root prime validation
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Fri, 17 Oct 2008 15:07:28 +0000 (15:07 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Fri, 17 Oct 2008 15:07:28 +0000 (15:07 +0000)
git-svn-id: file:///svn/unbound/trunk@1309 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
doc/plan
iterator/iterator.c

index 382743bc5d2fa5506ccc589d074ba430bc8f65ac..e5032bd6dc4042dacc999daa4d09f13f2a99da2f 100644 (file)
@@ -1,6 +1,9 @@
 17 October 2008: Wouter
        - port Leopard/G5: fixup type conversion size_t/uint32.
          please ranlib, stop file without symbols warning.
+       - harden referral path now also validates the root after priming.
+         It looks up the root NS authoritatively as well as the root servers
+         and attemps to validate the entries.
 
 16 October 2008: Wouter
        - Fixup negative TTL values appearing (reported by Attila Nagy).
index dd2963a68baff4576a80608bd9b4e4222d859415..673ca7238f9ffd095bae28aff0e9d175f5f5f574 100644 (file)
--- a/doc/plan
+++ b/doc/plan
@@ -80,7 +80,7 @@ not   stats on SIGUSR1. perhaps also see which slow auth servers cause >1sec value
 * trouble counter, cache wipe threshold.
 
 + off-path validation
-* root NS, root glue validation after prime
++ root NS, root glue validation after prime
 * ignore bogus nameservers, pretend they always return a servfail.
 
 
index bba487748593799b0065cf20916625d9fe51a746..6f6eab75232672287e021a35e6c1fbdd9dab6867 100644 (file)
@@ -668,8 +668,9 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
                        continue;
 
                /* generate subrequest for it */
-               log_nametypeclass(VERB_ALGO, "must fetch addr", s->rk.dname, 
-                       ntohs(s->rk.type), ntohs(s->rk.rrset_class));
+               log_nametypeclass(VERB_ALGO, "schedule addr fetch", 
+                       s->rk.dname, ntohs(s->rk.type), 
+                       ntohs(s->rk.rrset_class));
                if(!generate_sub_request(s->rk.dname, s->rk.dname_len, 
                        ntohs(s->rk.type), ntohs(s->rk.rrset_class),
                        qstate, id, iq,
@@ -704,7 +705,7 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
                return;
        }
 
-       log_nametypeclass(VERB_ALGO, "must fetch ns", 
+       log_nametypeclass(VERB_ALGO, "schedule ns fetch", 
                iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
        if(!generate_sub_request(iq->dp->name, iq->dp->namelen, 
                LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
@@ -1643,6 +1644,24 @@ processPrimeResponse(struct module_qstate* qstate, int id)
                qstate->return_msg = NULL;
        }
 
+       /* validate the root or stub after priming (if enabled).
+        * This is the same query as the prime query, but with validation.
+        * Now that we are primed, the additional queries that validation
+        * may need can be resolved, such as DLV. */
+       if(qstate->env->cfg->harden_referral_path) {
+               struct module_qstate* subq = NULL;
+               log_nametypeclass(VERB_ALGO, "schedule prime validation", 
+                       qstate->qinfo.qname, qstate->qinfo.qtype,
+                       qstate->qinfo.qclass);
+               if(!generate_sub_request(qstate->qinfo.qname, 
+                       qstate->qinfo.qname_len, qstate->qinfo.qtype,
+                       qstate->qinfo.qclass, qstate, id, iq,
+                       INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
+                       log_err("out of memory generating prime check");
+               }
+               generate_a_aaaa_check(qstate, iq, id);
+       }
+
        /* This event is finished. */
        qstate->ext_state[id] = module_finished;
        return 0;
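Review bot: When generate_sub_request fails at the call ending on the `INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)` line, the new block only logs and then continues into generate_a_aaaa_check and marks the state finished, so the primed root or stub data stays in use without the validation pass the block was added for; if that is the intended best-effort behaviour, say so next to the log_err, e.g. `/* best effort: prime result stays in use unvalidated if the check cannot be scheduled */`. The trailing literal `1` in that call is unexplained here; the comment above says the subquery is the prime query "but with validation", so presumably this is the validate flag, and a one-line comment at the argument would make that explicit. `subq` is written through `&subq` but never read afterwards in the hunk; if generate_sub_request accepts a NULL result pointer the local can go, otherwise a short comment on why the pointer is requested would help. processPrimeResponse starts and ends outside the hunk.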