- Fix 'unbound-control flush_negative' when reporting removed data;
authorYorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Sun, 16 Mar 2025 08:01:03 +0000 (09:01 +0100)
committerYorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Sun, 16 Mar 2025 08:02:20 +0000 (09:02 +0100)
  reported by David 'eqvinox' Lamparter.

daemon/remote.c
doc/Changelog
testdata/09-unbound-control.tdir/09-unbound-control.conf
testdata/09-unbound-control.tdir/09-unbound-control.test
testdata/09-unbound-control.tdir/09-unbound-control.testns

index abba0f4052b9a684ce9d26c673c8eb1df508aa73..3d683afd1ba33a416f9476493d0be0784eae2d8f 100644 (file)
@@ -1950,7 +1950,7 @@ bogus_del_rrset(struct lruhash_entry* e, void* arg)
        /* entry is locked */
        struct del_info* inf = (struct del_info*)arg;
        struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
-       if(d->security == sec_status_bogus) {
+       if(d->security == sec_status_bogus && d->ttl > inf->expired) {
                d->ttl = inf->expired;
                inf->num_rrsets++;
        }
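Review bot: The added `d->ttl > inf->expired` test in bogus_del_rrset carries no comment explaining why an entry that matches the flush criterion is now left alone. The same bare test is repeated in bogus_del_msg, bogus_del_kcache, negative_del_rrset, negative_del_msg and negative_del_kcache. A one-line comment above the condition would record the intent, e.g. `/* skip entries that are already expired, so a repeated flush does not count them as removed again */`. With six callbacks sharing the predicate, a small static helper would keep them from drifting apart. The end of the function lies outside the hunk.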
@@ -1963,7 +1963,7 @@ bogus_del_msg(struct lruhash_entry* e, void* arg)
        /* entry is locked */
        struct del_info* inf = (struct del_info*)arg;
        struct reply_info* d = (struct reply_info*)e->data;
-       if(d->security == sec_status_bogus) {
+       if(d->security == sec_status_bogus && d->ttl > inf->expired) {
                d->ttl = inf->expired;
                d->prefetch_ttl = inf->expired;
                d->serve_expired_ttl = inf->expired;
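Review bot: The new guard in bogus_del_msg tests only `d->ttl`, yet the body also resets `d->prefetch_ttl` and `d->serve_expired_ttl`. If a message can have a `ttl` at or below `inf->expired` while its `serve_expired_ttl` is still later (not visible here, presumably the serve-expired case), the flush now skips it, whereas before this change its `serve_expired_ttl` was reset. A bogus answer could then stay eligible to be served stale after an operator has flushed. Consider `if(d->security == sec_status_bogus && (d->ttl > inf->expired || d->serve_expired_ttl > inf->expired)) {`, which still counts each entry only once; the same applies to the negative_del_msg hunk. The rest of the function body lies outside the hunk.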
@@ -1983,7 +1983,7 @@ bogus_del_kcache(struct lruhash_entry* e, void* arg)
        /* entry is locked */
        struct del_info* inf = (struct del_info*)arg;
        struct key_entry_data* d = (struct key_entry_data*)e->data;
-       if(d->isbad) {
+       if(d->isbad && d->ttl > inf->expired) {
                d->ttl = inf->expired;
                inf->num_keys++;
        }
@@ -2032,7 +2032,8 @@ negative_del_rrset(struct lruhash_entry* e, void* arg)
        /* delete the parentside negative cache rrsets,
         * these are nameserver rrsets that failed lookup, rdata empty */
        if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 &&
-               d->rrsig_count == 0 && d->rr_len[0] == 0) {
+               d->rrsig_count == 0 && d->rr_len[0] == 0 &&
+               d->ttl > inf->expired) {
                d->ttl = inf->expired;
                inf->num_rrsets++;
        }
@@ -2047,7 +2048,8 @@ negative_del_msg(struct lruhash_entry* e, void* arg)
        struct reply_info* d = (struct reply_info*)e->data;
        /* rcode not NOERROR: NXDOMAIN, SERVFAIL, ..: an nxdomain or error
         * or NOERROR rcode with ANCOUNT==0: a NODATA answer */
-       if(FLAGS_GET_RCODE(d->flags) != 0 || d->an_numrrsets == 0) {
+       if((FLAGS_GET_RCODE(d->flags) != 0 || d->an_numrrsets == 0) &&
+               d->ttl > inf->expired) {
                d->ttl = inf->expired;
                d->prefetch_ttl = inf->expired;
                d->serve_expired_ttl = inf->expired;
@@ -2069,7 +2071,7 @@ negative_del_kcache(struct lruhash_entry* e, void* arg)
        struct key_entry_data* d = (struct key_entry_data*)e->data;
        /* could be bad because of lookup failure on the DS, DNSKEY, which
         * was nxdomain or servfail, and thus a result of negative lookups */
-       if(d->isbad) {
+       if(d->isbad && d->ttl > inf->expired) {
                d->ttl = inf->expired;
                inf->num_keys++;
        }
index d2ec4159079b9e7b1b8e05497c2fc30d6b40cbe1..bff18592a7c30f4fb02df80bf8731c0a6568b5c7 100644 (file)
@@ -1,3 +1,7 @@
+16 March 2025: Yorgos
+       - Fix 'unbound-control flush_negative' when reporting removed data;
+         reported by David 'eqvinox' Lamparter.
+
 28 February 2025: Wouter
        - Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
          Add --help output description for the SOURCE_DATE_EPOCH variable.
index 719e92309513bdb39259f7ba5d269538d354fc79..be65336eaf5e4218ba54c89041787cde663538bd 100644 (file)
@@ -13,6 +13,7 @@ server:
        msg-cache-size: 4m
        rrset-cache-size: 4m
        minimal-responses: yes
+       trust-anchor: "always.empty.    3600    IN      DS       50602 8 2 FA8EE175C47325F4BD46D8A4083C3EBEB11C977D689069F2B41F1A29 B22446B1"  # This is nonsense, just to kick the validator
 view:
        name: testview
        view-first: yes  # Allow falling back to global local data
index 8bd2220f34299dde7483e1efb3baca325f9e03d0..80f64c978196bf5eaf07ded6f677b70c74ca9593 100644 (file)
@@ -249,6 +249,18 @@ expect_exit_value 1
 teststep "clean reload"
 clean_reload
 
+teststep "Check negative flushing"
+query always.empty.
+expect_answer "SERVFAIL"
+query always.empty. DNSKEY
+expect_answer "SERVFAIL"
+control_command -c ub.conf flush_negative
+expect_exit_value 0
+expect_answer "^ok removed .*, 2 messages and 1 key"
+control_command -c ub.conf flush_negative
+expect_exit_value 0
+expect_answer "^ok removed .*, 0 messages and 0 key"
+
 teststep "create a new local zone"
 control_command -c ub.conf local_zone example.net static
 expect_exit_value 0
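Review bot: Both new `expect_answer` patterns use `.*` for the rrset count, so the changed condition in negative_del_rrset is not checked by this step. The three bogus_del_* callbacks changed in daemon/remote.c are not exercised at all. For the second flush the rrset count could be pinned as well, e.g. `expect_answer "^ok removed 0 rrsets, 0 messages and 0 key"`, assuming the reply names rrsets first, which the hunk does not show. A matching pair of `flush_bogus` steps would cover the other callbacks if the test data yields bogus entries.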
index 9a5192fabc4f215d9d88a17bf38841cc30815ba2..44466b4da613b3a32629046923b8eb1aa5ab7542 100644 (file)
@@ -1,5 +1,4 @@
 ; nameserver test file
-$ORIGIN example.com.
 $TTL 3600
 
 ENTRY_BEGIN
@@ -7,9 +6,9 @@ MATCH opcode qtype qname
 REPLY QR AA NOERROR
 ADJUST copy_id
 SECTION QUESTION
-www    IN      A
+www.example.com.       IN      A
 SECTION ANSWER
-www    IN      A       10.20.30.40
+www.example.com.       IN      A       10.20.30.40
 ENTRY_END
 
 ENTRY_BEGIN
@@ -19,3 +18,19 @@ ADJUST copy_id
 SECTION QUESTION
 www.example.net.       IN      A
 ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+always.empty.  IN      A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+always.empty.  IN      DNSKEY
+ENTRY_END