upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-22 07:41:16 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

root prime validation

Browse source 
git-svn-id: file:///svn/unbound/trunk@1309 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2008-10-17 15:07:28 +00:00
parent 1275afa125
commit a0d9d48d8f
3 changed files with 26 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
doc/Changelog
View file

@ -1,6 +1,9 @@
17 October 2008: Wouter 17 October 2008: Wouter
- port Leopard/G5: fixup type conversion size_t/uint32. - port Leopard/G5: fixup type conversion size_t/uint32.
please ranlib, stop file without symbols warning. please ranlib, stop file without symbols warning.
- harden referral path now also validates the root after priming.
It looks up the root NS authoritatively as well as the root servers
and attemps to validate the entries.
16 October 2008: Wouter 16 October 2008: Wouter
- Fixup negative TTL values appearing (reported by Attila Nagy). - Fixup negative TTL values appearing (reported by Attila Nagy).

2
doc/plan
View file

@ -80,7 +80,7 @@ not stats on SIGUSR1. perhaps also see which slow auth servers cause >1sec value
* trouble counter, cache wipe threshold. * trouble counter, cache wipe threshold.
+ off-path validation + off-path validation
* root NS, root glue validation after prime + root NS, root glue validation after prime
* ignore bogus nameservers, pretend they always return a servfail. * ignore bogus nameservers, pretend they always return a servfail.

25
iterator/iterator.c
View file

@ -668,8 +668,9 @@ generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
continue; continue;
/* generate subrequest for it */ /* generate subrequest for it */
log_nametypeclass(VERB_ALGO, "must fetch addr", s->rk.dname, log_nametypeclass(VERB_ALGO, "schedule addr fetch",
ntohs(s->rk.type), ntohs(s->rk.rrset_class)); s->rk.dname, ntohs(s->rk.type),
ntohs(s->rk.rrset_class));
if(!generate_sub_request(s->rk.dname, s->rk.dname_len, if(!generate_sub_request(s->rk.dname, s->rk.dname_len,
ntohs(s->rk.type), ntohs(s->rk.rrset_class), ntohs(s->rk.type), ntohs(s->rk.rrset_class),
qstate, id, iq, qstate, id, iq,
@ -704,7 +705,7 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
return; return;
} }
log_nametypeclass(VERB_ALGO, "must fetch ns", log_nametypeclass(VERB_ALGO, "schedule ns fetch",
iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass); iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
if(!generate_sub_request(iq->dp->name, iq->dp->namelen, if(!generate_sub_request(iq->dp->name, iq->dp->namelen,
LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq, LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
@ -1643,6 +1644,24 @@ processPrimeResponse(struct module_qstate* qstate, int id)
qstate->return_msg = NULL; qstate->return_msg = NULL;
} }
/* validate the root or stub after priming (if enabled).
* This is the same query as the prime query, but with validation.
* Now that we are primed, the additional queries that validation
* may need can be resolved, such as DLV. */
if(qstate->env->cfg->harden_referral_path) {
struct module_qstate* subq = NULL;
log_nametypeclass(VERB_ALGO, "schedule prime validation",
qstate->qinfo.qname, qstate->qinfo.qtype,
qstate->qinfo.qclass);
if(!generate_sub_request(qstate->qinfo.qname,
qstate->qinfo.qname_len, qstate->qinfo.qtype,
qstate->qinfo.qclass, qstate, id, iq,
INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
log_err("out of memory generating prime check");
}
generate_a_aaaa_check(qstate, iq, id);
}
/* This event is finished. */ /* This event is finished. */
qstate->ext_state[id] = module_finished; qstate->ext_state[id] = module_finished;
return 0; return 0;