diff options
| author | Stuart Henderson <sthen@cvs.openbsd.org> | 2019-02-08 10:35:15 +0000 |
|---|---|---|
| committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2019-02-08 10:35:15 +0000 |
| commit | 386ccca312e01e4309f25858a2bef1b850e6b5a9 (patch) | |
| tree | 639d15679f00af3ffe0cd77e0019b334f4f20f8e /sbin/unwind/libunbound/services/authzone.c | |
| parent | 801d50e5b54dd7bd2ba3c2a14ca821f84009f4c9 (diff) | |
update unwind's copy of libunbound to match the new 1.9.0 update in
/usr/src/usr.sbin/unbound, diff from florian@
Diffstat (limited to 'sbin/unwind/libunbound/services/authzone.c')
| -rw-r--r-- | sbin/unwind/libunbound/services/authzone.c | 53 |
1 files changed, 40 insertions, 13 deletions
diff --git a/sbin/unwind/libunbound/services/authzone.c b/sbin/unwind/libunbound/services/authzone.c index 0dc88e692a2..a87c2274fb9 100644 --- a/sbin/unwind/libunbound/services/authzone.c +++ b/sbin/unwind/libunbound/services/authzone.c @@ -88,6 +88,9 @@ #define AUTH_HTTPS_PORT 443 /* max depth for nested $INCLUDEs */ #define MAX_INCLUDE_DEPTH 10 +/** number of timeouts before we fallback from IXFR to AXFR, + * because some versions of servers (eg. dnsmasq) drop IXFR packets. */ +#define NUM_TIMEOUTS_FALLBACK_IXFR 3 /** pick up nextprobe task to start waiting to perform transfer actions */ static void xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env, @@ -2743,13 +2746,14 @@ az_nsec3_insert(struct auth_zone* z, struct regional* region, * that is an exact match that should exist for it. * If that does not exist, a higher exact match + nxproof is enabled * (for some sort of opt-out empty nonterminal cases). + * ceproof: include ce proof NSEC3 (omitted for wildcard replies). * nxproof: include denial of the qname. * wcproof: include denial of wildcard (wildcard.ce). */ static int az_add_nsec3_proof(struct auth_zone* z, struct regional* region, struct dns_msg* msg, uint8_t* cenm, size_t cenmlen, uint8_t* qname, - size_t qname_len, int nxproof, int wcproof) + size_t qname_len, int ceproof, int nxproof, int wcproof) { int algo; size_t iter, saltlen; @@ -2761,11 +2765,13 @@ az_add_nsec3_proof(struct auth_zone* z, struct regional* region, if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen)) return 1; /* no nsec3 */ /* find ce that has an NSEC3 */ - node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce, - algo, iter, salt, saltlen); - if(no_exact_ce) nxproof = 1; - if(!az_nsec3_insert(z, region, msg, node)) - return 0; + if(ceproof) { + node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce, + algo, iter, salt, saltlen); + if(no_exact_ce) nxproof = 1; + if(!az_nsec3_insert(z, region, msg, node)) + return 0; + } if(nxproof) { uint8_t* nx; @@ -2910,7 +2916,7 @@ az_generate_notype_answer(struct auth_zone* z, struct regional* region, /* DNSSEC denial NSEC3 */ if(!az_add_nsec3_proof(z, region, msg, node->name, node->namelen, msg->qinfo.qname, - msg->qinfo.qname_len, 0, 0)) + msg->qinfo.qname_len, 1, 0, 0)) return 0; } return 1; @@ -2937,7 +2943,7 @@ az_generate_referral_answer(struct auth_zone* z, struct regional* region, } else { if(!az_add_nsec3_proof(z, region, msg, ce->name, ce->namelen, msg->qinfo.qname, - msg->qinfo.qname_len, 0, 0)) + msg->qinfo.qname_len, 1, 0, 0)) return 0; } } @@ -3008,9 +3014,12 @@ az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo, if((nsec=az_find_nsec_cover(z, &node)) != NULL) { if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0; } else if(ce) { - if(!az_add_nsec3_proof(z, region, msg, ce->name, - ce->namelen, msg->qinfo.qname, - msg->qinfo.qname_len, 1, 0)) + uint8_t* wildup = wildcard->name; + size_t wilduplen= wildcard->namelen; + dname_remove_label(&wildup, &wilduplen); + if(!az_add_nsec3_proof(z, region, msg, wildup, + wilduplen, msg->qinfo.qname, + msg->qinfo.qname_len, 0, 1, 0)) return 0; } @@ -3036,7 +3045,7 @@ az_generate_nxdomain_answer(struct auth_zone* z, struct regional* region, } else if(ce) { if(!az_add_nsec3_proof(z, region, msg, ce->name, ce->namelen, msg->qinfo.qname, - msg->qinfo.qname_len, 1, 1)) + msg->qinfo.qname_len, 1, 1, 1)) return 0; } return 1; @@ -5630,15 +5639,33 @@ auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err, * and continue task_transfer*/ verbose(VERB_ALGO, "xfr stopped, connection lost to %s", xfr->task_transfer->master->host); + + /* see if IXFR caused the failure, if so, try AXFR */ + if(xfr->task_transfer->on_ixfr) { + xfr->task_transfer->ixfr_possible_timeout_count++; + if(xfr->task_transfer->ixfr_possible_timeout_count >= + NUM_TIMEOUTS_FALLBACK_IXFR) { + verbose(VERB_ALGO, "xfr to %s, fallback " + "from IXFR to AXFR (because of timeouts)", + xfr->task_transfer->master->host); + xfr->task_transfer->ixfr_fail = 1; + gonextonfail = 0; + } + } + failed: /* delete transferred data from list */ auth_chunks_delete(xfr->task_transfer); comm_point_delete(xfr->task_transfer->cp); xfr->task_transfer->cp = NULL; - xfr_transfer_nextmaster(xfr); + if(gonextonfail) + xfr_transfer_nextmaster(xfr); xfr_transfer_nexttarget_or_end(xfr, env); return 0; } + /* note that IXFR worked without timeout */ + if(xfr->task_transfer->on_ixfr) + xfr->task_transfer->ixfr_possible_timeout_count = 0; /* handle returned packet */ /* if it fails, cleanup and end this transfer */ |