fix SERVFAIL in *FORWARD modes with CNAME to sibling zone
authorVladimír Čunát <vladimir.cunat@nic.cz>
Mon, 5 Oct 2020 08:35:16 +0000 (10:35 +0200)
committerPetr Špaček <petr.spacek@nic.cz>
Wed, 21 Oct 2020 19:53:21 +0000 (21:53 +0200)
It failed on a CNAME to a sibling name that's a zone cut.
Fixed by a minimalistic approach - tweaking the conditions
to always ask each CNAME step separately when forwarding.

NEWS
lib/layer/iterate.c
tests/integration/deckard

diff --git a/NEWS b/NEWS
index 7f26db736eea2fe0626b93a8ce522c61412325b6..5962f1d3be7f9c06935338859cf516f0cb973951 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -23,6 +23,7 @@ Incompatible changes
 --------------------
 - minor changes in module API; see upgrading guide:
   https://knot-resolver.readthedocs.io/en/stable/upgrading.html
+- fix SERVFAIL while processing forwarded CNAME to a sibling zone (#614, !1070)
 
 
 Knot Resolver 5.1.3 (2020-09-08)
index 398af594ba8f07e0fdea86e1bf7a6c89f5d1ae3d..4afd5d0fcb72d510ac136ea37b8a7a4f82660936 100644 (file)
@@ -609,15 +609,17 @@ static int unroll_cname(knot_pkt_t *pkt, struct kr_request *req, bool referral,
                }
                /* The validator still can't handle multiple zones in one answer,
                 * so we only follow if a single label is replaced.
-                * TODO: this still isn't 100%, as the target might have a NS+DS,
-                * possibly leading to a SERVFAIL for the in-bailiwick name. */
+                * Forwarding appears to be even more sensitive to this.
+                * TODO: iteration can probably handle the remaining cases,
+                * but overall it would be better to have a smarter validator
+                * (and thus save roundtrips).*/
                const int pending_labels = knot_dname_labels(pending_cname, NULL);
                if (pending_labels != cname_labels) {
                        cname = pending_cname;
                        break;
                }
-               if (knot_dname_matched_labels(pending_cname, cname) !=
-                   (cname_labels - 1)) {
+               if (knot_dname_matched_labels(pending_cname, cname) != cname_labels - 1
+                   || query->flags.FORWARD) {
                        cname = pending_cname;
                        break;
                }
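Review bot: The comment above the label checks still says "so we only follow if a single label is replaced", but with the added `|| query->flags.FORWARD` a forwarded query now stops at every CNAME step whatever the labels are. The comment should say so directly, e.g. `* When forwarding we never follow inside one answer; each CNAME target is asked separately.`, so nobody later relaxes the condition and reintroduces an answer that spans zones the validator cannot handle. Because the forwarding case does not depend on the label comparison and both branches have the same body, the flag could be tested first, `if (query->flags.FORWARD || pending_labels != cname_labels) {`, which makes the intent visible and skips the `knot_dname_matched_labels()` call. The body of unroll_cname and the declaration of `query` lie outside the hunk, so this assumes `query` is valid at this point in the loop.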
index 6168c4f31eea1193c202cbb14fe7c34002b53765..5516e290cbd6a578f3ac907d9244ef20ff280bf8 160000 (submodule)
@@ -1 +1 @@
-Subproject commit 6168c4f31eea1193c202cbb14fe7c34002b53765
+Subproject commit 5516e290cbd6a578f3ac907d9244ef20ff280bf8