+5139. [bug] If possible, don't use forwarders when priming.
+ This ensures we can get root server IP addresses
+ from priming query response glue, which may not
+ be present if the forwarding server is returning
+ minimal responses. [GL #752]
+
5138. [bug] Under some circumstances named could hit an assertion
failure when doing qname minimization when using
forwarders. [GL #797]
listen-on-v6 { none; };
recursion yes;
dnssec-validation yes;
+ minimal-responses yes;
};
zone "." {
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ forwarders { 10.53.0.4; };
+ forward first;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
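Review bot: The new ns7 instance is configured with `forward first` only, so the tests in this change never exercise the other branch of the resolver check, where `DNS_FETCHOPT_NOFORWARD` must be ignored under `forward only`. That branch is the one that protects a forwarding policy boundary, so a second instance or a reconfiguration step with `forward only;` would be worth adding, asserting that the `./NS` query does reach 10.53.0.4. A leading comment such as `/* ns7: forward-first resolver used to check that priming bypasses forwarders */` would also tell readers why the file exists.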
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example1 NS ns.example1
+ns.example1 A 10.53.0.1
+
+example2 NS ns.example2
+ns.example2 A 10.53.0.1
+
+example3 NS ns.example3
+ns.example3 A 10.53.0.1
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+echo_i "checking that priming queries are not forwarded"
+ret=0
+$DIG $DIGOPTS +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.f7 || ret=1
+sent=`sed -n '/sending packet to 10.53.0.1/,/^$/p' ns7/named.run | grep ";.*IN.*NS" | wc -l`
+[ $sent -eq 1 ] || ret=1
+sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run | wc -l`
+[ $sent -eq 0 ] || ret=1
+sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run | wc -l`
+[ $sent -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
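Review bot: The first count uses `grep ";.*IN.*NS"`, which is loose enough to match any question line whose type merely contains "NS", for example a `DNSKEY` question, and any owner name rather than only the root. Anchoring it to the root NS question, e.g. `grep ";\.[[:space:]]*IN[[:space:]]*NS$"`, would make the `-eq 1` assertion mean what the test title says; the exact whitespace in the packet dump is an assumption here, so check it against a real `named.run`. Since three separate conditions feed one `ret`, a distinct `echo_i` per failed condition would also make a failure easier to triage.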
when doing qname
minimization on
ip6.arpa. */
+#define DNS_FETCHOPT_NOFORWARD 0x00080000 /*%< Do not use forwarders
+ if possible. */
/* Reserved in use by adb.c 0x00400000 */
#define DNS_FETCHOPT_EDNSVERSIONSET 0x00800000
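Review bot: The doc comment on `DNS_FETCHOPT_NOFORWARD` says only "if possible", which leaves callers guessing about when the flag is honoured. The resolver hunk in this same change shows the condition is the forwarding policy, so the header can say so: `/*%< Skip forwarders and go straight to the name servers; ignored when the forwarding policy is "forward only". */`. Stating that in the public header matters because it is what stops a future caller from assuming the flag can override a forward-only policy.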
INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
+ /*
+ * If we have DNS_FETCHOPT_NOFORWARD set and forwarding policy
+ * allows us to not forward - skip forwarders and go straight
+ * to NSes. This is currently used to make sure that priming query
+ * gets root servers' IP addresses in ADDITIONAL section.
+ */
+ if ((fctx->options & DNS_FETCHOPT_NOFORWARD) != 0 &&
+ (fctx->fwdpolicy != dns_fwdpolicy_only))
+ {
+ goto normal_nses;
+ }
+
/*
* If this fctx has forwarders, use them; otherwise use any
* selective forwarders specified in the view; otherwise use the
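Review bot: The new early `goto normal_nses` trusts `fctx->fwdpolicy` before the forwarder selection that follows it has run, and that selection, per the context comment, also covers selective forwarders from the view. If `fwdpolicy` is only finalised there rather than when the fctx is created (not visible in this hunk), a `forward only` configuration would still read as something else at this point and the fetch would go directly to the name servers. It is worth confirming where `fwdpolicy` is set and recording it in the comment, e.g. `* fctx->fwdpolicy was resolved from the view's forwarding table when the fctx was created, so "forward only" is already known here.` The jump also bypasses forwarders attached to the fctx itself, which the comment should mention if intended. The function continues outside the hunk.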
/*
* Normal nameservers.
*/
-
+ normal_nses:
stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
if (fctx->restarts == 1) {
/*
LOCK(&res->primelock);
result = dns_resolver_createfetch(res, dns_rootname,
dns_rdatatype_ns,
- NULL, NULL, NULL, NULL, 0, 0,
- 0, NULL,
- res->buckets[0].task,
- prime_done,
- res, rdataset, NULL,
- &res->primefetch);
+ NULL, NULL, NULL, NULL, 0,
+ DNS_FETCHOPT_NOFORWARD, 0,
+ NULL, res->buckets[0].task,
+ prime_done, res, rdataset,
+ NULL, &res->primefetch);
UNLOCK(&res->primelock);
if (result != ISC_R_SUCCESS) {
isc_mem_put(res->mctx, rdataset, sizeof(*rdataset));
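Review bot: The `DNS_FETCHOPT_NOFORWARD` argument is passed here with no comment, although it changes where a `forward first` resolver sends its priming query: directly to the hint addresses instead of via the forwarder. That is visible to operators who use forwarders to control egress, so the call site should say why, e.g. `/* Prime directly from the hints so the response carries root server glue; "forward only" still forces forwarding. */`. The same behaviour is worth a sentence in the user documentation for `forwarders`, if this change does not already add one. The enclosing function starts and ends outside the hunk.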