Enforce presence of query section in reply.

git-svn-id: file:///svn/unbound/trunk@1018 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index a79724e4c0060c099ff8a3a4e8271e249a80d012..06f00cebbe21078760124d07426974572a57d164 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,13 @@
+25 March 2008: Wouter
+       - implemented check that for NXDOMAIN and NOERROR answers a query
+         section must be present in the reply (by the scrubber). And it must
+         be equal to the question sent, at least lowercase folded.
+         Previously this feature happened because the cache code refused
+         to store such messages. However blocking by the scrubber makes 
+         sure nothing gets into the RRset cache. Also, this looks like a
+         timeout (instead of an allocation failure) and this retries are
+         done (which is useful in a spoofing situation).
+
 7 March 2008: Wouter
        - -C config feature for harvest program. 
        - harvest handles CNAMEs too.

diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index eedbfcb4d4d316513f3f47a2a2ad9c317c7137bb..6be71cff904994f84342c3e4effc32e0399ce9d1 100644 (file)
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -564,6 +564,14 @@ scrub_message(ldns_buffer* pkt, struct msg_parse* msg,
        if( !(msg->flags&BIT_QR) )
                return 0;
        
+       /* make sure that a query is echoed back when NOERROR or NXDOMAIN */
+       /* this is not required for basic operation but is a forgery 
+        * resistance (security) feature */
+       if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR ||
+               FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) &&
+               msg->qdcount == 0)
+               return 0;
+
        /* if a query is echoed back, make sure it is correct. Otherwise,
         * this may be not a reply to our query. */
        if(msg->qdcount == 1) {

diff --git a/testdata/iter_req_qname.rpl b/testdata/iter_req_qname.rpl
new file mode 100644 (file)
index 0000000..3bdaac2
--- /dev/null
+++ b/testdata/iter_req_qname.rpl
@@ -0,0 +1,91 @@
+; config options
+stub-zone:
+       name: "."
+       stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test a query name in the reply is required by resolver
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+       ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS        K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.    IN      A       193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+com.   IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.    IN      A       192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+       ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com.   IN NS   ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.                IN      A       1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+; always the same reply since we cannot match anything from the qsection.
+RANGE_BEGIN 0 100
+       ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+; no query section!
+; www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A  10.20.30.40
+SECTION AUTHORITY
+example.com.   IN NS   ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.                IN      A       1.2.3.4
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+
+; the query name is echoed properly to *our* client
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+SCENARIO_END