From efb9c02d54f493a65e52ef39a01f4d1606b6586c Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Fri, 8 Apr 2011 13:58:41 +0000
Subject: [PATCH] - iana portlist updated. - queries with CD flag set cause DNSSEC validation, but the answer is not withheld if it is bogus. Thus, unbound will retry if it is bad and curb the TTL if it is bad, thus protecting the cache for use by downstream validators.

git-svn-id: file:///svn/unbound/trunk@2409 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog              |  7 +++++++
 services/mesh.c            | 16 ++++++++++------
 testdata/val_referglue.rpl |  4 ++--
 util/iana_ports.inc        |  1 +
 4 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index af3822a0e..da9e0767a 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,10 @@
+8 April 2011: Wouter
+	- iana portlist updated.
+	- queries with CD flag set cause DNSSEC validation, but the answer is
+	  not withheld if it is bogus. Thus, unbound will retry if it is bad
+	  and curb the TTL if it is bad, thus protecting the cache for use by
+	  downstream validators.
+
 29 March 2011: Wouter
 	- harden-below-nxdomain: changed so that it activates when the
 	  cached nxdomain is dnssec secure. This avoids backwards
diff --git a/services/mesh.c b/services/mesh.c
index 04e9cebe4..0fe738c07 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -270,7 +270,11 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 	uint16_t qflags, struct edns_data* edns, struct comm_reply* rep,
 	uint16_t qid)
 {
-	struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags, 0);
+	/* do not use CD flag from user for mesh state, we want the CD-query
+	 * to receive validation anyway, to protect out cache contents and
+	 * avoid bad-data in this cache that a downstream validator cannot
+	 * remove from this cache */
+	struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&BIT_RD, 0);
 	int was_detached = 0;
 	int was_noreply = 0;
 	int added = 0;
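Review bot: Masking the lookup key to `qflags&BIT_RD` in mesh_new_client means a CD client and a non-CD client for the same question now share one mesh state, so the CD bit has to survive per client on the reply side (where the "do not withhold a bogus answer for CD" decision is made); that path is outside this diff, so it is worth confirming that each queued reply still records the client's original `qflags` rather than the masked value. The same masking is applied at the five other sites in this file (two in mesh_new_callback, two in mesh_new_prefetch, and the mesh_state_create call later in this function), but only this hunk carries the rationale; a one-liner at the others, `/* CD is masked off on purpose, see mesh_new_client */`, keeps it discoverable. The expression says "keep RD" rather than "strip CD": if any flag bit other than RD and CD could matter to the mesh state it is silently dropped here, and `qflags&~BIT_CD` would state the intent directly — if RD is the only bit the state keys on, the two are equivalent and this is purely readability. The new comment also has a typo, `to protect out cache contents` should read `to protect our cache contents`. mesh_new_client continues past the end of this hunk.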
@@ -298,7 +302,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 	/* see if it already exists, if not, create one */
 	if(!s) {
 		struct rbnode_t* n;
-		s = mesh_state_create(mesh->env, qinfo, qflags, 0);
+		s = mesh_state_create(mesh->env, qinfo, qflags&BIT_RD, 0);
 		if(!s) {
 			log_err("mesh_state_create: out of memory; SERVFAIL");
 			error_encode(rep->c->buffer, LDNS_RCODE_SERVFAIL,
@@ -357,7 +361,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 	uint16_t qflags, struct edns_data* edns, ldns_buffer* buf,
 	uint16_t qid, mesh_cb_func_t cb, void* cb_arg)
 {
-	struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags, 0);
+	struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&BIT_RD, 0);
 	int was_detached = 0;
 	int was_noreply = 0;
 	int added = 0;
@@ -366,7 +370,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 	/* see if it already exists, if not, create one */
 	if(!s) {
 		struct rbnode_t* n;
-		s = mesh_state_create(mesh->env, qinfo, qflags, 0);
+		s = mesh_state_create(mesh->env, qinfo, qflags&BIT_RD, 0);
 		if(!s) {
 			return 0;
 		}
@@ -403,7 +407,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
 	uint16_t qflags, uint32_t leeway)
 {
-	struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags, 0);
+	struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&BIT_RD, 0);
 	struct rbnode_t* n;
 	/* already exists, and for a different purpose perhaps.
 	 * if mesh_no_list, keep it that way. */
@@ -420,7 +424,7 @@ void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
 		mesh->stats_dropped ++;
 		return;
 	}
-	s = mesh_state_create(mesh->env, qinfo, qflags, 0);
+	s = mesh_state_create(mesh->env, qinfo, qflags&BIT_RD, 0);
 	if(!s) {
 		log_err("prefetch mesh_state_create: out of memory");
 		return;
diff --git a/testdata/val_referglue.rpl b/testdata/val_referglue.rpl
index c379c8545..fd7e7caa5 100644
--- a/testdata/val_referglue.rpl
+++ b/testdata/val_referglue.rpl
@@ -244,7 +244,6 @@
 ENTRY_END
 RANGE_END
 
-
 ; first ask for +CD and get the data in the cache.
 STEP 1 QUERY
 ENTRY_BEGIN
@@ -266,7 +265,8 @@ example.com. IN NS ns.example.com.
 example.com. IN NS ns2.sub.example.com.
 SECTION ADDITIONAL
 ns.example.com. IN A 1.2.3.4
-ns2.sub.example.com. IN A 100.200.30.40
+; already validated and thus stripped from the answer.
+;ns2.sub.example.com. IN A 100.200.30.40
 ENTRY_END
 
 ; now the data is in the cache, validate a referral from cache
diff --git a/util/iana_ports.inc b/util/iana_ports.inc
index 5be49edad..539a4489e 100644
--- a/util/iana_ports.inc
+++ b/util/iana_ports.inc
@@ -5065,6 +5065,7 @@
 14936,
 14937,
 15000,
+15118,
 15345,
 15363,
 15555,
-- 
2.47.2
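Review bot: The expected-answer change in val_referglue.rpl keeps the old glue record as a commented-out line, `;ns2.sub.example.com. IN A 100.200.30.40`, under the new explanatory comment; the absence of that record from the ADDITIONAL section is now the assertion this step makes, so the dead line adds nothing and the explanatory comment alone would be clearer. It would also help a reader if that comment named the cause, e.g. `; the +CD query is validated now, so the unvalidated glue is stripped from the answer.`, since the step comment earlier in the file still reads as if +CD bypasses validation. The replay scenario continues outside both hunks.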