Commit f0da0a35 authored by Vladimír Čunát's avatar Vladimír Čunát

avoid iterating from a too short zone cut

Example: after a foo.sk query, a bar.sk query started iterating by
asking the root again for NS sk.  This bug was present on insecure zones,
and before version 2.0.0 only on those that have a secure parent.
(These two parts of the bug correspond to the two changes in this commit.)

Fixes knot/knot-resolver#246
parent 7c10e045
Knot Resolver 2.x.y (2018-02-zz)
================================
Bugfixes
--------
- when iterating, avoid unnecessary queries for NS in insecure parent.
This problem worsened in 2.0.0. (#246)
Knot Resolver 2.1.0 (2018-02-16)
================================
......
......@@ -417,6 +417,22 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_
} else {
VERBOSE_MSG(qry, "<= DS doesn't exist, going insecure\n");
qry->flags.DNSSEC_NODS = true;
/* Rank the corresponding nonauth NS as insecure. */
for (int i = 0; i < req->auth_selected.len; ++i) {
ranked_rr_array_entry_t *ns = req->auth_selected.at[i];
if (ns->qry_uid != qry->uid || !ns->rr
|| ns->rr->type != KNOT_RRTYPE_NS) {
continue;
}
/* Found the record. Note: this is slightly fragile
* in case there were more NS records in the packet.
* As it is now, kr_nsec*_ref_to_unsigned consider
* (only) the first NS record in the packet. */
if (!kr_rank_test(ns->rank, KR_RANK_AUTH)) { /* sanity */
ns->rank = KR_RANK_INSECURE;
}
break;
}
}
return ret;
} else if (qry->flags.FORWARD && qry->parent) {
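Review bot: The new loop in the "DS doesn't exist" branch re-ranks the first NS entry whose `qry_uid` matches, without comparing the record's owner name with the delegation whose DS absence was just proven. The in-code comment already calls this fragile when the packet carries more than one NS RRset; in that case a non-authoritative NS set for a different owner could be raised to `KR_RANK_INSECURE`, and rank presumably influences what is trusted later. Consider extending the skip condition with an owner check, e.g. `|| !knot_dname_is_equal(ns->rr->owner, <delegation owner name>)`, and replacing `/* sanity */` with a comment that says why an entry carrying the AUTH bit is left untouched. `update_delegation` starts before and continues after this hunk, so the correct name to compare against has to be confirmed there.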
......
......@@ -308,14 +308,16 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut,
if (ret != 0) {
return ret;
}
int32_t new_ttl = kr_cache_ttl(&peek, qry, name, KNOT_RRTYPE_NS);
if (new_ttl < 0) {
return kr_error(ESTALE);
}
/* Note: we accept *any* rank from the cache. We assume that nothing
* completely untrustworthy could get into the cache, e.g out-of-bailiwick
* records that weren't validated.
*/
*rank = peek.rank;
int32_t new_ttl = kr_cache_ttl(&peek, qry, name, KNOT_RRTYPE_NS);
if (new_ttl < 0) {
return kr_error(ESTALE);
}
/* Materialize the rdataset temporarily, for simplicity. */
knot_rdataset_t ns_rds = { 0, NULL };
ret = kr_cache_materialize(&ns_rds, &peek, new_ttl, cut->pool);
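Review bot: As the page renders it, `*rank = peek.rank;` now runs before the `kr_cache_ttl()` check, so the caller's rank is overwritten with the rank of an expired entry even when the function returns `kr_error(ESTALE)`. If any caller reads `*rank` after a failed call (callers are not visible here), it would act on a stale record's trust level; either state the contract, e.g. `/* *rank is valid only when 0 is returned. */`, or assign `*rank` only after the TTL check passes. The "accept *any* rank" comment records a trust assumption about cache contents, and it would help to name where that invariant is enforced on insertion. `fetch_ns` begins above and continues below this hunk.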
......