- Fix to use the now cached EDE, if any, for CD_bit queries.
authorGeorge Thessalonikefs <george@nlnetlabs.nl>
Tue, 1 Aug 2023 13:23:25 +0000 (15:23 +0200)
committerGeorge Thessalonikefs <george@nlnetlabs.nl>
Tue, 1 Aug 2023 13:23:25 +0000 (15:23 +0200)
daemon/worker.c
doc/Changelog
testdata/ede.tdir/ede.test

index 1b988ed36c404174c441ff0fa7ab3afeb668be53..34086ce59b6cbd60cf388c1d33125f033d8aa394 100644 (file)
@@ -475,7 +475,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
        uint16_t udpsize = edns->udp_size;
        int secure = 0;
        time_t timenow = *worker->env.now;
-       int must_validate = (!(flags&BIT_CD) || worker->env.cfg->ignore_cd)
+       int has_cd_bit = (flags&BIT_CD);
+       int must_validate = (!has_cd_bit || worker->env.cfg->ignore_cd)
                && worker->env.need_to_validate;
        struct dns_msg *msg = NULL;
        struct delegpt *dp;
@@ -546,6 +547,16 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
                worker->env.now_tv))
                        return 0;
        msg->rep->flags |= BIT_QR|BIT_RA;
+       /* Attach the cached EDE (RFC8914) if CD bit is set and the answer is
+        * bogus. */
+       if(worker->env.cfg->ede && has_cd_bit &&
+               (check_delegation_secure(msg->rep) == sec_status_bogus ||
+               check_delegation_secure(msg->rep) == sec_status_secure_sentinel_fail) &&
+               msg->rep->reason_bogus != LDNS_EDE_NONE) {
+               edns_opt_list_append_ede(&edns->opt_list_out,
+                       worker->scratchpad, msg->rep->reason_bogus,
+                       msg->rep->reason_bogus_str);
+       }
        if(!reply_info_answer_encode(&msg->qinfo, msg->rep, id, flags,
                repinfo->c->buffer, 0, 1, worker->scratchpad,
                udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) {
@@ -636,7 +647,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
        uint16_t udpsize = edns->udp_size;
        struct reply_info* encode_rep = rep;
        struct reply_info* partial_rep = *partial_repp;
-       int must_validate = (!(flags&BIT_CD) || worker->env.cfg->ignore_cd)
+       int has_cd_bit = (flags&BIT_CD);
+       int must_validate = (!has_cd_bit || worker->env.cfg->ignore_cd)
                && worker->env.need_to_validate;
        *partial_repp = NULL;  /* avoid accidental further pass */
 
@@ -763,11 +775,20 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
                                goto bail_out;
                }
        } else {
-               if (*is_expired_answer == 1 &&
+               if(*is_expired_answer == 1 &&
                        worker->env.cfg->ede_serve_expired && worker->env.cfg->ede) {
                        EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out,
                                worker->scratchpad, LDNS_EDE_STALE_ANSWER, "");
                }
+               /* Attach the cached EDE (RFC8914) if CD bit is set and the
+                * answer is bogus. */
+               if(*is_secure_answer == 0 &&
+                       worker->env.cfg->ede && has_cd_bit &&
+                       encode_rep->reason_bogus != LDNS_EDE_NONE) {
+                       edns_opt_list_append_ede(&edns->opt_list_out,
+                               worker->scratchpad, encode_rep->reason_bogus,
+                               encode_rep->reason_bogus_str);
+               }
                if(!reply_info_answer_encode(qinfo, encode_rep, id, flags,
                        repinfo->c->buffer, timenow, 1, worker->scratchpad,
                        udpsize, edns, (int)(edns->bits & EDNS_DO),
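Review bot: In the first EDE hunk of answer_norec_from_cache, `check_delegation_secure(msg->rep)` is evaluated twice inside one condition; storing it once, `enum sec_status ds = check_delegation_secure(msg->rep);`, and testing `ds == sec_status_bogus || ds == sec_status_secure_sentinel_fail` reads more clearly and avoids re-walking the reply. Both new blocks also discard the return value of `edns_opt_list_append_ede`, whereas the neighbouring stale-answer path in answer_from_cache goes through `EDNS_OPT_LIST_APPEND_EDE`; if that macro exists to report or log an append failure, the new CD-bit branches presumably should use it too, so that a failed allocation from the scratchpad is not silently dropped. The two functions also gate the EDE differently (delegation status vs. `*is_secure_answer == 0`); a short comment stating why each site uses its own predicate would help the next reader. Both enclosing functions start and end outside these hunks.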
index 448eda5f5d4f71c31f975697ecdc290b6a383ff5..48f8bd59f685ca4f8b9875357db81a23a9a1e7c5 100644 (file)
@@ -5,6 +5,7 @@
          altogether) before giving up on attaching EDE options.
        - More braces and formatting for Fix for EDNS EDE size calculation to
          avoid future bugs.
+       - Fix to use the now cached EDE, if any, for CD_bit queries.
 
 1 August 2023: Wouter
        - Fix for EDNS EDE size calculation.
index 7ce05faf93a46a2806671a51c67237dede498c57..e45085ebf1565807aa4fb4675722ca76e18b214b 100644 (file)
@@ -84,5 +84,20 @@ then
        exit 1
 fi
 
-# TODO EDE with CD bit set (EDE but no SERVFAIL) for a cached answer
+# EDE with CD bit set (EDE but no SERVFAIL) for a cached answer
+# Same test as above
+dig @127.0.0.1 -p $UNBOUND_PORT cd.dnskey-failures.test +cd > cd_bit_ede.txt
+
+if ! grep -q -e "NXDOMAIN" cd_bit_ede.txt
+then
+       echo "No NXDOMAIN reply with CD bit set for cached answer"
+       cat cd_bit_ede.txt
+       exit 1
+fi
+if ! grep -q -e "OPT=15: 00 09" -e "EDE: 9" cd_bit_ede.txt
+then
+       echo "No EDE attached with CD bit set for cached answer"
+       cat cd_bit_ede.txt
+       exit 1
+fi
 # TODO DNSSEC indeterminate when implemented