- Fix dnssec-missing detection that was turned off by server selection.

git-svn-id: file:///svn/unbound/trunk@2107 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,6 @@
+4 May 2010: Wouter
+	- Fix dnssec-missing detection that was turned off by server selection.
+
 29 April 2010: Wouter
 	- Fix for dnssec lameness detection to use the key cache.
 	- infra cache entries that are expired are wiped clean.  Previously

iterator/iter_utils.c

@@ -310,7 +310,7 @@ iter_filter_order(struct iter_env* iter_env, struct module_env* env,
 struct delegpt_addr* 
 iter_server_selection(struct iter_env* iter_env, 
 	struct module_env* env, struct delegpt* dp, 
-	uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_expected,
+	uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_lame,
 	int* chase_to_rd, int open_target, struct sock_list* blacklist)
 {
 	int sel;
@@ -331,7 +331,7 @@ iter_server_selection(struct iter_env* iter_env,
 		if(selrtt-BLACKLIST_PENALTY > USEFUL_SERVER_TOP_TIMEOUT) {
 			verbose(VERB_ALGO, "chase to "
 				"blacklisted dnssec lame server");
-			*dnssec_expected = 0;
+			*dnssec_lame = 1;
 		}
 	} else {
 		if(selrtt > USEFUL_SERVER_TOP_TIMEOUT*2) {
@@ -340,7 +340,7 @@ iter_server_selection(struct iter_env* iter_env,
 		}
 		if(selrtt > USEFUL_SERVER_TOP_TIMEOUT) {
 			verbose(VERB_ALGO, "chase to dnssec lame server");
-			*dnssec_expected = 0;
+			*dnssec_lame = 1;
 		}
 		if(selrtt == USEFUL_SERVER_TOP_TIMEOUT) {
 			verbose(VERB_ALGO, "chase to blacklisted lame server");

iterator/iter_utils.h

@@ -80,7 +80,7 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
  * @param name: zone name (for lameness check).
  * @param namelen: length of name.
  * @param qtype: query type that we want to send.
- * @param dnssec_expected: set to 0, if a known dnssec-lame server is selected
+ * @param dnssec_lame: set to 1, if a known dnssec-lame server is selected
  *	these are not preferred, but are used as a last resort.
  * @param chase_to_rd: set to 1 if a known recursion lame server is selected
  * 	these are not preferred, but are used as a last resort.
@@ -92,7 +92,7 @@ int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg);
  */
 struct delegpt_addr* iter_server_selection(struct iter_env* iter_env, 
 	struct module_env* env, struct delegpt* dp, uint8_t* name, 
-	size_t namelen, uint16_t qtype, int* dnssec_expected,
+	size_t namelen, uint16_t qtype, int* dnssec_lame,
 	int* chase_to_rd, int open_target, struct sock_list* blacklist);
 
 /**

iterator/iterator.c

@@ -120,6 +120,7 @@ iter_new(struct module_qstate* qstate, int id)
 	iq->wait_priming_stub = 0;
 	iq->refetch_glue = 0;
 	iq->dnssec_expected = 0;
+	iq->dnssec_lame_query = 0;
 	iq->chase_flags = qstate->query_flags;
 	/* Start with the (current) qname. */
 	iq->qchase = qstate->qinfo;
@@ -1451,8 +1452,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* Select the next usable target, filtering out unsuitable targets. */
 	target = iter_server_selection(ie, qstate->env, iq->dp, 
 		iq->dp->name, iq->dp->namelen, iq->qchase.qtype,
-		&iq->dnssec_expected, &iq->chase_to_rd, iq->num_target_queries,
+		&iq->dnssec_lame_query, &iq->chase_to_rd, 
-		qstate->blacklist);
+		iq->num_target_queries, qstate->blacklist);
 
 	/* If no usable target was selected... */
 	if(!target) {
@@ -1530,10 +1531,14 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	}
 
 	/* We have a valid target. */
-	if(iq->dnssec_expected) verbose(VERB_ALGO, "dnssec is expected");
+	if(verbosity >= VERB_QUERY) {
 		log_query_info(VERB_QUERY, "sending query:", &iq->qchase);
 		log_name_addr(VERB_QUERY, "sending to target:", iq->dp->name, 
 			&target->addr, target->addrlen);
+		verbose(VERB_ALGO, "dnssec status: %s%s",
+			iq->dnssec_expected?"expected": "not expected",
+			iq->dnssec_lame_query?" but lame_query anyway": "");
+	}
 	fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query));
 	outq = (*qstate->env->send_query)(
 		iq->qchase.qname, iq->qchase.qname_len, 
@@ -1587,6 +1592,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 	iq->num_current_queries--;
 	if(iq->response == NULL) {
 		iq->chase_to_rd = 0;
+		iq->dnssec_lame_query = 0;
 		verbose(VERB_ALGO, "query response was timeout");
 		return next_state(iq, QUERYTARGETS_STATE);
 	}
@@ -1599,7 +1605,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * differently. No queries should be sent elsewhere */
 		type = RESPONSE_TYPE_ANSWER;
 	}
-	if(iq->dnssec_expected && !(iq->chase_flags&BIT_RD) 
+	if(iq->dnssec_expected && !iq->dnssec_lame_query &&
+		!(iq->chase_flags&BIT_RD) 
 		&& type != RESPONSE_TYPE_LAME 
 		&& type != RESPONSE_TYPE_REC_LAME 
 		&& type != RESPONSE_TYPE_THROWAWAY 
@@ -1615,7 +1622,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			type = RESPONSE_TYPE_LAME;
 			dnsseclame = 1;
 		}
-	}
+	} else iq->dnssec_lame_query = 0;
 	/* see if referral brings us close to the target */
 	if(type == RESPONSE_TYPE_REFERRAL) {
 		struct ub_packed_rrset_key* ns = find_NS(
@@ -1764,7 +1771,6 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		/* Clear the query state, since this is a query restart. */
 		iq->deleg_msg = NULL;
 		iq->dp = NULL;
-		iq->dnssec_expected = 0;
 		/* Note the query restart. */
 		iq->query_restart_count++;
 

iterator/iterator.h

@@ -254,6 +254,12 @@ struct iter_qstate {
 	 */
 	int dnssec_expected;
 
+	/**
+	 * We are expecting dnssec information, but we also know the server
+	 * is DNSSEC lame.  The response need not be marked dnssec-lame again.
+	 */
+	int dnssec_lame_query;
+
 	/**
 	 * This is flag that, if true, means that this event is 
 	 * waiting for a stub priming query.