Remove false positive qname minimisation error
authorMark Andrews <marka@isc.org>
Thu, 20 Jun 2024 04:02:24 +0000 (14:02 +1000)
committerMark Andrews <marka@isc.org>
Thu, 1 Aug 2024 05:58:16 +0000 (15:58 +1000)
Don't report qname minimisation NXDOMAIN errors when the result is
NXDOMAIN.

(cherry picked from commit f78beca942ce76dde023ef1ec641924b5fe567e8)

lib/dns/resolver.c

index 751534d73fd0c7c3959b00b7e00e9459d314aaae..d858fc8636eed4feed413ee66ef28cd596ba80e7 100644 (file)
@@ -383,6 +383,7 @@ struct fetchctx {
        bool minimized;
        unsigned int qmin_labels;
        isc_result_t qmin_warning;
+       bool force_qmin_warning;
        bool ip6arpaskip;
        bool forwarding;
        dns_fixedname_t qminfname;
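Review bot: `force_qmin_warning` is added to `struct fetchctx` with no comment and no initialisation anywhere in this diff, yet `validated()` and `ncache_message()` read it before anything in the visible code has written it. If the fetch context is not zero-initialised where it is created (that code is not shown here), those reads see an indeterminate value and the qname minimisation warning could be kept or cleared unpredictably. Please confirm the creation path zeroes the struct, or set `fctx->force_qmin_warning = false;` there explicitly. A field comment such as `/* a later answer contradicted an earlier qmin NXDOMAIN; do not clear qmin_warning */` would also record what the flag is for.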
@@ -4345,6 +4346,24 @@ resume_qmin(isc_task_t *task, isc_event_t *event) {
                        goto cleanup;
                }
                break;
+
+       case ISC_R_SUCCESS:
+       case DNS_R_DELEGATION:
+       case DNS_R_NXRRSET:
+       case DNS_R_NCACHENXRRSET:
+       case DNS_R_CNAME:
+       case DNS_R_DNAME:
+               /*
+                * We have previously detected a possible error of an
+                * incorrect NXDOMAIN and now have a response that
+                * indicates that it was an actual error.
+                */
+               if (fctx->qmin_warning == DNS_R_NCACHENXDOMAIN ||
+                   fctx->qmin_warning == DNS_R_NXDOMAIN)
+               {
+                       fctx->force_qmin_warning = true;
+               }
+               FALLTHROUGH;
        default:
                /*
                 * When DNS_FETCHOPT_NOFOLLOW is set and a delegation
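Review bot: The new case block latches `force_qmin_warning`, but nothing in this diff clears it again, and the comment says neither that the flag is one-way nor what it gates. Since it is the only thing keeping the operator-visible warning when an upstream returns NXDOMAIN for an ancestor and then a positive or delegation answer below it, I would add a line to the comment such as `* Latch the warning so validated() and ncache_message() do not clear it on a later NXDOMAIN.` The explicit list of result codes also deserves a sentence on why these count as contradicting the earlier NXDOMAIN, so that a code added later is not silently left to `default`. resume_qmin() starts and ends outside the hunk.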
@@ -5688,6 +5707,19 @@ validated(isc_task_t *task, isc_event_t *event) {
                        covers = fctx->type;
                }
 
+               /*
+                * Don't report qname minimisation NXDOMAIN errors
+                * when the result is NXDOMAIN except we have already
+                * confirmed a higher error.
+                */
+               if (!fctx->force_qmin_warning &&
+                   message->rcode == dns_rcode_nxdomain &&
+                   (fctx->qmin_warning == DNS_R_NXDOMAIN ||
+                    fctx->qmin_warning == DNS_R_NCACHENXDOMAIN))
+               {
+                       fctx->qmin_warning = ISC_R_SUCCESS;
+               }
+
                result = dns_db_findnode(fctx->cache, vevent->name, true,
                                         &node);
                if (result != ISC_R_SUCCESS) {
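Review bot: The block added here is repeated verbatim in the `ncache_message()` hunk, and its NXDOMAIN/NCACHENXDOMAIN test on `fctx->qmin_warning` appears a third time in `resume_qmin()`. The two copies that decide when a warning is suppressed can drift apart, so I would move them into one static helper taking `fctx` and `message` and call it from both places, e.g. `qmin_clear_nxdomain_warning(fctx, message);` (name is only a suggestion). The comment wording "except we have already confirmed a higher error" is hard to parse; `unless an error higher in the tree has already been confirmed` reads more clearly. Whether `message` here is the response that has just been validated is not visible in the hunk; `validated()` continues on both sides of it.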
@@ -6831,6 +6863,18 @@ ncache_message(fetchctx_t *fctx, dns_message_t *message,
                goto unlock;
        }
 
+       /*
+        * Don't report qname minimisation NXDOMAIN errors
+        * when the result is NXDOMAIN except we have already
+        * confirmed a higher error.
+        */
+       if (!fctx->force_qmin_warning && message->rcode == dns_rcode_nxdomain &&
+           (fctx->qmin_warning == DNS_R_NXDOMAIN ||
+            fctx->qmin_warning == DNS_R_NCACHENXDOMAIN))
+       {
+               fctx->qmin_warning = ISC_R_SUCCESS;
+       }
+
        /*
         * If we are asking for a SOA record set the cache time
         * to zero to facilitate locating the containing zone of