From: Vladimír Čunát
Date: Fri, 24 Nov 2017 13:45:01 +0000 (+0100)
Subject: temporarily enable packet caching for NSEC3 answers
X-Git-Tag: v2.0.0~6^2~46
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cf67f7c0b64daebe707bb89c2e1bcc1b316b8790;p=thirdparty%2Fknot-resolver.git
temporarily enable packet caching for NSEC3 answers
Work up to this commit was squashed into cache-aggr 36302052.
---
diff --git a/lib/cache.c b/lib/cache.c
index fdda9da60..b74446ed3 100644
--- a/lib/cache.c
+++ b/lib/cache.c
@@ -190,8 +190,11 @@ struct entry_h * entry_h_consistent(knot_db_val_t data, uint16_t ktype)
 || eh->has_dname);
 break;
 default:
+ /* doesn't hold, because of temporary NSEC3 packet caching
 if (eh->is_packet)
 ok = ok && !kr_rank_test(eh->rank, KR_RANK_SECURE);
+ */
+ break;
 }
 //LATER: rank sanity
diff --git a/lib/cache/entry_pkt.c b/lib/cache/entry_pkt.c
index c33ca7ba0..cf8777e57 100644
--- a/lib/cache/entry_pkt.c
+++ b/lib/cache/entry_pkt.c
@@ -70,7 +70,23 @@ void stash_pkt(const knot_pkt_t *pkt, const struct kr_query *qry,
 & (PKT_NODATA|PKT_NXDOMAIN);
 const bool want_pkt = qry->flags.DNSSEC_BOGUS
 || (is_negative && (qry->flags.DNSSEC_INSECURE || !qry->flags.DNSSEC_WANT));
- if (!want_pkt || !knot_wire_get_aa(pkt->wire)) {
+
+ /* TMP: also stash packets that contain an NSEC3.
+ * To be removed when aggressive NSEC3 works. */
+ bool with_nsec3 = false;
+ if (!want_pkt && qry->flags.DNSSEC_WANT && !qry->flags.DNSSEC_BOGUS
+ && !qry->flags.DNSSEC_INSECURE) {
+ const knot_pktsection_t *sec = knot_pkt_section(pkt, KNOT_AUTHORITY);
+ for (unsigned k = 0; k < sec->count; ++k) {
+ if (knot_pkt_rr(sec, k)->type == KNOT_RRTYPE_NSEC3) {
+ with_nsec3 = true;
+ VERBOSE_MSG(qry, "NSEC3 found\n");
+ break;
+ }
+ }
+ }
+
+ if (!(want_pkt || with_nsec3) || !knot_wire_get_aa(pkt->wire)) {
 return;
 }
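Review bot: In lib/cache.c the `default:` branch of entry_h_consistent() now accepts a packet entry with any rank, although the new comment only motivates this for NSEC3 packet caching; the check that a packet entry is never KR_RANK_SECURE is switched off for every key type that reaches this branch. If the relaxation cannot be narrowed, mark it with the tag that lib/cache/entry_pkt.c uses so that both are removed together, for example `/* TMP: the packet-not-SECURE check is off while NSEC3 answers are packet-cached; restore when aggressive NSEC3 works. */`, and delete the two old lines rather than wrapping them in a block comment, which stops compiling as soon as the disabled code gains a comment of its own. Readers of the cache that treated a packet entry accepted here as not validated should be rechecked; none are visible in this diff. The function starts and ends outside the hunk.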
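Review bot: In stash_pkt() in lib/cache/entry_pkt.c the new NSEC3 scan selects a packet purely by an RR type in the AUTHORITY section and never consults `is_negative`, so positive answers that carry an NSEC3 are stashed whole as well; the TMP comment should say whether that is intended. A wording such as `/* TMP: also stash any AA packet with an NSEC3 in AUTHORITY, positive or negative, when validation was wanted and the query is neither bogus nor insecure. */` would record the condition the code actually tests. The leading `!want_pkt &&` is implied by the other three flag tests, given how `want_pkt` is computed just above, so the guard could be named once as `const bool dnssec_ok = qry->flags.DNSSEC_WANT && !qry->flags.DNSSEC_BOGUS && !qry->flags.DNSSEC_INSECURE;`. stash_pkt() starts before and continues after the hunk.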
@@ -90,6 +106,8 @@ void stash_pkt(const knot_pkt_t *pkt, const struct kr_query *qry,
 kr_rank_set(&rank, KR_RANK_INSECURE);
 } else if (!qry->flags.DNSSEC_WANT) {
 /* no TAs at all, leave _RANK_AUTH */
+ } else if (with_nsec3) {
+ // FIXME: not optimal, but safer choice and possibly OK for now.
 } else assert(false);
 }
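Review bot: The new `else if (with_nsec3)` branch is empty, so a stashed NSEC3 packet keeps whatever rank was assigned before this chain, and the FIXME neither names that rank nor says what it is safer than. The initialisation is outside the hunk; the neighbouring comment suggests it is _RANK_AUTH, in which case the comment could read `/* TMP: NSEC3 packet; leave _RANK_AUTH instead of claiming KR_RANK_SECURE. */`. If that reading is right, no SECURE packet is written on this path, and it is not clear from this diff why entry_h_consistent() in lib/cache.c had to drop its packet-not-SECURE check; the commit should state which writer needs it. The if/else chain starts before the hunk.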