From: Vladimír Čunát
Date: Tue, 3 Apr 2018 14:15:26 +0000 (+0200)
Subject: validator: fix CNAME to NXDOMAIN in a single answer
X-Git-Tag: v2.3.0~23^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4162e2da3f6d57c7618daf6c2924eb0b0cf250b9;p=thirdparty%2Fknot-resolver.git

validator: fix CNAME to NXDOMAIN in a single answer

Real example: cname.nohats.ca

This case was handled for forwarding only, presumably because it happened more often (no need to be withing single zone to be within single answer); now the approach is the same.
---

diff --git a/NEWS b/NEWS
index a32f43b95..93c5eb802 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,9 @@
+
+Bugfixes
+--------
+- validation: fix SERVFAIL in case of CNAME to NXDOMAIN in a single zone
+
+
 Knot Resolver 2.2.0 (2018-03-28)
 ================================
 
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 79be6e4a1..7f5e69659 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -954,9 +954,11 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
 }
 }
 
- /* Validate non-existence proof if not positive answer. */
- if (!qry->flags.CACHED && pkt_rcode == KNOT_RCODE_NXDOMAIN &&
- (!qry->flags.FORWARD || !qry->flags.CNAME)) {
+ /* Validate non-existence proof if not positive answer.
+ * In case of CNAME, iterator scheduled a sibling query for the target,
+ * so we just drop the negative piece of information and don't try to prove it.
+ * TODO: not ideal; with aggressive cache we'll at least avoid the extra packet. */
+ if (!qry->flags.CACHED && pkt_rcode == KNOT_RCODE_NXDOMAIN && !qry->flags.CNAME) {
 /* @todo If knot_pkt_qname(pkt) is used instead of qry->sname then the tests crash. */
 if (!has_nsec3) {
 ret = kr_nsec_name_error_response_check(pkt, KNOT_AUTHORITY, qry->sname);
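Review bot: The new condition skips the NXDOMAIN proof for every query with `qry->flags.CNAME` set, but nothing in the hunk records that the negative part of the answer went unvalidated; if the authority section is later written to cache under the query's security rank, the unproven NXDOMAIN for the CNAME target could be stored as if it had been validated, so it is worth confirming that the cache path discards it — the same applies to the NOERROR/NODATA check in the hunk at line 981. The comment also asserts that the iterator already scheduled a sibling query for the target, which is an invariant of another layer that this code cannot check; a pointer such as `/* see iterator: CNAME flag is set together with the follow-up query for the target */` would let a reader verify it. The widened `if` line now exceeds the wrap width the original code kept, so splitting it after `&&` as before would match the file's style. The rest of validate() lies outside the hunk.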
@@ -979,9 +981,9 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
 /* @todo WTH, this needs API that just tries to find a proof and the caller
 * doesn't have to worry about NSEC/NSEC3
- * @todo rework this */
- if (!qry->flags.CACHED && (pkt_rcode == KNOT_RCODE_NOERROR) &&
- (!qry->flags.FORWARD || !qry->flags.CNAME)) {
+ * @todo rework this
+ * CNAME: same as the NXDOMAIN case above */
+ if (!qry->flags.CACHED && pkt_rcode == KNOT_RCODE_NOERROR && !qry->flags.CNAME) {
 bool no_data = (an->count == 0 && knot_wire_get_aa(pkt->wire));
 if (no_data) {
 /* @todo