From: Wouter Wijngaards Date: Thu, 5 Aug 2010 14:31:52 +0000 (+0000) Subject: - Return NXDOMAIN after chain of CNAMEs ends at name-not-found. X-Git-Tag: release-1.4.7rc1~117 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b701d70147402da14b8a71340149bfd9e43d60f8;p=thirdparty%2Funbound.git - Return NXDOMAIN after chain of CNAMEs ends at name-not-found. git-svn-id: file:///svn/unbound/trunk@2208 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index f524e1b48..8f087a5fd 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +5 August 2010: Wouter + - Return NXDOMAIN after chain of CNAMEs ends at name-not-found. + 4 August 2010: Wouter - Fix validation in case a trust anchor enters into a zone with unsupported algorithms. diff --git a/iterator/iterator.c b/iterator/iterator.c index f716be15a..bd1fea1d7 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c @@ -323,11 +323,8 @@ iter_prepend(struct iter_qstate* iq, struct dns_msg* msg, (msg->rep->ns_numrrsets + msg->rep->ar_numrrsets) * sizeof(struct ub_packed_rrset_key*)); - /* if the rcode was NXDOMAIN, and we prepended DNAME/CNAMEs, then - * it should now be NOERROR. */ - if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_NXDOMAIN) { - FLAGS_SET_RCODE(msg->rep->flags, LDNS_RCODE_NOERROR); - } + /* NXDOMAIN rcode can stay if we prepended DNAME/CNAMEs, because + * this is what recursors should give. */ msg->rep->rrset_count += num_an + num_ns; msg->rep->an_numrrsets += num_an; msg->rep->ns_numrrsets += num_ns; diff --git a/testdata/iter_cname_nx.rpl b/testdata/iter_cname_nx.rpl index 6a228606f..cb80aa5fc 100644 --- a/testdata/iter_cname_nx.rpl +++ b/testdata/iter_cname_nx.rpl @@ -145,7 +145,7 @@ ENTRY_END STEP 10 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA NOERROR +REPLY QR RD RA NXDOMAIN SECTION QUESTION www.example.com. IN A SECTION ANSWER diff --git a/testdata/ttl_msg.rpl b/testdata/ttl_msg.rpl index 11c37123c..627f06142 100644 
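Review bot: The replacement comment in iter_prepend (iterator/iterator.c) gives a reader nothing to check: "this is what recursors should give" does not say which name the NXDOMAIN refers to once CNAME/DNAME records have been prepended to the answer section. I would spell it out, e.g. `/* Keep NXDOMAIN: after prepending CNAME/DNAMEs the rcode describes the last name in the chain, not the qname (RFC 2308 section 2.1). */`. That matters to anything downstream that caches or validates the reply, because a message with answer records and rcode NXDOMAIN must not be read as a name error for the query name itself. iter_prepend starts and ends outside this hunk, so whether its callers already expect this combination cannot be seen here.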
--- a/testdata/ttl_msg.rpl +++ b/testdata/ttl_msg.rpl @@ -420,7 +420,7 @@ ENTRY_END STEP 41 CHECK_ANSWER ENTRY_BEGIN MATCH all ttl -REPLY QR RD RA NOERROR +REPLY QR RD RA NXDOMAIN SECTION QUESTION www.foo.com. IN A SECTION ANSWER diff --git a/testdata/val_cnamenx_dblnsec.rpl b/testdata/val_cnamenx_dblnsec.rpl index f9e01b660..0064ab580 100644 --- a/testdata/val_cnamenx_dblnsec.rpl +++ b/testdata/val_cnamenx_dblnsec.rpl @@ -157,7 +157,7 @@ ENTRY_END STEP 10 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA AD NOERROR +REPLY QR RD RA AD NXDOMAIN SECTION QUESTION cname.example.com. IN A SECTION ANSWER diff --git a/testdata/val_cnamenx_rcodenx.rpl b/testdata/val_cnamenx_rcodenx.rpl index f9f02b629..6676b340f 100644 --- a/testdata/val_cnamenx_rcodenx.rpl +++ b/testdata/val_cnamenx_rcodenx.rpl @@ -217,7 +217,7 @@ ENTRY_END STEP 10 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA AD NOERROR +REPLY QR RD RA AD NXDOMAIN SECTION QUESTION www.example.com. IN A SECTION ANSWER diff --git a/testdata/val_cnametonx.rpl b/testdata/val_cnametonx.rpl index 2bcb62d07..6b041bbc7 100644 --- a/testdata/val_cnametonx.rpl +++ b/testdata/val_cnametonx.rpl @@ -217,7 +217,7 @@ ENTRY_END STEP 10 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA AD NOERROR +REPLY QR RD RA AD NXDOMAIN SECTION QUESTION www.example.com. IN A SECTION ANSWER diff --git a/testdata/val_cnamewctonx.rpl b/testdata/val_cnamewctonx.rpl index c409a8531..5675c42a5 100644 --- a/testdata/val_cnamewctonx.rpl +++ b/testdata/val_cnamewctonx.rpl @@ -219,7 +219,7 @@ ENTRY_END STEP 10 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA AD NOERROR +REPLY QR RD RA AD NXDOMAIN SECTION QUESTION www.example.com. IN A SECTION ANSWER diff --git a/testdata/val_nsec3_cname_sub.rpl b/testdata/val_nsec3_cname_sub.rpl index 72fdb140b..8cc0ee7b1 100644 --- a/testdata/val_nsec3_cname_sub.rpl +++ b/testdata/val_nsec3_cname_sub.rpl 
@@ -201,7 +201,7 @@ ENTRY_END STEP 10 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA AD NOERROR +REPLY QR RD RA AD NXDOMAIN SECTION QUESTION www.example.com. IN A SECTION ANSWER diff --git a/validator/val_utils.c b/validator/val_utils.c index c915e3dfd..7539b815f 100644 --- a/validator/val_utils.c +++ b/validator/val_utils.c @@ -95,15 +95,14 @@ val_classify_response(uint16_t query_flags, struct query_info* origqinf, return VAL_CLASS_REFERRAL; /* dump bad messages */ - if(rcode != LDNS_RCODE_NOERROR) + if(rcode != LDNS_RCODE_NOERROR && rcode != LDNS_RCODE_NXDOMAIN) return VAL_CLASS_UNKNOWN; - log_assert(rcode == LDNS_RCODE_NOERROR); /* next check if the skip into the answer section shows no answer */ if(skip>0 && rep->an_numrrsets <= skip) return VAL_CLASS_CNAMENOANSWER; /* Next is NODATA */ - if(rep->an_numrrsets == 0) + if(rcode == LDNS_RCODE_NOERROR && rep->an_numrrsets == 0) return VAL_CLASS_NODATA; /* We distinguish between CNAME response and other positive/negative @@ -111,13 +110,14 @@ val_classify_response(uint16_t query_flags, struct query_info* origqinf, /* We distinguish between ANY and CNAME or POSITIVE because * ANY responses are validated differently. */ - if(qinf->qtype == LDNS_RR_TYPE_ANY) + if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY) return VAL_CLASS_ANY; /* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless * qtype=CNAME, this will yield a CNAME response. */ for(i=skip; ian_numrrsets; i++) { - if(ntohs(rep->rrsets[i]->rk.type) == qinf->qtype) + if(rcode == LDNS_RCODE_NOERROR && + ntohs(rep->rrsets[i]->rk.type) == qinf->qtype) return VAL_CLASS_POSITIVE; if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_CNAME) return VAL_CLASS_CNAME;
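Review bot: Removing `log_assert(rcode == LDNS_RCODE_NOERROR)` in the first val_utils.c hunk drops the only statement of the invariant the later branches relied on, and the "dump bad messages" comment does not say that NXDOMAIN is now let through on purpose. From this point, correctness depends on every positive classification carrying its own `rcode == LDNS_RCODE_NOERROR` guard (NODATA here, ANY and POSITIVE in the next hunk); a branch added later without that guard would let an NXDOMAIN reply be validated as a positive answer. I would record this next to the check, e.g. `/* NXDOMAIN passes only so a CNAME chain ending in name-not-found can be classified; every NOERROR-only class below must test rcode itself. */`. val_classify_response starts and ends outside the hunk, so what an NXDOMAIN reply that matches no branch falls through to is not visible.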
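Review bot: The loop comment "Unless qtype=CNAME, this will yield a CNAME response" no longer matches the new code in the second val_utils.c hunk: with rcode NXDOMAIN the qtype test is skipped, so a qtype=CNAME query whose answer holds a CNAME is classified VAL_CLASS_CNAME rather than VAL_CLASS_POSITIVE. If that is intended, the comment should say so, e.g. `/* For NXDOMAIN only CNAMEs are considered, also when qtype=CNAME; other answer rrsets are skipped. */`. The .rpl expectations changed in this commit all appear to ask for type A, so a replay test with a qtype=CNAME query would pin the behaviour down. What is returned when the loop finds nothing lies outside the hunk.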