From: Vladimír Čunát Date: Wed, 5 Apr 2017 16:03:50 +0000 (+0200) Subject: OK to use non-authoritative sources for NS addresses X-Git-Tag: v1.3.0~23^2~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=810067af12bfd260629a33971701601520655109;p=thirdparty%2Fknot-resolver.git OK to use non-authoritative sources for NS addresses ... *if* we only want to ask the NSs, i.e. not to be put into answer. This fixes iter_cname_cache test.
---
diff --git a/daemon/lua/kres-gen.lua b/daemon/lua/kres-gen.lua
index 1eb466ffd..9ceb36e69 100644
--- a/daemon/lua/kres-gen.lua
+++ b/daemon/lua/kres-gen.lua
@@ -162,7 +162,7 @@ struct kr_context { struct kr_zonecut root_hints; char _stub[]; }; -struct query_flag {static const int NO_MINIMIZE = 1; static const int NO_THROTTLE = 2; static const int NO_IPV6 = 4; static const int NO_IPV4 = 8; static const int TCP = 16; static const int RESOLVED = 32; static const int AWAIT_IPV4 = 64; static const int AWAIT_IPV6 = 128; static const int AWAIT_CUT = 256; static const int SAFEMODE = 512; static const int CACHED = 1024; static const int NO_CACHE = 2048; static const int EXPIRING = 4096; static const int ALLOW_LOCAL = 8192; static const int DNSSEC_WANT = 16384; static const int DNSSEC_BOGUS = 32768; static const int DNSSEC_INSECURE = 65536; static const int STUB = 131072; static const int ALWAYS_CUT = 262144; static const int DNSSEC_WEXPAND = 524288; static const int PERMISSIVE = 1048576; static const int STRICT = 2097152; static const int BADCOOKIE_AGAIN = 4194304; static const int CNAME = 8388608; static const int REORDER_RR = 16777216; static const int TRACE = 33554432; static const int NO_0X20 = 67108864; static const int DNSSEC_NODS = 134217728; static const int DNSSEC_OPTOUT = 268435456;}; +struct query_flag {static const int NO_MINIMIZE = 1; static const int NO_THROTTLE = 2; static const int NO_IPV6 = 4; static const int NO_IPV4 = 8; static const int TCP = 16; static const int RESOLVED = 32; static const int AWAIT_IPV4 = 64; static const int AWAIT_IPV6 = 128; static const int AWAIT_CUT = 256; static const int SAFEMODE = 512; static const int CACHED = 1024; static const int NO_CACHE = 2048; static const int EXPIRING = 4096; static const int ALLOW_LOCAL = 8192; static const int DNSSEC_WANT = 16384; static const int DNSSEC_BOGUS = 32768; static const int DNSSEC_INSECURE = 65536; static const int STUB = 131072; static const int ALWAYS_CUT = 262144; static const int DNSSEC_WEXPAND = 524288; static const int PERMISSIVE = 1048576; static const int STRICT = 2097152; static const int BADCOOKIE_AGAIN = 4194304; static const int 
CNAME = 8388608; static const int REORDER_RR = 16777216; static const int TRACE = 33554432; static const int NO_0X20 = 67108864; static const int DNSSEC_NODS = 134217728; static const int DNSSEC_OPTOUT = 268435456; static const int NOAUTH = 536870912;}; int knot_dname_size(const knot_dname_t *); knot_dname_t *knot_dname_from_str(uint8_t *, const char *, size_t); char *knot_dname_to_str(char *, const knot_dname_t *, size_t);
diff --git a/lib/layer/pktcache.c b/lib/layer/pktcache.c
index f9eddc170..b3bf34b63 100644
--- a/lib/layer/pktcache.c
+++ b/lib/layer/pktcache.c
@@ -70,8 +70,14 @@ static int loot_pktcache(struct kr_cache *cache, knot_pkt_t *pkt,
 return ret;
 }
- if (!knot_wire_get_cd(req->answer->wire)
- && entry->rank < (KR_RANK_INSECURE|KR_RANK_AUTH)) {
+ uint8_t lowest_rank = KR_RANK_INITIAL;
+ if (!(qry->flags & QUERY_NOAUTH)) {
+ lowest_rank |= KR_RANK_AUTH;
+ }
+ if (!knot_wire_get_cd(req->answer->wire)) {
+ lowest_rank |= KR_RANK_INSECURE;
+ }
+ if (entry->rank < lowest_rank) {
 return kr_error(ENOENT);
 }
diff --git a/lib/layer/rrcache.c b/lib/layer/rrcache.c
index 60df23d5e..cb3770218 100644
--- a/lib/layer/rrcache.c
+++ b/lib/layer/rrcache.c
@@ -145,7 +145,10 @@ static int loot_rrcache(struct kr_cache *cache, knot_pkt_t *pkt,
 * TODO: move rank handling into the iterator (QUERY_DNSSEC_* flags)? */
 uint8_t rank = 0;
 uint8_t flags = 0;
- uint8_t lowest_rank = KR_RANK_AUTH;
+ uint8_t lowest_rank = KR_RANK_INITIAL;
+ if (!(qry->flags & QUERY_NOAUTH)) {
+ lowest_rank |= KR_RANK_AUTH;
+ }
 if (!cdbit) {
 lowest_rank |= KR_RANK_INSECURE;
 }
diff --git a/lib/resolve.c b/lib/resolve.c
index d1757e3a1..47d1c34be 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -341,6 +341,7 @@ static int ns_resolve_addr(struct kr_query *qry, struct kr_request *param)
 if (!next) {
 return kr_error(ENOMEM);
 }
+ next->flags |= QUERY_NOAUTH;
 }
 /* At the root level with no NS addresses, add SBELT subrequest. */
 int ret = 0;
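Review bot: In the lib/layer/pktcache.c hunk the final test `entry->rank < lowest_rank` compares a threshold assembled from OR'ed flags numerically, so once `QUERY_NOAUTH` drops `KR_RANK_AUTH` the authority and validation requirements are no longer checked independently; if `KR_RANK_AUTH` is the numerically larger bit (the enum is not visible here), an authoritative but unvalidated entry would clear the `KR_RANK_INSECURE` floor even with CD clear. With both NOAUTH and CD set the threshold is `KR_RANK_INITIAL`, and assuming that is the lowest rank nothing is rejected at all. I would state the intended contract above the block, e.g. `/* NOAUTH relaxes only the authority floor; entries admitted this way may steer NS selection but must not reach the answer. */`, and add a test for NOAUTH with CD clear. The same threshold logic is repeated in the loot_rrcache hunk in lib/layer/rrcache.c, where the same applies. loot_pktcache starts before and continues after the hunk.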
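Review bot: In the lib/resolve.c hunk the added `next->flags |= QUERY_NOAUTH;` carries no comment, yet the safety of the relaxed cache ranks rests on this line: they are acceptable only because this sub-query's result is used to reach the name server and is not copied into the client answer. I would say so at the assignment, e.g. `/* NS address is only used to contact the server, never put into the answer, so non-authoritative cache data is acceptable. */`. It is not visible from this hunk whether follow-up queries planned from `next` inherit the flag; if they can, the comment should say whether that is intended. ns_resolve_addr starts before and continues after the hunk.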
diff --git a/lib/rplan.h b/lib/rplan.h
index 4f7628963..7a519a15f 100644
--- a/lib/rplan.h
+++ b/lib/rplan.h
@@ -55,6 +55,8 @@
 X(NO_0X20, 1 << 26) /**< Disable query case randomization . */ \
 X(DNSSEC_NODS, 1 << 27) /**< DS non-existance is proven */ \
 X(DNSSEC_OPTOUT, 1 << 28) /**< Closest encloser proof has optout */ \
+ X(NOAUTH, 1 << 29) /**< Non-authoritative in-bailiwick records are enough.
+ * TODO: utilize this also outside cache. */ \
 /* 1 << 31 Used by ../modules/dns64/dns64.lua */
 /** Query flags */
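Review bot: The doc comment on `NOAUTH` promises "in-bailiwick" records, but the two cache checks this commit touches (loot_pktcache and loot_rrcache) only lower the rank threshold and test nothing about bailiwick, so that property depends on code not shown in this diff. The comment should either name where the bailiwick restriction is enforced or describe only what the flag does, e.g. `/**< Cache lookups may return non-authoritative records; set only for sub-queries whose result is not put into the answer.`. Stating the "not put into the answer" condition here also gives later users of the flag the constraint that the commit message relies on.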