new NS queries is not an option (off by default).

git-svn-id: file:///svn/unbound/trunk@1219 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-20 23:00:56 -05:00 · 2008-08-29 14:46:08 +00:00 · 2008-08-29 14:46:08 +00:00 · a66e16cb31
commit a66e16cb31
parent 49d295755d
17 changed files with 989 additions and 903 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,5 +1,7 @@
 29 August 2008: Wouter
 	- version 1.1 number in trunk.
 	- harden-referral-path option for query for NS records.
 	  Default turns off expensive, experimental option.
 28 August 2008: Wouter
 	- fixup logfile handling; it is created with correct permissions
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@ -228,6 +228,12 @@ server:
 	# Default on, which insists on dnssec data for trust-anchored zones.
 	# harden-dnssec-stripped: yes
        # Harden the referral path by performing additional queries for
 	# infrastructure data.  Validates the replies (if possible).
 	# Default off, because it burdens the authority servers, and it is
 	# not RFC standard, and could be slower.  Experimental option.
 	# harden-referral-path: no
 	# Use 0x20-encoded random bits in the query to foil spoof attempts.
 	# Disabled by default, because some caching forwarders may not
 	# support this (if you have forward-zones). Most authority servers do.
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -371,6 +371,16 @@ removes DNSSEC data from packets, or a zone changes from signed to
 unsigned to badly signed often. If turned off you run the risk of a 
 downgrade attack that disables security for a zone. Default is on.
 .TP
 .B harden\-referral\-path: \fI<yes or no>
 Harden the referral path by performing additional queries for
 infrastructure data.  Validates the replies if trust anchors are configured
 and the zones are signed.  This enforces DNSSEC validation on nameserver
 NS sets and the nameserver addresses that are encountered on the referral 
 path to the answer.
 Default off, because it burdens the authority servers, and it is
 not RFC standard, and could lead to performance problems because of the
 extra query load that is generated.  Experimental option.
 .TP
 .B use\-caps\-for\-id: \fI<yes or no>
 Use 0x20-encoded random bits in the query to foil spoof attempts.
 This perturbs the lowercase and uppercase of query names sent to 
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@ -58,6 +58,7 @@
 #include "util/data/dname.h"
 #include "util/data/msgencode.h"
 #include "util/fptr_wlist.h"
 #include "util/config_file.h"
 int 
 iter_init(struct module_env* env, int id)
@ -1330,6 +1331,7 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * got in the referral. This gets authoritative answer
 		 * (answer section trust level) rrset.
 		 * right after, we detach subs, we don't want the answer */
 		if(qstate->env->cfg->harden_referral_path)
 			generate_ns_check(qstate, iq, id, iq->qchase.qclass);
 		/* stop current outstanding queries. 
--- a/testdata/dlv_insecure.rpl
+++ b/testdata/dlv_insecure.rpl
@ -3,6 +3,7 @@
 server:
 	dlv-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	harden-referral-path: yes
 stub-zone:
 	name: "."
@ -139,22 +140,23 @@ ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752
 ENTRY_END
 ; DLV query
-ENTRY_BEGIN
+; picked out of the negative cache due to NS queries in between.
-MATCH opcode qtype qname
+; ENTRY_BEGIN
-ADJUST copy_id
+; MATCH opcode qtype qname
-REPLY QR NXDOMAIN
+; ADJUST copy_id
-SECTION QUESTION
+; REPLY QR NXDOMAIN
-example.net.example.com. IN DLV
+; SECTION QUESTION
-SECTION ANSWER
+; example.net.example.com. IN DLV
-SECTION AUTHORITY
+; SECTION ANSWER
-example.com.	IN NS	ns.example.com.
+; SECTION AUTHORITY
-example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+; example.com.	IN NS	ns.example.com.
-example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
+; example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
-example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
+; example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
-SECTION ADDITIONAL
+; example.com.	3600	IN	RRSIG	NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
-ns.example.com.		IN 	A	1.2.3.4
+; SECTION ADDITIONAL
-ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+; ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
+; ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
 ; ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
--- a/testdata/iter_lame_noaa.rpl
+++ b/testdata/iter_lame_noaa.rpl
@ -1,4 +1,6 @@
 ; config options
 server:
 	harden-referral-path: yes
 stub-zone:
        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
--- a/testdata/iter_ns_spoof.rpl
+++ b/testdata/iter_ns_spoof.rpl
@ -1,4 +1,6 @@
 ; config options
 server:
 	harden-referral-path: yes
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
--- a/testdata/iter_scrub_cname_an.rpl
+++ b/testdata/iter_scrub_cname_an.rpl
@ -1,4 +1,6 @@
 ; config options
 server:
 	harden-referral-path: yes
 stub-zone:
        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
--- a/testdata/iter_scrub_dname_insec.rpl
+++ b/testdata/iter_scrub_dname_insec.rpl
@ -1,4 +1,6 @@
 ; config options
 server:
 	harden-referral-path: yes
 stub-zone:
        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
--- a/testdata/val_referd.rpl
+++ b/testdata/val_referd.rpl
@ -3,6 +3,7 @@
 server:
 	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	harden-referral-path: yes
 stub-zone:
 	name: "."
--- a/util/config_file.c
+++ b/util/config_file.c
@ -129,6 +129,7 @@ config_create()
 	cfg->harden_large_queries = 0;
 	cfg->harden_glue = 1;
 	cfg->harden_dnssec_stripped = 1;
 	cfg->harden_referral_path = 0;
 	cfg->use_caps_bits_for_id = 0;
 	cfg->hide_identity = 0;
 	cfg->hide_version = 0;
--- a/util/config_file.h
+++ b/util/config_file.h
@ -143,6 +143,8 @@ struct config_file {
 	int harden_glue;
 	/** harden against receiving no DNSSEC data for trust anchor */
 	int harden_dnssec_stripped;
 	/** harden the referral path, query for NS,A,AAAA and validate */
 	int harden_referral_path;
 	/** use 0x20 bits in query as random ID bits */
 	int use_caps_bits_for_id;
--- a/util/configlexer.c
+++ b/util/configlexer.c
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@ -147,6 +147,7 @@ harden-short-bufsize{COLON}	{ YDOUT; return VAR_HARDEN_SHORT_BUFSIZE;}
 harden-large-queries{COLON}	{ YDOUT; return VAR_HARDEN_LARGE_QUERIES;}
 harden-glue{COLON}	{ YDOUT; return VAR_HARDEN_GLUE;}
 harden-dnssec-stripped{COLON}	{ YDOUT; return VAR_HARDEN_DNNSEC_STRIPPED;}
 harden-referral-path{COLON}	{ YDOUT; return VAR_HARDEN_REFERRAL_PATH;}
 use-caps-for-id{COLON}	{ YDOUT; return VAR_USE_CAPS_FOR_ID;}
 stub-zone{COLON}	{ YDOUT; return VAR_STUB_ZONE;}
 name{COLON}		{ YDOUT; return VAR_NAME;}
--- a/util/configparser.c
+++ b/util/configparser.c
--- a/util/configparser.h
+++ b/util/configparser.h
@ -120,7 +120,8 @@
     VAR_OUTGOING_PORT_AVOID = 336,
     VAR_DLV_ANCHOR_FILE = 337,
     VAR_DLV_ANCHOR = 338,
-     VAR_NEG_CACHE_SIZE = 339
+     VAR_NEG_CACHE_SIZE = 339,
     VAR_HARDEN_REFERRAL_PATH = 340
   };
 #endif
 /* Tokens.  */
@ -206,6 +207,7 @@
 #define VAR_DLV_ANCHOR_FILE 337
 #define VAR_DLV_ANCHOR 338
 #define VAR_NEG_CACHE_SIZE 339
 #define VAR_HARDEN_REFERRAL_PATH 340
@ -217,7 +219,7 @@ typedef union YYSTYPE
 	char*	str;
 }
 /* Line 1489 of yacc.c.  */
-#line 221 "util/configparser.h"
+#line 223 "util/configparser.h"
 	YYSTYPE;
 # define yystype YYSTYPE /* obsolescent; will be withdrawn */
 # define YYSTYPE_IS_DECLARED 1
--- a/util/configparser.y
+++ b/util/configparser.y
@ -91,7 +91,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_STATISTICS_INTERVAL VAR_DO_DAEMONIZE VAR_USE_CAPS_FOR_ID
 %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT 
 %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
-%token VAR_NEG_CACHE_SIZE
+%token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -134,7 +134,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_statistics_interval | server_do_daemonize | 
 	server_use_caps_for_id | server_statistics_cumulative |
 	server_outgoing_port_permit | server_outgoing_port_avoid |
-	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size
+	server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size |
 	server_harden_referral_path
 	;
 stubstart: VAR_STUB_ZONE
 	{
@ -626,6 +627,16 @@ server_harden_dnssec_stripped: VAR_HARDEN_DNNSEC_STRIPPED STRING
 		free($2);
 	}
 	;
 server_harden_referral_path: VAR_HARDEN_REFERRAL_PATH STRING
 	{
 		OUTYY(("P(server_harden_referral_path:%s)\n", $2));
 		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
 			yyerror("expected yes or no.");
 		else cfg_parser->cfg->harden_referral_path = 
 			(strcmp($2, "yes")==0);
 		free($2);
 	}
 	;
 server_use_caps_for_id: VAR_USE_CAPS_FOR_ID STRING
 	{
 		OUTYY(("P(server_use_caps_for_id:%s)\n", $2));