From: Wouter Wijngaards Date: Mon, 9 Jun 2008 08:29:59 +0000 (+0000) Subject: Fixup Richard Doty reported lameness detection fault. X-Git-Tag: release-1.0.1~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8527bd4affc68b68ea0e04b61c2065fe91d64972;p=thirdparty%2Funbound.git Fixup Richard Doty reported lameness detection fault. git-svn-id: file:///svn/unbound/trunk@1111 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 20a709938..0c221a695 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,10 @@ +9 June 2008: Wouter + - in iteration response type code + * first check for SOA record (negative answer) before NS record + and lameness. + * check if no AA bit for non-forwarder, and thus lame zone. + In response to error report by Richard Doty for mail.opusnet.com. + 8 June 2008: Wouter - if multiple CNAMEs, use the first one. Fixup akamai CNAME bug. Reported by Robert Edmonds. diff --git a/iterator/iter_resptype.c b/iterator/iter_resptype.c index bad8e393a..17d546986 100644 --- a/iterator/iter_resptype.c +++ b/iterator/iter_resptype.c @@ -104,6 +104,7 @@ response_type_from_server(int rdset, struct dns_msg* msg, struct query_info* request, struct delegpt* dp) { uint8_t* origzone = (uint8_t*)"\000"; /* the default */ + struct ub_packed_rrset_key* s; size_t origzonelen = 1; size_t i; @@ -188,12 +189,10 @@ response_type_from_server(int rdset, } /* Looking at the authority section, we just look and see if - * there is a delegation NS set, turning it into a delegation. - * Otherwise, we will have to conclude ANSWER (either it is - * NOERROR/NODATA, or an non-authoritative answer). */ + * there is a SOA record, that means a NOERROR/NODATA */ for(i = msg->rep->an_numrrsets; i < (msg->rep->an_numrrsets + msg->rep->ns_numrrsets); i++) { - struct ub_packed_rrset_key* s = msg->rep->rrsets[i]; + s = msg->rep->rrsets[i]; /* The normal way of detecting NOERROR/NODATA. */ if(ntohs(s->rk.type) == LDNS_RR_TYPE_SOA && 
@@ -204,19 +203,32 @@ response_type_from_server(int rdset, return RESPONSE_TYPE_LAME; return RESPONSE_TYPE_ANSWER; } + } + /* Looking at the authority section, we just look and see if + * there is a delegation NS set, turning it into a delegation. + * Otherwise, we will have to conclude ANSWER (either it is + * NOERROR/NODATA, or an non-authoritative answer). */ + for(i = msg->rep->an_numrrsets; i < (msg->rep->an_numrrsets + + msg->rep->ns_numrrsets); i++) { + s = msg->rep->rrsets[i]; /* Detect REFERRAL/LAME/ANSWER based on the relationship * of the NS set to the originating zone name. */ if(ntohs(s->rk.type) == LDNS_RR_TYPE_NS) { /* If we are getting an NS set for the zone we * thought we were contacting, then it is an answer.*/ - /* FIXME: is this correct? */ if(query_dname_compare(s->rk.dname, origzone) == 0) { /* see if mistakenly a recursive server was * deployed and is responding nonAA */ if( (msg->rep->flags&BIT_RA) && !(msg->rep->flags&BIT_AA) && !rdset) return RESPONSE_TYPE_LAME; + /* Or if a lame server is deployed, + * which gives ns==zone delegation from cache + * without AA bit as well, with nodata nosoa*/ + if(msg->rep->an_numrrsets==0 && + !(msg->rep->flags&BIT_AA) && !rdset) + return RESPONSE_TYPE_LAME; return RESPONSE_TYPE_ANSWER; } /* If we are getting a referral upwards (or to diff --git a/testdata/iter_lame_noaa.rpl b/testdata/iter_lame_noaa.rpl new file mode 100644 index 000000000..0e11ac8d8 --- /dev/null +++ b/testdata/iter_lame_noaa.rpl 
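Review bot: The added `an_numrrsets==0 && !(msg->rep->flags&BIT_AA) && !rdset` branch returns RESPONSE_TYPE_LAME from the header flags and section counts of a single reply, but its comment does not say why a non-AA reply that does carry answer records still falls through to RESPONSE_TYPE_ANSWER. Both lame checks share `!(msg->rep->flags&BIT_AA) && !rdset`, so the rule would read more clearly as one condition: `if(!(msg->rep->flags&BIT_AA) && !rdset && ((msg->rep->flags&BIT_RA) || msg->rep->an_numrrsets==0)) return RESPONSE_TYPE_LAME;`. These fields come from an unauthenticated reply, so the comment should also state what the caller does with a LAME verdict; presumably it stops using that server for the zone, which is not visible here. That would make the effect of a stale or forged non-AA reply on server selection explicit. The body of response_type_from_server starts and ends outside this hunk.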
@@ -0,0 +1,150 @@
+; config options
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test lame detection if AA bit is omitted
+; the query is answered with a reply that has
+; no AA bit
+; no SOA record
+; noanswer/noerror
+; NS record in there which is not a down delegation (==).
+; the query is not sent to a forward zone
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; root prime is sent
+STEP 20 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+. IN NS
+ENTRY_END
+STEP 30 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+; query sent to root server
+STEP 40 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+STEP 50 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+; query sent to .com server
+STEP 60 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+STEP 70 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns1.example.com.
+example.com. IN NS ns2.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ns2.example.com. IN A 168.192.3.3
+ENTRY_END
+
+; no matter which one the iterator tries first, we present it as 'lame'
+; query to ns1.example.com or ns2.example.com.
+STEP 80 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+STEP 90 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+; This is the BROKEN ANSWER here.
+; it is lame. A delegation to example.com. itself.
+example.com. IN NS ns1.example.com.
+example.com. IN NS ns2.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ns2.example.com. IN A 168.192.3.3
+ENTRY_END
+
+; iterator should try again and ask the other nameserver.
+STEP 100 CHECK_OUT_QUERY
+ENTRY_BEGIN
+MATCH qname qtype opcode
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+STEP 110 REPLY
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns1.example.com.
+example.com. IN NS ns2.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ns2.example.com. IN A 168.192.3.3
+ENTRY_END
+
+; is the final answer correct?
+STEP 200 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns1.example.com.
+example.com. IN NS ns2.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ns2.example.com. IN A 168.192.3.3
+ENTRY_END
+
+SCENARIO_END
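Review bot: The scenario covers only the positive case, so nothing here guards against the new lame check firing where it should not. Companion scenarios are needed for a non-AA reply that does carry answer records, and for the same reply when the query went to a forwarder; both should still be treated as an answer. STEP 80 through STEP 110 also accept the retry without constraining which server receives it (the comment says "no matter which one the iterator tries first"), so a resolver that re-asked the same lame server would still pass. The glue addresses `168.192.2.2` and `168.192.3.3` look like transposed `192.168.x.x` values; this is harmless in a replay file, but a reserved test range would avoid naming routable space.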