upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-24 00:29:58 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Fix 0x20 capsforid fallback to omit gratuitous NS and additional

Browse source 
section changes.


git-svn-id: file:///svn/unbound/trunk@3323 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2015-01-30 09:35:38 +00:00
parent d17b312471
commit 3d66ef2b92
4 changed files with 52 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
doc/Changelog
View file

@ -1,3 +1,7 @@
30 January 2015: Wouter
- Fix 0x20 capsforid fallback to omit gratuitous NS and additional
section changes.
29 January 2015: Wouter 29 January 2015: Wouter
- Fix pyunbound byte string representation for python3. - Fix pyunbound byte string representation for python3.

36
iterator/iter_utils.c
View file

@ -714,6 +714,42 @@ reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region)
return 1; return 1;
} }
void
caps_strip_reply(struct reply_info* rep)
{
size_t i;
if(!rep) return;
/* see if message is a referral, in which case the additional and
* NS record cannot be removed */
/* referrals have the AA flag unset (strict check, not elsewhere in
* unbound, but for 0x20 this is very convenient). */
if(!(rep->flags&BIT_AA))
return;
/* remove the additional section from the reply */
if(rep->ar_numrrsets != 0) {
verbose(VERB_ALGO, "caps fallback: removing additional section");
rep->rrset_count -= rep->ar_numrrsets;
rep->ar_numrrsets = 0;
}
/* is there an NS set in the authority section to remove? */
/* the failure case (Cisco firewalls) only has one rrset in authsec */
for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++) {
struct ub_packed_rrset_key* s = rep->rrsets[i];
if(ntohs(s->rk.type) == LDNS_RR_TYPE_NS) {
/* remove NS rrset and break from loop (loop limits
* have changed) */
/* move last rrset into this position (there is no
* additional section any more) */
verbose(VERB_ALGO, "caps fallback: removing NS rrset");
if(i < rep->rrset_count-1)
rep->rrsets[i]=rep->rrsets[rep->rrset_count-1];
rep->rrset_count --;
rep->ns_numrrsets --;
break;
}
}
}
void void
iter_store_parentside_rrset(struct module_env* env, iter_store_parentside_rrset(struct module_env* env,
struct ub_packed_rrset_key* rrset) struct ub_packed_rrset_key* rrset)

9
iterator/iter_utils.h
View file

@ -222,6 +222,15 @@ int iter_msg_from_zone(struct dns_msg* msg, struct delegpt* dp,
*/ */
int reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region); int reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region);
/**
* Remove unused bits from the reply if possible.
* So that caps-for-id (0x20) fallback is more likely to be successful.
* This removes like, the additional section, and NS record in the authority
* section if those records are gratuitous (not for a referral).
* @param rep: the reply to strip stuff out of.
*/
void caps_strip_reply(struct reply_info* rep);
/** /**
* Store parent-side rrset in seperate rrset cache entries for later * Store parent-side rrset in seperate rrset cache entries for later
* last-resort * lookups in case the child-side versions of this information * last-resort * lookups in case the child-side versions of this information

3
iterator/iterator.c
View file

@ -2882,6 +2882,9 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
iq->response->rep); iq->response->rep);
if(event == module_event_capsfail || iq->caps_fallback) { if(event == module_event_capsfail || iq->caps_fallback) {
/* for fallback we care about main answer, not additionals */
/* removing that makes comparison more likely to succeed */
caps_strip_reply(iq->response->rep);
if(!iq->caps_fallback) { if(!iq->caps_fallback) {
/* start fallback */ /* start fallback */
iq->caps_fallback = 1; iq->caps_fallback = 1;