From: Otto Moerbeek
Date: Mon, 28 Oct 2019 13:54:00 +0000 (+0100)
Subject: Enable qname minimization by default.
X-Git-Tag: dnsdist-1.4.0~16^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8949a3e07ab8a2cd956015aafb2987765f40afe9;p=thirdparty%2Fpdns.git
Enable qname minimization by default.
To be able to do that, make sure that qnames that are forwarded or in and authzone are handled without QM. Also, some tests are dependent on specific queries or responses, disable QM for them.
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 5e1d794324..d36625e4d9 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -4706,7 +4706,8 @@ int main(int argc, char **argv)
 ::arg().set("rng", "Specify random number generator to use. Valid values are auto,sodium,openssl,getrandom,arc4random,urandom.")="auto";
 ::arg().set("public-suffix-list-file", "Path to the Public Suffix List file, if any")="";
 ::arg().set("distribution-load-factor", "The load factor used when PowerDNS is distributing queries to worker threads")="0.0";
- ::arg().setSwitch("qname-minimization", "Use Query Name Minimization")="no";
+
+ ::arg().setSwitch("qname-minimization", "Use Query Name Minimization")="yes";
 ::arg().setSwitch("nothing-below-nxdomain", "When an NXDOMAIN exists in cache for a name with fewer labels than the qname, send NXDOMAIN without doing a lookup (see RFC 8020)")="dnssec";
 ::arg().set("max-generate-steps", "Maximum number of $GENERATE steps when loading a zone from a file")="0";
diff --git a/pdns/recursordist/docs/settings.rst b/pdns/recursordist/docs/settings.rst
index aa7ee739c8..ab66bf0fbb 100644
--- a/pdns/recursordist/docs/settings.rst
+++ b/pdns/recursordist/docs/settings.rst
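Review bot: The bare `+` just above the `qname-minimization` switch adds an empty line into a run of `::arg()` registrations that has none elsewhere in this hunk; drop it so the list stays uniform. Flipping the default to `"yes"` is visible to every deployment, yet the settings.rst hunk in this commit changes only the `Default:` line and keeps describing the feature as experimental, which sits oddly with enabling it by default; reword that paragraph, or state explicitly that the relaxed RFC 7816 form is considered safe enough to be on. `main` continues outside the hunk.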
@@ -1239,7 +1239,7 @@ Path to the Public Suffix List file, if any. If set, PowerDNS will try to load t
 .. versionadded:: 4.3.0
 - Boolean
-- Default: no
+- Default: yes
 Enable Query Name Minimization. This is a experimental feature, implementing a relaxed form of Query Name Mimimization as described in :rfc:`7816`.
diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 8223bdca09..2c0b68273a 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -170,7 +170,7 @@ void initSR(bool debug)
 ::arg().set("version-string", "string reported on version.pdns or version.bind")="PowerDNS Unit Tests";
 ::arg().set("rng")="auto";
 ::arg().set("entropy-source")="/dev/urandom";
- ::arg().setSwitch("qname-minimization", "Use Query Name Minimization") = "no";
+ ::arg().setSwitch("qname-minimization", "Use Query Name Minimization") = "yes";
 }
 void initSR(std::unique_ptr& sr, bool dnssec, bool debug, time_t fakeNow)
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 3ffeae0dba..8bd1a6861d 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -404,6 +404,12 @@ bool SyncRes::doOOBResolve(const DNSName &qname, const QType &qtype, vectorsecond, qname, qtype, ret, res);
 }
+bool SyncRes::isForwardOrAuth(const DNSName &qname) const {
+ DNSName authname(qname);
+ domainmap_t::const_iterator iter = getBestAuthZone(&authname);
+ return iter != t_sstorage.domainmap->end();
+}
+
 uint64_t SyncRes::doEDNSDump(int fd) {
 auto fp = std::unique_ptr(fdopen(dup(fd), "w"), fclose);
@@ -587,7 +593,7 @@ int SyncRes::asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, con
 int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector&ret, unsigned int depth, set& beenthere, vState& state) {
- if (!getQNameMinimization()) {
+ if (!getQNameMinimization() || isForwardOrAuth(qname)) {
 return doResolveNoQNameMinimization(qname, qtype, ret, depth, beenthere, state);
 }
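Review bot: `isForwardOrAuth` has no comment saying why a hit in the domain map disables minimization, and that decision is the substance of this commit; I would add above the definition: `// Names under a configured auth zone or forward zone are answered out-of-band or handed to the forwarder in full, so minimizing them would only add lookups. getBestAuthZone() presumably chops its argument, hence the copy.` The chopping is inferred from the `DNSName*` parameter, so confirm it before writing it down. Style: `domainmap_t::const_iterator iter` can be `auto iter`, and the `const {` on the signature line looks different from the brace-on-its-own-line layout the neighbouring definitions appear to use (hard to be sure from the collapsed hunk). `isForwardOrAuth` is complete within the hunk; the `doEDNSDump` context after it continues outside.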
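Review bot: `isForwardOrAuth(qname)` now runs on every entry to `doResolve` whenever minimization is on, copying the name and walking the domain map label by label, and `doResolveNoQNameMinimization` presumably repeats the same `getBestAuthZone` walk (the `doCacheCheck` it feeds takes `wasForwardedOrAuthZone`), so the lookup is doubled on the hot path. If that shows up in profiling, resolve the zone once and pass it down; otherwise accept it with a one-line why-comment at the condition: `// names under an auth or forward zone are never minimized, see isForwardOrAuth()`. Since the bypass means the full qname leaves the resolver for forwarded names, a sentence in the settings.rst text noting that forward zones are exempt would tell operators exactly what the privacy gain covers. `doResolve` continues past the end of the hunk.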
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index 77af72ba6b..3ce2bf04c0 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -803,6 +803,7 @@ private:
 int doResolveNoQNameMinimization(const DNSName &qname, const QType &qtype, vector&ret, unsigned int depth, set& beenthere, vState& state, bool* fromCache = NULL, StopAtDelegation* stopAtDelegation = NULL);
 bool doOOBResolve(const AuthDomain& domain, const DNSName &qname, const QType &qtype, vector&ret, int& res);
 bool doOOBResolve(const DNSName &qname, const QType &qtype, vector&ret, unsigned int depth, int &res);
+ bool isForwardOrAuth(const DNSName &qname) const;
 domainmap_t::const_iterator getBestAuthZone(DNSName* qname) const;
 bool doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector&ret, unsigned int depth, int &res, vState& state, bool wasAuthZone, bool wasForwardRecurse);
 bool doCacheCheck(const DNSName &qname, const DNSName& authname, bool wasForwardedOrAuthZone, bool wasAuthZone, bool wasForwardRecurse, const QType &qtype, vector&ret, unsigned int depth, int &res, vState& state);
diff --git a/regression-tests.recursor-dnssec/test_EDNSBufferSize.py b/regression-tests.recursor-dnssec/test_EDNSBufferSize.py
index 8ff69a10b9..b4c9631612 100644
--- a/regression-tests.recursor-dnssec/test_EDNSBufferSize.py
+++ b/regression-tests.recursor-dnssec/test_EDNSBufferSize.py
@@ -47,6 +47,7 @@ class EDNSBufferTest(RecursorTest):
 _qnameSuffix = '.edns-tests.example.'
 _config_template = """
+qname-minimization=no
 forward-zones=edns-tests.example=%s.22
 udp-truncation-threshold=%d
 edns-outgoing-bufsize=%d
@@ -173,6 +174,7 @@ class EDNSBufferTest16801681(EDNSBufferTest):
 _qnameSuffix = '.edns-tests.example.'
 _config_template = """
+qname-minimization=no
 forward-zones=edns-tests.example=%s.22
 udp-truncation-threshold=%d
 edns-outgoing-bufsize=%d
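Review bot: The added `qname-minimization=no` carries no explanation and looks redundant with the `isForwardOrAuth` bypass introduced in the same commit: every test name ends in `_qnameSuffix = '.edns-tests.example.'` and that zone is listed in `forward-zones`, so minimization should already be skipped for those queries. If the switch is still needed (names outside the forward zone, or belt and braces while the bypass is new), say so next to it: `# keep QM off: these size checks depend on the exact outgoing query`. The same applies to the second hunk at -173 and to the -196 hunk of this file on the next line. The class bodies continue outside the hunks.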
@@ -196,6 +198,7 @@ class EDNSBufferTest16801679(EDNSBufferTest):
 _qnameSuffix = '.edns-tests.example.'
 _config_template = """
+qname-minimization=no
 forward-zones=edns-tests.example=%s.22
 udp-truncation-threshold=%d
 edns-outgoing-bufsize=%d
diff --git a/regression-tests.recursor-dnssec/test_Protobuf.py b/regression-tests.recursor-dnssec/test_Protobuf.py
index 5aa77ed7e0..8bc65007f3 100644
--- a/regression-tests.recursor-dnssec/test_Protobuf.py
+++ b/regression-tests.recursor-dnssec/test_Protobuf.py
@@ -129,7 +129,7 @@ class TestRecursorProtobuf(RecursorTest):
 self.assertEquals(msg.id, query.id)
 self.assertTrue(msg.HasField('inBytes'))
 if normalQueryResponse:
- # compare inBytes with length of query/response
+ # compare inBytes with length off query/response
 # Note that for responses, the size we received might differ
 # because dnspython might compress labels differently from
 # the recursor
@@ -158,7 +158,7 @@ class TestRecursorProtobuf(RecursorTest):
 if length is not None:
 self.assertEquals(msg.inBytes, length)
 else:
- # compare inBytes with length of query/response
+ # compare inBytes with length off query/response
 self.assertEquals(msg.inBytes, len(query.to_wire()))
 def checkProtobufQuery(self, msg, protocol, query, qclass, qtype, qname, initiator='127.0.0.1'):
@@ -351,7 +351,10 @@ class OutgoingProtobufDefaultTest(TestRecursorProtobuf):
 _confdir = 'OutgoingProtobufDefault'
 _config_template = """
-auth-zones=example=configs/%s/example.zone""" % _confdir
+ # Switch of QName Minimization, it generates much more protobuf messages
+ # (or make the test much more smart!)
+ qname-minimization=no
+ auth-zones=example=configs/%s/example.zone""" % _confdir
 _lua_config_file = """
 outgoingProtobufServer({"127.0.0.1:%d", "127.0.0.1:%d"})
 """ % (protobufServersParameters[0].port, protobufServersParameters[1].port)
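Review bot: The comment rewrite at `# compare inBytes with length off query/response` turns the correct "of" into "off"; the old line should stay as it was, both here and in the second hunk at -158. The config comment added in the `OutgoingProtobufDefaultTest` hunk has the opposite slip: `# Switch of QName Minimization` should read `# Switch off QName Minimization`, and the same text recurs in the `OutgoingProtobufNoQueriesTest` hunk that follows. In that hunk the added lines also appear to be indented inside the triple-quoted template while the removed `auth-zones=` line was not; if the recursor's config reader does not strip leading blanks that is a functional difference, so either confirm it does or keep the lines at column 0.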
@@ -380,7 +383,10 @@ class OutgoingProtobufNoQueriesTest(TestRecursorProtobuf):
 _confdir = 'OutgoingProtobufNoQueries'
 _config_template = """
-auth-zones=example=configs/%s/example.zone""" % _confdir
+ # Switch of QName Minimization, it generates much more protobuf messages
+ # (or make the test much more smart!)
+ qname-minimization=no
+ auth-zones=example=configs/%s/example.zone""" % _confdir
 _lua_config_file = """
 outgoingProtobufServer({"127.0.0.1:%d", "127.0.0.1:%d"}, { logQueries=false, logResponses=true })
 """ % (protobufServersParameters[0].port, protobufServersParameters[1].port)
diff --git a/regression-tests.recursor-dnssec/test_RootNXTrust.py b/regression-tests.recursor-dnssec/test_RootNXTrust.py
index d4bdd77251..afaf221fd1 100644
--- a/regression-tests.recursor-dnssec/test_RootNXTrust.py
+++ b/regression-tests.recursor-dnssec/test_RootNXTrust.py
@@ -28,6 +28,7 @@ class testRootNXTrustDisabled(RootNXTrustRecursorTest):
 _config_template = """
 root-nx-trust=no
+qname-minimization=no
 webserver=yes
 webserver-port=%d
 webserver-address=127.0.0.1
diff --git a/regression-tests.recursor/config.sh b/regression-tests.recursor/config.sh
index da2b47276e..074b2159f9 100755
--- a/regression-tests.recursor/config.sh
+++ b/regression-tests.recursor/config.sh
@@ -289,8 +289,8 @@ if not newDN then
 end
 function prequery ( dnspacket )
 qname, qtype = dnspacket:getQuestion()
- if (string.sub(tostring(qname), -21) == ".1.ghost.example.net." and posix.stat('drop-1')) or
- (string.sub(tostring(qname), -21) == ".2.ghost.example.net." and posix.stat('drop-2'))
+ if (string.sub(tostring(qname), -20) == "1.ghost.example.net." and posix.stat('drop-1')) or
+ (string.sub(tostring(qname), -20) == "2.ghost.example.net." and posix.stat('drop-2'))
 then
 dnspacket:setRcode(pdns.NXDOMAIN)
 ret = {}
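Review bot: Dropping the leading dot turns a label-boundary match into a plain string-suffix match: `string.sub(tostring(qname), -20) == "1.ghost.example.net."` is now also true for `11.ghost.example.net.` or `foo21.ghost.example.net.`, the `2.` arm likewise accepts `12.ghost.example.net.`, and the `-24 == "www.1.ghost.example.net."` change in the next hunk has the same weakness. The loosening is presumably there so that the minimized query for the zone apex itself, `1.ghost.example.net.`, is matched too, which the old 21-character form could not do. An exact-or-subdomain test keeps both properties: `local n = tostring(qname)` followed by `n == "1.ghost.example.net." or string.sub(n, -21) == ".1.ghost.example.net."`, or, where `newDN` exists as the guard above suggests and `qname` is a DNSName, `qname:isPartOf(newDN("1.ghost.example.net."))`. `prequery` continues past the end of the hunk.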
@@ -322,7 +322,7 @@ end
 function prequery ( dnspacket )
 i = i + 1
 qname, qtype = dnspacket:getQuestion()
- if qtype == pdns.A and string.sub(tostring(qname), -25) == ".www.1.ghost.example.net."
+ if qtype == pdns.A and string.sub(tostring(qname), -24) == "www.1.ghost.example.net."
 then
 dnspacket:setRcode(pdns.NOERROR)
 ret = {}