15 October 2008: Wouter
- better documentation for 0x20; remove fallback TODO, it is done.
+ - harden-referral-path feature includes A, AAAA queries for glue,
+ as well as very careful NS caching (only when doing NS query).
+ A, AAAA use the delegation from the NS-query.
14 October 2008: Wouter
- fwd_three.tpkg test was flaky. If the three requests hit the
*** from draft resolver-mitigation
+ option harden-referral-path
+ direct queries for NS records
-* careful caching, only NS query causes referral caching.
-* direct queries for A, AAAA in-bailiwick from a referral.
++ careful caching, only NS query causes referral caching.
++ direct queries for A, AAAA in-bailiwick from a referral.
* trouble counter, cache wipe threshold.
-* off-path validation?
++ off-path validation
* root NS, root glue validation after prime
* ignore bogus nameservers, pretend they always return a servfail.
return 1;
}
+/**
+ * Generate A and AAAA checks for glue that is in-zone for the referral
+ * we just got to obtain authoritative information on the adresses.
+ *
+ * @param qstate: the qtstate that triggered the need to prime.
+ * @param iq: iterator query state.
+ * @param id: module id.
+ */
+static void
+generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
+ int id)
+{
+ struct module_qstate* subq;
+ size_t i;
+ struct reply_info* rep = iq->response->rep;
+ struct ub_packed_rrset_key* s;
+ log_assert(iq->dp);
+
+ /* walk through additional, and check if in-zone,
+ * only relevant A, AAAA are left after scrub anyway */
+ for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
+ s = rep->rrsets[i];
+ /* check *ALL* addresses that are transmitted in additional*/
+ /* is it an address ? */
+ if( !(ntohs(s->rk.type)==LDNS_RR_TYPE_A ||
+ ntohs(s->rk.type)==LDNS_RR_TYPE_AAAA)) {
+ continue;
+ }
+ /* is this query the same as the A/AAAA check for it */
+ if(qstate->qinfo.qtype == ntohs(s->rk.type) &&
+ qstate->qinfo.qclass == ntohs(s->rk.rrset_class) &&
+ query_dname_compare(qstate->qinfo.qname,
+ s->rk.dname)==0 &&
+ (qstate->query_flags&BIT_RD) &&
+ !(qstate->query_flags&BIT_CD))
+ continue;
+
+ /* generate subrequest for it */
+ log_nametypeclass(VERB_ALGO, "must fetch addr", s->rk.dname,
+ ntohs(s->rk.type), ntohs(s->rk.rrset_class));
+ if(!generate_sub_request(s->rk.dname, s->rk.dname_len,
+ ntohs(s->rk.type), ntohs(s->rk.rrset_class),
+ qstate, id, iq,
+ INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
+ log_err("out of memory generating ns check");
+ return;
+ }
+ /* ignore subq - not need for more init */
+ }
+}
+
/**
* Generate a NS check request to obtain authoritative information
* on an NS rrset.
* @param qstate: the qtstate that triggered the need to prime.
* @param iq: iterator query state.
* @param id: module id.
- * @param qclass: the class.
*/
static void
-generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq,
- int id, uint16_t qclass)
+generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
{
struct module_qstate* subq;
log_assert(iq->dp);
- /* avoid the redundant INIT state processing. */
+ /* is this query the same as the nscheck? */
+ if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
+ query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&
+ (qstate->query_flags&BIT_RD) && !(qstate->query_flags&BIT_CD)){
+ /* spawn off A, AAAA queries for in-zone glue to check */
+ generate_a_aaaa_check(qstate, iq, id);
+ return;
+ }
+
+ log_nametypeclass(VERB_ALGO, "must fetch ns",
+ iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
if(!generate_sub_request(iq->dp->name, iq->dp->namelen,
- LDNS_RR_TYPE_NS, qclass, qstate, id, iq,
+ LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
log_err("out of memory generating ns check");
return;
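Review bot: generate_a_aaaa_check never verifies that the additional-section owner name it picks up at L43 lies below iq->dp->name; the comment at L40-41 defers that to the scrubber, and since the purpose of harden-referral-path is to not act on glue the referral was not authoritative for, I would make the invariant explicit, e.g. `log_assert(dname_subdomain_c(s->rk.dname, iq->dp->name));` after L43 if dname_subdomain_c is in scope here, or at least a comment naming the scrubber as the guarantee. The log text at L66 is copied from the NS check; `log_err("out of memory generating a/aaaa check");` tells an operator which sub-request failed. The "is this our own check query" predicate (qtype/class match, RD set, CD clear, name equal) is also written twice, at L51-56 and L90-92, and the two must stay identical for the hardening to hold, so a small static helper would be safer than parallel copies. generate_a_aaaa_check is complete in the hunk; generate_ns_check's body continues past L105.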
struct iter_qstate* subiq =
(struct iter_qstate*)subq->minfo[id];
- /* Set the initial delegation point to mine. */
- /* this means it queries the referral we just got */
/* make copy to avoid use of stub dp by different qs/threads */
+ /* refetch glue to start higher up the tree */
+ subiq->refetch_glue = 1;
subiq->dp = delegpt_copy(iq->dp, subq->region);
if(!subiq->dp) {
log_err("out of memory generating ns check, copydp");
return;
}
}
-
- /* this module stops, our submodule starts, and does the query. */
- qstate->ext_state[id] = module_wait_subquery;
}
/**
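Review bot: Dropping `qstate->ext_state[id] = module_wait_subquery;` at L119-121 means generate_ns_check now returns to a caller that keeps processing while the NS and A/AAAA checks run detached, but nothing in the function's header comment says the check is fire-and-forget and that its result reaches the parent only via the cache; I would add `Does not suspend qstate; the sub-query's answer is only stored in the cache.` to that comment. Separately, `subiq->refetch_glue = 1;` at L112 is set before delegpt_copy, so on the failure path at L114-116 an already-spawned sub-query is left with refetch_glue set and dp NULL; if INIT state does not tolerate that combination the sub-request should be cancelled rather than only logged — the hunk does not show enough to tell. The block enclosing L106 (apparently an `if(subq)`) starts outside the hunk.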
* delegation point, and back to the QUERYTARGETS_STATE. */
verbose(VERB_DETAIL, "query response was REFERRAL");
- /* Store the referral under the current query */
- if(!iter_dns_store(qstate->env, &iq->response->qinfo,
- iq->response->rep, 1))
- return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
- if(qstate->env->neg_cache)
- val_neg_addreferral(qstate->env->neg_cache,
- iq->response->rep, iq->dp->name);
+ /* if hardened, only store referral if we asked for it */
+ if(!qstate->env->cfg->harden_referral_path ||
+ ( qstate->qinfo.qtype == LDNS_RR_TYPE_NS
+ && (qstate->query_flags&BIT_RD)
+ && !(qstate->query_flags&BIT_CD)
+ /* we know that all other NS rrsets are scrubbed
+ * away, thus on referral only one is left.
+ * see if that equals the query name... */
+ && reply_find_rrset_section_ns(iq->response->rep,
+ qstate->qinfo.qname, qstate->qinfo.qname_len,
+ LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
+ )) {
+ /* Store the referral under the current query */
+ if(!iter_dns_store(qstate->env, &iq->response->qinfo,
+ iq->response->rep, 1))
+ return error_response(qstate, id,
+ LDNS_RCODE_SERVFAIL);
+ if(qstate->env->neg_cache)
+ val_neg_addreferral(qstate->env->neg_cache,
+ iq->response->rep, iq->dp->name);
+ }
/* Reset the event state, setting the current delegation
* point to the referral. */
iq->dnssec_expected = iter_indicates_dnssec(qstate->env,
iq->dp, iq->response, iq->qchase.qclass);
- /* spawn off a NS query to auth servers for the NS we just
+ /* spawn off NS and addr to auth servers for the NS we just
* got in the referral. This gets authoritative answer
- * (answer section trust level) rrset.
- * right after, we detach subs, we don't want the answer */
+ * (answer section trust level) rrset.
+ * right after, we detach the subs, answer goes to cache. */
if(qstate->env->cfg->harden_referral_path)
- generate_ns_check(qstate, iq, id, iq->qchase.qclass);
+ generate_ns_check(qstate, iq, id);
/* stop current outstanding queries.
* FIXME: should the outstanding queries be waited for and
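Review bot: The predicate at L135-137 (qtype NS, RD set, CD clear, owner name matches) is the third copy of the test used at L90-92 and, for A/AAAA, at L51-56; a helper such as `static int iter_is_own_check_query(struct module_qstate* qstate, uint16_t qtype, uint8_t* name)` would keep them in step, which matters because drift between the copies is exactly what decides whether an unsolicited referral gets cached. The comment at L138-140 asserts that the scrubber leaves only one NS rrset in the authority section, yet nothing here checks it, so I would phrase it as an assumption, e.g. `/* assumes the scrubber left at most one NS rrset in the authority section */`. Gating val_neg_addreferral at L150-152 on the same condition also means NSEC/NSEC3 records carried by referrals to non-NS queries no longer reach the negative cache when hardening is on; if that is intended, a one-line comment next to it would stop a later reader from "fixing" it. The enclosing function continues outside the hunk.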
server:
dlv-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
val-override-date: "20070916134226"
- harden-referral-path: yes
+ harden-referral-path: no
stub-zone:
name: "."
ENTRY_END
; DLV query
-; picked out of the negative cache due to NS queries in between.
-; ENTRY_BEGIN
-; MATCH opcode qtype qname
-; ADJUST copy_id
-; REPLY QR NXDOMAIN
-; SECTION QUESTION
-; example.net.example.com. IN DLV
-; SECTION ANSWER
-; SECTION AUTHORITY
-; example.com. IN NS ns.example.com.
-; example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-; example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
-; example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
-; SECTION ADDITIONAL
-; ns.example.com. IN A 1.2.3.4
-; ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
-; ENTRY_END
+; could be picked out of the negative cache due to NS queries in between.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NXDOMAIN
+SECTION QUESTION
+www.example.net.example.com. IN DLV
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
+example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
+example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
; config options
server:
- harden-referral-path: yes
+ harden-referral-path: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
ENTRY_END
; answer the NS queries that have been generated
-STEP 62 CHECK_OUT_QUERY
-ENTRY_BEGIN
-MATCH qname qtype opcode
-SECTION QUESTION
-com. IN NS
-ENTRY_END
-
-STEP 63 REPLY
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
+; STEP 62 CHECK_OUT_QUERY
+; ENTRY_BEGIN
+; MATCH qname qtype opcode
+; SECTION QUESTION
+; com. IN NS
+; ENTRY_END
+;
+; STEP 63 REPLY
+; ; ENTRY_BEGIN
+; MATCH opcode qtype qname
+; ADJUST copy_id
+; REPLY QR AA NOERROR
+; SECTION QUESTION
+; com. IN NS
+; SECTION ANSWER
+; com. IN NS a.gtld-servers.net.
+; SECTION ADDITIONAL
+; a.gtld-servers.net. IN A 192.5.6.30
+; ENTRY_END
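Review bot: The test config flips `harden-referral-path: yes` to `no` at L219-220 and the NS-check steps are commented out at L245-263 instead of being adapted to the new query pattern, so as far as this page shows no scenario now exercises the hardened path at all — neither the NS-only referral caching nor the new A/AAAA glue fetch. I would keep at least one test with hardening enabled that expects the `com. IN NS` / `example.com. IN NS` queries and the in-zone `A` fetches via CHECK_OUT_QUERY steps, rather than disabling the option. L253 reads `; ; ENTRY_BEGIN`, a doubled comment prefix that will bite whoever later un-comments the block. The same yes→no flip recurs in the other test files of this commit (L173-174, L396-397, L483-484, L579-580).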
STEP 70 REPLY
ENTRY_BEGIN
www.example.com. IN A
ENTRY_END
-STEP 82 CHECK_OUT_QUERY
-ENTRY_BEGIN
-MATCH qname qtype opcode
-SECTION QUESTION
-example.com. IN NS
-ENTRY_END
-
-STEP 83 REPLY
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns1.example.com.
-example.com. IN NS ns2.example.com.
-SECTION ADDITIONAL
-ns1.example.com. IN A 168.192.2.2
-ns2.example.com. IN A 168.192.3.3
-ENTRY_END
-
+; STEP 82 CHECK_OUT_QUERY
+; ENTRY_BEGIN
+; MATCH qname qtype opcode
+; SECTION QUESTION
+; example.com. IN NS
+; ENTRY_END
+;
+; STEP 83 REPLY
+; ENTRY_BEGIN
+; MATCH opcode qtype qname
+; ADJUST copy_id
+; REPLY QR AA NOERROR
+; SECTION QUESTION
+; example.com. IN NS
+; SECTION ANSWER
+; example.com. IN NS ns1.example.com.
+; example.com. IN NS ns2.example.com.
+; SECTION ADDITIONAL
+; ns1.example.com. IN A 168.192.2.2
+; ns2.example.com. IN A 168.192.3.3
+; ENTRY_END
+;
STEP 90 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ENTRY_END
ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
+MATCH opcode subdomain
+ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
-www.example.com. IN A
+com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
+
+; for simplicity the root server is authoritative for root-servers.net
+; and also for gtld-servers.net
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+K.ROOT-SERVERS.NET. IN A
+SECTION ANSWER
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.gtld-servers.net. IN A
+SECTION ANSWER
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
RANGE_END
; a.gtld-servers.net.
RANGE_BEGIN 0 100
ADDRESS 192.5.6.30
ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
+MATCH opcode subdomain
+ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
-www.example.com. IN A
+example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
-com. IN NS
+com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com. IN A 1.2.3.4
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+ENTRY_END
+
;; answer to the spoofed query ; spoofed reply answer.
; here we put it in the nameserver for ease.
ENTRY_BEGIN
; config options
server:
- harden-referral-path: yes
+ harden-referral-path: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
www.example.com. IN A
ENTRY_END
-STEP 62 CHECK_OUT_QUERY
-ENTRY_BEGIN
-MATCH qname qtype opcode
-SECTION QUESTION
-com. IN NS
-ENTRY_END
-STEP 63 REPLY
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
+; STEP 62 CHECK_OUT_QUERY
+; ENTRY_BEGIN
+; MATCH qname qtype opcode
+; SECTION QUESTION
+; com. IN NS
+; ENTRY_END
+; STEP 63 REPLY
+; ENTRY_BEGIN
+; MATCH opcode qtype qname
+; ADJUST copy_id
+; REPLY QR NOERROR
+; SECTION QUESTION
+; com. IN NS
+; SECTION ANSWER
+; com. IN NS a.gtld-servers.net.
+; SECTION ADDITIONAL
+; a.gtld-servers.net. IN A 192.5.6.30
+; ENTRY_END
STEP 70 REPLY
ENTRY_BEGIN
www.example.com. IN A
ENTRY_END
-STEP 82 CHECK_OUT_QUERY
-ENTRY_BEGIN
-MATCH qname qtype opcode
-SECTION QUESTION
-example.com. IN NS
-ENTRY_END
-STEP 83 REPLY
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns1.example.com.
-SECTION ADDITIONAL
-ns1.example.com. IN A 168.192.2.2
-ENTRY_END
+; STEP 82 CHECK_OUT_QUERY
+; ENTRY_BEGIN
+; MATCH qname qtype opcode
+; SECTION QUESTION
+; example.com. IN NS
+; ENTRY_END
+; STEP 83 REPLY
+; ENTRY_BEGIN
+; MATCH opcode qtype qname
+; ADJUST copy_id
+; REPLY QR NOERROR
+; SECTION QUESTION
+; example.com. IN NS
+; SECTION ANSWER
+; example.com. IN NS ns1.example.com.
+; SECTION ADDITIONAL
+; ns1.example.com. IN A 168.192.2.2
+; ENTRY_END
STEP 90 REPLY
ENTRY_BEGIN
; config options
server:
- harden-referral-path: yes
+ harden-referral-path: no
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
SECTION QUESTION
x.y.example.com. IN A
ENTRY_END
-STEP 62 CHECK_OUT_QUERY
-ENTRY_BEGIN
-MATCH qname qtype opcode
-SECTION QUESTION
-com. IN NS
-ENTRY_END
-STEP 63 REPLY
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com. IN NS a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net. IN A 192.5.6.30
-ENTRY_END
+
+; STEP 62 CHECK_OUT_QUERY
+; ENTRY_BEGIN
+; MATCH qname qtype opcode
+; SECTION QUESTION
+; com. IN NS
+; ENTRY_END
+; STEP 63 REPLY
+; ENTRY_BEGIN
+; MATCH opcode qtype qname
+; ADJUST copy_id
+; REPLY QR NOERROR
+; SECTION QUESTION
+; com. IN NS
+; SECTION ANSWER
+; com. IN NS a.gtld-servers.net.
+; SECTION ADDITIONAL
+; a.gtld-servers.net. IN A 192.5.6.30
+; ENTRY_END
+
STEP 70 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
SECTION QUESTION
x.y.example.com. IN A
ENTRY_END
-STEP 82 CHECK_OUT_QUERY
-ENTRY_BEGIN
-MATCH qname qtype opcode
-SECTION QUESTION
-example.com. IN NS
-ENTRY_END
-STEP 83 REPLY
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com. IN NS ns1.example.com.
-SECTION ADDITIONAL
-ns1.example.com. IN A 168.192.2.2
-ENTRY_END
+
+; STEP 82 CHECK_OUT_QUERY
+; ENTRY_BEGIN
+; MATCH qname qtype opcode
+; SECTION QUESTION
+; example.com. IN NS
+; ENTRY_END
+; STEP 83 REPLY
+; ENTRY_BEGIN
+; MATCH opcode qtype qname
+; ADJUST copy_id
+; REPLY QR NOERROR
+; SECTION QUESTION
+; example.com. IN NS
+; SECTION ANSWER
+; example.com. IN NS ns1.example.com.
+; SECTION ADDITIONAL
+; ns1.example.com. IN A 168.192.2.2
+; ENTRY_END
+
STEP 90 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
server:
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
val-override-date: "20070916134226"
- harden-referral-path: yes
+ harden-referral-path: no
access-control: 127.0.0.1 allow_snoop
stub-zone:
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
-ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
+www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AD8qRJvXxOtmSuy8Ogyo0roA294qOtNT2E1m05kSU0jbxN4qLYn0OmU= ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}