diff --git a/doc/Changelog b/doc/Changelog
index af3822a0e..da9e0767a 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,10 @@
+8 April 2011: Wouter
+ - iana portlist updated.
+ - queries with CD flag set cause DNSSEC validation, but the answer is
+ not withheld if it is bogus. Thus, unbound will retry if it is bad
+ and curb the TTL if it is bad, thus protecting the cache for use by
+ downstream validators.
+
 29 March 2011: Wouter
 - harden-below-nxdomain: changed so that it activates when the cached
 nxdomain is dnssec secure. This avoids backwards
diff --git a/services/mesh.c b/services/mesh.c
index 04e9cebe4..0fe738c07 100644
--- a/services/mesh.c
+++ b/services/mesh.c
@@ -270,7 +270,11 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 uint16_t qflags, struct edns_data* edns, struct comm_reply* rep,
 uint16_t qid)
 {
- struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags, 0);
+ /* do not use CD flag from user for mesh state, we want the CD-query
+ * to receive validation anyway, to protect out cache contents and
+ * avoid bad-data in this cache that a downstream validator cannot
+ * remove from this cache */
+ struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&BIT_RD, 0);
 int was_detached = 0;
 int was_noreply = 0;
 int added = 0;
@@ -298,7 +302,7 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo,
 /* see if it already exists, if not, create one */
 if(!s) {
 struct rbnode_t* n;
- s = mesh_state_create(mesh->env, qinfo, qflags, 0);
+ s = mesh_state_create(mesh->env, qinfo, qflags&BIT_RD, 0);
 if(!s) {
 log_err("mesh_state_create: out of memory; SERVFAIL");
 error_encode(rep->c->buffer, LDNS_RCODE_SERVFAIL, 
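Review bot: The mask `qflags&BIT_RD` is spelled out at every mesh_area_find and mesh_state_create call — at the top of mesh_new_client here, in the `if(!s)` branch of the next hunk, and again in mesh_new_callback and mesh_new_prefetch in the later hunks — so the "CD never reaches the state key" invariant now lives in eight places and a future call site that passes raw `qflags` would silently reintroduce a CD-keyed state. Computing it once per function, `uint16_t state_flags = qflags & BIT_RD; /* CD is dropped so CD queries share the validated state */`, and passing `state_flags` to both calls keeps the invariant in one spot. The new comment also has a typo: `to protect our cache contents`. Since the shared state no longer records whether the client set CD, the per-reply flags handed to the reply path later in mesh_new_client (outside this hunk) presumably must stay the unmasked `qflags` — as the SERVFAIL error_encode here already does — so the answer path can still tell CD clients apart; that is not visible here and worth confirming. mesh_new_client's body continues past the hunk.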
@@ -357,7 +361,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 uint16_t qflags, struct edns_data* edns, ldns_buffer* buf,
 uint16_t qid, mesh_cb_func_t cb, void* cb_arg)
 {
- struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags, 0);
+ struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&BIT_RD, 0);
 int was_detached = 0;
 int was_noreply = 0;
 int added = 0;
@@ -366,7 +370,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 /* see if it already exists, if not, create one */
 if(!s) {
 struct rbnode_t* n;
- s = mesh_state_create(mesh->env, qinfo, qflags, 0);
+ s = mesh_state_create(mesh->env, qinfo, qflags&BIT_RD, 0);
 if(!s) {
 return 0;
 }
@@ -403,7 +407,7 @@ mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo,
 void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
 uint16_t qflags, uint32_t leeway)
 {
- struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags, 0);
+ struct mesh_state* s = mesh_area_find(mesh, qinfo, qflags&BIT_RD, 0);
 struct rbnode_t* n;
 /* already exists, and for a different purpose perhaps.
 * if mesh_no_list, keep it that way. */
@@ -420,7 +424,7 @@ void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo,
 mesh->stats_dropped ++;
 return;
 }
- s = mesh_state_create(mesh->env, qinfo, qflags, 0);
+ s = mesh_state_create(mesh->env, qinfo, qflags&BIT_RD, 0);
 if(!s) {
 log_err("prefetch mesh_state_create: out of memory");
 return;
diff --git a/testdata/val_referglue.rpl b/testdata/val_referglue.rpl
index c379c8545..fd7e7caa5 100644
--- a/testdata/val_referglue.rpl
+++ b/testdata/val_referglue.rpl
@@ -244,7 +244,6 @@ ENTRY_END
 RANGE_END
 
 
-
 ; first ask for +CD and get the data in the cache.
 STEP 1 QUERY
 ENTRY_BEGIN
@@ -266,7 +265,8 @@ example.com. IN NS ns.example.com.
 example.com. IN NS ns2.sub.example.com.
 SECTION ADDITIONAL
 ns.example.com. IN A 1.2.3.4
-ns2.sub.example.com. IN A 100.200.30.40
+; already validated and thus stripped from the answer.
+;ns2.sub.example.com. IN A 100.200.30.40
 ENTRY_END
 
 ; now the data is in the cache, validate a referral from cache
diff --git a/util/iana_ports.inc b/util/iana_ports.inc
index 5be49edad..539a4489e 100644
--- a/util/iana_ports.inc
+++ b/util/iana_ports.inc
@@ -5065,6 +5065,7 @@
 14936,
 14937,
 15000,
+15118,
 15345,
 15363,
 15555,