validate: wildcard expansion -> adjust to_wire
authorVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 21 Sep 2017 11:44:58 +0000 (13:44 +0200)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 21 Sep 2017 13:41:43 +0000 (15:41 +0200)
We pushed all authority to the wire, but that was unnecessary,
and in particular it clashed with not validating NS in authority when
forwarding (new change).  Let's only apply this to NSEC* RRs.

NEWS
lib/layer/iterate.c
lib/layer/validate.c
lib/utils.c
lib/utils.h
tests/deckard

diff --git a/NEWS b/NEWS
index 38bffcef0b6d1cb065ef4be9b49946c05bc48d6c..391366dec632a578c704ea8e3b16aecc313bfc60 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,7 @@ Improvements
 - root hints are now loaded from a zonefile; exposed as hints.root_file().
   You can override the path by defining ROOTHINTS during compilation.
 - policy.FORWARD: work around resolvers adding unsigned NS records (#248)
+- reduce unneeded records previously put into authority in wildcarded answers
 
 
 Knot Resolver 1.3.3 (2017-08-09)
index 079e3585d4efa85179929e98b2f16b272571e004..52e0cec90daa261b035d224667b92af16438c41a 100644 (file)
@@ -739,7 +739,7 @@ static int process_answer(knot_pkt_t *pkt, struct kr_request *req)
        return KR_STATE_DONE;
 }
 
-/** @internal like process_answer() but for the forwarding mode. */
+/** @internal like process_answer() but for the STUB mode. */
 static int process_stub(knot_pkt_t *pkt, struct kr_request *req)
 {
        struct kr_query *query = req->current_query;
index 8b188e0e701d4409404c07827fcbbcd488465a9a..6169d778e44ff657946c0409adddcc71d0427b4f 100644 (file)
@@ -782,6 +782,27 @@ static void check_wildcard(kr_layer_t *ctx)
        }
 }
 
+/** Just for wildcard_adjust_to_wire() */
+static bool rr_is_for_wildcard(const ranked_rr_array_entry_t *entry)
+{
+       switch (kr_rrset_type_maysig(entry->rr)) {
+       case KNOT_RRTYPE_NSEC:
+       case KNOT_RRTYPE_NSEC3:
+               return true;
+       default:
+               return false;
+       }
+}
+/** In case of wildcard expansion, mark required authority RRs by to_wire. */
+static int wildcard_adjust_to_wire(struct kr_request *req, const struct kr_query *qry)
+{
+       if (!qry->parent && qry->flags.DNSSEC_WEXPAND) {
+               return kr_ranked_rrarray_set_wire(&req->auth_selected, true,
+                               qry->uid, true, &rr_is_for_wildcard);
+       }
+       return kr_ok();
+}
+
 static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
 {
        int ret = 0;
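Review bot: The comment on `rr_is_for_wildcard()` does not say which records it keeps, which is what a reader needs when checking that a wildcard answer still carries its proof of expansion. Because the switch is on `kr_rrset_type_maysig(entry->rr)` rather than on the raw type, it presumably also matches RRSIGs covering NSEC/NSEC3; that helper is not visible here, so confirm before documenting it. I would replace the comment with something like `/** Select NSEC/NSEC3 (and, via kr_rrset_type_maysig(), presumably their RRSIGs): the authority RRs proving a wildcard expansion. */`. A blank line between the two new functions would also match the rest of the file.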
@@ -838,12 +859,7 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
        /* Pass-through if CD bit is set. */
        if (knot_wire_get_cd(req->answer->wire)) {
                check_wildcard(ctx);
-               /* Check if wildcard expansion happens.
-                * If yes, copy authority. */
-               if ((qry->parent == NULL) &&
-                   (qry->flags.DNSSEC_WEXPAND)) {
-                       kr_ranked_rrarray_set_wire(&req->auth_selected, true, qry->uid, true);
-               }
+               wildcard_adjust_to_wire(req, qry);
                rank_records(ctx, KR_RANK_OMIT);
                return ctx->state;
        }
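Review bot: The return value of `wildcard_adjust_to_wire(req, qry)` is discarded here and again at the second call site just before `update_delegation()`, although the helper returns the result of `kr_ranked_rrarray_set_wire()`. If that call reports an error, the answer may go out without the NSEC*/RRSIG records that prove the wildcard expansion, and a validating client would likely reject it with nothing logged on this side. The removed inline code ignored the result too, but the helper now makes the check a single line, e.g. `if (wildcard_adjust_to_wire(req, qry) != 0) return KR_STATE_FAIL;`. If best-effort is intended, write `(void)wildcard_adjust_to_wire(req, qry);` with a comment saying so. The body of validate() starts and ends outside this hunk, so the appropriate failure state should be confirmed against the surrounding code.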
@@ -984,11 +1000,7 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
                }
        }
 
-       /* Check if wildcard expansion detected for final query.
-        * If yes, copy authority. */
-       if ((qry->parent == NULL) && (qry->flags.DNSSEC_WEXPAND)) {
-               kr_ranked_rrarray_set_wire(&req->auth_selected, true, qry->uid, true);
-       }
+       wildcard_adjust_to_wire(req, qry);
 
        /* Check and update current delegation point security status. */
        ret = update_delegation(req, qry, pkt, has_nsec3);
index f88b33f3417ed14a1463299c4c6be094103c1027..8a039d5b111b5dd99ec0dd47ce9e0c6aece1c462 100644 (file)
@@ -586,13 +586,17 @@ int kr_ranked_rrarray_add(ranked_rr_array_t *array, const knot_rrset_t *rr,
 }
 
 int kr_ranked_rrarray_set_wire(ranked_rr_array_t *array, bool to_wire,
-                              uint32_t qry_uid, bool check_dups)
+                              uint32_t qry_uid, bool check_dups,
+                              bool (*extraCheck)(const ranked_rr_array_entry_t *))
 {
        for (size_t i = 0; i < array->len; ++i) {
                ranked_rr_array_entry_t *entry = array->at[i];
                if (entry->qry_uid != qry_uid) {
                        continue;
                }
+               if (extraCheck != NULL && !extraCheck(entry)) {
+                       continue;
+               }
                entry->to_wire = to_wire;
                if (check_dups) {
                        int ret = to_wire_ensure_unique(array, i);
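Review bot: Entries rejected by `extraCheck` are skipped with `continue`, so their `to_wire` keeps whatever value it had before this call. That is reasonable, but a caller using the filter to narrow what reaches the wire should know that a record flagged earlier stays flagged. A short comment above the new check would make this explicit: `/* filtered-out entries keep their previous to_wire */`. The parameter name `extraCheck` is camelCase next to `qry_uid` and `check_dups`; `extra_check` would match the surrounding style. The function body continues past the end of this hunk.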
index 3d6945ba39012ad08c735d131913cdda28e90cc1..23c895c206bf37a9653ed66f233ff63ae396b594 100644 (file)
@@ -252,10 +252,12 @@ int kr_ranked_rrarray_add(ranked_rr_array_t *array, const knot_rrset_t *rr,
  * @param to_wire Records must be\must not be recorded in final answer.
  * @param qry_uid Query uid.
  * @param check_dups When to_wire is true, try to avoid duplicate RRSets.
+ * @param extraCheck optional function checking whether to consider the record
  * @return 0 or an error
  */
 int kr_ranked_rrarray_set_wire(ranked_rr_array_t *array, bool to_wire,
-                              uint32_t qry_uid, bool check_dups);
+                              uint32_t qry_uid, bool check_dups,
+                              bool (*extraCheck)(const ranked_rr_array_entry_t *));
 
 void kr_rrset_print(const knot_rrset_t *rr, const char *prefix);
 void kr_qry_print(const struct kr_query *qry, const char *prefix, const char *postfix);
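Review bot: The new `@param extraCheck` line leaves out two things a caller needs to know. NULL disables the filter, and records for which the callback returns false are left unmodified, as the `continue` in lib/utils.c shows. Suggested wording: `@param extraCheck optional filter (NULL = accept all); entries for which it returns false are left untouched`. The doc comment begins above this hunk, so the rest of it is not visible here.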
index 11278dd9604cab43c25b666dec424b2f4817076a..671ecfe2d545f6dc5afa4a2a854a88ed575a5a90 160000 (submodule)
@@ -1 +1 @@
-Subproject commit 11278dd9604cab43c25b666dec424b2f4817076a
+Subproject commit 671ecfe2d545f6dc5afa4a2a854a88ed575a5a90