From 5d061f13f90de3e61ddbcb88ad481c8a25e07709 Mon Sep 17 00:00:00 2001
From: Ralph Dolmans
Date: Fri, 18 Mar 2016 15:44:41 +0000
Subject: [PATCH] - Validate QNAME minimised NXDOMAIN responses.

- If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
  harden-below-nxdomain.

git-svn-id: file:///svn/unbound/trunk@3682 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog        |  5 +++++
 iterator/iterator.c  | 20 ++++++++++++++++++++
 services/cache/dns.c |  7 +++++++
 3 files changed, 32 insertions(+)

diff --git a/doc/Changelog b/doc/Changelog
index 3834d9d75..f73c37133 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+18 March 2016: Ralph
+	- Validate QNAME minimised NXDOMAIN responses.
+	- If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
+	  harden-below-nxdomain.
+
 17 March 2016: Ralph
 	- Limit number of QNAME minimisation iterations.
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 38f79699a..421ddf5b1 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2265,6 +2265,26 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
 			LDNS_RCODE_NOERROR)
 			iq->minimisation_state = DONOT_MINIMISE_STATE;
+		/* Make subrequest to validate intermediate NXDOMAIN if
+		 * harden-below-nxdomain is enabled. */
+		if(FLAGS_GET_RCODE(iq->response->rep->flags) ==
+			LDNS_RCODE_NXDOMAIN &&
+			qstate->env->cfg->harden_below_nxdomain) {
+			struct module_qstate* subq = NULL;
+			log_query_info(VERB_QUERY,
+				"schedule NXDOMAIN validation:",
+				&iq->response->qinfo);
+			if(!generate_sub_request(
+				iq->response->qinfo.qname,
+				iq->response->qinfo.qname_len,
+				iq->response->qinfo.qtype,
+				iq->response->qinfo.qclass,
+				qstate, id, iq, INIT_REQUEST_STATE,
+				FINISHED_STATE, &subq, 1)) {
+				verbose(VERB_ALGO,
+					"could not validate NXDOMAIN response");
+			}
+		}
 		return next_state(iq, QUERYTARGETS_STATE);
 	}
 	return final_state(iq);
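Review bot: The failure branch of the new block is logged at VERB_ALGO while the scheduling just above it is logged at VERB_QUERY, so an operator running at VERB_QUERY sees "schedule NXDOMAIN validation:" but never sees that the subrequest could not be created; `verbose(VERB_QUERY, "could not validate NXDOMAIN response");` keeps both events at the same level. The failure is otherwise silent best-effort: the code still falls through to next_state(iq, QUERYTARGETS_STATE) and the intermediate NXDOMAIN stays unvalidated, which is presumably only acceptable if the harden-below-nxdomain lookup on the cache side refuses to use an NXDOMAIN that has not been validated — if that is the invariant, the comment should state it, e.g. `/* harden-below-nxdomain only trusts this NXDOMAIN for names below it once the validator has checked it, so run it through the validator as a subquery */` in place of the current two-line comment. FLAGS_GET_RCODE(iq->response->rep->flags) is now evaluated twice in a row; a local `int rcode = FLAGS_GET_RCODE(iq->response->rep->flags);` shared by the existing != LDNS_RCODE_NOERROR test and the new == LDNS_RCODE_NXDOMAIN test would read more clearly. processQueryResponse begins before and continues after this hunk.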
diff --git a/services/cache/dns.c b/services/cache/dns.c
index e14e636db..84db7a778 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -795,6 +795,12 @@ dns_cache_lookup(struct module_env* env,
 			dname_remove_label(&k.qname, &k.qname_len);
 			h = query_info_hash(&k, flags);
 			e = slabhash_lookup(env->msg_cache, h, &k, 0);
+			if(!e && k.qtype != LDNS_RR_TYPE_NS &&
+				env->cfg->qname_minimisation) {
+				k.qtype = LDNS_RR_TYPE_NS;
+				h = query_info_hash(&k, flags);
+				e = slabhash_lookup(env->msg_cache, h, &k, 0);
+			}
 			if(e) {
 				struct reply_info* data = (struct reply_info*)e->data;
 				struct dns_msg* msg;
@@ -810,6 +816,7 @@ dns_cache_lookup(struct module_env* env,
 				}
 				lock_rw_unlock(&e->lock);
 			}
+			k.qtype = qtype;
 		}

 	/* fill common RR types for ANY response to avoid requery */
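Review bot: The restore `k.qtype = qtype;` in the second hunk sits well after the switch to LDNS_RR_TYPE_NS in the first, so for the whole if(e) block between them k carries qtype NS rather than the caller's qtype; if any code in that block (outside the hunks) builds the returned message or logs from &k, the message's qinfo.qtype will be NS, which the caller may not expect — worth confirming. If nothing in between depends on k.qtype, restoring it immediately after the second slabhash_lookup keeps the mutation local and removes the separate restore; if the deferral is deliberate (for example &k must still match the entry found under NS), a comment at the restore such as `/* k.qtype was switched to NS for the minimisation lookup above; reset it for the next label */` says why. The new branch also deserves a why-comment, since the reason for the NS retry is not obvious from the code: `/* QNAME minimisation sends intermediate queries with QTYPE NS, so a cached NXDOMAIN for a parent name is stored under NS, not under the original qtype */`. Note that with qname_minimisation enabled this doubles the message-cache lookups per parent label on a miss. dns_cache_lookup begins before and continues after these hunks.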