- Added qname-minimisation-strict config option.

git-svn-id: file:///svn/unbound/trunk@3878 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,6 @@
+11 October 2016:
+	- Added qname-minimisation-strict config option.
+
 5 October 2016: Ralph
 	- Added views functionality.
 	- Fix #1117: spelling errors, from Robert Edmonds.

doc/example.conf.in

@@ -346,6 +346,12 @@ server:
 	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
 	# to NS when possible.
 	# qname-minimisation: no
+	
+	# QNAME minimisation in strict mode. Do not fall-back to sending full
+	# QNAME to potentially broken nameservers. A lot of domains will not be
+	# resolvable when this option in enabled.
+	# This option only has effect when qname-minimisation is enabled.
+	# qname-minimisation-strict: no
 
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# This feature is an experimental implementation of draft dns-0x20.

doc/unbound.conf.5.in

@@ -661,8 +661,15 @@ Can be given multiple times, for different domains.
 .B qname\-minimisation: \fI<yes or no>
 Send minimum amount of information to upstream servers to enhance privacy.
 Only sent minimum required labels of the QNAME and set QTYPE to NS when 
-possible. Best effort approach, full QNAME and original QTYPE will be sent when
-upstream replies with a RCODE other than NOERROR. Default is off.
+possible. Best effort approach; full QNAME and original QTYPE will be sent when
+upstream replies with a RCODE other than NOERROR, except when receiving
+NXDOMAIN from a DNSSEC signed zone. Default is off.
+.TP
+.B qname\-minimisation\-strict: \fI<yes or no>
+QNAME minimisation in strict mode. Do not fall-back to sending full QNAME to
+potentially broken nameservers. A lot of domains will not be resolvable when
+this option in enabled. Only use if you know what you are doing.
+This option only has effect when qname-minimisation is enabled. Default is off.
 .TP
 .B private\-address: \fI<IP address or subnet>
 Give IPv4 of IPv6 addresses or classless subnets. These are addresses

iterator/iterator.c

@@ -2088,7 +2088,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 			/* Do not increment qname, continue incrementing next 
 			 * iteration */
 			iq->minimisation_state = MINIMISE_STATE;
-		else
+		else if(!qstate->env->cfg->qname_minimisation_strict)
 			/* Too many time-outs detected for this QNAME and QTYPE.
 			 * We give up, disable QNAME minimisation. */
 			iq->minimisation_state = DONOT_MINIMISE_STATE;
@@ -2275,12 +2275,15 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 				&qstate->reply->addr, qstate->reply->addrlen, 
 				qstate->region);
 		if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
-			/* Best effort qname-minimisation. 
-			 * Stop minimising and send full query when RCODE
-			 * is not NOERROR. */
 			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
-				LDNS_RCODE_NOERROR)
+				LDNS_RCODE_NOERROR) {
+				if(qstate->env->cfg->qname_minimisation_strict)
+					return final_state(iq);
+				/* Best effort qname-minimisation. 
+				 * Stop minimising and send full query when
+				 * RCODE is not NOERROR. */
 				iq->minimisation_state = DONOT_MINIMISE_STATE;
+			}
 			if(FLAGS_GET_RCODE(iq->response->rep->flags) ==
 				LDNS_RCODE_NXDOMAIN) {
 				/* Stop resolving when NXDOMAIN is DNSSEC
@@ -2527,7 +2530,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 	/* LAME, THROWAWAY and "unknown" all end up here.
 	 * Recycle to the QUERYTARGETS state to hopefully try a 
 	 * different target. */
-	if (qstate->env->cfg->qname_minimisation)
+	if (qstate->env->cfg->qname_minimisation &&
+		!qstate->env->cfg->qname_minimisation_strict)
 		iq->minimisation_state = DONOT_MINIMISE_STATE;
 	return next_state(iq, QUERYTARGETS_STATE);
 }

util/config_file.c

@@ -247,6 +247,7 @@ config_create(void)
 	cfg->ratelimit_below_domain = NULL;
 	cfg->ratelimit_factor = 10;
 	cfg->qname_minimisation = 0;
+	cfg->qname_minimisation_strict = 0;
 	return cfg;
 error_exit:
 	config_delete(cfg); 
@@ -486,6 +487,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_POW2("ratelimit-slabs:", ratelimit_slabs)
 	else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
 	else S_YNO("qname-minimisation:", qname_minimisation)
+	else S_YNO("qname-minimisation-strict:", qname_minimisation_strict)
 	else if(strcmp(opt, "define-tag:") ==0) {
 		return config_add_tag(cfg, val);
 	/* val_sig_skew_min and max are copied into val_env during init,
@@ -791,6 +793,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min)
 	else O_DEC(opt, "val-sig-skew-max", val_sig_skew_max)
 	else O_YNO(opt, "qname-minimisation", qname_minimisation)
+	else O_YNO(opt, "qname-minimisation-strict", qname_minimisation_strict)
 	else O_IFC(opt, "define-tag", num_tags, tagname)
 	else O_LTG(opt, "local-zone-tag", local_zone_tags)
 	else O_LTG(opt, "access-control-tag", acl_tags)

util/config_file.h

@@ -401,6 +401,9 @@ struct config_file {
 	int ratelimit_factor;
 	/** minimise outgoing QNAME and hide original QTYPE if possible */
 	int qname_minimisation;
+	/** minimise QNAME in strict mode, minimise according to RFC.
+	 *  Do not apply fallback */
+	int qname_minimisation_strict;
 };
 
 /** from cfg username, after daemonise setup performed */

util/configlexer.lex

@@ -210,6 +210,7 @@ SQANY     [^\'\n\r\\]|\\.
 	LEXOUT(("comment(%s) ", yytext)); /* ignore */ }
 server{COLON}			{ YDVAR(0, VAR_SERVER) }
 qname-minimisation{COLON}	{ YDVAR(1, VAR_QNAME_MINIMISATION) }
+qname-minimisation-strict{COLON} { YDVAR(1, VAR_QNAME_MINIMISATION_STRICT) }
 num-threads{COLON}		{ YDVAR(1, VAR_NUM_THREADS) }
 verbosity{COLON}		{ YDVAR(1, VAR_VERBOSITY) }
 port{COLON}			{ YDVAR(1, VAR_PORT) }

util/configparser.h

@@ -210,16 +210,17 @@ extern int yydebug;
     VAR_CACHE_MAX_NEGATIVE_TTL = 420,
     VAR_PERMIT_SMALL_HOLDDOWN = 421,
     VAR_QNAME_MINIMISATION = 422,
-    VAR_IP_FREEBIND = 423,
-    VAR_DEFINE_TAG = 424,
-    VAR_LOCAL_ZONE_TAG = 425,
-    VAR_ACCESS_CONTROL_TAG = 426,
-    VAR_LOCAL_ZONE_OVERRIDE = 427,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 428,
-    VAR_ACCESS_CONTROL_TAG_DATA = 429,
-    VAR_VIEW = 430,
-    VAR_ACCESS_CONTROL_VIEW = 431,
-    VAR_VIEW_FIRST = 432
+    VAR_QNAME_MINIMISATION_STRICT = 423,
+    VAR_IP_FREEBIND = 424,
+    VAR_DEFINE_TAG = 425,
+    VAR_LOCAL_ZONE_TAG = 426,
+    VAR_ACCESS_CONTROL_TAG = 427,
+    VAR_LOCAL_ZONE_OVERRIDE = 428,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 429,
+    VAR_ACCESS_CONTROL_TAG_DATA = 430,
+    VAR_VIEW = 431,
+    VAR_ACCESS_CONTROL_VIEW = 432,
+    VAR_VIEW_FIRST = 433
   };
 #endif
 /* Tokens.  */
@@ -388,16 +389,17 @@ extern int yydebug;
 #define VAR_CACHE_MAX_NEGATIVE_TTL 420
 #define VAR_PERMIT_SMALL_HOLDDOWN 421
 #define VAR_QNAME_MINIMISATION 422
-#define VAR_IP_FREEBIND 423
-#define VAR_DEFINE_TAG 424
-#define VAR_LOCAL_ZONE_TAG 425
-#define VAR_ACCESS_CONTROL_TAG 426
-#define VAR_LOCAL_ZONE_OVERRIDE 427
-#define VAR_ACCESS_CONTROL_TAG_ACTION 428
-#define VAR_ACCESS_CONTROL_TAG_DATA 429
-#define VAR_VIEW 430
-#define VAR_ACCESS_CONTROL_VIEW 431
-#define VAR_VIEW_FIRST 432
+#define VAR_QNAME_MINIMISATION_STRICT 423
+#define VAR_IP_FREEBIND 424
+#define VAR_DEFINE_TAG 425
+#define VAR_LOCAL_ZONE_TAG 426
+#define VAR_ACCESS_CONTROL_TAG 427
+#define VAR_LOCAL_ZONE_OVERRIDE 428
+#define VAR_ACCESS_CONTROL_TAG_ACTION 429
+#define VAR_ACCESS_CONTROL_TAG_DATA 430
+#define VAR_VIEW 431
+#define VAR_ACCESS_CONTROL_VIEW 432
+#define VAR_VIEW_FIRST 433
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -408,7 +410,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 412 "util/configparser.h" /* yacc.c:1909  */
+#line 414 "util/configparser.h" /* yacc.c:1909  */
 };
 # define YYSTYPE_IS_TRIVIAL 1
 # define YYSTYPE_IS_DECLARED 1

util/configparser.y

@@ -125,10 +125,11 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
 %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN VAR_RATELIMIT_FACTOR
 %token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
-%token VAR_QNAME_MINIMISATION VAR_IP_FREEBIND VAR_DEFINE_TAG VAR_LOCAL_ZONE_TAG
-%token VAR_ACCESS_CONTROL_TAG VAR_LOCAL_ZONE_OVERRIDE
-%token VAR_ACCESS_CONTROL_TAG_ACTION VAR_ACCESS_CONTROL_TAG_DATA
-%token VAR_VIEW VAR_ACCESS_CONTROL_VIEW VAR_VIEW_FIRST
+%token VAR_QNAME_MINIMISATION VAR_QNAME_MINIMISATION_STRICT VAR_IP_FREEBIND
+%token VAR_DEFINE_TAG VAR_LOCAL_ZONE_TAG VAR_ACCESS_CONTROL_TAG
+%token VAR_LOCAL_ZONE_OVERRIDE VAR_ACCESS_CONTROL_TAG_ACTION
+%token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
+%token VAR_VIEW_FIRST
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -201,7 +202,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ip_freebind | server_define_tag | server_local_zone_tag |
 	server_disable_dnssec_lame_check | server_access_control_tag |
 	server_local_zone_override | server_access_control_tag_action |
-	server_access_control_tag_data | server_access_control_view
+	server_access_control_tag_data | server_access_control_view |
+	server_qname_minimisation_strict
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -1528,6 +1530,16 @@ server_qname_minimisation: VAR_QNAME_MINIMISATION STRING_ARG
 		free($2);
 	}
 	;
+server_qname_minimisation_strict: VAR_QNAME_MINIMISATION_STRICT STRING_ARG
+	{
+		OUTYY(("P(server_qname_minimisation_strict:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->qname_minimisation_strict = 
+			(strcmp($2, "yes")==0);
+		free($2);
+	}
+	;
 stub_name: VAR_NAME STRING_ARG
 	{
 		OUTYY(("P(name:%s)\n", $2));