
Ensure delegations inside mirror zones are properly handled for non-recursive queries

When a resolver is a regular slave (i.e. not a mirror) for some zone,
non-recursive queries for names below that slaved zone will return a
delegation sourced from it.  This behavior is suboptimal for mirror
zones as their contents should rather be treated as validated, cached
DNS responses.  Modify query_delegation() and query_zone_delegation() so
that, for clients allowed cache access, the cache is also consulted for a
better answer when responding to non-recursive queries.
This commit is contained in:
Michał Kępień
2018-06-28 13:38:39 +02:00
parent c9accfde28
commit 179d5faa28
6 changed files with 60 additions and 2 deletions


@@ -12,3 +12,4 @@ $TTL 3600
@ NS ns2 @ NS ns2
ns2 A 10.53.0.2 ns2 A 10.53.0.2
foo A 127.0.0.1 foo A 127.0.0.1
sub NS ns2


@@ -34,6 +34,11 @@ zone "example" {
file "example.db.signed"; file "example.db.signed";
}; };
zone "sub.example" {
type master;
file "sub.example.db.in";
};
zone "verify-axfr" { zone "verify-axfr" {
type master; type master;
file "verify-axfr.db.signed"; file "verify-axfr.db.signed";


@@ -0,0 +1,13 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ SOA ns2.example. hostmaster 1 3600 1200 604800 3600
@ NS ns2.example.
foo A 127.0.0.1


@@ -216,5 +216,38 @@ grep "query 'foo.example/A/IN'" ns1/named.run > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that non-recursive queries for names below mirror zone get responded from cache ($n)"
ret=0
# Issue a non-recursive query for an RRset which is expected to be in cache.
$DIG $DIGOPTS @10.53.0.3 +norec foo.example. A > dig.out.ns3.test$n 2>&1 || ret=1
# Check response code and flags in the answer.
grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
# Ensure the response is not a delegation.
grep "ANSWER: 0" dig.out.ns3.test$n > /dev/null && ret=1
grep "foo.example.*IN.*A.*127.0.0.1" dig.out.ns3.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that delegations from cache which improve mirror zone delegations are properly handled ($n)"
ret=0
# First, issue a recursive query in order to cache an RRset which is not within
# the mirror zone's bailiwick.
$DIG $DIGOPTS @10.53.0.3 sub.example. NS > dig.out.ns3.test$n.1 2>&1 || ret=1
# Ensure the child-side NS RRset is returned.
grep "NOERROR" dig.out.ns3.test$n.1 > /dev/null || ret=1
grep "ANSWER: 1" dig.out.ns3.test$n.1 > /dev/null || ret=1
grep "sub.example.*IN.*NS" dig.out.ns3.test$n.1 > /dev/null || ret=1
# Issue a non-recursive query for something below the cached zone cut.
$DIG $DIGOPTS @10.53.0.3 +norec foo.sub.example. A > dig.out.ns3.test$n.2 2>&1 || ret=1
# Ensure the cached NS RRset is returned in a delegation.
grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
grep "ANSWER: 0" dig.out.ns3.test$n.2 > /dev/null || ret=1
grep "sub.example.*IN.*NS" dig.out.ns3.test$n.2 > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status" echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1 [ $status -eq 0 ] || exit 1
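Review bot: The second new check cannot distinguish a child-side NS RRset served from the cache from the mirror zone's own delegation, because both are the single record `sub.example. NS ns2.example.` — the parent's `sub NS ns2` (relative to origin example) and the child's `@ NS ns2.example.` in sub.example.db.in are the same owner, type and target, and the TTLs in both files are 3600. If the new query.c path regressed and the referral were built from the mirror zone rather than the cache, the `grep "sub.example.*IN.*NS"` on dig.out.ns3.test$n.2 would still pass, so the test does not prove what its echo_i line claims. I would make the child-side apex NS RRset differ from the parent-side delegation (for example a second NS record in sub.example.db.in whose name does not appear in the parent's delegation, pointing at a server the test setup can reach) and then assert on what only the cache can supply, e.g. `grep "AUTHORITY: 2" dig.out.ns3.test$n.2 > /dev/null || ret=1` together with a grep for that second NS target. Asserting on the AUTHORITY count rather than only `ANSWER: 0` also pins the response shape of the referral.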


@@ -7765,7 +7765,10 @@ query_zone_delegation(query_ctx_t *qctx) {
} }
} }
if (USECACHE(qctx->client) && RECURSIONOK(qctx->client)) { if (USECACHE(qctx->client) &&
(RECURSIONOK(qctx->client) ||
(qctx->zone != NULL && dns_zone_ismirror(qctx->zone))))
{
/* /*
* We might have a better answer or delegation in the * We might have a better answer or delegation in the
* cache. We'll remember the current values of fname, * cache. We'll remember the current values of fname,
@@ -7983,7 +7986,9 @@ query_delegation(query_ctx_t *qctx) {
qctx->client->query.attributes |= NS_QUERYATTR_CACHEGLUEOK; qctx->client->query.attributes |= NS_QUERYATTR_CACHEGLUEOK;
qctx->client->query.isreferral = ISC_TRUE; qctx->client->query.isreferral = ISC_TRUE;
if (qctx->zdb != NULL && qctx->client->query.gluedb == NULL) { if (qctx->zdb != NULL && qctx->client->query.gluedb == NULL &&
!(qctx->zone != NULL && dns_zone_ismirror(qctx->zone)))
{
dns_db_attach(qctx->zdb, &qctx->client->query.gluedb); dns_db_attach(qctx->zdb, &qctx->client->query.gluedb);
detach = ISC_TRUE; detach = ISC_TRUE;
} }
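Review bot: The mirror-zone test `qctx->zone != NULL && dns_zone_ismirror(qctx->zone)` is now spelled out twice, once in query_zone_delegation() and once negated in query_delegation(), and neither site says why a mirror zone changes the decision. I would factor it into one helper, e.g. `static inline isc_boolean_t query_is_mirror_zone(const query_ctx_t *qctx) { return (ISC_TF(qctx->zone != NULL && dns_zone_ismirror(qctx->zone))); }` (return type matched to whatever dns_zone_ismirror() returns in this tree), and call it from both conditions. The gluedb change in particular deserves a comment, since skipping dns_db_attach() there silently changes where glue comes from; something like `/* Mirror zone contents are treated as validated cache data, so do not serve glue from the zone database; NS_QUERYATTR_CACHEGLUEOK lets it come from the cache instead */` — the last clause is my reading of the flag set two lines above and should be confirmed. Both query_zone_delegation() and query_delegation() begin and end outside the hunks shown.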


@@ -1602,6 +1602,7 @@
./bin/tests/system/mirror/ns2/example.db.in ZONE 2018 ./bin/tests/system/mirror/ns2/example.db.in ZONE 2018
./bin/tests/system/mirror/ns2/named.conf.in CONF-C 2018 ./bin/tests/system/mirror/ns2/named.conf.in CONF-C 2018
./bin/tests/system/mirror/ns2/sign.sh SH 2018 ./bin/tests/system/mirror/ns2/sign.sh SH 2018
./bin/tests/system/mirror/ns2/sub.example.db.in ZONE 2018
./bin/tests/system/mirror/ns2/verify.db.in ZONE 2018 ./bin/tests/system/mirror/ns2/verify.db.in ZONE 2018
./bin/tests/system/mirror/ns3/named.conf.in CONF-C 2018 ./bin/tests/system/mirror/ns3/named.conf.in CONF-C 2018
./bin/tests/system/mirror/setup.sh SH 2018 ./bin/tests/system/mirror/setup.sh SH 2018