- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry

This commit is contained in:
Paul Wouters 2018-03-21 22:01:22 +00:00
parent 5a52aae95e
commit 7760424284
2 changed files with 207 additions and 1 deletions

View File

@ -0,0 +1,199 @@
diff --git a/cachedb/cachedb.c b/cachedb/cachedb.c
index 7eb0df43..43abdc1b 100644
--- a/cachedb/cachedb.c
+++ b/cachedb/cachedb.c
@@ -589,7 +589,8 @@ cachedb_intcache_lookup(struct module_qstate* qstate)
qstate->region, qstate->env->scratch,
1 /* no partial messages with only a CNAME */
);
- if(!msg && qstate->env->neg_cache) {
+ if(!msg && qstate->env->neg_cache &&
+ iter_qname_indicates_dnssec(qstate->env, &iq->qchase)) {
/* lookup in negative cache; may result in
* NOERROR/NODATA or NXDOMAIN answers that need validation */
msg = val_neg_getmsg(qstate->env->neg_cache, &qstate->qinfo,
diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c
index 70cab40f..54844825 100644
--- a/iterator/iter_utils.c
+++ b/iterator/iter_utils.c
@@ -625,7 +625,7 @@ iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
}
int
-iter_indicates_dnssec_fwd(struct module_env* env, struct query_info *qinfo)
+iter_qname_indicates_dnssec(struct module_env* env, struct query_info *qinfo)
{
struct trust_anchor* a;
if(!env || !env->anchors || !qinfo || !qinfo->qname)
diff --git a/iterator/iter_utils.h b/iterator/iter_utils.h
index 602fa6db..a866d2c1 100644
--- a/iterator/iter_utils.h
+++ b/iterator/iter_utils.h
@@ -174,15 +174,14 @@ int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags,
struct delegpt* dp);
/**
- * See if qname has DNSSEC needs in the forwarding case. This is true if
- * there is a trust anchor above it. Whether there is an insecure delegation
- * to the data is unknown, but CD-retry is needed.
+ * See if qname has DNSSEC needs. This is true if there is a trust anchor above
+ * it. Whether there is an insecure delegation to the data is unknown.
* @param env: environment with anchors.
* @param qinfo: query name and class.
* @return true if trust anchor above qname, false if no anchor or insecure
* point above qname.
*/
-int iter_indicates_dnssec_fwd(struct module_env* env,
+int iter_qname_indicates_dnssec(struct module_env* env,
struct query_info *qinfo);
/**
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 7f3c6573..57fa839b 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -1206,7 +1206,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
iq->qchase.qname_len, iq->qchase.qtype,
iq->qchase.qclass, qstate->query_flags,
qstate->region, qstate->env->scratch, 0);
- if(!msg && qstate->env->neg_cache) {
+ if(!msg && qstate->env->neg_cache &&
+ iter_qname_indicates_dnssec(qstate->env, &iq->qchase)) {
/* lookup in negative cache; may result in
* NOERROR/NODATA or NXDOMAIN answers that need validation */
msg = val_neg_getmsg(qstate->env->neg_cache, &iq->qchase,
@@ -2366,7 +2367,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
* (blacklist nonempty) and no trust-anchors are configured
* above the qname or on the first attempt when dnssec is on */
EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&&
- !qstate->blacklist&&(!iter_indicates_dnssec_fwd(qstate->env,
+ !qstate->blacklist&&(!iter_qname_indicates_dnssec(qstate->env,
&iq->qinfo_out)||target->attempts==1)?0:BIT_CD),
iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted(
ie, iq), &target->addr, target->addrlen,
diff --git a/testdata/val_negcache_nta.rpl b/testdata/val_negcache_nta.rpl
new file mode 100755
index 00000000..2331643f
--- /dev/null
+++ b/testdata/val_negcache_nta.rpl
@@ -0,0 +1,120 @@
+; config options
+; The island of trust is at testzone.nlnetlabs.nl
+server:
+ trust-anchor: "testzone.nlnetlabs.nl. IN DS 2926 8 2 6f8512d1e82eecbd684fc4a76f39f8c5b411af385494873bdead663ddb78a88b"
+ val-override-date: "20180213111425"
+ target-fetch-policy: "0 0 0 0 0"
+ trust-anchor-signaling: no
+ aggressive-nsec: yes
+ domain-insecure: "ant.testzone.nlnetlabs.nl"
+
+stub-zone:
+ name: "testzone.nlnetlabs.nl"
+ stub-addr: 185.49.140.60
+stub-zone:
+ name: "ant.testzone.nlnetlabs.nl"
+ stub-addr: 185.49.140.61
+CONFIG_END
+
+SCENARIO_BEGIN Test to not do aggressive NSEC for domains under NTA
+
+; testzone.nlnetlabs.nl nameserver
+RANGE_BEGIN 0 100
+ ADDRESS 185.49.140.60
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+testzone.nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+testzone.nlnetlabs.nl. 3600 IN DNSKEY 256 3 8 AwEAAbrNEg01ByEpUUiip+GNAkNVjUfeX7sl9kPUssR3JQvhCJWVs7aBY0Ae1cNtQWgzCmidGorlXvEY2nNBiMM4l7IXqopJsgyj+Cb3nQPVLi/7yVwUb+AIwSJw1gRFElMYonsMOL9qUrJi8BBCnCR0EqkL+X4slmtkXSJbzQAwvHI7
+testzone.nlnetlabs.nl. 3600 IN DNSKEY 257 3 8 AwEAAbn0eGV0wqMBQNSVTY//BoiOD7bexC7FcVv0fH9bwjKOA8I+ob377E14vZN2xRLC2b1GG5iBckjeI+N2dB9eC2KRnScU3Gbmtw75BBYfm/y4Hu72zEjEZ0ZGv6gjSZRv/1o87ODAwQaxN8/dQD+5U/5xu12XM39bCJZx2GWTbf5L
+testzone.nlnetlabs.nl. 3600 IN RRSIG DNSKEY 8 3 3600 20180313101254 20180213101254 2926 testzone.nlnetlabs.nl. gSLZb/dSKutRlAKSo8ZCC1R+SkvABMYBRQsms77WPfYCDbt5GbXeuGqwGdadjEN8gGSU+qrYNxBZRhlYY6d2vtl+DGh67qwteHSwOCw0VvU64eVh38maJA1U673U4JtlBALzBOA/UHmXPlCgPPoW3BG0U3T2Qir/mqOmegmpBcw=
+SECTION AUTHORITY
+testzone.nlnetlabs.nl. 3600 IN NS ns.nlnetlabs.nl.
+testzone.nlnetlabs.nl. 3600 IN RRSIG NS 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. Ox0iKc+z3i1qR1wMr8TBPYzuYO5UTaLrBsDagJAd25fvCkGN+h3HPmWlCIW0cBHsS+IaHXr1JhWutjSCc4UBcY+sT7Y7Fw3V1qdZW2KzbSgWUyPkTXoYcIIVLacSUTXEyltW6jj61WEI/RaUGUCJortvwH5iv1Hzee343isxObI=
+SECTION ADDITIONAL
+ENTRY_END
+
+; response for antelope.testzone.nlnetlabs.nl.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NXDOMAIN
+SECTION QUESTION
+antelope.testzone.nlnetlabs.nl. IN TXT
+SECTION ANSWER
+SECTION AUTHORITY
+testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY
+testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. gTKn6U1nal9oA79IRxLa/7zexl6A0yJZzeEGBbZ5rh5feyAr2X4LTR9bPCgcHeMVggf4FP+kD1L/sxzj/YLwB1ZKGKlwnzsHtPFTlmvDClaqQ76DRZq5Vejr2ZfnclBUb2vtxaXywTRW8oueaaq9flcShEQ/cQ+KRU8sc344qd0=
+alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC
+alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. QAgQ0AsMoYG02+VPfoOctSPlTHdQOkQt5fFkSkzIbVhUzNOqa+dB/Qkc81AwFeJosA+PvYjt6utcVkIWmK2Djy9eXC49gILtVF79vUe4G7ZrybO5NXjqNa5ANoUGM+yew4wkjeNOMVAsvs+1kvFY7S8RAa/0AIYlZHQ8vNBPNaI=
+testzone.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
+testzone.nlnetlabs.nl. 3600 IN RRSIG SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0=
+SECTION ADDITIONAL
+ENTRY_END
+
+RANGE_END
+
+; ant.testzone.nlnetlabs.nl nameserver
+RANGE_BEGIN 0 100
+ ADDRESS 185.49.140.61
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ant.testzone.nlnetlabs.nl. IN TXT
+SECTION ANSWER
+ant.testzone.nlnetlabs.nl. 10 IN TXT "domain under NTA"
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+antelope.testzone.nlnetlabs.nl. IN TXT
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO AD NXDOMAIN
+SECTION QUESTION
+antelope.testzone.nlnetlabs.nl. IN TXT
+SECTION ANSWER
+SECTION AUTHORITY
+testzone.nlnetlabs.nl. 3600 IN NSEC alligator.testzone.nlnetlabs.nl. NS SOA RRSIG NSEC DNSKEY
+testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. gTKn6U1nal9oA79IRxLa/7zexl6A0yJZzeEGBbZ5rh5feyAr2X4LTR9bPCgcHeMVggf4FP+kD1L/sxzj/YLwB1ZKGKlwnzsHtPFTlmvDClaqQ76DRZq5Vejr2ZfnclBUb2vtxaXywTRW8oueaaq9flcShEQ/cQ+KRU8sc344qd0=
+alligator.testzone.nlnetlabs.nl. 3600 IN NSEC cheetah.testzone.nlnetlabs.nl. TXT RRSIG NSEC
+alligator.testzone.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 4 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. QAgQ0AsMoYG02+VPfoOctSPlTHdQOkQt5fFkSkzIbVhUzNOqa+dB/Qkc81AwFeJosA+PvYjt6utcVkIWmK2Djy9eXC49gILtVF79vUe4G7ZrybO5NXjqNa5ANoUGM+yew4wkjeNOMVAsvs+1kvFY7S8RAa/0AIYlZHQ8vNBPNaI=
+testzone.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
+testzone.nlnetlabs.nl. 3600 IN RRSIG SOA 8 3 3600 20180313102201 20180213102201 44940 testzone.nlnetlabs.nl. GhmXNFQktZIgaBpGKwj9Q2mfq5+jcbRPK+PPgtRVicUPZga/d/iGEL8PV/8DzGwkaZbM14pamSUMgdJibW4zNhLz/ukjPilbjoj6giH1jtbdZLAQ6iK9pZ/4jKUEq4txviTczZNnDeolgPEEl4xo4NclQmi7zj1XBlQRbjvG0/0=
+SECTION ADDITIONAL
+ENTRY_END
+
+; query for ant.testzone.nlnetlabs.nl, which is below an NTA
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+ant.testzone.nlnetlabs.nl. IN TXT
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO NOERROR
+SECTION QUESTION
+ant.testzone.nlnetlabs.nl. IN TXT
+SECTION ANSWER
+ant.testzone.nlnetlabs.nl. 10 IN TXT "domain under NTA"
+ENTRY_END
+
+SCENARIO_END

View File

@ -21,7 +21,7 @@
Summary: Validating, recursive, and caching DNS(SEC) resolver Summary: Validating, recursive, and caching DNS(SEC) resolver
Name: unbound Name: unbound
Version: 1.7.0 Version: 1.7.0
Release: 1%{?extra_version:.%{extra_version}}%{?dist} Release: 2%{?extra_version:.%{extra_version}}%{?dist}
License: BSD License: BSD
Url: https://www.unbound.net/ Url: https://www.unbound.net/
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@ -42,6 +42,8 @@ Source15: unbound-anchor.timer
Source16: unbound-munin.README Source16: unbound-munin.README
Source17: unbound-anchor.service Source17: unbound-anchor.service
Patch1: unbound-1.7.0-aggrnsec.patch
Group: System Environment/Daemons Group: System Environment/Daemons
BuildRequires: flex, openssl-devel BuildRequires: flex, openssl-devel
BuildRequires: libevent-devel expat-devel BuildRequires: libevent-devel expat-devel
@ -139,8 +141,10 @@ Python 3 modules and extensions for unbound
%if 0%{with_python} %if 0%{with_python}
mv %{pkgname} %{pkgname}_python2 mv %{pkgname} %{pkgname}_python2
pushd %{pkgname}_python2 pushd %{pkgname}_python2
%patch1 -p1
%else %else
pushd %{pkgname} pushd %{pkgname}
%patch1 -p1
%endif # with_python %endif # with_python
# only for snapshots # only for snapshots
@ -435,6 +439,9 @@ popd
%attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
%changelog %changelog
* Wed Mar 21 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-2
- Patch for broken Aggressive NSEC + stub-zone configuration causing NXDOMAIN at TTL expiry
* Thu Mar 15 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-1 * Thu Mar 15 2018 Paul Wouters <pwouters@redhat.com> - 1.7.0-1
- Updated to 1.7.0 (aggressive nsec, local root support, bugfixes) - Updated to 1.7.0 (aggressive nsec, local root support, bugfixes)