From: Mark Andrews Date: Tue, 19 Oct 2021 22:22:50 +0000 (+1100) Subject: Allow "black lies" to be cached X-Git-Tag: v9.17.21~5^2~27 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c8a7f92b9e881c509b35eae915c6f4a1403dc39c;p=thirdparty%2Fbind9.git Allow "black lies" to be cached "black lies" differ from "white lies" in that the owner name of the NSEC record matches the QNAME and the intent is to return NODATA instead of NXDOMAIN for all types. Caching this NSEC does not lead to unexpected behaviour on synthesis when the QNAME matches the NSEC owner which it does for the the general "white lie" response. "black lie" QNAME NSEC \000.QNAME NSEC RRSIG "white lie" QNAME- NSEC QNAME+ NSEC RRSIG where QNAME- is a name that is close to QNAME but sorts before QNAME and QNAME+ is a that is close to QNAME but sorts after QNAME. Black lies are safe to cache as they don't bring into existence names that are not intended to exist. "Black lies" intentional change NXDOMAIN to NODATA. "White lies" bring QNAME- into existence and named would synthesis NODATA for QNAME+ if it is queried for that name instead of discovering the, presumable, NXDOMAIN response. Note rejection NSEC RRsets with NEXT names starting with the label '\000' renders this change ineffective (see reject-000-label). --- diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 04d57b7c3a5..6c6c67d5aae 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -5571,8 +5571,15 @@ answer_response: sigrdataset->trust != dns_trust_secure) { continue; } + + /* + * Don't cache "white lies" but do cache + * "black lies". + */ if (rdataset->type == dns_rdatatype_nsec && - is_minimal_nsec(rdataset)) { + !dns_name_equal(fctx->name, name) && + is_minimal_nsec(rdataset)) + { continue; } result = dns_db_findnode(fctx->cache, name, true,