upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-09 04:42:06 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

[9.20] fix: usr: Remove deterministic selection of nameserver

Browse source 
When selecting nameserver addresses to be looked up we where
always selecting them in dnssec name order from the start of
the nameserver rrset.  This could lead to resolution failure
despite there being address that could be resolved for the
other names.  Use a random starting point when selecting which
names to lookup.

Closes #5695
 
Closes #5745

Backport of MR !11395

Merge branch 'backport-5695-add-random-server-selection-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11600
This commit is contained in:
Colin Vidal 2026-02-25 11:02:23 +01:00
commit c6c6e490fd
21 changed files with 671 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
bin/tests/system/randomizens/README Normal file
View file

@ -0,0 +1,21 @@
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
SPDX-License-Identifier: MPL-2.0
This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.
See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
ns1 is root
ns{2-4} are auth server on example. but lame
ns5 is an auth server on example. and works
ns6 is a resolver
Because `getaddresses_allowed()` logic won't allow to query more than 3 NS at
the top-level, only ns{2-4} will be tried without randomization, and example.
couldn't be resolved. However, with randomization, some queries won't start
picking example. NS from ns2, but ns3, ns4 or ns5. This enable to resolver
example.

29
bin/tests/system/randomizens/ns1/named.conf.j2 Normal file
View file

@ -0,0 +1,29 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.1;
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
zone "." {
type primary;
file "root.db";
};

40
bin/tests/system/randomizens/ns1/root.db Normal file
View file

@ -0,0 +1,40 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
example. NS ns2.1st.
example. NS ns3.1st.
example. NS ns4.1st.
example. NS ns5.xxx.
1st. NS ns2.2nd.
1st. NS ns3.2nd.
1st. NS ns5.xxx.
2nd. NS ns2.3rd.
2nd. NS ns5.xxx.
3rd. NS ns2.1st.
3rd. NS ns5.xxx.
xxx. NS ns2.1st.
xxx. NS ns2.xxx.
ns2.xxx. A 10.53.0.2

25
bin/tests/system/randomizens/ns2/1st.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
1st. NS ns2.2nd.
1st. NS ns3.2nd.
1st. NS ns5.xxx.
ns2.1st. A 10.53.0.2
ns3.1st. A 10.53.0.3
ns4.1st. A 10.53.0.4

23
bin/tests/system/randomizens/ns2/2nd.db Normal file
View file

@ -0,0 +1,23 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
2nd. NS ns2.3rd.
2nd. NS ns5.xxx.
ns2.2nd. A 10.53.0.2
ns3.2nd. A 10.53.0.3

25
bin/tests/system/randomizens/ns2/example.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
example. NS ns2.1st.
example. NS ns3.1st.
example. NS ns4.1st.
example. NS ns5.xxx.
foo.example. A 10.53.0.10

53
bin/tests/system/randomizens/ns2/named.conf.j2 Normal file
View file

@ -0,0 +1,53 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "example" {
type primary;
file "example.db";
};
zone "1st" {
type primary;
file "1st.db";
};
zone "2nd" {
type primary;
file "2nd.db";
};
zone "xxx" {
type primary;
file "xxx.db";
};

23
bin/tests/system/randomizens/ns2/xxx.db Normal file
View file

@ -0,0 +1,23 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
xxx. NS ns2.xxx.
xxx. NS ns2.1st.
ns2.xxx. A 10.53.0.2
ns5.xxx. A 10.53.0.5

25
bin/tests/system/randomizens/ns3/1st.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
1st. NS ns2.2nd.
1st. NS ns3.2nd.
1st. NS ns5.xxx.
ns2.1st. A 10.53.0.2
ns3.1st. A 10.53.0.3
ns4.1st. A 10.53.0.4

25
bin/tests/system/randomizens/ns3/example.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
example. NS ns2.1st.
example. NS ns3.1st.
example. NS ns4.1st.
example. NS ns5.xxx.
foo.example. A 10.53.0.10

43
bin/tests/system/randomizens/ns3/named.conf.j2 Normal file
View file

@ -0,0 +1,43 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "1st" {
type primary;
file "1st.db";
};
zone "example" {
type primary;
file "example.db";
};

25
bin/tests/system/randomizens/ns4/example.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
example. NS ns2.1st.
example. NS ns3.1st.
example. NS ns4.1st.
example. NS ns5.xxx.
foo.example. A 10.53.0.10

38
bin/tests/system/randomizens/ns4/named.conf.j2 Normal file
View file

@ -0,0 +1,38 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "example" {
type primary;
file "example.db";
};

25
bin/tests/system/randomizens/ns5/1st.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
1st. NS ns2.2nd.
1st. NS ns3.2nd.
1st. NS ns5.xxx.
ns2.1st. A 10.53.0.2
ns3.1st. A 10.53.0.3
ns4.1st. A 10.53.0.4

23
bin/tests/system/randomizens/ns5/2nd.db Normal file
View file

@ -0,0 +1,23 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
2nd. NS ns2.3rd.
2nd. NS ns5.xxx.
ns2.2nd. A 10.53.0.2
ns3.2nd. A 10.53.0.3

22
bin/tests/system/randomizens/ns5/3rd.db Normal file
View file

@ -0,0 +1,22 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
3rd. NS ns5.xxx.
3rd. NS ns2.1st.
ns2.3rd. A 10.53.0.2

25
bin/tests/system/randomizens/ns5/example.db Normal file
View file

@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
example. NS ns2.1st.
example. NS ns3.1st.
example. NS ns4.1st.
example. NS ns5.xxx.
foo.example. A 10.53.0.10

53
bin/tests/system/randomizens/ns5/named.conf.j2 Normal file
View file

@ -0,0 +1,53 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.5;
notify-source 10.53.0.5;
transfer-source 10.53.0.5;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion no;
notify yes;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "1st" {
type primary;
file "1st.db";
};
zone "2nd" {
type primary;
file "2nd.db";
};
zone "3rd" {
type primary;
file "3rd.db";
};
zone "example" {
type primary;
file "example.db";
};

39
bin/tests/system/randomizens/ns6/named.conf.j2 Normal file
View file

@ -0,0 +1,39 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.6;
notify-source 10.53.0.6;
transfer-source 10.53.0.6;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.6; };
listen-on-v6 { none; };
recursion yes;
dnssec-validation no;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../_common/root.hint";
};

32
bin/tests/system/randomizens/tests_randomizens.py Normal file
View file

@ -0,0 +1,32 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
import dns.rcode
import isctest
def attempt_query(ns):
ns.rndc("flush")
msg = isctest.query.create("foo.example.", "A")
res = isctest.query.udp(msg, ns.ip)
if msg.rcode() == dns.rcode.NOERROR:
return len(res.answer) == 1
return False
def test_randomizens(ns6):
resolved = False
for _ in range(1, 25):
if attempt_query(ns6):
resolved = True
break
assert resolved

98
lib/dns/resolver.c
View file

@ -3658,58 +3658,74 @@ normal_nses:
}
for (;;) {
for (result = dns_rdataset_first(&fctx->nameservers);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&fctx->nameservers))
{
dns_rdata_t rdata = DNS_RDATA_INIT;
bool overquota = false;
unsigned int static_stub = 0;
unsigned int no_fetch = 0;
size_t nscount = dns_rdataset_count(&fctx->nameservers);
size_t maxstartns = nscount > NS_PROCESSING_LIMIT
? NS_PROCESSING_LIMIT
: nscount;
size_t startns = isc_random_uniform(maxstartns);
dns_rdataset_current(&fctx->nameservers, &rdata);
/*
* Extract the name from the NS record.
*/
result = dns_rdata_tostruct(&rdata, &ns, NULL);
if (result != ISC_R_SUCCESS) {
continue;
}
for (size_t pass = 0; pass < 2; pass++) {
size_t curns = 0;
if (STATICSTUB(&fctx->nameservers) &&
dns_name_equal(&ns.name, fctx->domain))
for (result = dns_rdataset_first(&fctx->nameservers);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(&fctx->nameservers))
{
static_stub = DNS_ADBFIND_STATICSTUB;
}
dns_rdata_t rdata = DNS_RDATA_INIT;
bool overquota = false;
unsigned int static_stub = 0;
unsigned int no_fetch = 0;
/*
* Make sure we only launch a limited number of
* outgoing fetches.
*/
if (fctx->pending_running >= fetches_allowed) {
no_fetch = DNS_ADBFIND_NOFETCH;
}
if (pass == 0 && curns++ < startns) {
continue;
}
if (pass == 1 && curns++ >= startns) {
break;
}
findname(fctx, &ns.name, 0,
stdoptions | static_stub | no_fetch, 0, now,
&overquota, &need_alternate, &have_address);
dns_rdataset_current(&fctx->nameservers,
&rdata);
/*
* Extract the name from the NS record.
*/
result = dns_rdata_tostruct(&rdata, &ns, NULL);
if (result != ISC_R_SUCCESS) {
continue;
}
if (!overquota) {
all_spilled = false;
}
if (STATICSTUB(&fctx->nameservers) &&
dns_name_equal(&ns.name, fctx->domain))
{
static_stub = DNS_ADBFIND_STATICSTUB;
}
dns_rdata_reset(&rdata);
dns_rdata_freestruct(&ns);
/*
* Make sure we only launch a limited number of
* outgoing fetches.
*/
if (fctx->pending_running >= fetches_allowed) {
no_fetch = DNS_ADBFIND_NOFETCH;
}
if (++ns_processed >= NS_PROCESSING_LIMIT) {
result = ISC_R_NOMORE;
break;
findname(fctx, &ns.name, 0,
stdoptions | static_stub | no_fetch, 0,
now, &overquota, &need_alternate,
&have_address);
if (!overquota) {
all_spilled = false;
}
dns_rdata_reset(&rdata);
dns_rdata_freestruct(&ns);
if (++ns_processed >= NS_PROCESSING_LIMIT) {
result = ISC_R_NOMORE;
break;
}
}
}
/*
* Don't start alternate fetch if we just started one above.
*/
/*
* Don't start alternate fetch if we just started one above.
*/