From: Vladimír Čunát
Date: Wed, 5 Apr 2017 16:41:16 +0000 (+0200)
Subject: extend NONAUTH even to non-validated records
X-Git-Tag: v1.3.0~23^2~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3cb60b6ee0161be589d42dd93cdc2e44160d451c;p=thirdparty%2Fknot-resolver.git

extend NONAUTH even to non-validated records

Also rename NOAUTH->NONAUTH.
---

diff --git a/daemon/lua/kres-gen.lua b/daemon/lua/kres-gen.lua
index 9ceb36e69..ff1fcfd9b 100644
--- a/daemon/lua/kres-gen.lua
+++ b/daemon/lua/kres-gen.lua
@@ -162,7 +162,7 @@ struct kr_context { struct kr_zonecut root_hints; char _stub[]; }; -struct query_flag {static const int NO_MINIMIZE = 1; static const int NO_THROTTLE = 2; static const int NO_IPV6 = 4; static const int NO_IPV4 = 8; static const int TCP = 16; static const int RESOLVED = 32; static const int AWAIT_IPV4 = 64; static const int AWAIT_IPV6 = 128; static const int AWAIT_CUT = 256; static const int SAFEMODE = 512; static const int CACHED = 1024; static const int NO_CACHE = 2048; static const int EXPIRING = 4096; static const int ALLOW_LOCAL = 8192; static const int DNSSEC_WANT = 16384; static const int DNSSEC_BOGUS = 32768; static const int DNSSEC_INSECURE = 65536; static const int STUB = 131072; static const int ALWAYS_CUT = 262144; static const int DNSSEC_WEXPAND = 524288; static const int PERMISSIVE = 1048576; static const int STRICT = 2097152; static const int BADCOOKIE_AGAIN = 4194304; static const int CNAME = 8388608; static const int REORDER_RR = 16777216; static const int TRACE = 33554432; static const int NO_0X20 = 67108864; static const int DNSSEC_NODS = 134217728; static const int DNSSEC_OPTOUT = 268435456; static const int NOAUTH = 536870912;}; +struct query_flag {static const int NO_MINIMIZE = 1; static const int NO_THROTTLE = 2; static const int NO_IPV6 = 4; static const int NO_IPV4 = 8; static const int TCP = 16; static const int RESOLVED = 32; static const int AWAIT_IPV4 = 64; static const int AWAIT_IPV6 = 128; static const int AWAIT_CUT = 256; static const int SAFEMODE = 512; static const int CACHED = 1024; static const int NO_CACHE = 2048; static const int EXPIRING = 4096; static const int ALLOW_LOCAL = 8192; static const int DNSSEC_WANT = 16384; static const int DNSSEC_BOGUS = 32768; static const int DNSSEC_INSECURE = 65536; static const int STUB = 131072; static const int ALWAYS_CUT = 262144; static const int DNSSEC_WEXPAND = 524288; static const int PERMISSIVE = 1048576; static const int STRICT = 2097152; static const int 
BADCOOKIE_AGAIN = 4194304; static const int CNAME = 8388608; static const int REORDER_RR = 16777216; static const int TRACE = 33554432; static const int NO_0X20 = 67108864; static const int DNSSEC_NODS = 134217728; static const int DNSSEC_OPTOUT = 268435456; static const int NONAUTH = 536870912;}; int knot_dname_size(const knot_dname_t *); knot_dname_t *knot_dname_from_str(uint8_t *, const char *, size_t); char *knot_dname_to_str(char *, const knot_dname_t *, size_t);
diff --git a/lib/layer/pktcache.c b/lib/layer/pktcache.c
index b3bf34b63..f744cebcb 100644
--- a/lib/layer/pktcache.c
+++ b/lib/layer/pktcache.c
@@ -70,12 +70,10 @@ static int loot_pktcache(struct kr_cache *cache, knot_pkt_t *pkt,
 return ret;
 }
- uint8_t lowest_rank = KR_RANK_INITIAL;
- if (!(qry->flags & QUERY_NOAUTH)) {
- lowest_rank |= KR_RANK_AUTH;
- }
- if (!knot_wire_get_cd(req->answer->wire)) {
- lowest_rank |= KR_RANK_INSECURE;
+ uint8_t lowest_rank = KR_RANK_AUTH | KR_RANK_INSECURE;
+ /* There's probably little sense for NONAUTH in pktcache. */
+ if (knot_wire_get_cd(req->answer->wire)) {
+ lowest_rank &= ~KR_RANK_INSECURE;
 }
 if (entry->rank < lowest_rank) {
 return kr_error(ENOENT);
diff --git a/lib/layer/rrcache.c b/lib/layer/rrcache.c
index cb3770218..dd66f311c 100644
--- a/lib/layer/rrcache.c
+++ b/lib/layer/rrcache.c
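Review bot: The new `lowest_rank` in loot_pktcache no longer consults QUERY_NONAUTH at all, so a NONAUTH query now needs a packet-cache entry carrying KR_RANK_AUTH (and KR_RANK_INSECURE unless CD is set) where the removed code accepted a non-authoritative one; that is a behaviour change beyond the rename, and the added comment only says "probably". If this is intended, state it instead of hedging, e.g. `/* QUERY_NONAUTH is deliberately ignored here: packet-cache hits must carry KR_RANK_AUTH; only the rrcache layer relaxes that. */`. The rrcache hunk of this same commit does honour NONAUTH, so the two loot paths now diverge, and a pointer to that in the comment would save the next reader a search. loot_pktcache continues outside the hunk.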
@@ -145,12 +145,17 @@ static int loot_rrcache(struct kr_cache *cache, knot_pkt_t *pkt,
 * TODO: move rank handling into the iterator (QUERY_DNSSEC_* flags)? */
 uint8_t rank = 0;
 uint8_t flags = 0;
- uint8_t lowest_rank = KR_RANK_INITIAL;
- if (!(qry->flags & QUERY_NOAUTH)) {
- lowest_rank |= KR_RANK_AUTH;
- }
- if (!cdbit) {
- lowest_rank |= KR_RANK_INSECURE;
+ uint8_t lowest_rank = KR_RANK_AUTH | KR_RANK_INSECURE;
+ if (qry->flags & QUERY_NONAUTH) {
+ lowest_rank &= ~KR_RANK_AUTH;
+ lowest_rank &= ~KR_RANK_INSECURE;
+ /* Note: there's little sense in validation status for non-auth records.
+ * In case of using NONAUTH to get NS IPs, knowing that you ask correct
+ * IP doesn't matter much for security; it matters whether you can
+ * validate the answers from the NS. */
+ }
+ if (cdbit) {
+ lowest_rank &= ~KR_RANK_INSECURE;
 }
 int ret = loot_rr(cache, pkt, qry->sname, qry->sclass, rrtype, qry,
diff --git a/lib/resolve.c b/lib/resolve.c
index 47d1c34be..a766230e3 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -341,7 +341,7 @@ static int ns_resolve_addr(struct kr_query *qry, struct kr_request *param)
 if (!next) {
 return kr_error(ENOMEM);
 }
- next->flags |= QUERY_NOAUTH;
+ next->flags |= QUERY_NONAUTH;
 }
 /* At the root level with no NS addresses, add SBELT subrequest. */
 int ret = 0;
diff --git a/lib/rplan.h b/lib/rplan.h
index 7a519a15f..99344a43a 100644
--- a/lib/rplan.h
+++ b/lib/rplan.h
@@ -55,7 +55,7 @@
 X(NO_0X20, 1 << 26) /**< Disable query case randomization . */ \
 X(DNSSEC_NODS, 1 << 27) /**< DS non-existance is proven */ \
 X(DNSSEC_OPTOUT, 1 << 28) /**< Closest encloser proof has optout */ \
- X(NOAUTH, 1 << 29) /**< Non-authoritative in-bailiwick records are enough.
+ X(NONAUTH, 1 << 29) /**< Non-authoritative in-bailiwick records are enough.
 * TODO: utilize this also outside cache. */ \
 /* 1 << 31 Used by ../modules/dns64/dns64.lua */
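Review bot: In the QUERY_NONAUTH branch of loot_rrcache the floor drops to 0, because both KR_RANK_AUTH and KR_RANK_INSECURE are cleared from `lowest_rank`, whereas the removed code never went below KR_RANK_INITIAL. If KR_RANK_INITIAL is not 0, or if rank values below KR_RANK_INSECURE exist that mark a record as having failed validation, a NONAUTH lookup (the path ns_resolve_addr uses for NS addresses, per the resolve.c hunk) would now accept such records; the in-line note argues this is harmless because the NS's answers get validated, but that reasoning only covers zones the resolver can actually validate, so the caveat belongs in the comment. Consider `lowest_rank = KR_RANK_INITIAL;` in that branch in place of the two `&=` lines, which keeps the previous floor, is independent of the bit layout of the rank constants, and is shorter. loot_rrcache continues outside the hunk.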