From 784d659e915552ca82e41418d6f6553b1632de9e Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Tue, 10 May 2011 12:34:47 +0000 Subject: [PATCH] - Fix TTL of SOA so negative TTL is separately cached from normal TTL. git-svn-id: file:///svn/unbound/trunk@2416 be551aaa-1e26-0410-a405-d3ace91eadb9 --- daemon/remote.c | 3 + doc/Changelog | 1 + testdata/iter_soamin.rpl | 208 ++++++++++++++++++++++++++++++++ testdata/val_negcache_dssoa.rpl | 32 +++-- util/data/msgparse.c | 6 +- util/data/packed_rrset.h | 5 + validator/val_neg.c | 2 +- 7 files changed, 242 insertions(+), 15 deletions(-) create mode 100644 testdata/iter_soamin.rpl diff --git a/daemon/remote.c b/daemon/remote.c index a5e10b4ff..2f842be50 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -1063,6 +1063,9 @@ do_cache_remove(struct worker* worker, uint8_t* nm, size_t nmlen, hashvalue_t h; struct query_info k; rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c, 0); + if(t == LDNS_RR_TYPE_SOA) + rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c, + PACKED_RRSET_SOA_NEG); k.qname = nm; k.qname_len = nmlen; k.qtype = t; diff --git a/doc/Changelog b/doc/Changelog index 2c0211104..547fcbd01 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -3,6 +3,7 @@ and reduces install size significantly. - feature, ignore-cd-flag: yesno to provide dnssec to legacy servers. - iana portlist updated. + - Fix TTL of SOA so negative TTL is separately cached from normal TTL. 14 April 2011: Wouter - configure created with newer autoconf 2.66. diff --git a/testdata/iter_soamin.rpl b/testdata/iter_soamin.rpl new file mode 100644 index 000000000..42eb80827 --- /dev/null +++ b/testdata/iter_soamin.rpl 
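Review bot: The added flush in do_cache_remove covers only the flag values 0 and PACKED_RRSET_SOA_NEG, so rrsets stored under the other flag values listed in packed_rrset.h (PACKED_RRSET_NSEC_AT_APEX, PACKED_RRSET_PARENT_SIDE) would survive a remove unless code outside the hunk handles them. The flags appear to be part of the cache key, so an operator who flushes a name to clear suspect data needs every variant gone. If the gap is real, a matching call such as `if(t == LDNS_RR_TYPE_NSEC) rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c, PACKED_RRSET_NSEC_AT_APEX);` belongs next to the new one. The new `if` also has an unbraced body that spans two continuation lines; braces would keep a later statement from falling outside the condition. The rest of do_cache_remove is outside the hunk.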
@@ -0,0 +1,208 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test cache of SOA with minimum ttl and normal ttl. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example.com. 
IN SOA +SECTION ANSWER +example.com. 86400 IN SOA dns1.icann.org. hostmaster.icann.org. 2010074630 7200 3600 1209600 3600 +SECTION AUTHORITY +example.com. 3600 IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. 3600 IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +nx.example.com. IN A +SECTION AUTHORITY +example.com. 3600 IN SOA dns1.icann.org. hostmaster.icann.org. 2010074630 7200 3600 1209600 3600 +ENTRY_END + +RANGE_END + +; put both queries with SOA records into the cache and then query them from +; the cache. +; first the nxdomain, so that the positive SOA answer later overrides the +; SOA from the authority section from that nxdomain. + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +nx.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +nx.example.com. IN A +SECTION AUTHORITY +example.com. 3600 IN SOA dns1.icann.org. hostmaster.icann.org. 2010074630 7200 3600 1209600 3600 +ENTRY_END + +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +example.com. IN SOA +ENTRY_END + +; recursion happens here. +STEP 30 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA NOERROR +SECTION QUESTION +example.com. IN SOA +SECTION ANSWER +example.com. 86400 IN SOA dns1.icann.org. hostmaster.icann.org. 2010074630 7200 3600 1209600 3600 +SECTION AUTHORITY +example.com. 3600 IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. 3600 IN A 1.2.3.4 +ENTRY_END + +; now check them from the cache (no seconds elapsed). + +STEP 110 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +nx.example.com. IN A +ENTRY_END + +STEP 120 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +nx.example.com. IN A +SECTION AUTHORITY +example.com. 3600 IN SOA dns1.icann.org. hostmaster.icann.org. 
2010074630 7200 3600 1209600 3600 +ENTRY_END + +STEP 130 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +example.com. IN SOA +ENTRY_END + +STEP 140 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA NOERROR +SECTION QUESTION +example.com. IN SOA +SECTION ANSWER +example.com. 86400 IN SOA dns1.icann.org. hostmaster.icann.org. 2010074630 7200 3600 1209600 3600 +SECTION AUTHORITY +example.com. 3600 IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. 3600 IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END diff --git a/testdata/val_negcache_dssoa.rpl b/testdata/val_negcache_dssoa.rpl index b312a9f13..7040af830 100644 --- a/testdata/val_negcache_dssoa.rpl +++ b/testdata/val_negcache_dssoa.rpl @@ -140,12 +140,16 @@ ENTRY_END ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id -REPLY QR AA NOERROR +REPLY QR AA NXDOMAIN SECTION QUESTION -example.com. IN SOA -SECTION ANSWER -example.com. IN SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200 -example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854} +nx.example.com. IN A +SECTION AUTHORITY +example.com. 7200 IN SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200 +example.com. 7200 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854} +nw.example.com. 7200 IN NSEC ny.example.com. A RRSIG +nw.example.com. 7200 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AHMp+sqWyR3JL6P0LhJ10fufMFSkW9+DM3QghOokyqgbRu54Q1XrHoE= ;{id = 2854} +!.example.com. 7200 IN NSEC +.example.com. A RRSIG +!.example.com. 7200 IN RRSIG NSEC 3 3 7200 20070926134150 20070829134150 2854 example.com. AJsNy2VkFTJEMShfEcvIkBe+UViVYDJbNNuGnwf/QecOrhONaVpIXy4= ;{id = 2854} ENTRY_END RANGE_END 
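Review bot: The new iter_soamin.rpl scenario reads both SOA entries back from the cache only with no time elapsed (steps 110 to 140), so it does not show the two TTLs counting down independently. Adding a step such as `STEP 150 TIME_PASSES ELAPSE 100` followed by the same two queries, expecting 3500 on the authority-section SOA and 86300 on the answer-section SOA, would cover that. The flush path changed in daemon/remote.c is not exercised by this scenario either.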
@@ -204,19 +208,23 @@ STEP 14 QUERY ENTRY_BEGIN REPLY RD DO SECTION QUESTION -example.com. IN SOA +nx.example.com. IN A ENTRY_END STEP 15 CHECK_ANSWER ENTRY_BEGIN MATCH all -REPLY QR RD RA AD NOERROR +REPLY QR RD RA AD NXDOMAIN SECTION QUESTION -example.com. IN SOA +nx.example.com. IN A SECTION ANSWER -example.com. IN SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200 -example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854} SECTION AUTHORITY +example.com. 7200 IN SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200 +example.com. 7200 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854} +nw.example.com. 7200 IN NSEC ny.example.com. A RRSIG +nw.example.com. 7200 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AHMp+sqWyR3JL6P0LhJ10fufMFSkW9+DM3QghOokyqgbRu54Q1XrHoE= ;{id = 2854} +!.example.com. 7200 IN NSEC +.example.com. A RRSIG +!.example.com. 7200 IN RRSIG NSEC 3 3 7200 20070926134150 20070829134150 2854 example.com. AJsNy2VkFTJEMShfEcvIkBe+UViVYDJbNNuGnwf/QecOrhONaVpIXy4= ;{id = 2854} SECTION ADDITIONAL ENTRY_END 
@@ -238,8 +246,8 @@ SECTION ANSWER SECTION AUTHORITY sub.example.com. IN NSEC www.example.com. NS RRSIG NSEC sub.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFDCaiDM6G+glwNW276HWdH+McmjgAhRSwF5OfimNQCqkWgnYotLOwUghKQ== ;{id = 2854} -example.com. IN SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200 -example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854} +example.com. 7200 IN SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200 +example.com. 7200 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854} ENTRY_END SCENARIO_END diff --git a/util/data/msgparse.c b/util/data/msgparse.c index 68ca4ebab..db5f4147e 100644 --- a/util/data/msgparse.c +++ b/util/data/msgparse.c @@ -145,11 +145,13 @@ nsec_at_apex(ldns_buffer* pkt) /** Calculate rrset flags */ static uint32_t -pkt_rrset_flags(ldns_buffer* pkt, uint16_t type) +pkt_rrset_flags(ldns_buffer* pkt, uint16_t type, ldns_pkt_section sec) { uint32_t f = 0; if(type == LDNS_RR_TYPE_NSEC && nsec_at_apex(pkt)) { f |= PACKED_RRSET_NSEC_AT_APEX; + } else if(type == LDNS_RR_TYPE_SOA && sec == LDNS_SECTION_AUTHORITY) { + f |= PACKED_RRSET_SOA_NEG; } return f; } @@ -482,7 +484,7 @@ find_rrset(struct msg_parse* msg, ldns_buffer* pkt, uint8_t* dname, } } /* find by hashing and lookup in hashtable */ - *rrset_flags = pkt_rrset_flags(pkt, type); + *rrset_flags = pkt_rrset_flags(pkt, type, section); /* if rrsig - try to lookup matching data set first */ if(type == LDNS_RR_TYPE_RRSIG && pkt_rrsig_covered(pkt, diff --git a/util/data/packed_rrset.h b/util/data/packed_rrset.h index 2171ecbb0..f2dd6e877 100644 --- a/util/data/packed_rrset.h +++ b/util/data/packed_rrset.h 
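Review bot: The comment above pkt_rrset_flags still reads only `/** Calculate rrset flags */` and says nothing about the new `sec` parameter or the rule it now carries. The flag is chosen from the section alone, so every SOA parsed from the authority section gets PACKED_RRSET_SOA_NEG whatever the rcode. That matches the comment added in packed_rrset.h but is not obvious at this point in the code. I would extend the comment to something like `/** Calculate rrset flags; sec is the section the RR is in, an SOA in the authority section is keyed as PACKED_RRSET_SOA_NEG */`. The second hunk in this file only passes `section` through from find_rrset, whose body lies mostly outside the hunk.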
@@ -54,6 +54,10 @@ typedef uint64_t rrset_id_t; #define PACKED_RRSET_NSEC_AT_APEX 0x1 /** this rrset is A/AAAA and is in-zone-glue (from parent side of zonecut) */ #define PACKED_RRSET_PARENT_SIDE 0x2 +/** this rrset is SOA and has the negative ttl (from nxdomain or nodata), + * this is set on SOA rrsets in the authority section, to keep its TTL separate + * from the SOA in the answer section from a direct SOA query or ANY query. */ +#define PACKED_RRSET_SOA_NEG 0x4 /** * The identifying information for an RRset. @@ -73,6 +77,7 @@ struct packed_rrset_key { * Flags. 32bit to be easy for hashing: * o PACKED_RRSET_NSEC_AT_APEX * o PACKED_RRSET_PARENT_SIDE + * o PACKED_RRSET_SOA_NEG */ uint32_t flags; /** the rrset type in network format */ diff --git a/validator/val_neg.c b/validator/val_neg.c index e58cfbdc6..60434db03 100644 --- a/validator/val_neg.c +++ b/validator/val_neg.c @@ -1371,7 +1371,7 @@ static int add_soa(struct rrset_cache* rrset_cache, uint32_t now, return 0; } soa = rrset_cache_lookup(rrset_cache, nm, nmlen, LDNS_RR_TYPE_SOA, - dclass, 0, now, 0); + dclass, PACKED_RRSET_SOA_NEG, now, 0); if(!soa) return 0; if(!dns_msg_authadd(msg, region, soa, now)) { -- 2.47.2
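Review bot: In add_soa the lookup now asks only for the PACKED_RRSET_SOA_NEG entry, and this is the single SOA lookup the patch updates. Authority-section SOAs are stored under that flag from now on, so any other rrset_cache_lookup for LDNS_RR_TYPE_SOA that still passes flags 0 and expects the negative-answer SOA would silently miss it. Those call sites are not visible here and should be checked. A short comment at this call, e.g. `/* SOA from negative answers is cached under PACKED_RRSET_SOA_NEG, not flags 0 */`, would explain why the flag argument is no longer 0. add_soa begins and ends outside the hunk.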