listen-on-v6 { none; };
allow-transfer { any; };
minimal-any no;
- minimal-responses no;
+ minimal-responses yes;
recursion no;
notify yes;
dnssec-validation yes;
assert res.authority[0].rdtype == rdatatype.SOA
-def test_insecure_glue():
- # check that for a query against a validating resolver where the
- # authoritative zone is unsigned (insecure delegation), glue is returned
- # in the additional section
- msg = isctest.query.create("a.insecure.example", "A")
- res = isctest.query.tcp(msg, "10.53.0.4")
- isctest.check.noerror(res)
- isctest.check.rr_count_eq(res.answer, 1)
- isctest.check.rr_count_eq(res.authority, 1)
- isctest.check.rr_count_eq(res.additional, 1)
- assert str(res.additional[0].name) == "ns3.insecure.example."
- addrs = [str(a) for a in res.additional[0]]
- assert "10.53.0.3" in addrs
-
-
def test_adflag():
# compare auth and recursive answers
msg = isctest.query.create("a.example", "A", dnssec=False)
isctest.check.same_answer(res1, res2)
isctest.check.noerror(res2)
isctest.check.adflag(res2)
- isctest.check.rr_count_eq(res2.authority, 4)
+ isctest.check.rr_count_eq(res2.authority, 2)
# unknown NSEC3 hash algorithm
msg = isctest.query.create("nsec3-unknown.example", "SOA", dnssec=False)
msg = isctest.query.create("wild.a.too-many-iterations", "A")
res1 = isctest.query.tcp(msg, "10.53.0.2")
res2 = isctest.query.tcp(msg, "10.53.0.4")
- isctest.check.same_data(res1, res2)
+ isctest.check.section_equal(res1.answer, res2.answer)
isctest.check.noadflag(res2)
isctest.check.rr_count_eq(res2.answer, 2)
- isctest.check.rr_count_eq(res2.authority, 4)
+ isctest.check.rr_count_eq(res2.authority, 2)
a, _ = res2.answer
assert str(a.name) == "wild.a.too-many-iterations."
assert str(a[0]) == "10.0.0.3"
msg = isctest.query.create("insecure.example", "DS", cd=True)
res = isctest.query.tcp(msg, "10.53.0.4")
isctest.check.noerror(res)
+ isctest.check.rr_count_eq(res.answer, 0)
isctest.check.rr_count_eq(res.authority, 4)
msg = isctest.query.create("a.insecure.example", "A")
res = isctest.query.tcp(msg, "10.53.0.4")
isctest.check.noerror(res)
isctest.check.rr_count_eq(res.answer, 1)
- isctest.check.rr_count_eq(res.authority, 1)
+ isctest.check.rr_count_eq(res.authority, 0)
isctest.check.noadflag(res)
# information regarding copyright ownership.
-from dns.edns import EDECode
-
+# from dns.edns import EDECode
import pytest
from isctest.util import param
res1 = isctest.query.tcp(msg, "10.53.0.3")
res2 = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.noerror(res1)
- isctest.check.ede(res2, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
+ # This EDE code should be added by the validator, but currently it isn't.
+ # See issue #5832
+ # isctest.check.ede(res2, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
isctest.check.noerror(res2)
isctest.check.noadflag(res2)
res1 = isctest.query.tcp(msg, "10.53.0.3")
res2 = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.noerror(res1)
- isctest.check.ede(res2, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
+ # This EDE code should be added by the validator, but currently it isn't.
+ # See issue #5832
+ # isctest.check.ede(res2, EDECode.UNSUPPORTED_DNSKEY_ALGORITHM)
+ print(res2)
isctest.check.noerror(res2)
isctest.check.noadflag(res2)
hex=$($DNSTAPREAD -x ns3/dnstap.out | tail -1)
echo $hex | $WIRETEST >dnstap.hex
grep 'status: NOERROR' dnstap.hex >/dev/null 2>&1 || ret=1
-grep 'ANSWER: 3, AUTHORITY: 1' dnstap.hex >/dev/null 2>&1 || ret=1
+grep 'ANSWER: 3, AUTHORITY: 0' dnstap.hex >/dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
isctest.log.debug(
f"check that {qtype} is omitted from additional section, qtype=MX, unsigned"
)
- check_additional(addr, addr, "unsigned", "mx", ftype, False, 2)
+ if recursive:
+ check_additional(addr, addr, "unsigned", "mx", ftype, False, 1)
+ else:
+ check_additional(addr, addr, "unsigned", "mx", ftype, False, 2)
isctest.log.debug(
f"check that {qtype} is included in additional section, qtype=MX, signed, unless break-dnssec is enabled"
)
- if break_dnssec:
+ if recursive and break_dnssec:
+ check_additional(addr, addr, "signed", "mx", ftype, False, 2)
+ elif recursive:
+ check_additional(addr, addr, "signed", "mx", ftype, True, 4)
+ elif break_dnssec:
check_additional(addr, addr, "signed", "mx", ftype, False, 4)
else:
check_additional(addr, addr, "signed", "mx", ftype, True, 8)
-def check_filter_other_family(addr, ftype):
+def check_filter_other_family(addr, ftype, recursive):
isctest.log.debug(
"check that the filtered type is returned when both AAAA and A record exists, unsigned, over other family"
)
isctest.log.debug(
"check that the filtered type is included in additional section, qtype=MX, unsigned, over other family"
)
- check_additional(addr, addr, "unsigned", "mx", ftype, True, 4)
+ if recursive:
+ check_additional(addr, addr, "unsigned", "mx", ftype, True, 2)
+ else:
+ check_additional(addr, addr, "unsigned", "mx", ftype, True, 4)
@isctest.mark.with_ipv6
@pytest.mark.parametrize(
- "addr",
+ "addr, recursive",
[
- pytest.param("fd92:7065:b8e:ffff::1", id="auth"),
- pytest.param("fd92:7065:b8e:ffff::4", id="auth-break-dnssec"),
- pytest.param("fd92:7065:b8e:ffff::2", id="recurs"),
- pytest.param("fd92:7065:b8e:ffff::3", id="recurs-break-dnssec"),
+ pytest.param("fd92:7065:b8e:ffff::1", False, id="auth"),
+ pytest.param("fd92:7065:b8e:ffff::4", False, id="auth-break-dnssec"),
+ pytest.param("fd92:7065:b8e:ffff::2", True, id="recurs"),
+ pytest.param("fd92:7065:b8e:ffff::3", True, id="recurs-break-dnssec"),
],
)
-def test_filter_a_on_v4_via_v6(addr):
- check_filter_other_family(addr, "a")
+def test_filter_a_on_v4_via_v6(addr, recursive):
+ check_filter_other_family(addr, "a", recursive)
@pytest.mark.parametrize(
- "addr",
+ "addr, recursive",
[
- pytest.param("10.53.0.1", id="auth"),
- pytest.param("10.53.0.4", id="auth-break-dnssec"),
- pytest.param("10.53.0.2", id="recurs"),
- pytest.param("10.53.0.3", id="recurs-break-dnssec"),
+ pytest.param("10.53.0.1", False, id="auth"),
+ pytest.param("10.53.0.4", False, id="auth-break-dnssec"),
+ pytest.param("10.53.0.2", True, id="recurs"),
+ pytest.param("10.53.0.3", True, id="recurs-break-dnssec"),
],
)
-def test_filter_a_on_v6_via_v4(addr):
- check_filter_other_family(addr, "a")
+def test_filter_a_on_v6_via_v4(addr, recursive):
+ check_filter_other_family(addr, "a", recursive)
@isctest.mark.with_ipv6
@pytest.mark.parametrize(
- "addr",
+ "addr, recursive",
[
- pytest.param("fd92:7065:b8e:ffff::1", id="auth"),
- pytest.param("fd92:7065:b8e:ffff::4", id="auth-break-dnssec"),
- pytest.param("fd92:7065:b8e:ffff::2", id="recurs"),
- pytest.param("fd92:7065:b8e:ffff::3", id="recurs-break-dnssec"),
+ pytest.param("fd92:7065:b8e:ffff::1", False, id="auth"),
+ pytest.param("fd92:7065:b8e:ffff::4", False, id="auth-break-dnssec"),
+ pytest.param("fd92:7065:b8e:ffff::2", True, id="recurs"),
+ pytest.param("fd92:7065:b8e:ffff::3", True, id="recurs-break-dnssec"),
],
)
-def test_filter_aaaa_on_v4_via_v6(addr):
- check_filter_other_family(addr, "aaaa")
+def test_filter_aaaa_on_v4_via_v6(addr, recursive):
+ check_filter_other_family(addr, "aaaa", recursive)
@isctest.mark.with_ipv6
@pytest.mark.parametrize(
- "addr",
+ "addr, recursive",
[
- pytest.param("10.53.0.1", id="auth"),
- pytest.param("10.53.0.4", id="auth-break-dnssec"),
- pytest.param("10.53.0.2", id="recurs"),
- pytest.param("10.53.0.3", id="recurs-break-dnssec"),
+ pytest.param("10.53.0.1", False, id="auth"),
+ pytest.param("10.53.0.4", False, id="auth-break-dnssec"),
+ pytest.param("10.53.0.2", True, id="recurs"),
+ pytest.param("10.53.0.3", True, id="recurs-break-dnssec"),
],
)
-def test_filter_aaaa_on_v6_via_v4(addr):
- check_filter_other_family(addr, "aaaa")
+def test_filter_aaaa_on_v6_via_v4(addr, recursive):
+ check_filter_other_family(addr, "aaaa", recursive)
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
-n=$((n + 1))
-echo_i "checking static-stub synthesised NS is not returned ($n)"
-ret=0
-$DIG $DIGOPTS unsigned. @10.53.0.2 ns >dig.out.ns2.ns.test$n || ret=1
-sleep 2
-$DIG $DIGOPTS data.unsigned @10.53.0.2 txt >dig.out.ns2.txt1.test$n || ret=1
-sleep 4
-$DIG $DIGOPTS data.unsigned @10.53.0.2 txt >dig.out.ns2.txt2.test$n || ret=1
-grep "status: NOERROR" dig.out.ns2.ns.test$n >/dev/null || ret=1
-grep "status: NOERROR" dig.out.ns2.txt1.test$n >/dev/null || ret=1
-# NS RRset from zone is returned
-grep '^unsigned\..*NS.ns\.unsigned\.$' dig.out.ns2.txt1.test$n >/dev/null || ret=1
-grep '^unsigned\..*NS.unsigned\.$' dig.out.ns2.txt1.test$n >/dev/null && ret=1
-# NS expired and synthesised response is not returned
-grep "status: NOERROR" dig.out.ns2.txt2.test$n >/dev/null || ret=1
-grep '^unsigned\..*NS.ns\.unsigned\.$' dig.out.ns2.txt2.test$n >/dev/null && ret=1
-grep '^unsigned\..*NS.unsigned\.$' dig.out.ns2.txt2.test$n >/dev/null && ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
:any:`minimal-responses` takes one of four values:
- ``no``: the server is as complete as possible when generating
- responses.
+ responses from authoritative zones. (Authority records are not
+ added when answering from the cache.)
- ``yes``: the server only adds records to the authority and additional
sections when such records are required by the DNS protocol (for
example, when returning delegations or negative responses). This
provides the best server performance but may result in more client
queries.
- - ``no-auth``: the server omits records from the authority section except
- when they are required, but it may still add records to the
- additional section.
- - ``no-auth-recursive``: the same as ``no-auth`` when recursion is requested
+ - ``no-auth``: is a deprecated alias of ``yes``.
+ - ``no-auth-recursive``: the same as ``yes`` when recursion is requested
in the query (RD=1), or the same as ``no`` if recursion is not requested.
- ``no-auth`` and ``no-auth-recursive`` are useful when answering stub
- clients, which usually ignore the authority section.
- ``no-auth-recursive`` is meant for use in mixed-mode servers that
+ ``no-auth-recursive`` is useful when answering stub clients, which usually
+ ignore the authority section. It is meant for use in mixed-mode servers that
handle both authoritative and recursive queries.
The default is ``no-auth-recursive``.
dns_name_t *fname = NULL, *zfname = NULL;
dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
dns_rdataset_t *zrdataset = NULL, *zsigrdataset = NULL;
- bool is_zone = false, use_zone = false;
+ bool is_zone = false;
isc_buffer_t *dbuf = NULL;
isc_result_t result;
dns_dbversion_t *version = NULL;
is_zone = false;
goto db_find;
}
- } else {
- result = dns_db_findzonecut(db, client->query.qname,
- client->query.dboptions,
- client->inner.now, &node, fname,
- NULL, rdataset, sigrdataset);
- if (result == ISC_R_SUCCESS) {
- if (zfname != NULL &&
- !dns_name_issubdomain(fname, zfname))
- {
- /*
- * We found a zonecut in the cache, but our
- * zone delegation is better.
- */
- use_zone = true;
- }
- } else if (result == ISC_R_NOTFOUND && zfname != NULL) {
- /*
- * We didn't find anything in the cache, but we
- * have a zone delegation, so use it.
- */
- use_zone = true;
- } else {
- goto cleanup;
- }
- }
-
- if (use_zone) {
+ } else if (zfname != NULL) {
ns_client_releasename(client, &fname);
/*
* We've already done ns_client_keepname() on
fname = MOVE_OWNERSHIP(zfname);
rdataset = MOVE_OWNERSHIP(zrdataset);
sigrdataset = MOVE_OWNERSHIP(zsigrdataset);
+ } else {
+ goto cleanup;
}
/*
projects / thirdparty / bind9.git / commitdiff
