From e196ba61682694c107d0a6cadf6255da550a69a2 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 23 Oct 2023 13:52:12 +0200
Subject: [PATCH 1/3] Test case for issue #4355
Add a test case where serve-stale is enabled on a server that also servers a local authoritative zone. The particular case tests a lame delegation and checks if falling back to serving stale data does not attempt to retrieve the query by recursing from the root down.
---
 bin/tests/system/serve-stale/ns1/root.db | 2 +
 .../system/serve-stale/ns3/named.conf.in | 51 +++++++++++++++++++
 .../system/serve-stale/ns3/serve.stale.db | 18 +++++++
 .../system/serve-stale/ns6/named.conf.in | 44 ++++++++++++++++
 .../system/serve-stale/ns6/serve.stale.db | 16 ++++++
 bin/tests/system/serve-stale/ns6/stale.db | 17 +++++++
 bin/tests/system/serve-stale/setup.sh | 3 +-
 bin/tests/system/serve-stale/tests.sh | 34 +++++++++++++
 8 files changed, 184 insertions(+), 1 deletion(-)
 create mode 100644 bin/tests/system/serve-stale/ns3/named.conf.in
 create mode 100644 bin/tests/system/serve-stale/ns3/serve.stale.db
 create mode 100644 bin/tests/system/serve-stale/ns6/named.conf.in
 create mode 100644 bin/tests/system/serve-stale/ns6/serve.stale.db
 create mode 100644 bin/tests/system/serve-stale/ns6/stale.db
diff --git a/bin/tests/system/serve-stale/ns1/root.db b/bin/tests/system/serve-stale/ns1/root.db
index aef8e31c7a..e36f2b0562 100644
--- a/bin/tests/system/serve-stale/ns1/root.db
+++ b/bin/tests/system/serve-stale/ns1/root.db
@@ -16,3 +16,5 @@ example. 300 NS ns.example.
 ns.example. 300 A 10.53.0.2
 slow. 300 NS ns.slow.
 ns.slow. 300 A 10.53.0.2
+stale. 300 NS ns.stale.
+ns.stale. 300 A 10.53.0.6
diff --git a/bin/tests/system/serve-stale/ns3/named.conf.in b/bin/tests/system/serve-stale/ns3/named.conf.in
new file mode 100644
index 0000000000..d5f475126d
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/named.conf.in
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion yes;
+ dnssec-validation no;
+ qname-minimization off;
+
+ stale-answer-enable yes;
+ stale-cache-enable yes;
+ stale-refresh-time 30;
+ stale-answer-client-timeout 1800;
+ max-cache-ttl 24h;
+};
+
+zone "." {
+ type hint;
+ file "root.db";
+};
+
+zone "serve.stale" IN {
+ type primary;
+ notify no;
+ file "serve.stale.db";
+};
diff --git a/bin/tests/system/serve-stale/ns3/serve.stale.db b/bin/tests/system/serve-stale/ns3/serve.stale.db
new file mode 100644
index 0000000000..704f451012
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns3/serve.stale.db
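Review bot: Nothing in this file records why ns3 now needs a second configuration next to the existing ns3/named1.conf.in (setup.sh stops installing that one, and tests.sh swaps it back in later in this same patch), so a maintainer reading it cold cannot tell which options matter for the #4355 scenario. A short comment above the `zone "serve.stale"` block would carry that, e.g. `// Local authoritative zone; serve.stale.db delegates "test" to name servers under example.nxd. (a lame delegation), so the serve-stale fallback must consult this zone rather than recurse from the root (GL #4355).` The serve-stale options (`stale-answer-enable`, `stale-refresh-time 30`, `stale-answer-client-timeout 1800`) presumably mirror named1.conf.in, which is outside this patch; if the two files are meant to stay in sync, say so in the same comment.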
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+serve.stale. IN SOA ns.serve.stale. matthijs.isc.org. 1 0 0 0 0
+serve.stale. IN NS ns.serve.stale.
+ns.serve.stale. IN A 10.53.0.6
+
+$ORIGIN serve.stale.
+test IN NS nss1.example.nxd.
+test IN NS nss2.example.nxd.
diff --git a/bin/tests/system/serve-stale/ns6/named.conf.in b/bin/tests/system/serve-stale/ns6/named.conf.in
new file mode 100644
index 0000000000..15f5dd6c73
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns6/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+zone "stale" IN {
+ type primary;
+ notify no;
+ file "stale.db";
+};
+
+zone "serve.stale" IN {
+ type primary;
+ notify no;
+ file "serve.stale.db";
+};
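Review bot: ns3/serve.stale.db has no `$TTL` directive and its SOA minimum field is 0, so every record gets an implicit TTL — most likely 0, taken from the SOA minimum, with named logging a "no TTL specified" warning at zone load; the same holds for ns6/serve.stale.db and ns6/stale.db in the following hunks, which are built the same way. For data served authoritatively this does not alter what the test asserts, but a zero TTL on the `ns.serve.stale.` glue and the `test` NS delegation is an odd fixture in a serve-stale test, where TTLs decide what can ever become stale. Adding `$TTL 300` after the license header, matching the 300-second TTLs already used in ns1/root.db, makes the intent explicit and keeps the three new zone files consistent.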
diff --git a/bin/tests/system/serve-stale/ns6/serve.stale.db b/bin/tests/system/serve-stale/ns6/serve.stale.db
new file mode 100644
index 0000000000..2b17c68047
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns6/serve.stale.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+serve.stale. IN SOA ns.serve.stale. matthijs.isc.org. 1 0 0 0 0
+serve.stale. IN NS ns.serve.stale.
+ns.serve.stale. IN A 10.53.0.6
+
+test IN TXT "Oops, I did it again"
diff --git a/bin/tests/system/serve-stale/ns6/stale.db b/bin/tests/system/serve-stale/ns6/stale.db
new file mode 100644
index 0000000000..4ae006802b
--- /dev/null
+++ b/bin/tests/system/serve-stale/ns6/stale.db
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+stale. IN SOA ns.stale. matthijs.isc.org. 1 0 0 0 0
+stale. IN NS ns.stale.
+ns.stale. IN A 10.53.0.6
+
+serve.stale. IN NS ns.serve.stale.
+ns.serve.stale. IN A 10.53.0.6
diff --git a/bin/tests/system/serve-stale/setup.sh b/bin/tests/system/serve-stale/setup.sh
index 0a0dc476b5..42e1ac8164 100644
--- a/bin/tests/system/serve-stale/setup.sh
+++ b/bin/tests/system/serve-stale/setup.sh
@@ -16,6 +16,7 @@ $SHELL clean.sh
 copy_setports ns1/named1.conf.in ns1/named.conf
-copy_setports ns3/named1.conf.in ns3/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
diff --git a/bin/tests/system/serve-stale/tests.sh b/bin/tests/system/serve-stale/tests.sh
index a45f85bc85..9d7fb866cc 100755
--- a/bin/tests/system/serve-stale/tests.sh
+++ b/bin/tests/system/serve-stale/tests.sh
@@ -259,6 +259,29 @@ grep "data\.example\..*4.*IN.*TXT.*A text record with a 2 second ttl" dig.out.te
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
+#
+# Test interaction with local zone
+#
+
+n=$((n + 1))
+echo_i "check that serve-stale does not recurse for local authoritative zone ($n)"
+ret=0
+
+num=0
+threshold=10
+while [ $num -lt $threshold ]; do
+
+ echo_i "dig test.serve.stale TXT ($n)"
+ $DIG -p ${PORT} @10.53.0.3 test.serve.stale TXT >dig.out.test$n.$num
+ grep "status: SERVFAIL" dig.out.test$n.$num >/dev/null || ret=1
+ if [ $ret != 0 ]; then num=$threshold; fi
+
+ sleep 1
+ num=$((num + 1))
+done
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+#
+# Test disabling serve-stale via rndc.
+#
@@ -957,6 +980,17 @@ status=$((status + ret))
 #
 echo_i "test server with no serve-stale options set"
+n=$((n + 1))
+echo_i "updating ns3/named.conf ($n)"
+ret=0
+copy_setports ns3/named1.conf.in ns3/named.conf
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+echo_i "restart ns3"
+stop_server --use-rndc --port ${CONTROLPORT} ns3
+start_server --noclean --restart --port ${PORT} ns3
+
 n=$((n + 1))
 echo_i "enable responses from authoritative server ($n)"
 ret=0
From 2322425016298a39d2e48153285aefdfecc9a510 Mon Sep 17 00:00:00 2001
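Review bot: On a failed probe the loop sets `num=$threshold` to stop, but execution still falls through to `sleep 1` before the condition is re-evaluated, so a failing run pays an extra second and the exit is hidden in a sentinel assignment. `if [ $ret != 0 ]; then break; fi` ends the loop at once and says what it means; `threshold` then only bounds the number of probes. The grep asserts only `status: SERVFAIL`, which is sufficient here because, going by the commit description, a regression would presumably answer from ns6's TXT record with NOERROR rather than SERVFAIL.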
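Review bot: The `ret` check after `copy_setports ns3/named1.conf.in ns3/named.conf` can never fire: `ret=0` is set and nothing in between assigns to it, so a failed copy is reported as success and the restart proceeds with whatever ns3/named.conf was already there. Use the pattern the previous hunk already uses, `copy_setports ns3/named1.conf.in ns3/named.conf || ret=1`, and consider the same for the `stop_server`/`start_server` pair, whose results are also ignored. This hunk also switches ns3 back to named1.conf.in for the remaining checks, which is surprising mid-run; a one-line comment such as `# restore ns3's original configuration for the remaining tests` would explain it.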
From: Matthijs Mekking
Date: Mon, 30 Oct 2023 19:33:19 +0100
Subject: [PATCH 2/3] Don't ignore auth zones when in serve-stale mode
When serve-stale is enabled and recursive resolution fails, the fallback to lookup stale data always happens in the cache database. Any authoritative data is ignored, and only information learned through recursive resolution is examined. If there is data in the cache that could lead to an answer, and this can be just the root delegation, the resolver will iterate further, getting closer to the answer that can be found by recursing down the root, and eventually puts the final response in the cache. Change the fallback to serve-stale to use 'query_getdb()', that finds out the best matching database for the given query.
---
 lib/ns/query.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 712bee0871..ff8856127f 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -7653,8 +7653,19 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
 qctx_freedata(qctx);
 if (dns_view_staleanswerenabled(qctx->client->view)) {
- dns_db_attach(qctx->client->view->cachedb, &qctx->db);
- qctx->version = NULL;
+ isc_result_t ret;
+ ret = query_getdb(qctx->client, qctx->client->query.qname,
+ qctx->client->query.qtype, qctx->options,
+ &qctx->zone, &qctx->db, &qctx->version,
+ &qctx->is_zone);
+ if (ret != ISC_R_SUCCESS) {
+ /*
+ * Failed to get the database, unexpected, but let us
+ * at least abandon serve-stale.
+ */
+ return (false);
+ }
+
 qctx->client->query.dboptions |= DNS_DBFIND_STALEOK;
 if (FETCH_RECTYPE_NORMAL(qctx->client) != NULL) {
 dns_resolver_destroyfetch(
From ac19d43a328cc47e19f9843ab9318951d6a3eee2 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 23 Oct 2023 14:38:47 +0200
Subject: [PATCH 3/3] Add release note and CHANGES for #4355
---
 CHANGES | 3 +++
 doc/notes/notes-current.rst | 3 +++
 2 files changed, 6 insertions(+)
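Review bot: The new branch does not say why `query_getdb()` now replaces the direct attach of `view->cachedb`, so the next reader sees only the "unexpected" failure comment and not the rule the fix establishes. A comment before the call would carry it, e.g. `/* Pick the best database for the query: a local authoritative zone must win over the cache, otherwise the stale lookup can end up recursing from the root (GL #4355). */`. Declaring and initialising in one step, `isc_result_t ret = query_getdb(...)`, is tidier than the separate declaration and assignment. The `return (false)` on the failure path leaves before the `dns_resolver_destroyfetch()` call a few lines below, so if a fetch is still outstanding at that point its teardown is left to whatever the caller does with a false result; that is worth confirming, as query_usestale continues past the end of the hunk.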
diff --git a/CHANGES b/CHANGES
index 2ad34ec4bf..1e461b986e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+6277. [bug] Take into account local authoritative zones when
+ falling back to serve-stale. [GL #4355]
+
 6276. [cleanup] Remove both lock-file configuration option and + the -X argument to named. [GL #4391]
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index d3acabc1b4..d90427fdb8 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -70,6 +70,9 @@ Bug Fixes
 DNSSEC records, it was scheduled to be resigning. This unwanted behavior has been fixed. :gl:`#4350`
+- Looking up stale data from the cache did not take into account local
+ authoritative zones. This has been fixed. :gl:`#4355`
+
 Known Issues
 ~~~~~~~~~~~~