return ctx->state;
}
+ /* Avoid aggressive answers in STUB mode.
+ * As STUB mode doesn't validate, it wouldn't save the necessary records.
+ * Moreover, this special case avoids unintentional NXDOMAIN on grafted subtrees. */
+ if (qry->flags.STUB)
+ return ctx->state;
+
/**** 1b. otherwise, find the longest prefix zone/xNAME (with OK time+rank). [...] */
k->zname = qry->sname;
ret = kr_dname_lf(k->buf, k->zname, false); /* LATER(optim.): probably remove */
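Review bot: the new `if (qry->flags.STUB) return ctx->state;` early exit is now the only thing preventing aggressive (NSEC/NSEC3-based) negative answers for STUB-forwarded subtrees, since the documentation hunk in this same change drops the `NO_CACHE` workaround that used to cover that case; a regression test that resolves a name under a grafted subtree via `policy.STUB` after the positive records have expired from cache would make that guarantee explicit. The comment would also be clearer if it stated the consequence directly, e.g. "STUB never validates, so no NSEC/NSEC3 records are stored for it and synthesizing NXDOMAIN from the root's proofs would wrongly hide the grafted subtree", rather than only "it wouldn't save the necessary records". Consider placing the STUB check next to the preceding early return (the `return ctx->state;` just above) so all "skip section 1b" conditions are grouped in one place.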
instead of :func:`policy.FORWARD` to disable DNSSEC validation for those
*grafted* domains.
-Secondly, after disabling DNSSEC validation you have to solve another issue
-caused by grafting. For example, if you grafted your own top-level domain
-``example.`` onto the public DNS namespace, at some point the root server might
-send proof-of-nonexistence proving e.g. that there are no other top-level
-domain in between names ``events.`` and ``exchange.``, effectively proving
-non-existence of ``example.``.
-
-These proofs-of-nonexistence protect public DNS from spoofing but break
-*grafted* domains because proofs will be latter used by resolver
-(when the positive records for the grafted domain timeout from cache),
-effectively making grafted domain unavailable.
-The easiest work-around is to disable reading from cache for grafted domains.
-
.. code-block:: lua
:caption: Example configuration grafting domains onto public DNS namespace
-- validated anyway; in some of those cases adding 'NO_0X20' can also help,
-- though it also lowers defenses against off-path attacks on communication
-- between the two servers.
- policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_EDNS'}), extraTrees))
+ -- With kresd <= 5.5.3 you also needed 'NO_CACHE' flag to avoid unintentional
+ -- NXDOMAINs that could sometimes happen due to aggressive DNSSEC caching.
+ policy.add(policy.suffix(policy.FLAGS({'NO_EDNS'}), extraTrees))
policy.add(policy.suffix(policy.STUB({'2001:db8::1'}), extraTrees))
Response policy zones
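Review bot: the deleted paragraph ("Secondly, after disabling DNSSEC validation ...") was the only place in the docs that explained *why* grafted domains could become unavailable (a root-server proof-of-nonexistence covering the gap between ``events.`` and ``exchange.`` being reused later to deny ``example.``); the replacement comment "could sometimes happen due to aggressive DNSSEC caching" keeps the symptom but loses the mechanism, so readers on older versions or with other setups no longer learn what to look for. Suggest keeping a one-sentence version of that explanation in the prose above the code block, and noting in the code comment that the fix landed after 5.5.3 so the version condition "kresd <= 5.5.3" is unambiguous. Also, the `:caption:` line should be indented under `.. code-block:: lua` for reStructuredText to treat it as an option of the directive; if that is just how the extraction rendered it, ignore, otherwise the caption will be emitted as body text.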