- Fix edns subnet, so that the subquery without subnet is stored in

  global cache if the querier used 0.0.0.0/0 and the name and address
  do not receive subnet treatment. If the name and address are
  configured for subnet, it is stored in the subnet cache.

diff --git a/doc/Changelog b/doc/Changelog
index e42128f1c281fe312d25bec7644440f763dcd05d..82e4f61ff324a3f8f74e93dfd6a29e3000b64f82 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,9 @@
+6 August 2025: Wouter
+       - Fix edns subnet, so that the subquery without subnet is stored in
+         global cache if the querier used 0.0.0.0/0 and the name and address
+         do not receive subnet treatment. If the name and address are
+         configured for subnet, it is stored in the subnet cache.
+
 5 August 2025: Wouter
        - Fix #1309: incorrectly reclaimed tcp handler can cause data
          corruption and segfault.

diff --git a/testdata/subnet_scopezero_global.crpl b/testdata/subnet_scopezero_global.crpl
new file mode 100644 (file)
index 0000000..1db7cc3
--- /dev/null
+++ b/testdata/subnet_scopezero_global.crpl
@@ -0,0 +1,280 @@
+; config options
+server:
+       target-fetch-policy: "0 0 0 0 0"
+       module-config: "subnetcache validator iterator"
+       verbosity: 4
+       qname-minimisation: no
+       ; the domain is not configured for edns-subnet
+       ;send-client-subnet: 1.2.3.4
+       client-subnet-zone: "ex2.com"
+
+stub-zone:
+       name: "."
+       stub-addr: 193.0.14.129
+
+stub-zone:
+       name: "example.com"
+       stub-addr: 1.2.3.4
+stub-zone:
+       name: "ex2.com"
+       stub-addr: 1.2.3.5
+CONFIG_END
+
+SCENARIO_BEGIN Test subnet cache with scope zero for global cache store.
+
+; the upstream server.
+RANGE_BEGIN 0 100
+       ADDRESS 193.0.14.129
+
+ENTRY_BEGIN
+MATCH opcode qtype qname ednsdata
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+       ;; we expect to receive empty
+HEX_EDNSDATA_END
+K.ROOT-SERVERS.NET.     IN      A       193.0.14.129
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 0 21
+       ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 20 61
+       ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.ex2.com. IN A
+SECTION ANSWER
+www.ex2.com. IN A   10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 90 101
+       ADDRESS 1.2.3.5
+ENTRY_BEGIN
+       MATCH opcode qtype qname ednsdata
+       ADJUST copy_id copy_ednsdata_assume_clientsubnet
+       REPLY QR NOERROR
+       SECTION QUESTION
+               www.ex2.com. IN A
+       SECTION ANSWER
+               www.ex2.com. 10 IN A    10.20.30.42
+       SECTION AUTHORITY
+               ex2.com.        IN NS   ns.ex2.com.
+       SECTION ADDITIONAL
+               HEX_EDNSDATA_BEGIN
+                                       ; client is 127.0.0.1
+                       00 08           ; OPC
+                       00 07           ; option length
+                       00 01           ; Family
+                       18 00           ; source mask, scopemask
+                       7f 00 00        ; address
+               HEX_EDNSDATA_END
+               ns.ex2.com.             IN      A       1.2.3.5
+ENTRY_END
+RANGE_END
+
+; query for 0.0.0.0/0
+STEP 10 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+       00 00 01 00 00 01 00 00         ;ID 0
+       00 00 00 01 03 77 77 77         ; www.example.com A? (DO)
+       07 65 78 61 6d 70 6c 65
+       03 63 6f 6d 00 00 01 00
+       01 00 00 29 10 00 00 00
+       80 00 00 08
+
+       00 08 00 04                     ; OPC, optlen
+       00 01 00 00                     ; ip4, scope 0, source 0
+                                       ;0.0.0.0/0
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+       00 08           ; OPC
+       00 04           ; option length
+       00 01           ; Family
+       00 00           ; source mask, scopemask
+                       ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; That that it is in global cache.
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD NOERROR
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.40
+ENTRY_END
+
+; With a query where the name is whitelisted, it should not be stored
+; in global cache.
+STEP 50 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+       00 00 01 00 00 01 00 00         ;ID 0
+       00 00 00 01 03 77 77 77         ; www.ex2.com A? (DO)
+       03 65 78 32 03 63 6f 6d
+       00 00 01 00 01 00 00 29
+       10 00 00 00 80 00 00 08
+
+       00 08 00 04                     ; OPC, optlen
+       00 01 00 00                     ; ip4, scope 0, source 0
+                                       ;0.0.0.0/0
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 60 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.ex2.com. IN A
+SECTION ANSWER
+www.ex2.com. IN A   10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+       00 08           ; OPC
+       00 04           ; option length
+       00 01           ; Family
+       00 00           ; source mask, scopemask
+                       ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+STEP 70 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+       00 00 01 00 00 01 00 00         ;ID 0
+       00 00 00 01 03 77 77 77         ; www.ex2.com A? (DO)
+       03 65 78 32 03 63 6f 6d
+       00 00 01 00 01 00 00 29
+       10 00 00 00 80 00 00 08
+
+       00 08 00 04                     ; OPC, optlen
+       00 01 00 00                     ; ip4, scope 0, source 0
+                                       ;0.0.0.0/0
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 80 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.ex2.com. IN A
+SECTION ANSWER
+www.ex2.com. IN A   10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+       00 08           ; OPC
+       00 04           ; option length
+       00 01           ; Family
+       00 00           ; source mask, scopemask
+                       ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; www.ex2.com is not in the global cache. and gets subnet treatment
+STEP 90 QUERY
+ENTRY_BEGIN
+REPLY RD NOERROR
+SECTION QUESTION
+www.ex2.com. IN A
+ENTRY_END
+
+STEP 100 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.ex2.com. IN A
+SECTION ANSWER
+www.ex2.com. IN A   10.20.30.42
+ENTRY_END
+
+; that result is in the subnet cache
+STEP 110 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+       00 00 01 00 00 01 00 00         ;ID 0
+       00 00 00 01 03 77 77 77         ; www.ex2.com A? (DO)
+       03 65 78 32 03 63 6f 6d
+       00 00 01 00 01 00 00 29
+       10 00 00 00 80 00 00 0b
+
+       00 08 00 07                     ; OPC, optlen
+                       ; ip4 127.0.0.0/24 scope /0
+       00 01           ; Family
+       18 00           ; source mask, scopemask
+       7f 00 00        ; address
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 120 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.ex2.com. IN A
+SECTION ANSWER
+www.ex2.com. IN A   10.20.30.42
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+       00 08           ; OPC
+       00 07           ; option length
+                       ; ip4 127.0.0.0/24 scope /24
+       00 01           ; Family
+       18 18           ; source mask, scopemask
+       7f 00 00        ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+SCENARIO_END