remove unneeded options in dns_zonefetch
authorEvan Hunt <each@isc.org>
Fri, 17 Apr 2026 02:40:40 +0000 (19:40 -0700)
committerEvan Hunt <each@isc.org>
Wed, 22 Apr 2026 10:58:43 +0000 (10:58 +0000)
In the dns_zonefetch mechanism, some option flags for
dns_resolver_createfetch() were used for all fetches, but
were actually only needed by the DNSKEY refresh fetches.

(Specifically, these options were DNS_FETCHOPT_UNSHARED
and DNS_FETCHOPT_NOCACHED, which were used along with
DNS_FETCHOPT_NOVALIDATE to ensure we get a new copy of
the DNSKEY as it is currently published by the authority,
without prior validation.  Those conditions are needed
for RFC 5011 trust anchor maintenance, but not when looking
up parent-NS or DSYNC RRsets.)

lib/dns/zone.c
lib/dns/zonefetch.c

index 8fecf876516352a73093a9feac5b00dcd436187b..e5254dd710305aa6eca9bfe83b6aa899968d6a9a 100644 (file)
@@ -9763,6 +9763,24 @@ zone_refreshkeys(dns_zone_t *zone) {
                        dns_zonefetch_t *fetch = NULL;
                        dns_keyfetch_t *kfetch = NULL;
 
+                       /*
+                        * This is a special query for RFC5011 maintenance
+                        * of a trust anchor. We will be validating it
+                        * in keyfetch_done() against a previously-known
+                        * trust anchor; we do not want the normal
+                        * validation process to occur.  We set
+                        * DNS_FETCHOPT_NOVALIDATE to suppress validation
+                        * in the resolver, and DNS_FETCHOPT_UNSHARED so
+                        * this fetch isn't combined with another one that
+                        * might be validating.
+                        *
+                        * We must also use DNS_FETCHOPT_NOCACHED, because
+                        * if it was not set and the cache still held a
+                        * non-expired, validated version of the DNSKEY,
+                        * then we'd receive the old, cached version
+                        * instead of the new response - the old version
+                        * would have a higher trust level.
+                        */
                        fetch = isc_mem_get(zone->mctx,
                                            sizeof(dns_zonefetch_t));
                        *fetch = (dns_zonefetch_t){
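Review bot: The new comment now carries the whole requirement that the RFC 5011 DNSKEY fetch set DNS_FETCHOPT_NOVALIDATE, DNS_FETCHOPT_UNSHARED and DNS_FETCHOPT_NOCACHED, while the runtime check that used to enforce at least NOCACHED, `INSIST((fetch->options & DNS_FETCHOPT_NOCACHED) != 0);` in dns_zonefetch_run(), is removed by this same commit. If one of the three flags is dropped in a later change, a cached, resolver-validated DNSKEY could be handed to keyfetch_done() in place of the fresh authoritative copy, and a comment will not catch that. Consider keeping the check where the key fetch is built, e.g. `INSIST((fetch->options & (DNS_FETCHOPT_NOVALIDATE | DNS_FETCHOPT_UNSHARED | DNS_FETCHOPT_NOCACHED)) == (DNS_FETCHOPT_NOVALIDATE | DNS_FETCHOPT_UNSHARED | DNS_FETCHOPT_NOCACHED));` immediately after the initializer. zone_refreshkeys() starts before the hunk and the initializer that actually sets these options continues past its end, so the flags themselves are not visible here.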
@@ -17855,8 +17873,6 @@ zone_checkds(dns_zone_t *zone) {
                fetch = isc_mem_get(zone->mctx, sizeof(dns_zonefetch_t));
                *fetch = (dns_zonefetch_t){
                        .zone = zone,
-                       .options = DNS_FETCHOPT_UNSHARED |
-                                  DNS_FETCHOPT_NOCACHED,
                        .fetchtype = ZONEFETCHTYPE_NS,
                        .fetchmethods =
                                (dns_zonefetch_methods_t){
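Review bot: With `.options` dropped from the designated initializer the field is zero-initialized, which silently encodes the decision that the parent-NS fetch may be joined with other in-flight fetches, may be answered from cache and goes through the resolver's normal validation; the zone_refreshkeys() fetch in this same commit gets a long comment for the opposite choice, so a one-liner here would keep the two readable side by side, e.g. `/* Default fetch options: a shared, cached, normally-validated answer for the parent NS is fine here. */`. zone_checkds() and the struct initializer continue past the end of the hunk.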
@@ -18167,8 +18183,6 @@ nsfetch_dsync(dns_zonefetch_t *fetch, isc_result_t eresult) {
                zfetch = isc_mem_get(zone->mctx, sizeof(dns_zonefetch_t));
                *zfetch = (dns_zonefetch_t){
                        .zone = zone,
-                       .options = DNS_FETCHOPT_UNSHARED |
-                                  DNS_FETCHOPT_NOCACHED,
                        .fetchtype = ZONEFETCHTYPE_DSYNC,
                        .fetchmethods =
                                (dns_zonefetch_methods_t){
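Review bot: Dropping DNS_FETCHOPT_NOCACHED means the DSYNC fetch created here can now complete with an RRset the resolver already holds, and the comment this commit deletes from dns_zonefetch_run() warned that a cached validated RRset is preferred over the freshly received one because the latter has a lower trust level; that is only safe if the completion path for ZONEFETCHTYPE_DSYNC does not assume the rdataset is fresh or not yet validated. It presumably does not, since the description says the validation bypass is needed only for RFC 5011, but the callback is not in this diff, so it is worth confirming that any trust-level handling in dns_zonefetch_done() is now specific to the key fetch type. nsfetch_dsync() starts before the hunk and the initializer continues past its end.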
@@ -18221,8 +18235,6 @@ zone_notifycds(dns_zone_t *zone) {
                fetch = isc_mem_get(zone->mctx, sizeof(dns_zonefetch_t));
                *fetch = (dns_zonefetch_t){
                        .zone = zone,
-                       .options = DNS_FETCHOPT_UNSHARED |
-                                  DNS_FETCHOPT_NOCACHED,
                        .fetchtype = ZONEFETCHTYPE_NS,
                        .fetchmethods =
                                (dns_zonefetch_methods_t){
index b7f84919225073c94feb4b86cf929598432ab8f2..ff28bff566ec3f8c8e68fe4e5bb3bc584ba95ab9 100644 (file)
@@ -63,17 +63,6 @@ dns_zonefetch_run(void *arg) {
                              "Do fetch for %s/%s request", namebuf, typebuf);
        }
 
-       /*
-        * Use of DNS_FETCHOPT_NOCACHED is essential here.  If it is not
-        * set and the cache still holds a non-expired, validated version
-        * of the RRset being queried for by the time the response is
-        * received, the cached RRset will be passed to dns_zonefetch_done()
-        * instead of the one received in the response as the latter will
-        * have a lower trust level due to not being validated until
-        * dns_zonefetch_done() is called.
-        */
-       INSIST((fetch->options & DNS_FETCHOPT_NOCACHED) != 0);
-
        result = dns_resolver_createfetch(
                resolver, fetch->qname, fetch->qtype, NULL, NULL, NULL, NULL, 0,
                fetch->options, 0, NULL, NULL, NULL, loop, dns_zonefetch_done,