From 153fd4a7f6a231a1c2fdc6f8cec54e659b3fc45c Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Mon, 31 May 2010 13:03:58 +0000 Subject: [PATCH] - parentside names are dispreferred but not said to be dnssec-lame. - parentside check for cached newname glue. git-svn-id: file:///svn/unbound/trunk@2122 be551aaa-1e26-0410-a405-d3ace91eadb9 --- doc/Changelog | 2 + iterator/iter_utils.c | 33 ++--- iterator/iterator.c | 8 ++ testdata/iter_pcname.rpl | 277 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 305 insertions(+), 15 deletions(-) create mode 100644 testdata/iter_pcname.rpl diff --git a/doc/Changelog b/doc/Changelog index a9c23af67..2205f9462 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -3,6 +3,8 @@ flag from upstream servers. - alloc_special_obtain out of memory is not a fatal error any more, enabling unbound to continue longer in out of memory conditions. + - parentside names are dispreferred but not said to be dnssec-lame. + - parentside check for cached newname glue. 28 May 2010: Wouter - iana portlist updated. diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c index 8d539a82a..1594463df 100644 --- a/iterator/iter_utils.c +++ b/iterator/iter_utils.c @@ -66,7 +66,7 @@ /** time when nameserver glue is said to be 'recent' */ #define SUSPICION_RECENT_EXPIRY 86400 /** penalty to validation failed blacklisted IPs */ -#define BLACKLIST_PENALTY (USEFUL_SERVER_TOP_TIMEOUT*3) +#define BLACKLIST_PENALTY (USEFUL_SERVER_TOP_TIMEOUT*4) /** fillup fetch policy array */ static void 
@@ -160,15 +160,17 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
 * This value exactly is given for unresponsive blacklisted.
 * USEFUL_SERVER_TOP_TIMEOUT+1
 * For non-blacklisted servers: huge timeout, but has traffic.
- * USEFUL_SERVER_TOP_TIMEOUT ..
- * dnsseclame servers get penalty
- * also for parent-side lame servers (lame in delegpt).
+ * USEFUL_SERVER_TOP_TIMEOUT*1 ..
+ * parent-side lame servers get this penalty. A dispreferential
+ * server. (lame in delegpt).
 * USEFUL_SERVER_TOP_TIMEOUT*2 ..
+ * dnsseclame servers get penalty
+ * USEFUL_SERVER_TOP_TIMEOUT*3 ..
 * recursion lame servers get penalty
 * UNKNOWN_SERVER_NICENESS
 * If no information is known about the server, this is
 * returned. 376 msec or so.
- * +BLACKLIST_PENALTY (of USEFUL_TOP_TIMEOUT*3) for dnssec failed IPs.
+ * +BLACKLIST_PENALTY (of USEFUL_TOP_TIMEOUT*4) for dnssec failed IPs.
 *
 * When a final value is chosen that is dnsseclame ; dnsseclameness checking
 * is turned off (so we do not discard the reply).
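Review bot: The updated band table does not match two values that iter_filter_unsuitable returns in the next hunk. Parent-side lame servers with a known RTT get `rtt+USEFUL_SERVER_TOP_TIMEOUT+1`, not a value starting at `USEFUL_SERVER_TOP_TIMEOUT*1`, and lame servers with no server information get `USEFUL_SERVER_TOP_TIMEOUT+1+UNKNOWN_SERVER_NICENESS`, which the table does not list at all. I would add both entries and one line saying where the bands are read back, for example `* The bands are decoded with strict '>' tests in iter_server_selection; keep both in sync.` The comment block starts and ends outside this hunk.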
@@ -206,19 +208,20 @@ iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env, lost >= USEFUL_SERVER_MAX_LOST) /* server is unresponsive, but keep trying slowly */ return USEFUL_SERVER_TOP_TIMEOUT+1; + /* select remainder from worst to best */ + else if(reclame) + return rtt+USEFUL_SERVER_TOP_TIMEOUT*3; /* nonpref */ + else if(dnsseclame ) + return rtt+USEFUL_SERVER_TOP_TIMEOUT*2; /* nonpref */ else if(a->lame) return rtt+USEFUL_SERVER_TOP_TIMEOUT+1; /* nonpref */ else if(rtt >= USEFUL_SERVER_TOP_TIMEOUT) /* not blacklisted*/ - return USEFUL_SERVER_TOP_TIMEOUT+1; - else if(reclame) - return rtt+USEFUL_SERVER_TOP_TIMEOUT*2; /* nonpref */ - else if(dnsseclame ) - return rtt+USEFUL_SERVER_TOP_TIMEOUT; /* nonpref */ + return USEFUL_SERVER_TOP_TIMEOUT+1; else return rtt; } /* no server information present */ if(a->lame) - return USEFUL_SERVER_TOP_TIMEOUT+1; /* nonpref */ + return USEFUL_SERVER_TOP_TIMEOUT+1+UNKNOWN_SERVER_NICENESS; /* nonpref */ return UNKNOWN_SERVER_NICENESS; } @@ -323,22 +326,22 @@ iter_server_selection(struct iter_env* iter_env, return NULL; verbose(VERB_ALGO, "selrtt %d", selrtt); if(selrtt > BLACKLIST_PENALTY) { - if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT*2) { + if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT*3) { verbose(VERB_ALGO, "chase to " "blacklisted recursion lame server"); *chase_to_rd = 1; } - if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT) { + if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT*2) { verbose(VERB_ALGO, "chase to " "blacklisted dnssec lame server"); *dnssec_lame = 1; } } else { - if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) { + if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*3) { verbose(VERB_ALGO, "chase to recursion lame server"); *chase_to_rd = 1; } - if(selrtt > USEFUL_SERVER_TOP_TIMEOUT) { + if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) { verbose(VERB_ALGO, "chase to dnssec lame server"); *dnssec_lame = 1; } 
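Review bot: The `reclame`, `dnsseclame` and `a->lame` branches now run before the `rtt >= USEFUL_SERVER_TOP_TIMEOUT` test, so nothing visible in this hunk keeps `rtt` below one band width when a penalty is added. If `rtt` can reach USEFUL_SERVER_TOP_TIMEOUT while `lost` stays under USEFUL_SERVER_MAX_LOST, `rtt+USEFUL_SERVER_TOP_TIMEOUT+1` passes the `> USEFUL_SERVER_TOP_TIMEOUT*2` test in iter_server_selection and a parent-side lame server is flagged `*dnssec_lame = 1` again. Per the comment above, that turns off dnssec-lameness checking for the reply. The same overflow would move a dnssec-lame server into the recursion-lame band. If the infra cache already caps `rtt`, a comment stating that bound is enough; otherwise clamp inside the lame branches, e.g. `return (rtt < USEFUL_SERVER_TOP_TIMEOUT ? rtt : USEFUL_SERVER_TOP_TIMEOUT-1) + USEFUL_SERVER_TOP_TIMEOUT*2;`. The function starts outside the hunk.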
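Review bot: The literal thresholds `USEFUL_SERVER_TOP_TIMEOUT*3` and `USEFUL_SERVER_TOP_TIMEOUT*2` in iter_server_selection must mirror by hand the addends in iter_filter_unsuitable and the multiplier in BLACKLIST_PENALTY. This commit had to change all three places together, and a missed one would silently set or clear `*dnssec_lame` and `*chase_to_rd` for the wrong class of server. Defining the band offsets once next to BLACKLIST_PENALTY, under names of the project's choosing such as `#define DNSSECLAME_PENALTY (USEFUL_SERVER_TOP_TIMEOUT*2)` and `#define RECLAME_PENALTY (USEFUL_SERVER_TOP_TIMEOUT*3)`, and using them on both the encode and decode side would keep the two functions in step. The body of iter_server_selection continues outside the hunk.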
diff --git a/iterator/iterator.c b/iterator/iterator.c index c9815fb56..602ace026 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c @@ -1406,6 +1406,14 @@ processLastResort(struct module_qstate* qstate, struct iter_qstate* iq, return next_state(iq, INIT_REQUEST_STATE); } } + /* see if that makes new names available */ + if(!cache_fill_missing(qstate->env, iq->qchase.qclass, + qstate->region, iq->dp)) + log_err("out of memory in cache_fill_missing"); + if(iq->dp->usable_list) { + verbose(VERB_ALGO, "try parent-side-name, w. glue from cache"); + return next_state(iq, QUERYTARGETS_STATE); + } /* try to fill out parent glue from cache */ if(iter_lookup_parent_glue_from_cache(qstate->env, iq->dp, qstate->region, &qstate->qinfo)) { diff --git a/testdata/iter_pcname.rpl b/testdata/iter_pcname.rpl new file mode 100644 index 000000000..037b6426f --- /dev/null +++ b/testdata/iter_pcname.rpl 
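Review bot: The new early return to QUERYTARGETS_STATE fires whenever `iq->dp->usable_list` is non-empty, not only when cache_fill_missing actually added an address. Whether this last-resort path terminates therefore seems to depend on the target-query state draining that list, which cannot be confirmed from this hunk. A short comment would help the next reader, e.g. `/* usable_list is consumed by QUERYTARGETS_STATE, so this cannot loop; OOM here is non-fatal, we just fall through to the parent glue lookup */`, adjusted to whatever the real invariant is. The existing comment `see if that makes new names available` also refers to a "that" defined outside the hunk, so naming it would help (cached addresses for the delegation's nameserver names). The body of processLastResort starts and ends outside the hunk.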
@@ -0,0 +1,277 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test resolution with parent child differ in names. +; the parent has an extra name that is the only working one. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +net. IN NS +SECTION AUTHORITY +net. IN NS e.gtld-servers.net. +SECTION ADDITIONAL +e.gtld-servers.net. IN A 192.12.94.30 +ENTRY_END + +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +example.com. IN NS ns.example.net. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.55 +ENTRY_END +RANGE_END + +; e.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.12.94.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +net. IN NS +SECTION ANSWER +net. IN NS e.gtld-servers.net. +SECTION ADDITIONAL +e.gtld-servers.net. 
IN A 192.12.94.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.net. IN NS +SECTION AUTHORITY +example.net. IN NS ns.example.net. +SECTION ADDITIONAL +ns.example.net. IN A 1.2.3.44 +ENTRY_END + +RANGE_END + +; ns.example.net. +; the working version. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.44 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY AA QR NOERROR +SECTION QUESTION +example.net. IN NS +SECTION ANSWER +example.net. IN NS ns.example.net. +SECTION ADDITIONAL +ns.example.net. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY AA QR NOERROR +SECTION QUESTION +ns.example.net. IN A +SECTION ANSWER +ns.example.net. IN A 1.2.3.44 +SECTION AUTHORITY +example.net. IN NS ns.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY AA QR NOERROR +SECTION QUESTION +ns.example.net. IN AAAA +SECTION AUTHORITY +example.net. IN NS ns.example.net. +SECTION ADDITIONAL +ns.example.net. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY AA QR NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.55 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY AA QR NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.55 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY AA QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.55 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY AA QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. 
+SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.55 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY AA QR NOERROR +SECTION QUESTION +mail.example.com. IN A +SECTION ANSWER +mail.example.com. IN A 10.20.30.20 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.55 +ENTRY_END +RANGE_END + +; ns.example.net +; Broken. Does not respond to anything (servfail instead +; of timeouts since this is easier to encode in .rpl file format). +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.55 +ENTRY_BEGIN +MATCH opcode +ADJUST copy_id copy_query +REPLY QR SERVFAIL +SECTION QUESTION +example.net. IN NS +SECTION ANSWER +ENTRY_END + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.55 +ENTRY_END + +; now that the bad child NS record is in cache, ask something else. +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +mail.example.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +mail.example.com. IN A +SECTION ANSWER +mail.example.com. IN A 10.20.30.20 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.55 +ENTRY_END + +SCENARIO_END -- 2.47.2
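Review bot: The comment above the last RANGE block labels the broken server `; ns.example.net`, but its `ADDRESS 1.2.3.55` is the glue address given for ns.example.com everywhere else in the scenario. ns.example.net is the working server at 1.2.3.44. Since the test is about telling the parent-side name apart from the child-side one, the label should read `; ns.example.com`. The SERVFAIL entry's QUESTION of `example.net. IN NS` probably has no effect, because the entry uses `MATCH opcode` with `copy_query`, but it adds to the confusion.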