+9 June 2008: Wouter
+ - in iteration response type code
+ * first check for SOA record (negative answer) before NS record
+ and lameness.
+ * check if no AA bit for non-forwarder, and thus lame zone.
+ In response to error report by Richard Doty for mail.opusnet.com.
+
8 June 2008: Wouter
- if multiple CNAMEs, use the first one. Fixup akamai CNAME bug.
Reported by Robert Edmonds.
struct dns_msg* msg, struct query_info* request, struct delegpt* dp)
{
uint8_t* origzone = (uint8_t*)"\000"; /* the default */
+ struct ub_packed_rrset_key* s;
size_t origzonelen = 1;
size_t i;
}
/* Looking at the authority section, we just look and see if
- * there is a delegation NS set, turning it into a delegation.
- * Otherwise, we will have to conclude ANSWER (either it is
- * NOERROR/NODATA, or an non-authoritative answer). */
+ * there is a SOA record, that means a NOERROR/NODATA */
for(i = msg->rep->an_numrrsets; i < (msg->rep->an_numrrsets +
msg->rep->ns_numrrsets); i++) {
- struct ub_packed_rrset_key* s = msg->rep->rrsets[i];
+ s = msg->rep->rrsets[i];
/* The normal way of detecting NOERROR/NODATA. */
if(ntohs(s->rk.type) == LDNS_RR_TYPE_SOA &&
return RESPONSE_TYPE_LAME;
return RESPONSE_TYPE_ANSWER;
}
+ }
+ /* Looking at the authority section, we just look and see if
+ * there is a delegation NS set, turning it into a delegation.
+ * Otherwise, we will have to conclude ANSWER (either it is
+ * NOERROR/NODATA, or an non-authoritative answer). */
+ for(i = msg->rep->an_numrrsets; i < (msg->rep->an_numrrsets +
+ msg->rep->ns_numrrsets); i++) {
+ s = msg->rep->rrsets[i];
/* Detect REFERRAL/LAME/ANSWER based on the relationship
* of the NS set to the originating zone name. */
if(ntohs(s->rk.type) == LDNS_RR_TYPE_NS) {
/* If we are getting an NS set for the zone we
* thought we were contacting, then it is an answer.*/
- /* FIXME: is this correct? */
if(query_dname_compare(s->rk.dname, origzone) == 0) {
/* see if mistakenly a recursive server was
* deployed and is responding nonAA */
if( (msg->rep->flags&BIT_RA) &&
!(msg->rep->flags&BIT_AA) && !rdset)
return RESPONSE_TYPE_LAME;
+ /* Or if a lame server is deployed,
+ * which gives ns==zone delegation from cache
+ * without AA bit as well, with nodata nosoa*/
+ if(msg->rep->an_numrrsets==0 &&
+ !(msg->rep->flags&BIT_AA) && !rdset)
+ return RESPONSE_TYPE_LAME;
return RESPONSE_TYPE_ANSWER;
}
/* If we are getting a referral upwards (or to
--- /dev/null
+; config options
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test lame detection if AA bit is omitted
+; the query is answered with a reply that has
+; no AA bit
+; no SOA record
+; noanswer/noerror
+; NS record in there which is not a down delegation (==).
+; the query is not sent to a forward zone
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; root prime is sent
+STEP 20 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+. IN NS
+ENTRY_END
+STEP 30 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+; query sent to root server
+STEP 40 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+STEP 50 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+; query sent to .com server
+STEP 60 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+STEP 70 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns1.example.com.
+example.com. IN NS ns2.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ns2.example.com. IN A 168.192.3.3
+ENTRY_END
+
+; no matter which one the iterator tries first, we present it as 'lame'
+; query to ns1.example.com or ns2.example.com.
+STEP 80 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+STEP 90 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+; This is the BROKEN ANSWER here.
+; it is lame. A delegation to example.com. itself.
+example.com. IN NS ns1.example.com.
+example.com. IN NS ns2.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ns2.example.com. IN A 168.192.3.3
+ENTRY_END
+
+; iterator should try again and ask the other nameserver.
+STEP 100 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+STEP 110 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns1.example.com.
+example.com. IN NS ns2.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ns2.example.com. IN A 168.192.3.3
+ENTRY_END
+
+; is the final answer correct?
+STEP 200 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns1.example.com.
+example.com. IN NS ns2.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ns2.example.com. IN A 168.192.3.3
+ENTRY_END
+
+SCENARIO_END
projects / thirdparty / unbound.git / commitdiff
