From 2cc9563cf8e9ee27bd68ab7091a39fed167a1f49 Mon Sep 17 00:00:00 2001
From: George Thessalonikefs
Date: Tue, 1 Aug 2023 15:23:25 +0200
Subject: [PATCH] - Fix to use the now cached EDE, if any, for CD_bit queries.

---
 daemon/worker.c | 27 ++++++++++++++++++++++++---
 doc/Changelog | 1 +
 testdata/ede.tdir/ede.test | 17 ++++++++++++++++-
 3 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/daemon/worker.c b/daemon/worker.c
index 1b988ed36..34086ce59 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -475,7 +475,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 uint16_t udpsize = edns->udp_size;
 int secure = 0;
 time_t timenow = *worker->env.now;
- int must_validate = (!(flags&BIT_CD) || worker->env.cfg->ignore_cd)
+ int has_cd_bit = (flags&BIT_CD);
+ int must_validate = (!has_cd_bit || worker->env.cfg->ignore_cd)
 && worker->env.need_to_validate;
 struct dns_msg *msg = NULL;
 struct delegpt *dp;
@@ -546,6 +547,16 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 worker->env.now_tv))
 return 0;
 msg->rep->flags |= BIT_QR|BIT_RA;
+ /* Attach the cached EDE (RFC8914) if CD bit is set and the answer is
+ * bogus. */
+ if(worker->env.cfg->ede && has_cd_bit &&
+ (check_delegation_secure(msg->rep) == sec_status_bogus ||
+ check_delegation_secure(msg->rep) == sec_status_secure_sentinel_fail) &&
+ msg->rep->reason_bogus != LDNS_EDE_NONE) {
+ edns_opt_list_append_ede(&edns->opt_list_out,
+ worker->scratchpad, msg->rep->reason_bogus,
+ msg->rep->reason_bogus_str);
+ }
 if(!reply_info_answer_encode(&msg->qinfo, msg->rep, id, flags,
 repinfo->c->buffer, 0, 1, worker->scratchpad,
 udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) {
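Review bot: `int has_cd_bit = (flags&BIT_CD);` keeps the raw masked flag value under a name that reads as a truth value, so the variable is not the 0/1 its name suggests; `int has_cd_bit = (flags&BIT_CD) != 0;` makes it one and costs nothing. The hunk at -636 in answer_from_cache introduces the identical line and should get the same treatment. This is only a readability point, since the patch uses has_cd_bit exclusively in boolean context. answer_norec_from_cache starts and continues outside the hunk.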
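Review bot: The comment above the new `if` says the EDE is attached when the answer is bogus, but the condition also fires for `sec_status_secure_sentinel_fail`, and `check_delegation_secure(msg->rep)` is evaluated twice on the same reply. Hoist it into a local and let the comment name both cases: `enum sec_status ds = check_delegation_secure(msg->rep);` then `if(worker->env.cfg->ede && has_cd_bit && (ds == sec_status_bogus || ds == sec_status_secure_sentinel_fail) && msg->rep->reason_bogus != LDNS_EDE_NONE) {`, under `/* CD bit set and the cached delegation is bogus or failed the secure sentinel check: attach the cached EDE (RFC8914); the answer itself is still sent. */`. The result of edns_opt_list_append_ede() is not inspected, so if it fails the reply goes out without the EDE; that is acceptable for an informational option but deserves a one-line comment saying it is best-effort. Whether this branch can be reached with ignore_cd set (has_cd_bit and must_validate both true) depends on code before the hunk and is worth confirming, since the EDE would then ride on an answer the validating path is expected to refuse. answer_norec_from_cache starts and continues outside the hunk.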
@@ -636,7 +647,8 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 uint16_t udpsize = edns->udp_size;
 struct reply_info* encode_rep = rep;
 struct reply_info* partial_rep = *partial_repp;
- int must_validate = (!(flags&BIT_CD) || worker->env.cfg->ignore_cd)
+ int has_cd_bit = (flags&BIT_CD);
+ int must_validate = (!has_cd_bit || worker->env.cfg->ignore_cd)
 && worker->env.need_to_validate;
 *partial_repp = NULL; /* avoid accidental further pass */

@@ -763,11 +775,20 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 goto bail_out;
 }
 } else {
- if (*is_expired_answer == 1 &&
+ if(*is_expired_answer == 1 &&
 worker->env.cfg->ede_serve_expired && worker->env.cfg->ede) {
 EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out,
 worker->scratchpad, LDNS_EDE_STALE_ANSWER, "");
 }
+ /* Attach the cached EDE (RFC8914) if CD bit is set and the
+ * answer is bogus. */
+ if(*is_secure_answer == 0 &&
+ worker->env.cfg->ede && has_cd_bit &&
+ encode_rep->reason_bogus != LDNS_EDE_NONE) {
+ edns_opt_list_append_ede(&edns->opt_list_out,
+ worker->scratchpad, encode_rep->reason_bogus,
+ encode_rep->reason_bogus_str);
+ }
 if(!reply_info_answer_encode(qinfo, encode_rep, id, flags,
 repinfo->c->buffer, timenow, 1, worker->scratchpad,
 udpsize, edns, (int)(edns->bits & EDNS_DO),
diff --git a/doc/Changelog b/doc/Changelog
index 448eda5f5..48f8bd59f 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -5,6 +5,7 @@
 altogether) before giving up on attaching EDE options.
 - More braces and formatting for Fix for EDNS EDE size calculation to
 avoid future bugs.
+ - Fix to use the now cached EDE, if any, for CD_bit queries.

 1 August 2023: Wouter
 - Fix for EDNS EDE size calculation.
diff --git a/testdata/ede.tdir/ede.test b/testdata/ede.tdir/ede.test
index 7ce05faf9..e45085ebf 100644
--- a/testdata/ede.tdir/ede.test
+++ b/testdata/ede.tdir/ede.test
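Review bot: `*is_secure_answer == 0` is a broader test than the comment's "answer is bogus": how it is set lies outside the hunk, but a zero there presumably also covers insecure or unvalidated answers, so the real gate is `encode_rep->reason_bogus != LDNS_EDE_NONE` and the comment should say so, e.g. `/* CD bit set and the cached reply carries a bogus reason: attach that EDE (RFC8914). Non-secure answers without a cached reason get no EDE. */`. The stale-answer branch just above goes through EDNS_OPT_LIST_APPEND_EDE while the new code calls edns_opt_list_append_ede() directly, as does the hunk at -546 in answer_norec_from_cache; if the macro adds handling that the cached text must bypass, a short comment on why the direct call is used would stop a later "consistency" rewrite from breaking it. The `if (` to `if(` edit on the expired-answer line is an unrelated whitespace change bundled into this fix. answer_from_cache starts and continues outside the hunk.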
@@ -84,5 +84,20 @@ then
 exit 1
 fi

-# TODO EDE with CD bit set (EDE but no SERVFAIL) for a cached answer
+# EDE with CD bit set (EDE but no SERVFAIL) for a cached answer
+# Same test as above
+dig @127.0.0.1 -p $UNBOUND_PORT cd.dnskey-failures.test +cd > cd_bit_ede.txt
+
+if ! grep -q -e "NXDOMAIN" cd_bit_ede.txt
+then
+ echo "No NXDOMAIN reply with CD bit set for cached answer"
+ cat cd_bit_ede.txt
+ exit 1
+fi
+if ! grep -q -e "OPT=15: 00 09" -e "EDE: 9" cd_bit_ede.txt
+then
+ echo "No EDE attached with CD bit set for cached answer"
+ cat cd_bit_ede.txt
+ exit 1
+fi
 # TODO DNSSEC indeterminate when implemented
-- 
2.47.3