If we try to fetch a record from cache and need to look into
hints database we assume that the resolver is not primed and
start dns_resolver_prime(). Priming query is supposed to return
NSes for "." in ANSWER section and glue records for them in
ADDITIONAL section, so that we can fill that info in 'regular'
cache and not use hints db anymore.
However, if we're using a forwarder the priming query goes through
it, and if it's configured to return minimal answers we won't get
the addresses of root servers in ADDITIONAL section. Since the
only records for root servers we have are in hints database we'll
try to prime the resolver with every single query.
This patch adds a DNS_FETCHOPT_NOFORWARD flag which avoids using
forwarders if possible (that is if we have forward-first policy).
Using this flag on priming fetch fixes the problem as we get the
proper glue. With forward-only policy the problem is non-existent,
as we'll never ask for root server addresses because we'll never
have a need to query them.
Also added a test to confirm priming queries are not forwarded.
(cherry picked from commit
b49310ac06ac87733dc2867828e61370a84b2a9a)
+5139. [bug] If possible, don't use forwarders when priming.
+ This ensures we can get root server IP addresses
+ from priming query response glue, which may not
+ be present if the forwarding server is returning
+ minimal responses. [GL #752]
+
5134. [bug] win32: WSAStartup was not called before getservbyname
was called. [GL #590]
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation yes;
+ minimal-responses yes;
};
zone "." {
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+ query-source address 10.53.0.7;
+ notify-source 10.53.0.7;
+ transfer-source 10.53.0.7;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.7; };
+ listen-on-v6 { none; };
+ forwarders { 10.53.0.4; };
+ forward first;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example1 NS ns.example1
+ns.example1 A 10.53.0.1
+
+example2 NS ns.example2
+ns.example2 A 10.53.0.1
+
+example3 NS ns.example3
+ns.example3 A 10.53.0.1
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns7/named.conf.in ns7/named.conf
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+echo_i "checking that priming queries are not forwarded"
+ret=0
+$DIG $DIGOPTS +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.f7 || ret=1
+sent=`sed -n '/sending packet to 10.53.0.1/,/^$/p' ns7/named.run | grep ";.*IN.*NS" | wc -l`
+[ $sent -eq 1 ] || ret=1
+sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run | wc -l`
+[ $sent -eq 0 ] || ret=1
+sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run | wc -l`
+[ $sent -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
/*
* Options that modify how a 'fetch' is done.
*/
-#define DNS_FETCHOPT_TCP 0x0001 /*%< Use TCP. */
-#define DNS_FETCHOPT_UNSHARED 0x0002 /*%< See below. */
-#define DNS_FETCHOPT_RECURSIVE 0x0004 /*%< Set RD? */
-#define DNS_FETCHOPT_NOEDNS0 0x0008 /*%< Do not use EDNS. */
-#define DNS_FETCHOPT_FORWARDONLY 0x0010 /*%< Only use forwarders. */
-#define DNS_FETCHOPT_NOVALIDATE 0x0020 /*%< Disable validation. */
-#define DNS_FETCHOPT_EDNS512 0x0040 /*%< Advertise a 512 byte
- UDP buffer. */
-#define DNS_FETCHOPT_WANTNSID 0x0080 /*%< Request NSID */
-#define DNS_FETCHOPT_PREFETCH 0x0100 /*%< Do prefetch */
-#define DNS_FETCHOPT_NOCDFLAG 0x0200 /*%< Don't set CD flag. */
-#define DNS_FETCHOPT_NONTA 0x0400 /*%< Ignore NTA table. */
-/* RESERVED ECS 0x0000 */
-/* RESERVED ECS 0x1000 */
-/* RESERVED ECS 0x2000 */
-/* RESERVED TCPCLIENT 0x4000 */
-#define DNS_FETCHOPT_NOCACHED 0x8000 /*%< Force cache update. */
+#define DNS_FETCHOPT_TCP 0x00001 /*%< Use TCP. */
+#define DNS_FETCHOPT_UNSHARED 0x00002 /*%< See below. */
+#define DNS_FETCHOPT_RECURSIVE 0x00004 /*%< Set RD? */
+#define DNS_FETCHOPT_NOEDNS0 0x00008 /*%< Do not use EDNS. */
+#define DNS_FETCHOPT_FORWARDONLY 0x00010 /*%< Only use forwarders. */
+#define DNS_FETCHOPT_NOVALIDATE 0x00020 /*%< Disable validation. */
+#define DNS_FETCHOPT_EDNS512 0x00040 /*%< Advertise a 512 byte
+ 0 UDP buffer. */
+#define DNS_FETCHOPT_WANTNSID 0x00080 /*%< Request NSID */
+#define DNS_FETCHOPT_PREFETCH 0x00100 /*%< Do prefetch */
+#define DNS_FETCHOPT_NOCDFLAG 0x00200 /*%< Don't set CD flag. */
+#define DNS_FETCHOPT_NONTA 0x00400 /*%< Ignore NTA table. */
+/* RESERVED ECS 0x00000 */
+/* RESERVED ECS 0x01000 */
+/* RESERVED ECS 0x02000 */
+/* RESERVED TCPCLIENT 0x04000 */
+#define DNS_FETCHOPT_NOCACHED 0x08000 /*%< Force cache update. */
+#define DNS_FETCHOPT_NOFORWARD 0x80000 /*%< Do not use forwarders
+ if possible. */
/* Reserved in use by adb.c 0x00400000 */
#define DNS_FETCHOPT_EDNSVERSIONSET 0x00800000
INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
+ /*
+ * If we have DNS_FETCHOPT_NOFORWARD set and forwarding policy
+ * allows us to not forward - skip forwarders and go straight
+ * to NSes. This is currently used to make sure that priming query
+ * gets root servers' IP addresses in ADDITIONAL section.
+ */
+ if ((fctx->options & DNS_FETCHOPT_NOFORWARD) != 0 &&
+ (fctx->fwdpolicy != dns_fwdpolicy_only))
+ {
+ goto normal_nses;
+ }
+
/*
* If this fctx has forwarders, use them; otherwise use any
* selective forwarders specified in the view; otherwise use the
/*
* Normal nameservers.
*/
-
+ normal_nses:
stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
if (fctx->restarts == 1) {
/*
LOCK(&res->primelock);
result = dns_resolver_createfetch(res, dns_rootname,
dns_rdatatype_ns,
- NULL, NULL, NULL, 0,
+ NULL, NULL, NULL,
+ DNS_FETCHOPT_NOFORWARD,
res->buckets[0].task,
prime_done,
res, rdataset, NULL,
./bin/tests/system/forward/ns4/root.db ZONE 2000,2001,2004,2007,2016,2018,2019
./bin/tests/system/forward/ns5/named.conf.in CONF-C 2011,2016,2018,2019
./bin/tests/system/forward/ns5/root.db ZONE 2011,2016,2018,2019
+./bin/tests/system/forward/ns7/named.conf.in CONF-C 2019
+./bin/tests/system/forward/ns7/root.db ZONE 2019
./bin/tests/system/forward/rfc1918-inherited.conf CONF-C 2016,2018,2019
./bin/tests/system/forward/rfc1918-notinherited.conf CONF-C 2016,2018,2019
./bin/tests/system/forward/setup.sh SH 2018,2019
projects / thirdparty / bind9.git / commitdiff
