rec: Don't always validate when DNSSEC is set to process #5557

merged 1 commit into from Aug 10, 2017
6 changes: 5 additions & 1 deletion pdns/pdns_recursor.cc
Expand Up @@ -765,6 +765,7 @@ static void startDoResolve(void *p)
uint32_t minTTL=std::numeric_limits<uint32_t>::max();

SyncRes sr(dc->d_now);

bool DNSSECOK=false;
if(t_pdl) {
sr.setLuaEngine(t_pdl);
Expand All @@ -782,9 +783,12 @@ static void startDoResolve(void *p)
// Ignore the client-set CD flag
pw.getHeader()->cd=0;
}
sr.setDNSSECValidationRequested(g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog || ((dc->d_mdp.d_header.ad || DNSSECOK) && g_dnssecmode==DNSSECMode::Process));

#ifdef HAVE_PROTOBUF
sr.setInitialRequestId(dc->d_uuid);
#endif

if (g_useIncomingECS) {
sr.setIncomingECSFound(dc->d_ecsFound);
if (dc->d_ecsFound) {
Expand Down Expand Up @@ -1030,7 +1034,7 @@ static void startDoResolve(void *p)
pw.getHeader()->rcode=res;

// Does the validation mode or query demand validation?
if(!shouldNotValidate && (g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog || ((dc->d_mdp.d_header.ad || DNSSECOK) && g_dnssecmode==DNSSECMode::Process))) {
if(!shouldNotValidate && sr.isDNSSECValidationRequested()) {
try {
if(sr.doLog()) {
L<<Logger::Warning<<"Starting validation of answer to "<<dc->d_mdp.d_qname<<"|"<<QType(dc->d_mdp.d_qtype).getName()<<" for "<<dc->d_remote.toStringWithPort()<<endl;
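Review bot: The policy now encoded once at `sr.setDNSSECValidationRequested(...)` in the second hunk is dense enough to deserve a why-comment, since it decides whether a Process-mode client ever gets a validated answer: add above it `// Always validate in ValidateAll/ValidateForLog; in Process mode only when the client asked for it (AD or DO bit set).` The decision is now taken before the resolve, so anything that could still change `DNSSECOK` after this line (it is initialised false at the top of the first hunk and its assignment is not visible here) would no longer be reflected, whereas the deleted check in the third hunk evaluated it after `res` was known; worth confirming `DNSSECOK` is final by this point. `sr.setDoDNSSEC()` is not called in these hunks; if it is set elsewhere in `startDoResolve`, keeping the two calls adjacent as secpoll-recursor.cc does would make the pairing obvious. `startDoResolve` begins and ends outside the hunks.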
83 changes: 46 additions & 37 deletions pdns/recursordist/test-syncres_cc.cc
Expand Up @@ -171,13 +171,22 @@ static void initSR(std::unique_ptr<SyncRes>& sr, bool dnssec=false, bool debug=f

sr = std::unique_ptr<SyncRes>(new SyncRes(now));
sr->setDoEDNS0(true);
sr->setDoDNSSEC(dnssec);
if (dnssec) {
sr->setDoDNSSEC(dnssec);
}

sr->setLogMode(debug == false ? SyncRes::LogNone : SyncRes::Log);

SyncRes::setDomainMap(std::make_shared<SyncRes::domainmap_t>());
SyncRes::clearNegCache();
}

static void setDNSSECValidation(std::unique_ptr<SyncRes>& sr, const DNSSECMode& mode)
{
sr->setDNSSECValidationRequested(true);
g_dnssecmode = mode;
}

static void setLWResult(LWResult* res, int rcode, bool aa=false, bool tc=false, bool edns=false)
{
res->d_rcode = rcode;
Expand Down Expand Up @@ -3208,7 +3217,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_root_validation_csk) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
Expand Down Expand Up @@ -3273,7 +3282,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_root_validation_ksk_zsk) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
Expand Down Expand Up @@ -3359,7 +3368,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_dnskey) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
Expand Down Expand Up @@ -3423,7 +3432,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_dnskey_doesnt_match_ds) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
Expand Down Expand Up @@ -3508,7 +3517,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_rrsig_signed_with_unknown_dnskey) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
Expand Down Expand Up @@ -3583,7 +3592,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_no_rrsig) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
Expand Down Expand Up @@ -3649,7 +3658,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_algorithm) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
Expand Down Expand Up @@ -3730,7 +3739,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_unknown_ds_digest) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
Expand Down Expand Up @@ -3809,7 +3818,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_sig) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
Expand Down Expand Up @@ -3875,7 +3884,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_bad_algo) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
Expand Down Expand Up @@ -3942,7 +3951,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_various_algos) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -4041,7 +4050,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_a_then_ns) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -4149,7 +4158,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_a_then_ns) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -4253,7 +4262,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_with_nta) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -4357,7 +4366,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_with_nta) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -4445,7 +4454,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -4541,7 +4550,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nxdomain_nsec) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("nx.powerdns.com.");
Expand Down Expand Up @@ -4649,7 +4658,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_nsec_wildcard) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("www.powerdns.com.");
Expand Down Expand Up @@ -4752,7 +4761,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("www.powerdns.com.");
Expand Down Expand Up @@ -4862,7 +4871,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_insecure) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("www.powerdns.com.");
Expand Down Expand Up @@ -4971,7 +4980,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_unsigned_nsec) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -5064,7 +5073,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_validation_bogus_no_nsec) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -5157,7 +5166,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -5264,7 +5273,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_skipped_cut) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("www.sub.powerdns.com.");
Expand Down Expand Up @@ -5382,7 +5391,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_ta_skipped_cut) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("www.sub.powerdns.com.");
Expand Down Expand Up @@ -5498,7 +5507,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_nodata) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -5606,7 +5615,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -5730,7 +5739,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_to_secure_cname) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("power-dns.com.");
Expand Down Expand Up @@ -5851,7 +5860,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_secure_cname) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("power-dns.com.");
Expand Down Expand Up @@ -5952,7 +5961,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_bogus_cname) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("power-dns.com.");
Expand Down Expand Up @@ -6053,7 +6062,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_secure_cname) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("power-dns.com.");
Expand Down Expand Up @@ -6154,7 +6163,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_bogus_to_insecure_cname) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -6271,7 +6280,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -6371,7 +6380,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_insecure_ta_norrsig) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target("powerdns.com.");
Expand Down Expand Up @@ -6471,7 +6480,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_nta) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
Expand Down Expand Up @@ -6537,7 +6546,7 @@ BOOST_AUTO_TEST_CASE(test_dnssec_no_ta) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);

g_dnssecmode = DNSSECMode::ValidateAll;
setDNSSECValidation(sr, DNSSECMode::ValidateAll);

primeHints();
const DNSName target(".");
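Review bot: `setDNSSECValidation` requests validation unconditionally and ignores `mode` for that decision, so a future call with `DNSSECMode::Process` or `DNSSECMode::Off` would diverge from the production rule in pdns_recursor.cc, where Process validates only when the query carried AD or DO; the helper's name suggests it mirrors the mode. Either say so in a comment above it, `// Tests always want validation performed; mode only selects how the result is acted upon. Caller must have used initSR(sr, true).`, or derive the flag from the mode, `sr->setDNSSECValidationRequested(mode != DNSSECMode::Off);`. Separately, `initSR` resets the domain map and negative cache but not `g_dnssecmode`, so the mode set by one test case leaks into the next; a reset there (`g_dnssecmode = DNSSECMode::Off;`) would keep cases independent, though tests outside this diff may rely on the inherited value.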
5 changes: 4 additions & 1 deletion pdns/secpoll-recursor.cc
Expand Up @@ -25,8 +25,11 @@ void doSecPoll(time_t* last_secpoll)
struct timeval now;
gettimeofday(&now, 0);
SyncRes sr(now);
if (g_dnssecmode != DNSSECMode::Off)
if (g_dnssecmode != DNSSECMode::Off) {
sr.setDoDNSSEC(true);
sr.setDNSSECValidationRequested(true);
}

vector<DNSRecord> ret;

string version = "recursor-" +pkgv;
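Review bot: The new block requests validation for the security-poll query whenever `g_dnssecmode != DNSSECMode::Off`, which includes `Process` and `ValidateForLog`, i.e. it is stricter than the client path in pdns_recursor.cc where Process mode validates only on request; that asymmetry is reasonable for the recursor's own query but should be stated above the `if`: `// The recursor's own query: request validation whenever DNSSEC is enabled at all, even in Process mode where client queries only validate when they ask for it.` Whether a Bogus result is then rejected, or only logged in ValidateForLog mode, depends on code later in `doSecPoll`, which continues outside the hunk.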