Commit a053234c authored by Vladimír Čunát's avatar Vladimír Čunát

validate: wildcard expansion -> adjust to_wire

We pushed all authority to the wire, but that was unnecessary,
and in particular it clashed with not validating NS in authority when
forwarding (new change).  Let's only apply this to NSEC* RRs.
parent e9554a37
......@@ -20,6 +20,7 @@ Improvements
- root hints are now loaded from a zonefile; exposed as hints.root_file().
You can override the path by defining ROOTHINTS during compilation.
- policy.FORWARD: work around resolvers adding unsigned NS records (#248)
- reduce unneeded records previously put into authority in wildcarded answers
Knot Resolver 1.3.3 (2017-08-09)
......
......@@ -739,7 +739,7 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req)
return KR_STATE_DONE;
}
/** @internal like process_answer() but for the forwarding mode. */
/** @internal like process_answer() but for the STUB mode. */
static int process_stub(knot_pkt_t *pkt, struct kr_request *req)
{
struct kr_query *query = req->current_query;
......
......@@ -782,6 +782,27 @@ static void check_wildcard(kr_layer_t *ctx)
}
}
/** Just for wildcard_adjust_to_wire() */
static bool rr_is_for_wildcard(const ranked_rr_array_entry_t *entry)
{
switch (kr_rrset_type_maysig(entry->rr)) {
case KNOT_RRTYPE_NSEC:
case KNOT_RRTYPE_NSEC3:
return true;
default:
return false;
}
}
/** In case of wildcard expansion, mark required authority RRs by to_wire. */
static int wildcard_adjust_to_wire(struct kr_request *req, const struct kr_query *qry)
{
if (!qry->parent && qry->flags.DNSSEC_WEXPAND) {
return kr_ranked_rrarray_set_wire(&req->auth_selected, true,
qry->uid, true, &rr_is_for_wildcard);
}
return kr_ok();
}
static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
{
int ret = 0;
......@@ -838,12 +859,7 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
/* Pass-through if CD bit is set. */
if (knot_wire_get_cd(req->answer->wire)) {
check_wildcard(ctx);
/* Check if wildcard expansion happens.
* If yes, copy authority. */
if ((qry->parent == NULL) &&
(qry->flags.DNSSEC_WEXPAND)) {
kr_ranked_rrarray_set_wire(&req->auth_selected, true, qry->uid, true);
}
wildcard_adjust_to_wire(req, qry);
rank_records(ctx, KR_RANK_OMIT);
return ctx->state;
}
......@@ -984,11 +1000,7 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
}
}
/* Check if wildcard expansion detected for final query.
* If yes, copy authority. */
if ((qry->parent == NULL) && (qry->flags.DNSSEC_WEXPAND)) {
kr_ranked_rrarray_set_wire(&req->auth_selected, true, qry->uid, true);
}
wildcard_adjust_to_wire(req, qry);
/* Check and update current delegation point security status. */
ret = update_delegation(req, qry, pkt, has_nsec3);
......
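Review bot: Both new call sites in validate(), `wildcard_adjust_to_wire(req, qry);` in the CD pass-through branch and just before update_delegation(), discard the int that the helper now propagates from kr_ranked_rrarray_set_wire(), as the removed code also did. If the marking fails, a wildcard-expanded answer would presumably leave without the NSEC/NSEC3 records in authority, and a validating client downstream could not check the expansion. Consider `ret = wildcard_adjust_to_wire(req, qry); if (ret != 0) return KR_STATE_FAIL;`, or declare the helper `void` with a comment if ignoring the error is intended. The body of validate() continues outside these hunks, so the appropriate failure path there is an assumption to confirm.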
......@@ -586,13 +586,17 @@ int kr_ranked_rrarray_add(ranked_rr_array_t *array, const knot_rrset_t *rr,
}
int kr_ranked_rrarray_set_wire(ranked_rr_array_t *array, bool to_wire,
uint32_t qry_uid, bool check_dups)
uint32_t qry_uid, bool check_dups,
bool (*extraCheck)(const ranked_rr_array_entry_t *))
{
for (size_t i = 0; i < array->len; ++i) {
ranked_rr_array_entry_t *entry = array->at[i];
if (entry->qry_uid != qry_uid) {
continue;
}
if (extraCheck != NULL && !extraCheck(entry)) {
continue;
}
entry->to_wire = to_wire;
if (check_dups) {
int ret = to_wire_ensure_unique(array, i);
......
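Review bot: The new parameter name `extraCheck` is camelCase, while every other parameter of kr_ranked_rrarray_set_wire() visible here (`to_wire`, `qry_uid`, `check_dups`) is snake_case. `bool (*extra_check)(const ranked_rr_array_entry_t *)` would match, with the same rename applied to the header declaration and its `@param` line. The function body continues past the end of this hunk.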
......@@ -252,10 +252,12 @@ int kr_ranked_rrarray_add(ranked_rr_array_t *array, const knot_rrset_t *rr,
* @param to_wire Records must be\must not be recorded in final answer.
* @param qry_uid Query uid.
* @param check_dups When to_wire is true, try to avoid duplicate RRSets.
* @param extraCheck optional function checking whether to consider the record
* @return 0 or an error
*/
int kr_ranked_rrarray_set_wire(ranked_rr_array_t *array, bool to_wire,
uint32_t qry_uid, bool check_dups);
uint32_t qry_uid, bool check_dups,
bool (*extraCheck)(const ranked_rr_array_entry_t *));
void kr_rrset_print(const knot_rrset_t *rr, const char *prefix);
void kr_qry_print(const struct kr_query *qry, const char *prefix, const char *postfix);
......
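Review bot: The added `@param extraCheck` line does not say that NULL is accepted, nor what happens to a record the callback rejects. Judging from the implementation hunk, NULL disables the filter and a rejected entry is skipped, so its to_wire flag keeps its previous value instead of being cleared. That matters to a caller passing `to_wire = true` who expects only the matching records to end up on the wire. Suggested wording: `@param extraCheck optional filter (may be NULL); entries for which it returns false are left unchanged`.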
Subproject commit 11278dd9604cab43c25b666dec424b2f4817076a
Subproject commit 671ecfe2d545f6dc5afa4a2a854a88ed575a5a90