Fixup Richard Doty reported lameness detection fault.

git-svn-id: file:///svn/unbound/trunk@1111 be551aaa-1e26-0410-a405-d3ace91eadb9
Wouter Wijngaards 2008-06-09 08:29:59 +00:00
parent 1dec098624
commit 8527bd4aff
3 changed files with 174 additions and 5 deletions


@ -1,3 +1,10 @@
9 June 2008: Wouter
- in iteration response type code
* first check for SOA record (negative answer) before NS record
and lameness.
* check if no AA bit for non-forwarder, and thus lame zone.
In response to error report by Richard Doty for mail.opusnet.com.
8 June 2008: Wouter 8 June 2008: Wouter
- if multiple CNAMEs, use the first one. Fixup akamai CNAME bug. - if multiple CNAMEs, use the first one. Fixup akamai CNAME bug.
Reported by Robert Edmonds. Reported by Robert Edmonds.


@ -104,6 +104,7 @@ response_type_from_server(int rdset,
struct dns_msg* msg, struct query_info* request, struct delegpt* dp) struct dns_msg* msg, struct query_info* request, struct delegpt* dp)
{ {
uint8_t* origzone = (uint8_t*)"\000"; /* the default */ uint8_t* origzone = (uint8_t*)"\000"; /* the default */
struct ub_packed_rrset_key* s;
size_t origzonelen = 1; size_t origzonelen = 1;
size_t i; size_t i;
@ -188,12 +189,10 @@ response_type_from_server(int rdset,
} }
/* Looking at the authority section, we just look and see if /* Looking at the authority section, we just look and see if
* there is a delegation NS set, turning it into a delegation. * there is a SOA record, that means a NOERROR/NODATA */
* Otherwise, we will have to conclude ANSWER (either it is
* NOERROR/NODATA, or an non-authoritative answer). */
for(i = msg->rep->an_numrrsets; i < (msg->rep->an_numrrsets + for(i = msg->rep->an_numrrsets; i < (msg->rep->an_numrrsets +
msg->rep->ns_numrrsets); i++) { msg->rep->ns_numrrsets); i++) {
struct ub_packed_rrset_key* s = msg->rep->rrsets[i]; s = msg->rep->rrsets[i];
/* The normal way of detecting NOERROR/NODATA. */ /* The normal way of detecting NOERROR/NODATA. */
if(ntohs(s->rk.type) == LDNS_RR_TYPE_SOA && if(ntohs(s->rk.type) == LDNS_RR_TYPE_SOA &&
@ -204,19 +203,32 @@ response_type_from_server(int rdset,
return RESPONSE_TYPE_LAME; return RESPONSE_TYPE_LAME;
return RESPONSE_TYPE_ANSWER; return RESPONSE_TYPE_ANSWER;
} }
}
/* Looking at the authority section, we just look and see if
* there is a delegation NS set, turning it into a delegation.
* Otherwise, we will have to conclude ANSWER (either it is
* NOERROR/NODATA, or an non-authoritative answer). */
for(i = msg->rep->an_numrrsets; i < (msg->rep->an_numrrsets +
msg->rep->ns_numrrsets); i++) {
s = msg->rep->rrsets[i];
/* Detect REFERRAL/LAME/ANSWER based on the relationship /* Detect REFERRAL/LAME/ANSWER based on the relationship
* of the NS set to the originating zone name. */ * of the NS set to the originating zone name. */
if(ntohs(s->rk.type) == LDNS_RR_TYPE_NS) { if(ntohs(s->rk.type) == LDNS_RR_TYPE_NS) {
/* If we are getting an NS set for the zone we /* If we are getting an NS set for the zone we
* thought we were contacting, then it is an answer.*/ * thought we were contacting, then it is an answer.*/
/* FIXME: is this correct? */
if(query_dname_compare(s->rk.dname, origzone) == 0) { if(query_dname_compare(s->rk.dname, origzone) == 0) {
/* see if mistakenly a recursive server was /* see if mistakenly a recursive server was
* deployed and is responding nonAA */ * deployed and is responding nonAA */
if( (msg->rep->flags&BIT_RA) && if( (msg->rep->flags&BIT_RA) &&
!(msg->rep->flags&BIT_AA) && !rdset) !(msg->rep->flags&BIT_AA) && !rdset)
return RESPONSE_TYPE_LAME; return RESPONSE_TYPE_LAME;
/* Or if a lame server is deployed,
* which gives ns==zone delegation from cache
* without AA bit as well, with nodata nosoa*/
if(msg->rep->an_numrrsets==0 &&
!(msg->rep->flags&BIT_AA) && !rdset)
return RESPONSE_TYPE_LAME;
return RESPONSE_TYPE_ANSWER; return RESPONSE_TYPE_ANSWER;
} }
/* If we are getting a referral upwards (or to /* If we are getting a referral upwards (or to
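Review bot: The added `an_numrrsets==0` branch in the `query_dname_compare(s->rk.dname, origzone) == 0` case returns RESPONSE_TYPE_LAME from the header bits and section counts of a single unauthenticated reply, and its comment does not say that `!rdset` is what exempts forwarders, where a non-AA reply is expected. What the caller does with RESPONSE_TYPE_LAME is outside these hunks; if it records the server as lame for some period, one stray non-AA reply may be enough to sideline a working server, so that path deserves a look alongside this change. The two lameness tests share `!(msg->rep->flags&BIT_AA) && !rdset` and would read more clearly as one condition, `if(!(msg->rep->flags&BIT_AA) && !rdset && ((msg->rep->flags&BIT_RA) || msg->rep->an_numrrsets==0))`. The comment kept above the second loop still says the fallback covers NOERROR/NODATA, which the first loop now handles, so I would trim it to the delegation case. response_type_from_server starts and ends outside the hunks.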

150
testdata/iter_lame_noaa.rpl vendored Normal file

@ -0,0 +1,150 @@
; config options
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
SCENARIO_BEGIN Test lame detection if AA bit is omitted
; the query is answered with a reply that has
; no AA bit
; no SOA record
; noanswer/noerror
; NS record in there which is not a down delegation (==).
; the query is not sent to a forward zone
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
; root prime is sent
STEP 20 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
. IN NS
ENTRY_END
STEP 30 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END
; query sent to root server
STEP 40 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 50 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
; query sent to .com server
STEP 60 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 70 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2
ns2.example.com. IN A 168.192.3.3
ENTRY_END
; no matter which one the iterator tries first, we present it as 'lame'
; query to ns1.example.com or ns2.example.com.
STEP 80 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 90 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
; This is the BROKEN ANSWER here.
; it is lame. A delegation to example.com. itself.
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2
ns2.example.com. IN A 168.192.3.3
ENTRY_END
; iterator should try again and ask the other nameserver.
STEP 100 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 110 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
SECTION AUTHORITY
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2
ns2.example.com. IN A 168.192.3.3
ENTRY_END
; is the final answer correct?
STEP 200 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
SECTION AUTHORITY
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2
ns2.example.com. IN A 168.192.3.3
ENTRY_END
SCENARIO_END
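Review bot: The scenario covers only the positive case, where the STEP 90 reply is classified lame and the iterator retries the other nameserver; nothing checks that the same reply (no AA, no SOA, empty answer, NS equal to the zone) is still accepted when the query goes through a forward zone, which is the `!rdset` exemption in the code change. A sibling scenario with a forward-zone configuration and the STEP 90 reply as the upstream answer would pin that behaviour down and guard against the lame check being widened by accident. At minimum I would add to the header comment `; the forwarder (RD set) case is exempt from this check and is not covered by this scenario`.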