- iana portlist updated.

- queries with CD flag set cause DNSSEC validation, but the answer is
  not withheld if it is bogus.  Thus, unbound will retry if it is bad
  and curb the TTL if it is bad, thus protecting the cache for use by
  downstream validators.

git-svn-id: file:///svn/unbound/trunk@2409 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index af3822a0e73241695afa955eeb5f19cde60d8c20..da9e0767af03e76d593bf6ee5c9fff595731ca28 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,10 @@
+8 April 2011: Wouter
+       - iana portlist updated.
+       - queries with CD flag set cause DNSSEC validation, but the answer is
+         not withheld if it is bogus.  Thus, unbound will retry if it is bad
+         and curb the TTL if it is bad, thus protecting the cache for use by
+         downstream validators.
+
 29 March 2011: Wouter
        - harden-below-nxdomain: changed so that it activates when the
          cached nxdomain is dnssec secure.  This avoids backwards

diff --git a/services/mesh.c b/services/mesh.c
index 04e9cebe43ff6b97fab8b0a81e71184a1f6cfa3d..0fe738c07b66d7e6fc60bf1cc56cca9e7e9eecfa 100644 (file)
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -270,7 +270,11 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
         uint16_t qflags, struct edns_data* edns, struct comm_reply* rep,
         uint16_t qid)
 {
-       struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags, 0);
+       /* do not use CD flag from user for mesh state, we want the CD-query
+        * to receive validation anyway, to protect out cache contents and
+        * avoid bad-data in this cache that a downstream validator cannot
+        * remove from this cache */
+       struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&BIT_RD, 0);
        int was_detached = 0;
        int was_noreply = 0;
        int added = 0;
@@ -298,7 +302,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
        /* see if it already exists, if not, create one */
        if(!s) {
                struct rbnode_t* n;
-               s = mesh_state_create(mesh->env, qinfo, qflags, 0);
+               s = mesh_state_create(mesh->env, qinfo, qflags&BIT_RD, 0);
                if(!s) {
                        log_err("mesh_state_create: out of memory; SERVFAIL");
                        error_encode(rep->c->buffer, LDNS_RCODE_SERVFAIL,
@@ -357,7 +361,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
        uint16_t qflags, struct edns_data* edns, ldns_buffer* buf, 
        uint16_t qid, mesh_cb_func_t cb, void* cb_arg)
 {
-       struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags, 0);
+       struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&BIT_RD, 0);
        int was_detached = 0;
        int was_noreply = 0;
        int added = 0;
@@ -366,7 +370,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
        /* see if it already exists, if not, create one */
        if(!s) {
                struct rbnode_t* n;
-               s = mesh_state_create(mesh->env, qinfo, qflags, 0);
+               s = mesh_state_create(mesh->env, qinfo, qflags&BIT_RD, 0);
                if(!s) {
                        return 0;
                }
@@ -403,7 +407,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
         uint16_t qflags, uint32_t leeway)
 {
-       struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags, 0);
+       struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&BIT_RD, 0);
        struct rbnode_t* n;
        /* already exists, and for a different purpose perhaps.
         * if mesh_no_list, keep it that way. */
@@ -420,7 +424,7 @@ void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
                mesh->stats_dropped ++;
                return;
        }
-       s = mesh_state_create(mesh->env, qinfo, qflags, 0);
+       s = mesh_state_create(mesh->env, qinfo, qflags&BIT_RD, 0);
        if(!s) {
                log_err("prefetch mesh_state_create: out of memory");
                return;

diff --git a/testdata/val_referglue.rpl b/testdata/val_referglue.rpl
index c379c8545753ae9b7302e44305ec7a1711c52b27..fd7e7caa5e81aca19f651f921d4152c40065489d 100644 (file)
--- a/testdata/val_referglue.rpl
+++ b/testdata/val_referglue.rpl
@@ -244,7 +244,6 @@ ENTRY_END
 
 RANGE_END
 
-
 ; first ask for +CD and get the data in the cache.
 STEP 1 QUERY
 ENTRY_BEGIN
@@ -266,7 +265,8 @@ example.com.        IN NS   ns.example.com.
 example.com.   IN NS   ns2.sub.example.com.
 SECTION ADDITIONAL
 ns.example.com.                IN      A       1.2.3.4
-ns2.sub.example.com.   IN      A       100.200.30.40
+; already validated and thus stripped from the answer.
+;ns2.sub.example.com.  IN      A       100.200.30.40
 ENTRY_END
 
 ; now the data is in the cache, validate a referral from cache

diff --git a/util/iana_ports.inc b/util/iana_ports.inc
index 5be49edadd842bd5030cd81fe111c6d645c4f996..539a4489e56ba7f0f07fcc81a90b3bdfe65c8c32 100644 (file)
--- a/util/iana_ports.inc
+++ b/util/iana_ports.inc
@@ -5065,6 +5065,7 @@
 14936,
 14937,
 15000,
+15118,
 15345,
 15363,
 15555,