- Fix TTL of SOA so negative TTL is separately cached from normal TTL.

git-svn-id: file:///svn/unbound/trunk@2416 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/remote.c

@@ -1063,6 +1063,9 @@ do_cache_remove(struct worker* worker, uint8_t* nm, size_t nmlen,
 	hashvalue_t h;
 	struct query_info k;
 	rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c, 0);
+	if(t == LDNS_RR_TYPE_SOA)
+		rrset_cache_remove(worker->env.rrset_cache, nm, nmlen, t, c,
+			PACKED_RRSET_SOA_NEG);
 	k.qname = nm;
 	k.qname_len = nmlen;
 	k.qtype = t;

doc/Changelog

@@ -3,6 +3,7 @@
 	  and reduces install size significantly.
 	- feature, ignore-cd-flag: yesno to provide dnssec to legacy servers.
 	- iana portlist updated.
+	- Fix TTL of SOA so negative TTL is separately cached from normal TTL.
 
 14 April 2011: Wouter
 	- configure created with newer autoconf 2.66.

testdata/iter_soamin.rpl

@@ -0,0 +1,208 @@
+; config options
+server:
+	target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test cache of SOA with minimum ttl and normal ttl.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A	10.20.30.40
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN SOA
+SECTION ANSWER
+example.com. 86400 IN SOA dns1.icann.org. hostmaster.icann.org. 2010074630 7200 3600 1209600 3600
+SECTION AUTHORITY
+example.com. 3600 IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.	3600 IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+nx.example.com. IN A
+SECTION AUTHORITY
+example.com. 3600 IN SOA dns1.icann.org. hostmaster.icann.org. 2010074630 7200 3600 1209600 3600
+ENTRY_END
+
+RANGE_END
+
+; put both queries with SOA records into the cache and then query them from
+; the cache.
+; first the nxdomain, so that the positive SOA answer later overrides the
+; SOA from the authority section from that nxdomain.
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+nx.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NXDOMAIN
+SECTION QUESTION
+nx.example.com. IN A
+SECTION AUTHORITY
+example.com. 3600 IN SOA dns1.icann.org. hostmaster.icann.org. 2010074630 7200 3600 1209600 3600
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.com. IN SOA
+ENTRY_END
+
+; recursion happens here.
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+example.com. IN SOA
+SECTION ANSWER
+example.com. 86400 IN SOA dns1.icann.org. hostmaster.icann.org. 2010074630 7200 3600 1209600 3600
+SECTION AUTHORITY
+example.com. 3600 IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.	3600 IN 	A	1.2.3.4
+ENTRY_END
+
+; now check them from the cache (no seconds elapsed).
+
+STEP 110 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+nx.example.com. IN A
+ENTRY_END
+
+STEP 120 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NXDOMAIN
+SECTION QUESTION
+nx.example.com. IN A
+SECTION AUTHORITY
+example.com. 3600 IN SOA dns1.icann.org. hostmaster.icann.org. 2010074630 7200 3600 1209600 3600
+ENTRY_END
+
+STEP 130 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.com. IN SOA
+ENTRY_END
+
+STEP 140 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+example.com. IN SOA
+SECTION ANSWER
+example.com. 86400 IN SOA dns1.icann.org. hostmaster.icann.org. 2010074630 7200 3600 1209600 3600
+SECTION AUTHORITY
+example.com. 3600 IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.	3600 IN 	A	1.2.3.4
+ENTRY_END
+
+SCENARIO_END

testdata/val_negcache_dssoa.rpl

@@ -140,12 +140,16 @@ ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
-REPLY QR AA NOERROR
+REPLY QR AA NXDOMAIN
 SECTION QUESTION
-example.com. IN SOA
-SECTION ANSWER
-example.com.	IN	SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200
-example.com.    3600    IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854}
+nx.example.com. IN A
+SECTION AUTHORITY
+example.com.	7200 IN	SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200
+example.com.    7200 IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854}
+nw.example.com.	7200	IN	NSEC	ny.example.com. A RRSIG 
+nw.example.com.	7200	IN	RRSIG	NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AHMp+sqWyR3JL6P0LhJ10fufMFSkW9+DM3QghOokyqgbRu54Q1XrHoE= ;{id = 2854}
+!.example.com. 7200 IN NSEC +.example.com. A RRSIG
+!.example.com.	7200	IN	RRSIG	NSEC 3 3 7200 20070926134150 20070829134150 2854 example.com. AJsNy2VkFTJEMShfEcvIkBe+UViVYDJbNNuGnwf/QecOrhONaVpIXy4= ;{id = 2854}
 ENTRY_END
 
 RANGE_END
@@ -204,19 +208,23 @@ STEP 14 QUERY
 ENTRY_BEGIN
 REPLY RD DO
 SECTION QUESTION
-example.com. IN SOA
+nx.example.com. IN A
 ENTRY_END
 
 STEP 15 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA AD NOERROR
+REPLY QR RD RA AD NXDOMAIN
 SECTION QUESTION
-example.com. IN SOA
+nx.example.com. IN A
 SECTION ANSWER
-example.com.	IN	SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200
-example.com.    3600    IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854}
 SECTION AUTHORITY
+example.com.	7200 IN	SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200
+example.com.    7200    IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854}
+nw.example.com.	7200	IN	NSEC	ny.example.com. A RRSIG 
+nw.example.com.	7200	IN	RRSIG	NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AHMp+sqWyR3JL6P0LhJ10fufMFSkW9+DM3QghOokyqgbRu54Q1XrHoE= ;{id = 2854}
+!.example.com. 7200 IN NSEC +.example.com. A RRSIG
+!.example.com.	7200	IN	RRSIG	NSEC 3 3 7200 20070926134150 20070829134150 2854 example.com. AJsNy2VkFTJEMShfEcvIkBe+UViVYDJbNNuGnwf/QecOrhONaVpIXy4= ;{id = 2854}
 SECTION ADDITIONAL
 ENTRY_END
 
@@ -238,8 +246,8 @@ SECTION ANSWER
 SECTION AUTHORITY
 sub.example.com. IN	NSEC www.example.com. NS RRSIG NSEC
 sub.example.com.        3600    IN      RRSIG   NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFDCaiDM6G+glwNW276HWdH+McmjgAhRSwF5OfimNQCqkWgnYotLOwUghKQ== ;{id = 2854}
-example.com.	IN	SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200
-example.com.    3600    IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854}
+example.com.	7200 IN	SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200
+example.com.    7200 IN RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854}
 ENTRY_END
 
 SCENARIO_END

util/data/msgparse.c

@@ -145,11 +145,13 @@ nsec_at_apex(ldns_buffer* pkt)
 
 /** Calculate rrset flags */
 static uint32_t
-pkt_rrset_flags(ldns_buffer* pkt, uint16_t type)
+pkt_rrset_flags(ldns_buffer* pkt, uint16_t type, ldns_pkt_section sec)
 {
 	uint32_t f = 0;
 	if(type == LDNS_RR_TYPE_NSEC && nsec_at_apex(pkt)) {
 		f |= PACKED_RRSET_NSEC_AT_APEX;
+	} else if(type == LDNS_RR_TYPE_SOA && sec == LDNS_SECTION_AUTHORITY) {
+		f |= PACKED_RRSET_SOA_NEG;
 	}
 	return f;
 }
@@ -482,7 +484,7 @@ find_rrset(struct msg_parse* msg, ldns_buffer* pkt, uint8_t* dname,
 		}
 	}
 	/* find by hashing and lookup in hashtable */
-	*rrset_flags = pkt_rrset_flags(pkt, type);
+	*rrset_flags = pkt_rrset_flags(pkt, type, section);
 	
 	/* if rrsig - try to lookup matching data set first */
 	if(type == LDNS_RR_TYPE_RRSIG && pkt_rrsig_covered(pkt, 

util/data/packed_rrset.h

@@ -54,6 +54,10 @@ typedef uint64_t rrset_id_t;
 #define PACKED_RRSET_NSEC_AT_APEX 0x1
 /** this rrset is A/AAAA and is in-zone-glue (from parent side of zonecut) */
 #define PACKED_RRSET_PARENT_SIDE 0x2
+/** this rrset is SOA and has the negative ttl (from nxdomain or nodata),
+ * this is set on SOA rrsets in the authority section, to keep its TTL separate
+ * from the SOA in the answer section from a direct SOA query or ANY query. */
+#define PACKED_RRSET_SOA_NEG 0x4
 
 /**
  * The identifying information for an RRset.
@@ -73,6 +77,7 @@ struct packed_rrset_key {
 	 * Flags. 32bit to be easy for hashing:
 	 * 	o PACKED_RRSET_NSEC_AT_APEX
 	 * 	o PACKED_RRSET_PARENT_SIDE
+	 * 	o PACKED_RRSET_SOA_NEG
 	 */
 	uint32_t flags;
 	/** the rrset type in network format */

validator/val_neg.c

@@ -1371,7 +1371,7 @@ static int add_soa(struct rrset_cache* rrset_cache, uint32_t now,
 			return 0;
 	}
 	soa = rrset_cache_lookup(rrset_cache, nm, nmlen, LDNS_RR_TYPE_SOA, 
-		dclass, 0, now, 0);
+		dclass, PACKED_RRSET_SOA_NEG, now, 0);
 	if(!soa)
 		return 0;
 	if(!dns_msg_authadd(msg, region, soa, now)) {