Do not cache minimal NSEC records (NSEC + RRSIG only)

these are not useful for dnssec synthesis as they can result in false NODATA responses and just consume cache memory
2025-08-31 06:25:31 +00:00 · 2021-10-19 14:40:27 +11:00
parent e906fefb7d
commit 6fae151c9d
1 changed files with 45 additions and 0 deletions
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -5141,6 +5141,47 @@ unlock:
 	}
 }

+/*
+ * typemap with just RRSIG(46) and NSEC(47) bits set.
+ *
+ * Bitmap calculation from dns_nsec_setbit:
+ *
+ *					46	47
+ *	shift = 7 - (type % 8);		0	1
+ *	mask = 1 << shift;		0x02	0x01
+ *	array[type / 8] |= mask;
+ *
+ * Window (0), bitmap length (6), and bitmap.
+ */
+static const unsigned char minimal_typemap[] = { 0, 6, 0, 0, 0, 0, 0, 0x03 };
+
+static bool
+is_minimal_nsec(dns_rdataset_t *nsecset) {
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_clone(nsecset, &rdataset);
+
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdata_nsec_t nsec;
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (nsec.len == sizeof(minimal_typemap) &&
+		    memcmp(nsec.typebits, minimal_typemap, nsec.len) == 0)
+		{
+			dns_rdataset_disassociate(&rdataset);
+			return (true);
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+	return (false);
+}
+
 /*
 * The validator has finished.
 */
@@ -5530,6 +5571,10 @@ answer_response:
 			    sigrdataset->trust != dns_trust_secure) {
 				continue;
 			}
+			if (rdataset->type == dns_rdatatype_nsec &&
+			    is_minimal_nsec(rdataset)) {
+				continue;
+			}
 			result = dns_db_findnode(fctx->cache, name, true,
 						 &nsnode);
 			if (result != ISC_R_SUCCESS) {