Handle query retry on REFUSED or SERVFAIL for DNSSEC-generated queries.

a0088e83 · Simon Kelley · 34e26e14 · a0088e83
Commit a0088e83 authored May 10, 2018 by Simon Kelley
Show whitespace changes
Inline Side-by-side

Showing with 40 additions and 6 deletions

src/forward.c src/forward.c +40 -6

No files found.
--- a/src/forward.c
+++ b/src/forward.c
@@ -298,7 +298,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
 		fd = forward->rfd4->fd;
 	    }
 	  
-	  while (retry_send( sendto(fd, (char *)header, plen, 0,
+	  while (retry_send(sendto(fd, (char *)header, plen, 0,
 				   &forward->sentto->addr.sa,
 				   sa_len(&forward->sentto->addr))));
 	  
@@ -805,7 +805,6 @@ void reply_query(int fd, int family, time_t now)
 	      (void *)header, n, &serveraddr, NULL);
 #endif

-  
  /* log_query gets called indirectly all over the place, so 
     pass these in global variables - sorry. */
  daemon->log_display_id = forward->log_id;
@@ -826,6 +825,40 @@ void reply_query(int fd, int family, time_t now)
      size_t plen;
      int is_sign;

+      /* For DNSSEC originated queries, just retry the query to the same server. */
+      if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY))
+	{
+	  blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
+	  plen = forward->stash_len;
+
+	  forward->forwardall = 2; /* only retry once */
+	  
+	  if (forward->sentto->addr.sa.sa_family == AF_INET) 
+	    log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec");
+#ifdef HAVE_IPV6
+	  else
+	    log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec");
+#endif
+  
+	  if (forward->sentto->sfd)
+	    fd = forward->sentto->sfd->fd;
+	  else
+	    {
+#ifdef HAVE_IPV6
+	      if (forward->sentto->addr.sa.sa_family == AF_INET6)
+		fd = forward->rfd6->fd;
+	      else
+#endif
+		fd = forward->rfd4->fd;
+	    }
+	  
+	  while (retry_send(sendto(fd, (char *)header, plen, 0,
+				   &forward->sentto->addr.sa,
+				   sa_len(&forward->sentto->addr))));
+	  
+	  return;
+	}
+	  
      /* In strict order mode, there must be a server later in the chain
 	 left to send to, otherwise without the forwardall mechanism,
 	 code further on will cycle around the list forwever if they
@@ -1017,7 +1050,8 @@ void reply_query(int fd, int family, time_t now)
 #ifdef HAVE_IPV6
 		      new->rfd6 = NULL;
 #endif
-		      new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY);
+		      new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA);
+		      new->forwardall = 0;
 		      
 		      new->dependent = forward; /* to find query awaiting new one. */
 		      forward->blocking_query = new; /* for garbage cleaning */