From: Marek Vavruša
Date: Fri, 29 May 2015 00:33:01 +0000 (+0200)
Subject: layer/iterate: ignore bad NS, don’t fail the packet
X-Git-Tag: v1.0.0-beta1~125^2~3^2~4^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4ba2884dc7cd5f80314bbf9b2e9579cfc29c5756;p=thirdparty%2Fknot-resolver.git
layer/iterate: ignore bad NS, don’t fail the packet
if an authoritative answer comes and the server responds correctly, but appends out-of-bailiwick NS records, ignore them but resolve the query
---
diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index 406aef902..da49252d1 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -192,8 +192,8 @@ static int update_cut(knot_pkt_t *pkt, const knot_rrset_t *rr, struct kr_request
 /* Authority MUST be at/below the authority of the nameserver, otherwise
 * possible cache injection attempt. */
 if (!knot_dname_in(cut->name, rr->owner)) {
- DEBUG_MSG("<= authority: ns outside bailiwick, rejecting\n");
- return KNOT_STATE_FAIL;
+ DEBUG_MSG("<= authority: ns outside bailiwick, ignoring\n");
+ return state;
 }
 /* Update zone cut name */
diff --git a/lib/layer/rrcache.c b/lib/layer/rrcache.c
index 821da0688..8001452b0 100644
--- a/lib/layer/rrcache.c
+++ b/lib/layer/rrcache.c
@@ -192,7 +192,7 @@ static int write_cache_answer(knot_pkt_t *pkt, struct kr_cache_txn *txn, mm_ctx_
 }
 /** Cache stub nameservers. */
-static int write_cache_authority(knot_pkt_t *pkt, struct kr_cache_txn *txn, mm_ctx_t *pool, uint32_t timestamp)
+static int write_cache_authority(struct kr_zonecut *cut, knot_pkt_t *pkt, struct kr_cache_txn *txn, mm_ctx_t *pool, uint32_t timestamp)
 {
 knot_rrset_t glue_rr = { NULL, 0, 0 };
 knot_rrset_t cache_rr = { NULL, 0, 0 };
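Review bot: The bailiwick branch in update_cut now returns `state` with no comment saying who enforces the check afterwards, while the comment above it still describes a possible cache injection attempt. Because the response is no longer failed, the out-of-bailiwick NS stays in the packet for later layers, so the protection rests on each layer that caches authority data repeating the `knot_dname_in()` test. I would add `/* Skip this NS only; the packet is still processed, so layers that cache authority data must re-check the bailiwick. */` above `return state;`. The only trace of the event is a `DEBUG_MSG`, which is presumably absent from release builds, so a counter or non-debug log line may be worth considering for spotting repeated attempts. `state` is declared outside the hunk and the function body continues past it.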
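Review bot: The doc comment on write_cache_authority still reads only `/** Cache stub nameservers. */` and says nothing about the new `cut` parameter or that it is the bailiwick against which NS owners are filtered. A line such as `/** Cache stub nameservers; NS records whose owner is not at/below cut->name are not cached. */` would record the contract. As far as the visible lines show `cut` is only read, so `const struct kr_zonecut *cut` may fit, though the body continues outside the hunk.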
@@ -204,6 +204,10 @@ static int write_cache_authority(knot_pkt_t *pkt, struct kr_cache_txn *txn, mm_c
 for (unsigned i = 0; i < ns->count; ++i) {
 const knot_rrset_t *rr = knot_pkt_rr(ns, i);
 if (rr->type == KNOT_RRTYPE_NS) {
+ /* Cache in-bailiwick data only */
+ if (!knot_dname_in(cut->name, rr->owner)) {
+ return KNOT_ENOENT;
+ }
 /* Cache glue (if contains) */
 for (unsigned i = 0; i < sizeof(type_list)/sizeof(uint16_t); ++i) {
 knot_dname_t *owner = (knot_dname_t *)knot_ns_name(&rr->rrs, 0);
@@ -254,7 +258,7 @@ static int stash(knot_layer_t *ctx, knot_pkt_t *pkt)
 ret = write_cache_answer(pkt, &txn, pool, timestamp);
 }
 if (ret == KNOT_EOK) {
- ret = write_cache_authority(pkt, &txn, pool, timestamp);
+ ret = write_cache_authority(&query->zone_cut, pkt, &txn, pool, timestamp);
 }
 /* Cache full, do what we must. */
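Review bot: The new bailiwick check in write_cache_authority uses `return KNOT_ENOENT;`, which abandons the whole authority section at the first out-of-bailiwick NS instead of skipping that one record. NS records earlier in the section have already been handled while later, valid ones are dropped, so the result depends on record order, and the error is handed to stash (the `-254` hunk), whose handling of a non-EOK result lies outside the visible lines. To match the "ignore" behaviour adopted in iterate.c, `if (!knot_dname_in(cut->name, rr->owner)) { continue; }` would skip only the offending RR. The check also covers only `rr->owner`, while the glue owner is taken from the NS target via `knot_ns_name(&rr->rrs, 0)`, so whether glue for a target outside the cut can still be cached should be confirmed against the lookup code below the hunk.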