| author | Pratyush Yadav <ptyadav@amazon.de> | 2025-02-14 14:28:59 +0000 |
|---|---|---|
| committer | Pratyush Yadav <ptyadav@amazon.de> | 2025-02-14 14:28:59 +0000 |
| commit | b902f4442f0d5344b19e332b336f190ff67c4779 (patch) | |
| tree | dcf2d991a1f6d69bd6ff244971ba4ec95d6d0bfb | |
| parent | c076dff259e99d84d3822b4d2ad7f3f66532f411 (diff) | |
This reverts commit 0d71523ab58493e1b40e1c80d569ff8ebc5ea27d.
| -rw-r--r-- | Makefile | 8 | ||||
| -rw-r--r-- | dns.afsdb.c | 333 | ||||
| -rw-r--r-- | key.dns.h | 74 | ||||
| -rw-r--r-- | key.dns_resolver.c | 249 |
4 files changed, 216 insertions, 448 deletions
@@ -159,12 +159,8 @@ keyctl_watch.o: watch_queue.h request-key: request-key.o $(LIB_DEPENDENCY) $(CC) -L. $(CFLAGS) $(LDFLAGS) $(RPATH) -o $@ $< -lkeyutils -key.dns_resolver: key.dns_resolver.o dns.afsdb.o $(LIB_DEPENDENCY) - $(CC) -L. $(CFLAGS) $(LDFLAGS) $(RPATH) -o $@ \ - key.dns_resolver.o dns.afsdb.o -lkeyutils -lresolv - -key.dns_resolver.o: key.dns_resolver.c key.dns.h -dns.afsdb.o: dns.afsdb.c key.dns.h +key.dns_resolver: key.dns_resolver.o $(LIB_DEPENDENCY) + $(CC) -L. $(CFLAGS) $(LDFLAGS) $(RPATH) -o $@ $< -lkeyutils -lresolv ############################################################################### # diff --git a/dns.afsdb.c b/dns.afsdb.c deleted file mode 100644 index 986c0f3..0000000 --- a/dns.afsdb.c +++ /dev/null 
@@ -1,333 +0,0 @@ -/* - * DNS Resolver Module User-space Helper for AFSDB records - * - * Copyright (C) Wang Lei (wang840925@gmail.com) 2010 - * Authors: Wang Lei (wang840925@gmail.com) - * - * Copyright (C) David Howells (dhowells@redhat.com) 2018 - * - * This is a userspace tool for querying AFSDB RR records in the DNS on behalf - * of the kernel, and converting the VL server addresses to IPv4 format so that - * they can be used by the kAFS filesystem. - * - * As some function like res_init() should use the static library, which is a - * bug of libresolv, that is the reason for cifs.upcall to reimplement. - * - * To use this program, you must tell /sbin/request-key how to invoke it. You - * need to have the keyutils package installed and something like the following - * lines added to your /etc/request-key.conf file: - * - * #OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ... - * ====== ============ =========== ============ ========================== - * create dns_resolver afsdb:* * /sbin/key.dns_resolver %k - * - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. 
- * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ -#include "key.dns.h" - -/* - * - */ -static void afsdb_hosts_to_addrs(ns_msg handle, ns_sect section) -{ - char *vllist[MAX_VLS]; /* list of name servers */ - int vlsnum = 0; /* number of name servers in list */ - int rrnum; - ns_rr rr; - int subtype, i, ret; - unsigned int ttl = UINT_MAX, rr_ttl; - - debug("AFSDB RR count is %d", ns_msg_count(handle, section)); - - /* Look at all the resource records in this section. */ - for (rrnum = 0; rrnum < ns_msg_count(handle, section); rrnum++) { - /* Expand the resource record number rrnum into rr. */ - if (ns_parserr(&handle, section, rrnum, &rr)) { - _error("ns_parserr failed : %m"); - continue; - } - - /* We're only interested in AFSDB records */ - if (ns_rr_type(rr) == ns_t_afsdb) { - vllist[vlsnum] = malloc(MAXDNAME); - if (!vllist[vlsnum]) - error("Out of memory"); - - subtype = ns_get16(ns_rr_rdata(rr)); - - /* Expand the name server's domain name */ - if (ns_name_uncompress(ns_msg_base(handle), - ns_msg_end(handle), - ns_rr_rdata(rr) + 2, - vllist[vlsnum], - MAXDNAME) < 0) - error("ns_name_uncompress failed"); - - rr_ttl = ns_rr_ttl(rr); - if (ttl > rr_ttl) - ttl = rr_ttl; - - /* Check the domain name we've just unpacked and add it to - * the list of VL servers if it is not a duplicate. - * If it is a duplicate, just ignore it. - */ - for (i = 0; i < vlsnum; i++) - if (strcasecmp(vllist[i], vllist[vlsnum]) == 0) - goto next_one; - - /* Turn the hostname into IP addresses */ - ret = dns_resolver(vllist[vlsnum], NULL); - if (ret) { - debug("AFSDB RR can't resolve." 
- "subtype:%d, server name:%s, netmask:%u", - subtype, vllist[vlsnum], mask); - goto next_one; - } - - info("AFSDB RR subtype:%d, server name:%s, ip:%*.*s, ttl:%u", - subtype, vllist[vlsnum], - (int)payload[payload_index - 1].iov_len, - (int)payload[payload_index - 1].iov_len, - (char *)payload[payload_index - 1].iov_base, - ttl); - - /* prepare for the next record */ - vlsnum++; - continue; - - next_one: - free(vllist[vlsnum]); - } - } - - key_expiry = ttl; - info("ttl: %u", key_expiry); -} - -/* - * - */ -static void srv_hosts_to_addrs(ns_msg handle, ns_sect section) -{ - char *vllist[MAX_VLS]; /* list of name servers */ - int vlsnum = 0; /* number of name servers in list */ - int rrnum; - ns_rr rr; - int subtype, i, ret; - unsigned short pref, weight, port; - unsigned int ttl = UINT_MAX, rr_ttl; - char sport[8]; - - debug("SRV RR count is %d", ns_msg_count(handle, section)); - - /* Look at all the resource records in this section. */ - for (rrnum = 0; rrnum < ns_msg_count(handle, section); rrnum++) { - /* Expand the resource record number rrnum into rr. */ - if (ns_parserr(&handle, section, rrnum, &rr)) { - _error("ns_parserr failed : %m"); - continue; - } - - if (ns_rr_type(rr) == ns_t_srv) { - vllist[vlsnum] = malloc(MAXDNAME); - if (!vllist[vlsnum]) - error("Out of memory"); - - subtype = ns_get16(ns_rr_rdata(rr)); - - /* Expand the name server's domain name */ - if (ns_name_uncompress(ns_msg_base(handle), - ns_msg_end(handle), - ns_rr_rdata(rr) + 6, - vllist[vlsnum], - MAXDNAME) < 0) { - _error("ns_name_uncompress failed"); - continue; - } - - rr_ttl = ns_rr_ttl(rr); - if (ttl > rr_ttl) - ttl = rr_ttl; - - pref = ns_get16(ns_rr_rdata(rr)); - weight = ns_get16(ns_rr_rdata(rr) + 2); - port = ns_get16(ns_rr_rdata(rr) + 4); - info("rdata %u %u %u", pref, weight, port); - - sprintf(sport, "+%hu", port); - - /* Check the domain name we've just unpacked and add it to - * the list of VL servers if it is not a duplicate. - * If it is a duplicate, just ignore it. 
- */ - for (i = 0; i < vlsnum; i++) - if (strcasecmp(vllist[i], vllist[vlsnum]) == 0) - goto next_one; - - /* Turn the hostname into IP addresses */ - ret = dns_resolver(vllist[vlsnum], sport); - if (ret) { - debug("SRV RR can't resolve." - "subtype:%d, server name:%s, netmask:%u", - subtype, vllist[vlsnum], mask); - goto next_one; - } - - info("SRV RR subtype:%d, server name:%s, ip:%*.*s, ttl:%u", - subtype, vllist[vlsnum], - (int)payload[payload_index - 1].iov_len, - (int)payload[payload_index - 1].iov_len, - (char *)payload[payload_index - 1].iov_base, - ttl); - - /* prepare for the next record */ - vlsnum++; - continue; - - next_one: - free(vllist[vlsnum]); - } - } - - key_expiry = ttl; - info("ttl: %u", key_expiry); -} - -/* - * Look up an AFSDB record to get the VL server addresses. - */ -static int dns_query_AFSDB(const char *cell) -{ - int response_len; /* buffer length */ - ns_msg handle; /* handle for response message */ - union { - HEADER hdr; - u_char buf[NS_PACKETSZ]; - } response; /* response buffers */ - - debug("Get AFSDB RR for cell name:'%s'", cell); - - /* query the dns for an AFSDB resource record */ - response_len = res_query(cell, - ns_c_in, - ns_t_afsdb, - response.buf, - sizeof(response)); - - if (response_len < 0) { - /* negative result */ - _nsError(h_errno, cell); - return -1; - } - - if (ns_initparse(response.buf, response_len, &handle) < 0) - error("ns_initparse: %m"); - - /* look up the hostnames we've obtained to get the actual addresses */ - afsdb_hosts_to_addrs(handle, ns_s_an); - - info("DNS query AFSDB RR results:%u ttl:%u", payload_index, key_expiry); - return 0; -} - -/* - * Look up an SRV record to get the VL server addresses [RFC 5864]. 
- */ -static int dns_query_VL_SRV(const char *cell) -{ - int response_len; /* buffer length */ - ns_msg handle; /* handle for response message */ - union { - HEADER hdr; - u_char buf[NS_PACKETSZ]; - } response; - char name[1024]; - - snprintf(name, sizeof(name), "_afs3-vlserver._udp.%s", cell); - - debug("Get VL SRV RR for name:'%s'", name); - - response_len = res_query(name, - ns_c_in, - ns_t_srv, - response.buf, - sizeof(response)); - - if (response_len < 0) { - /* negative result */ - _nsError(h_errno, cell); - return -1; - } - - if (ns_initparse(response.buf, response_len, &handle) < 0) - error("ns_initparse: %m"); - - /* look up the hostnames we've obtained to get the actual addresses */ - srv_hosts_to_addrs(handle, ns_s_an); - - info("DNS query VL SRV RR results:%u ttl:%u", payload_index, key_expiry); - return 0; -} - -/* - * Instantiate the key. - */ -static __attribute__((noreturn)) -void afs_instantiate(const char *cell) -{ - int ret; - - /* set the key's expiry time from the minimum TTL encountered */ - if (!debug_mode) { - ret = keyctl_set_timeout(key, key_expiry); - if (ret == -1) - error("%s: keyctl_set_timeout: %m", __func__); - } - - /* handle a lack of results */ - if (payload_index == 0) - nsError(NO_DATA, cell); - - /* must include a NUL char at the end of the payload */ - payload[payload_index].iov_base = ""; - payload[payload_index++].iov_len = 1; - dump_payload(); - - /* load the key with data key */ - if (!debug_mode) { - ret = keyctl_instantiate_iov(key, payload, payload_index, 0); - if (ret == -1) - error("%s: keyctl_instantiate: %m", __func__); - } - - exit(0); -} - -/* - * Look up VL servers for AFS. - */ -void afs_look_up_VL_servers(const char *cell, char *options) -{ - /* Is the IP address family limited? */ - if (strcmp(options, "ipv4") == 0) - mask = INET_IP4_ONLY; - else if (strcmp(options, "ipv6") == 0) - mask = INET_IP6_ONLY; - - if (dns_query_VL_SRV(cell) != 0) - dns_query_AFSDB(cell); - - afs_instantiate(cell); -} 
diff --git a/key.dns.h b/key.dns.h deleted file mode 100644 index 33d0ab3..0000000 --- a/key.dns.h +++ /dev/null 
@@ -1,74 +0,0 @@ -/* - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public Licence as published by - * the Free Software Foundation; either version 2 of the Licence, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public Licence for more details. - */ -#define _GNU_SOURCE -#include <netinet/in.h> -#include <arpa/nameser.h> -#include <arpa/inet.h> -#include <limits.h> -#include <resolv.h> -#include <getopt.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netdb.h> -#include <syslog.h> -#include <errno.h> -#include <string.h> -#include <stdbool.h> -#include <stdio.h> -#include <stdarg.h> -#include <keyutils.h> -#include <stdlib.h> -#include <unistd.h> -#include <time.h> -#include <ctype.h> - -#define MAX_VLS 15 /* Max Volume Location Servers Per-Cell */ -#define INET_IP4_ONLY 0x1 -#define INET_IP6_ONLY 0x2 -#define INET_ALL 0xFF -#define ONE_ADDR_ONLY 0x100 - -/* - * key.dns_resolver.c - */ -extern key_serial_t key; -extern int debug_mode; -extern unsigned mask; -extern unsigned int key_expiry; - -#define N_PAYLOAD 256 -extern struct iovec payload[N_PAYLOAD]; -extern int payload_index; - -extern __attribute__((format(printf, 1, 2), noreturn)) -void error(const char *fmt, ...); -extern __attribute__((format(printf, 1, 2))) -void _error(const char *fmt, ...); -extern __attribute__((format(printf, 1, 2))) -void warning(const char *fmt, ...); -extern __attribute__((format(printf, 1, 2))) -void info(const char *fmt, ...); -extern __attribute__((noreturn)) -void nsError(int err, const char *domain); -extern void _nsError(int err, const char *domain); -extern __attribute__((format(printf, 1, 2))) -void debug(const char *fmt, ...); - -extern void append_address_to_payload(const char 
*addr); -extern void dump_payload(void); -extern int dns_resolver(const char *server_name, const char *port); - -/* - * dns.afsdb.c - */ -extern __attribute__((noreturn)) -void afs_look_up_VL_servers(const char *cell, char *options); diff --git a/key.dns_resolver.c b/key.dns_resolver.c index 7a7ec42..cf40961 100644 --- a/key.dns_resolver.c +++ b/key.dns_resolver.c @@ -38,7 +38,33 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#include "key.dns.h" +#define _GNU_SOURCE +#include <netinet/in.h> +#include <arpa/nameser.h> +#include <arpa/inet.h> +#include <limits.h> +#include <resolv.h> +#include <getopt.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <netdb.h> +#include <syslog.h> +#include <errno.h> +#include <string.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdarg.h> +#include <keyutils.h> +#include <stdlib.h> +#include <unistd.h> +#include <time.h> +#include <ctype.h> + +#define MAX_VLS 15 /* Max Volume Location Servers Per-Cell */ +#define INET_IP4_ONLY 0x1 +#define INET_IP6_ONLY 0x2 +#define INET_ALL 0xFF +#define ONE_ADDR_ONLY 0x100 static const char *DNS_PARSE_VERSION = "1.0"; static const char prog[] = "key.dns_resolver"; @@ -48,16 +74,23 @@ static const char aaaa_query_type[] = "aaaa"; static const char afsdb_query_type[] = "afsdb"; static const char *config_file = "/etc/keyutils/key.dns_resolver.conf"; static bool config_specified = false; -key_serial_t key; +static key_serial_t key; static int verbose; -int debug_mode; +static int debug_mode; unsigned mask = INET_ALL; unsigned int key_expiry = 5; +#define MAX_VLS 15 /* Max Volume Location Servers Per-Cell */ +#define INET_IP4_ONLY 0x1 +#define INET_IP6_ONLY 0x2 +#define INET_ALL 0xFF +#define ONE_ADDR_ONLY 0x100 + /* * segmental payload */ +#define N_PAYLOAD 256 struct iovec payload[N_PAYLOAD]; int payload_index; 
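Review bot: The `#define MAX_VLS` … `#define ONE_ADDR_ONLY` block is added to key.dns_resolver.c twice, once directly after the includes and again below `unsigned int key_expiry = 5;`. The two copies are identical, so the compiler accepts them, but they can drift apart unnoticed, and `INET_ALL` seeds the address-family mask used for lookups; I would keep the first copy and drop the second. `key` and `debug_mode` become `static` here while `mask`, `key_expiry`, `payload` and `payload_index` remain external. If nothing outside this file needs them once dns.afsdb.c is gone, marking them `static` too would be consistent.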
@@ -65,6 +98,7 @@ int payload_index; * Print an error to stderr or the syslog, negate the key being created and * exit */ +static __attribute__((format(printf, 1, 2), noreturn)) void error(const char *fmt, ...) { va_list va; @@ -94,6 +128,7 @@ void error(const char *fmt, ...) /* * Just print an error to stderr or the syslog */ +static __attribute__((format(printf, 1, 2))) void _error(const char *fmt, ...) { va_list va; @@ -128,6 +163,7 @@ void warning(const char *fmt, ...) /* * Print status information */ +static __attribute__((format(printf, 1, 2))) void info(const char *fmt, ...) { va_list va; @@ -157,10 +193,14 @@ static const int ns_errno_map[] = { [NO_DATA] = ENODATA, }; -void _nsError(int err, const char *domain) +static __attribute__((noreturn)) +void nsError(int err, const char *domain) { + unsigned timeout = 1 * 60; + int ret; + if (isatty(2)) - fprintf(stderr, "NS:%s: %s.\n", domain, hstrerror(err)); + fprintf(stderr, "%s: %s.\n", domain, hstrerror(err)); else syslog(LOG_INFO, "%s: %s", domain, hstrerror(err)); @@ -170,27 +210,11 @@ void _nsError(int err, const char *domain) err = ns_errno_map[err]; info("Reject the key with error %d", err); -} -void nsError(int err, const char *domain) -{ - unsigned timeout; - int ret; - - _nsError(err, domain); - - switch (err) { - case TRY_AGAIN: + if (err == EAGAIN) timeout = 1; - break; - case 0: - case NO_RECOVERY: + else if (err == ECONNREFUSED) timeout = 10; - break; - default: - timeout = 1 * 60; - break; - } if (!debug_mode) { ret = keyctl_reject(key, timeout, err, KEY_REQKEY_DEFL_DEFAULT); @@ -203,6 +227,7 @@ void nsError(int err, const char *domain) /* * Print debugging information */ +static __attribute__((format(printf, 1, 2))) void debug(const char *fmt, ...) { va_list va; 
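Review bot: In `nsError` the reject timeout is now picked by comparing the already-mapped errno (`err == EAGAIN`, `err == ECONNREFUSED`), so which resolver failures get the 1-second and 10-second lifetimes depends on `ns_errno_map`, whose entries are mostly outside this hunk. A comment above the `if` would make that dependency and the units explicit, for example `/* reject timeout in seconds: 1 if err mapped to EAGAIN, 10 if ECONNREFUSED, else 60 */`. The function is marked `noreturn`, but its tail lies outside the hunk, so I could not confirm that every path ends in an exit.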
@@ -224,7 +249,7 @@ void debug(const char *fmt, ...) /* * Append an address to the payload segment list */ -void append_address_to_payload(const char *addr) +static void append_address_to_payload(const char *addr) { size_t sz = strlen(addr); char *copy; @@ -257,7 +282,7 @@ void append_address_to_payload(const char *addr) /* * Dump the payload when debugging */ -void dump_payload(void) +static void dump_payload(void) { size_t plen, n; char *buf, *p; @@ -300,10 +325,11 @@ void dump_payload(void) * Perform address resolution on a hostname and add the resulting address as a * string to the list of payload segments. */ -int dns_resolver(const char *server_name, const char *port) +static int +dns_resolver(const char *server_name, unsigned mask) { struct addrinfo hints, *addr, *ai; - char buf[INET6_ADDRSTRLEN + 8 + 1]; + char buf[INET6_ADDRSTRLEN + 1]; int ret, len; void *sa; @@ -324,6 +350,8 @@ int dns_resolver(const char *server_name, const char *port) return -1; } + debug("getaddrinfo = %d", ret); + for (ai = addr; ai; ai = ai->ai_next) { debug("RR: %x,%x,%x,%x,%x,%s", ai->ai_flags, ai->ai_family, @@ -352,8 +380,6 @@ int dns_resolver(const char *server_name, const char *port) if (!inet_ntop(ai->ai_family, sa, buf, len)) error("%s: inet_ntop: %m", __func__); - if (port) - strcat(buf, port); append_address_to_payload(buf); if (mask & ONE_ADDR_ONLY) break; 
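Review bot: The new `mask` parameter of `dns_resolver` shadows the file-scope `unsigned mask = INET_ALL;` that an earlier hunk leaves in place as context. A later edit could then read the global where the per-query value was meant, silently widening a lookup to all address families. Removing the global or renaming the parameter avoids this, and `-Wshadow` would flag it. Separately, `debug("getaddrinfo = %d", ret);` is placed directly after the block that ends in `return -1;`, so it appears to print only the success value, though the condition is outside the hunk. The body of `dns_resolver` extends beyond these hunks.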
@@ -364,6 +390,160 @@ int dns_resolver(const char *server_name, const char *port) } /* + * + */ +static void afsdb_hosts_to_addrs(ns_msg handle, + ns_sect section, + unsigned mask, + unsigned long *_ttl) +{ + char *vllist[MAX_VLS]; /* list of name servers */ + int vlsnum = 0; /* number of name servers in list */ + int rrnum; + ns_rr rr; + int subtype, i, ret; + unsigned int ttl = UINT_MAX, rr_ttl; + + debug("AFSDB RR count is %d", ns_msg_count(handle, section)); + + /* Look at all the resource records in this section. */ + for (rrnum = 0; rrnum < ns_msg_count(handle, section); rrnum++) { + /* Expand the resource record number rrnum into rr. */ + if (ns_parserr(&handle, section, rrnum, &rr)) { + _error("ns_parserr failed : %m"); + continue; + } + + /* We're only interested in AFSDB records */ + if (ns_rr_type(rr) == ns_t_afsdb) { + vllist[vlsnum] = malloc(MAXDNAME); + if (!vllist[vlsnum]) + error("Out of memory"); + + subtype = ns_get16(ns_rr_rdata(rr)); + + /* Expand the name server's domain name */ + if (ns_name_uncompress(ns_msg_base(handle), + ns_msg_end(handle), + ns_rr_rdata(rr) + 2, + vllist[vlsnum], + MAXDNAME) < 0) + error("ns_name_uncompress failed"); + + rr_ttl = ns_rr_ttl(rr); + if (ttl > rr_ttl) + ttl = rr_ttl; + + /* Check the domain name we've just unpacked and add it to + * the list of VL servers if it is not a duplicate. + * If it is a duplicate, just ignore it. + */ + for (i = 0; i < vlsnum; i++) + if (strcasecmp(vllist[i], vllist[vlsnum]) == 0) + goto next_one; + + /* Turn the hostname into IP addresses */ + ret = dns_resolver(vllist[vlsnum], mask); + if (ret) { + debug("AFSDB RR can't resolve." 
+ "subtype:%d, server name:%s, netmask:%u", + subtype, vllist[vlsnum], mask); + goto next_one; + } + + info("AFSDB RR subtype:%d, server name:%s, ip:%*.*s, ttl:%u", + subtype, vllist[vlsnum], + (int)payload[payload_index - 1].iov_len, + (int)payload[payload_index - 1].iov_len, + (char *)payload[payload_index - 1].iov_base, + ttl); + + /* prepare for the next record */ + vlsnum++; + continue; + + next_one: + free(vllist[vlsnum]); + } + } + + *_ttl = ttl; + info("ttl: %u", ttl); +} + +/* + * Look up an AFSDB record to get the VL server addresses. + * + * The callout_info is parsed for request options. For instance, "ipv4" to + * request only IPv4 addresses and "ipv6" to request only IPv6 addresses. + */ +static __attribute__((noreturn)) +int dns_query_afsdb(const char *cell, char *options) +{ + int ret; + unsigned mask = INET_ALL; + int response_len; /* buffer length */ + ns_msg handle; /* handle for response message */ + unsigned long ttl = ULONG_MAX; + union { + HEADER hdr; + u_char buf[NS_PACKETSZ]; + } response; /* response buffers */ + + debug("Get AFSDB RR for cell name:'%s', options:'%s'", cell, options); + + /* query the dns for an AFSDB resource record */ + response_len = res_query(cell, + ns_c_in, + ns_t_afsdb, + response.buf, + sizeof(response)); + + if (response_len < 0) + /* negative result */ + nsError(h_errno, cell); + + if (ns_initparse(response.buf, response_len, &handle) < 0) + error("ns_initparse: %m"); + + /* Is the IP address family limited? 
*/ + if (strcmp(options, "ipv4") == 0) + mask = INET_IP4_ONLY; + else if (strcmp(options, "ipv6") == 0) + mask = INET_IP6_ONLY; + + /* look up the hostnames we've obtained to get the actual addresses */ + afsdb_hosts_to_addrs(handle, ns_s_an, mask, &ttl); + + info("DNS query AFSDB RR results:%u ttl:%lu", payload_index, ttl); + + /* set the key's expiry time from the minimum TTL encountered */ + if (!debug_mode) { + ret = keyctl_set_timeout(key, ttl); + if (ret == -1) + error("%s: keyctl_set_timeout: %m", __func__); + } + + /* handle a lack of results */ + if (payload_index == 0) + nsError(NO_DATA, cell); + + /* must include a NUL char at the end of the payload */ + payload[payload_index].iov_base = ""; + payload[payload_index++].iov_len = 1; + dump_payload(); + + /* load the key with data key */ + if (!debug_mode) { + ret = keyctl_instantiate_iov(key, payload, payload_index, 0); + if (ret == -1) + error("%s: keyctl_instantiate: %m", __func__); + } + + exit(0); +} + +/* * Look up a A and/or AAAA records to get host addresses * * The callout_info is parsed for request options. For instance, "ipv4" to @@ -373,6 +553,7 @@ int dns_resolver(const char *server_name, const char *port) static __attribute__((noreturn)) int dns_query_a_or_aaaa(const char *hostname, char *options) { + unsigned mask; int ret; debug("Get A/AAAA RR for hostname:'%s', options:'%s'", @@ -418,7 +599,7 @@ int dns_query_a_or_aaaa(const char *hostname, char *options) } /* Turn the hostname into IP addresses */ - ret = dns_resolver(hostname, NULL); + ret = dns_resolver(hostname, mask); if (ret) nsError(NO_DATA, hostname); @@ -636,7 +817,7 @@ int main(int argc, char *argv[]) openlog(prog, 0, LOG_DAEMON); - while ((ret = getopt_long(argc, argv, "c:vDV", long_options, NULL)) != -1) { + while ((ret = getopt_long(argc, argv, "c:vD", long_options, NULL)) != -1) { switch (ret) { case 'c': config_file = optarg; 
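Review bot: `afsdb_hosts_to_addrs` stores into `vllist[vlsnum]` for every AFSDB record in the answer and never compares `vlsnum` with `MAX_VLS`, so a response with more distinct resolvable server names than the table holds writes past the end of the stack array `char *vllist[MAX_VLS]`. The record count comes from the network via `ns_msg_count(handle, section)`, so the limit has to be enforced in this loop; `if (vlsnum >= MAX_VLS) break;` placed before the `malloc(MAXDNAME)` would stop at the table size. In `dns_query_afsdb`, `response_len` passes from `res_query` to `ns_initparse` unchecked against `sizeof(response)`; it is worth confirming the resolver cannot report a larger length, and clamping it if it can. `strcmp(options, "ipv4")` also assumes `options` is non-NULL, which depends on the caller in `main`, outside this hunk.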
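Review bot: `dns_query_a_or_aaaa` gains a local `unsigned mask;` with no initializer, which is later passed on as `dns_resolver(hostname, mask)`. The assignments sit between the two hunks and are not visible here, so please confirm that every option-parsing path sets it before the call. Initialising at the declaration, e.g. `unsigned mask = INET_ALL;` (assuming that matches the intended default, as for the file-scope variable), would leave a missed path with a defined value rather than an indeterminate one.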
@@ -729,8 +910,6 @@ int main(int argc, char *argv[]) qtlen = name - keyend; name++; - info("Query type: '%*.*s'", qtlen, qtlen, keyend); - if ((qtlen == sizeof(a_query_type) - 1 && memcmp(keyend, a_query_type, sizeof(a_query_type) - 1) == 0) || (qtlen == sizeof(aaaa_query_type) - 1 && @@ -744,9 +923,9 @@ int main(int argc, char *argv[]) if (qtlen == sizeof(afsdb_query_type) - 1 && memcmp(keyend, afsdb_query_type, sizeof(afsdb_query_type) - 1) == 0 ) { - info("Do AFS VL server query for:'%s' mask:'%s'", + info("Do DNS query of AFSDB type for:'%s' mask:'%s'", name, callout_info); - afs_look_up_VL_servers(name, callout_info); + dns_query_afsdb(name, callout_info); } error("Query type: \"%*.*s\" is not supported", qtlen, qtlen, keyend); |
