- Validate QNAME minimised NXDOMAIN responses.

- If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
   harden-below-nxdomain.



git-svn-id: file:///svn/unbound/trunk@3682 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,8 @@
+18 March 2016: Ralph
+	- Validate QNAME minimised NXDOMAIN responses.
+	- If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
+	  harden-below-nxdomain.
+
 17 March 2016: Ralph
 	- Limit number of QNAME minimisation iterations.
 

iterator/iterator.c

@@ -2265,6 +2265,26 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
 				LDNS_RCODE_NOERROR)
 				iq->minimisation_state = DONOT_MINIMISE_STATE;
+			/* Make subrequest to validate intermediate NXDOMAIN if
+			 * harden-below-nxdomain is enabled. */
+			if(FLAGS_GET_RCODE(iq->response->rep->flags) ==
+				LDNS_RCODE_NXDOMAIN &&
+				qstate->env->cfg->harden_below_nxdomain) {
+				struct module_qstate* subq = NULL;
+				log_query_info(VERB_QUERY,
+					"schedule NXDOMAIN validation:",
+					&iq->response->qinfo);
+				if(!generate_sub_request(
+					iq->response->qinfo.qname,
+					iq->response->qinfo.qname_len,
+					iq->response->qinfo.qtype,
+					iq->response->qinfo.qclass,
+					qstate, id, iq, INIT_REQUEST_STATE,
+					FINISHED_STATE, &subq, 1)) {
+					verbose(VERB_ALGO,
+					"could not validate NXDOMAIN response");
+				}
+			}
 			return next_state(iq, QUERYTARGETS_STATE);
 		}
 		return final_state(iq);

services/cache/dns.c

@@ -795,6 +795,12 @@ dns_cache_lookup(struct module_env* env,
 		dname_remove_label(&k.qname, &k.qname_len);
 		h = query_info_hash(&k, flags);
 		e = slabhash_lookup(env->msg_cache, h, &k, 0);
+		if(!e && k.qtype != LDNS_RR_TYPE_NS &&
+			env->cfg->qname_minimisation) {
+			k.qtype = LDNS_RR_TYPE_NS;
+			h = query_info_hash(&k, flags);
+			e = slabhash_lookup(env->msg_cache, h, &k, 0);
+		}
 		if(e) {
 			struct reply_info* data = (struct reply_info*)e->data;
 			struct dns_msg* msg;
@@ -810,6 +816,7 @@ dns_cache_lookup(struct module_env* env,
 			}
 			lock_rw_unlock(&e->lock);
 		}
+		k.qtype = qtype;
 	}
 
 	/* fill common RR types for ANY response to avoid requery */