From: Wouter Wijngaards Date: Tue, 6 Oct 2009 08:31:47 +0000 (+0000) Subject: Data retry on validation failure. X-Git-Tag: release-1.4.0rc1~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=455c3d130d654a84042f243f0e7dda26fa381040;p=thirdparty%2Funbound.git Data retry on validation failure. git-svn-id: file:///svn/unbound/trunk@1859 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 4c68f8eb4..f87bd8e03 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,12 @@ +6 October 2009: Wouter + - Test set updated to provide additional ns lookup result. + The retry would attempt to fetch the data from other nameservers + for bogus data, and this needed to be provisioned in the tests. + +5 October 2009: Wouter + - first validation failure retry code. Retries for data failures. + And unit test. + 2 October 2009: Wouter - improve 5011 modularization. - fix unbound-host so -d can be given before -C. diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c index e28fcf413..4c5d4da15 100644 --- a/iterator/iter_utils.c +++ b/iterator/iter_utils.c @@ -63,6 +63,8 @@ /** time when nameserver glue is said to be 'recent' */ #define SUSPICION_RECENT_EXPIRY 86400 +/** penalty to validation failed blacklisted IPs */ +#define BLACKLIST_PENALTY (USEFUL_SERVER_TOP_TIMEOUT*3) /** fillup fetch policy array */ static void @@ -163,6 +165,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) * UNKNOWN_SERVER_NICENESS * If no information is known about the server, this is * returned. 376 msec or so. + * +BLACKLIST_PENALTY (of USEFUL_TOP_TIMEOUT*3) for dnssec failed IPs. * * When a final value is chosen that is dnsseclame ; dnsseclameness checking * is turned off (so we do not discard the reply). 
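Review bot: The doc line added to the selection-values comment names `USEFUL_TOP_TIMEOUT*3`, but the define added in the @@ -63 hunk is `(USEFUL_SERVER_TOP_TIMEOUT*3)`, so a search for the name in the comment finds nothing. I would write it as `* +BLACKLIST_PENALTY (USEFUL_SERVER_TOP_TIMEOUT*3) is added for addresses on the validation-failure blacklist.` The comment on the define could also say that the value is added to `sel_rtt`, which, as far as these hunks show, leaves the address selectable but sorted behind the others. The comment block starts and ends outside the hunk.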
@@ -215,7 +218,7 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env, static int iter_fill_rtt(struct iter_env* iter_env, struct module_env* env, uint8_t* name, size_t namelen, uint16_t qtype, uint32_t now, - struct delegpt* dp, int* best_rtt) + struct delegpt* dp, int* best_rtt, struct sock_list* blacklist) { int got_it = 0; struct delegpt_addr* a; @@ -225,6 +228,9 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env, a->sel_rtt = iter_filter_unsuitable(iter_env, env, name, namelen, qtype, now, a); if(a->sel_rtt != -1) { + if(sock_list_find(blacklist, &a->addr, a->addrlen)) + a->sel_rtt += BLACKLIST_PENALTY; + if(!got_it) { *best_rtt = a->sel_rtt; got_it = 1; @@ -241,14 +247,15 @@ iter_fill_rtt(struct iter_env* iter_env, struct module_env* env, static int iter_filter_order(struct iter_env* iter_env, struct module_env* env, uint8_t* name, size_t namelen, uint16_t qtype, uint32_t now, - struct delegpt* dp, int* selected_rtt, int open_target) + struct delegpt* dp, int* selected_rtt, int open_target, + struct sock_list* blacklist) { int got_num = 0, low_rtt = 0, swap_to_front; struct delegpt_addr* a, *n, *prev=NULL; /* fillup sel_rtt and find best rtt in the bunch */ got_num = iter_fill_rtt(iter_env, env, name, namelen, qtype, now, dp, - &low_rtt); + &low_rtt, blacklist); if(got_num == 0) return 0; if(low_rtt >= USEFUL_SERVER_TOP_TIMEOUT && @@ -294,13 +301,13 @@ struct delegpt_addr* iter_server_selection(struct iter_env* iter_env, struct module_env* env, struct delegpt* dp, uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_expected, - int* chase_to_rd, int open_target) + int* chase_to_rd, int open_target, struct sock_list* blacklist) { int sel; int selrtt; struct delegpt_addr* a, *prev; int num = iter_filter_order(iter_env, env, name, namelen, qtype, - *env->now, dp, &selrtt, open_target); + *env->now, dp, &selrtt, open_target, blacklist); if(num == 0) return NULL; 
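Review bot: `iter_fill_rtt` gains a `blacklist` parameter here, and `iter_filter_order` gains the same one in the @@ -241 hunk, but neither hunk touches the doc comment above its function; both comments are outside the hunks. If those comments list parameters, each needs a line such as `@param blacklist: addresses that failed validation, taken from qstate->blacklist, NULL if none; matches get BLACKLIST_PENALTY added to sel_rtt.`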
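Review bot: The penalty in the @@ -225 hunk is added before `*best_rtt` is taken, so when every usable address is on the blacklist the value returned to `iter_filter_order` is at least `USEFUL_SERVER_TOP_TIMEOUT*3`. Its `low_rtt >= USEFUL_SERVER_TOP_TIMEOUT &&` test (the rest of that condition is outside the hunk) then treats an all-blacklisted set the same way as a set of timed-out servers. If that is intended, a comment above the new lines should say so, e.g. `/* blacklisted addresses stay usable but sort last; an all-blacklisted set looks like an all-slow set to the caller */`. `sock_list_find` is also called with whatever the caller passes, which is `qstate->blacklist` and can be NULL, so it has to accept an empty list; its definition is not part of this diff.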
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h index a4bf06fbb..0cb106fae 100644 --- a/iterator/iter_utils.h +++ b/iterator/iter_utils.h @@ -54,6 +54,7 @@ struct ub_randstate; struct query_info; struct reply_info; struct module_qstate; +struct sock_list; /** * Process config options and set iterator module state. @@ -81,13 +82,14 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg); * these are not preferred, but are used as a last resort. * @param open_target: number of currently outstanding target queries. * If we wait for these, perhaps more server addresses become available. + * @param blacklist: the IP blacklist to use. * @return best target or NULL if no target. * if not null, that target is removed from the result list in the dp. */ struct delegpt_addr* iter_server_selection(struct iter_env* iter_env, struct module_env* env, struct delegpt* dp, uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_expected, - int* chase_to_rd, int open_target); + int* chase_to_rd, int open_target, struct sock_list* blacklist); /** * Allocate dns_msg from parsed msg, in regional. diff --git a/iterator/iterator.c b/iterator/iterator.c index c5d0851da..1a754d08b 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c 
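Review bot: The new `@param blacklist: the IP blacklist to use.` does not tell a caller of `iter_server_selection` what the list does or whether it may be NULL. Going by the iter_utils.c hunks, the list only adds `BLACKLIST_PENALTY` to a matching address's `sel_rtt`, and `processQueryTargets` passes `qstate->blacklist` without a NULL check. I would document it as `@param blacklist: addresses whose data failed validation; they are penalised in the ordering, not removed. May be NULL.`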
@@ -858,15 +858,22 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, /* This either results in a query restart (CNAME cache response), a * terminating response (ANSWER), or a cache miss (null). */ - msg = dns_cache_lookup(qstate->env, iq->qchase.qname, - iq->qchase.qname_len, iq->qchase.qtype, - iq->qchase.qclass, qstate->region, qstate->env->scratch); - if(!msg && qstate->env->neg_cache) { - /* lookup in negative cache; may result in - * NOERROR/NODATA or NXDOMAIN answers that need validation */ - msg = val_neg_getmsg(qstate->env->neg_cache, &iq->qchase, - qstate->region, qstate->env->rrset_cache, - qstate->env->scratch_buffer, *qstate->env->now); + if(qstate->blacklist) { + /* if cache, or anything else, was blacklisted then + * getting older results from cache is a bad idea, no cache */ + verbose(VERB_ALGO, "cache blacklisted, going to the network"); + msg = NULL; + } else { + msg = dns_cache_lookup(qstate->env, iq->qchase.qname, + iq->qchase.qname_len, iq->qchase.qtype, + iq->qchase.qclass, qstate->region, qstate->env->scratch); + if(!msg && qstate->env->neg_cache) { + /* lookup in negative cache; may result in + * NOERROR/NODATA or NXDOMAIN answers that need validation */ + msg = val_neg_getmsg(qstate->env->neg_cache, &iq->qchase, + qstate->region, qstate->env->rrset_cache, + qstate->env->scratch_buffer, *qstate->env->now); + } } if(msg) { /* handle positive cache response */ @@ -894,9 +901,13 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, iq->dp = NULL; iq->refetch_glue = 0; iq->query_restart_count++; + sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region); return next_state(iq, INIT_REQUEST_STATE); } + /* if from cache, NULL, else insert 'cache IP' len=0 */ + if(qstate->reply_origin) + sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region); /* it is an answer, response, to final state */ verbose(VERB_ALGO, "returning answer from cache."); iq->response = msg; 
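Review bot: The new `if(qstate->blacklist)` test skips both `dns_cache_lookup` and `val_neg_getmsg` on every pass through this state while the list is non-NULL. That includes passes after a CNAME restart, where `iq->qchase` is a different name from the one that failed validation. Each such pass goes to the network, so the number of upstream queries one client query can cause depends on how often the validator restarts it, and that limit is not visible in this diff. The comment should name it, e.g. `/* blacklist is set on a validation retry (bounded by <RETRY_LIMIT_NAME>); skip both caches so the same bogus data is not served again */`. processInitRequest starts and ends outside the hunk.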
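Review bot: The two cache-origin markers added in the @@ -894 hunk follow different rules. The CNAME-restart branch calls `sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region)` unconditionally, while the answer branch, and the @@ -1101 hunk in processInitRequest3, only do so `if(qstate->reply_origin)`. The comment `/* if from cache, NULL, else insert 'cache IP' len=0 */` explains the guarded form only. If the unguarded insert before `next_state(iq, INIT_REQUEST_STATE)` is deliberate, for instance because later links of the chain may come from the network, it needs its own comment; otherwise it should carry the same guard.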
@@ -1101,6 +1112,8 @@ processInitRequest3(struct module_qstate* qstate, struct iter_qstate* iq) if(verbosity >= VERB_ALGO) log_dns_msg("no RD requested, using delegation msg", &iq->response->qinfo, iq->response->rep); + if(qstate->reply_origin) + sock_list_insert(&qstate->reply_origin, NULL, 0, qstate->region); return final_state(iq); } @@ -1349,7 +1362,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, /* Select the next usable target, filtering out unsuitable targets. */ target = iter_server_selection(ie, qstate->env, iq->dp, iq->dp->name, iq->dp->namelen, iq->qchase.qtype, - &iq->dnssec_expected, &iq->chase_to_rd, iq->num_target_queries); + &iq->dnssec_expected, &iq->chase_to_rd, iq->num_target_queries, + qstate->blacklist); /* If no usable target was selected... */ if(!target) { @@ -1534,6 +1548,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, qstate->env->detach_subs)); (*qstate->env->detach_subs)(qstate); iq->num_target_queries = 0; + if(qstate->reply) + sock_list_insert(&qstate->reply_origin, + &qstate->reply->addr, qstate->reply->addrlen, + qstate->region); return final_state(iq); } else if(type == RESPONSE_TYPE_REFERRAL) { /* REFERRAL type responses get a reset of the @@ -1643,6 +1661,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, qstate->env->detach_subs)); (*qstate->env->detach_subs)(qstate); iq->num_target_queries = 0; + if(qstate->reply) + sock_list_insert(&qstate->reply_origin, + &qstate->reply->addr, qstate->reply->addrlen, + qstate->region); verbose(VERB_ALGO, "cleared outbound list for query restart"); /* go to INIT_REQUEST_STATE for new qname. */ return next_state(iq, INIT_REQUEST_STATE); diff --git a/services/mesh.c b/services/mesh.c index af5427ca5..1b408e826 100644 --- a/services/mesh.c +++ b/services/mesh.c 
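Review bot: The @@ -1534 hunk records `qstate->reply->addr`, the source address of the packet that carried the answer, in `reply_origin`, and records nothing when `qstate->reply` is NULL; the same four lines are repeated in the @@ -1643 hunk for the CNAME restart. If this list is what later becomes the blacklist, a forged reply that fails validation would presumably get the genuine server's address penalised for the retry. The additive penalty limits the effect, but the assumption belongs in a comment, e.g. `/* origin is the packet source address; it is only used to deprioritise, never to exclude */`. The referral branch shown as context gets no insert, so only the server that gave the final answer or CNAME ends up in the list. The two identical blocks could be one small static helper.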
@@ -851,7 +851,7 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate, &mstate->s.qinfo); s = module_error; } - if(s == module_wait_module) { + if(s == module_wait_module || s == module_restart_next) { /* start next module */ mstate->s.curmod++; if(mesh->mods.num == mstate->s.curmod) { @@ -861,6 +861,13 @@ mesh_continue(struct mesh_area* mesh, struct mesh_state* mstate, mstate->s.curmod--; return mesh_continue(mesh, mstate, module_error, ev); } + if(s == module_restart_next) { + fptr_ok(fptr_whitelist_mod_clear( + mesh->mods.mod[mstate->s.curmod]->clear)); + (*mesh->mods.mod[mstate->s.curmod]->clear) + (&mstate->s, mstate->s.curmod); + mstate->s.minfo[mstate->s.curmod] = NULL; + } *ev = module_event_pass; return 1; } diff --git a/testdata/autotrust_addpend_early.rpl b/testdata/autotrust_addpend_early.rpl index fd6fdd5c6..0835ec657 100644 --- a/testdata/autotrust_addpend_early.rpl +++ b/testdata/autotrust_addpend_early.rpl @@ -137,6 +137,14 @@ example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoR example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091024111500 20090921111500 30899 example.com. nDlOZCE24pNtuoYkmmy9cVvtCn7ykdmlhJX9hYcI9b3DzqJjOrGz3GD5RQvti3uxD74gFcFho0g76NwOKFx/qQ== ;{id = 30899} example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091024111500 20090921111500 60946 example.com. qBHDZu0XQmr6kpt51r1DxT5tuyfwSHcoL8qLpwwhyyNFF13OPlvxgmCVl+1v27A9+h8tcuqaNls5f+tcFBwtRg== ;{id = 60946} ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END RANGE_END 
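Review bot: For `module_restart_next` the block added in the @@ -861 hunk of mesh_continue clears and resets `minfo` only for the single module at the incremented `curmod`, so any module after it in `mesh->mods` keeps the state it built during the failed attempt. With two modules that is the whole chain, but with a longer chain the restarted module would hand over to modules that still hold state from the previous run. Clearing from the new `curmod` up to `mesh->mods.num` and then restoring `curmod` avoids that, assuming each module's `clear` tolerates a NULL `minfo`. Whether `ext_state` also needs resetting cannot be judged from this hunk, and mesh_continue starts and ends outside it.

```c
	/* ... unchanged: curmod++ and the end-of-module-list error path ... */
	if(s == module_restart_next) {
		/* clear the restarted module and every module after it */
		int restart = mstate->s.curmod;
		for(; mstate->s.curmod < mesh->mods.num; mstate->s.curmod++) {
			fptr_ok(fptr_whitelist_mod_clear(
				mesh->mods.mod[mstate->s.curmod]->clear));
			(*mesh->mods.mod[mstate->s.curmod]->clear)
				(&mstate->s, mstate->s.curmod);
			mstate->s.minfo[mstate->s.curmod] = NULL;
		}
		mstate->s.curmod = restart;
	}
	*ev = module_event_pass;
```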
@@ -213,7 +221,7 @@ FILE_BEGIN ;;last_queried: ${$t4} ;;${ctime $t4} ;;last_success: ${$t2} ;;${ctime $t2} ;;next_probe_time: ${$t4 + $probe4} ;;${ctime $t4 + $probe4} -;;query_failed: 1 +;;query_failed: 6 ;;query_interval: 5400 ;;retry_time: 3600 example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=2 ;;lastchange=${$t1} ;;${ctime $t1} diff --git a/testdata/autotrust_addpend_nosign.rpl b/testdata/autotrust_addpend_nosign.rpl index afd1d150b..76aaf748f 100644 --- a/testdata/autotrust_addpend_nosign.rpl +++ b/testdata/autotrust_addpend_nosign.rpl @@ -142,6 +142,13 @@ example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091024111500 20090921 example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091024111500 20090921111500 60946 example.com. o+Cbs7DcYPYlSLd4hi3vkSVQpXGnKgKSi9MpHGfu1Uahv5190U2DUOxP1du/HOYbf+IHYL8zLbMZjVEG5wgnTg== ;{id = 60946} ENTRY_END +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END RANGE_END ; set date/time to Aug 24 09:46:40 (2009). @@ -197,7 +204,7 @@ FILE_BEGIN ;;last_queried: ${$t2} ;;${ctime $t2} ;;last_success: ${$t1} ;;${ctime $t1} ;;next_probe_time: ${$t2 + $probe2} ;;${ctime $t2 + $probe2} -;;query_failed: 1 +;;query_failed: 6 ;;query_interval: 5400 ;;retry_time: 3600 example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t1} ;;${ctime $t1} diff --git a/testdata/autotrust_addpend_nosignnew.rpl b/testdata/autotrust_addpend_nosignnew.rpl index 677861889..f230fe8ab 100644 --- a/testdata/autotrust_addpend_nosignnew.rpl +++ b/testdata/autotrust_addpend_nosignnew.rpl 
@@ -143,6 +143,13 @@ example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091024111500 20090921111500 30899 example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091024111500 20090921111500 60946 example.com. rOxbAROwiW21OR8HjINk3IBs9bsxJKjipQ5EU4wWutiF/jr6KNT6LgtZv0TaFSiBHN/Jqz1wB2ODD2HXwLQ4DQ== ;{id = 60946} ENTRY_END +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END RANGE_END ; set date/time to Aug 24 09:46:40 (2009). @@ -198,7 +205,7 @@ FILE_BEGIN ;;last_queried: ${$t2} ;;${ctime $t2} ;;last_success: ${$t1} ;;${ctime $t1} ;;next_probe_time: ${$t2 + $probe2} ;;${ctime $t2 + $probe2} -;;query_failed: 1 +;;query_failed: 6 ;;query_interval: 5400 ;;retry_time: 3600 example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t1} ;;${ctime $t1} diff --git a/testdata/autotrust_addpend_once.rpl b/testdata/autotrust_addpend_once.rpl index 13e5cb052..148e04839 100644 --- a/testdata/autotrust_addpend_once.rpl +++ b/testdata/autotrust_addpend_once.rpl @@ -140,6 +140,14 @@ example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 30899 ;example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 55582 example.com. v/HJbdpeVMpbhwYXrT1EDGpAFMvEgdKQII1cAbP6o8KHYNKDh8TIJ25/pXe3daEXfej6/Z5kpqJ79okPKUoi1Q== ;{id = 55582} example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 60946 example.com. HgXol1hdvbomOM1CFRW8qsHd3D0qOnN72EeMHTcpxIBBiuNLKZn4n1M14Voxj3vo0eAMNuG/y7EjQkxKvSsaDA== ;{id = 60946} ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END RANGE_END ; ns.example.com. KSK 55582-REVOKED and 60946 
@@ -165,6 +173,14 @@ example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 55710 ;example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 55582 example.com. nH/6HauVJI4GGz78UoK/38cOOrEqsYZP0jFzfCC3OyIlclVTjAFvjVPlVMGK7sA5Nw1v20YtFTQkXZgbrRuInQ== ;{id = 55582} example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 60946 example.com. xKSBZr4vOsEUKlVoNb6SOV69DM7xFOJI4gPFKq5Tv4APIMJ/9G3odoDmNcLCVyYGzhoDik5hciJnZio6UHgzAA== ;{id = 60946} ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END RANGE_END ; ns.example.com. KSK 60946 @@ -242,7 +258,7 @@ FILE_BEGIN ;;last_queried: ${$t4} ;;${ctime $t4} ;;last_success: ${$t1} ;;${ctime $t1} ;;next_probe_time: ${$t4 + $probe4} ;;${ctime $t4 + $probe4} -;;query_failed: 1 +;;query_failed: 6 ;;query_interval: 5400 ;;retry_time: 3600 example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t1} ;;${ctime $t1} diff --git a/testdata/autotrust_probefailsig.rpl b/testdata/autotrust_probefailsig.rpl index e1602ab43..bb9de3d29 100644 --- a/testdata/autotrust_probefailsig.rpl +++ b/testdata/autotrust_probefailsig.rpl @@ -106,6 +106,13 @@ www.example.com. IN A 10.20.30.40 ENTRY_END RANGE_END +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END RANGE_END ; set date/time to Mon Nov 23 10:46:40 2009 
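Review bot: In autotrust_probefailsig.rpl the new REFUSED entry for `ns.example.com. IN AAAA` is added after a `RANGE_END` context line and is itself followed by a second `RANGE_END`. The other .rpl hunks visible in this commit place the entry before the range's closing `RANGE_END`. As shown, the entry seems to sit outside the address range it is meant to serve, so check that the replay actually matches it. If it does not, move the seven added lines above the first `RANGE_END`.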
@@ -123,7 +130,7 @@ FILE_BEGIN ;;last_queried: ${$t0} ;;${ctime $t0} ;;last_success: 1258962400 ;;Mon Nov 23 08:46:40 2009 ;;next_probe_time: ${$t0+$probe0} ;;${ctime $t0+$probe0} -;;query_failed: 1 +;;query_failed: 6 ;;query_interval: 5400 ;;retry_time: 3600 example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009 diff --git a/testdata/autotrust_revoked_use.rpl b/testdata/autotrust_revoked_use.rpl index b4004598c..0f9b53c74 100644 --- a/testdata/autotrust_revoked_use.rpl +++ b/testdata/autotrust_revoked_use.rpl @@ -187,6 +187,14 @@ example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 30899 example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 60946 example.com. p6lOsJpkmZUbj1KCSwzxip0NbK0SnjV1LKLayqkWTDiVNkTYHHLHHJfOU8Grb63SDTsZ5lyDocIwJSUBiKuhig== ;{id = 60946} example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 55582 example.com. NsC5s2quifzA7yQBnbroWHJ9rHfSrBo0V7+c+kZoii2cViOm8636uqcWlaNTqNtD5UI6vzQ5zXF4P8JGoac6ZQ== ;{id = 55582} +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA ENTRY_END RANGE_END 
@@ -211,6 +219,14 @@ example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoR example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 30899 example.com. jTB+ID5gp3U+cxedEPpRvM3tegrBFuVjGR7y9IL+olrtbs5Yr3qeANJwbfO1WVAWiG+EtG876uHny9epo/tlhQ== ;{id = 30899} example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 55582 example.com. NsC5s2quifzA7yQBnbroWHJ9rHfSrBo0V7+c+kZoii2cViOm8636uqcWlaNTqNtD5UI6vzQ5zXF4P8JGoac6ZQ== ;{id = 55582} ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END RANGE_END ; set date/time to Aug 24 09:46:40 (2009). @@ -361,7 +377,7 @@ FILE_BEGIN ;;last_queried: ${$t7} ;;${ctime $t7} ;;last_success: ${$t6} ;;${ctime $t6} ;;next_probe_time: ${$t7 + $probe7} ;;${ctime $t7 + $probe7} -;;query_failed: 1 +;;query_failed: 6 ;;query_interval: 5400 ;;retry_time: 3600 example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t4} ;;${ctime $t4} diff --git a/testdata/autotrust_revoked_with_invalid.rpl b/testdata/autotrust_revoked_with_invalid.rpl index ffae7374d..81dbd8e32 100644 --- a/testdata/autotrust_revoked_with_invalid.rpl +++ b/testdata/autotrust_revoked_with_invalid.rpl 
@@ -84,6 +84,14 @@ example.com. 10800 IN DNSKEY 257 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/ example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 55710 example.com. nu+W3T0afsJc2MrrsnBZ3adysi39TLUJ0o8GYaR/PFYsYSOigSCnr3xo05aKoNZ2oeQXhmwQVAxfwU1M/jXngQ== ;{id = 55710} example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 16486 example.com. LDW5an/v6YzgUhpTm8VJnBCko56WDvzzoqCmjXBwpoGjWXThO2hUyO6w00K90swQvKwgIWsC4y00zFlOgLayJw== ;{id = 16486} +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA ENTRY_END RANGE_END @@ -102,7 +110,7 @@ FILE_BEGIN ;;last_queried: ${$t0} ;;${ctime $t0} ;;last_success: ${$tp} ;;${ctime $tp} ;;next_probe_time: ${$t0 + $probe0} ;;${ctime $t0 + $probe0} -;;query_failed: 1 +;;query_failed: 6 ;;query_interval: 5400 ;;retry_time: 3600 example.com. 10800 IN DNSKEY 385 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55710 (ksk), size = 512b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0} diff --git a/testdata/val_cnametoposnowc.rpl b/testdata/val_cnametoposnowc.rpl index 2df719bfb..99e1f5eed 100644 --- a/testdata/val_cnametoposnowc.rpl +++ b/testdata/val_cnametoposnowc.rpl @@ -81,22 +81,22 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.net. IN A +example.net. IN A SECTION AUTHORITY example.net. IN NS ns.example.net. SECTION ADDITIONAL 
@@ -152,6 +152,14 @@ www.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 SECTION AUTHORITY SECTION ADDITIONAL ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END RANGE_END ; ns.example.net. @@ -206,6 +214,14 @@ SECTION AUTHORITY ;wab.example.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. gl8vkI3xfSWx4Pyv5OdOthiewE6u/13kclY7UG9ptuFBddamdJO3RQqyxM6Xcmq+ToO4kMCCyaKijp01gTDoGg== ;{id = 30899} SECTION ADDITIONAL ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.net. IN AAAA +ENTRY_END RANGE_END STEP 1 QUERY diff --git a/testdata/val_dnamewc.rpl b/testdata/val_dnamewc.rpl index 5a9110663..e4c0b5b3b 100644 --- a/testdata/val_dnamewc.rpl +++ b/testdata/val_dnamewc.rpl @@ -81,22 +81,22 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.sub.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.net. IN A +example.net. IN A SECTION AUTHORITY example.net. IN NS ns.example.net. SECTION ADDITIONAL @@ -107,6 +107,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id 
@@ -163,6 +171,14 @@ RANGE_END ; ns.example.net. RANGE_BEGIN 0 100 ADDRESS 1.2.3.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.net. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/val_ds_gost_downgrade.rpl b/testdata/val_ds_gost_downgrade.rpl index 41192f1cb..e9e8bef75 100644 --- a/testdata/val_ds_gost_downgrade.rpl +++ b/testdata/val_ds_gost_downgrade.rpl @@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.sub.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL @@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -183,6 +191,15 @@ www.sub.example.com. 3600 IN RRSIG A 211 4 3600 20070926134150 2007 SECTION AUTHORITY SECTION ADDITIONAL ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.sub.example.com. IN AAAA +ENTRY_END + RANGE_END STEP 1 QUERY diff --git a/testdata/val_ds_sha2_downgrade.rpl b/testdata/val_ds_sha2_downgrade.rpl index f544bf059..6ca56b6c4 100644 --- a/testdata/val_ds_sha2_downgrade.rpl +++ b/testdata/val_ds_sha2_downgrade.rpl @@ -180,6 +180,15 @@ www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 200708 SECTION AUTHORITY SECTION ADDITIONAL ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.sub.example.com. IN AAAA +ENTRY_END + RANGE_END STEP 1 QUERY diff --git a/testdata/val_nodata_failsig.rpl b/testdata/val_nodata_failsig.rpl index e06bfef8d..88f875d5b 100644 
--- a/testdata/val_nodata_failsig.rpl +++ b/testdata/val_nodata_failsig.rpl @@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL @@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/val_nodata_hasdata.rpl b/testdata/val_nodata_hasdata.rpl index 1ffb60038..d8dda5cd5 100644 --- a/testdata/val_nodata_hasdata.rpl +++ b/testdata/val_nodata_hasdata.rpl @@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL @@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/val_nodata_zonecut.rpl b/testdata/val_nodata_zonecut.rpl index c3e420be7..ae4e052ac 100644 --- a/testdata/val_nodata_zonecut.rpl +++ b/testdata/val_nodata_zonecut.rpl @@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL 
@@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/val_nodatawc_badce.rpl b/testdata/val_nodatawc_badce.rpl index 059611668..5a50e073b 100644 --- a/testdata/val_nodatawc_badce.rpl +++ b/testdata/val_nodatawc_badce.rpl @@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL @@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/val_nodatawc_nodeny.rpl b/testdata/val_nodatawc_nodeny.rpl index 5c5b76753..a388545a0 100644 --- a/testdata/val_nodatawc_nodeny.rpl +++ b/testdata/val_nodatawc_nodeny.rpl @@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL @@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/val_nsec3_b1_nameerror_noce.rpl b/testdata/val_nsec3_b1_nameerror_noce.rpl index 500e864f2..21061b608 100644 --- a/testdata/val_nsec3_b1_nameerror_noce.rpl 
+++ b/testdata/val_nsec3_b1_nameerror_noce.rpl @@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype +MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -. IN A +example. IN A SECTION AUTHORITY example. IN NS ns1.example. ; leave out to make unbound take ns1 @@ -46,6 +46,15 @@ RANGE_END ; ns1.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id copy_query +REPLY QR REFUSED +SECTION QUESTION +ns1.example. IN AAAA +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id copy_query diff --git a/testdata/val_nsec3_b1_nameerror_nonc.rpl b/testdata/val_nsec3_b1_nameerror_nonc.rpl index c821b8923..d7943fbe1 100644 --- a/testdata/val_nsec3_b1_nameerror_nonc.rpl +++ b/testdata/val_nsec3_b1_nameerror_nonc.rpl @@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype +MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -. IN A +example. IN A SECTION AUTHORITY example. IN NS ns1.example. ; leave out to make unbound take ns1 @@ -46,6 +46,15 @@ RANGE_END ; ns1.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id copy_query +REPLY QR REFUSED +SECTION QUESTION +ns1.example. IN AAAA +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id copy_query diff --git a/testdata/val_nsec3_b1_nameerror_nowc.rpl b/testdata/val_nsec3_b1_nameerror_nowc.rpl index f10883818..21c33eda8 100644 --- a/testdata/val_nsec3_b1_nameerror_nowc.rpl +++ b/testdata/val_nsec3_b1_nameerror_nowc.rpl @@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype +MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -. IN A +example. IN A SECTION AUTHORITY example. IN NS ns1.example. ; leave out to make unbound take ns1 
@@ -46,6 +46,15 @@ RANGE_END ; ns1.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id copy_query +REPLY QR REFUSED +SECTION QUESTION +ns1.example. IN AAAA +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id copy_query diff --git a/testdata/val_nsec3_b21_nodataent_wr.rpl b/testdata/val_nsec3_b21_nodataent_wr.rpl index 339d39348..cc62842aa 100644 --- a/testdata/val_nsec3_b21_nodataent_wr.rpl +++ b/testdata/val_nsec3_b21_nodataent_wr.rpl @@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN -MATCH opcode +MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -. IN A +example. IN A SECTION AUTHORITY example. IN NS ns1.example. ; leave out to make unbound take ns1 @@ -46,6 +46,15 @@ RANGE_END ; ns1.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id copy_query +REPLY QR REFUSED +SECTION QUESTION +ns1.example. IN AAAA +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id copy_query diff --git a/testdata/val_nsec3_b2_nodata_nons.rpl b/testdata/val_nsec3_b2_nodata_nons.rpl index 6ef6753d1..5ff2b91c1 100644 --- a/testdata/val_nsec3_b2_nodata_nons.rpl +++ b/testdata/val_nsec3_b2_nodata_nons.rpl @@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN -MATCH opcode +MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -. IN A +example. IN A SECTION AUTHORITY example. IN NS ns1.example. ; leave out to make unbound take ns1 @@ -46,6 +46,15 @@ RANGE_END ; ns1.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id copy_query +REPLY QR REFUSED +SECTION QUESTION +ns1.example. IN AAAA +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id copy_query 
diff --git a/testdata/val_nsec3_b3_optout_noce.rpl b/testdata/val_nsec3_b3_optout_noce.rpl index 870e3345f..c16ba2e8b 100644 --- a/testdata/val_nsec3_b3_optout_noce.rpl +++ b/testdata/val_nsec3_b3_optout_noce.rpl @@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN -MATCH opcode +MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -. IN A +example. IN A SECTION AUTHORITY example. IN NS ns1.example. ; leave out to make unbound take ns1 @@ -46,6 +46,15 @@ RANGE_END ; ns1.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id copy_query +REPLY QR REFUSED +SECTION QUESTION +ns1.example. IN AAAA +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id copy_query @@ -74,11 +83,8 @@ MATCH opcode qtype qname ADJUST copy_id REPLY QR AA DO NOERROR SECTION QUESTION -mc.c.example. IN MX +c.example. IN DS SECTION AUTHORITY -c.example. NS ns1.c.example. -c.example. NS ns2.c.example. - ;; NSEC3 RR that covers the "next closer" name (c.example) ;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG ) 
@@ -86,22 +92,20 @@ c.example. NS ns2.c.example. ;; NSEC3 RR that matches the closest encloser (example) ;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom -; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG ) -; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== ) - -SECTION ADDITIONAL -ns1.c.example. A 192.0.2.7 -ns2.c.example. A 192.0.2.8 - +;0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG ) +;0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== ) ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR AA DO NOERROR SECTION QUESTION -c.example. IN DS +c.example. IN MX SECTION AUTHORITY +c.example. NS ns1.c.example. +c.example. NS ns2.c.example. + ;; NSEC3 RR that covers the "next closer" name (c.example) ;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG ) 
@@ -109,15 +113,35 @@ SECTION AUTHORITY ;; NSEC3 RR that matches the closest encloser (example) ;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom -;0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG ) -;0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== ) -ENTRY_END +; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG ) +; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== ) + +SECTION ADDITIONAL +ns1.c.example. A 192.0.2.7 +ns2.c.example. A 192.0.2.8 +ENTRY_END RANGE_END ; ns1.c.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.7 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns1.c.example. IN AAAA +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns2.c.example. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -152,6 +176,22 @@ RANGE_END ; ns2.c.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.8 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns1.c.example. IN AAAA +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns2.c.example. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/val_nsec3_b3_optout_nonc.rpl b/testdata/val_nsec3_b3_optout_nonc.rpl index 9cca4dcf7..5ef749f25 100644 --- a/testdata/val_nsec3_b3_optout_nonc.rpl +++ b/testdata/val_nsec3_b3_optout_nonc.rpl 
@@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN -MATCH opcode +MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -. IN A +example. IN A SECTION AUTHORITY example. IN NS ns1.example. ; leave out to make unbound take ns1 @@ -46,6 +46,15 @@ RANGE_END ; ns1.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id copy_query +REPLY QR REFUSED +SECTION QUESTION +ns1.example. IN AAAA +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id copy_query 
@@ -74,43 +83,43 @@ MATCH opcode qtype qname ADJUST copy_id REPLY QR AA DO NOERROR SECTION QUESTION -mc.c.example. IN MX +c.example. IN DS SECTION AUTHORITY -c.example. NS ns1.c.example. -c.example. NS ns2.c.example. - ;; NSEC3 RR that covers the "next closer" name (c.example) ;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck -; 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG ) -; 35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ XtAIR3chwgW+SA== ) +;35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG ) +;35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ XtAIR3chwgW+SA== ) ;; NSEC3 RR that matches the closest encloser (example) ;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG ) 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== ) - -SECTION ADDITIONAL -ns1.c.example. A 192.0.2.7 -ns2.c.example. A 192.0.2.8 - ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR AA DO NOERROR SECTION QUESTION -c.example. IN DS +c.example. IN MX SECTION AUTHORITY +c.example. NS ns1.c.example. +c.example. NS ns2.c.example. + ;; NSEC3 RR that covers the "next closer" name (c.example) ;; H(c.example) = 4g6p9u5gvfshp30pqecj98b3maqbn1ck -;35mthgpgcu1qg68fab165klnsnk3dpvl.example. 
NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG ) -;35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ XtAIR3chwgW+SA== ) +; 35mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG ) +; 35mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ XtAIR3chwgW+SA== ) ;; NSEC3 RR that matches the closest encloser (example) ;; H(example) = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG ) 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== ) + +SECTION ADDITIONAL +ns1.c.example. A 192.0.2.7 +ns2.c.example. A 192.0.2.8 + ENTRY_END RANGE_END @@ -118,6 +127,22 @@ RANGE_END ; ns1.c.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.7 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns1.c.example. IN AAAA +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns2.c.example. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -152,6 +177,22 @@ RANGE_END ; ns2.c.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.8 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns1.c.example. IN AAAA +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns2.c.example. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id 
diff --git a/testdata/val_nsec3_b4_wild_wr.rpl b/testdata/val_nsec3_b4_wild_wr.rpl index 8aab0868d..547aade90 100644 --- a/testdata/val_nsec3_b4_wild_wr.rpl +++ b/testdata/val_nsec3_b4_wild_wr.rpl @@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN -MATCH opcode +MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -. IN A +example. IN A SECTION AUTHORITY example. IN NS ns1.example. ; leave out to make unbound take ns1 @@ -46,6 +46,15 @@ RANGE_END ; ns1.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id copy_query +REPLY QR REFUSED +SECTION QUESTION +ns1.example. IN AAAA +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id copy_query diff --git a/testdata/val_nsec3_b5_wcnodata_noce.rpl b/testdata/val_nsec3_b5_wcnodata_noce.rpl index 8ad659ab4..26a161f21 100644 --- a/testdata/val_nsec3_b5_wcnodata_noce.rpl +++ b/testdata/val_nsec3_b5_wcnodata_noce.rpl @@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN -MATCH opcode +MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -. IN A +example. IN A SECTION AUTHORITY example. IN NS ns1.example. ; leave out to make unbound take ns1 @@ -46,6 +46,15 @@ RANGE_END ; ns1.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id copy_query +REPLY QR REFUSED +SECTION QUESTION +ns1.example. IN AAAA +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id copy_query diff --git a/testdata/val_nsec3_b5_wcnodata_nonc.rpl b/testdata/val_nsec3_b5_wcnodata_nonc.rpl index 4b92a7f15..0aec8fa31 100644 --- a/testdata/val_nsec3_b5_wcnodata_nonc.rpl +++ b/testdata/val_nsec3_b5_wcnodata_nonc.rpl 
@@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN -MATCH opcode +MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -. IN A +example. IN A SECTION AUTHORITY example. IN NS ns1.example. ; leave out to make unbound take ns1 @@ -46,6 +46,15 @@ RANGE_END ; ns1.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id copy_query +REPLY QR REFUSED +SECTION QUESTION +ns1.example. IN AAAA +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id copy_query diff --git a/testdata/val_nsec3_b5_wcnodata_nowc.rpl b/testdata/val_nsec3_b5_wcnodata_nowc.rpl index 6335ea3e1..1f6e0e9f5 100644 --- a/testdata/val_nsec3_b5_wcnodata_nowc.rpl +++ b/testdata/val_nsec3_b5_wcnodata_nowc.rpl @@ -27,11 +27,11 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN -MATCH opcode +MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -. IN A +example. IN A SECTION AUTHORITY example. IN NS ns1.example. ; leave out to make unbound take ns1 @@ -46,6 +46,15 @@ RANGE_END ; ns1.example. RANGE_BEGIN 0 100 ADDRESS 192.0.2.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id copy_query +REPLY QR REFUSED +SECTION QUESTION +ns1.example. IN AAAA +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id copy_query diff --git a/testdata/val_nsec3_nodatawccname.rpl b/testdata/val_nsec3_nodatawccname.rpl index 56439c9e9..61f33e69f 100644 --- a/testdata/val_nsec3_nodatawccname.rpl +++ b/testdata/val_nsec3_nodatawccname.rpl @@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL 
@@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/val_nsec3_nods_badopt.rpl b/testdata/val_nsec3_nods_badopt.rpl index 59f94d72d..6ff56cb72 100644 --- a/testdata/val_nsec3_nods_badopt.rpl +++ b/testdata/val_nsec3_nods_badopt.rpl @@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.sub.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL @@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id @@ -120,15 +128,13 @@ s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com. 3600 IN RRSIG NSEC3 3 ENTRY_END -; refer to server one down ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION -www.sub.example.com. IN A +sub.example.com. IN DS SECTION AUTHORITY -sub.example.com. IN NS ns.sub.example.com. ; proof that there is no DS here. ;sub.example.com. 3600 IN DS 2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31 ;sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854} 
@@ -138,18 +144,17 @@ b6fuorg741ufili49mg9j4328ig53sqg.example.com. 3600 IN RRSIG NSEC3 3 ; sub.example.com. -> 8r1f0ieoutlnjc03meng9e3bn2n0o9pd. 8r1f0ieoutlnjc03meng9e3bn1n0o9pd.example.com. IN NSEC3 1 0 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS RRSIG 8r1f0ieoutlnjc03meng9e3bn1n0o9pd.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCategdxsiQTpOMHED1ehjPT7PO2gIUDJ9f/zGCEUHy/UVp97aOh0RRoks= ;{id = 2854} - -SECTION ADDITIONAL -ns.sub.example.com. IN A 1.2.3.10 ENTRY_END +; refer to server one down ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -sub.example.com. IN DS +sub.example.com. IN A SECTION AUTHORITY +sub.example.com. IN NS ns.sub.example.com. ; proof that there is no DS here. ;sub.example.com. 3600 IN DS 2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31 ;sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854} @@ -159,12 +164,24 @@ b6fuorg741ufili49mg9j4328ig53sqg.example.com. 3600 IN RRSIG NSEC3 3 ; sub.example.com. -> 8r1f0ieoutlnjc03meng9e3bn2n0o9pd. 8r1f0ieoutlnjc03meng9e3bn1n0o9pd.example.com. IN NSEC3 1 0 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS RRSIG 8r1f0ieoutlnjc03meng9e3bn1n0o9pd.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCategdxsiQTpOMHED1ehjPT7PO2gIUDJ9f/zGCEUHy/UVp97aOh0RRoks= ;{id = 2854} + +SECTION ADDITIONAL +ns.sub.example.com. IN A 1.2.3.10 ENTRY_END + RANGE_END ; ns.sub.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.10 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.sub.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id 
diff --git a/testdata/val_nsec3_nods_soa.rpl b/testdata/val_nsec3_nods_soa.rpl index 3d47601bb..6270bc7e4 100644 --- a/testdata/val_nsec3_nods_soa.rpl +++ b/testdata/val_nsec3_nods_soa.rpl 
@@ -121,45 +121,54 @@ s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com. 3600 IN RRSIG NSEC3 3 ENTRY_END -; refer to server one down ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION -www.sub.example.com. IN A +sub.example.com. IN DS SECTION AUTHORITY -sub.example.com. IN NS ns.sub.example.com. ; proof that there is no DS here. ;sub.example.com. 3600 IN DS 2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31 ;sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854} ; sub.example.com. -> 8r1f0ieoutlnjc03meng9e3bn2n0o9pd. 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS SOA DNSKEY RRSIG 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC4CFQCeKcyw76yvOvfa2+qtxv8bKcEyJwIVAJBeIGST4Y8Tk8YkQI0suee3Bxb1 ;{id = 2854} - -SECTION ADDITIONAL -ns.sub.example.com. IN A 1.2.3.10 ENTRY_END +; refer to server one down ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -sub.example.com. IN DS +sub.example.com. IN A SECTION AUTHORITY +sub.example.com. IN NS ns.sub.example.com. ; proof that there is no DS here. ;sub.example.com. 3600 IN DS 2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31 ;sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854} ; sub.example.com. -> 8r1f0ieoutlnjc03meng9e3bn2n0o9pd. 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS SOA DNSKEY RRSIG 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. 
MC4CFQCeKcyw76yvOvfa2+qtxv8bKcEyJwIVAJBeIGST4Y8Tk8YkQI0suee3Bxb1 ;{id = 2854} + +SECTION ADDITIONAL +ns.sub.example.com. IN A 1.2.3.10 ENTRY_END RANGE_END ; ns.sub.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.10 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.sub.example.com. IN AAAA +SECTION ANSWER +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/val_nsec3_wcany_nodeny.rpl b/testdata/val_nsec3_wcany_nodeny.rpl index e245a7b64..f13c5e208 100644 --- a/testdata/val_nsec3_wcany_nodeny.rpl +++ b/testdata/val_nsec3_wcany_nodeny.rpl @@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN ANY +example.com. IN ANY SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL @@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/val_nx_nodeny.rpl b/testdata/val_nx_nodeny.rpl index de5525f0e..a055495ee 100644 --- a/testdata/val_nx_nodeny.rpl +++ b/testdata/val_nx_nodeny.rpl @@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL @@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id 
diff --git a/testdata/val_nx_nowc.rpl b/testdata/val_nx_nowc.rpl index 47e07368f..433597669 100644 --- a/testdata/val_nx_nowc.rpl +++ b/testdata/val_nx_nowc.rpl @@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL @@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/val_nx_overreach.rpl b/testdata/val_nx_overreach.rpl index f0cb10be5..17852776a 100644 --- a/testdata/val_nx_overreach.rpl +++ b/testdata/val_nx_overreach.rpl @@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL @@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/testdata/val_positive_wc_nodeny.rpl b/testdata/val_positive_wc_nodeny.rpl index 6cf8b1a25..515e6d9ed 100644 --- a/testdata/val_positive_wc_nodeny.rpl +++ b/testdata/val_positive_wc_nodeny.rpl 
@@ -56,11 +56,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL @@ -71,6 +71,14 @@ RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA REFUSED +SECTION QUESTION +ns.example.com. IN AAAA +ENTRY_END + ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id diff --git a/util/module.c b/util/module.c index 2079eecfe..b45ec6fc8 100644 --- a/util/module.c +++ b/util/module.c @@ -47,6 +47,7 @@ strextstate(enum module_ext_state s) case module_state_initial: return "module_state_initial"; case module_wait_reply: return "module_wait_reply"; case module_wait_module: return "module_wait_module"; + case module_restart_next: return "module_restart_next"; case module_wait_subquery: return "module_wait_subquery"; case module_error: return "module_error"; case module_finished: return "module_finished"; diff --git a/util/module.h b/util/module.h index 3f228314d..aebd34b67 100644 --- a/util/module.h +++ b/util/module.h @@ -233,6 +233,8 @@ enum module_ext_state { module_wait_reply, /** module is waiting for another module */ module_wait_module, + /** module is waiting for another module; that other is restarted */ + module_restart_next, /** module is waiting for sub-query */ module_wait_subquery, /** module could not finish the query */ @@ -261,6 +263,16 @@ enum module_ev { module_event_error }; +/** Linked list of sockaddrs */ +struct sock_list { + /** next in list */ + struct sock_list* next; + /** sockaddr */ + struct sockaddr_storage addr; + /** length of addr */ + socklen_t len; +}; + /** * Module state, per query. */ 
@@ -278,6 +290,10 @@ struct module_qstate { struct dns_msg* return_msg; /** the rcode, in case of error, instead of a reply message */ int return_rcode; + /** origin of the reply (can be NULL from cache, list for cnames) */ + struct sock_list* reply_origin; + /** IP blacklist for queries */ + struct sock_list* blacklist; /** region for this query. Cleared when query process finishes. */ struct regional* region; diff --git a/util/net_help.c b/util/net_help.c index 66276b519..d54038ce4 100644 --- a/util/net_help.c +++ b/util/net_help.c @@ -41,6 +41,8 @@ #include "util/net_help.h" #include "util/log.h" #include "util/data/dname.h" +#include "util/module.h" +#include "util/regional.h" #include /** max length of an IP address (the address portion) that we allow */ @@ -488,3 +490,44 @@ addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen) s = (uint8_t*)&((struct sockaddr_in6*)addr)->sin6_addr; return (memcmp(s, map_prefix, 12) == 0); } + +void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr, + socklen_t len, struct regional* region) +{ + struct sock_list* add = (struct sock_list*)regional_alloc(region, + sizeof(*add)); + if(!add) { + log_err("out of memory in socketlist insert"); + return; + } + log_assert(list); + add->next = *list; + add->len = len; + memcpy(&add->addr, addr, len); + *list = add; +} + +void sock_list_prepend(struct sock_list** list, struct sock_list* add) +{ + struct sock_list* last = add; + if(!last) + return; + while(last->next) + last = last->next; + last->next = *list; + *list = add; +} + +int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr, + socklen_t len) +{ + while(list) { + if(len == list->len) { + if(len == 0 || sockaddr_cmp_addr(addr, len, + &list->addr, list->len) == 0) + return 1; + } + list = list->next; + } + return 0; +} diff --git a/util/net_help.h b/util/net_help.h index 8fa486722..cd8dd84bf 100644 --- a/util/net_help.h +++ b/util/net_help.h 
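Review bot: `sock_list_insert` in util/net_help.c copies with `memcpy(&add->addr, addr, len)` without checking either argument. The validator calls it with `addr == NULL, len == 0` for the cache entry, and passing a null pointer to memcpy is undefined behaviour even for a zero length; a `len` larger than `sizeof(add->addr)` would write past the entry. Guard both, e.g. `log_assert(len <= (socklen_t)sizeof(add->addr));` followed by `if(len) memcpy(&add->addr, addr, len);`. The function also returns void, so a caller cannot tell that the allocation failed and the list was left unchanged; returning an int would let processFinished decide whether a retry still makes sense.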
@@ -42,6 +42,8 @@ #ifndef NET_HELP_H #define NET_HELP_H #include "util/log.h" +struct sock_list; +struct regional; /** DNS constants for uint16_t style flag manipulation. host byteorder. * 1 1 1 1 1 1 @@ -277,4 +279,31 @@ void addr_to_str(struct sockaddr_storage* addr, socklen_t addrlen, */ int addr_is_ip4mapped(struct sockaddr_storage* addr, socklen_t addrlen); +/** + * Insert new socket list item. If fails logs error. + * @param list: pointer to pointer to first item. + * @param addr: address or NULL if 'cache'. + * @param len: length of addr, or 0 if 'cache'. + * @param region: where to allocate + */ +void sock_list_insert(struct sock_list** list, struct sockaddr_storage* addr, + socklen_t len, struct regional* region); + +/** + * Append one list to another. Must both be from same qstate(regional). + * @param list: pointer to result list that is modified. + * @param add: item(s) to add. They are prepended to list. + */ +void sock_list_prepend(struct sock_list** list, struct sock_list* add); + +/** + * Find addr in list. + * @param list: to search in + * @param addr: address to look for. + * @param len: length. Can be 0, look for 'cache entry'. + * @return true if found. + */ +int sock_list_find(struct sock_list* list, struct sockaddr_storage* addr, + socklen_t len); + #endif /* NET_HELP_H */ diff --git a/validator/validator.c b/validator/validator.c index 27f3fea93..bbb536a79 100644 --- a/validator/validator.c +++ b/validator/validator.c 
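Review bot: The comment for `sock_list_prepend` in util/net_help.h opens with "Append one list to another" while the function puts `add` in front of `*list`, and it does not mention that the last element of `add` is rewritten to point at the old head. I would reword it along the lines of `Prepend the list add to *list; the tail of add is linked to the old head, so add must not be used as a separate list afterwards.` The `sock_list_insert` comment could likewise state that the list is left unchanged when the allocation fails, since the function has no return value to signal it.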
@@ -188,18 +188,10 @@ val_deinit(struct module_env* env, int id) env->modinfo[id] = NULL; } -/** allocate new validator query state */ +/** fill in message structure */ static struct val_qstate* -val_new(struct module_qstate* qstate, int id) +val_new_getmsg(struct module_qstate* qstate, struct val_qstate* vq) { - struct val_qstate* vq = (struct val_qstate*)regional_alloc( - qstate->region, sizeof(*vq)); - log_assert(!qstate->minfo[id]); - if(!vq) - return NULL; - memset(vq, 0, sizeof(*vq)); - qstate->minfo[id] = vq; - vq->state = VAL_INIT_STATE; if(!qstate->return_msg || qstate->return_rcode != LDNS_RCODE_NOERROR) { /* create a message to verify */ verbose(VERB_ALGO, "constructing reply for validation"); @@ -235,6 +227,21 @@ val_new(struct module_qstate* qstate, int id) return vq; } +/** allocate new validator query state */ +static struct val_qstate* +val_new(struct module_qstate* qstate, int id) +{ + struct val_qstate* vq = (struct val_qstate*)regional_alloc( + qstate->region, sizeof(*vq)); + log_assert(!qstate->minfo[id]); + if(!vq) + return NULL; + memset(vq, 0, sizeof(*vq)); + qstate->minfo[id] = vq; + vq->state = VAL_INIT_STATE; + return val_new_getmsg(qstate, vq); +} + /** * Exit validation with an error status * @@ -1175,6 +1182,10 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq, enum val_classification subtype = val_classify_response( qstate->query_flags, &qstate->qinfo, &vq->qchase, vq->orig_msg->rep, vq->rrset_skip); + if(vq->restart_count > VAL_MAX_RESTART_COUNT) { + verbose(VERB_ALGO, "restart count exceeded"); + return val_error(qstate, id); + } verbose(VERB_ALGO, "validator classification %s", val_classification_to_string(subtype)); if(subtype == VAL_CLASS_REFERRAL && 
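Review bot: `val_new_getmsg` in validator/validator.c is documented only with `/** fill in message structure */`, which does not tell a caller what it returns or when it fails. From the visible lines it returns `vq` on the success path, and the new caller in val_operate logs a malloc failure when it gets NULL, so a short doc block with `@param qstate`, `@param vq` and `@return vq, or NULL on allocation failure` would make the contract explicit. It is also worth stating there that the function is called again on an existing `vq` after a restart, when `orig_msg` is NULL. The body of the function continues outside this hunk.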
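Review bot: The added guard `if(vq->restart_count > VAL_MAX_RESTART_COUNT)` in processInit looks unreachable with the code in this commit, because processFinished only increments the counter while it is `< VAL_MAX_RESTART_COUNT`, so the value never exceeds the limit. If it is meant as a backstop, a comment such as `/* defensive: processFinished stops restarting at the limit */` would say so. It also sits after the declaration that already calls `val_classify_response()`, so it does not avoid that work on the error path. processInit starts and ends outside the hunk.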
@@ -1825,6 +1836,47 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq, /* if the result is bogus - set message ttl to bogus ttl to avoid * endless bogus revalidation */ if(vq->orig_msg->rep->security == sec_status_bogus) { + /* see if we can try again to fetch data */ + if(vq->restart_count < VAL_MAX_RESTART_COUNT) { + int restart_count = vq->restart_count+1; + verbose(VERB_ALGO, "validation failed, " + "blacklist and retry to fetch data"); + /* debug printout */ + if(verbosity >= VERB_ALGO) { + struct sock_list* p; + if(!qstate->reply_origin) + verbose(VERB_ALGO, "new blacklist: " + "cache"); + for(p=qstate->reply_origin; p; p=p->next) + if(p->len) + log_addr(VERB_ALGO, + "new blacklist IP", + &p->addr, p->len); + else verbose(VERB_ALGO, "new " + "blacklist: cache"); + for(p=qstate->blacklist; p; p=p->next) + if(p->len) + log_addr(VERB_ALGO, + "blacklist IP", + &p->addr, p->len); + else verbose(VERB_ALGO, "blacklist " + "cache"); + } + /* blacklist the IPs or the cache */ + if(qstate->reply_origin) + sock_list_prepend(&qstate->blacklist, + qstate->reply_origin); + else sock_list_insert(&qstate->blacklist, NULL, 0, + qstate->region); + qstate->reply_origin = NULL; + memset(vq, 0, sizeof(*vq)); + vq->restart_count = restart_count; + vq->state = VAL_INIT_STATE; + verbose(VERB_ALGO, "pass back to next module"); + qstate->ext_state[id] = module_restart_next; + return 0; + } + vq->orig_msg->rep->ttl = ve->bogus_ttl; if(qstate->env->cfg->val_log_level >= 1) { log_query_info(0, "validation failure", &qstate->qinfo); @@ -2044,6 +2096,12 @@ val_operate(struct module_qstate* qstate, enum module_ev event, int id, qstate->ext_state[id] = module_error; return; } + } else if(!vq->orig_msg) { + if(!val_new_getmsg(qstate, vq)) { + log_err("validator: malloc failure"); + qstate->ext_state[id] = module_error; + return; + } } val_handle(qstate, vq, ve, id); return; diff --git a/validator/validator.h b/validator/validator.h index 9587fedae..60bebd0dc 100644 
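Review bot: In processFinished the retry is started whether or not the blacklist was actually extended: in the cache case `sock_list_insert(&qstate->blacklist, NULL, 0, qstate->region)` only logs when its allocation fails, and the code then still resets `vq` and sets `module_restart_next`. The restart would then presumably run against the same source again, bounded only by VAL_MAX_RESTART_COUNT. If `sock_list_insert` returned a status, this branch could fall through to the existing bogus handling on failure instead of restarting. Separately, the debug loops nest `if`/`else` under `for` without braces; bracing them would make it plain which statement each `else` belongs to. processFinished starts and ends outside the hunk.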
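Review bot: The new `else if(!vq->orig_msg)` branch in val_operate has no comment, and why `orig_msg` can be NULL for an existing `vq` only becomes clear after reading processFinished, where the state is zeroed with `memset(vq, 0, sizeof(*vq))` before the restart. A line such as `/* vq was reset for a retry; fetch the new reply into orig_msg */` above the branch would record that dependency. val_operate starts and ends outside the hunk.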
--- a/validator/validator.h +++ b/validator/validator.h @@ -56,6 +56,9 @@ struct val_neg_cache; */ #define NULL_KEY_TTL 900 /* seconds */ +/** max number of query restarts, number of IPs to probe */ +#define VAL_MAX_RESTART_COUNT 5 + /** * Global state for the validator. */ @@ -150,6 +153,11 @@ struct val_qstate { */ struct dns_msg* orig_msg; + /** + * The query restart count + */ + int restart_count; + /** * The query name we have chased to; qname after following CNAMEs */
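Review bot: The comment on `restart_count` in `struct val_qstate` should say that the field has to survive the state reset. processFinished zeroes the whole struct and then writes the saved count back, so any field added later that must persist over a restart needs the same treatment. Something like `/** The query restart count; kept across the memset in processFinished, limited by VAL_MAX_RESTART_COUNT */` would do. The struct definition starts and ends outside the hunk.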