From 657753aac2f46d2cedaf89b0484f10a295673442 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Wed, 31 Jan 2018 08:30:32 +0000
Subject: [PATCH] auth zone for downstream
git-svn-id: file:///svn/unbound/trunk@4474 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 daemon/worker.c | 17 +++
 libunbound/libworker.c | 26 +++++
 services/authzone.c | 2 -
 testdata/auth_zonefile.rpl | 2 +
 testdata/auth_zonefile_down.rpl | 185 ++++++++++++++++++++++++++++++++
 testdata/auth_zonefile_noup.rpl | 1 +
 6 files changed, 231 insertions(+), 2 deletions(-)
 create mode 100644 testdata/auth_zonefile_down.rpl
diff --git a/daemon/worker.c b/daemon/worker.c
index 233ae38e7..a382bbb89 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -58,6 +58,7 @@
 #include "services/cache/rrset.h"
 #include "services/cache/infra.h"
 #include "services/cache/dns.h"
+#include "services/authzone.h"
 #include "services/mesh.h"
 #include "services/localzone.h"
 #include "util/data/msgparse.h"
@@ -1251,6 +1252,22 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 server_stats_insrcode(&worker->stats, c->buffer);
 goto send_reply;
 }
+ if(worker->env.auth_zones &&
+ auth_zones_answer(worker->env.auth_zones, &worker->env,
+ &qinfo, &edns, c->buffer, worker->scratchpad)) {
+ regional_free_all(worker->scratchpad);
+ if(sldns_buffer_limit(c->buffer) == 0) {
+ comm_point_drop_reply(repinfo);
+ return 0;
+ }
+ /* set RA for everyone that can have recursion (based on
+ * access control list) */
+ if(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer)) &&
+ acl != acl_deny_non_local && acl != acl_refuse_non_local)
+ LDNS_RA_SET(sldns_buffer_begin(c->buffer));
+ server_stats_insrcode(&worker->stats, c->buffer);
+ goto send_reply;
+ }
 /* We've looked in our local zones. If the answer isn't there, we
 * might need to bail out based on ACLs now. */
diff --git a/libunbound/libworker.c b/libunbound/libworker.c
index c991d5df3..b7b233677 100644
--- a/libunbound/libworker.c
+++ b/libunbound/libworker.c
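Review bot: The new auth-zone branch is placed before the comment `We've looked in our local zones ... bail out based on ACLs now`, so clients that the ACL restricts to local data (`acl_deny_non_local` / `acl_refuse_non_local`) presumably receive downstream auth-zone answers as well; if that is the intended authorization scope, it deserves a comment at the top of the branch, e.g. `/* downstream auth zones are served like local data, i.e. before the non-local ACL bail-out */`. The branch also repeats the RA-setting and `server_stats_insrcode(); goto send_reply;` tail of the local-zone branch just above it (visible in the context lines), which is the part most likely to drift between the two sites. `regional_free_all(worker->scratchpad)` is reached only when the zone answered; if `auth_zones_answer()` can allocate from `temp` and still return 0, that memory stays until the scratchpad is cleared further down the function — worth confirming against authzone.c. worker_handle_request begins and ends outside this hunk.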
@@ -55,6 +55,7 @@
 #include "services/localzone.h"
 #include "services/cache/rrset.h"
 #include "services/outbound_list.h"
+#include "services/authzone.h"
 #include "util/fptr_wlist.h"
 #include "util/module.h"
 #include "util/regional.h"
@@ -604,6 +605,15 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
 free(qinfo.qname);
 return UB_NOERROR;
 }
+ if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
+ w->env, &qinfo, &edns, w->back->udp_buff, w->env->scratch)) {
+ regional_free_all(w->env->scratch);
+ libworker_fillup_fg(q, LDNS_RCODE_NOERROR,
+ w->back->udp_buff, sec_status_insecure, NULL);
+ libworker_delete(w);
+ free(qinfo.qname);
+ return UB_NOERROR;
+ }
 /* process new query */
 if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns,
 w->back->udp_buff, qid, libworker_fg_done_cb, q)) {
@@ -674,6 +684,14 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
 w->back->udp_buff, sec_status_insecure, NULL);
 return UB_NOERROR;
 }
+ if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
+ w->env, &qinfo, &edns, w->back->udp_buff, w->env->scratch)) {
+ regional_free_all(w->env->scratch);
+ free(qinfo.qname);
+ libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
+ w->back->udp_buff, sec_status_insecure, NULL);
+ return UB_NOERROR;
+ }
 /* process new query */
 if(async_id)
 *async_id = q->querynum;
@@ -795,6 +813,14 @@ handle_newq(struct libworker* w, uint8_t* buf, uint32_t len)
 free(qinfo.qname);
 return;
 }
+ if(w->ctx->env->auth_zones && auth_zones_answer(w->ctx->env->auth_zones,
+ w->env, &qinfo, &edns, w->back->udp_buff, w->env->scratch)) {
+ regional_free_all(w->env->scratch);
+ q->msg_security = sec_status_insecure;
+ add_bg_result(w, q, w->back->udp_buff, UB_NOERROR, NULL);
+ free(qinfo.qname);
+ return;
+ }
 q->w = w;
 /* process new query */
 if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns,
diff --git a/services/authzone.c b/services/authzone.c
index b2a9eadd3..406ed8190 100644
--- a/services/authzone.c
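Review bot: The same auth-zone lookup block is pasted into libworker_fg, libworker_attach_mesh and handle_newq (the second, third and fourth hunks), differing only in how the reply is delivered and torn down, and already in how the zones pointer is reached (`ctx->env->auth_zones` versus `w->ctx->env->auth_zones`); a small static helper that performs the lookup and the `regional_free_all(w->env->scratch)` would keep the three sites from drifting, with each site keeping only its own delivery calls. As in the local-zone branches above them, the answer is reported as `sec_status_insecure` without going through the validator, which is consistent for data served from a local zonefile but worth a one-line comment at the first site, e.g. `/* auth zone answers are served like local data: authoritative, not validated */`. `regional_free_all()` is only reached when the zone answered; whether a negative `auth_zones_answer()` can leave allocations in `w->env->scratch` for the later mesh path to clear is not visible in this diff. All three enclosing functions begin and end outside their hunks.
```c
/** Try to answer qinfo from the downstream auth zones az (may be NULL).
 * Returns 1 when the reply is in w->back->udp_buff and the scratch
 * region has been reset, 0 when the caller must continue normally. */
static int
libworker_auth_zones_answer(struct libworker* w, struct auth_zones* az,
	struct query_info* qinfo, struct edns_data* edns)
{
	if(!az || !auth_zones_answer(az, w->env, qinfo, edns,
		w->back->udp_buff, w->env->scratch))
		return 0;
	regional_free_all(w->env->scratch);
	return 1;
}

/* … unchanged: libworker_fg up to and including the local-zone check … */
	if(libworker_auth_zones_answer(w, ctx->env->auth_zones, &qinfo, &edns)) {
		libworker_fillup_fg(q, LDNS_RCODE_NOERROR,
			w->back->udp_buff, sec_status_insecure, NULL);
		libworker_delete(w);
		free(qinfo.qname);
		return UB_NOERROR;
	}
/* … unchanged: libworker_attach_mesh and handle_newq use the same helper
 * with their own delivery calls … */
```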
+++ b/services/authzone.c
@@ -3085,8 +3085,6 @@ int auth_zones_answer(struct auth_zones* az, struct module_env* env,
 struct query_info* qinfo, struct edns_data* edns, struct sldns_buffer* buf,
 struct regional* temp)
 {
- /* TODO: in handle after localzones, before cache, if az != NULL,
- * call this function to answer downstream */
 struct dns_msg* msg = NULL;
 struct auth_zone* z;
 int r;
diff --git a/testdata/auth_zonefile.rpl b/testdata/auth_zonefile.rpl
index 5ca6a5cc3..23c4efc60 100644
--- a/testdata/auth_zonefile.rpl
+++ b/testdata/auth_zonefile.rpl
@@ -13,9 +13,11 @@ auth-zone:
 ## url:
 ## queries from downstream clients get authoritative answers.
 ## for-downstream: yes
+ for-downstream: no
 ## queries are used to fetch authoritative answers from this zone,
 ## instead of unbound itself sending queries there.
 ## for-upstream: yes
+ for-upstream: yes
 ## on failures with for-upstream, fallback to sending queries to
 ## the authority servers
 ## fallback-enabled: no
diff --git a/testdata/auth_zonefile_down.rpl b/testdata/auth_zonefile_down.rpl
new file mode 100644
index 000000000..09e7fd061
--- /dev/null
+++ b/testdata/auth_zonefile_down.rpl
@@ -0,0 +1,185 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+
+auth-zone:
+ name: "example.com."
+ ## zonefile (or none).
+ ## zonefile: "example.com.zone"
+ ## master by IP address or hostname
+ ## can list multiple masters, each on one line.
+ ## master:
+ ## url for http fetch
+ ## url:
+ ## queries from downstream clients get authoritative answers.
+ ## for-downstream: yes
+ for-downstream: yes
+ ## queries are used to fetch authoritative answers from this zone,
+ ## instead of unbound itself sending queries there.
+ ## for-upstream: yes
+ for-upstream: no
+ ## on failures with for-upstream, fallback to sending queries to
+ ## the authority servers
+ ## fallback-enabled: no
+
+ ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
+ zonefile:
+TEMPFILE_NAME example.com
+ ## this is the inline file /tmp/xxx.example.com
+ ## the tempfiles are deleted when the testrun is over.
+TEMPFILE_CONTENTS example.com
+$ORIGIN com.
+example 3600 IN SOA dns.example.de. hostmaster.dns.example.de. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.example.com.
+ 3600 IN NS ns2.example.com.
+$ORIGIN example.com.
+www 3600 IN A 1.2.3.4
+mail 3600 IN A 1.2.3.5
+ 3600 IN AAAA ::5
+ns1 3600 IN A 1.2.3.4
+ns2 3600 IN AAAA ::2
+TEMPFILE_END
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test authority zone with zonefile for downstream responses
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ENTRY_END
+RANGE_END
+
+; ns.example.net.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.44
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+ns.example.net. IN A 1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.net. IN A
+SECTION ANSWER
+ns.example.net. IN A 1.2.3.44
+SECTION AUTHORITY
+example.net. IN NS ns.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.net. IN AAAA
+SECTION AUTHORITY
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+www.example.net. IN A 1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/auth_zonefile_noup.rpl b/testdata/auth_zonefile_noup.rpl
index a1bb2d6e0..da0dd7667 100644
--- a/testdata/auth_zonefile_noup.rpl
+++ b/testdata/auth_zonefile_noup.rpl
@@ -13,6 +13,7 @@ auth-zone:
 ## url:
 ## queries from downstream clients get authoritative answers.
 ## for-downstream: yes
+ for-downstream: no
 ## queries are used to fetch authoritative answers from this zone,
 ## instead of unbound itself sending queries there.
 ## for-upstream: yes
--
2.47.3