From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Wed, 6 Aug 2025 10:08:44 +0000 (+0200)
Subject: - Fix edns subnet, so that the subquery without subnet is stored in
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;ds=inline;p=thirdparty%2Funbound.git

- Fix edns subnet, so that the subquery without subnet is stored in
  global cache if the querier used 0.0.0.0/0 and the name and address
  do not receive subnet treatment. If the name and address are
  configured for subnet, it is stored in the subnet cache.
---

diff --git a/doc/Changelog b/doc/Changelog
index e42128f1c..82e4f61ff 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,9 @@
+6 August 2025: Wouter
+	- Fix edns subnet, so that the subquery without subnet is stored in
+	  global cache if the querier used 0.0.0.0/0 and the name and address
+	  do not receive subnet treatment. If the name and address are
+	  configured for subnet, it is stored in the subnet cache.
+
 5 August 2025: Wouter
 	- Fix #1309: incorrectly reclaimed tcp handler can cause data
 	  corruption and segfault.
diff --git a/testdata/subnet_scopezero_global.crpl b/testdata/subnet_scopezero_global.crpl
new file mode 100644
index 000000000..1db7cc322
--- /dev/null
+++ b/testdata/subnet_scopezero_global.crpl
@@ -0,0 +1,280 @@
+; config options
+server:
+	target-fetch-policy: "0 0 0 0 0"
+	module-config: "subnetcache validator iterator"
+	verbosity: 4
+	qname-minimisation: no
+	; the domain is not configured for edns-subnet
+	;send-client-subnet: 1.2.3.4
+	client-subnet-zone: "ex2.com"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129
+
+stub-zone:
+	name: "example.com"
+	stub-addr: 1.2.3.4
+stub-zone:
+	name: "ex2.com"
+	stub-addr: 1.2.3.5
+CONFIG_END
+
+SCENARIO_BEGIN Test subnet cache with scope zero for global cache store.
+
+; the upstream server.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129
+
+ENTRY_BEGIN
+MATCH opcode qtype qname ednsdata
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+	;; we expect to receive empty
+HEX_EDNSDATA_END
+K.ROOT-SERVERS.NET.     IN      A       193.0.14.129
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 0 21
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 20 61
+	ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.ex2.com. IN A
+SECTION ANSWER
+www.ex2.com. IN A   10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 90 101
+	ADDRESS 1.2.3.5
+ENTRY_BEGIN
+	MATCH opcode qtype qname ednsdata
+	ADJUST copy_id copy_ednsdata_assume_clientsubnet
+	REPLY QR NOERROR
+	SECTION QUESTION
+		www.ex2.com. IN A
+	SECTION ANSWER
+		www.ex2.com. 10 IN A	10.20.30.42
+	SECTION AUTHORITY
+		ex2.com.	IN NS	ns.ex2.com.
+	SECTION ADDITIONAL
+		HEX_EDNSDATA_BEGIN
+					; client is 127.0.0.1
+			00 08 		; OPC
+			00 07 		; option length
+			00 01 		; Family
+			18 00 		; source mask, scopemask
+			7f 00 00 	; address
+		HEX_EDNSDATA_END
+		ns.ex2.com.		IN 	A	1.2.3.5
+ENTRY_END
+RANGE_END
+
+; query for 0.0.0.0/0
+STEP 10 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+	00 00 01 00 00 01 00 00         ;ID 0
+	00 00 00 01 03 77 77 77         ; www.example.com A? (DO)
+	07 65 78 61 6d 70 6c 65
+	03 63 6f 6d 00 00 01 00
+	01 00 00 29 10 00 00 00
+	80 00 00 08
+
+	00 08 00 04                     ; OPC, optlen
+	00 01 00 00                     ; ip4, scope 0, source 0
+	                                ;0.0.0.0/0
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.40
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+	00 08           ; OPC
+	00 04           ; option length
+	00 01           ; Family
+	00 00           ; source mask, scopemask
+	                ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; That that it is in global cache.
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD NOERROR
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A   10.20.30.40
+ENTRY_END
+
+; With a query where the name is whitelisted, it should not be stored
+; in global cache.
+STEP 50 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+	00 00 01 00 00 01 00 00         ;ID 0
+	00 00 00 01 03 77 77 77         ; www.ex2.com A? (DO)
+	03 65 78 32 03 63 6f 6d
+	00 00 01 00 01 00 00 29
+	10 00 00 00 80 00 00 08
+
+	00 08 00 04                     ; OPC, optlen
+	00 01 00 00                     ; ip4, scope 0, source 0
+	                                ;0.0.0.0/0
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 60 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.ex2.com. IN A
+SECTION ANSWER
+www.ex2.com. IN A   10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+	00 08           ; OPC
+	00 04           ; option length
+	00 01           ; Family
+	00 00           ; source mask, scopemask
+	                ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+STEP 70 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+	00 00 01 00 00 01 00 00         ;ID 0
+	00 00 00 01 03 77 77 77         ; www.ex2.com A? (DO)
+	03 65 78 32 03 63 6f 6d
+	00 00 01 00 01 00 00 29
+	10 00 00 00 80 00 00 08
+
+	00 08 00 04                     ; OPC, optlen
+	00 01 00 00                     ; ip4, scope 0, source 0
+	                                ;0.0.0.0/0
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 80 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.ex2.com. IN A
+SECTION ANSWER
+www.ex2.com. IN A   10.20.30.41
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+	00 08           ; OPC
+	00 04           ; option length
+	00 01           ; Family
+	00 00           ; source mask, scopemask
+	                ; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+; www.ex2.com is not in the global cache. and gets subnet treatment
+STEP 90 QUERY
+ENTRY_BEGIN
+REPLY RD NOERROR
+SECTION QUESTION
+www.ex2.com. IN A
+ENTRY_END
+
+STEP 100 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.ex2.com. IN A
+SECTION ANSWER
+www.ex2.com. IN A   10.20.30.42
+ENTRY_END
+
+; that result is in the subnet cache
+STEP 110 QUERY
+ENTRY_BEGIN
+HEX_ANSWER_BEGIN
+	00 00 01 00 00 01 00 00         ;ID 0
+	00 00 00 01 03 77 77 77         ; www.ex2.com A? (DO)
+	03 65 78 32 03 63 6f 6d
+	00 00 01 00 01 00 00 29
+	10 00 00 00 80 00 00 0b
+
+	00 08 00 07                     ; OPC, optlen
+			; ip4 127.0.0.0/24 scope /0
+	00 01 		; Family
+	18 00 		; source mask, scopemask
+	7f 00 00 	; address
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 120 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ednsdata
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.ex2.com. IN A
+SECTION ANSWER
+www.ex2.com. IN A   10.20.30.42
+SECTION AUTHORITY
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+	00 08           ; OPC
+	00 07           ; option length
+			; ip4 127.0.0.0/24 scope /24
+	00 01 		; Family
+	18 18 		; source mask, scopemask
+	7f 00 00 	; address
+HEX_EDNSDATA_END
+ENTRY_END
+
+SCENARIO_END