[9.20] new: usr: Add support for EDE 20 (Not Authoritative)

Support was added for EDE codes 20 (Not Authoritative) when client requests recursion (RD) but the server has recursion disabled. RFC 8914 mention EDE 20 should also be returned if the client doesn't have the RD bit set (and recursion is needed) but it doesn't apply for BIND as BIND would try to resolve from the "deepest" referral in AUTHORITY section. For example, if the client asks for "www.isc.org/A" but the server only knows the root domain, it will return NOERROR but no answer for "www.isc.og/A", just the list of other servers to ask. See #1836 Backport of MR !10228 Merge branch 'backport-1836-not-authoritative-9.20' into 'bind-9.20' See merge request isc-projects/bind9!10243
2025-08-30 14:07:59 +00:00 · 2025-03-13 16:19:26 +00:00
parent 27442c3104 9e35e7dcb9
commit f8a293aa11
4 changed files with 37 additions and 0 deletions
--- a/bin/tests/system/resolver/ns11/named.conf.in
+++ b/bin/tests/system/resolver/ns11/named.conf.in
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	query-source address 10.53.0.11;
+	notify-source 10.53.0.11;
+	transfer-source 10.53.0.11;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.11; };
+	listen-on-v6 { none; };
+	recursion no;
+	dnssec-validation no;
+};
--- a/bin/tests/system/resolver/setup.sh
+++ b/bin/tests/system/resolver/setup.sh
@@ -24,5 +24,6 @@ copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named1.conf.in ns7/named.conf
 copy_setports ns9/named.conf.in ns9/named.conf
+copy_setports ns11/named.conf.in ns11/named.conf

 (cd ns6 && $SHELL keygen.sh)
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -1016,5 +1016,14 @@ ttl=$(awk '{print $2}' dig.ns1.out.${n})
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "client requests recursion but it is disabled - expect EDE 20 code with REFUSED($n)"
+ret=0
+dig_with_opts +recurse www.isc.org @10.53.0.11 a >dig.out.ns11.test${n} || ret=1
+grep "status: REFUSED" dig.out.ns11.test${n} >/dev/null || ret=1
+grep -F "EDE: 20 (Not Authoritative)" dig.out.ns11.test${n} >/dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5855,6 +5855,9 @@ ns__query_start(query_ctx_t *qctx) {
 	if (result != ISC_R_SUCCESS) {
 		if (result == DNS_R_REFUSED) {
 			if (WANTRECURSION(qctx->client)) {
+				dns_ede_add(&qctx->client->edectx,
+					    DNS_EDE_NOTAUTH,
+					    "recursion disabled");
 				inc_stats(qctx->client,
 					  ns_statscounter_recurserej);
 			} else {