From: Evan Hunt Date: Fri, 17 Apr 2026 02:40:40 +0000 (-0700) Subject: remove unneeded options in dns_zonefetch X-Git-Tag: v9.21.22~52^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e3561a477224c3b03f897621acdae60c59cb805;p=thirdparty%2Fbind9.git remove unneeded options in dns_zonefetch In the dns_zonefetch mechanism, some option flags for dns_resolver_createfetch() were used for all fetches, but were actually only needed by the DNSKEY refresh fetches. (Specifially, these options were DNS_FETCHOPT_UNSHARED and DNS_FETCHOPT_NOCACHED, which were used along with DNS_FETCHOPT_NOVALIDATE to ensure we get a new copy of the DNSKEY as it is currently published by the authority, without prior validation. Those conditions are needed for RFC 5011 trust anchor maintenace, but not when looking up parent-NS or DSYNC RRsets.)
---
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 8fecf876516..e5254dd7103 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -9763,6 +9763,24 @@ zone_refreshkeys(dns_zone_t *zone) {
 dns_zonefetch_t *fetch = NULL;
 dns_keyfetch_t *kfetch = NULL;
+ /*
+ * This is a special query for RFC5011 maintenance
+ * of a trust anchor. We will be validating it
+ * in keyfetch_done() against a previously-known
+ * trust anchor; we do not want the normal
+ * validation process to occur. We set
+ * DNS_FETCHOPT_NOVALIDATE to suppress validation
+ * in the resolver, and DNS_FETCHOPT_UNSHARED so
+ * this fetch isn't combined with another one that
+ * might be validating.
+ *
+ * We must also use DNS_FETCHOPT_NOCACHED, because
+ * if it was not set and the cache still held a
+ * non-expired, validated version of the DNSKEY,
+ * then we'd receive the old, cached version
+ * instead of the new response - the old version
+ * would have a higher trust level.
+ */
 fetch = isc_mem_get(zone->mctx, sizeof(dns_zonefetch_t));
 *fetch = (dns_zonefetch_t){
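Review bot: With the `INSIST((fetch->options & DNS_FETCHOPT_NOCACHED) != 0);` removed from dns_zonefetch_run() in the lib/dns/zonefetch.c hunk, nothing left in the patch checks that the RFC 5011 DNSKEY refresh fetch this new comment describes actually carries DNS_FETCHOPT_NOCACHED; the `.options` initializer the comment refers to is outside this hunk, so the invariant now rests on the comment alone. Because a cached, already-validated DNSKEY would silently stand in for the copy currently published by the authority, the check is worth re-anchoring where it is still required, e.g. after the initializer in zone_refreshkeys(): `INSIST((fetch->options & DNS_FETCHOPT_NOCACHED) != 0);`. The initializer and the rest of zone_refreshkeys() continue outside the hunk.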
@@ -17855,8 +17873,6 @@ zone_checkds(dns_zone_t *zone) {
 fetch = isc_mem_get(zone->mctx, sizeof(dns_zonefetch_t));
 *fetch = (dns_zonefetch_t){
 .zone = zone,
- .options = DNS_FETCHOPT_UNSHARED |
- DNS_FETCHOPT_NOCACHED,
 .fetchtype = ZONEFETCHTYPE_NS,
 .fetchmethods = (dns_zonefetch_methods_t){
@@ -18167,8 +18183,6 @@ nsfetch_dsync(dns_zonefetch_t *fetch, isc_result_t eresult) {
 zfetch = isc_mem_get(zone->mctx, sizeof(dns_zonefetch_t));
 *zfetch = (dns_zonefetch_t){
 .zone = zone,
- .options = DNS_FETCHOPT_UNSHARED |
- DNS_FETCHOPT_NOCACHED,
 .fetchtype = ZONEFETCHTYPE_DSYNC,
 .fetchmethods = (dns_zonefetch_methods_t){
@@ -18221,8 +18235,6 @@ zone_notifycds(dns_zone_t *zone) {
 fetch = isc_mem_get(zone->mctx, sizeof(dns_zonefetch_t));
 *fetch = (dns_zonefetch_t){
 .zone = zone,
- .options = DNS_FETCHOPT_UNSHARED |
- DNS_FETCHOPT_NOCACHED,
 .fetchtype = ZONEFETCHTYPE_NS,
 .fetchmethods = (dns_zonefetch_methods_t){
diff --git a/lib/dns/zonefetch.c b/lib/dns/zonefetch.c
index b7f84919225..ff28bff566e 100644
--- a/lib/dns/zonefetch.c
+++ b/lib/dns/zonefetch.c
@@ -63,17 +63,6 @@ dns_zonefetch_run(void *arg) {
 "Do fetch for %s/%s request", namebuf, typebuf);
 }
- /*
- * Use of DNS_FETCHOPT_NOCACHED is essential here. If it is not
- * set and the cache still holds a non-expired, validated version
- * of the RRset being queried for by the time the response is
- * received, the cached RRset will be passed to dns_zonefetch_done()
- * instead of the one received in the response as the latter will
- * have a lower trust level due to not being validated until
- * dns_zonefetch_done() is called.
- */
- INSIST((fetch->options & DNS_FETCHOPT_NOCACHED) != 0);
 result = dns_resolver_createfetch(
 resolver, fetch->qname, fetch->qtype, NULL, NULL, NULL, NULL, 0,
 fetch->options, 0, NULL, NULL, NULL, loop, dns_zonefetch_done,
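Review bot: After dropping `.options` from this initializer in zone_checkds() (and likewise in the nsfetch_dsync() and zone_notifycds() hunks), the field is left at zero by the designated initializer, so these fetches may now be answered from cache or merged with an in-flight fetch, yet nothing in the initializer records that this is deliberate, whereas zone_refreshkeys() documents its options at length. A one-line comment such as `/* default options: a cached or shared answer is acceptable for parent-NS and DSYNC lookups */` in each of the three initializers would keep that contrast visible. The comment removed from zonefetch.c noted that a cached RRset can be handed to dns_zonefetch_done() in place of the response; the `.fetchmethods` callbacks, which lie outside these hunks, presumably tolerate that and are worth confirming. Each initializer continues past the end of its hunk.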