From: Yorgos Thessalonikefs Date: Sun, 16 Mar 2025 08:01:03 +0000 (+0100) Subject: - Fix 'unbound-control flush_negative' when reporting removed data; X-Git-Tag: release-1.23.0rc1~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=71bb60e586404d5eab4b79f81d064c0bdd0a9e6e;p=thirdparty%2Funbound.git - Fix 'unbound-control flush_negative' when reporting removed data; reported by David 'eqvinox' Lamparter.
---
diff --git a/daemon/remote.c b/daemon/remote.c
index abba0f405..3d683afd1 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -1950,7 +1950,7 @@ bogus_del_rrset(struct lruhash_entry* e, void* arg)
 /* entry is locked */
 struct del_info* inf = (struct del_info*)arg;
 struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
- if(d->security == sec_status_bogus) {
+ if(d->security == sec_status_bogus && d->ttl > inf->expired) {
 d->ttl = inf->expired;
 inf->num_rrsets++;
 }
@@ -1963,7 +1963,7 @@ bogus_del_msg(struct lruhash_entry* e, void* arg)
 /* entry is locked */
 struct del_info* inf = (struct del_info*)arg;
 struct reply_info* d = (struct reply_info*)e->data;
- if(d->security == sec_status_bogus) {
+ if(d->security == sec_status_bogus && d->ttl > inf->expired) {
 d->ttl = inf->expired;
 d->prefetch_ttl = inf->expired;
 d->serve_expired_ttl = inf->expired;
@@ -1983,7 +1983,7 @@ bogus_del_kcache(struct lruhash_entry* e, void* arg)
 /* entry is locked */
 struct del_info* inf = (struct del_info*)arg;
 struct key_entry_data* d = (struct key_entry_data*)e->data;
- if(d->isbad) {
+ if(d->isbad && d->ttl > inf->expired) {
 d->ttl = inf->expired;
 inf->num_keys++;
 }
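Review bot: The added `d->ttl > inf->expired` term in bogus_del_rrset carries no comment explaining why an entry at or below the expiry mark is left alone, and the same bare term is repeated in bogus_del_msg, bogus_del_kcache and the three negative_del_* callbacks further down. A one-line comment above each `if` would record the intent, for example `/* already expired entries are skipped so that a repeated flush does not count them again */`. Judging by their names these three callbacks serve the bogus flush rather than flush_negative, which is the only command the subject, the Changelog entry and the new test step mention, so that wider scope is worth stating in the commit record. The function starts above the hunk.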
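Review bot: The guard in bogus_del_msg tests only `d->ttl`, yet the block it protects also resets `d->prefetch_ttl` and `d->serve_expired_ttl`. A bogus message whose ttl has already passed but whose serve_expired_ttl still lies beyond `inf->expired` is now skipped, where the removed line reset it unconditionally. If the resolver answers from expired entries based on that field, which these lines do not show, such a message could stay answerable after an operator flush. Consider `if(d->security == sec_status_bogus && (d->ttl > inf->expired || d->serve_expired_ttl > inf->expired)) {`, and the same extra term in negative_del_msg, which has the same shape. The function body continues past the hunk.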
@@ -2032,7 +2032,8 @@ negative_del_rrset(struct lruhash_entry* e, void* arg)
 /* delete the parentside negative cache rrsets,
 * these are nameserver rrsets that failed lookup, rdata empty */
 if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 &&
- d->rrsig_count == 0 && d->rr_len[0] == 0) {
+ d->rrsig_count == 0 && d->rr_len[0] == 0 &&
+ d->ttl > inf->expired) {
 d->ttl = inf->expired;
 inf->num_rrsets++;
 }
@@ -2047,7 +2048,8 @@ negative_del_msg(struct lruhash_entry* e, void* arg)
 struct reply_info* d = (struct reply_info*)e->data;
 /* rcode not NOERROR: NXDOMAIN, SERVFAIL, ..: an nxdomain or error
 * or NOERROR rcode with ANCOUNT==0: a NODATA answer */
- if(FLAGS_GET_RCODE(d->flags) != 0 || d->an_numrrsets == 0) {
+ if((FLAGS_GET_RCODE(d->flags) != 0 || d->an_numrrsets == 0) &&
+ d->ttl > inf->expired) {
 d->ttl = inf->expired;
 d->prefetch_ttl = inf->expired;
 d->serve_expired_ttl = inf->expired;
@@ -2069,7 +2071,7 @@ negative_del_kcache(struct lruhash_entry* e, void* arg)
 struct key_entry_data* d = (struct key_entry_data*)e->data;
 /* could be bad because of lookup failure on the DS, DNSKEY, which
 * was nxdomain or servfail, and thus a result of negative lookups */
- if(d->isbad) {
+ if(d->isbad && d->ttl > inf->expired) {
 d->ttl = inf->expired;
 inf->num_keys++;
 }
diff --git a/doc/Changelog b/doc/Changelog
index d2ec41590..bff18592a 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+16 March 2025: Yorgos
+ - Fix 'unbound-control flush_negative' when reporting removed data;
+ reported by David 'eqvinox' Lamparter.
+
 28 February 2025: Wouter
 - Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
 Add --help output description for the SOURCE_DATE_EPOCH variable.
diff --git a/testdata/09-unbound-control.tdir/09-unbound-control.conf b/testdata/09-unbound-control.tdir/09-unbound-control.conf
index 719e92309..be65336ea 100644
--- a/testdata/09-unbound-control.tdir/09-unbound-control.conf
+++ b/testdata/09-unbound-control.tdir/09-unbound-control.conf
@@ -13,6 +13,7 @@ server: msg-cache-size: 4m rrset-cache-size: 4m minimal-responses: yes + trust-anchor: "always.empty. 3600 IN DS 50602 8 2 FA8EE175C47325F4BD46D8A4083C3EBEB11C977D689069F2B41F1A29 B22446B1" # This is nonsense, just to kick the validator view: name: testview view-first: yes # Allow falling back to global local data diff --git a/testdata/09-unbound-control.tdir/09-unbound-control.test b/testdata/09-unbound-control.tdir/09-unbound-control.test index 8bd2220f3..80f64c978 100644 --- a/testdata/09-unbound-control.tdir/09-unbound-control.test +++ b/testdata/09-unbound-control.tdir/09-unbound-control.test @@ -249,6 +249,18 @@ expect_exit_value 1 teststep "clean reload" clean_reload +teststep "Check negative flushing" +query always.empty. +expect_answer "SERVFAIL" +query always.empty. DNSKEY +expect_answer "SERVFAIL" +control_command -c ub.conf flush_negative +expect_exit_value 0 +expect_answer "^ok removed .*, 2 messages and 1 key" +control_command -c ub.conf flush_negative +expect_exit_value 0 +expect_answer "^ok removed .*, 0 messages and 0 key" + teststep "create a new local zone" control_command -c ub.conf local_zone example.net static expect_exit_value 0 diff --git a/testdata/09-unbound-control.tdir/09-unbound-control.testns b/testdata/09-unbound-control.tdir/09-unbound-control.testns index 9a5192fab..44466b4da 100644 --- a/testdata/09-unbound-control.tdir/09-unbound-control.testns +++ b/testdata/09-unbound-control.tdir/09-unbound-control.testns @@ -1,5 +1,4 @@ ; nameserver test file -$ORIGIN example.com. $TTL 3600 ENTRY_BEGIN @@ -7,9 +6,9 @@ MATCH opcode qtype qname REPLY QR AA NOERROR ADJUST copy_id SECTION QUESTION -www IN A +www.example.com. IN A SECTION ANSWER -www IN A 10.20.30.40 +www.example.com. IN A 10.20.30.40 ENTRY_END ENTRY_BEGIN 
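Review bot: Both `expect_answer` patterns in the "Check negative flushing" step leave the first counter as `.*`, so the step pins the message and key counts but never checks the rrset count, although the commit also changes negative_del_rrset. A regression that counts already expired rrsets again on the second flush would pass unnoticed. Tightening the second pattern to `expect_answer "^ok removed 0 .*, 0 messages and 0 key"` would cover it, provided no other rrset in this test setup matches on the second call, which the hunk does not show.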
@@ -19,3 +18,19 @@ ADJUST copy_id
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+always.empty. IN A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+always.empty. IN DNSKEY
+ENTRY_END