Merge pull request #1221 from NLnetLabs/bugfix/consider-auth-zones-wh…

…en-forwarding

Consider auth zones when checking for forwarders

iterator/iter_fwd.c

@@ -331,6 +331,30 @@ make_stub_holes(struct iter_forwards* fwd, struct config_file* cfg)
 	return 1;
 }
 
+/** make NULL entries for auths */
+static int
+make_auth_holes(struct iter_forwards* fwd, struct config_file* cfg)
+{
+	struct config_auth* a;
+	uint8_t* dname;
+	size_t dname_len;
+	for(a = cfg->auths; a; a = a->next) {
+		if(!a->name) continue;
+		dname = sldns_str2wire_dname(a->name, &dname_len);
+		if(!dname) {
+			log_err("cannot parse auth name '%s'", a->name);
+			return 0;
+		}
+		if(!fwd_add_stub_hole(fwd, LDNS_RR_CLASS_IN, dname)) {
+			free(dname);
+			log_err("out of memory");
+			return 0;
+		}
+		free(dname);
+	}
+	return 1;
+}
+
 int 
 forwards_apply_cfg(struct iter_forwards* fwd, struct config_file* cfg)
 {
@@ -353,6 +377,16 @@ forwards_apply_cfg(struct iter_forwards* fwd, struct config_file* cfg)
 		lock_rw_unlock(&fwd->lock);
 		return 0;
 	}
+	/* TODO: Now we punch holes for auth zones as well so that in
+	 *       iterator:forward_request() we see the configured
+	 *       delegation point, but code flow/naming is hard to follow.
+	 *       Consider having a single tree with configured
+	 *       delegation points for all categories
+	 *       (stubs, forwards, auths). */
+	if(!make_auth_holes(fwd, cfg)) {
+		lock_rw_unlock(&fwd->lock);
+		return 0;
+	}
 	fwd_init_parents(fwd);
 	lock_rw_unlock(&fwd->lock);
 	return 1;

iterator/iter_utils.c

@@ -1489,14 +1489,15 @@ iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf,
 
 	/* check stub */
 	if (stub != NULL && stub->dp != NULL) {
+		enum verbosity_value level = VERB_ALGO;
 		int stub_no_cache = stub->dp->no_cache;
 		lock_rw_unlock(&qstate->env->fwds->lock);
-		if(stub_no_cache) {
+		if(verbosity >= level && stub_no_cache) {
 			char qname[LDNS_MAX_DOMAINLEN];
 			char dpname[LDNS_MAX_DOMAINLEN];
 			dname_str(qinf->qname, qname);
 			dname_str(stub->dp->name, dpname);
-			verbose(VERB_ALGO, "stub for %s %s has no_cache", qname, dpname);
+			verbose(level, "stub for %s %s has no_cache", qname, dpname);
 		}
 		if(retdpname) {
 			if(stub->dp->namelen > dpname_storage_len) {
@@ -1517,14 +1518,15 @@ iter_stub_fwd_no_cache(struct module_qstate *qstate, struct query_info *qinf,
 
 	/* Check for forward. */
 	if (dp) {
+		enum verbosity_value level = VERB_ALGO;
 		int dp_no_cache = dp->no_cache;
 		lock_rw_unlock(&qstate->env->hints->lock);
-		if(dp_no_cache) {
+		if(verbosity >= level && dp_no_cache) {
 			char qname[LDNS_MAX_DOMAINLEN];
 			char dpname[LDNS_MAX_DOMAINLEN];
 			dname_str(qinf->qname, qname);
 			dname_str(dp->name, dpname);
-			verbose(VERB_ALGO, "forward for %s %s has no_cache", qname, dpname);
+			verbose(level, "forward for %s %s has no_cache", qname, dpname);
 		}
 		if(retdpname) {
 			if(dp->namelen > dpname_storage_len) {

testdata/iter_fwdstubauth.rpl

@@ -0,0 +1,155 @@
+; config options
+server:
+	target-fetch-policy: "0 0 0 0 0"
+
+auth-zone:
+	name: "example.tld."
+	for-upstream: yes
+	for-downstream: no
+	fallback-enabled: no
+	## this line generates zonefile: "/tmp/xxx.example.tld"
+	zonefile:
+TEMPFILE_NAME example.tld
+	## this is the inline file /tmp/xxx.example.tld
+	## the tempfiles are deleted when the testrun is over.
+TEMPFILE_CONTENTS example.tld
+$ORIGIN tld.
+example	3600	IN	SOA	a b 1 2 3 4 5
+	3600	IN	NS	ns.example.tld.
+$ORIGIN example.tld.
+ns	3600	IN	A	1.2.3.4
+www	3600	IN	A	3.3.3.3
+more	3600	IN	NS	ns.more.tld.
+TEMPFILE_END
+
+forward-zone:
+	name: "."
+	forward-addr: 9.9.9.9
+
+stub-zone:
+	name: "tld"
+	stub-addr: 2.3.4.5
+stub-zone:
+	name: "more.example.tld"
+	stub-addr: 2.3.4.7
+CONFIG_END
+
+SCENARIO_BEGIN Test iterator's ability to route the request to the correct, configured delegation point
+; Preference should be auth-zone > stub-zone > forward-zone
+; But configuration-wise, since everything is an entry on the forwards tree
+; (or a hole in the case of stub/auth), forwards cannot be replaced by
+; stubs/auth.
+; Also stub/auth zones end the part of the tree that gets forwarded, e.g.,
+; delegations from an auth/stub cannot be caught by a higher forwarder, it will
+; be recursively resolved instead.
+
+; '.' forwarder
+RANGE_BEGIN 0 100
+	ADDRESS 9.9.9.9
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.deleg.tld. IN A
+SECTION ANSWER
+www.deleg.tld. IN A 3.3.3.3
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.more.example.tld. IN A
+SECTION ANSWER
+www.more.example.tld. IN A 3.3.3.3
+ENTRY_END
+RANGE_END
+
+; 'tld.' stub server
+RANGE_BEGIN 0 100
+	ADDRESS 2.3.4.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.tld. IN A
+SECTION ANSWER
+www.tld. IN A 3.3.3.3
+ENTRY_END
+RANGE_END
+
+; 'more.example.tld.' stub server
+RANGE_BEGIN 0 100
+	ADDRESS 2.3.4.7
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.more.example.tld. IN A
+SECTION ANSWER
+www.more.example.tld. IN A 3.3.3.3
+ENTRY_END
+RANGE_END
+
+; query www.tld ...
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.tld. IN A
+ENTRY_END
+
+; ... answer should come from 'tld.' stub zone
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.tld. IN A
+SECTION ANSWER
+www.tld. IN A 3.3.3.3
+ENTRY_END
+
+; query www.example.tld ...
+STEP 3 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.tld. IN A
+ENTRY_END
+
+; ... answer should come from 'example.tld.' auth zone
+STEP 4 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.tld. IN A
+SECTION ANSWER
+www.example.tld. IN A 3.3.3.3
+ENTRY_END
+
+; query www.more.example.tld ...
+STEP 5 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.more.example.tld. IN A
+ENTRY_END
+
+; ... answer should come from 'more.example.tld.' stub zone
+STEP 6 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.more.example.tld. IN A
+SECTION ANSWER
+www.more.example.tld. IN A 3.3.3.3
+ENTRY_END
+
+SCENARIO_END