905 		add_rrset(q, answer, ANSWER_SECTION, domain, rrset);
906 	} else if ((rrset = domain_find_rrset(domain, q->zone, TYPE_CNAME))) {
907 		int added;
908 
909 		/*
910 		 * If the CNAME is not added it is already in the
911 		 * answer, so we have a CNAME loop.  Don't follow the
912 		 * CNAME target in this case.
913 		 */
914 		added = add_rrset(q, answer, ANSWER_SECTION, domain, rrset);
915 		assert(rrset->rr_count > 0);
916 		if (added) {
917 			/* only process first CNAME record */
918 			domain_type *closest_match = rdata_atom_domain(rrset->rrs[0].rdatas[0]);
919 			domain_type *closest_encloser = closest_match;
920 			zone_type* origzone = q->zone;
921 			++q->cname_count;
922 
923 			while (!closest_encloser->is_existing)
924 				closest_encloser = closest_encloser->parent;
925 
926 			answer_lookup_zone(nsd, q, answer, closest_match->number,
927 					     closest_match == closest_encloser,
928 					     closest_match, closest_encloser,
929 					     domain_dname(closest_match));
930 			q->zone = origzone;
931 		}
932 		/* example 6.2.7 shows no NS-set from zone in auth (RFC1034) */
933 		q->domain = domain;
934 		return;
935 	} else {
936 		answer_nodata(q, answer, original);
937 		return;
938 	}
939 
940 	q->domain = domain;
941 
942 	if (q->qclass != CLASS_ANY && q->zone->ns_rrset && answer_needs_ns(q)) {
943 		add_rrset(q, answer, OPTIONAL_AUTHORITY_SECTION, q->zone->apex,
944 			  q->zone->ns_rrset);
945 	}
946 }
947 
948 
949 /*
950  * Answer with authoritative data.  If a wildcard is matched the owner
951  * name will be expanded to the domain name specified by
952  * DOMAIN_NUMBER.  DOMAIN_NUMBER 0 (zero) is reserved for the original
953  * query name.
954  *
955  * DNSSEC: Include the necessary NSEC records in case the request
956  * domain name does not exist and/or a wildcard match does not exist.
957  */
958 static void
959 answer_authoritative(struct nsd   *nsd,
960 		     struct query *q,
961 		     answer_type  *answer,
962 		     uint32_t      domain_number,
963 		     int           exact,
964 		     domain_type  *closest_match,
965 		     domain_type  *closest_encloser,
966 		     const dname_type *qname)
967 {
968 	domain_type *match;
969 	domain_type *original = closest_match;
970 	rrset_type *rrset;
971 
972 #ifdef NSEC3
973 	if(exact && domain_has_only_NSEC3(closest_match, q->zone)) {
974 		exact = 0; /* pretend it does not exist */
975 		if(closest_encloser->parent)
976 			closest_encloser = closest_encloser->parent;
977 	}
978 #endif /* NSEC3 */
979 
980 	if (exact) {
981 		match = closest_match;
982 	} else if ((rrset=domain_find_rrset(closest_encloser, q->zone, TYPE_DNAME))) {
983 		/* process DNAME */
984 		const dname_type* name = qname;
985 		domain_type *dest = rdata_atom_domain(rrset->rrs[0].rdatas[0]);
986 		int added;
987 		assert(rrset->rr_count > 0);
988 		if(domain_number != 0) /* we followed CNAMEs or DNAMEs */
989 			name = domain_dname(closest_match);
990 		DEBUG(DEBUG_QUERY,2, (LOG_INFO, "expanding DNAME for q=%s", dname_to_string(name, NULL)));
991 		DEBUG(DEBUG_QUERY,2, (LOG_INFO, "->src is %s",
992 			dname_to_string(domain_dname(closest_encloser), NULL)));
993 		DEBUG(DEBUG_QUERY,2, (LOG_INFO, "->dest is %s",
994 			dname_to_string(domain_dname(dest), NULL)));
995 		/* if the DNAME set is not added we have a loop, do not follow */
996 		added = add_rrset(q, answer, ANSWER_SECTION, closest_encloser, rrset);
997 		if(added) {
998 			domain_type* src = closest_encloser;
999 			const dname_type* newname = dname_replace(q->region, name,
1000 				domain_dname(src), domain_dname(dest));
1001 			uint32_t newnum = 0;
1002 			zone_type* origzone = q->zone;
1003 			++q->cname_count;
1004 			if(!newname) { /* newname too long */
1005 				RCODE_SET(q->packet, RCODE_YXDOMAIN);
1006 				return;
1007 			}
1008 			DEBUG(DEBUG_QUERY,2, (LOG_INFO, "->result is %s", dname_to_string(newname, NULL)));
1009 			/* follow the DNAME */
1010 			exact = namedb_lookup(nsd->db, newname, &closest_match, &closest_encloser);
1011 			/* synthesize CNAME record */
1012 			newnum = query_synthesize_cname(q, answer, name, newname,
1013 				src, closest_encloser, &closest_match);
1014 			if(!newnum) {
1015 				/* could not synthesize the CNAME. */
1016 				/* return previous CNAMEs to make resolver recurse for us */
1017 				return;
1018 			}
1019 
1020 			while (closest_encloser && !closest_encloser->is_existing)
1021 				closest_encloser = closest_encloser->parent;
1022 			answer_lookup_zone(nsd, q, answer, newnum,
1023 				closest_match == closest_encloser,
1024 				closest_match, closest_encloser, newname);
1025 			q->zone = origzone;
1026 		}
1027 		if(!added)  /* log the error so operator can find looping recursors */
1028 			log_msg(LOG_INFO, "DNAME processing stopped due to loop, qname %s",
1029 				dname_to_string(q->qname, NULL));
1030 		return;
1031 	} else if (domain_wildcard_child(closest_encloser)) {
1032 		/* Generate the domain from the wildcard.  */
1033 		domain_type *wildcard_child = domain_wildcard_child(closest_encloser);
1034 
1035 		match = (domain_type *) region_alloc(q->region,
1036 						     sizeof(domain_type));
1037 		memcpy(&match->node, &wildcard_child->node, sizeof(rbnode_t));
1038 		match->parent = closest_encloser;
1039 		match->wildcard_child_closest_match = match;
1040 		match->number = domain_number;
1041 		match->rrsets = wildcard_child->rrsets;
1042 		match->is_existing = wildcard_child->is_existing;
1043 #ifdef NSEC3
1044 		match->nsec3_cover = wildcard_child->nsec3_cover;
1045 #ifdef FULL_PREHASH
1046 		match->nsec3_is_exact = wildcard_child->nsec3_is_exact;
1047 		match->nsec3_wcard_child_cover = wildcard_child->nsec3_wcard_child_cover;
1048 		match->nsec3_ds_parent_is_exact = wildcard_child->nsec3_ds_parent_is_exact;
1049 		match->nsec3_ds_parent_cover = wildcard_child->nsec3_ds_parent_cover;
1050 #endif
1051 		if (q->edns.dnssec_ok && q->zone->nsec3_soa_rr) {
1052 			/* Only add nsec3 wildcard data when do bit is set */
1053 			nsec3_answer_wildcard(q, answer, wildcard_child, nsd->db, qname);
1054 		}
1055 #endif
1056 
1057 		/*
1058 		 * Remember the original domain in case a Wildcard No
1059 		 * Data (3.1.3.4) response needs to be generated.  In
1060 		 * this particular case the wildcard IS NOT
1061 		 * expanded.
1062 		 */
1063 		original = wildcard_child;
1064 	} else {
1065 		match = NULL;
1066 	}
1067 
1068 	/* Authorative zone.  */
1069 #ifdef NSEC3
1070 	if (q->edns.dnssec_ok && q->zone->nsec3_soa_rr) {
1071 		nsec3_answer_authoritative(&match, q, answer,
1072 			closest_encloser, nsd->db, qname);
1073 	} else
1074 #endif
1075 	if (q->edns.dnssec_ok && zone_is_secure(q->zone)) {
1076 		if (match != closest_encloser) {
1077 			domain_type *nsec_domain;
1078 			rrset_type *nsec_rrset;
1079 
1080 			/*
1081 			 * No match found or generated from wildcard,
1082 			 * include NSEC record.
1083 			 */
1084 			nsec_domain = find_covering_nsec(closest_match, q->zone, &nsec_rrset);
1085 			if (nsec_domain) {
1086 				add_rrset(q, answer, AUTHORITY_SECTION, nsec_domain, nsec_rrset);
1087 			}
1088 		}
1089 		if (!match) {
1090 			domain_type *nsec_domain;
1091 			rrset_type *nsec_rrset;
1092 
1093 			/*
1094 			 * No match and no wildcard.  Include NSEC
1095 			 * proving there is no wildcard.
1096 			 */
1097 			nsec_domain = find_covering_nsec(closest_encloser->wildcard_child_closest_match, q->zone, &nsec_rrset);
1098 			if (nsec_domain) {
1099 				add_rrset(q, answer, AUTHORITY_SECTION, nsec_domain, nsec_rrset);
1100 			}
1101 		}
1102 	}
1103 
1104 #ifdef NSEC3
1105 	if (RCODE(q->packet)!=RCODE_OK) {
1106 		return; /* nsec3 collision failure */
1107 	}
1108 #endif
1109 	if (match) {
1110 		answer_domain(nsd, q, answer, match, original);
1111 	} else {
1112 		answer_nxdomain(q, answer);
1113 	}
1114 }
1115 
1116 /*
1117  * qname may be different after CNAMEs have been followed from query->qname.
1118  */
1119 static void
1120 answer_lookup_zone(struct nsd *nsd, struct query *q, answer_type *answer,
1121 	uint32_t domain_number, int exact, domain_type *closest_match,
1122 	domain_type *closest_encloser, const dname_type *qname)
1123 {
1124 	q->zone = domain_find_zone(closest_encloser);
1125 	if (!q->zone) {
1126 		if(q->cname_count == 0)
1127 			RCODE_SET(q->packet, RCODE_SERVFAIL);
1128 		return;
1129 	}
1130 
1131 	/*
1132 	 * See RFC 4035 (DNSSEC protocol) section 3.1.4.1 Responding
1133 	 * to Queries for DS RRs.
1134 	 */
1135 	if (exact && q->qtype == TYPE_DS && closest_encloser == q->zone->apex) {
1136 		/*
1137 		 * Type DS query at a zone cut, use the responsible
1138 		 * parent zone to generate the answer if we are
1139 		 * authoritative for the parent zone.
1140 		 */
1141 		zone_type *zone = domain_find_parent_zone(q->zone);
1142 		if (zone)
1143 			q->zone = zone;
1144 	}
1145 
1146 	/* see if the zone has expired (for secondary zones) */
1147 	if(q->zone && q->zone->opts && zone_is_slave(q->zone->opts)
1148 		&& !q->zone->is_ok) {
1149 		if(q->cname_count == 0)
1150 			RCODE_SET(q->packet, RCODE_SERVFAIL);
1151 		return;
1152 	}
1153 
1154 	if (exact && q->qtype == TYPE_DS && closest_encloser == q->zone->apex) {
1155 		/*
1156 		 * Type DS query at the zone apex (and the server is
1157 		 * not authoratitive for the parent zone).
1158 		 */
1159 		if (q->qclass == CLASS_ANY) {
1160 			AA_CLR(q->packet);
1161 		} else {
1162 			AA_SET(q->packet);
1163 		}
1164 		answer_nodata(q, answer, closest_encloser);
1165 	} else {
1166 		q->delegation_domain = domain_find_ns_rrsets(
1167 			closest_encloser, q->zone, &q->delegation_rrset);
1168 
1169 		if (!q->delegation_domain
1170 		    || (exact && q->qtype == TYPE_DS && closest_encloser == q->delegation_domain))
1171 		{
1172 			if (q->qclass == CLASS_ANY) {
1173 				AA_CLR(q->packet);
1174 			} else {
1175 				AA_SET(q->packet);
1176 			}
1177 			answer_authoritative(nsd, q, answer, domain_number, exact,
1178 					     closest_match, closest_encloser, qname);
1179 		}
1180 		else {
1181 			answer_delegation(q, answer);
1182 		}
1183 	}
1184 }
1185 
1186 static void
1187 answer_query(struct nsd *nsd, struct query *q)
1188 {
1189 	domain_type *closest_match;
1190 	domain_type *closest_encloser;
1191 	int exact;
1192 	uint16_t offset;
1193 	answer_type answer;
1194 
1195 	answer_init(&answer);
1196 
1197 	exact = namedb_lookup(nsd->db, q->qname, &closest_match, &closest_encloser);
1198 	if (!closest_encloser->is_existing) {
1199 		exact = 0;
1200 		while (closest_encloser != NULL && !closest_encloser->is_existing)
1201 			closest_encloser = closest_encloser->parent;
1202 	}
1203 	if(!closest_encloser) {
1204 		RCODE_SET(q->packet, RCODE_SERVFAIL);
1205 		return;
1206 	}
1207 
1208 	q->domain = closest_encloser;
1209 	answer_lookup_zone(nsd, q, &answer, 0, exact, closest_match,
1210 		closest_encloser, q->qname);
1211 
1212 	ZTATUP2(q->zone, opcode, q->opcode);
1213 	ZTATUP2(q->zone, qtype, q->qtype);
1214 	ZTATUP2(q->zone, opcode, q->qclass);
1215 
1216 	offset = dname_label_offsets(q->qname)[domain_dname(closest_encloser)->label_count - 1] + QHEADERSZ;
1217 	query_add_compression_domain(q, closest_encloser, offset);
1218 	encode_answer(q, &answer);
1219 	query_clear_compression_tables(q);
1220 }
1221 
1222 void
1223 query_prepare_response(query_type *q)
1224 {
1225 	uint16_t flags;
1226 
1227 	/*
1228 	 * Preserve the data up-to the current packet's limit.
1229 	 */
1230 	buffer_set_position(q->packet, buffer_limit(q->packet));
1231 	buffer_set_limit(q->packet, buffer_capacity(q->packet));
1232 
1233 	/*
1234 	 * Reserve space for the EDNS records if required.
1235 	 */
1236 	q->reserved_space = edns_reserved_space(&q->edns);
1237 	q->reserved_space += tsig_reserved_space(&q->tsig);
1238 
1239 	/* Update the flags.  */
1240 	flags = FLAGS(q->packet);
1241 	flags &= 0x0100U;	/* Preserve the RD flag.  */
1242 				/* CD flag must be cleared for auth answers */
1243 	flags |= 0x8000U;	/* Set the QR flag.  */
1244 	FLAGS_SET(q->packet, flags);
1245 }
1246 
1247 /*
1248  * Processes the query.
1249  *
1250  */
1251 query_state_type
1252 query_process(query_type *q, nsd_type *nsd)
1253 {
1254 	/* The query... */
1255 	nsd_rc_type rc;
1256 	query_state_type query_state;
1257 	uint16_t arcount;
1258 
1259 	/* Sanity checks */
1260 	if (buffer_limit(q->packet) < QHEADERSZ) {
1261 		/* packet too small to contain DNS header.
1262 		Now packet investigation macros will work without problems. */
1263 		return QUERY_DISCARDED;
1264 	}
1265 	if (QR(q->packet)) {
1266 		/* Not a query? Drop it on the floor. */
1267 		return QUERY_DISCARDED;
1268 	}
1269 
1270 	if (RCODE(q->packet) != RCODE_OK || !process_query_section(q)) {
1271 		return query_formerr(q);
1272 	}
1273 
1274 	/* Update statistics.  */
1275 	STATUP2(nsd, opcode, q->opcode);
1276 	STATUP2(nsd, qtype, q->qtype);
1277 	STATUP2(nsd, qclass, q->qclass);
1278 
1279 	if (q->opcode != OPCODE_QUERY) {
1280 		if (q->opcode == OPCODE_NOTIFY) {
1281 			return answer_notify(nsd, q);
1282 		} else {
1283 			return query_error(q, NSD_RC_IMPL);
1284 		}
1285 	}
1286 
1287 	/* Dont bother to answer more than one question at once... */
1288 	if (QDCOUNT(q->packet) != 1) {
1289 		FLAGS_SET(q->packet, 0);
1290 		return query_formerr(q);
1291 	}
1292 	/* Ignore settings of flags */
1293 
1294 	/* Dont allow any records in the answer or authority section...
1295 	   except for IXFR queries. */
1296 	if (ANCOUNT(q->packet) != 0 ||
1297 		(q->qtype!=TYPE_IXFR && NSCOUNT(q->packet) != 0)) {
1298 		return query_formerr(q);
1299 	}
1300 	if(q->qtype==TYPE_IXFR && NSCOUNT(q->packet) > 0) {
1301 		int i; /* skip ixfr soa information data here */
1302 		for(i=0; i< NSCOUNT(q->packet); i++)
1303 			if(!packet_skip_rr(q->packet, 0))
1304 				return query_formerr(q);
1305 	}
1306 
1307 	arcount = ARCOUNT(q->packet);
1308 	if (arcount > 0) {
1309 		/* see if tsig is before edns record */
1310 		if (!tsig_parse_rr(&q->tsig, q->packet))
1311 			return query_formerr(q);
1312 		if(q->tsig.status != TSIG_NOT_PRESENT)
1313 			--arcount;
1314 	}
1315 	if (arcount > 0) {
1316 		if (edns_parse_record(&q->edns, q->packet))
1317 			--arcount;
1318 	}
1319 	if (arcount > 0 && q->tsig.status == TSIG_NOT_PRESENT) {
1320 		/* see if tsig is after the edns record */
1321 		if (!tsig_parse_rr(&q->tsig, q->packet))
1322 			return query_formerr(q);
1323 		if(q->tsig.status != TSIG_NOT_PRESENT)
1324 			--arcount;
1325 	}
1326 	if (arcount > 0) {
1327 		return query_formerr(q);
1328 	}
1329 
1330 	/* Do we have any trailing garbage? */
1331 #ifdef	STRICT_MESSAGE_PARSE
1332 	if (buffer_remaining(q->packet) > 0) {
1333 		/* If we're strict.... */
1334 		return query_formerr(q);
1335 	}
1336 #endif
1337 	/* Remove trailing garbage.  */
1338 	buffer_set_limit(q->packet, buffer_position(q->packet));
1339 
1340 	rc = process_tsig(q);
1341 	if (rc != NSD_RC_OK) {
1342 		return query_error(q, rc);
1343 	}
1344 	rc = process_edns(nsd, q);
1345 	if (rc != NSD_RC_OK) {
1346 		/* We should not return FORMERR, but BADVERS (=16).
1347 		 * BADVERS is created with Ext. RCODE, followed by RCODE.
1348 		 * Ext. RCODE is set to 1, RCODE must be 0 (getting 0x10 = 16).
1349 		 * Thus RCODE = NOERROR = NSD_RC_OK. */
1350 		return query_error(q, NSD_RC_OK);
1351 	}
1352 
1353 	query_prepare_response(q);
1354 
1355 	if (q->qclass != CLASS_IN && q->qclass != CLASS_ANY) {
1356 		if (q->qclass == CLASS_CH) {
1357 			return answer_chaos(nsd, q);
1358 		} else {
1359 			return query_error(q, NSD_RC_REFUSE);
1360 		}
1361 	}
1362 
1363 	query_state = answer_axfr_ixfr(nsd, q);
1364 	if (query_state == QUERY_PROCESSED || query_state == QUERY_IN_AXFR) {
1365 		return query_state;
1366 	}
1367 
1368 	answer_query(nsd, q);
1369 
1370 	return QUERY_PROCESSED;
1371 }
1372 
1373 void
1374 query_add_optional(query_type *q, nsd_type *nsd)
1375 {
1376 	struct edns_data *edns = &nsd->edns_ipv4;
1377 #if defined(INET6)
1378 	if (q->addr.ss_family == AF_INET6) {
1379 		edns = &nsd->edns_ipv6;
1380 	}
1381 #endif
1382 	switch (q->edns.status) {
1383 	case EDNS_NOT_PRESENT:
1384 		break;
1385 	case EDNS_OK:
1386 		if (q->edns.dnssec_ok)	edns->ok[7] = 0x80;
1387 		else			edns->ok[7] = 0x00;
1388 		buffer_write(q->packet, edns->ok, OPT_LEN);
1389 		if (nsd->nsid_len > 0 && q->edns.nsid == 1 &&
1390 				!query_overflow_nsid(q, nsd->nsid_len)) {
1391 			/* rdata length */
1392 			buffer_write(q->packet, edns->rdata_nsid, OPT_RDATA);
1393 			/* nsid opt header */
1394 			buffer_write(q->packet, edns->nsid, OPT_HDR);
1395 			/* nsid payload */
1396 			buffer_write(q->packet, nsd->nsid, nsd->nsid_len);
1397 		}  else {
1398 			/* fill with NULLs */
1399 			buffer_write(q->packet, edns->rdata_none, OPT_RDATA);
1400 		}
1401 		ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
1402 		STATUP(nsd, edns);
1403 		ZTATUP(q->zone, edns);
1404 		break;
1405 	case EDNS_ERROR:
1406 		if (q->edns.dnssec_ok)	edns->error[7] = 0x80;
1407 		else			edns->error[7] = 0x00;
1408 		buffer_write(q->packet, edns->error, OPT_LEN);
1409 		buffer_write(q->packet, edns->rdata_none, OPT_RDATA);
1410 		ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
1411 		STATUP(nsd, ednserr);
1412 		ZTATUP(q->zone, ednserr);
1413 		break;
1414 	}
1415 
1416 	if (q->tsig.status != TSIG_NOT_PRESENT) {
1417 		if (q->tsig.status == TSIG_ERROR ||
1418 			q->tsig.error_code != TSIG_ERROR_NOERROR) {
1419 			tsig_error_reply(&q->tsig);
1420 			tsig_append_rr(&q->tsig, q->packet);
1421 			ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
1422 		} else if(q->tsig.status == TSIG_OK &&
1423 			q->tsig.error_code == TSIG_ERROR_NOERROR)
1424 		{
1425 			if(q->tsig_prepare_it)
1426 				tsig_prepare(&q->tsig);
1427 			if(q->tsig_update_it)
1428 				tsig_update(&q->tsig, q->packet, buffer_position(q->packet));
1429 			if(q->tsig_sign_it) {
1430 				tsig_sign(&q->tsig);
1431 				tsig_append_rr(&q->tsig, q->packet);
1432 				ARCOUNT_SET(q->packet, ARCOUNT(q->packet) + 1);
1433 			}
1434 		}
1435 	}
1436 }
1437