Fix validation of qtype ANY responses with CNAMEs (thanks Cathy Zhang and Luo Ce).

git-svn-id: file:///svn/unbound/trunk@2477 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index 2cfd137fb9ed2e880143573b9cda4da3b6260ab8..676eb4d587f08c9d17a9e90f9de0155d843665ee 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,11 @@
+22 August 2011: Wouter
+       - Fix validation of qtype ANY responses with CNAMEs (thanks Cathy
+         Zhang and Luo Ce).  Unbound responds with the RR types that are
+         available at the name for qtype ANY and validates those RR types.
+         It does not test for completeness (i.e. with NSEC or NSEC3 query),
+         and it does not follow the CNAME or DNAME to another name (with
+         even more data for the already large response).
+
 18 August 2011: Wouter
        - fix autoconf call in makedist crosscompile to RC or snapshot.
 

diff --git a/iterator/iter_resptype.c b/iterator/iter_resptype.c
index a41ee55aec47dd00dcfe4c7e78c68289a14bfc40..3137411743fb052cfd332852dc998b9c4af19e61 100644 (file)
--- a/iterator/iter_resptype.c
+++ b/iterator/iter_resptype.c
@@ -54,6 +54,8 @@ response_type_from_cache(struct dns_msg* msg,
        /* If the message is NXDOMAIN, then it is an ANSWER. */
        if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_NXDOMAIN)
                return RESPONSE_TYPE_ANSWER;
+       if(request->qtype == LDNS_RR_TYPE_ANY)
+               return RESPONSE_TYPE_ANSWER;
        
        /* First we look at the answer section. This can tell us if this is
         * CNAME or positive ANSWER. */
@@ -179,6 +181,9 @@ response_type_from_server(int rdset,
                                get_cname_target(s, &mname, &mname_len);
                        }
                }
+               /* not a referral, and qtype any, thus an answer */
+               if(request->qtype == LDNS_RR_TYPE_ANY)
+                       return RESPONSE_TYPE_ANSWER;
                /* if we encountered a CNAME (or a bunch of CNAMEs), and 
                 * still got to here, then it is a CNAME response. 
                 * (This is regardless of the AA bit at this point) */

diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index af4192267ae93d64c99e619d246cc861443c7148..b6cc16ce6162768741525de80550925646413b43 100644 (file)
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -405,10 +405,21 @@ scrub_normalize(ldns_buffer* pkt, struct msg_parse* msg,
 
                /* Follow the CNAME chain. */
                if(rrset->type == LDNS_RR_TYPE_CNAME) {
+                       uint8_t* oldsname = sname;
                        if(!parse_get_cname_target(rrset, &sname, &snamelen))
                                return 0;
                        prev = rrset;
                        rrset = rrset->rrset_all_next;
+                       /* in CNAME ANY response, can have data after CNAME */
+                       if(qinfo->qtype == LDNS_RR_TYPE_ANY) {
+                               while(rrset && rrset->section ==
+                                       LDNS_SECTION_ANSWER &&
+                                       dname_pkt_compare(pkt, oldsname,
+                                       rrset->dname) == 0) {
+                                       prev = rrset;
+                                       rrset = rrset->rrset_all_next;
+                               }
+                       }
                        /* internally we have CNAME'd/DNAME'd chains ending
                         * in nxdomain with NOERROR rcode, change rcode
                         * to reflect this (if needed) */

diff --git a/testdata/val_any_cname.rpl b/testdata/val_any_cname.rpl
new file mode 100644 (file)
index 0000000..925bc92
--- /dev/null
+++ b/testdata/val_any_cname.rpl
@@ -0,0 +1,161 @@
+; config options
+; The island of trust is at example.com
+server:
+       trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+       val-override-date: "20070916134226"
+       target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+       name: "."
+       stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with response to qtype ANY that includes CNAME
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+       ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS        K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.    IN      A       193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN ANY
+SECTION AUTHORITY
+com.   IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.    IN      A       192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+       ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN ANY
+SECTION AUTHORITY
+example.com.   IN NS   ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.                IN      A       1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+       ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.    IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.         IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+SECTION AUTHORITY
+example.com.   IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.                IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN ANY
+SECTION ANSWER
+www.example.com.       3600    IN      CNAME   serf.example.com.
+www.example.com.       3600    IN      RRSIG   CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AH/qSA7et6tXS08u4UUsWmXbIedGFpBKhiCqqVAgV8Z95dgn/vrB5ag= ;{id = 2854}
+www.example.com.       18000   IN      NSEC    example.com. CNAME RRSIG NSEC 
+www.example.com.       18000   IN      RRSIG   NSEC 3 3 18000 20070926134150 20070829134150 2854 example.com. ACqeCl/aLq90zkeSfneQY+HnvJTUAeyTF03HWdXr3WhnYzupKAdnuQ4= ;{id = 2854}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+serf.example.com. IN ANY
+SECTION ANSWER
+serf.example.com.      3600    IN      A       192.0.2.1
+serf.example.com.      3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. AGLOiUcDNkSCplT07hT8szlUfMHNfPh6/104ydBt4bJ6UcfXUiM3pV8= ;{id = 2854}
+serf.example.com.      18000   IN      NSEC    www.example.com. A RRSIG NSEC 
+serf.example.com.      18000   IN      RRSIG   NSEC 3 3 18000 20070926134150 20070829134150 2854 example.com. AEBNiqg7Uz+NfNvoyA4KjkqJPb7hrjyS7oPE2MGNgVwUgQrcRIxd7DA= ;{id = 2854}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+MATCH TCP
+REPLY RD DO
+SECTION QUESTION
+www.example.com. IN ANY
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+www.example.com. IN ANY
+SECTION ANSWER
+www.example.com.       3600    IN      CNAME   serf.example.com.
+www.example.com.       3600    IN      RRSIG   CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AH/qSA7et6tXS08u4UUsWmXbIedGFpBKhiCqqVAgV8Z95dgn/vrB5ag= ;{id = 2854}
+www.example.com.       18000   IN      NSEC    example.com. CNAME RRSIG NSEC 
+www.example.com.       18000   IN      RRSIG   NSEC 3 3 18000 20070926134150 20070829134150 2854 example.com. ACqeCl/aLq90zkeSfneQY+HnvJTUAeyTF03HWdXr3WhnYzupKAdnuQ4= ;{id = 2854}
+ENTRY_END
+
+SCENARIO_END