From: Yorgos Thessalonikefs Date: Fri, 20 Jun 2025 12:09:30 +0000 (+0200) Subject: - Fix #1293: EDE 6 is attached to insecure cached answers when client sends X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=2d90d5d7299c3e60ef12210c34475a9e87a2ace2;p=thirdparty%2Funbound.git - Fix #1293: EDE 6 is attached to insecure cached answers when client sends the CD bit.
---
diff --git a/testdata/domain_insec_ds.rpl b/testdata/domain_insec_ds.rpl
index 2cd6055b3..6fe20a45c 100644
--- a/testdata/domain_insec_ds.rpl
+++ b/testdata/domain_insec_ds.rpl
@@ -6,6 +6,7 @@ server:
 val-override-date: "20070916134226"
 target-fetch-policy: "0 0 0 0 0"
 qname-minimisation: "no"
+ ede: yes
 stub-zone:
 name: "."
@@ -210,4 +211,26 @@ SECTION AUTHORITY SECTION ADDITIONAL ENTRY_END
+; Check cached response with CD bit
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD CD DO
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
+; a bug here would return EDE=6 (default from validator)
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA CD DO NOERROR
+SECTION QUESTION
+www.sub.example.com. IN A
+SECTION ANSWER
+www.sub.example.com. 3600 IN A 11.11.11.11
+www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
 SCENARIO_END
diff --git a/validator/validator.c b/validator/validator.c
index 7f8b19263..d43ab6325 100644
--- a/validator/validator.c
+++ b/validator/validator.c
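Review bot: STEP 21 relies on `MATCH all` to prove that no EDE option comes back on the cached CD answer, but nothing in the hunk shows that `MATCH all` compares EDNS options rather than only the sections, flags and rcode; if it does not, the step passes with or without the EDE and the comment `; a bug here would return EDE=6 (default from validator)` describes a failure the step cannot observe. It is worth confirming against the replay matcher that an unexpected EDE in the response fails this step, and if it does not, asserting the absence of the option explicitly with the matcher's EDE keyword. The comment could also name what makes the option reachable, e.g. `; Check cached response with CD bit (ede: yes is enabled in server: above)`.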
@@ -2593,6 +2593,15 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq,
 /* Update rep->reason_bogus as it is the one being cached */
 update_reason_bogus(vq->orig_msg->rep, errinf_to_reason_bogus(qstate));
+ if(vq->orig_msg->rep->security != sec_status_bogus &&
+ vq->orig_msg->rep->security != sec_status_secure_sentinel_fail
+ && vq->orig_msg->rep->reason_bogus == LDNS_EDE_DNSSEC_BOGUS) {
+ /* Not interested in any DNSSEC EDE here, validator by default
+ * uses LDNS_EDE_DNSSEC_BOGUS;
+ * TODO revisit default value for the module */
+ vq->orig_msg->rep->reason_bogus = LDNS_EDE_NONE;
+ }
+
 /* store results in cache */
 if((qstate->query_flags&BIT_RD)) {
 /* if secure, this will override cache anyway, no need
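Review bot: The new guard clears only `LDNS_EDE_DNSSEC_BOGUS`, while the comment above it says the validator is "not interested in any DNSSEC EDE here"; since it runs right after `update_reason_bogus(vq->orig_msg->rep, errinf_to_reason_bogus(qstate))`, a non-bogus reply whose reason_bogus was just set to some other DNSSEC code from errinf would still be cached with it. If the default code is the only one a non-bogus answer can carry at this point, the comment should say that rather than "any", e.g. `/* A non-bogus answer must not carry the validator's default LDNS_EDE_DNSSEC_BOGUS into the cache */`; otherwise the condition needs to cover the other codes that should be dropped, which cannot be settled from this hunk. The `&&` placement is also inconsistent (trailing on the first condition line, leading on the third) and is worth normalising to one style. processFinished begins before and continues past this hunk, so any earlier assignment of the default reason is not visible here.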