Commit 78e31dd1 authored by Mark Andrews's avatar Mark Andrews

4437. [func] Minimal-responses now has two additional modes

                        no-auth and no-auth-recursive which suppress
                        adding the NS records to the authority section
                        as well as the associated address records for the
                        nameservers. [RT #42005]
parent aaeed646
4437. [func] Minimal-responses now has two additional modes
no-auth and no-auth-recursive which suppress
adding the NS records to the authority section
as well as the associated address records for the
nameservers. [RT #42005]
4436. [func] Return TLSA records as additional data for MX and SRV
lookups. [RT #42894]
......
......@@ -241,7 +241,7 @@ options {
topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
auth-nxdomain <replaceable>boolean</replaceable>; // default changed
minimal-any <replaceable>boolean</replaceable>;
minimal-responses <replaceable>boolean</replaceable>;
minimal-responses ( <replaceable>boolean</replaceable> | no-auth | no-auth-recursive );
recursion <replaceable>boolean</replaceable>;
rrset-order {
<optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
......
......@@ -9048,9 +9048,21 @@ ns_query_start(ns_client_t *client) {
if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
if (client->view->minimalresponses)
switch (client->view->minimalresponses) {
case dns_minimal_no:
break;
case dns_minimal_yes:
client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
NS_QUERYATTR_NOADDITIONAL);
break;
case dns_minimal_noauth:
client->query.attributes |= NS_QUERYATTR_NOAUTHORITY;
break;
case dns_minimal_noauthrec:
if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
client->query.attributes |= NS_QUERYATTR_NOAUTHORITY;
break;
}
if ((client->view->cachedb == NULL)
|| (!client->view->additionalfromcache)) {
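Review bot: The dns_minimal_noauthrec case keys solely on the client-supplied RD bit in `message->flags`, not on whether the view will actually recurse, so on a view with `recursion no` (as ns1/named4.conf in this commit is configured) any client can obtain the trimmed authority section simply by setting RD. The test expectations suggest that is the intended contract, but nothing in the code says so; add a comment above the `if`, e.g. `/* "recursive" means the client set RD; the view's recursion setting is deliberately not consulted. */`. The switch also has no `default:` label; the enum is exhaustive today, but a `default: INSIST(0);` (the assertion style the server.c hunk of this commit uses) keeps -Wswitch quiet and documents that every value is handled. ns_query_start starts and ends outside the hunk, and `message` is presumably a local alias for `client->message` declared above it.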
......
......@@ -4090,7 +4090,20 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
obj = NULL;
result = ns_config_get(maps, "minimal-responses", &obj);
INSIST(result == ISC_R_SUCCESS);
view->minimalresponses = cfg_obj_asboolean(obj);
if (cfg_obj_isboolean(obj)) {
if (cfg_obj_asboolean(obj))
view->minimalresponses = dns_minimal_yes;
else
view->minimalresponses = dns_minimal_no;
} else {
str = cfg_obj_asstring(obj);
if (strcasecmp(str, "no-auth") == 0) {
view->minimalresponses = dns_minimal_noauth;
} else if (strcasecmp(str, "no-auth-recursive") == 0) {
view->minimalresponses = dns_minimal_noauthrec;
} else
INSIST(0);
}
obj = NULL;
result = ns_config_get(maps, "transfer-format", &obj);
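Review bot: The closing `else` in the new block is unbraced while its sibling branches are braced; for consistency write `} else {`, `INSIST(0);`, `}`. The `INSIST(0)` is only reachable if this code and the parser's `minimal_enums` table disagree about the accepted strings, so a one-line comment such as `/* cfg_type_minimal admits only these two strings; anything else is a parser bug */` would spare the next reader a cross-file lookup. `str` must be declared earlier in configure_view, which starts outside the hunk.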
......
......@@ -18,6 +18,7 @@ options {
listen-on-v6 { none; };
notify no;
minimal-any yes;
minimal-responses no-auth;
};
include "../../common/rndc.key";
......@@ -30,3 +31,23 @@ zone "rt.example" {
type master;
file "rt.db";
};
zone "naptr.example" {
type master;
file "naptr.db";
};
zone "rt2.example" {
type master;
file "rt2.db";
};
zone "naptr2.example" {
type master;
file "naptr2.db";
};
zone "nid.example" {
type master;
file "nid.db";
};
......@@ -11,11 +11,13 @@ options {
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
recursion no;
additional-from-auth no;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
notify no;
minimal-responses no-auth-recursive;
};
include "../../common/rndc.key";
......@@ -33,3 +35,28 @@ zone "srv.example" {
type master;
file "srv.db";
};
zone "rt.example" {
type master;
file "rt.db";
};
zone "naptr.example" {
type master;
file "naptr.db";
};
zone "rt2.example" {
type master;
file "rt2.db";
};
zone "naptr2.example" {
type master;
file "naptr2.db";
};
zone "nid.example" {
type master;
file "nid.db";
};
......@@ -16,81 +16,192 @@ n=0
dotests() {
n=`expr $n + 1`
echo "I:test with RT, single zone ($n)"
echo "I:test with RT, single zone (+rec) ($n)"
ret=0
$DIG -t RT rt.rt.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
$DIG +rec -t RT rt.rt.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with RT, two zones ($n)"
echo "I:test with RT, two zones (+rec) ($n)"
ret=0
$DIG -t RT rt.rt2.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
$DIG +rec -t RT rt.rt2.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with NAPTR, single zone ($n)"
echo "I:test with NAPTR, single zone (+rec) ($n)"
ret=0
$DIG -t NAPTR nap.naptr.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
$DIG +rec -t NAPTR nap.naptr.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with NAPTR, two zones ($n)"
echo "I:test with NAPTR, two zones (+rec) ($n)"
ret=0
$DIG -t NAPTR nap.hang3b.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
$DIG +rec -t NAPTR nap.hang3b.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with LP ($n)"
echo "I:test with LP (+rec) ($n)"
ret=0
$DIG -t LP nid2.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
$DIG +rec -t LP nid2.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
case $minimal in
no)
grep -w "NS" dig.out.$n > /dev/null || ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
;;
yes)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
;;
no-auth)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
;;
no-auth-recursive)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
;;
esac
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with NID (+rec) ($n)"
ret=0
$DIG +rec -t NID ns1.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
grep "L64" dig.out.$n > /dev/null || ret=1
grep "L32" dig.out.$n > /dev/null || ret=1
# change && to || when we support NID additional processing
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep "L64" dig.out.$n > /dev/null && ret=1
grep "L32" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with NID ($n)"
echo "I:test with NID + LP (+rec) ($n)"
ret=0
$DIG -t NID ns1.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
$DIG +rec -t NID nid2.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep "L64" dig.out.$n > /dev/null && ret=1
grep "L32" dig.out.$n > /dev/null && ret=1
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep "L64" dig.out.$n > /dev/null && ret=1
grep "L32" dig.out.$n > /dev/null && ret=1
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with RT, single zone (+norec) ($n)"
ret=0
$DIG +norec -t RT rt.rt.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with RT, two zones (+norec) ($n)"
ret=0
$DIG +norec -t RT rt.rt2.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with NID + LP ($n)"
echo "I:test with NAPTR, single zone (+norec) ($n)"
ret=0
$DIG -t NID nid2.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
$DIG +norec -t NAPTR nap.naptr.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with NAPTR, two zones (+norec) ($n)"
ret=0
$DIG +norec -t NAPTR nap.hang3b.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with LP (+norec) ($n)"
ret=0
$DIG +norec -t LP nid2.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
case $minimal in
no)
grep -w "NS" dig.out.$n > /dev/null || ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
;;
yes)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
;;
no-auth)
grep -w "NS" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
;;
no-auth-recursive)
grep -w "NS" dig.out.$n > /dev/null || ret=1
grep -w "L64" dig.out.$n > /dev/null || ret=1
grep -w "L32" dig.out.$n > /dev/null || ret=1
;;
esac
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with NID (+norec) ($n)"
ret=0
$DIG +norec -t NID ns1.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep "LP" dig.out.$n > /dev/null && ret=1
grep "L64" dig.out.$n > /dev/null && ret=1
grep "L32" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep "LP" dig.out.$n > /dev/null && ret=1
grep "L64" dig.out.$n > /dev/null && ret=1
grep "L32" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
n=`expr $n + 1`
echo "I:test with NID + LP (+norec) ($n)"
ret=0
$DIG +norec -t NID nid2.nid.example @10.53.0.1 -p 5300 > dig.out.$n || ret=1
if [ $minimal = no ] ; then
# change && to || when we support NID additional processing
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
else
grep -w "LP" dig.out.$n > /dev/null && ret=1
grep -w "L64" dig.out.$n > /dev/null && ret=1
grep -w "L32" dig.out.$n > /dev/null && ret=1
fi
if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
......@@ -133,11 +244,19 @@ if [ $ret -eq 1 ] ; then
echo "I: failed"; status=1
fi
echo "I:testing with 'minimal-responses no-auth;'"
minimal=no-auth
dotests
echo "I:reconfiguring server"
cp ns1/named4.conf ns1/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reconfig 2>&1 | sed 's/^/I:ns1 /'
sleep 2
echo "I:testing with 'minimal-responses no-auth-recursive;'"
minimal=no-auth-recursive
dotests
n=`expr $n + 1`
echo "I:testing returning TLSA records with MX query ($n)"
ret=0
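Review bot: In the NID tests of the first hunk the two branches of `if [ $minimal = no ]` are now identical: after `+rec -t NID ns1.nid.example`, `+rec -t NID nid2.nid.example` and both `+norec` counterparts, the `no` and `else` branches run the same `grep -w ... && ret=1` checks, so the conditional is dead code kept only for the "change && to || when we support NID additional processing" TODO. Either collapse each to the unconditional greps with the TODO comment retained, or make the `no` branch the one that will later differ, so the intent is visible. `[ $minimal = no ]` also relies on `$minimal` being set and non-empty; `[ "$minimal" = no ]` is the safer spelling. dotests starts at the top of the first hunk but ends outside it.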
......
......@@ -4429,7 +4429,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
<optional> host-statistics-max <replaceable>number</replaceable>; </optional>
<optional> minimal-any <replaceable>yes_or_no</replaceable>; </optional>
<optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
<optional> minimal-responses (<replaceable>yes_or_no</replaceable> | <constant>no-auth</constant> | <constant>no-auth-recursive</constant>); </optional>
<optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
<optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable>; </optional>
<optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
......@@ -6187,11 +6187,26 @@ options {
<term><command>minimal-responses</command></term>
<listitem>
<para>
If <userinput>yes</userinput>, then when generating
If set to <userinput>yes</userinput>, then when generating
responses the server will only add records to the authority
and additional data sections when they are required (e.g.
delegations, negative responses). This may improve the
performance of the server.
</para>
<para>
When set to <userinput>no-auth</userinput>, the
server will omit records from the authority section
unless they are required, but it may still add
records to the additional section. When set to
<userinput>no-auth-recursive</userinput>, this
is only done if the query is recursive. These
settings are useful when answering stub clients,
which usually ignore the authority section.
<userinput>no-auth-recursive</userinput> is
designed for mixed-mode servers which handle
both authoritative and recursive queries.
</para>
<para>
The default is <userinput>no</userinput>.
</para>
</listitem>
......
......@@ -537,7 +537,7 @@
<listitem>
<para>
An <command>--enable-querytrace</command> configure switch is
now available to enable very verbose query tracelogging. This
now available to enable very verbose query trace logging. This
option can only be set at compile time. This option has a
negative performance impact and should be used only for
debugging. [RT #37520]
......@@ -843,6 +843,15 @@
block the server.
</para>
</listitem>
<listitem>
<para>
<command>minimal-responses</command> now takes two new
arguments: <option>no-auth</option> suppresses
populating the authority section but not the additional
section; <option>no-auth-recursive</option>
does the same but only when answering recursive queries.
</para>
</listitem>
</itemizedlist>
</section>
......
......@@ -188,6 +188,13 @@ typedef enum {
dns_notifytype_masteronly = 3
} dns_notifytype_t;
typedef enum {
dns_minimal_no = 0,
dns_minimal_yes = 1,
dns_minimal_noauth = 2,
dns_minimal_noauthrec = 3
} dns_minimaltype_t;
typedef enum {
dns_dialuptype_no = 0,
dns_dialuptype_yes = 1,
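Review bot: The new dns_minimaltype_t enum has no comment saying what each mode controls, and the names alone do not convey that `noauthrec` is conditional on the client's RD bit. A short doc comment above the typedef would help, e.g. `/*%< minimal-responses modes: yes trims authority and additional; noauth trims only authority; noauthrec trims authority only when RD is set. */`.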
......
......@@ -117,7 +117,7 @@ struct dns_view {
isc_boolean_t additionalfromcache;
isc_boolean_t additionalfromauth;
isc_boolean_t minimal_any;
isc_boolean_t minimalresponses;
dns_minimaltype_t minimalresponses;
isc_boolean_t enablednssec;
isc_boolean_t enablevalidation;
isc_boolean_t acceptexpired;
......
......@@ -186,7 +186,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->enablevalidation = ISC_TRUE;
view->acceptexpired = ISC_FALSE;
view->minimal_any = ISC_FALSE;
view->minimalresponses = ISC_FALSE;
view->minimalresponses = dns_minimal_no;
view->transfer_format = dns_one_answer;
view->cacheacl = NULL;
view->cacheonacl = NULL;
......
......@@ -89,14 +89,19 @@ doc_geoip(cfg_printer_t *pctx, const cfg_type_t *type);
static cfg_type_t cfg_type_acl;
static cfg_type_t cfg_type_addrmatchelt;
static cfg_type_t cfg_type_bracketed_aml;
static cfg_type_t cfg_type_bracketed_namesockaddrkeylist;
static cfg_type_t cfg_type_bracketed_dscpsockaddrlist;
static cfg_type_t cfg_type_bracketed_namesockaddrkeylist;
static cfg_type_t cfg_type_bracketed_sockaddrlist;
static cfg_type_t cfg_type_bracketed_sockaddrnameportlist;
static cfg_type_t cfg_type_controls;
static cfg_type_t cfg_type_controls_sockaddr;
static cfg_type_t cfg_type_destinationlist;
static cfg_type_t cfg_type_dialuptype;
static cfg_type_t cfg_type_dlz;
static cfg_type_t cfg_type_dnstap;
static cfg_type_t cfg_type_dnstapoutput;
static cfg_type_t cfg_type_dyndb;
static cfg_type_t cfg_type_filter_aaaa;
static cfg_type_t cfg_type_ixfrdifftype;
static cfg_type_t cfg_type_key;
static cfg_type_t cfg_type_logfile;
......@@ -105,15 +110,16 @@ static cfg_type_t cfg_type_logseverity;
static cfg_type_t cfg_type_lwres;
static cfg_type_t cfg_type_masterselement;
static cfg_type_t cfg_type_maxttl;
static cfg_type_t cfg_type_minimal;
static cfg_type_t cfg_type_nameportiplist;
static cfg_type_t cfg_type_negated;
static cfg_type_t cfg_type_notifytype;
static cfg_type_t cfg_type_optional_allow;
static cfg_type_t cfg_type_optional_class;
static cfg_type_t cfg_type_optional_dscp;
static cfg_type_t cfg_type_optional_facility;
static cfg_type_t cfg_type_optional_keyref;
static cfg_type_t cfg_type_optional_port;
static cfg_type_t cfg_type_optional_dscp;
static cfg_type_t cfg_type_optional_uint32;
static cfg_type_t cfg_type_options;
static cfg_type_t cfg_type_portiplist;
......@@ -133,11 +139,6 @@ static cfg_type_t cfg_type_view;
static cfg_type_t cfg_type_viewopts;
static cfg_type_t cfg_type_zone;
static cfg_type_t cfg_type_zoneopts;
static cfg_type_t cfg_type_filter_aaaa;
static cfg_type_t cfg_type_dlz;
static cfg_type_t cfg_type_dyndb;
static cfg_type_t cfg_type_dnstap;
static cfg_type_t cfg_type_dnstapoutput;
/*% tkey-dhkey */
......@@ -1715,7 +1716,7 @@ view_clauses[] = {
{ "max-udp-size", &cfg_type_uint32, 0 },
{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
{ "minimal-any", &cfg_type_boolean, 0 },
{ "minimal-responses", &cfg_type_boolean, 0 },
{ "minimal-responses", &cfg_type_minimal, 0 },
{ "nta-recheck", &cfg_type_ttlval, 0 },
{ "nta-lifetime", &cfg_type_ttlval, 0 },
{ "nxdomain-redirect", &cfg_type_astring, 0 },
......@@ -2465,6 +2466,20 @@ static cfg_type_t cfg_type_notifytype = {
&cfg_rep_string, notify_enums,
};
static const char *minimal_enums[] = { "no-auth", "no-auth-recursive", NULL };
static isc_result_t
parse_minimal(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
}
static void
doc_minimal(cfg_printer_t *pctx, const cfg_type_t *type) {
return (doc_enum_or_other(pctx, type, &cfg_type_boolean));
}
static cfg_type_t cfg_type_minimal = {
"mimimal", parse_minimal, cfg_print_ustring, doc_minimal,
&cfg_rep_string, minimal_enums,
};
static const char *ixfrdiff_enums[] = { "master", "slave", NULL };
static isc_result_t
parse_ixfrdiff_type(cfg_parser_t *pctx, const cfg_type_t *type,
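Review bot: The type name string in `cfg_type_minimal` is misspelled: `"mimimal"` should be `"minimal"`; this name is what the printer and documentation paths report for the type, so the typo is user-visible. Separately, `doc_minimal` is declared `static void` yet uses `return (doc_enum_or_other(pctx, type, &cfg_type_boolean));` — a `return` with an expression in a void function is a constraint violation in ISO C (GCC accepts it only as an extension); write `doc_enum_or_other(pctx, type, &cfg_type_boolean);` as a plain statement instead. The forward-declaration re-sorting and the view_clauses entry in the other hunks of this section look fine.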
......