- Fix 'unbound-control flush_negative' when reporting removed data;

reported by David 'eqvinox' Lamparter.
Yorgos Thessalonikefs 2025-03-16 09:01:03 +01:00
parent 5c84bb573f
commit 71bb60e586
5 changed files with 43 additions and 9 deletions


@ -1950,7 +1950,7 @@ bogus_del_rrset(struct lruhash_entry* e, void* arg)
/* entry is locked */ /* entry is locked */
struct del_info* inf = (struct del_info*)arg; struct del_info* inf = (struct del_info*)arg;
struct packed_rrset_data* d = (struct packed_rrset_data*)e->data; struct packed_rrset_data* d = (struct packed_rrset_data*)e->data;
if(d->security == sec_status_bogus) { if(d->security == sec_status_bogus && d->ttl > inf->expired) {
d->ttl = inf->expired; d->ttl = inf->expired;
inf->num_rrsets++; inf->num_rrsets++;
} }
@ -1963,7 +1963,7 @@ bogus_del_msg(struct lruhash_entry* e, void* arg)
/* entry is locked */ /* entry is locked */
struct del_info* inf = (struct del_info*)arg; struct del_info* inf = (struct del_info*)arg;
struct reply_info* d = (struct reply_info*)e->data; struct reply_info* d = (struct reply_info*)e->data;
if(d->security == sec_status_bogus) { if(d->security == sec_status_bogus && d->ttl > inf->expired) {
d->ttl = inf->expired; d->ttl = inf->expired;
d->prefetch_ttl = inf->expired; d->prefetch_ttl = inf->expired;
d->serve_expired_ttl = inf->expired; d->serve_expired_ttl = inf->expired;
@ -1983,7 +1983,7 @@ bogus_del_kcache(struct lruhash_entry* e, void* arg)
/* entry is locked */ /* entry is locked */
struct del_info* inf = (struct del_info*)arg; struct del_info* inf = (struct del_info*)arg;
struct key_entry_data* d = (struct key_entry_data*)e->data; struct key_entry_data* d = (struct key_entry_data*)e->data;
if(d->isbad) { if(d->isbad && d->ttl > inf->expired) {
d->ttl = inf->expired; d->ttl = inf->expired;
inf->num_keys++; inf->num_keys++;
} }
@ -2032,7 +2032,8 @@ negative_del_rrset(struct lruhash_entry* e, void* arg)
/* delete the parentside negative cache rrsets, /* delete the parentside negative cache rrsets,
* these are nameserver rrsets that failed lookup, rdata empty */ * these are nameserver rrsets that failed lookup, rdata empty */
if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 && if((k->rk.flags & PACKED_RRSET_PARENT_SIDE) && d->count == 1 &&
d->rrsig_count == 0 && d->rr_len[0] == 0) { d->rrsig_count == 0 && d->rr_len[0] == 0 &&
d->ttl > inf->expired) {
d->ttl = inf->expired; d->ttl = inf->expired;
inf->num_rrsets++; inf->num_rrsets++;
} }
@ -2047,7 +2048,8 @@ negative_del_msg(struct lruhash_entry* e, void* arg)
struct reply_info* d = (struct reply_info*)e->data; struct reply_info* d = (struct reply_info*)e->data;
/* rcode not NOERROR: NXDOMAIN, SERVFAIL, ..: an nxdomain or error /* rcode not NOERROR: NXDOMAIN, SERVFAIL, ..: an nxdomain or error
* or NOERROR rcode with ANCOUNT==0: a NODATA answer */ * or NOERROR rcode with ANCOUNT==0: a NODATA answer */
if(FLAGS_GET_RCODE(d->flags) != 0 || d->an_numrrsets == 0) { if((FLAGS_GET_RCODE(d->flags) != 0 || d->an_numrrsets == 0) &&
d->ttl > inf->expired) {
d->ttl = inf->expired; d->ttl = inf->expired;
d->prefetch_ttl = inf->expired; d->prefetch_ttl = inf->expired;
d->serve_expired_ttl = inf->expired; d->serve_expired_ttl = inf->expired;
@ -2069,7 +2071,7 @@ negative_del_kcache(struct lruhash_entry* e, void* arg)
struct key_entry_data* d = (struct key_entry_data*)e->data; struct key_entry_data* d = (struct key_entry_data*)e->data;
/* could be bad because of lookup failure on the DS, DNSKEY, which /* could be bad because of lookup failure on the DS, DNSKEY, which
* was nxdomain or servfail, and thus a result of negative lookups */ * was nxdomain or servfail, and thus a result of negative lookups */
if(d->isbad) { if(d->isbad && d->ttl > inf->expired) {
d->ttl = inf->expired; d->ttl = inf->expired;
inf->num_keys++; inf->num_keys++;
} }
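Review bot: In bogus_del_msg and negative_del_msg the new guard tests only `d->ttl > inf->expired`, yet the body also resets `d->prefetch_ttl` and `d->serve_expired_ttl`, so a message whose `ttl` is already at or below `inf->expired` is now skipped with its `serve_expired_ttl` untouched. If `inf->expired` is derived from the current time (it is set outside these hunks), a bogus or negative reply that expired on its own would survive a flush and, where serving of expired data is enabled, could presumably still be answered from cache. Consider widening the test in both message callbacks, e.g. `if(d->security == sec_status_bogus && (d->ttl > inf->expired || d->serve_expired_ttl > inf->expired)) {`, or add a comment stating that leaving such entries in place is intended. Both function bodies continue past the end of their hunks, so any counter update there is not visible.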


@ -1,3 +1,7 @@
16 March 2025: Yorgos
- Fix 'unbound-control flush_negative' when reporting removed data;
reported by David 'eqvinox' Lamparter.
28 February 2025: Wouter 28 February 2025: Wouter
- Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time. - Merge #1238: Prefer SOURCE_DATE_EPOCH over actual time.
Add --help output description for the SOURCE_DATE_EPOCH variable. Add --help output description for the SOURCE_DATE_EPOCH variable.


@ -13,6 +13,7 @@ server:
msg-cache-size: 4m msg-cache-size: 4m
rrset-cache-size: 4m rrset-cache-size: 4m
minimal-responses: yes minimal-responses: yes
trust-anchor: "always.empty. 3600 IN DS 50602 8 2 FA8EE175C47325F4BD46D8A4083C3EBEB11C977D689069F2B41F1A29 B22446B1" # This is nonsense, just to kick the validator
view: view:
name: testview name: testview
view-first: yes # Allow falling back to global local data view-first: yes # Allow falling back to global local data


@ -249,6 +249,18 @@ expect_exit_value 1
teststep "clean reload" teststep "clean reload"
clean_reload clean_reload
teststep "Check negative flushing"
query always.empty.
expect_answer "SERVFAIL"
query always.empty. DNSKEY
expect_answer "SERVFAIL"
control_command -c ub.conf flush_negative
expect_exit_value 0
expect_answer "^ok removed .*, 2 messages and 1 key"
control_command -c ub.conf flush_negative
expect_exit_value 0
expect_answer "^ok removed .*, 0 messages and 0 key"
teststep "create a new local zone" teststep "create a new local zone"
control_command -c ub.conf local_zone example.net static control_command -c ub.conf local_zone example.net static
expect_exit_value 0 expect_exit_value 0
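Review bot: Both new `expect_answer` patterns wildcard the rrset field with `.*`, so the `d->ttl > inf->expired` guard this commit adds to the rrset callbacks is not pinned by the test; only the message and key counters are. If the rrset count after the second `flush_negative` is deterministic, tighten that pattern, e.g. `expect_answer "^ok removed 0 rrsets, 0 messages and 0 key"` (the exact wording of the rrset field is assumed here; confirm it against the command's output). If it is not deterministic, a short comment above the step saying why the field is left open would help the next reader.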


@ -1,5 +1,4 @@
; nameserver test file ; nameserver test file
$ORIGIN example.com.
$TTL 3600 $TTL 3600
ENTRY_BEGIN ENTRY_BEGIN
@ -7,9 +6,9 @@ MATCH opcode qtype qname
REPLY QR AA NOERROR REPLY QR AA NOERROR
ADJUST copy_id ADJUST copy_id
SECTION QUESTION SECTION QUESTION
www IN A www.example.com. IN A
SECTION ANSWER SECTION ANSWER
www IN A 10.20.30.40 www.example.com. IN A 10.20.30.40
ENTRY_END ENTRY_END
ENTRY_BEGIN ENTRY_BEGIN
@ -19,3 +18,19 @@ ADJUST copy_id
SECTION QUESTION SECTION QUESTION
www.example.net. IN A www.example.net. IN A
ENTRY_END ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
always.empty. IN A
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
REPLY QR AA NOERROR
ADJUST copy_id
SECTION QUESTION
always.empty. IN DNSKEY
ENTRY_END