Add EDE (RFC8914) caching #759
The code has todo items noted in the comments. The allocation of the string needs to be done in the region, when a reply is copied into a region. A reference to the malloced string is a problem when the original gets deleted, and also another new malloced string is a problem that would be leaked when the region is cleared.
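The lifetime problem described in the comment above, as an added example that is not part of the pull request or of Unbound's code: a toy bump allocator stands in for the region, and `struct reply`, `reply_copy_region` and the sample EDE text are hypothetical names and constructed values.

```c
#include <stdlib.h>
#include <string.h>

/* Toy bump allocator standing in for a region (hypothetical, not Unbound's). */
struct region { size_t used; char buf[256]; };

static void *region_alloc(struct region *r, size_t n) {
    n = (n + 7) & ~(size_t)7;              /* keep allocations 8-byte aligned */
    if (n > sizeof(r->buf) - r->used) return NULL;
    r->used += n;
    return r->buf + r->used - n;
}

/* Hypothetical reply that owns an error string. */
struct reply { int ede_code; char *reason; };

/* Heap-owned original, as a cache entry would be. */
static struct reply *reply_new(int code, const char *text) {
    struct reply *rep = malloc(sizeof(*rep));
    size_t len = strlen(text) + 1;
    if (!rep) return NULL;
    rep->ede_code = code;
    rep->reason = malloc(len);
    if (!rep->reason) { free(rep); return NULL; }
    memcpy(rep->reason, text, len);
    return rep;
}
static void reply_free(struct reply *rep) { if (rep) { free(rep->reason); free(rep); } }

/* Deep copy: struct and string both live in the region, so the copy
 * neither dangles when src is freed nor leaks when the region is cleared. */
static struct reply *reply_copy_region(const struct reply *src, struct region *r) {
    struct reply *dst = region_alloc(r, sizeof(*dst));
    if (!dst) return NULL;
    dst->ede_code = src->ede_code;
    dst->reason = NULL;
    if (src->reason) {
        size_t len = strlen(src->reason) + 1;
        if (!(dst->reason = region_alloc(r, len))) return NULL;
        memcpy(dst->reason, src->reason, len);
    }
    return dst;
}

/* Returns 1 when the region copy is still intact after the original is gone. */
static int copy_survives_delete(struct region *r) {
    struct reply *cached = reply_new(6, "signatures bogus"); /* constructed sample */
    struct reply *copy = cached ? reply_copy_region(cached, r) : NULL;
    reply_free(cached);
    return copy && copy->reason >= r->buf && copy->reason < r->buf + sizeof(r->buf)
        && strcmp(copy->reason, "signatures bogus") == 0;
}
```

Clearing the region here is just resetting `used` to 0; nothing in the copy needs a separate `free`.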
Some initial comments:
- Needs subnetcache (ECS) and cachedb support;
- The long tests related to `unbound-control dump_cache` and `unbound-control load_cache` are currently failing.
- Fix SEGFAULT in load_cache control command.
- Change reason_bogus_str to an explicit NULL-terminated string.
- Fix potential memory leak when discarding a message for referrals and 0 TTL answers.
- Fix reason_bogus initialization in localzone answers.
- reply_info creation in validator is always regional.
- Keep EDE information for keys close to key creation.
- Fix inconsistencies between reply and cached EDEs.
- Incorporate EDE caching checks in EDE tests.
- Fix some EDE cases where missing DNSKEY was wrongly reported.
Code looks good. Caching errors could be very helpful for debugging attempts.
validator/val_sigcrypt.c
Outdated
@@ -718,9 +718,9 @@ dnskey_verify_rrset(struct module_env* env, struct val_env* ve, | |||
} | |||
verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus"); | |||
if(!numchecked) { | |||
*reason = "signature missing"; | |||
*reason = "signatures bogus"; |
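Review bot: In the `if(!numchecked)` branch, the replacement text "signatures bogus" describes a failed verification, yet the condition says no signature was checked at all, so the reason string and the branch disagree. Keep the "missing" wording for the zero-checked case and set the bogus text in a separate branch for signatures that were checked and failed; a one-line comment on what `numchecked` counts would make the distinction clear to later readers.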
I think this should still be signatures missing, and the EDE for MISSING RRSIGS below. But at line 731, after the next else clause, perhaps another else clause could be added. In that else clause, set the ede reason code to EDE_DNSSEC_BOGUS, and also the reason string can be set.
The numchecked refers to the number of signatures inspected, and if that is zero, there are no signatures that matched the keytag. Or no signatures are present.
I see your point but it is not 100% clear from the rfc if code 10 means there are no RRSIGS at all (we cover that case with `num==0` above) or no rrsigs that we are expecting. I interpreted the former, but I see that the latter could also be the case. It mostly boils down to the end user looking at the EDE code, I believe it would be confusing to say rrsigs are missing when at least some rrsigs are there.
If you still think that missing rrsigs is the correct code there I have no problem changing this.
The ede code can be the bogus code. I was thinking the error text itself is not improving, when rrsigs that match certain conditions are absent. But, if the text is more germane for many cases, that would be fine for me.
Ah, if it is the text then I agree!
- Decrease allocations for "" EDE strings when loading the cachedump.
- Check for existence of EDE code before attaching.
- Clear error text when an expected signature is missing.
Thanks @wcawijngaards for the review!
* nlnet/master: (52 commits)
- Move a cache reply callback in worker.c closer to the cache reply generation.
- Fix to use the now cached EDE, if any, for CD_bit queries.
- More braces and formatting for Fix for EDNS EDE size calculation to avoid future bugs.
- Fix for EDNS EDE size calculation.
- For NLnetLabs#911: Try to trim EXTRA-TEXT (and LDNS_EDE_OTHER options altogether) before giving up on attaching EDE options.
- iana portlist update.
- Merge NLnetLabs#790 from Tom Carpay: Add support for EDE caching in cachedb and subnetcache.
- For NLnetLabs#790: Update formatting in cachedb/cachedb.c
- For NLnetLabs#790: clean testcase.
- For NLnetLabs#759: fix doc string.
- Fix unused variable compile warning for kernel timestamps in netevent.c
- Review for NLnetLabs#790: Fix memory leak.
- Review for NLnetLabs#790: Address Wouter's comments.
- Review for NLnetLabs#790: replace tdir tests with simpler rpl tests.

Address review comments for NLnetLabs#759:
- Clear error text when an expected signature is missing.

Address review comments for NLnetLabs#759:
- Decrease allocations for "" EDE strings when loading the cachedump.
- Check for existence of EDE code before attaching.
- For NLnetLabs#889: Account for num_detached_states before possible mesh_state_delete when erroring out.
- For NLnetLabs#889: use netcat-openbsd instead of netcat-traditional.
- Cleaner failure code for callback functions in interface.i. Log established connection to Redis ...
No description provided.