From: Wouter Wijngaards Date: Wed, 19 Nov 2014 08:43:08 +0000 (+0000) Subject: - Fix cdflag dns64 processing. X-Git-Tag: release-1.5.1rc1~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67a3c4933c9eca157a64383750d34dcc746e6b62;p=thirdparty%2Funbound.git - Fix cdflag dns64 processing. git-svn-id: file:///svn/unbound/trunk@3275 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 98fab2f4c..b1fca5fd5 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+19 November 2014: Wouter
+ - Fix cdflag dns64 processing.
+
 18 November 2014: Wouter
 - Fix that CD flag disables DNS64 processing, returning the DNSSEC signed AAAA denial.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 5bd5796b7..843948a2e 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -487,6 +487,7 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
 uint16_t qflags = 0; /* OPCODE QUERY, no flags */
 struct query_info qinf;
 int prime = (finalstate == PRIME_RESP_STATE)?1:0;
+ int valrec = 0;
 qinf.qname = qname;
 qinf.qname_len = qnamelen;
 qinf.qtype = qtype;
@@ -500,12 +501,14 @@ generate_sub_request(uint8_t* qname, size_t qnamelen, uint16_t qtype,
 * the resolution chain, which might have a validator. We are
 * uninterested in validating things not on the direct resolution
 * path. */
- if(!v)
+ if(!v) {
 qflags |= BIT_CD;
+ valrec = 1;
+ }
 /* attach subquery, lookup existing or make a new one */
 fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
- if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime, 0,
+ if(!(*qstate->env->attach_sub)(qstate, &qinf, qflags, prime, valrec,
 &subq)) {
 return 0;
 }
diff --git a/services/mesh.c b/services/mesh.c
index 780cb3e4d..a69aced22 100644
--- a/services/mesh.c
+++ b/services/mesh.c
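Review bot: In the second iterator/iterator.c hunk, `valrec = 1` is set only as a side effect of the `if(!v)` branch that sets BIT_CD, and the comment above that branch still explains only the CD flag. Since the validator.c part of this commit stops treating BIT_CD as a reason to skip validation, valrec is now what keeps off-path subqueries out of the validator, and a later edit that sets one without the other would change that silently. I would add a line above the assignment such as `/* valrec tells the validator to skip this subquery; BIT_CD alone no longer does */`. generate_sub_request starts and ends outside both hunks.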
@@ -282,7 +282,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 uint16_t qflags, struct edns_data* edns, struct comm_reply* rep, uint16_t qid)
 {
- struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&BIT_RD, 0, 0);
+ struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
 int was_detached = 0;
 int was_noreply = 0;
 int added = 0;
@@ -312,7 +312,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 #ifdef UNBOUND_DEBUG
 struct rbnode_t* n;
 #endif
- s = mesh_state_create(mesh->env, qinfo, qflags&BIT_RD, 0, 0);
+ s = mesh_state_create(mesh->env, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
 if(!s) {
 log_err("mesh_state_create: out of memory; SERVFAIL");
 error_encode(rep->c->buffer, LDNS_RCODE_SERVFAIL,
@@ -376,7 +376,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 uint16_t qflags, struct edns_data* edns, sldns_buffer* buf, uint16_t qid, mesh_cb_func_t cb, void* cb_arg)
 {
- struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&BIT_RD, 0, 0);
+ struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
 int was_detached = 0;
 int was_noreply = 0;
 int added = 0;
@@ -387,7 +387,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 #ifdef UNBOUND_DEBUG
 struct rbnode_t* n;
 #endif
- s = mesh_state_create(mesh->env, qinfo, qflags&BIT_RD, 0, 0);
+ s = mesh_state_create(mesh->env, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
 if(!s) {
 return 0;
 }
@@ -429,7 +429,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
 uint16_t qflags, time_t leeway)
 {
- struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&BIT_RD, 0, 0);
+ struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
 #ifdef UNBOUND_DEBUG
 struct rbnode_t* n;
 #endif
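Review bot: The mask `qflags&(BIT_RD|BIT_CD)` is now written out at six call sites, the find/create pairs in mesh_new_client, mesh_new_callback and mesh_new_prefetch (the last create is in the -448 hunk). Each pair has to use the same mask, otherwise mesh_state_create stores a state under flags that the next mesh_area_find does not look up, so a single definition would be safer, for example a macro with a name of your choosing defined as `(BIT_RD|BIT_CD)` and used in all six places. BIT_CD comes from the client, so one name and type can now occupy two client states where it used to occupy one; the limits on mesh states are not visible here and are worth checking against that. All three functions continue outside the hunks.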
@@ -448,7 +448,7 @@ void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
 mesh->stats_dropped ++;
 return;
 }
- s = mesh_state_create(mesh->env, qinfo, qflags&BIT_RD, 0, 0);
+ s = mesh_state_create(mesh->env, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0);
 if(!s) {
 log_err("prefetch mesh_state_create: out of memory");
 return;
@@ -688,7 +688,6 @@ int mesh_attach_sub(struct module_qstate* qstate, struct query_info* qinfo,
 struct mesh_state* sub = mesh_area_find(mesh, qinfo, qflags, prime, valrec);
 int was_detached;
- log_info("mesh attach sub: myvalrec is %d", qstate->is_valrec);
 if(mesh_detect_cycle_found(qstate, sub)) {
 verbose(VERB_ALGO, "attach failed, cycle detected");
 return 0;
diff --git a/validator/validator.c b/validator/validator.c
index 1e929572f..9d5d5c390 100644
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -283,12 +283,20 @@ needs_validation(struct module_qstate* qstate, int ret_rc,
 {
 int rcode;
- /* If the CD bit is on in the original request, then we don't bother to
- * validate anything.*/
+ /* If the CD bit is on in the original request, then you could think
+ * that we don't bother to validate anything.
+ * But this is signalled internally with the valrec flag.
+ * User queries are validated with BIT_CD to make our cache clean
+ * so that bogus messages get retried by the upstream also for
+ * downstream validators that set BIT_CD.
+ * For DNS64 bit_cd signals no dns64 processing, but we want to
+ * provide validation there too */
+ /*
 if(qstate->query_flags & BIT_CD) {
 verbose(VERB_ALGO, "not validating response due to CD bit");
 return 0;
 }
+ */
 if(qstate->is_valrec) {
 verbose(VERB_ALGO, "not validating response, is valrec" "(validation recursion lookup)");
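Review bot: In needs_validation the BIT_CD early return is switched off by wrapping it in `/*` and `*/` instead of being deleted. Commented-out code in the function that decides whether a response is validated is easy to restore by accident, and the wrapper stops working as soon as someone puts a comment inside the block; the new explanatory comment already records why the check went away, so the four lines from `if(qstate->query_flags & BIT_CD) {` to its closing `}` can simply be removed. With the check gone, answers to CD queries are validated, and the hunk does not show what is returned to a CD client when the result is bogus, so that path is worth confirming. The function body continues past the end of the hunk.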