From: Otto Moerbeek Date: Fri, 28 Jan 2022 08:45:13 +0000 (+0100) Subject: Allow disabling of processing the root hints X-Git-Tag: auth-4.7.0-alpha1~21^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e46b0f2f7f4f20f92190a9202a7823ffe2123d98;p=thirdparty%2Fpdns.git Allow disabling of processing the root hints This also make sure we use the right dnssec mode for processing hints and changes a few log levels to Debug to be less verbose. --- diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst index 78c34fcae1..d20a5c2826 100644 --- a/pdns/recursordist/docs/settings.rst +++ b/pdns/recursordist/docs/settings.rst @@ -879,8 +879,11 @@ If set, EDNS options in incoming queries are extracted and passed to the :func:` ``hint-file`` ------------- - Path +- Default: empty -If set, the root-hints are read from this file. If unset, default root hints are used. +If set, the root-hints are read from this file. If empty, the default built-in root hints are used. +In some special cases, processing the root hints is not needed, for example when forwarding all queries to another recursor. +For these special cases, it is possible to disable the processing of root hints by setting the value to ``no``. .. _setting-ignore-unknown-settings: diff --git a/pdns/recursordist/rec-main.cc b/pdns/recursordist/rec-main.cc index c9505adb64..30887dce4a 100644 --- a/pdns/recursordist/rec-main.cc +++ b/pdns/recursordist/rec-main.cc 
@@ -1828,10 +1828,10 @@ static void houseKeeping(void*) // Divide by 12 to get the original 2 hour cycle if s_maxcachettl is default (1 day) if (now.tv_sec - t_last_rootupdate > max(SyncRes::s_maxcachettl / 12, 10U)) { int res = SyncRes::getRootNS(g_now, nullptr, 0); - if (!res) { + if (res == 0) { t_last_rootupdate = now.tv_sec; try { - primeRootNSZones(g_dnssecmode != DNSSECMode::Off, 0); + primeRootNSZones(g_dnssecmode, 0); } catch (const std::exception& e) { g_log << Logger::Error << "Exception while priming the root NS zones: " << e.what() << endl; @@ -1925,7 +1925,7 @@ try { g_log << Logger::Critical << "Priming cache failed, stopping" << endl; return nullptr; } - g_log << Logger::Warning << "Done priming cache with root hints" << endl; + g_log << Logger::Debug << "Done priming cache with root hints" << endl; } t_packetCache = std::make_unique(); diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc index 8836275b18..7b5d47c61a 100644 --- a/pdns/recursordist/test-syncres_cc.cc +++ b/pdns/recursordist/test-syncres_cc.cc @@ -27,7 +27,7 @@ ArgvMap& arg() return theArg; } -void primeRootNSZones(bool, unsigned int) +void primeRootNSZones(DNSSECMode, unsigned int) { } diff --git a/pdns/reczones.cc b/pdns/reczones.cc index 10418a6b2d..384c7661f9 100644 --- a/pdns/reczones.cc +++ b/pdns/reczones.cc @@ -53,7 +53,12 @@ bool primeHints(time_t ignored) time_t now = time(nullptr); - if (::arg()["hint-file"].empty()) { + const string hintfile = ::arg()["hint-file"]; + if (hintfile == "no") { + g_log << Logger::Debug << "Priming root disabled by hint-file=no" << endl; + return true; + } + if (hintfile.empty()) { DNSRecord arr, aaaarr, nsrr; nsrr.d_name = g_rootdnsname; arr.d_type = QType::A; 
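Review bot: The periodic root NS refresh in houseKeeping is not gated on the new `hint-file=no` mode, so once priming is disabled this block still calls `SyncRes::getRootNS` each time the interval expires, and because `t_last_rootupdate` is only advanced inside `if (res == 0)`, a failing refresh is retried on every housekeeping pass. Whether getRootNS actually fails without primed hints depends on the forward-zone configuration, which is not visible here, but in the all-queries-forwarded case the commit message describes there is no reason to keep refreshing the root NS set at all. I would skip the refresh under the same condition primeHints uses, e.g. `if (::arg()["hint-file"] != "no" && now.tv_sec - t_last_rootupdate > max(SyncRes::s_maxcachettl / 12, 10U)) {`, or better, expose one helper such as `rootHintsDisabled()` so the literal `"no"` is not duplicated between reczones.cc and rec-main.cc. houseKeeping starts and ends outside this hunk.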
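Review bot: The new disable check in primeHints is an exact, case-sensitive match on `"no"`, so values such as `No`, `NO`, `off` or `false` are silently treated as a path and, judging by the else branch in the next hunk, handed to `ZoneParserTNG`, which presumably fails with a file-not-found style error rather than a clear message that the value was not understood. I would either normalise before comparing (`if (toLower(hintfile) == "no")`, assuming the tree's usual lower-casing helper is available here) or document the restriction directly above the check: `// Only the exact lowercase literal "no" disables priming; any other non-empty value is taken as a path.` This also means a hint file literally named `no` in the working directory can no longer be referenced by relative path, which is worth a one-line note in the setting's documentation. primeHints continues past the end of this hunk.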
@@ -97,7 +102,7 @@ bool primeHints(time_t ignored) } } else { - ZoneParserTNG zpt(::arg()["hint-file"]); + ZoneParserTNG zpt(hintfile); zpt.setMaxGenerateSteps(::arg().asNum("max-generate-steps")); zpt.setMaxIncludes(::arg().asNum("max-include-depth")); DNSResourceRecord rr; @@ -168,16 +173,14 @@ bool primeHints(time_t ignored) // servers are authoritative for root-servers.net, and some // implementations reply not with a delegation on a root-servers.net // DS query, but with a NODATA response (the domain is unsigned). -void primeRootNSZones(bool dnssecmode, unsigned int depth) +void primeRootNSZones(DNSSECMode mode, unsigned int depth) { struct timeval now; gettimeofday(&now, 0); SyncRes sr(now); - if (dnssecmode) { - sr.setDoDNSSEC(true); - sr.setDNSSECValidationRequested(true); - } + sr.setDoDNSSEC(mode != DNSSECMode::Off); + sr.setDNSSECValidationRequested(mode != DNSSECMode::Off && mode != DNSSECMode::ProcessNoValidate); // beginResolve() can yield to another mthread that could trigger t_rootNSZones updates, // so make a local copy diff --git a/pdns/syncres.cc b/pdns/syncres.cc index 3358831a44..d9cfd7edee 100644 --- a/pdns/syncres.cc +++ b/pdns/syncres.cc @@ -1336,7 +1336,7 @@ void SyncRes::getBestNSFromCache(const DNSName &qname, const QType qtype, vector LOG(prefix< ret; - int res=-1; + int res = -1; try { - res=sr.beginResolve(g_rootdnsname, QType::NS, 1, ret, depth + 1); + res = sr.beginResolve(g_rootdnsname, QType::NS, 1, ret, depth + 1); if (g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate) { auto state = sr.getValidationState(); if (vStateIsBogus(state)) { @@ -4693,11 +4693,11 @@ int SyncRes::getRootNS(struct timeval now, asyncresolve_t asyncCallback, unsigne g_log<
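Review bot: The "validation requested" predicate `mode != DNSSECMode::Off && mode != DNSSECMode::ProcessNoValidate` in primeRootNSZones is spelled out a second time in the syncres.cc getRootNS hunk below as `g_dnssecmode != DNSSECMode::Off && g_dnssecmode != DNSSECMode::ProcessNoValidate`; if another mode is ever added to DNSSECMode the two copies can drift, and one of the root priming paths would then request validation when it should not, or skip it when it should. A small helper would keep them in step, e.g. `static bool dnssecValidationRequested(DNSSECMode mode) { return mode != DNSSECMode::Off && mode != DNSSECMode::ProcessNoValidate; }` defined next to DNSSECMode and called from both places. A brief comment on the two setters would also help a reader, e.g. `// ProcessNoValidate: DO is set (mode != Off) but validation is not requested.` primeRootNSZones continues past the end of this hunk.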