From: Wouter Wijngaards
Date: Tue, 4 Mar 2008 11:00:49 +0000 (+0000)
Subject: Fixup trust for CNAME chains. (and also DNAME).
X-Git-Tag: release-0.11~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=85af59c734a2f7c2a761e0b74c40234d85398fd2;p=thirdparty%2Funbound.git

Fixup trust for CNAME chains. (and also DNAME).

git-svn-id: file:///svn/unbound/trunk@1013 be551aaa-1e26-0410-a405-d3ace91eadb9
---

diff --git a/doc/Changelog b/doc/Changelog
index 24b9009ec..c6d6fbb9b 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+4 March 2008: Wouter
+	- From report by Jinmei Tatuya, rfc2181 trust value for remainder
+	  of a cname trust chain is lower; not full answer_AA.
+	- test for this fix.
+
 3 March 2008: Wouter
 	- Create 0.10 svn tag.
 	- 0.11 version in trunk.
diff --git a/testdata/trust_cname_chain.rpl b/testdata/trust_cname_chain.rpl
new file mode 100644
index 000000000..df73c626a
--- /dev/null
+++ b/testdata/trust_cname_chain.rpl
@@ -0,0 +1,158 @@
+; config options
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test trust in cname chain answer
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN CNAME xxx.example.com.
+xxx.example.com. IN CNAME yyy.example.com.
+yyy.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+qqq.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+yyy.example.com. IN A 10.20.30.42
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+
+; This stores it into cache.
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN CNAME xxx.example.com.
+xxx.example.com. IN CNAME yyy.example.com.
+yyy.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; This query creates and overwrites the cache
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+qqq.example.com. IN A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+qqq.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+yyy.example.com. IN A 10.20.30.42
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; get it again from cache.
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN CNAME xxx.example.com.
+xxx.example.com. IN CNAME yyy.example.com.
+yyy.example.com. IN A 10.20.30.42
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/util/data/msgreply.c b/util/data/msgreply.c
index 924ba64e3..5d732a759 100644
--- a/util/data/msgreply.c
+++ b/util/data/msgreply.c
@@ -292,7 +292,25 @@ get_rrset_trust(struct msg_parse* msg, struct rrset_parse* rrset)
 {
 	uint16_t AA = msg->flags & BIT_AA;
 	if(rrset->section == LDNS_SECTION_ANSWER) {
-		if(AA) return rrset_trust_ans_AA;
+		if(AA) {
+			/* RFC2181 says remainder of CNAME chain is nonauth*/
+			if(msg->rrset_first &&
+				msg->rrset_first->section==LDNS_SECTION_ANSWER
+				&& msg->rrset_first->type==LDNS_RR_TYPE_CNAME){
+				if(rrset == msg->rrset_first)
+					return rrset_trust_ans_AA;
+				else return rrset_trust_ans_noAA;
+			}
+			if(msg->rrset_first &&
+				msg->rrset_first->section==LDNS_SECTION_ANSWER
+				&& msg->rrset_first->type==LDNS_RR_TYPE_DNAME){
+				if(rrset == msg->rrset_first ||
+				   rrset == msg->rrset_first->rrset_all_next)
+					return rrset_trust_ans_AA;
+				else return rrset_trust_ans_noAA;
+			}
+			return rrset_trust_ans_AA;
+		}
 		else return rrset_trust_ans_noAA;
 	} else if(rrset->section == LDNS_SECTION_AUTHORITY) {
 		if(AA) return rrset_trust_auth_AA;
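Review bot: In the DNAME branch, `rrset == msg->rrset_first->rrset_all_next` grants rrset_trust_ans_AA to whichever rrset happens to follow the DNAME in the answer, without checking that it is the CNAME synthesized from that DNAME; tightening it to `rrset == msg->rrset_first->rrset_all_next && rrset->type == LDNS_RR_TYPE_CNAME` keeps an unrelated rrset placed there by the upstream server at the lower nonauth rank, which is the whole point of this ranking fix. The guard that msg->rrset_first is an ANSWER-section rrset is also written out twice, once per type; hoisting it into one block with a local `first` pointer reads more clearly, as sketched below. The new comment would be more useful if it named the rule it implements, e.g. `/* RFC 2181 5.4.1: in an AA answer only the first rrset (plus the CNAME synthesized from a DNAME) is authoritative; the rest of a CNAME chain ranks as nonauth data */`. get_rrset_trust opens at the hunk's first context line and its body continues past the end of the hunk.
```c
		if(AA) {
			/* RFC 2181 5.4.1: in an AA answer only the first rrset
			 * (plus the CNAME synthesized from a DNAME) is
			 * authoritative; the rest of a CNAME chain is nonauth. */
			struct rrset_parse* first = msg->rrset_first;
			if(first && first->section == LDNS_SECTION_ANSWER) {
				if(first->type == LDNS_RR_TYPE_CNAME)
					return (rrset == first) ?
						rrset_trust_ans_AA : rrset_trust_ans_noAA;
				if(first->type == LDNS_RR_TYPE_DNAME)
					return (rrset == first ||
						(rrset == first->rrset_all_next &&
						 rrset->type == LDNS_RR_TYPE_CNAME)) ?
						rrset_trust_ans_AA : rrset_trust_ans_noAA;
			}
			return rrset_trust_ans_AA;
		}
		/* … unchanged: non-AA answer, AUTHORITY and ADDITIONAL cases … */
```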