harden-below-nxdomain option taken from draft-vixie-dnsext-resimprove.

Default off (for now), as some older software that gives nxdomain for ENT
would be incompatible.  But that would only happen in the reverse tree, and
such software (nonDNSSEC) may go out of style, so in the future a default yes
could be possible.



git-svn-id: file:///svn/unbound/trunk@2347 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,8 @@
+18 November 2010: Wouter
+	- harden-below-nxdomain option, default off (because very old
+	  software may be incompatible).  We could enable it by default in
+	  the future.
+
 17 November 2010: Wouter
 	- implement draft-vixie-dnsext-resimprove-00, we stop on NXDOMAIN.
 	- make test output nicer.

doc/example.conf.in

@@ -257,6 +257,10 @@ server:
 	# Default on, which insists on dnssec data for trust-anchored zones.
 	# harden-dnssec-stripped: yes
 
+	# Harden against queries that fall under known nxdomain names.
+	# Default off because very old software can be incompatible.
+	# harden-below-nxdomain: no
+
         # Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
 	# Default off, because the lookups burden the server.  Experimental 

doc/unbound.conf.5.in

@@ -466,6 +466,13 @@ removes DNSSEC data from packets, or a zone changes from signed to
 unsigned to badly signed often. If turned off you run the risk of a 
 downgrade attack that disables security for a zone. Default is on.
 .TP
+.B harden\-below\-nxdomain: \fI<yes or no>
+From draft-vixie-dnsext-resimprove, returns nxdomain to queries for a name
+below another name that is already known to be nxdomain.  DNSSEC mandates
+noerror for empty nonterminals, hence this is possible.  Very old software
+might return nxdomain for empty nonterminals (that usually happen for reverse
+IP address lookups), and thus may be incompatible with this.  Default is off.
+.TP
 .B harden\-referral\-path: \fI<yes or no>
 Harden the referral path by performing additional queries for
 infrastructure data.  Validates the replies if trust anchors are configured

services/cache/dns.c

@@ -49,6 +49,7 @@
 #include "util/module.h"
 #include "util/net_help.h"
 #include "util/regional.h"
+#include "util/config_file.h"
 
 /** store rrsets in the rrset cache. 
  * @param env: module environment with caches.
@@ -675,7 +676,8 @@ dns_cache_lookup(struct module_env* env,
 	 * Empty nonterminals are NOERROR, so an NXDOMAIN for foo
 	 * means bla.foo also does not exist.  The DNSSEC proofs are
 	 * the same.  We search upwards for NXDOMAINs. */
-	while(!dname_is_root(k.qname)) {
+	if(env->cfg->harden_below_nxdomain)
+	    while(!dname_is_root(k.qname)) {
 		dname_remove_label(&k.qname, &k.qname_len);
 		h = query_info_hash(&k);
 		e = slabhash_lookup(env->msg_cache, h, &k, 0);

testdata/stop_nxdomain.rpl

@@ -1,6 +1,7 @@
 ; config options
 server:
 	target-fetch-policy: "0 0 0 0 0"
+	harden-below-nxdomain: yes
 
 stub-zone:
 	name: "."

util/config_file.c

@@ -153,6 +153,7 @@ config_create(void)
 	cfg->harden_large_queries = 0;
 	cfg->harden_glue = 1;
 	cfg->harden_dnssec_stripped = 1;
+	cfg->harden_below_nxdomain = 0;
 	cfg->harden_referral_path = 0;
 	cfg->use_caps_bits_for_id = 0;
 	cfg->private_address = NULL;

util/config_file.h

@@ -156,6 +156,8 @@ struct config_file {
 	int harden_glue;
 	/** harden against receiving no DNSSEC data for trust anchor */
 	int harden_dnssec_stripped;
+	/** harden against queries that fall under known nxdomain names */
+	int harden_below_nxdomain;
 	/** harden the referral path, query for NS,A,AAAA and validate */
 	int harden_referral_path;
 	/** use 0x20 bits in query as random ID bits */

util/configlexer.lex

@@ -168,6 +168,7 @@ harden-short-bufsize{COLON}	{ YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) }
 harden-large-queries{COLON}	{ YDVAR(1, VAR_HARDEN_LARGE_QUERIES) }
 harden-glue{COLON}		{ YDVAR(1, VAR_HARDEN_GLUE) }
 harden-dnssec-stripped{COLON}	{ YDVAR(1, VAR_HARDEN_DNSSEC_STRIPPED) }
+harden-below-nxdomain{COLON}	{ YDVAR(1, VAR_HARDEN_BELOW_NXDOMAIN) }
 harden-referral-path{COLON}	{ YDVAR(1, VAR_HARDEN_REFERRAL_PATH) }
 use-caps-for-id{COLON}		{ YDVAR(1, VAR_USE_CAPS_FOR_ID) }
 unwanted-reply-threshold{COLON}	{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) }

util/configparser.h

@@ -153,7 +153,8 @@
      VAR_EDNS_BUFFER_SIZE = 369,
      VAR_PREFETCH = 370,
      VAR_PREFETCH_KEY = 371,
-     VAR_SO_SNDBUF = 372
+     VAR_SO_SNDBUF = 372,
+     VAR_HARDEN_BELOW_NXDOMAIN = 373
    };
 #endif
 /* Tokens.  */
@@ -272,6 +273,7 @@
 #define VAR_PREFETCH 370
 #define VAR_PREFETCH_KEY 371
 #define VAR_SO_SNDBUF 372
+#define VAR_HARDEN_BELOW_NXDOMAIN 373
 
 
 
@@ -288,7 +290,7 @@ typedef union YYSTYPE
 
 
 /* Line 1676 of yacc.c  */
-#line 292 "util/configparser.h"
+#line 294 "util/configparser.h"
 } YYSTYPE;
 # define YYSTYPE_IS_TRIVIAL 1
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */

util/configparser.y

@@ -101,7 +101,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_VAL_SIG_SKEW_MAX VAR_CACHE_MIN_TTL VAR_VAL_LOG_LEVEL
 %token VAR_AUTO_TRUST_ANCHOR_FILE VAR_KEEP_MISSING VAR_ADD_HOLDDOWN 
 %token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH
-%token VAR_PREFETCH_KEY VAR_SO_SNDBUF
+%token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_HARDEN_BELOW_NXDOMAIN
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -155,7 +155,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_auto_trust_anchor_file | server_add_holddown | 
 	server_del_holddown | server_keep_missing | server_so_rcvbuf |
 	server_edns_buffer_size | server_prefetch | server_prefetch_key |
-	server_so_sndbuf
+	server_so_sndbuf | server_harden_below_nxdomain
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -718,6 +718,16 @@ server_harden_dnssec_stripped: VAR_HARDEN_DNSSEC_STRIPPED STRING_ARG
 		free($2);
 	}
 	;
+server_harden_below_nxdomain: VAR_HARDEN_BELOW_NXDOMAIN STRING_ARG
+	{
+		OUTYY(("P(server_harden_below_nxdomain:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->harden_below_nxdomain = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 server_harden_referral_path: VAR_HARDEN_REFERRAL_PATH STRING_ARG
 	{
 		OUTYY(("P(server_harden_referral_path:%s)\n", $2));