If possible don't use forwarders when priming the resolver.
If we try to fetch a record from cache and need to look into the hints database, we assume that the resolver is not primed and start dns_resolver_prime(). The priming query is supposed to return NSes for "." in the ANSWER section and glue records for them in the ADDITIONAL section, so that we can fill that info into the 'regular' cache and not use the hints db anymore. However, if we're using a forwarder the priming query goes through it, and if it's configured to return minimal answers we won't get the addresses of root servers in the ADDITIONAL section. Since the only records for root servers we have are in the hints database, we'll try to prime the resolver with every single query. This patch adds a DNS_FETCHOPT_NOFORWARD flag which avoids using forwarders if possible (that is, if we have a forward-first policy). Using this flag on the priming fetch fixes the problem, as we get the proper glue. With a forward-only policy the problem is non-existent, as we'll never ask for root server addresses because we'll never have a need to query them. Also added a test to confirm priming queries are not forwarded.
committed by
Evan Hunt
parent
a97a63ad51
commit
b49310ac06
6
CHANGES
6
CHANGES
@@ -1,3 +1,9 @@
|
||||
5139. [bug] If possible, don't use forwarders when priming.
|
||||
This ensures we can get root server IP addresses
|
||||
from priming query response glue, which may not
|
||||
be present if the forwarding server is returning
|
||||
minimal responses. [GL #752]
|
||||
|
||||
5138. [bug] Under some circumstances named could hit an assertion
|
||||
failure when doing qname minimization when using
|
||||
forwarders. [GL #797]
|
||||
|
@@ -19,6 +19,7 @@ options {
|
||||
listen-on-v6 { none; };
|
||||
recursion yes;
|
||||
dnssec-validation yes;
|
||||
minimal-responses yes;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
|
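--- /dev/null
+++ b/bin/tests/system/forward/ns7/named.conf.in
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.7;
+	notify-source 10.53.0.7;
+	transfer-source 10.53.0.7;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.7; };
+	listen-on-v6 { none; };
+	forwarders { 10.53.0.4; };
+	forward first;
+	dnssec-validation yes;
+};
+
+zone "." {
+	type hint;
+	file "root.db";
+};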
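--- /dev/null
+++ b/bin/tests/system/forward/ns7/root.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+.			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100	; serial
+				600		; refresh
+				600		; retry
+				1200		; expire
+				600		; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+example1		NS	ns.example1
+ns.example1		A	10.53.0.1
+
+example2		NS	ns.example2
+ns.example2		A	10.53.0.1
+
+example3		NS	ns.example3
+ns.example3		A	10.53.0.1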
@@ -18,3 +18,4 @@ copy_setports ns2/named.conf.in ns2/named.conf
|
||||
copy_setports ns3/named.conf.in ns3/named.conf
|
||||
copy_setports ns4/named.conf.in ns4/named.conf
|
||||
copy_setports ns5/named.conf.in ns5/named.conf
|
||||
copy_setports ns7/named.conf.in ns7/named.conf
|
||||
|
@@ -147,5 +147,17 @@ if [ $sent -ne 1 ]; then ret=1; fi
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo_i "checking that priming queries are not forwarded"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.f7 || ret=1
|
||||
sent=`sed -n '/sending packet to 10.53.0.1/,/^$/p' ns7/named.run | grep ";.*IN.*NS" | wc -l`
|
||||
[ $sent -eq 1 ] || ret=1
|
||||
sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run | wc -l`
|
||||
[ $sent -eq 0 ] || ret=1
|
||||
sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run | wc -l`
|
||||
[ $sent -eq 1 ] || ret=1
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo_i "exit status: $status"
|
||||
[ $status -eq 0 ] || exit 1
|
||||
|
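Review bot: The dig output written to dig.out.f7 on the first line of the new check is never inspected, so the check passes as long as dig exits 0 even if ns7 answered SERVFAIL; adding `grep "status: NOERROR" dig.out.f7 > /dev/null || ret=1` directly after the dig line would pin that the forward-first path still resolved the name while the priming query bypassed the forwarder. The three `sent` counts depend on ns7's "sending packet to" debug trace and on query logging being enabled on ns1 and ns4; that is presumably configured elsewhere in the test setup, but if it is not, the `-eq 0` assertion against ns4/named.run passes vacuously. Counting exactly one approved './NS/IN' query on ns1 also assumes a single priming attempt per run, so a retried priming query would make the test fail spuriously — worth confirming against the dig options and server timeouts used here.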
@@ -118,6 +118,8 @@ typedef enum {
|
||||
when doing qname
|
||||
minimization on
|
||||
ip6.arpa. */
|
||||
#define DNS_FETCHOPT_NOFORWARD 0x00080000 /*%< Do not use forwarders
|
||||
if possible. */
|
||||
|
||||
/* Reserved in use by adb.c 0x00400000 */
|
||||
#define DNS_FETCHOPT_EDNSVERSIONSET 0x00800000
|
||||
|
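Review bot: The new comment on DNS_FETCHOPT_NOFORWARD says only "if possible", which leaves the reader to discover elsewhere when the flag is honoured; since the accompanying resolver.c change skips forwarders only when the fetch's forwarding policy is not forward-only, I would spell that out: `/*%< Do not use forwarders unless the forwarding policy is forward-only (used by the priming fetch to obtain root server glue). */`. I am assuming 0x00080000 is not already taken by a neighbouring DNS_FETCHOPT_ value outside the hunk; only the preceding entry and DNS_FETCHOPT_EDNSVERSIONSET (0x00800000) are visible here, so that is worth a quick check against the full list.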
@@ -3510,6 +3510,18 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
|
||||
INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
|
||||
|
||||
/*
|
||||
* If we have DNS_FETCHOPT_NOFORWARD set and forwarding policy
|
||||
* allows us to not forward - skip forwarders and go straight
|
||||
* to NSes. This is currently used to make sure that priming query
|
||||
* gets root servers' IP addresses in ADDITIONAL section.
|
||||
*/
|
||||
if ((fctx->options & DNS_FETCHOPT_NOFORWARD) != 0 &&
|
||||
(fctx->fwdpolicy != dns_fwdpolicy_only))
|
||||
{
|
||||
goto normal_nses;
|
||||
}
|
||||
|
||||
/*
|
||||
* If this fctx has forwarders, use them; otherwise use any
|
||||
* selective forwarders specified in the view; otherwise use the
|
||||
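Review bot: The new guard in fctx_getaddresses reads `fctx->fwdpolicy` before the forwarder selection it jumps over, so it only does what its comment promises if fwdpolicy is already final when fctx_getaddresses runs; if the skipped block (the view-level selective-forwarder lookup the following comment describes) is what assigns fwdpolicy for this fetch, a forward-only configuration found there would be bypassed for the priming query — worth confirming against where fctx->fwdpolicy is set at fetch creation. The same consideration applies to the `normal_nses:` label introduced in the next hunk, which lands after any per-fetch forwarder state would have been established. I would also extend the comment on the guard with `/* fwdpolicy must already reflect the view's forwarders here, otherwise forward-only is not honoured for this fetch. */` so the dependency is explicit. fctx_getaddresses continues outside both hunks.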
@@ -3595,7 +3607,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
|
||||
/*
|
||||
* Normal nameservers.
|
||||
*/
|
||||
|
||||
normal_nses:
|
||||
stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
|
||||
if (fctx->restarts == 1) {
|
||||
/*
|
||||
@@ -10202,12 +10214,11 @@ dns_resolver_prime(dns_resolver_t *res) {
|
||||
LOCK(&res->primelock);
|
||||
result = dns_resolver_createfetch(res, dns_rootname,
|
||||
dns_rdatatype_ns,
|
||||
NULL, NULL, NULL, NULL, 0, 0,
|
||||
0, NULL,
|
||||
res->buckets[0].task,
|
||||
prime_done,
|
||||
res, rdataset, NULL,
|
||||
&res->primefetch);
|
||||
NULL, NULL, NULL, NULL, 0,
|
||||
DNS_FETCHOPT_NOFORWARD, 0,
|
||||
NULL, res->buckets[0].task,
|
||||
prime_done, res, rdataset,
|
||||
NULL, &res->primefetch);
|
||||
UNLOCK(&res->primelock);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
isc_mem_put(res->mctx, rdataset, sizeof(*rdataset));
|
||||
|
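Review bot: The call site in dns_resolver_prime passes DNS_FETCHOPT_NOFORWARD without saying why, and the rationale lives only in a comment inside fctx_getaddresses; a one-line comment above the dns_resolver_createfetch call, `/* Bypass forwarders where policy allows so the priming response carries root server glue (DNS_FETCHOPT_NOFORWARD). */`, keeps the reason next to the flag. Passing the flag positionally in a run of NULL/0 arguments also makes it easy to misplace; I take it the word following the first `0` is the options parameter, but that cannot be checked from this hunk and is worth a glance at the prototype. dns_resolver_prime starts before and ends after the hunk.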