Commit 4a827494 authored by Evan Hunt

Merge branch '752-disable-forwarders-when-priming' into 'master'

If possible, don't use forwarders when priming the resolver.

Closes #752

See merge request !1296
parents a97a63ad b49310ac
5139. [bug] If possible, don't use forwarders when priming.
This ensures we can get root server IP addresses
from priming query response glue, which may not
be present if the forwarding server is returning
minimal responses. [GL #752]
5138. [bug] Under some circumstances named could hit an assertion
failure when doing qname minimization when using
forwarders. [GL #797]
......
......@@ -19,6 +19,7 @@ options {
listen-on-v6 { none; };
recursion yes;
dnssec-validation yes;
minimal-responses yes;
};
zone "." {
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.7;
notify-source 10.53.0.7;
transfer-source 10.53.0.7;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.7; };
listen-on-v6 { none; };
forwarders { 10.53.0.4; };
forward first;
dnssec-validation yes;
};
zone "." {
type hint;
file "root.db";
};
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
. IN SOA gson.nominum.com. a.root.servers.nil. (
2000042100 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
. NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.1
example1 NS ns.example1
ns.example1 A 10.53.0.1
example2 NS ns.example2
ns.example2 A 10.53.0.1
example3 NS ns.example3
ns.example3 A 10.53.0.1
......@@ -18,3 +18,4 @@ copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
......@@ -147,5 +147,17 @@ if [ $sent -ne 1 ]; then ret=1; fi
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking that priming queries are not forwarded"
ret=0
$DIG $DIGOPTS +noadd +noauth txt.example1. txt @10.53.0.7 > dig.out.f7 || ret=1
sent=`sed -n '/sending packet to 10.53.0.1/,/^$/p' ns7/named.run | grep ";.*IN.*NS" | wc -l`
[ $sent -eq 1 ] || ret=1
sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns4/named.run | wc -l`
[ $sent -eq 0 ] || ret=1
sent=`grep "10.53.0.7#.* (.): query '\./NS/IN' approved" ns1/named.run | wc -l`
[ $sent -eq 1 ] || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
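Review bot: The new check captures the query response in `dig.out.f7` but never inspects it, so a SERVFAIL from ns7 (for example if priming itself failed after bypassing the forwarder) would still pass as long as the log counts line up; add `grep "status: NOERROR" dig.out.f7 > /dev/null || ret=1` after the dig line. The three log counts are otherwise a good assertion of the intended behaviour: exactly one NS query for the root sent to 10.53.0.1, none approved at the forwarder ns4, one approved at the root ns1. Note that the grep patterns rely on the `query '\./NS/IN' approved` log format, so a later change to query logging will silently break the ns1/ns4 counts; a short comment above them saying so would help future maintainers.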
......@@ -118,6 +118,8 @@ typedef enum {
when doing qname
minimization on
ip6.arpa. */
#define DNS_FETCHOPT_NOFORWARD 0x00080000 /*%< Do not use forwarders
if possible. */
/* Reserved in use by adb.c 0x00400000 */
#define DNS_FETCHOPT_EDNSVERSIONSET 0x00800000
......
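Review bot: The comment on `DNS_FETCHOPT_NOFORWARD` leaves "if possible" undefined, and the header is where callers will look for the contract. From the resolver change in this same commit the flag appears to skip forwarders unless the view's forward policy is `only`; suggest `/*%< Skip forwarders unless the forward policy is 'only'; set on the priming fetch so root NS glue is obtained directly. */`. It would also be worth a note in the comment that the bit value must stay distinct from the adb.c reserved bit listed just below, since the enclosing enum/define list runs outside the hunk and cannot be checked here.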
......@@ -3510,6 +3510,18 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
/*
* If we have DNS_FETCHOPT_NOFORWARD set and forwarding policy
* allows us to not forward - skip forwarders and go straight
* to NSes. This is currently used to make sure that priming query
* gets root servers' IP addresses in ADDITIONAL section.
*/
if ((fctx->options & DNS_FETCHOPT_NOFORWARD) != 0 &&
(fctx->fwdpolicy != dns_fwdpolicy_only))
{
goto normal_nses;
}
/*
* If this fctx has forwarders, use them; otherwise use any
* selective forwarders specified in the view; otherwise use the
......@@ -3595,7 +3607,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
/*
* Normal nameservers.
*/
normal_nses:
stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
if (fctx->restarts == 1) {
/*
......@@ -10202,12 +10214,11 @@ dns_resolver_prime(dns_resolver_t *res) {
LOCK(&res->primelock);
result = dns_resolver_createfetch(res, dns_rootname,
dns_rdatatype_ns,
NULL, NULL, NULL, NULL, 0, 0,
0, NULL,
res->buckets[0].task,
prime_done,
res, rdataset, NULL,
&res->primefetch);
NULL, NULL, NULL, NULL, 0,
DNS_FETCHOPT_NOFORWARD, 0,
NULL, res->buckets[0].task,
prime_done, res, rdataset,
NULL, &res->primefetch);
UNLOCK(&res->primelock);
if (result != ISC_R_SUCCESS) {
isc_mem_put(res->mctx, rdataset, sizeof(*rdataset));
......
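Review bot: The `goto normal_nses` added at the top of the forwarder selection in fctx_getaddresses skips forwarders whenever the policy is anything other than `only`, so under `forward first` the priming query appears to lose the fallback it previously had: if the hint root servers are unreachable, priming now fails where the forwarder used to answer. That trade-off is intentional per the commit message, but the block comment should say so; suggest adding `* Note: with forward-first policy the priming fetch does not fall back to forwarders if the root servers do not respond.` The jump also bypasses everything between this block and the `normal_nses:` label, which lies outside the hunk; if any local that is read after the label is initialised in that stretch, it would be left unset on this path, so that region should be checked. fctx_getaddresses begins before the first hunk and continues past the second.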