From: Vladimír Čunát Date: Tue, 20 Feb 2018 14:50:48 +0000 (+0100) Subject: avoid iterating from a too short zone cut X-Git-Tag: v2.1.1~4^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f0da0a35;p=thirdparty%2Fknot-resolver.git avoid iterating from a too short zone cut Example: after foo.sk query the bar.sk query started iterating from asking the root again for NS sk. This bug was present on insecure zones, and before version 2.0.0 only such that have a secure parent. (These two parts of the bug correspond to the two changes in this commit.) Fixes https://gitlab.labs.nic.cz/knot/knot-resolver/issues/246 --- diff --git a/NEWS b/NEWS index 62cb62082..9cdb5f126 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,12 @@ +Knot Resolver 2.x.y (2018-02-zz) +================================ + +Bugfixes +-------- +- when iterating, avoid unnecessary queries for NS in insecure parent. + This problem worsened in 2.0.0. (#246) + + Knot Resolver 2.1.0 (2018-02-16) ================================ diff --git a/lib/layer/validate.c b/lib/layer/validate.c index 2843d1dbc..a90afa3b1 100644 --- a/lib/layer/validate.c +++ b/lib/layer/validate.c 
@@ -417,6 +417,22 @@ static int update_delegation(struct kr_request *req, struct kr_query *qry, knot_ } else { VERBOSE_MSG(qry, "<= DS doesn't exist, going insecure\n"); qry->flags.DNSSEC_NODS = true; + /* Rank the corresponding nonauth NS as insecure. */ + for (int i = 0; i < req->auth_selected.len; ++i) { + ranked_rr_array_entry_t *ns = req->auth_selected.at[i]; + if (ns->qry_uid != qry->uid || !ns->rr + || ns->rr->type != KNOT_RRTYPE_NS) { + continue; + } + /* Found the record. Note: this is slightly fragile + * in case there were more NS records in the packet. + * As it is now, kr_nsec*_ref_to_unsigned consider + * (only) the first NS record in the packet. */ + if (!kr_rank_test(ns->rank, KR_RANK_AUTH)) { /* sanity */ + ns->rank = KR_RANK_INSECURE; + } + break; + } } return ret; } else if (qry->flags.FORWARD && qry->parent) { diff --git a/lib/zonecut.c b/lib/zonecut.c index d54a4d114..52ff62491 100644 --- a/lib/zonecut.c +++ b/lib/zonecut.c @@ -308,14 +308,16 @@ static int fetch_ns(struct kr_context *ctx, struct kr_zonecut *cut, if (ret != 0) { return ret; } - int32_t new_ttl = kr_cache_ttl(&peek, qry, name, KNOT_RRTYPE_NS); - if (new_ttl < 0) { - return kr_error(ESTALE); - } /* Note: we accept *any* rank from the cache. We assume that nothing * completely untrustworthy could get into the cache, e.g out-of-bailiwick * records that weren't validated. */ + *rank = peek.rank; + + int32_t new_ttl = kr_cache_ttl(&peek, qry, name, KNOT_RRTYPE_NS); + if (new_ttl < 0) { + return kr_error(ESTALE); + } /* Materialize the rdataset temporarily, for simplicity. */ knot_rdataset_t ns_rds = { 0, NULL }; ret = kr_cache_materialize(&ns_rds, &peek, new_ttl, cut->pool);
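Review bot: the NEWS hunk still carries placeholder version and date (`Knot Resolver 2.x.y (2018-02-zz)`), which must be filled in before the release is tagged. The bullet "avoid unnecessary queries for NS in insecure parent" is also hard to parse on its own; tying it to the behaviour in the commit message, e.g. "when iterating, do not re-query the parent for an already cached NS of an insecure zone cut", would tell a user what actually changed.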
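Review bot: in the `update_delegation` hunk the loop re-ranks only the first `auth_selected` entry whose `qry_uid` matches and whose type is NS, then `break`s, and the inline comment itself calls this "slightly fragile" when the packet carries more NS records. Every NS record of that delegation is equally affected by the missing DS, so dropping the `break` and re-ranking each matching entry removes the fragility without changing the intended outcome; if exactly one entry is meant to mirror what `kr_nsec*_ref_to_unsigned` looks at, the comment should state which entry that is so the two places stay in step. Minor: `i` is declared `int` but compared against `req->auth_selected.len`; if that field is unsigned this is a sign-compare warning, so use the field's own type for the index.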
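Review bot: in the `fetch_ns` hunk the new `*rank = peek.rank;` is placed before the TTL check, so the output parameter is now written even when the function returns `kr_error(ESTALE)`. If the intent is that callers learn the cached rank even for a stale NS entry, document that in the function's header comment and confirm every caller either initialises `*rank` or ignores it on error; otherwise move the assignment back below the `if (new_ttl < 0)` return so an error path does not leave a partially filled result.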