diff --git a/bin/tests/system/qmin/clean.sh b/bin/tests/system/qmin/clean.sh
index 52c38e68ba..c6ecf76276 100644
--- a/bin/tests/system/qmin/clean.sh
+++ b/bin/tests/system/qmin/clean.sh
@@ -11,10 +11,11 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-rm -f ns*/named.conf
 rm -f */named.memstats
 rm -f */named.run */named.run.prev
-rm -f dig.out.*
-rm -f ns*/named.lock
 rm -f ans*/query.log*
+rm -f dig.out.*
+rm -f named.run.*
+rm -f ns*/named.conf
+rm -f ns*/named.lock
 rm -f query*.log
diff --git a/bin/tests/system/qmin/ns1/root.db b/bin/tests/system/qmin/ns1/root.db
index 325f607ee6..3854fc83c3 100644
--- a/bin/tests/system/qmin/ns1/root.db
+++ b/bin/tests/system/qmin/ns1/root.db
@@ -39,3 +39,6 @@ ns2.fwd. A 10.53.0.2
 $TTL 2
 stale. NS ns2.stale.
 ns2.stale. A 10.53.0.2
+
+in-addr.arpa. NS ns5.in-addr.arpa.
+ns5.in-addr.arpa. A 10.53.0.5
diff --git a/bin/tests/system/qmin/ns5/in-addr.arpa.db b/bin/tests/system/qmin/ns5/in-addr.arpa.db
new file mode 100644
index 0000000000..1866d069b3
--- /dev/null
+++ b/bin/tests/system/qmin/ns5/in-addr.arpa.db
@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+@ IN SOA wpk.isc.org. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 2 ; minimum
+ )
+@ NS ns5
+ns5 A 10.53.0.5
diff --git a/bin/tests/system/qmin/ns5/named.conf.in b/bin/tests/system/qmin/ns5/named.conf.in
index fac3538387..fb3101279a 100644
--- a/bin/tests/system/qmin/ns5/named.conf.in
+++ b/bin/tests/system/qmin/ns5/named.conf.in
@@ -26,6 +26,7 @@ options {
 querylog yes;
 resolver-query-timeout 30000; # 30 seconds
 dnssec-validation no;
+ disable-empty-zone 10.in-addr.arpa;
 };
 
 key rndc_key {
@@ -41,3 +42,8 @@ zone "." {
 type hint;
 file "../../_common/root.hint";
 };
+
+zone "in-addr.arpa" {
+ type primary;
+ file "in-addr.arpa.db";
+};
diff --git a/bin/tests/system/qmin/ns7/named.conf.in b/bin/tests/system/qmin/ns7/named.conf.in
index 917e3e768c..b6bf4c6c6d 100644
--- a/bin/tests/system/qmin/ns7/named.conf.in
+++ b/bin/tests/system/qmin/ns7/named.conf.in
@@ -26,6 +26,7 @@ options {
 querylog yes;
 resolver-query-timeout 30000; # 30 seconds
 dnssec-validation no;
+ disable-empty-zone 10.in-addr.arpa;
 };
 
 key rndc_key {
diff --git a/bin/tests/system/qmin/tests.sh b/bin/tests/system/qmin/tests.sh
index d544e88d5a..f8ded241ed 100755
--- a/bin/tests/system/qmin/tests.sh
+++ b/bin/tests/system/qmin/tests.sh
@@ -533,5 +533,16 @@ for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "test that \"success resolving\" is not logged for NXDOMAIN final answer when qname-minimization is in relaxed mode ($n)"
+ret=0
+nextpart ns7/named.run >/dev/null
+$DIG $DIGOPTS 1.0.53.10.in-addr.arpa ptr @10.53.0.7 >dig.out.test$n || ret=1
+nextpart ns7/named.run >named.run.test$n
+grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
+grep "success resolving" named.run.test$n >/dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 751534d73f..2bcc68efbb 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -383,6 +383,7 @@ struct fetchctx {
 bool minimized;
 unsigned int qmin_labels;
 isc_result_t qmin_warning;
+ bool force_qmin_warning;
 bool ip6arpaskip;
 bool forwarding;
 dns_fixedname_t qminfname;
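Review bot: In the new tests.sh case the only log assertion is the negative one, `grep "success resolving" named.run.test$n >/dev/null && ret=1`, so it passes just as well if ns7 never emits that message for any query or if the message text is later reworded. Nothing visible in this diff checks the opposite direction, that the message is still logged once `force_qmin_warning` has been set by a contradicted intermediate NXDOMAIN. If no earlier case in tests.sh already covers that, a companion positive case would keep this lame-servers signal from being lost unnoticed. A short comment above the case would also help, e.g. `# in-addr.arpa is served by ns5 with no PTR data, so the final answer is a genuine NXDOMAIN`.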
@@ -1859,9 +1860,8 @@ fctx__done_detach(fetchctx_t **fctxp, isc_result_t result, const char *file, if (fctx->qmin_warning != ISC_R_SUCCESS) { isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS, DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO, - "success resolving '%s' " - "after disabling qname minimization due " - "to '%s'", + "success resolving '%s' after disabling " + "qname minimization due to '%s'", fctx->info, isc_result_totext(fctx->qmin_warning)); } @@ -4345,6 +4345,24 @@ resume_qmin(isc_task_t *task, isc_event_t *event) { goto cleanup; } break; + + case ISC_R_SUCCESS: + case DNS_R_DELEGATION: + case DNS_R_NXRRSET: + case DNS_R_NCACHENXRRSET: + case DNS_R_CNAME: + case DNS_R_DNAME: + /* + * We have previously detected a possible error of an + * incorrect NXDOMAIN and now have a response that + * indicates that it was an actual error. + */ + if (fctx->qmin_warning == DNS_R_NCACHENXDOMAIN || + fctx->qmin_warning == DNS_R_NXDOMAIN) + { + fctx->force_qmin_warning = true; + } + FALLTHROUGH; default: /* * When DNS_FETCHOPT_NOFOLLOW is set and a delegation @@ -5688,6 +5706,19 @@ validated(isc_task_t *task, isc_event_t *event) { covers = fctx->type; } + /* + * Don't report qname minimisation NXDOMAIN errors + * when the result is NXDOMAIN except we have already + * confirmed a higher error. + */ + if (!fctx->force_qmin_warning && + message->rcode == dns_rcode_nxdomain && + (fctx->qmin_warning == DNS_R_NXDOMAIN || + fctx->qmin_warning == DNS_R_NCACHENXDOMAIN)) + { + fctx->qmin_warning = ISC_R_SUCCESS; + } + result = dns_db_findnode(fctx->cache, vevent->name, true, &node); if (result != ISC_R_SUCCESS) { 
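Review bot: The comment above the new check in resume_qmin() is hard to follow: "a possible error of an incorrect NXDOMAIN ... indicates that it was an actual error" does not say which response is wrong or why the flag matters. Something like `/* An earlier minimized query got NXDOMAIN, but this non-NXDOMAIN response contradicts it; keep the warning even if the final answer is NXDOMAIN. */` would tie it to the suppression added in validated() and ncache_message(). In the hunks shown `force_qmin_warning` is only ever set to true, and the new struct field carries no comment, so a one-line note on the field saying what it protects would help too. The switch statement opens outside this hunk, so which result value it tests is not visible here.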
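Review bot: The block added in validated() is repeated, comment included, in the ncache_message() hunk at -6831, so the rule for dropping a recorded qname-minimization NXDOMAIN now lives in two places that can drift apart. A small static helper called from both sites keeps that decision in one spot; the name below is only a suggestion, and it assumes `message` in validated() is a `dns_message_t *` as it is in ncache_message(), which this hunk does not show. The comment's "except we have already confirmed a higher error" would read better as "unless an earlier response already contradicted that NXDOMAIN". Both enclosing functions start and end outside their hunks.

```c
/*
 * Drop a qname-minimization NXDOMAIN warning when the final answer is
 * itself NXDOMAIN, unless an earlier response already contradicted it.
 */
static void
fctx_drop_qmin_nxdomain_warning(fetchctx_t *fctx, const dns_message_t *message) {
	if (fctx->force_qmin_warning || message->rcode != dns_rcode_nxdomain) {
		return;
	}
	if (fctx->qmin_warning == DNS_R_NXDOMAIN ||
	    fctx->qmin_warning == DNS_R_NCACHENXDOMAIN)
	{
		fctx->qmin_warning = ISC_R_SUCCESS;
	}
}

/* … unchanged: validated() up to the covers assignment … */
	fctx_drop_qmin_nxdomain_warning(fctx, message);
/* … unchanged: dns_db_findnode() call and the rest of validated() … */
```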
@@ -6831,6 +6862,18 @@ ncache_message(fetchctx_t *fctx, dns_message_t *message,
 goto unlock;
 }
 
+ /*
+ * Don't report qname minimisation NXDOMAIN errors
+ * when the result is NXDOMAIN except we have already
+ * confirmed a higher error.
+ */
+ if (!fctx->force_qmin_warning && message->rcode == dns_rcode_nxdomain &&
+ (fctx->qmin_warning == DNS_R_NXDOMAIN ||
+ fctx->qmin_warning == DNS_R_NCACHENXDOMAIN))
+ {
+ fctx->qmin_warning = ISC_R_SUCCESS;
+ }
+
 /*
 * If we are asking for a SOA record set the cache time
 * to zero to facilitate locating the containing zone of