- More strict scrubber (Thanks to George Barwood for the idea):
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 26 Apr 2010 13:40:37 +0000 (13:40 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 26 Apr 2010 13:40:37 +0000 (13:40 +0000)
         NS set must be pertinent to the query (qname subdomain nsname).

git-svn-id: file:///svn/unbound/trunk@2096 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
iterator/iter_scrub.c
testdata/iter_scrub_ns_side.rpl [new file with mode: 0644]

index 9f535452b8ab71ed2ab1c58e5509fcebe86a5f98..72ccc508c1c13d9008f4d32c5d9982ca40dc77f4 100644 (file)
@@ -5,6 +5,8 @@
          it from the event.h header file and link with -lev.
        - configlexer.lex gets config.h, and configyyrename.h added by make,
          no more double include.
+       - More strict scrubber (Thanks to George Barwood for the idea):
+         NS set must be pertinent to the query (qname subdomain nsname).
 
 23 April 2010: Wouter
        - Squelch log message: sendto failed permission denied for
index f9a88f2b2fd4db7268e100e60392f75cab6fe886..4866793d4394ab47fc3e7948bb9a304bbde35b1a 100644 (file)
@@ -446,6 +446,12 @@ scrub_normalize(ldns_buffer* pkt, struct msg_parse* msg,
                }
                /* only one NS set allowed in authority section */
                if(rrset->type==LDNS_RR_TYPE_NS) {
+                       /* NS set must be pertinent to the query */
+                       if(!sub_of_pkt(pkt, qinfo->qname, rrset->dname)) {
+                               remove_rrset("normalize: removing irrelevant "
+                                       "RRset:", pkt, msg, prev, &rrset);
+                               continue;
+                       }
                        if(nsset == NULL) {
                                nsset = rrset;
                        } else {
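Review bot: The added comment `/* NS set must be pertinent to the query */` states neither the direction of the test nor its purpose, and the argument order in `sub_of_pkt(pkt, qinfo->qname, rrset->dname)` is easy to misread. I would expand it to `/* NS set must be pertinent to the query: qname must be a subdomain of the NS owner name, so a reply cannot introduce a delegation for a sibling or unrelated name */`, which matches the commit message's "qname subdomain nsname"; whether sub_of_pkt treats an equal name as a subdomain is not visible here and is worth stating too. The comparison uses the original `qinfo->qname`, so if the answer section is followed through a CNAME earlier in scrub_normalize (not shown), NS sets for the CNAME target are presumably removed as well, and the comment should say that this is intended. The log text "normalize: removing irrelevant RRset:" may be shared with other removals in this function; a message specific to this check would make scrub decisions easier to trace in logs. scrub_normalize begins and ends outside the hunk.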
diff --git a/testdata/iter_scrub_ns_side.rpl b/testdata/iter_scrub_ns_side.rpl
new file mode 100644 (file)
index 0000000..98d00fd
--- /dev/null
@@ -0,0 +1,103 @@
+; config options
+server:
+       target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+       name: "."
+       stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
+
+stub-zone:
+       name: "example.com"
+       stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test scrubber to scrub NS record to the side of the query
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+       ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS        K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.    IN      A       193.0.14.129
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+       ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+; must be scrubbed
+www.burritolovers.com. IN A    10.20.30.40
+SECTION AUTHORITY
+example1234.com.       IN NS   ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.                IN      A       1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+mail.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+; not pertinent to the query
+www.example.com.       IN NS   ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.                IN      A       1.2.3.4
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+mail.example.com. IN A
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+mail.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+SCENARIO_END
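Review bot: Both CHECK_ANSWER steps (STEP 10 and STEP 30) expect empty ANSWER, AUTHORITY and ADDITIONAL sections, so the scenario only proves that records are removed and would also pass if the scrubber dropped every NS set. From the expected output it also cannot be told whether the `example1234.com.` NS in the first entry is removed by the new pertinence check or by an existing rule; only the `mail.example.com.` case clearly targets the new code. I would add a positive case in which the authority NS owner is an ancestor of the qname and the NS set is expected to survive, as sketched below with constructed names and addresses; the exact sections unbound returns should be confirmed against a test run.

```text
; … unchanged: existing entries in the ns.example.com. RANGE …
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ftp.example.com. IN A
SECTION ANSWER
ftp.example.com. IN A    10.20.30.50    ; constructed sample value
SECTION AUTHORITY
; pertinent to the query: qname is a subdomain of the NS owner, must be kept
example.com.       IN NS   ns.example.com.
SECTION ADDITIONAL
ns.example.com.                IN      A       1.2.3.4
ENTRY_END

; … unchanged: STEP 1 through STEP 30 …
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
ftp.example.com. IN A
ENTRY_END

STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
ftp.example.com. IN A
SECTION ANSWER
ftp.example.com. IN A    10.20.30.50
SECTION AUTHORITY
example.com.       IN NS   ns.example.com.
SECTION ADDITIONAL
ns.example.com.                IN      A       1.2.3.4
ENTRY_END
```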