From: Ralph Dolmans
Date: Tue, 1 Dec 2015 13:14:00 +0000 (+0000)
Subject: Qname minimisation review fixes
X-Git-Tag: release-1.5.7rc1~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=014142d7bf7dcd6b7eaf257d1d80a0f03948af95;p=thirdparty%2Funbound.git

Qname minimisation review fixes

git-svn-id: file:///svn/unbound/trunk@3561 be551aaa-1e26-0410-a405-d3ace91eadb9
---

diff --git a/doc/Changelog b/doc/Changelog
index d4788a1bb..d289df147 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+1 December 2015: Ralph
+ - Qname minimisation review fixes
+
 1 December 2015: Wouter
 - Fixup 724 fix for fname_after_chroot() calls.
 - Remove stdout printout for unbound-service-install.exe
diff --git a/doc/example.conf.in b/doc/example.conf.in
index ccd675e9b..1c26c25f4 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -296,6 +296,11 @@ server:
 # to validate the zone.
 # harden-algo-downgrade: no
 
+ # Sent minimum amount of information to upstream servers to enhance
+ # privacy. Only sent minimum required labels of the QNAME and set QTYPE
+ # to NS when possible.
+ # qname-minimisation: no
+
 # Use 0x20-encoded random bits in the query to foil spoof attempts.
 # This feature is an experimental implementation of draft dns-0x20.
 # use-caps-for-id: no
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 5be91cbf3..d29dfa143 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -117,8 +117,7 @@ iter_deinit(struct module_env* env, int id)
 if(!env || !env->modinfo[id])
 return;
 iter_env = (struct iter_env*)env->modinfo[id];
- if(env->cfg->qname_minimisation)
- free(iter_env->ip6arpa_dname);
+ free(iter_env->ip6arpa_dname);
 free(iter_env->target_fetch_policy);
 priv_delete(iter_env->priv);
 donotq_delete(iter_env->donotq);
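Review bot: The unconditional `free(iter_env->ip6arpa_dname)` in iter_deinit is only safe if the field is guaranteed to be NULL whenever qname-minimisation is off, and nothing in this hunk shows that; unless iter_env is allocated zeroed or the field is explicitly nulled in iter_init, the free would operate on an indeterminate pointer. Dropping the `env->cfg->qname_minimisation` guard is presumably the right direction, since the configuration at deinit time need not be the one under which iter_env was built, but the invariant it replaces should be made visible, e.g. with `/* NULL unless qname-minimisation allocated it; free(NULL) is a no-op */` on the free line, or an explicit NULL initialisation in iter_init. iter_deinit starts and ends outside the hunk.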
@@ -2010,7 +2009,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 
 if(iq->minimisation_state == INIT_MINIMISE_STATE) {
 /* (Re)set qinfo_out to (new) delegation point, except
- * when qinfo_out is already a subdomain op dp. This happens
+ * when qinfo_out is already a subdomain of dp. This happens
 * when resolving ip6.arpa dnames. */
 if(!(iq->qinfo_out.qname_len
 && dname_subdomain_c(iq->qchase.qname,
@@ -2061,7 +2060,9 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 iq->qinfo_out.qtype, iq->qinfo_out.qclass,
 qstate->query_flags, qstate->region,
 qstate->env->scratch);
- if(msg && msg->rep->an_numrrsets == 0)
+ if(msg && msg->rep->an_numrrsets == 0
+ && FLAGS_GET_RCODE(msg->rep->flags) ==
+ LDNS_RCODE_NOERROR)
 /* no need to send query if it is already
 * cached as NOERROR/NODATA */
 return 1;
diff --git a/util/config_file.h b/util/config_file.h
index d746791ea..8fa163ed7 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -364,7 +364,7 @@ struct config_file {
 struct config_str2list* ratelimit_below_domain;
 /** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
 int ratelimit_factor;
-
+ /** minimise outgoing QNAME and hide original QTYPE if possible */
 int qname_minimisation;
 };
 
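Review bot: The new rcode test in the cache short-circuit of the second iterator.c hunk is not explained: the condition now trusts only a cached NOERROR reply with an empty answer section, yet the comment that follows still reads as if any cached empty answer qualified, so a reader cannot tell that a cached NXDOMAIN, SERVFAIL or REFUSED must still result in an outgoing query. I would extend it to `/* no need to send query if it is already cached as NOERROR/NODATA; other rcodes (e.g. NXDOMAIN) are not trusted to short-circuit the minimised query */`. The dns_cache_lookup result is also accepted without looking at its security status, so a cached entry that validation marked bogus could presumably still suppress the query; worth confirming that is intended or adding a check on `msg->rep->security`. As a point of style, the continuation `&& FLAGS_GET_RCODE(msg->rep->flags) ==` leaves the comparison dangling at line end; `&& FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_NOERROR)` on one line reads better. processQueryTargets starts and ends outside the hunk.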