qname-minimization: Some post-review style/minor fixes

2026-05-28 04:34:54 -04:00 · 2018-05-29 10:22:34 +02:00 · 2018-05-29 10:22:34 +02:00 · 265052df49
commit 265052df49
parent 9cef87d835
9 changed files with 57 additions and 36 deletions
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -183,9 +183,9 @@ options {\n\
 	notify-source-v6 *;\n\
 	nsec3-test-zone no;\n\
 	provide-ixfr true;\n\
+	qname-minimization relaxed;\n\
 	query-source address *;\n\
 	query-source-v6 address *;\n\
-	qname-minimization relaxed;\n\
 	recursion true;\n\
 	request-expire true;\n\
 	request-ixfr true;\n\
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -3690,6 +3690,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	isc_dscp_t dscp4 = -1, dscp6 = -1;
 	dns_dyndbctx_t *dctx = NULL;
 	unsigned int resolver_param;
+	const char * qminmode = NULL;

 	REQUIRE(DNS_VIEW_VALID(view));

@ -4642,7 +4643,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
 	obj = NULL;
 	result = named_config_get(maps, "qname-minimization", &obj);
 	INSIST(result == ISC_R_SUCCESS);
-	const char * qminmode = cfg_obj_asstring(obj);
+	qminmode = cfg_obj_asstring(obj);
 	INSIST(qminmode != NULL);
 	if (!strcmp(qminmode, "strict")) {
 		view->qminimization = ISC_TRUE;
--- a/bin/tests/system/conf.sh.win32
+++ b/bin/tests/system/conf.sh.win32
@ -91,8 +91,8 @@ SEQUENTIALDIRS="acl additional addzone autosign builtin \
 	 fetchlimit filter-aaaa formerr forward geoip glue idna inline ixfr \
 	 keepalive @KEYMGR@ legacy limits logfileconfig masterfile \
 	 masterformat metadata mkeys names notify nslookup nsupdate \
-	 nzd2nzf padding pending pipelined @PKCS11_TEST@ qmin
-         reclimit redirect resolver rndc rpz rrchecker rrl \
+	 nzd2nzf padding pending pipelined @PKCS11_TEST@ qmin \
+	 reclimit redirect resolver rndc rpz rrchecker rrl \
 	 rrsetorder rsabigexponent runtime sfcache smartsign sortlist \
 	 spf staticstub statistics statschannel stub tcp tkey tsig \
 	 tsiggss unknown upforwd verify views wildcard xfer xferquota \
--- a/bin/tests/system/qmin/clean.sh
+++ b/bin/tests/system/qmin/clean.sh
@ -15,3 +15,4 @@ rm -f */named.run
 rm -f dig.out.*
 rm -f ns*/named.lock
 rm -f ans*/query.log
+rm -f query*.log
--- a/bin/tests/system/qmin/tests.sh
+++ b/bin/tests/system/qmin/tests.sh
@ -35,6 +35,7 @@ AAAA a.bit.longer.ns.name.good.
 __EOF
 echo "A icky.icky.icky.ptang.zoop.boing.good." | diff ans3/query.log - > /dev/null || ret=1
 echo "A icky.icky.icky.ptang.zoop.boing.good." | diff ans4/query.log - > /dev/null || ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

@ -55,6 +56,7 @@ AAAA a.bit.longer.ns.name.bad.
 __EOF
 echo "A icky.icky.icky.ptang.zoop.boing.bad." | diff ans3/query.log - > /dev/null || ret=1
 echo "A icky.icky.icky.ptang.zoop.boing.bad." | diff ans4/query.log - > /dev/null || ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

@ -76,6 +78,7 @@ AAAA a.bit.longer.ns.name.slow.
 __EOF
 echo "A icky.icky.icky.ptang.zoop.boing.slow." | diff ans3/query.log - > /dev/null || ret=1
 echo "A icky.icky.icky.ptang.zoop.boing.slow." | diff ans4/query.log - > /dev/null || ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

@ -115,6 +118,7 @@ cat << __EOF | diff ans4/query.log - > /dev/null || ret=1
 NS icky.icky.ptang.zoop.boing.good.
 A icky.icky.icky.ptang.zoop.boing.good.
 __EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

@ -126,6 +130,7 @@ $RNDCCMD 10.53.0.6 flush
 $DIG $DIGOPTS icky.icky.icky.ptang.zoop.boing.bad. @10.53.0.6 > dig.out.test$n
 grep "status: NXDOMAIN" dig.out.test$n > /dev/null || ret=1
 echo "NS boing.bad." | diff ans2/query.log - > /dev/null || ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

@ -149,6 +154,7 @@ AAAA a.bit.longer.ns.name.bad.
 __EOF
 echo "A icky.icky.icky.ptang.zoop.boing.bad." | diff ans3/query.log - > /dev/null || ret=1
 echo "A icky.icky.icky.ptang.zoop.boing.bad." | diff ans4/query.log - > /dev/null || ret=1
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

@ -183,6 +189,7 @@ cat << __EOF | diff ans4/query.log - > /dev/null || ret=1
 NS icky.icky.ptang.zoop.boing.slow.
 A icky.icky.icky.ptang.zoop.boing.slow.
 __EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

@ -202,6 +209,7 @@ NS 0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.
 NS 0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.
 PTR 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.f.4.0.1.0.0.2.ip6.arpa.
 __EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

@ -254,6 +262,7 @@ cat << __EOF | diff ans4/query.log - > /dev/null || ret=1
 NS icky.icky.ptang.zoop.boing.good.
 A more.icky.icky.icky.ptang.zoop.boing.good.
 __EOF
+for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null || true; done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

--- a/bin/tests/system/resolver/ans2/ans.pl
+++ b/bin/tests/system/resolver/ans2/ans.pl
@ -118,7 +118,7 @@ for (;;) {
 		# expected to be accepted regardless of the filter setting.
 		$packet->push("authority", new Net::DNS::RR("sub.example.org 300 NS ns.sub.example.org"));
 		$packet->push("additional", new Net::DNS::RR("ns.sub.example.org 300 A 10.53.0.3"));
-	} elsif ($qname =~ /broken/) {
+	} elsif ($qname =~ /\.broken/ || $qname =~ /^broken/) {
 		# Delegation to broken TLD.
 		$packet->push("authority", new Net::DNS::RR("broken 300 NS ns.broken"));
 		$packet->push("additional", new Net::DNS::RR("ns.broken 300 A 10.53.0.4"));
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -99,6 +99,15 @@
 	  signatures covering DNSKEY RRsets. [GL #145]
 	</para>
      </listitem>
+      <listitem>
+	<para>
+	  Support for qname minimization was added and enabled by default in
+	  <command>relaxed</command> mode - in which BIND will fall back to
+	  normal resolution should the remote server return something
+	  unexpected during query minimization process. This default setting
+	  might change to <command>strict</command> in the future.
+	</para>
+      </listitem>
    </itemizedlist>
  </section>

--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@ -88,33 +88,33 @@ typedef enum {
 /*
 * Options that modify how a 'fetch' is done.
 */
-#define DNS_FETCHOPT_TCP		0x0001	     /*%< Use TCP. */
-#define DNS_FETCHOPT_UNSHARED		0x0002	     /*%< See below. */
-#define DNS_FETCHOPT_RECURSIVE		0x0004	     /*%< Set RD? */
-#define DNS_FETCHOPT_NOEDNS0		0x0008	     /*%< Do not use EDNS. */
-#define DNS_FETCHOPT_FORWARDONLY	0x0010	     /*%< Only use forwarders. */
-#define DNS_FETCHOPT_NOVALIDATE		0x0020	     /*%< Disable validation. */
-#define DNS_FETCHOPT_EDNS512		0x0040	     /*%< Advertise a 512 byte
-							  UDP buffer. */
-#define DNS_FETCHOPT_WANTNSID		0x0080	     /*%< Request NSID */
-#define DNS_FETCHOPT_PREFETCH		0x0100	     /*%< Do prefetch */
-#define DNS_FETCHOPT_NOCDFLAG		0x0200	     /*%< Don't set CD flag. */
-#define DNS_FETCHOPT_NONTA		0x0400	     /*%< Ignore NTA table. */
-/* RESERVED ECS				0x0000 */
-/* RESERVED ECS				0x1000 */
-/* RESERVED ECS				0x2000 */
-/* RESERVED TCPCLIENT			0x4000 */
-#define DNS_FETCHOPT_NOCACHED		0x8000	     /*%< Force cache update. */
-#define DNS_FETCHOPT_QMINIMIZE		0x00010000   /*%< Use qname
-							  minimization. */
-#define DNS_FETCHOPT_QMIN_STRICT	0x00020000   /*%< Do not work around
-							  servers that return
-							  errors on non-empty
-							  terminals. */
-#define DNS_FETCHOPT_QMIN_SKIP_IP6A	0x00040000   /*%< Skip some labels
-							  when doing qname
-							  minimization on
-							  ip6.arpa. */
+#define DNS_FETCHOPT_TCP		0x00000001 /*%< Use TCP. */
+#define DNS_FETCHOPT_UNSHARED		0x00000002 /*%< See below. */
+#define DNS_FETCHOPT_RECURSIVE		0x00000004 /*%< Set RD? */
+#define DNS_FETCHOPT_NOEDNS0		0x00000008 /*%< Do not use EDNS. */
+#define DNS_FETCHOPT_FORWARDONLY	0x00000010 /*%< Only use forwarders. */
+#define DNS_FETCHOPT_NOVALIDATE		0x00000020 /*%< Disable validation. */
+#define DNS_FETCHOPT_EDNS512		0x00000040 /*%< Advertise a 512 byte
+							UDP buffer. */
+#define DNS_FETCHOPT_WANTNSID		0x00000080 /*%< Request NSID */
+#define DNS_FETCHOPT_PREFETCH		0x00000100 /*%< Do prefetch */
+#define DNS_FETCHOPT_NOCDFLAG		0x00000200 /*%< Don't set CD flag. */
+#define DNS_FETCHOPT_NONTA		0x00000400 /*%< Ignore NTA table. */
+/* RESERVED ECS				0x00000000 */
+/* RESERVED ECS				0x00001000 */
+/* RESERVED ECS				0x00002000 */
+/* RESERVED TCPCLIENT			0x00004000 */
+#define DNS_FETCHOPT_NOCACHED		0x00008000 /*%< Force cache update. */
+#define DNS_FETCHOPT_QMINIMIZE		0x00010000 /*%< Use qname
+							minimization. */
+#define DNS_FETCHOPT_QMIN_STRICT	0x00020000 /*%< Do not work around
+							servers that return
+							errors on non-empty
+							terminals. */
+#define DNS_FETCHOPT_QMIN_SKIP_IP6A	0x00040000 /*%< Skip some labels
+							when doing qname
+							minimization on
+							ip6.arpa. */

 /* Reserved in use by adb.c		0x00400000 */
 #define	DNS_FETCHOPT_EDNSVERSIONSET	0x00800000
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -3120,8 +3120,9 @@ mark_bad(fetchctx_t *fctx) {
 	isc_boolean_t all_bad = ISC_TRUE;

 #ifdef ENABLE_AFL
-	if (dns_fuzzing_resolver)
-		return ISC_FALSE;
+	if (dns_fuzzing_resolver) {
+		return (ISC_FALSE);
+	}
 #endif

 	/*
@ -8544,7 +8545,7 @@ rctx_answer_none(respctx_t *rctx) {
 	 * the next label to query and restart it.
 	 */
 	if (fctx->minimized && fctx->rmessage->rcode == dns_rcode_noerror) {
-		return rctx_answer_minimized(rctx);
+		return (rctx_answer_minimized(rctx));
 	}
 	/*
 	 * Workaround for broken servers in relaxed mode - if we hit an
@ -8552,7 +8553,7 @@ rctx_answer_none(respctx_t *rctx) {
 	 */
 	if (fctx->minimized && !(fctx->options & DNS_FETCHOPT_QMIN_STRICT)) {
 		fctx->qmin_labels = DNS_MAX_LABELS + 1;
-		return rctx_answer_minimized(rctx);
+		return (rctx_answer_minimized(rctx));
 	}
 	/*
 	 * Since we're not doing a referral, we don't want to cache any