mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00

Merge branch 'v9_17_19-release' into 'main'

Merge 9.17.19 release branch

See merge request isc-projects/bind9!5535
This commit is contained in:
Michał Kępień 2021-10-28 10:10:20 +00:00
commit 11232eb500
11 changed files with 241 additions and 148 deletions

View File

@ -76,10 +76,9 @@
- [ ] ***(Support)*** Send eligible customers updated links to the Subscription Edition (update the -S edition delivery tickets, even if those links were provided earlier via an ASN ticket).
- [ ] ***(Support)*** Update tickets in case of waiting support customers.
- [ ] ***(QA)*** Build and test any outstanding private packages.
- [ ] ***(QA)*** Build RPMs, update Cloudsmith repos
- [ ] ***(Ondrej/Sweng) *** Build/update Ubuntu launchpad
- [ ] ***(Ondrej/Sweng) *** Build/update Debian images
- [ ] ***(Ondrej/Sweng) *** Build/update Docker files
- [ ] ***(QA)*** Build public RPMs.
- [ ] ***(SwEng) *** Build Debian/Ubuntu packages.
- [ ] ***(SwEng) *** Update Docker images.
- [ ] ***(QA)*** Inform Marketing of the release.
- [ ] ***(QA)*** Update the internal [BIND release dates wiki page](https://wiki.isc.org/bin/view/Main/BindReleaseDates) when public announcement has been made.
- [ ] ***(Marketing)*** Post short note to Twitter.

CHANGES

@ -1,3 +1,6 @@
5752. [bug] Fix an assertion failure caused by missing member zones
during a reload of a catalog zone. [GL #2308]
5751. [port] Add support for OpenSSL 3.0.0. OpenSSL 3.0.0
deprecated 'engine' support. If OpenSSL 3.0.0 has
been built without support for deprecated functionality
@ -65,7 +68,13 @@
5737. [bug] Address Coverity warning in lib/dns/dnssec.c.
[GL #2935]
5736. [placeholder]
--- 9.17.19 released ---
5736. [security] The "lame-ttl" option is now forcibly set to 0. This
effectively disables the lame server cache, as it could
previously be abused by an attacker to significantly
degrade resolver performance. (CVE-2021-25219)
[GL #2899]
5735. [cleanup] The result codes which BIND 9 uses internally are now
all defined as a single list of enum values rather than
@ -74,103 +83,99 @@
functions operating on result codes, and makes result
codes more debugger-friendly. [GL #719]
5734. [bug] Fix "dig" aborting with error in some cases
like when doing zone transfers. [GL #2884]
5734. [bug] Fix intermittent assertion failures in dig which were
triggered during zone transfers. [GL #2884]
5733. [func] Require "dot" ALPN token to be negotiated for
zone transfers over TLS (XoT), as required by RFC9103.
[GL #2794]
5733. [func] Require the "dot" Application-Layer Protocol Negotiation
(ALPN) token to be selected in the TLS handshake for
zone transfers over TLS (XoT), as required by RFC 9103
section 7.1. [GL #2794]
5732. [cleanup] Remove dns_lib_init() and _shutdown() and
ns_lib_init() and _shutdown() functions, as they
5732. [cleanup] Remove the dns_lib_init(), dns_lib_shutdown(),
ns_lib_init(), and ns_lib_shutdown() functions, as they
no longer served any useful purpose. [GL #88]
5731. [bug] Do not allow defining "http" clauses named
"default". [GL #2925]
5731. [bug] Disallow defining "http" configuration clauses called
"default" as they were silently ignored. [GL #2925]
5730. [func] The resolver and the request and dispatch managers
have been substantially refactored, and are now
based on the network manager instead of the old
isc_socket API. All outgoing DNS queries and
requests now use the new API; isc_socket is only
used to monitor for network interface changes.
[GL #2401]
5730. [func] The resolver and the request and dispatch managers have
been substantially refactored, and are now based on the
network manager instead of the old isc_socket API. All
outgoing DNS queries and requests now use the new API;
isc_socket is only used to monitor for network interface
changes. [GL #2401]
5729. [func] Allow finer control over the TLS protocol by
implementing more options within "tls" clauses, namely:
- Diffie-Hellman parameters via
'dhparam-file "<path_to_file>";'
- OpenSSL cipher list string via
'ciphers "<cipher_list>";'
- Server or client ciphers preference via
'prefer-server-ciphers yes|no;'
- Ability to explicitly enable or disable stateless
TLS session tickets via 'session-tickets yes|no;'
The options are enough to implement perfect forward
secrecy in DNS-over-TLS, DNS-over-HTTPS transports.
Most of these options were no-op before this
change. [GL #2796]
5729. [func] Allow finer control over TLS protocol configuration by
implementing new options for "tls" configuration clauses
("dhparam-file", "ciphers", "prefer-server-ciphers",
"session-tickets"). These options make achieving perfect
forward secrecy (PFS) possible for DNS-over-TLS (DoT)
and DNS-over-HTTPS (DoH). [GL #2796]
5728. [func] Allow specifying supported TLS protocol
versions within "tls" clauses
(e.g. protocols { TLSv1.2; TLSv1.3; };). [GL #2795]
5728. [func] Allow specifying supported TLS protocol versions for
each "tls" configuration clause. [GL #2795]
5727. [bug] Ignore the missing zones when doing a reload on a
catalog zone, and make sure to restore them later on.
[GL #2308]
5727. [placeholder]
5726. [bug] Fix heap use after free when cheking for "http"
clauses duplicates. [GL #2924]
5726. [bug] Fix a use-after-free bug which was triggered while
checking for duplicate "http" configuration clauses.
[GL #2924]
5725. [bug] Validate HTTP path passed to dig. [GL #2923]
5725. [bug] Fix an assertion failure triggered by passing an invalid
HTTP path to dig. [GL #2923]
5724. [bug] Address potential dead lock when checking zone
content consistency. [GL #2908]
5724. [bug] Address a potential deadlock when checking zone content
consistency. [GL #2908]
5723. [bug] Backwards compatiblity for 'check-names master' and
'check-names slave' was accidentally broken. [GL #2911]
5723. [bug] Change 5709 broke backward compatibility for the
"check-names master ..." and "check-names slave ..."
options. This has been fixed. [GL #2911]
5722. [bug] Preserve the contents of TCPDNS and TLSDNS receive
buffer when growing the buffer size. [GL #2917]
5722. [bug] Preserve the contents of the receive buffer for TCPDNS
and TLSDNS when growing its size. [GL #2917]
5721. [func] New isc_mem_reget() realloc-like function was
introduced into the libisc API, and zero-sized
allocations now return non-NULL pointers. [GL !5440]
5721. [func] A new realloc()-like function, isc_mem_reget(), was
added to the libisc API for resizing memory chunks
allocated using isc_mem_get(). Memory (re)allocation
functions are now guaranteed to return non-NULL pointers
for zero-sized allocation requests. [GL !5440]
5720. [contrib] Remove old-style DLZ drivers that had to be enabled
during compile time. [GL #2814]
5720. [contrib] Remove old-style DLZ drivers that had to be enabled at
build time. [GL #2814]
5719. [func] The "masterfile-format" format "map" has been removed.
5719. [func] Remove support for the "map" zone file format.
[GL #2882]
5718. [bug] Changing the sig signing type, by specifing
sig-signing-type, failed as the configuration was
incorrectly rejected. [GL #2906]
5718. [bug] The "sig-signing-type" zone configuration option was
processed incorrectly, causing valid configurations to
be rejected. This has been fixed. [GL #2906]
5717. [func] The "cache-file" option, which was documented as
for testing purposes only and not to be used,
has been removed. [GL #2903]
5717. [func] The "cache-file" option, which was documented as "for
testing purposes only" and not to be used, has been
removed. [GL #2903]
5716. [placeholder]
5715. [func] Add a check when the *-source(-v6) clashes with the
global listening port. Such a configuration was already
forbidden, but it failed silently. [GL #2888]
5715. [func] Add a check for ports specified in "*-source(-v6)"
options clashing with a global listening port. Such a
configuration was already unsupported, but it failed
silently; it is now treated as an error. [GL #2888]
5714. [bug] Remove the "adjust interface" mechanism that
set up a listener on interfaces where the *-source(-v6)
address and port were the same as the listening
address and port. Such a configuration is no longer
supported; in practice, this would disable
listening on TCP ports under certain timing conditions.
5714. [bug] Remove the "adjust interface" mechanism which was
responsible for setting up listeners on interfaces when
the "*-source(-v6)" address and port were the same as
the "listen-on(-v6)" address and port. Such a
configuration is no longer supported; under certain
timing conditions, that mechanism could prevent named
from listening on some TCP ports. This has been fixed.
[GL #2852]
5713. [func] Added "primaries" as a synonym for "masters" and
5713. [func] Add "primaries" as a synonym for "masters" and
"default-primaries" as a synonym for "default-masters"
for catalog zones configuration options. [GL #2818]
in catalog zone configuration options. [GL #2818]
5712. [func] Remove native PKCS#11 support in favor of OpenSSL
engine_pkcs11 from the OpenSC project. [GL #2691]
5712. [func] Remove native PKCS#11 support in favor of engine_pkcs11
from the OpenSC project. [GL #2691]
--- 9.17.18 released ---
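Review bot: 5727 is reduced to [placeholder] while the same GL #2308 fix reappears as 5752 above the "--- 9.17.19 released ---" marker, so this file now records the catalog-zone fix as a post-9.17.19 change; that is internally consistent, but the matching release note must then survive in notes-current.rst rather than be deleted (see the notes-current.rst hunk). Separately, the rewrites of 5728 and 5729 drop the option syntax that the old entries carried (`protocols { TLSv1.2; TLSv1.3; };`, `dhparam-file "<path_to_file>";`, `ciphers`, `prefer-server-ciphers`, `session-tickets`); that is acceptable only because doc/notes/notes-9.17.19.rst repeats the same syntax, so keep the two in sync.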

View File

@ -151,7 +151,7 @@ options {\n\
fetches-per-server 0;\n\
fetches-per-zone 0;\n\
glue-cache yes;\n\
lame-ttl 600;\n"
lame-ttl 0;\n"
#ifdef HAVE_LMDB
" lmdb-mapsize 32M;\n"
#endif /* ifdef HAVE_LMDB */
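Review bot: with the built-in default changed to `lame-ttl 0;`, a configuration that never mentions lame-ttl takes the override path silently, while one that sets the previous default of 600 gets a warning on every load; that asymmetry is fine, but the warning text should say the option is now ignored, not merely discouraged, or operators will keep tuning it. Keep this default in place: the INSIST on named_config_get() in configure_view() depends on the builtin configuration defining lame-ttl.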

View File

@ -4806,8 +4806,11 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
result = named_config_get(maps, "lame-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
lame_ttl = cfg_obj_asduration(obj);
if (lame_ttl > 1800) {
lame_ttl = 1800;
if (lame_ttl > 0) {
cfg_obj_log(obj, named_g_lctx, ISC_LOG_WARNING,
"disabling lame cache despite lame-ttl > 0 as it "
"may cause performance issues");
lame_ttl = 0;
}
dns_resolver_setlamettl(view->resolver, lame_ttl);
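Review bot: the clamp-to-1800 branch becomes a force-to-0 branch, so dns_resolver_setlamettl() is now always called with 0 from named and the lame cache is unreachable whatever the configuration says; that matches the advisory. Two points: the warning is emitted from configure_view() in bin/named/server.c, so named-checkconf will not flag a non-zero lame-ttl, and a check in the config checker would catch it before a reload; and the message "disabling lame cache despite lame-ttl > 0 as it may cause performance issues" should name the reason (CVE-2021-25219) so that anyone grepping logs after the upgrade understands why their setting is being overridden.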

View File

@ -14,7 +14,7 @@
#
m4_define([bind_VERSION_MAJOR], 9)dnl
m4_define([bind_VERSION_MINOR], 17)dnl
m4_define([bind_VERSION_PATCH], 18)dnl
m4_define([bind_VERSION_PATCH], 19)dnl
m4_define([bind_VERSION_EXTRA], )dnl
m4_define([bind_DESCRIPTION], [(Development Release)])dnl
m4_define([bind_SRCID], [m4_esyscmd_s([git rev-parse --short HEAD | cut -b1-7])])dnl

View File

@ -52,6 +52,7 @@ https://www.isc.org/download/. There you will find additional
information about each release, and source code.
.. include:: ../notes/notes-current.rst
.. include:: ../notes/notes-9.17.19.rst
.. include:: ../notes/notes-9.17.18.rst
.. include:: ../notes/notes-9.17.17.rst
.. include:: ../notes/notes-9.17.16.rst

View File

@ -22,10 +22,13 @@ library which provides a low-level PKCS#11 interface to drive the HSM
hardware. The PKCS#11 provider library comes from the HSM vendor, and it
is specific to the HSM to be controlled.
BIND 9 uses OpenSSL engine_pkcs11 from the OpenSC project. The engine is
dynamically loaded into OpenSSL and the HSM is operated indirectly; any
cryptographic operations not supported by the HSM can be carried out by OpenSSL
instead.
BIND 9 uses engine_pkcs11 for PKCS#11. engine_pkcs11 is an OpenSSL
engine which is part of the `OpenSC`_ project. The engine is dynamically
loaded into OpenSSL and the HSM is operated indirectly; any
cryptographic operations not supported by the HSM can be carried out by
OpenSSL instead.
.. _OpenSC: https://github.com/OpenSC/libp11
Prerequisites
~~~~~~~~~~~~~
@ -93,22 +96,26 @@ going to copy the global OpenSSL configuration (often found in
``etc/ssl/openssl.conf``) and customize it to use engines_pkcs11.
::
cp /etc/ssl/openssl.cnf /opt/bind9/etc/openssl.cnf
and export the environment variable:
::
export OPENSSL_CONF=/opt/bind9/etc/openssl.cnf
Now add following line at the top of file, before any sections (in square
brackets) are defined:
::
openssl_conf = openssl_init
And add following lines at the bottom of the file:
::
[openssl_init]
engines=engine_section
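Review bot: the unchanged context line at the top of this hunk still says "customize it to use engines_pkcs11"; the engine is engine_pkcs11 everywhere else in the section, so fix the typo while this paragraph is being touched. Also, because the copied openssl.cnf loads an engine for every OpenSSL consumer that inherits OPENSSL_CONF, the text should tell the reader to export the variable only in named's environment (for example in its service unit), not in a global profile.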
@ -153,31 +160,37 @@ name of the PKCS#11 object (called label when generating the keys using
Convert the KSK:
::
dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net
and ZSK:
::
dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "token=bind9;object=example.net-zsk;pin-value=0000" example.net
NOTE: you can use PIN stored on disk, by specifying ``pin-source=<path_to>/<file>``, f.e.:
::
(umask 0700 && echo -n 0000 > /opt/bind9/etc/pin.txt)
and then use in the label specification:
::
pin-source=/opt/bind9/etc/pin.txt
Confirm that you have one KSK and one ZSK present in the current directory:
::
ls -l K*
The output should look like this (the second number will be different):
::
Kexample.net.+008+31729.key
Kexample.net.+008+31729.private
Kexample.net.+008+42231.key
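Review bot: the pin-source example creates the PIN file with the wrong permissions: `(umask 0700 && echo -n 0000 > /opt/bind9/etc/pin.txt)` clears the owner bits, so the file ends up mode 0066 (unreadable by the owner, readable and writable by group and others). It should be `umask 0077`, which yields 0600. The same note should also state why pin-source is preferable: `pin-value=0000` on the dnssec-keyfromlabel command line is visible in process listings and shell history.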
@ -196,6 +209,7 @@ The zone signing commences as usual, with only one small difference. We need to
provide the name of the OpenSSL engine using the -E command line option.
::
dnssec-signzone -E pkcs11 -S -o example.net example.net
Running ``named`` With Automatic Zone Re-signing
@ -205,11 +219,13 @@ The zone can also be signed automatically by named. Again, we need to provide
the name of the OpenSSL engine using the -E command line option.
::
named -E pkcs11 -c named.conf
and the logs should have lines like:
::
Fetching example.net/RSASHA256/31729 (KSK) from key repository.
DNSKEY example.net/RSASHA256/31729 (KSK) is now published
DNSKEY example.net/RSA256SHA256/31729 (KSK) is now active
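Review bot: the last sample log line reads RSA256SHA256; the algorithm name in the two lines above it, and the one named actually logs, is RSASHA256. Fix the typo in this example so operators do not grep for a string that never appears.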

View File

@ -3358,9 +3358,9 @@ Tuning
^^^^^^
``lame-ttl``
This sets the number of seconds to cache a lame server indication. 0
disables caching. (This is **NOT** recommended.) The default is
``600`` (10 minutes) and the maximum value is ``1800`` (30 minutes).
This is always set to 0. More information is available in the
`security advisory for CVE-2021-25219
<https://kb.isc.org/docs/cve-2021-25219>`_.
``servfail-ttl``
This sets the number of seconds to cache a SERVFAIL response due to DNSSEC
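Review bot: "This is always set to 0" undersells the behaviour: the option is still parsed and a non-zero value is accepted, but configure_view() in this same patch overrides it to 0 and logs a warning, so say that here. It is also worth stating that lame responses are still detected, counted and logged and the server is skipped for the fetch; only caching of the lame indication is disabled. The removed sentence calling 0 "NOT recommended" reflected the old rctx_lameserver() early return, which skipped lame handling entirely when lame_ttl was 0; that no longer applies after the resolver.c change.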
@ -4818,6 +4818,7 @@ A Diffie-Hellman parameters file can be generated using e.g. OpenSSL,
like follows:
::
openssl dhparam -out /path/to/dhparam.pem <3072_or_4096>
Ensure that it gets generated on a machine with enough entropy from
@ -6654,6 +6655,7 @@ be converted to ``text`` format by the ``named-compilezone`` command,
then converted back after editing. For example:
::
named-compilezone -f raw -F text -o zonefile.text <origin> zonefile.raw
[edit zonefile.text]
named-compilezone -f text -F raw -o zonefile.raw <origin> zonefile.text

doc/notes/notes-9.17.19.rst Normal file

@ -0,0 +1,116 @@
..
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.19
----------------------
Security Fixes
~~~~~~~~~~~~~~
- The ``lame-ttl`` option controls how long ``named`` caches certain
types of broken responses from authoritative servers (see the
`security advisory <https://kb.isc.org/docs/cve-2021-25219>`_ for
details). This caching mechanism could be abused by an attacker to
significantly degrade resolver performance. The vulnerability has been
mitigated by changing the default value of ``lame-ttl`` to ``0`` and
overriding any explicitly set value with ``0``, effectively disabling
this mechanism altogether. ISC's testing has determined that doing
that has a negligible impact on resolver performance while also
preventing abuse. Administrators may observe more traffic towards
servers issuing certain types of broken responses than in previous
BIND 9 releases, depending on client query patterns. (CVE-2021-25219)
ISC would like to thank Kishore Kumar Kothapalli of Infoblox for
bringing this vulnerability to our attention. :gl:`#2899`
New Features
~~~~~~~~~~~~
- It is now possible to specify the TLS protocol versions to support for
each ``tls`` configuration clause (e.g. ``protocols { TLSv1.2;
TLSv1.3; };``). :gl:`#2795`
- New options for ``tls`` configuration clauses were implemented,
namely:
- ``dhparam-file "<path_to_file>";`` for specifying Diffie-Hellman
parameters,
- ``ciphers "<cipher_list>";`` for specifying OpenSSL ciphers to use,
- ``prefer-server-ciphers <yes|no>;`` for specifying whether server
ciphers or client ciphers should be preferred (this controls
OpenSSL's ``SSL_OP_CIPHER_SERVER_PREFERENCE`` option),
- ``session-tickets <yes|no>;`` for enabling/disabling stateless TLS
session tickets (see :rfc:`5077`).
These options allow finer control over TLS protocol configuration and
make achieving perfect forward secrecy (PFS) possible for DNS-over-TLS
(DoT) and DNS-over-HTTPS (DoH). :gl:`#2796`
Removed Features
~~~~~~~~~~~~~~~~
- Native PKCS#11 support has been removed; BIND 9 now :ref:`uses
engine_pkcs11 for PKCS#11<pkcs11>`. engine_pkcs11 is an OpenSSL engine
which is part of the `OpenSC`_ project. :gl:`#2691`
- Old-style Dynamically Loadable Zones (DLZ) drivers that had to be
enabled in ``named`` at build time have been removed. New-style DLZ
modules should be used as a replacement. :gl:`#2814`
- Support for the ``map`` zone file format (``masterfile-format map;``)
has been removed. Users relying on the ``map`` format are advised to
convert their zones to the ``raw`` format with ``named-compilezone``
and change the configuration appropriately prior to upgrading BIND 9.
:gl:`#2882`
.. _OpenSC: https://github.com/OpenSC/libp11
Feature Changes
~~~~~~~~~~~~~~~
- The network manager API is now used for sending all outgoing DNS
queries and requests from ``named`` and related tools, including
``delv``, ``mdig``, and ``nsupdate``. :gl:`#2401`
- ``named`` and ``named-checkconf`` now exit with an error when a single
port configured for ``query-source``, ``transfer-source``,
``notify-source``, ``parental-source``, and/or their respective IPv6
counterparts clashes with a global listening port. This configuration
has not been supported since BIND 9.16.0, but no error was reported
until now (even though sending UDP messages such as NOTIFY failed).
:gl:`#2888`
- ``named`` and ``named-checkconf`` now issue a warning when there is a
single port configured for ``query-source``, ``transfer-source``,
``notify-source``, ``parental-source``, and/or for their respective
IPv6 counterparts. :gl:`#2888`
- Zone transfers over TLS (XoT) now need the ``dot`` Application-Layer
Protocol Negotiation (ALPN) token to be selected in the TLS handshake,
as required by :rfc:`9103` section 7.1. :gl:`#2794`
Bug Fixes
~~~~~~~~~
- A recent change introduced in BIND 9.17.18 inadvertently broke
backward compatibility for the ``check-names master ...`` and
``check-names slave ...`` options, causing them to be silently
ignored. This has been fixed and these options now work properly
again. :gl:`#2911`
- When new IP addresses were set up by the operating system during
``named`` startup, it could fail to listen for TCP connections on the
newly added interfaces. :gl:`#2852`
- Under specific circumstances, zone transfers over TCP and TLS could be
interrupted prematurely. This has been fixed. :gl:`#2917`
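Review bot: the #2852 bullet under Bug Fixes describes only the symptom (TCP listeners missing on newly added interfaces), while CHANGES 5714 says the fix removed the "adjust interface" mechanism and that a configuration where the *-source(-v6) address and port equal the listen-on(-v6) address and port "is no longer supported". Operators with such a configuration will be affected by this release, so the release note should carry that consequence, not just the symptom. The rest of the file matches CHANGES; note that the #2308 catalog-zone fix is correctly absent here, since CHANGES places it after the 9.17.19 marker.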

View File

@ -8,7 +8,7 @@
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
Notes for BIND 9.17.18
Notes for BIND 9.17.20
----------------------
Security Fixes
@ -24,18 +24,6 @@ Known Issues
New Features
~~~~~~~~~~~~
- Ability to specify supported TLS protocol versions within ``tls``
clauses (e.g. ``protocols { TLSv1.2; TLSv1.3; };``). :gl:`#2795`
- New options within ``tls`` clauses were implemented, namely:
- ``dhparam-file "<path_to_file>";`` to specify Diffie-Hellman parameters;
- ``ciphers "<cipher_list>";`` to specify OpenSSL ciphers list;
- ``prefer-server-ciphers yes|no;`` to assert server or client ciphers preference;
- ``session-tickets yes|no;`` to explicitly enable or disable stateless TLS session tickets (see RFC5077).
These options allow finer control over TLS protocol features and make it
possible to achieve perfect forward secrecy for DNS-over-TLS and
DNS-over-HTTPS. :gl:`#2796`
- Implement incremental resizing of RBT hash tables to perform the rehashing
gradually instead all-at-once to be able to grow the memory usage gradually
while keeping steady response rate during the rehashing. :gl:`#2941`
@ -48,49 +36,18 @@ New Features
Removed Features
~~~~~~~~~~~~~~~~
- Native PKCS#11 support has been removed; BIND 9 now uses OpenSSL engine_pkcs11 from the
OpenSC project. :gl:`#2691`
- Add support for OpenSSL 3.0.0. OpenSSL 3.0.0 deprecated 'engine' support.
If OpenSSL 3.0.0 has been built without support for deprecated functionality
pkcs11 via engine_pkcs11 is no longer available. At this point in time
there is no replacement ``provider`` for pkcs11 which is the replacement to
the ``engine API``. :gl:`#2843`
- The ``masterfile-format`` format ``map`` has removed. If you are using the
``map`` format, you are advised to convert the zones to ``raw`` format with
``named-compilezone`` and change the configuration prior to BIND 9
upgrade. :gl:`#2882`
- Remove old-style DLZ drivers that had to be enabled in ``named`` during the
compile time. The new-style dynamically loaded DLZ modules should be used
as a replacement. :gl:`#2814`
Feature Changes
~~~~~~~~~~~~~~~
- ``named`` and ``named-checkconf`` now issue a warning when there is a single
configured port in the ``query-source``, ``transfer-source``,
``notify-source``, and ``parental-source``, and/or in their respective IPv6 counterparts.
:gl:`#2888`
- ``named`` and ``named-checkconf`` now return an error when the single configured
port in the ``query-source``, ``transfer-source``, ``notify-source``,
``parental-source``, and/or their respective IPv6 counterparts clashes with the
global listening port. This configuration is no longer supported as of BIND
9.16.0 but no error was reported, although sending UDP messages
(such as notifies) would fail. :gl:`#2888`
- The network manager API is now used by ``named`` and related tools,
including ``nsupdate``, ``delv``, ``mdig``, to send all outgoing DNS
queries and requests. :gl:`#2401`
- Because the old socket manager API has been removed, "socketmgr"
statistics are no longer reported by the statistics channel. :gl:`#2926`
- Zone transfers over TLS (XoT) now need "dot" Application-Layer Protocol
Negotiation (ALPN) tag to be negotiated, as required by the RFC 9103. :gl: `#2794`
- `UseSTD3ASCIIRules`_ is now enabled for IDN support. This enables additional
validation rules for domains and hostnames within dig. :gl:`#1610`
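Review bot: the OpenSSL 3.0.0 bullet (#2843) removed here does not appear in notes-9.17.19.rst, and CHANGES records it as 5751 above the "--- 9.17.19 released ---" marker, i.e. as a 9.17.20 change; it should therefore stay in notes-current.rst (now titled "Notes for BIND 9.17.20") rather than be deleted, since it is the only place that warns users that engine_pkcs11 is unavailable when OpenSSL is built without deprecated APIs. Apply the same check to the #2926 "socketmgr" statistics bullet, which is also removed here and is not in the 9.17.19 notes. The malformed role ":gl: `#2794`" in the removed XoT line is correctly fixed in the new file.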
@ -113,13 +70,6 @@ Feature Changes
Bug Fixes
~~~~~~~~~
- When new IP addresses were added to the system during ``named``
startup, ``named`` failed to listen on TCP for the newly added
interfaces. :gl:`#2852`
- Under specific circumstances, zone transfers over TCP and TLS could be
interrupted prematurely. This has been fixed. :gl:`#2917`
- Reloading a catalog zone that referenced a missing/deleted zone
caused a crash. This has been fixed. :gl:`#2308`
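Review bot: the #2308 catalog-zone crash bullet is removed from notes-current.rst but is not present in notes-9.17.19.rst, and CHANGES 5752 places that fix above the "--- 9.17.19 released ---" marker; the note is therefore lost from both files and should be kept here, in the 9.17.20 notes.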

View File

@ -9655,25 +9655,26 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
*/
static isc_result_t
rctx_lameserver(respctx_t *rctx) {
isc_result_t result;
isc_result_t result = ISC_R_SUCCESS;
fetchctx_t *fctx = rctx->fctx;
resquery_t *query = rctx->query;
if (fctx->res->lame_ttl == 0 || ISFORWARDER(query->addrinfo) ||
!is_lame(fctx, query->rmessage))
{
if (ISFORWARDER(query->addrinfo) || !is_lame(fctx, query->rmessage)) {
return (ISC_R_SUCCESS);
}
inc_stats(fctx->res, dns_resstatscounter_lame);
log_lame(fctx, query->addrinfo);
result = dns_adb_marklame(fctx->adb, query->addrinfo, fctx->name,
fctx->type, rctx->now + fctx->res->lame_ttl);
if (result != ISC_R_SUCCESS) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
"could not mark server as lame: %s",
isc_result_totext(result));
if (fctx->res->lame_ttl != 0) {
result = dns_adb_marklame(fctx->adb, query->addrinfo,
fctx->name, fctx->type,
rctx->now + fctx->res->lame_ttl);
if (result != ISC_R_SUCCESS) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
"could not mark server as lame: %s",
isc_result_totext(result));
}
}
rctx->broken_server = DNS_R_LAME;
rctx->next_server = true;
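Review bot: dropping `fctx->res->lame_ttl == 0` from the early return changes more than caching: with lame_ttl 0 a lame response previously returned ISC_R_SUCCESS before inc_stats(), log_lame() and the broken_server/next_server assignments, so it was not treated as lame at all; now it is counted, logged and the server is skipped for this fetch, and only dns_adb_marklame() is gated by `if (fctx->res->lame_ttl != 0)`. That is the right behaviour for the CVE fix, but it deserves a comment on the gated block and a matching update to the lame-ttl documentation, which still implies that 0 disables lame handling. Minor: `result` is now initialised to ISC_R_SUCCESS only for the conditional path and its value is consumed by the log call; if nothing further down returns it, the variable can be scoped inside the if block.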