From: Mark Andrews Date: Fri, 26 Nov 2021 23:41:38 +0000 (+1100) Subject: Add synthesis of NODATA at wildcard X-Git-Tag: v9.17.21~5^2~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3fa3b11ef86a1613f901b94bde3e8649c82c7412;p=thirdparty%2Fbind9.git Add synthesis of NODATA at wildcard The old code rejected NSEC that proved the wildcard name existed (exists). The new code rejects NSEC that prove that the wildcard name exists and that the type exists (exists && data) but accept NSEC that prove the wildcard name exists. query_synthnxdomain (renamed query_synthnxdomainnodata) already took the NSEC records and added the correct records to the message body for NXDOMAIN or NODATA responses with the above change. The only additional change needed was to ensure the correct RCODE is set. --- diff --git a/lib/ns/query.c b/lib/ns/query.c index ce88b2df51c..c1242d004e7 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -9856,17 +9856,18 @@ query_synthcnamewildcard(query_ctx_t *qctx, dns_rdataset_t *rdataset, } /* - * Synthesize a NXDOMAIN response from qctx (which contains the - * NODATA proof), nowild + nowildrdataset + signowildrdataset (which - * contains the NOWILDCARD proof) and signer + soardatasetp + sigsoardatasetp - * which contain the SOA record + RRSIG for the negative answer. + * Synthesize a NXDOMAIN or NODATA response from qctx (which contains the + * NOQNAME proof), nowild + nowildrdataset + signowildrdataset (which + * contains the NOWILDCARD proof or NODATA at wildcard) and + * signer + soardatasetp + sigsoardatasetp which contain the + * SOA record + RRSIG for the negative answer. */ static isc_result_t -query_synthnxdomain(query_ctx_t *qctx, dns_name_t *nowild, - dns_rdataset_t *nowildrdataset, - dns_rdataset_t *signowildrdataset, dns_name_t *signer, - dns_rdataset_t **soardatasetp, - dns_rdataset_t **sigsoardatasetp) { +query_synthnxdomainnodata(query_ctx_t *qctx, bool nodata, dns_name_t *nowild, + dns_rdataset_t *nowildrdataset, + dns_rdataset_t *signowildrdataset, dns_name_t *signer, + dns_rdataset_t **soardatasetp, + dns_rdataset_t **sigsoardatasetp) { dns_name_t *name = NULL; dns_ttl_t ttl; isc_buffer_t *dbuf, b; @@ -9954,9 +9955,13 @@ query_synthnxdomain(query_ctx_t *qctx, dns_name_t *nowild, DNS_SECTION_AUTHORITY); } - qctx->client->message->rcode = dns_rcode_nxdomain; + if (nodata) { + inc_stats(qctx->client, ns_statscounter_nodatasynth); + } else { + qctx->client->message->rcode = dns_rcode_nxdomain; + inc_stats(qctx->client, ns_statscounter_nxdomainsynth); + } result = ISC_R_SUCCESS; - inc_stats(qctx->client, ns_statscounter_nxdomainsynth); cleanup: if (name != NULL) { @@ -10176,7 +10181,7 @@ query_coveringnsec(query_ctx_t *qctx) { result = dns_nsec_noexistnodata(qctx->qtype, wild, nowild, &rdataset, &exists, &data, NULL, log_noexistnodata, qctx); - if (result != ISC_R_SUCCESS || exists) { + if (result != ISC_R_SUCCESS || (exists && data)) { goto cleanup; } break; @@ -10240,9 +10245,9 @@ query_coveringnsec(query_ctx_t *qctx) { if (result != ISC_R_SUCCESS) { goto cleanup; } - - (void)query_synthnxdomain(qctx, nowild, &rdataset, &sigrdataset, signer, - &soardataset, &sigsoardataset); + (void)query_synthnxdomainnodata(qctx, exists, nowild, &rdataset, + &sigrdataset, signer, &soardataset, + &sigsoardataset); done = true; cleanup: