[9.20] fix: usr: fix false QNAME minimisation error being reported

Remove the false positive "success resolving" log message when QNAME minimisation is in effect and the final result is NXDOMAIN.

Closes #4784

Backport of MR !9117

Merge branch 'backport-4784-false-qname-minimisation-error-being-reported-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!9215

bin/tests/system/qmin/clean.sh

@@ -11,9 +11,10 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-rm -f ns*/named.conf
 rm -f */named.memstats
 rm -f */named.run */named.run.prev
-rm -f dig.out.*
 rm -f ans*/query.log*
+rm -f dig.out.*
+rm -f named.run.*
+rm -f ns*/named.conf
 rm -f query*.log

bin/tests/system/qmin/ns1/root.db

@@ -39,3 +39,6 @@ ns2.fwd.		A	10.53.0.2
 $TTL 2
 stale.			NS	ns2.stale.
 ns2.stale.		A	10.53.0.2
+
+in-addr.arpa.		NS	ns5.in-addr.arpa.
+ns5.in-addr.arpa.	A	10.53.0.5

bin/tests/system/qmin/ns5/in-addr.arpa.db

@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+@ 			IN SOA	wpk.isc.org. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				2       	; minimum
+				)
+@			NS	ns5
+ns5			A	10.53.0.5

bin/tests/system/qmin/ns5/named.conf.in

@@ -26,6 +26,7 @@ options {
 	querylog yes;
 	resolver-query-timeout 30000; # 30 seconds
 	dnssec-validation no;
+	disable-empty-zone 10.in-addr.arpa;
 };
 
 key rndc_key {
@@ -41,3 +42,8 @@ zone "." {
 	type hint;
 	file "../../_common/root.hint";
 };
+
+zone "in-addr.arpa" {
+	type primary;
+	file "in-addr.arpa.db";
+};

bin/tests/system/qmin/ns7/named.conf.in

@@ -26,6 +26,7 @@ options {
 	querylog yes;
 	resolver-query-timeout 30000; # 30 seconds
 	dnssec-validation no;
+	disable-empty-zone 10.in-addr.arpa;
 };
 
 key rndc_key {

bin/tests/system/qmin/tests.sh

@@ -552,5 +552,16 @@ for ans in ans2 ans3 ans4; do mv -f $ans/query.log query-$ans-$n.log 2>/dev/null
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "test that \"success resolving\" is not logged for NXDOMAIN final answer when qname-minimization is in relaxed mode ($n)"
+ret=0
+nextpart ns7/named.run >/dev/null
+$DIG $DIGOPTS 1.0.53.10.in-addr.arpa ptr @10.53.0.7 >dig.out.test$n || ret=1
+nextpart ns7/named.run >named.run.test$n
+grep "status: NXDOMAIN" dig.out.test$n >/dev/null || ret=1
+grep "success resolving" named.run.test$n >/dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

lib/dns/resolver.c

@@ -391,6 +391,7 @@ struct fetchctx {
 	bool minimized;
 	unsigned int qmin_labels;
 	isc_result_t qmin_warning;
+	bool force_qmin_warning;
 	bool ip6arpaskip;
 	bool forwarding;
 	dns_fixedname_t qminfname;
@@ -1673,9 +1674,8 @@ fctx__done(fetchctx_t *fctx, isc_result_t result, const char *func,
 		if (fctx->qmin_warning != ISC_R_SUCCESS) {
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
 				      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
-				      "success resolving '%s' "
-				      "after disabling qname minimization due "
-				      "to '%s'",
+				      "success resolving '%s' after disabling "
+				      "qname minimization due to '%s'",
 				      fctx->info,
 				      isc_result_totext(fctx->qmin_warning));
 		}
@@ -4180,6 +4180,16 @@ resume_qmin(void *arg) {
 	case DNS_R_NCACHENXRRSET:
 	case DNS_R_CNAME:
 	case DNS_R_DNAME:
+		/*
+		 * We have previously detected a possible error of an
+		 * incorrect NXDOMAIN and now have a response that
+		 * indicates that it was an actual error.
+		 */
+		if (fctx->qmin_warning == DNS_R_NCACHENXDOMAIN ||
+		    fctx->qmin_warning == DNS_R_NXDOMAIN)
+		{
+			fctx->force_qmin_warning = true;
+		}
 		/*
 		 * Any other result will *not* cause a failure in strict
 		 * mode, or cause minimization to be disabled in relaxed
@@ -5289,6 +5299,19 @@ validated(void *arg) {
 			covers = fctx->type;
 		}
 
+		/*
+		 * Don't report qname minimisation NXDOMAIN errors
+		 * when the result is NXDOMAIN except we have already
+		 * confirmed a higher error.
+		 */
+		if (!fctx->force_qmin_warning &&
+		    message->rcode == dns_rcode_nxdomain &&
+		    (fctx->qmin_warning == DNS_R_NXDOMAIN ||
+		     fctx->qmin_warning == DNS_R_NCACHENXDOMAIN))
+		{
+			fctx->qmin_warning = ISC_R_SUCCESS;
+		}
+
 		result = dns_db_findnode(fctx->cache, val->name, true, &node);
 		if (result != ISC_R_SUCCESS) {
 			/* fctx->lock unlocked in noanswer_response */
@@ -6430,6 +6453,18 @@ ncache_message(fetchctx_t *fctx, dns_message_t *message,
 		goto unlock;
 	}
 
+	/*
+	 * Don't report qname minimisation NXDOMAIN errors
+	 * when the result is NXDOMAIN except we have already
+	 * confirmed a higher error.
+	 */
+	if (!fctx->force_qmin_warning && message->rcode == dns_rcode_nxdomain &&
+	    (fctx->qmin_warning == DNS_R_NXDOMAIN ||
+	     fctx->qmin_warning == DNS_R_NCACHENXDOMAIN))
+	{
+		fctx->qmin_warning = ISC_R_SUCCESS;
+	}
+
 	/*
 	 * If we are asking for a SOA record set the cache time
 	 * to zero to facilitate locating the containing zone of