Commit 615ebc39 authored by Mark Andrews's avatar Mark Andrews Committed by Evan Hunt

remove EDNS workarounds, update legacy test

parent e7e4603f
......@@ -8,9 +8,9 @@
# information regarding copyright ownership.
rm -f dig.out.*
rm -f ns?/named.conf
rm -f ns?/named.memstats
rm -f ns?/named.run
rm -f ns*/named.conf
rm -f ns*/named.memstats
rm -f ns*/named.run
rm -f ns*/named.lock
# build.sh
......
......@@ -23,3 +23,9 @@ edns512. NS ns.edns512.
ns.edns512. A 10.53.0.6
edns512-notcp. NS ns.edns512-notcp.
ns.edns512-notcp. A 10.53.0.7
ednsformerr. NS ns.ednsformerr.
ns.ednsformerr. A 10.53.0.8
ednsnotimp. NS ns.ednsnotimp.
ns.ednsnotimp. A 10.53.0.9
ednsrefused. NS ns.ednsrefused.
ns.ednsrefused. A 10.53.0.10
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
@ 60 SOA ns marka.isc.org. 1 0 0 0 0
@ 60 NS ns
ns 60 A 10.53.0.8
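Review bot: The in-zone address `ns 60 A 10.53.0.8` is repeated unchanged in all three new zone files, so at most one of them can agree with its delegation. The root zone additions point `ns.ednsnotimp.` at 10.53.0.9 and `ns.ednsrefused.` at 10.53.0.10, and the configurations that load those zones listen on those addresses. File names are not shown on this page, so the pairing is inferred from the order of the sections. If it holds, the ednsnotimp and ednsrefused zones should carry `ns 60 A 10.53.0.9` and `ns 60 A 10.53.0.10`. The tests only ask for SOA, so nothing fails today, but authoritative data that contradicts the glue will mislead anyone who later extends the test.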
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.10;
notify-source 10.53.0.10;
transfer-source 10.53.0.10;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.10; };
listen-on-v6 { none; };
recursion no;
dnssec-validation no;
};
zone "ednsrefused" {
type master;
file "ednsrefused.db";
};
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
@ 60 SOA ns marka.isc.org. 1 0 0 0 0
@ 60 NS ns
ns 60 A 10.53.0.8
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.8;
notify-source 10.53.0.8;
transfer-source 10.53.0.8;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.8; };
listen-on-v6 { none; };
recursion no;
dnssec-validation no;
};
zone "ednsformerr" {
type master;
file "ednsformerr.db";
};
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
@ 60 SOA ns marka.isc.org. 1 0 0 0 0
@ 60 NS ns
ns 60 A 10.53.0.8
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.9;
notify-source 10.53.0.9;
transfer-source 10.53.0.9;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.9; };
listen-on-v6 { none; };
recursion no;
dnssec-validation no;
};
zone "ednsnotimp" {
type master;
file "ednsnotimp.db";
};
......@@ -15,10 +15,12 @@ SYSTEMTESTTOP=..
$SHELL clean.sh
copy_setports ns1/named1.conf.in ns1/named.conf
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
copy_setports ns8/named.conf.in ns8/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
copy_setports ns10/named.conf.in ns10/named.conf
......@@ -17,6 +17,60 @@ DIGOPTS="-p ${PORT}"
status=0
n=0
n=`expr $n + 1`
echo_i "checking formerr edns server setup ($n)"
ret=0
$DIG $DIGOPTS +edns @10.53.0.8 ednsformerr soa > dig.out.1.test$n || ret=1
grep "status: FORMERR" dig.out.1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noedns @10.53.0.8 ednsformerr soa > dig.out.2.test$n || ret=1
grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking recursive lookup to formerr edns server succeeds ($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.1 ednsformerr soa > dig.out.test$n || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking notimp edns server setup ($n)"
ret=0
$DIG $DIGOPTS +edns @10.53.0.9 ednsnotimp soa > dig.out.1.test$n || ret=1
grep "status: NOTIMP" dig.out.1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noedns @10.53.0.9 ednsnotimp soa > dig.out.2.test$n || ret=1
grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking recursive lookup to notimp edns server fails ($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.1 ednsnotimp soa > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking refused edns server setup ($n)"
ret=0
$DIG $DIGOPTS +edns @10.53.0.10 ednsrefused soa > dig.out.1.test$n || ret=1
grep "status: REFUSED" dig.out.1.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noedns @10.53.0.10 ednsrefused soa > dig.out.2.test$n || ret=1
grep "status: NOERROR" dig.out.2.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking recursive lookup to refused edns server fails ($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.1 ednsrefused soa > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking drop edns server setup ($n)"
ret=0
......@@ -34,10 +88,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking recursive lookup to drop edns server succeeds ($n)"
echo_i "checking recursive lookup to drop edns server fails ($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.1 dropedns soa > dig.out.test$n || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.1 dropedns soa > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -55,10 +109,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking recursive lookup to drop edns + no tcp server succeeds ($n)"
echo_i "checking recursive lookup to drop edns + no tcp server fails ($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.1 dropedns-notcp soa > dig.out.test$n || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
$DIG $DIGOPTS +tcp @10.53.0.1 dropedns-notcp soa > dig.out.test$n
grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......@@ -135,10 +189,10 @@ if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking recursive lookup to edns 512 + no tcp server succeeds ($n)"
echo_i "checking recursive lookup to edns 512 + no tcp server fails ($n)"
ret=0
$DIG $DIGOPTS +tcp @10.53.0.1 edns512-notcp soa > dig.out.test$n || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
grep "status: NOERROR" dig.out.test$n > /dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
......
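Review bot: The new "fails" checks for notimp and refused, and the rewritten drop and 512 checks, pass whenever `status: NOERROR` is absent from the output. That includes the case where dig received no reply at all or the resolver at 10.53.0.1 is not running, because dig's exit status is no longer checked on those lines. Pinning the expected outcome would make a broken setup fail, for example `grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1`, assuming SERVFAIL is what the resolver is meant to return here. The edns512-notcp check appears to keep `|| ret=1` on its dig line while the others drop it, so the negative checks are also inconsistent with one another.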
......@@ -195,14 +195,20 @@ sub start_server {
$command .= "-X named.lock ";
$command .= "-m record,size,mctx ";
$command .= "-T clienttest ";
$command .= "-T nosoa "
if (-e "$testdir/$server/named.nosoa");
$command .= "-T dropedns "
if (-e "$testdir/$server/named.dropedns");
$command .= "-T ednsformerr "
if (-e "$testdir/$server/named.ednsformerr");
$command .= "-T ednsnotimp "
if (-e "$testdir/$server/named.ednsnotimp");
$command .= "-T ednsrefused "
if (-e "$testdir/$server/named.ednsrefused");
$command .= "-T noaa "
if (-e "$testdir/$server/named.noaa");
$command .= "-T noedns "
if (-e "$testdir/$server/named.noedns");
$command .= "-T dropedns "
if (-e "$testdir/$server/named.dropedns");
$command .= "-T nosoa "
if (-e "$testdir/$server/named.nosoa");
$command .= "-T maxudp512 "
if (-e "$testdir/$server/named.maxudp512");
$command .= "-T maxudp1460 "
......
......@@ -2327,26 +2327,6 @@ issecuredomain(dns_view_t *view, const dns_name_t *name, dns_rdatatype_t type,
return (dns_view_issecuredomain(view, name, now, checknta, issecure));
}
static bool
wouldvalidate(fetchctx_t *fctx) {
bool secure_domain;
isc_result_t result;
isc_stdtime_t now;
if (!fctx->res->view->enablevalidation)
return (false);
if (fctx->res->view->dlv != NULL)
return (true);
isc_stdtime_get(&now);
result = dns_view_issecuredomain(fctx->res->view, &fctx->name,
now, true, &secure_domain);
if (result != ISC_R_SUCCESS)
return (false);
return (secure_domain);
}
static isc_result_t
resquery_send(resquery_t *query) {
fetchctx_t *fctx;
......@@ -2514,25 +2494,11 @@ resquery_send(resquery_t *query) {
if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0)
query->options |= DNS_FETCHOPT_NOEDNS0;
/* See if response history indicates that EDNS is not supported. */
if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0 &&
dns_adb_noedns(fctx->adb, query->addrinfo))
query->options |= DNS_FETCHOPT_NOEDNS0;
if (fctx->timeout && (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
isc_sockaddr_t *sockaddr = &query->addrinfo->sockaddr;
struct tried *tried;
if (fctx->timeouts > (MAX_EDNS0_TIMEOUTS * 2) &&
(!EDNSOK(query->addrinfo) || !wouldvalidate(fctx))) {
query->options |= DNS_FETCHOPT_NOEDNS0;
fctx->reason = "disabling EDNS";
} else if ((tried = triededns512(fctx, sockaddr)) != NULL &&
tried->count >= 2U &&
(!EDNSOK(query->addrinfo) || !wouldvalidate(fctx))) {
query->options |= DNS_FETCHOPT_NOEDNS0;
fctx->reason = "disabling EDNS";
} else if ((tried = triededns(fctx, sockaddr)) != NULL) {
if ((tried = triededns(fctx, sockaddr)) != NULL) {
if (tried->count == 1U) {
hint = dns_adb_getudpsize(fctx->adb,
query->addrinfo);
......@@ -2619,15 +2585,6 @@ resquery_send(resquery_t *query) {
ednsopts[ednsopt].value = NULL;
ednsopt++;
}
#if DNS_EDNS_VERSION > 0
/*
* Some EDNS(0) servers don't ignore unknown options
* as it was not a explict requirement of RFC 2671.
* Only send COOKIE to EDNS(1) servers.
*/
if (version < 1)
sendcookie = false;
#endif
if (sendcookie) {
INSIST(ednsopt < DNS_EDNSOPTIONS);
ednsopts[ednsopt].code = DNS_OPT_COOKIE;
......@@ -9402,7 +9359,6 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
resquery_t *query = rctx->query;
isc_buffer_t b;
char code[64];
unsigned char cookie[64];
if (fctx->rmessage->rcode == dns_rcode_noerror ||
fctx->rmessage->rcode == dns_rcode_yxdomain ||
......@@ -9423,24 +9379,7 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
" due to bad server", fctx->info);
fctx->qmin_labels = DNS_MAX_LABELS + 1;
result = rctx_answer_minimized(rctx);
} else if (!NOCOOKIE(query->addrinfo) &&
(fctx->rmessage->rcode == dns_rcode_formerr ||
fctx->rmessage->rcode == dns_rcode_notimp ||
fctx->rmessage->rcode == dns_rcode_refused) &&
dns_adb_getcookie(fctx->adb, query->addrinfo,
cookie, sizeof(cookie)) == 0U)
{
/*
* Some servers do not ignore unknown EDNS options.
*/
dns_adb_changeflags(fctx->adb, query->addrinfo,
FCTX_ADDRINFO_NOCOOKIE,
FCTX_ADDRINFO_NOCOOKIE);
rctx->resend = true;
} else if ((fctx->rmessage->rcode == dns_rcode_formerr ||
fctx->rmessage->rcode == dns_rcode_notimp ||
(fctx->rmessage->rcode == dns_rcode_servfail &&
dns_message_getopt(fctx->rmessage) == NULL)) &&
} else if ((fctx->rmessage->rcode == dns_rcode_formerr) &&
(rctx->retryopts & DNS_FETCHOPT_NOEDNS0) == 0)
{
/*
......@@ -9485,27 +9424,7 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
unsigned int version;
#if DNS_EDNS_VERSION > 0
unsigned int flags, mask;
#else
bool setnocookie = false;
#endif
/*
* Some servers return BADVERS to unknown
* EDNS options. This cannot be long term
* strategy. Do not disable COOKIE if we have
* already have received a COOKIE from this
* server.
*/
if (dns_adb_getcookie(fctx->adb, query->addrinfo,
cookie, sizeof(cookie)) == 0U) {
#if DNS_EDNS_VERSION <= 0
if (!NOCOOKIE(query->addrinfo))
setnocookie = true;
#endif
dns_adb_changeflags(fctx->adb, query->addrinfo,
FCTX_ADDRINFO_NOCOOKIE,
FCTX_ADDRINFO_NOCOOKIE);
}
INSIST(rctx->opt != NULL);
version = (rctx->opt->ttl >> 16) & 0xff;
......@@ -9544,12 +9463,8 @@ rctx_badserver(respctx_t *rctx, isc_result_t result) {
rctx->next_server = true;
}
#else
if (version == 0U && setnocookie) {
rctx->resend = true;
} else {
rctx->broken_server = DNS_R_BADVERS;
rctx->next_server = true;
}
rctx->broken_server = DNS_R_BADVERS;
rctx->next_server = true;
#endif
} else if (fctx->rmessage->rcode == dns_rcode_badcookie &&
fctx->rmessage->cc_ok)
......
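Review bot: The FORMERR branch left in rctx_badserver is now the only path that retries a query without EDNS, and nothing visible says why. The comment that opens right after the condition is cut off by the hunk, so it may still describe the NOTIMP and SERVFAIL cases this commit removes. A comment such as `/* RFC 6891: a server without EDNS support answers an OPT query with FORMERR; no other rcode triggers a plain-DNS retry. */` would record the policy, and the single remaining comparison no longer needs its inner parentheses: `} else if (fctx->rmessage->rcode == dns_rcode_formerr &&`. In the lines shown, the commit also removes every visible use of `triededns512()`, `EDNSOK()` and `NOCOOKIE()`. If their definitions stay in the file they are dead code and should go in the same change.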
......@@ -1433,6 +1433,9 @@
./bin/tests/system/legacy/ns1/named2.conf.in CONF-C 2014,2016,2018
./bin/tests/system/legacy/ns1/root.db ZONE 2014,2016,2018
./bin/tests/system/legacy/ns1/trusted.conf X 2014,2018
./bin/tests/system/legacy/ns10/ednsrefused.db ZONE 2018
./bin/tests/system/legacy/ns10/named.conf.in CONF-C 2018
./bin/tests/system/legacy/ns10/named.ednsrefused X 2018
./bin/tests/system/legacy/ns2/dropedns.db ZONE 2014,2016,2018
./bin/tests/system/legacy/ns2/named.conf.in CONF-C 2014,2016,2018
./bin/tests/system/legacy/ns2/named.dropedns X 2014,2018
......@@ -1458,6 +1461,12 @@
./bin/tests/system/legacy/ns7/named.conf.in CONF-C 2014,2016,2018
./bin/tests/system/legacy/ns7/named.notcp X 2014,2018
./bin/tests/system/legacy/ns7/sign.sh SH 2014,2016,2018
./bin/tests/system/legacy/ns8/ednsformerr.db ZONE 2018
./bin/tests/system/legacy/ns8/named.conf.in CONF-C 2018
./bin/tests/system/legacy/ns8/named.ednsformerr X 2018
./bin/tests/system/legacy/ns9/ednsnotimp.db ZONE 2018
./bin/tests/system/legacy/ns9/named.conf.in CONF-C 2018
./bin/tests/system/legacy/ns9/named.ednsnotimp X 2018
./bin/tests/system/legacy/setup.sh SH 2014,2016,2018
./bin/tests/system/legacy/tests.sh SH 2014,2015,2016,2018
./bin/tests/system/limits/clean.sh SH 2000,2001,2004,2007,2012,2014,2015,2016,2018
......