upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: usr: Remove deterministic selection of nameserver

Browse source 
When selecting nameserver addresses to be looked up we where
always selecting them in dnssec name order from the start of
the nameserver rrset.  This could lead to resolution failure
despite there being address that could be resolved for the
other names.  Use a random starting point when selecting which
names to lookup.

Closes #5695
 
Closes #5745

Merge branch '5695-add-random-server-selection' into 'main'

See merge request isc-projects/bind9!11395
This commit is contained in:
Ondřej Surý 2026-02-25 10:05:55 +01:00
commit 55e9b72e3c
21 changed files with 665 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
bin/tests/system/randomizens/README Normal file
View file

@ -0,0 +1,21 @@
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
ns1 is root
ns{2-4} are auth server on example. but lame
ns5 is an auth server on example. and works
ns6 is a resolver
Because `getaddresses_allowed()` logic won't allow to query more than 3 NS at
the top-level, only ns{2-4} will be tried without randomization, and example.
couldn't be resolved. However, with randomization, some queries won't start
picking example. NS from ns2, but ns3, ns4 or ns5. This enable to resolver
example.

29
bin/tests/system/randomizens/ns1/named.conf.j2 Normal file
View file

@ -0,0 +1,29 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
zone "." {
type primary;
file "root.db";
};

40
bin/tests/system/randomizens/ns1/root.db Normal file
View file

@ -0,0 +1,40 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
example. NS ns2.1st.
example. NS ns3.1st.
example. NS ns4.1st.
example. NS ns5.xxx.
1st. NS ns2.2nd.
1st. NS ns3.2nd.
1st. NS ns5.xxx.
2nd. NS ns2.3rd.
2nd. NS ns5.xxx.
3rd. NS ns2.1st.
3rd. NS ns5.xxx.
xxx. NS ns2.1st.
xxx. NS ns2.xxx.
ns2.xxx. A 10.53.0.2

25
bin/tests/system/randomizens/ns2/1st.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
1st. NS ns2.2nd.
1st. NS ns3.2nd.
1st. NS ns5.xxx.
ns2.1st. A 10.53.0.2
ns3.1st. A 10.53.0.3
ns4.1st. A 10.53.0.4

23
bin/tests/system/randomizens/ns2/2nd.db Normal file
View file

@ -0,0 +1,23 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
2nd. NS ns2.3rd.
2nd. NS ns5.xxx.
ns2.2nd. A 10.53.0.2
ns3.2nd. A 10.53.0.3

25
bin/tests/system/randomizens/ns2/example.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
example. NS ns2.1st.
example. NS ns3.1st.
example. NS ns4.1st.
example. NS ns5.xxx.
foo.example. A 10.53.0.10

53
bin/tests/system/randomizens/ns2/named.conf.j2 Normal file
View file

@ -0,0 +1,53 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "example" {
type primary;
file "example.db";
};
zone "1st" {
type primary;
file "1st.db";
};
zone "2nd" {
type primary;
file "2nd.db";
};
zone "xxx" {
type primary;
file "xxx.db";
};

23
bin/tests/system/randomizens/ns2/xxx.db Normal file
View file

@ -0,0 +1,23 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
xxx. NS ns2.xxx.
xxx. NS ns2.1st.
ns2.xxx. A 10.53.0.2
ns5.xxx. A 10.53.0.5

25
bin/tests/system/randomizens/ns3/1st.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
1st. NS ns2.2nd.
1st. NS ns3.2nd.
1st. NS ns5.xxx.
ns2.1st. A 10.53.0.2
ns3.1st. A 10.53.0.3
ns4.1st. A 10.53.0.4

25
bin/tests/system/randomizens/ns3/example.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
example. NS ns2.1st.
example. NS ns3.1st.
example. NS ns4.1st.
example. NS ns5.xxx.
foo.example. A 10.53.0.10

43
bin/tests/system/randomizens/ns3/named.conf.j2 Normal file
View file

@ -0,0 +1,43 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "1st" {
type primary;
file "1st.db";
};
zone "example" {
type primary;
file "example.db";
};

25
bin/tests/system/randomizens/ns4/example.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
example. NS ns2.1st.
example. NS ns3.1st.
example. NS ns4.1st.
example. NS ns5.xxx.
foo.example. A 10.53.0.10

38
bin/tests/system/randomizens/ns4/named.conf.j2 Normal file
View file

@ -0,0 +1,38 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "example" {
type primary;
file "example.db";
};

25
bin/tests/system/randomizens/ns5/1st.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
1st. NS ns2.2nd.
1st. NS ns3.2nd.
1st. NS ns5.xxx.
ns2.1st. A 10.53.0.2
ns3.1st. A 10.53.0.3
ns4.1st. A 10.53.0.4

23
bin/tests/system/randomizens/ns5/2nd.db Normal file
View file

@ -0,0 +1,23 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
2nd. NS ns2.3rd.
2nd. NS ns5.xxx.
ns2.2nd. A 10.53.0.2
ns3.2nd. A 10.53.0.3

22
bin/tests/system/randomizens/ns5/3rd.db Normal file
View file

@ -0,0 +1,22 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
3rd. NS ns5.xxx.
3rd. NS ns2.1st.
ns2.3rd. A 10.53.0.2

25
bin/tests/system/randomizens/ns5/example.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
example. NS ns2.1st.
example. NS ns3.1st.
example. NS ns4.1st.
example. NS ns5.xxx.
foo.example. A 10.53.0.10

53
bin/tests/system/randomizens/ns5/named.conf.j2 Normal file
View file

@ -0,0 +1,53 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.5;
notify-source 10.53.0.5;
transfer-source 10.53.0.5;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "1st" {
type primary;
file "1st.db";
};
zone "2nd" {
type primary;
file "2nd.db";
};
zone "3rd" {
type primary;
file "3rd.db";
};
zone "example" {
type primary;
file "example.db";
};

39
bin/tests/system/randomizens/ns6/named.conf.j2 Normal file
View file

@ -0,0 +1,39 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.6;
notify-source 10.53.0.6;
transfer-source 10.53.0.6;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.6; };
listen-on-v6 { none; };
recursion yes;
dnssec-validation no;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../_common/root.hint";
};

32
bin/tests/system/randomizens/tests_randomizens.py Normal file
View file

@ -0,0 +1,32 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import dns.rcode
import isctest
def attempt_query(ns):
ns.rndc("flush")
msg = isctest.query.create("foo.example.", "A")
res = isctest.query.udp(msg, ns.ip)
if msg.rcode() == dns.rcode.NOERROR:
return len(res.answer) == 1
return False
def test_randomizens(ns6):
resolved = False
for _ in range(1, 25):
if attempt_query(ns6):
resolved = True
break
assert resolved

86
lib/dns/resolver.c
View file

@ -3673,49 +3673,65 @@ fctx_getaddresses_nameservers(fetchctx_t *fctx, isc_stdtime_t now,
dns_rdata_ns_t ns;
bool have_address = false;
unsigned int ns_processed = 0;
size_t nscount = dns_rdataset_count(&fctx->nameservers);
size_t maxstartns = nscount > NS_PROCESSING_LIMIT ? NS_PROCESSING_LIMIT
: nscount;
size_t startns = isc_random_uniform(maxstartns);
DNS_RDATASET_FOREACH(&fctx->nameservers) {
isc_result_t result = ISC_R_SUCCESS;
dns_rdata_t rdata = DNS_RDATA_INIT;
bool overquota = false;
unsigned int static_stub = 0;
unsigned int no_fetch = 0;
for (size_t pass = 0; pass < 2; pass++) {
size_t curns = 0;
dns_rdataset_current(&fctx->nameservers, &rdata);
/*
* Extract the name from the NS record.
*/
result = dns_rdata_tostruct(&rdata, &ns, NULL);
if (result != ISC_R_SUCCESS) {
continue;
}
DNS_RDATASET_FOREACH(&fctx->nameservers) {
isc_result_t result = ISC_R_SUCCESS;
dns_rdata_t rdata = DNS_RDATA_INIT;
bool overquota = false;
unsigned int static_stub = 0;
unsigned int no_fetch = 0;
if (STATICSTUB(&fctx->nameservers) &&
dns_name_equal(&ns.name, fctx->domain))
{
static_stub = DNS_ADBFIND_STATICSTUB;
}
if (pass == 0 && curns++ < startns) {
continue;
}
if (pass == 1 && curns++ >= startns) {
break;
}
/*
* Make sure we only launch a limited number of
* outgoing fetches.
*/
if (fctx->pending_running >= fetches_allowed) {
no_fetch = DNS_ADBFIND_NOFETCH;
}
dns_rdataset_current(&fctx->nameservers, &rdata);
/*
* Extract the name from the NS record.
*/
result = dns_rdata_tostruct(&rdata, &ns, NULL);
if (result != ISC_R_SUCCESS) {
continue;
}
findname(fctx, &ns.name, 0, stdoptions | static_stub | no_fetch,
0, now, &overquota, need_alternatep, &have_address);
if (STATICSTUB(&fctx->nameservers) &&
dns_name_equal(&ns.name, fctx->domain))
{
static_stub = DNS_ADBFIND_STATICSTUB;
}
if (!overquota) {
*all_spilledp = false;
}
/*
* Make sure we only launch a limited number of
* outgoing fetches.
*/
if (fctx->pending_running >= fetches_allowed) {
no_fetch = DNS_ADBFIND_NOFETCH;
}
dns_rdata_reset(&rdata);
dns_rdata_freestruct(&ns);
findname(fctx, &ns.name, 0,
stdoptions | static_stub | no_fetch, 0, now,
&overquota, need_alternatep, &have_address);
if (++ns_processed >= NS_PROCESSING_LIMIT) {
break;
if (!overquota) {
*all_spilledp = false;
}
dns_rdata_reset(&rdata);
dns_rdata_freestruct(&ns);
if (++ns_processed >= NS_PROCESSING_LIMIT) {
break;
}
}
}