flag from upstream servers.
- alloc_special_obtain out of memory is not a fatal error any more,
enabling unbound to continue longer in out of memory conditions.
+ - parentside names are dispreferred but not said to be dnssec-lame.
+ - parentside check for cached newname glue.
28 May 2010: Wouter
- iana portlist updated.
/** time when nameserver glue is said to be 'recent' */
#define SUSPICION_RECENT_EXPIRY 86400
/** penalty to validation failed blacklisted IPs */
-#define BLACKLIST_PENALTY (USEFUL_SERVER_TOP_TIMEOUT*3)
+#define BLACKLIST_PENALTY (USEFUL_SERVER_TOP_TIMEOUT*4)
/** fillup fetch policy array */
static void
* This value exactly is given for unresponsive blacklisted.
* USEFUL_SERVER_TOP_TIMEOUT+1
* For non-blacklisted servers: huge timeout, but has traffic.
- * USEFUL_SERVER_TOP_TIMEOUT ..
- * dnsseclame servers get penalty
- * also for parent-side lame servers (lame in delegpt).
+ * USEFUL_SERVER_TOP_TIMEOUT*1 ..
+ * parent-side lame servers get this penalty. A dispreferential
+ * server. (lame in delegpt).
* USEFUL_SERVER_TOP_TIMEOUT*2 ..
+ * dnsseclame servers get penalty
+ * USEFUL_SERVER_TOP_TIMEOUT*3 ..
* recursion lame servers get penalty
* UNKNOWN_SERVER_NICENESS
* If no information is known about the server, this is
* returned. 376 msec or so.
- * +BLACKLIST_PENALTY (of USEFUL_TOP_TIMEOUT*3) for dnssec failed IPs.
+ * +BLACKLIST_PENALTY (of USEFUL_TOP_TIMEOUT*4) for dnssec failed IPs.
*
* When a final value is chosen that is dnsseclame ; dnsseclameness checking
* is turned off (so we do not discard the reply).
lost >= USEFUL_SERVER_MAX_LOST)
/* server is unresponsive, but keep trying slowly */
return USEFUL_SERVER_TOP_TIMEOUT+1;
+ /* select remainder from worst to best */
+ else if(reclame)
+ return rtt+USEFUL_SERVER_TOP_TIMEOUT*3; /* nonpref */
+ else if(dnsseclame )
+ return rtt+USEFUL_SERVER_TOP_TIMEOUT*2; /* nonpref */
else if(a->lame)
return rtt+USEFUL_SERVER_TOP_TIMEOUT+1; /* nonpref */
else if(rtt >= USEFUL_SERVER_TOP_TIMEOUT) /* not blacklisted*/
- return USEFUL_SERVER_TOP_TIMEOUT+1;
- else if(reclame)
- return rtt+USEFUL_SERVER_TOP_TIMEOUT*2; /* nonpref */
- else if(dnsseclame )
- return rtt+USEFUL_SERVER_TOP_TIMEOUT; /* nonpref */
+ return USEFUL_SERVER_TOP_TIMEOUT+1;
else return rtt;
}
/* no server information present */
if(a->lame)
- return USEFUL_SERVER_TOP_TIMEOUT+1; /* nonpref */
+ return USEFUL_SERVER_TOP_TIMEOUT+1+UNKNOWN_SERVER_NICENESS; /* nonpref */
return UNKNOWN_SERVER_NICENESS;
}
return NULL;
verbose(VERB_ALGO, "selrtt %d", selrtt);
if(selrtt > BLACKLIST_PENALTY) {
- if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT*2) {
+ if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT*3) {
verbose(VERB_ALGO, "chase to "
"blacklisted recursion lame server");
*chase_to_rd = 1;
}
- if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT) {
+ if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT*2) {
verbose(VERB_ALGO, "chase to "
"blacklisted dnssec lame server");
*dnssec_lame = 1;
}
} else {
- if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) {
+ if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*3) {
verbose(VERB_ALGO, "chase to recursion lame server");
*chase_to_rd = 1;
}
- if(selrtt > USEFUL_SERVER_TOP_TIMEOUT) {
+ if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) {
verbose(VERB_ALGO, "chase to dnssec lame server");
*dnssec_lame = 1;
}
return next_state(iq, INIT_REQUEST_STATE);
}
}
+ /* see if that makes new names available */
+ if(!cache_fill_missing(qstate->env, iq->qchase.qclass,
+ qstate->region, iq->dp))
+ log_err("out of memory in cache_fill_missing");
+ if(iq->dp->usable_list) {
+ verbose(VERB_ALGO, "try parent-side-name, w. glue from cache");
+ return next_state(iq, QUERYTARGETS_STATE);
+ }
/* try to fill out parent glue from cache */
if(iter_lookup_parent_glue_from_cache(qstate->env, iq->dp,
qstate->region, &qstate->qinfo)) {
--- /dev/null
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test resolution with parent child differ in names.
+; the parent has an extra name that is the only working one.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN NS
+SECTION AUTHORITY
+net. IN NS e.gtld-servers.net.
+SECTION ADDITIONAL
+e.gtld-servers.net. IN A 192.12.94.30
+ENTRY_END
+
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. IN NS ns.example.net.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.55
+ENTRY_END
+RANGE_END
+
+; e.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.12.94.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN NS
+SECTION ANSWER
+net. IN NS e.gtld-servers.net.
+SECTION ADDITIONAL
+e.gtld-servers.net. IN A 192.12.94.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION AUTHORITY
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+ns.example.net. IN A 1.2.3.44
+ENTRY_END
+
+RANGE_END
+
+; ns.example.net.
+; the working version.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.44
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+ns.example.net. IN A 1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.example.net. IN A
+SECTION ANSWER
+ns.example.net. IN A 1.2.3.44
+SECTION AUTHORITY
+example.net. IN NS ns.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.example.net. IN AAAA
+SECTION AUTHORITY
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+ns.example.net. IN A 1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com. IN A 1.2.3.55
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.55
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.55
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.55
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+mail.example.com. IN A
+SECTION ANSWER
+mail.example.com. IN A 10.20.30.20
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.55
+ENTRY_END
+RANGE_END
+
+; ns.example.net
+; Broken. Does not respond to anything (servfail instead
+; of timeouts since this is easier to encode in .rpl file format).
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.55
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR SERVFAIL
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.55
+ENTRY_END
+
+; now that the bad child NS record is in cache, ask something else.
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+mail.example.com. IN A
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+mail.example.com. IN A
+SECTION ANSWER
+mail.example.com. IN A 10.20.30.20
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.55
+ENTRY_END
+
+SCENARIO_END
projects / thirdparty / unbound.git / commitdiff
