diff --git a/bin/tests/system/legacy/clean.sh b/bin/tests/system/legacy/clean.sh
index 79432ec397..ad7ef8540d 100644
--- a/bin/tests/system/legacy/clean.sh
+++ b/bin/tests/system/legacy/clean.sh
@@ -8,9 +8,9 @@
 # information regarding copyright ownership.
 rm -f dig.out.*
-rm -f ns?/named.conf
-rm -f ns?/named.memstats
-rm -f ns?/named.run
+rm -f ns*/named.conf
+rm -f ns*/named.memstats
+rm -f ns*/named.run
 rm -f ns*/named.lock
 # build.sh
diff --git a/bin/tests/system/legacy/ns1/root.db b/bin/tests/system/legacy/ns1/root.db
index 78ae65b8a1..e4889a8f2a 100644
--- a/bin/tests/system/legacy/ns1/root.db
+++ b/bin/tests/system/legacy/ns1/root.db
@@ -23,3 +23,9 @@ edns512. NS ns.edns512.
 ns.edns512. A 10.53.0.6
 edns512-notcp. NS ns.edns512-notcp.
 ns.edns512-notcp. A 10.53.0.7
+ednsformerr. NS ns.ednsformerr.
+ns.ednsformerr. A 10.53.0.8
+ednsnotimp. NS ns.ednsnotimp.
+ns.ednsnotimp. A 10.53.0.9
+ednsrefused. NS ns.ednsrefused.
+ns.ednsrefused. A 10.53.0.10
diff --git a/bin/tests/system/legacy/ns10/ednsrefused.db b/bin/tests/system/legacy/ns10/ednsrefused.db
new file mode 100644
index 0000000000..caac70d26a
--- /dev/null
+++ b/bin/tests/system/legacy/ns10/ednsrefused.db
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.8
diff --git a/bin/tests/system/legacy/ns10/named.conf.in b/bin/tests/system/legacy/ns10/named.conf.in
new file mode 100644
index 0000000000..e7bf8b256a
--- /dev/null
+++ b/bin/tests/system/legacy/ns10/named.conf.in
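Review bot: The glue record added as the last line of ns10/ednsrefused.db, `+ns 60 A 10.53.0.8`, points the zone's own `ns` at ns8's address, while this server listens on 10.53.0.10 and root.db in the same commit delegates ns.ednsrefused. to 10.53.0.10; the ns9/ednsnotimp.db hunk has the same mismatch against 10.53.0.9 (all three new zone files share blob caac70d26a). The tests presumably pass because the resolver uses the parent-side glue, but any path that re-resolves the child NS would be steered to ns8 and the NOTIMP/REFUSED cases would then exercise the wrong server. Suggest `ns 60 A 10.53.0.10` here and `ns 60 A 10.53.0.9` in ns9/ednsnotimp.db.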
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.10;
+ notify-source 10.53.0.10;
+ transfer-source 10.53.0.10;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.10; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "ednsrefused" {
+ type master;
+ file "ednsrefused.db";
+};
diff --git a/bin/tests/system/legacy/ns10/named.ednsrefused b/bin/tests/system/legacy/ns10/named.ednsrefused
new file mode 100644
index 0000000000..6b43ac06d0
--- /dev/null
+++ b/bin/tests/system/legacy/ns10/named.ednsrefused
@@ -0,0 +1 @@
+ednsrefused
diff --git a/bin/tests/system/legacy/ns8/ednsformerr.db b/bin/tests/system/legacy/ns8/ednsformerr.db
new file mode 100644
index 0000000000..caac70d26a
--- /dev/null
+++ b/bin/tests/system/legacy/ns8/ednsformerr.db
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.8
diff --git a/bin/tests/system/legacy/ns8/named.conf.in b/bin/tests/system/legacy/ns8/named.conf.in
new file mode 100644
index 0000000000..dc4ce6b37b
--- /dev/null
+++ b/bin/tests/system/legacy/ns8/named.conf.in
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.8;
+ notify-source 10.53.0.8;
+ transfer-source 10.53.0.8;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.8; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "ednsformerr" {
+ type master;
+ file "ednsformerr.db";
+};
diff --git a/bin/tests/system/legacy/ns8/named.ednsformerr b/bin/tests/system/legacy/ns8/named.ednsformerr
new file mode 100644
index 0000000000..e35cb0253a
--- /dev/null
+++ b/bin/tests/system/legacy/ns8/named.ednsformerr
@@ -0,0 +1 @@
+ednsformerr
diff --git a/bin/tests/system/legacy/ns9/ednsnotimp.db b/bin/tests/system/legacy/ns9/ednsnotimp.db
new file mode 100644
index 0000000000..caac70d26a
--- /dev/null
+++ b/bin/tests/system/legacy/ns9/ednsnotimp.db
@@ -0,0 +1,12 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@ 60 SOA ns marka.isc.org. 1 0 0 0 0
+@ 60 NS ns
+ns 60 A 10.53.0.8
diff --git a/bin/tests/system/legacy/ns9/named.conf.in b/bin/tests/system/legacy/ns9/named.conf.in
new file mode 100644
index 0000000000..34ac3af85e
--- /dev/null
+++ b/bin/tests/system/legacy/ns9/named.conf.in
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.9;
+ notify-source 10.53.0.9;
+ transfer-source 10.53.0.9;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.9; };
+ listen-on-v6 { none; };
+ recursion no;
+ dnssec-validation no;
+};
+
+zone "ednsnotimp" {
+ type master;
+ file "ednsnotimp.db";
+};
diff --git a/bin/tests/system/legacy/ns9/named.ednsnotimp b/bin/tests/system/legacy/ns9/named.ednsnotimp
new file mode 100644
index 0000000000..4e6424dc6f
--- /dev/null
+++ b/bin/tests/system/legacy/ns9/named.ednsnotimp
@@ -0,0 +1 @@
+ednsnotimp
diff --git a/bin/tests/system/legacy/setup.sh b/bin/tests/system/legacy/setup.sh
index b41da9eb86..0770f46290 100644
--- a/bin/tests/system/legacy/setup.sh
+++ b/bin/tests/system/legacy/setup.sh
@@ -15,10 +15,12 @@ SYSTEMTESTTOP=..
 $SHELL clean.sh
 copy_setports ns1/named1.conf.in ns1/named.conf
-
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named.conf.in ns7/named.conf
+copy_setports ns8/named.conf.in ns8/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns10/named.conf.in ns10/named.conf
diff --git a/bin/tests/system/legacy/tests.sh b/bin/tests/system/legacy/tests.sh
index 09728e098a..1f860bcd29 100755
--- a/bin/tests/system/legacy/tests.sh
+++ b/bin/tests/system/legacy/tests.sh
@@ -17,6 +17,60 @@ DIGOPTS="-p ${PORT}"
 status=0
 n=0
+n=`expr $n + 1`
+echo_i "checking formerr edns server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.8 ednsformerr soa > dig.out.1.test$n || ret=1
+grep "status: FORMERR" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noedns @10.53.0.8 ednsformerr soa > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to formerr edns server succeeds ($n)"
+ret=0
+$DIG $DIGOPTS +tcp @10.53.0.1 ednsformerr soa > dig.out.test$n || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking notimp edns server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.9 ednsnotimp soa > dig.out.1.test$n || ret=1
+grep "status: NOTIMP" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noedns @10.53.0.9 ednsnotimp soa > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to notimp edns server fails ($n)"
+ret=0
+$DIG $DIGOPTS +tcp @10.53.0.1 ednsnotimp soa > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking refused edns server setup ($n)"
+ret=0
+$DIG $DIGOPTS +edns @10.53.0.10 ednsrefused soa > dig.out.1.test$n || ret=1
+grep "status: REFUSED" dig.out.1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noedns @10.53.0.10 ednsrefused soa > dig.out.2.test$n || ret=1
+grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking recursive lookup to refused edns server fails ($n)"
+ret=0
+$DIG $DIGOPTS +tcp @10.53.0.1 ednsrefused soa > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "checking drop edns server setup ($n)"
 ret=0
@@ -34,10 +88,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 n=`expr $n + 1`
-echo_i "checking recursive lookup to drop edns server succeeds ($n)"
+echo_i "checking recursive lookup to drop edns server fails ($n)"
 ret=0
-$DIG $DIGOPTS +tcp @10.53.0.1 dropedns soa > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +tcp @10.53.0.1 dropedns soa > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -55,10 +109,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 n=`expr $n + 1`
-echo_i "checking recursive lookup to drop edns + no tcp server succeeds ($n)"
+echo_i "checking recursive lookup to drop edns + no tcp server fails ($n)"
 ret=0
-$DIG $DIGOPTS +tcp @10.53.0.1 dropedns-notcp soa > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +tcp @10.53.0.1 dropedns-notcp soa > dig.out.test$n
+grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
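Review bot: The negative checks added here (`checking recursive lookup to notimp edns server fails` and the refused one) run `$DIG ... > dig.out.test$n` with no `|| ret=1` and then treat the absence of `status: NOERROR` as success, so a dig that gets no answer from 10.53.0.1 at all, or an empty output file, also passes. The dropedns hunks at `@@ -34` and `@@ -55` use the same shape, while the edns512-notcp hunk further down keeps `|| ret=1` on the dig line, so the four negative tests are not consistent with each other. Asserting the rcode actually expected pins the behaviour instead of "anything but NOERROR": keep `|| ret=1` on the dig line and use `grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1`. Which rcode the resolver returns in these cases is not shown on this page, so confirm it against a run before changing the expectation.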
@@ -135,10 +189,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 n=`expr $n + 1`
-echo_i "checking recursive lookup to edns 512 + no tcp server succeeds ($n)"
+echo_i "checking recursive lookup to edns 512 + no tcp server fails ($n)"
 ret=0
 $DIG $DIGOPTS +tcp @10.53.0.1 edns512-notcp soa > dig.out.test$n || ret=1
-grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
diff --git a/bin/tests/system/start.pl b/bin/tests/system/start.pl
index 6380ccb154..dc790bc607 100755
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@@ -195,14 +195,20 @@ sub start_server {
 $command .= "-X named.lock ";
 $command .= "-m record,size,mctx ";
 $command .= "-T clienttest ";
- $command .= "-T nosoa "
- if (-e "$testdir/$server/named.nosoa");
+ $command .= "-T dropedns "
+ if (-e "$testdir/$server/named.dropedns");
+ $command .= "-T ednsformerr "
+ if (-e "$testdir/$server/named.ednsformerr");
+ $command .= "-T ednsnotimp "
+ if (-e "$testdir/$server/named.ednsnotimp");
+ $command .= "-T ednsrefused "
+ if (-e "$testdir/$server/named.ednsrefused");
 $command .= "-T noaa "
 if (-e "$testdir/$server/named.noaa");
 $command .= "-T noedns "
 if (-e "$testdir/$server/named.noedns");
- $command .= "-T dropedns "
- if (-e "$testdir/$server/named.dropedns");
+ $command .= "-T nosoa "
+ if (-e "$testdir/$server/named.nosoa");
 $command .= "-T maxudp512 "
 if (-e "$testdir/$server/named.maxudp512");
 $command .= "-T maxudp1460 "
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index cbc1aa8348..b4aa094630 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
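Review bot: The marker-file to `-T` option mapping in start_server now has nine undocumented entries, and the new `named.ednsformerr` / `named.ednsnotimp` / `named.ednsrefused` markers are explained only by their names; a short comment above the `-X named.lock` line, such as `# Each $testdir/$server/named.<flag> marker file turns on the matching -T <flag> test-only option in named; keep the list alphabetical.`, would tell the next test author where to look. The hunk also moves the existing `nosoa` and `dropedns` entries to alphabetical positions, and mixing that reorder with the additions makes the genuinely new lines harder to pick out in review. sub start_server starts and ends outside the hunk.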
@@ -2327,26 +2327,6 @@ issecuredomain(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type,
 return (dns_view_issecuredomain(view, name, now, checknta, issecure));
 }
-static bool
-wouldvalidate(fetchctx_t *fctx) {
- bool secure_domain;
- isc_result_t result;
- isc_stdtime_t now;
-
- if (!fctx->res->view->enablevalidation)
- return (false);
-
- if (fctx->res->view->dlv != NULL)
- return (true);
-
- isc_stdtime_get(&now);
- result = dns_view_issecuredomain(fctx->res->view, &fctx->name,
- now, true, &secure_domain);
- if (result != ISC_R_SUCCESS)
- return (false);
- return (secure_domain);
-}
-
 static isc_result_t
 resquery_send(resquery_t *query) {
 fetchctx_t *fctx;
@@ -2514,25 +2494,11 @@ resquery_send(resquery_t *query) {
 if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0)
 query->options |= DNS_FETCHOPT_NOEDNS0;
- /* See if response history indicates that EDNS is not supported. */
- if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0 &&
- dns_adb_noedns(fctx->adb, query->addrinfo))
- query->options |= DNS_FETCHOPT_NOEDNS0;
-
 if (fctx->timeout && (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 isc_sockaddr_t *sockaddr = &query->addrinfo->sockaddr;
 struct tried *tried;
- if (fctx->timeouts > (MAX_EDNS0_TIMEOUTS * 2) &&
- (!EDNSOK(query->addrinfo) || !wouldvalidate(fctx))) {
- query->options |= DNS_FETCHOPT_NOEDNS0;
- fctx->reason = "disabling EDNS";
- } else if ((tried = triededns512(fctx, sockaddr)) != NULL &&
- tried->count >= 2U &&
- (!EDNSOK(query->addrinfo) || !wouldvalidate(fctx))) {
- query->options |= DNS_FETCHOPT_NOEDNS0;
- fctx->reason = "disabling EDNS";
- } else if ((tried = triededns(fctx, sockaddr)) != NULL) {
+ if ((tried = triededns(fctx, sockaddr)) != NULL) {
 if (tried->count == 1U) {
 hint = dns_adb_getudpsize(fctx->adb,
 query->addrinfo);
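Review bot: After the `@@ -2514` hunk, resquery_send no longer clears EDNS on its own: the `dns_adb_noedns()` history check and both timeout-driven `fctx->reason = "disabling EDNS"` branches are removed, and the only remaining source of DNS_FETCHOPT_NOEDNS0 in view is the copy from `query->addrinfo->flags` on the first context line. That is a deliberate policy change (the tests.sh hunks in this commit now expect lookups through EDNS-dropping servers to fail, and the removal of wouldvalidate() in the hunk above is consistent with it), so the surviving `if (fctx->timeout && ...)` block deserves a comment saying so, e.g. `/* On timeout only the advertised UDP size is stepped down via triededns(); EDNS itself is never disabled here. */`. If this was the last caller of dns_adb_noedns(), that function and the adb state it reads are now dead and worth removing in a follow-up; that cannot be confirmed from this diff. resquery_send continues outside the hunk.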
@@ -2619,15 +2585,6 @@ resquery_send(resquery_t *query) {
 ednsopts[ednsopt].value = NULL;
 ednsopt++;
 }
-#if DNS_EDNS_VERSION > 0
- /*
- * Some EDNS(0) servers don't ignore unknown options
- * as it was not a explict requirement of RFC 2671.
- * Only send COOKIE to EDNS(1) servers.
- */
- if (version < 1)
- sendcookie = false;
-#endif
 if (sendcookie) {
 INSIST(ednsopt < DNS_EDNSOPTIONS);
 ednsopts[ednsopt].code = DNS_OPT_COOKIE;
@@ -9402,7 +9359,6 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
 resquery_t *query = rctx->query;
 isc_buffer_t b;
 char code[64];
- unsigned char cookie[64];
 if (fctx->rmessage->rcode == dns_rcode_noerror ||
 fctx->rmessage->rcode == dns_rcode_yxdomain ||
@@ -9423,24 +9379,7 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
 " due to bad server", fctx->info);
 fctx->qmin_labels = DNS_MAX_LABELS + 1;
 result = rctx_answer_minimized(rctx);
- } else if (!NOCOOKIE(query->addrinfo) &&
- (fctx->rmessage->rcode == dns_rcode_formerr ||
- fctx->rmessage->rcode == dns_rcode_notimp ||
- fctx->rmessage->rcode == dns_rcode_refused) &&
- dns_adb_getcookie(fctx->adb, query->addrinfo,
- cookie, sizeof(cookie)) == 0U)
- {
- /*
- * Some servers do not ignore unknown EDNS options.
- */
- dns_adb_changeflags(fctx->adb, query->addrinfo,
- FCTX_ADDRINFO_NOCOOKIE,
- FCTX_ADDRINFO_NOCOOKIE);
- rctx->resend = true;
- } else if ((fctx->rmessage->rcode == dns_rcode_formerr ||
- fctx->rmessage->rcode == dns_rcode_notimp ||
- (fctx->rmessage->rcode == dns_rcode_servfail &&
- dns_message_getopt(fctx->rmessage) == NULL)) &&
+ } else if ((fctx->rmessage->rcode == dns_rcode_formerr) &&
 (rctx->retryopts & DNS_FETCHOPT_NOEDNS0) == 0)
 {
 /*
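Review bot: The added condition in the `@@ -9423` hunk, `} else if ((fctx->rmessage->rcode == dns_rcode_formerr) &&`, narrows the retry-without-EDNS path to FORMERR only (NOTIMP and OPT-less SERVFAIL no longer trigger it), but the explanatory comment that opens on the hunk's last line (`/*`) lies outside view and very likely still describes the old multi-rcode rule; it should be re-read against the new condition. The parentheses around the single comparison are left over from the removed disjunction and can go: `} else if (fctx->rmessage->rcode == dns_rcode_formerr &&`. Since this is now the one rcode-driven fallback to a plain query left in rctx_badserver, it is worth saying so in that comment, including that the retry presumably goes out without the OPT-carried options the first query had, so a reader sees why the trigger was deliberately limited to FORMERR. rctx_badserver continues outside the hunk.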
@@ -9485,28 +9424,8 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
 unsigned int version;
 #if DNS_EDNS_VERSION > 0
 unsigned int flags, mask;
-#else
- bool setnocookie = false;
 #endif
- /*
- * Some servers return BADVERS to unknown
- * EDNS options. This cannot be long term
- * strategy. Do not disable COOKIE if we have
- * already have received a COOKIE from this
- * server.
- */
- if (dns_adb_getcookie(fctx->adb, query->addrinfo,
- cookie, sizeof(cookie)) == 0U) {
-#if DNS_EDNS_VERSION <= 0
- if (!NOCOOKIE(query->addrinfo))
- setnocookie = true;
-#endif
- dns_adb_changeflags(fctx->adb, query->addrinfo,
- FCTX_ADDRINFO_NOCOOKIE,
- FCTX_ADDRINFO_NOCOOKIE);
- }
-
 INSIST(rctx->opt != NULL);
 version = (rctx->opt->ttl >> 16) & 0xff;
 #if DNS_EDNS_VERSION > 0
@@ -9544,12 +9463,8 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
 rctx->next_server = true;
 }
 #else
- if (version == 0U && setnocookie) {
- rctx->resend = true;
- } else {
- rctx->broken_server = DNS_R_BADVERS;
- rctx->next_server = true;
- }
+ rctx->broken_server = DNS_R_BADVERS;
+ rctx->next_server = true;
 #endif
 } else if (fctx->rmessage->rcode == dns_rcode_badcookie &&
 fctx->rmessage->cc_ok)
diff --git a/util/copyrights b/util/copyrights
index a8c7e77ecb..4b2dfd62d1 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -1433,6 +1433,9 @@
 ./bin/tests/system/legacy/ns1/named2.conf.in CONF-C 2014,2016,2018
 ./bin/tests/system/legacy/ns1/root.db ZONE 2014,2016,2018
 ./bin/tests/system/legacy/ns1/trusted.conf X 2014,2018
+./bin/tests/system/legacy/ns10/ednsrefused.db ZONE 2018
+./bin/tests/system/legacy/ns10/named.conf.in CONF-C 2018
+./bin/tests/system/legacy/ns10/named.ednsrefused X 2018
 ./bin/tests/system/legacy/ns2/dropedns.db ZONE 2014,2016,2018
 ./bin/tests/system/legacy/ns2/named.conf.in CONF-C 2014,2016,2018
 ./bin/tests/system/legacy/ns2/named.dropedns X 2014,2018
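Review bot: In the `@@ -9544` hunk the `#else` arm is reduced to `rctx->broken_server = DNS_R_BADVERS;` and `rctx->next_server = true;`, and the context lines immediately above (`rctx->next_server = true;` followed by `}`) show the `#if DNS_EDNS_VERSION > 0` arm ending with the same `next_server` assignment. If that arm has no other exit, both assignments can be hoisted below the `#endif` so the conditional compilation covers only the version/flags handling and the BADVERS outcome is stated once; most of that arm lies outside the hunk, so confirm before moving them. The matching `@@ -9485` hunk leaves `#if DNS_EDNS_VERSION > 0` guarding only `unsigned int flags, mask;`, which is fine but would also simplify if the tail were hoisted. rctx_badserver continues outside the hunk.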
@@ -1458,6 +1461,12 @@
 ./bin/tests/system/legacy/ns7/named.conf.in CONF-C 2014,2016,2018
 ./bin/tests/system/legacy/ns7/named.notcp X 2014,2018
 ./bin/tests/system/legacy/ns7/sign.sh SH 2014,2016,2018
+./bin/tests/system/legacy/ns8/ednsformerr.db ZONE 2018
+./bin/tests/system/legacy/ns8/named.conf.in CONF-C 2018
+./bin/tests/system/legacy/ns8/named.ednsformerr X 2018
+./bin/tests/system/legacy/ns9/ednsnotimp.db ZONE 2018
+./bin/tests/system/legacy/ns9/named.conf.in CONF-C 2018
+./bin/tests/system/legacy/ns9/named.ednsnotimp X 2018
 ./bin/tests/system/legacy/setup.sh SH 2014,2016,2018
 ./bin/tests/system/legacy/tests.sh SH 2014,2015,2016,2018
 ./bin/tests/system/limits/clean.sh SH 2000,2001,2004,2007,2012,2014,2015,2016,2018