269 lines
9.2 KiB
Diff
269 lines
9.2 KiB
Diff
From f59faf9d92acde0be9510e7d182fc1735b9f4a7e Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
|
Date: Wed, 8 Jan 2025 16:46:48 +0100
|
|
Subject: [PATCH 1/2] Isolate using the -T noaa flag only for part of the
|
|
resolver test
|
|
|
|
Instead of running the whole resolver/ns4 server with -T noaa flag,
|
|
use it only for the part where it is actually needed. The -T noaa
|
|
could interfere with other parts of the test because the answers don't
|
|
have the authoritative-answer bit set, and we could have false
|
|
positives (or false negatives) in the test because the authoritative
|
|
server doesn't follow the DNS protocol for all the tests in the resolver
|
|
system test.
|
|
|
|
(cherry picked from commit e51d4d3b88af00d6667f2055087ebfc47fb3107c)
|
|
---
|
|
bin/tests/system/resolver/ns4/named.noaa | 5 -----
|
|
1 file changed, 5 deletions(-)
|
|
delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
|
|
|
|
diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
|
|
deleted file mode 100644
|
|
index 3b121ad9da7..00000000000
|
|
--- a/bin/tests/system/resolver/ns4/named.noaa
|
|
+++ /dev/null
|
|
@@ -1,5 +0,0 @@
|
|
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
-
|
|
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
|
|
-
|
|
-Add -T noaa.
|
|
--
|
|
GitLab
|
|
|
|
|
|
From 89b256efae2d7ed61690fc241a661194481c815d Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
|
|
Date: Thu, 19 Dec 2024 16:40:52 +0100
|
|
Subject: [PATCH 2/2] Limit the additional processing for large RDATA sets
|
|
|
|
When answering queries, don't add data to the additional section if
|
|
the answer has more than 13 names in the RDATA. This limits the
|
|
number of lookups into the database(s) during a single client query,
|
|
reducing query processing load.
|
|
|
|
Also, don't append any additional data to type=ANY queries. The
|
|
answer to ANY is already big enough.
|
|
|
|
(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
|
|
---
|
|
bin/named/query.c | 8 +++++---
|
|
bin/tests/system/additional/tests.sh | 2 +-
|
|
bin/tests/system/resolver/tests.sh | 8 ++++++++
|
|
lib/dns/include/dns/rdataset.h | 10 +++++++++-
|
|
lib/dns/rdataset.c | 8 +++++++-
|
|
lib/dns/resolver.c | 16 ++++++++++------
|
|
6 files changed, 40 insertions(+), 12 deletions(-)
|
|
|
|
diff --git a/bin/named/query.c b/bin/named/query.c
|
|
index 897beb7313e..5cba4a22c6b 100644
|
|
--- a/bin/named/query.c
|
|
+++ b/bin/named/query.c
|
|
@@ -1827,7 +1827,8 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
|
|
*/
|
|
eresult = dns_rdataset_additionaldata(trdataset,
|
|
query_addadditional,
|
|
- client);
|
|
+ client,
|
|
+ DNS_RDATASET_MAXADDITIONAL);
|
|
}
|
|
|
|
cleanup:
|
|
@@ -2422,7 +2423,7 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
|
|
rdataset->rdclass);
|
|
rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
|
|
|
|
- if (NOADDITIONAL(client))
|
|
+ if (NOADDITIONAL(client) || client->query.qtype == dns_rdatatype_any)
|
|
return;
|
|
|
|
/*
|
|
@@ -2433,7 +2434,8 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
|
|
additionalctx.client = client;
|
|
additionalctx.rdataset = rdataset;
|
|
(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
|
|
- &additionalctx);
|
|
+ &additionalctx,
|
|
+ DNS_RDATASET_MAXADDITIONAL);
|
|
CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
|
|
}
|
|
|
|
diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
|
|
index 6400723a557..a33cc8aed26 100644
|
|
--- a/bin/tests/system/additional/tests.sh
|
|
+++ b/bin/tests/system/additional/tests.sh
|
|
@@ -261,7 +261,7 @@ n=`expr $n + 1`
|
|
echo_i "testing with 'minimal-any no;' ($n)"
|
|
ret=0
|
|
$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
|
|
-grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
|
|
+grep "ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1" dig.out.$n > /dev/null || ret=1
|
|
if [ $ret -eq 1 ] ; then
|
|
echo_i "failed"; status=`expr status + 1`
|
|
fi
|
|
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
|
|
index b3c9f2179c7..e727c887bf2 100755
|
|
--- a/bin/tests/system/resolver/tests.sh
|
|
+++ b/bin/tests/system/resolver/tests.sh
|
|
@@ -281,6 +281,10 @@ done
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
status=`expr $status + $ret`
|
|
|
|
+$PERL $SYSTEMTESTTOP/stop.pl resolver ns4
|
|
+touch ns4/named.noaa
|
|
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} resolver ns4 || ret=1
|
|
+
|
|
n=`expr $n + 1`
|
|
echo_i "RT21594 regression test check setup ($n)"
|
|
ret=0
|
|
@@ -317,6 +321,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} > /dev/null || ret=1
|
|
if [ $ret != 0 ]; then echo_i "failed"; fi
|
|
status=`expr $status + $ret`
|
|
|
|
+$PERL $SYSTEMTESTTOP/stop.pl resolver ns4
|
|
+rm ns4/named.noaa
|
|
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} resolver ns4 || ret=1
|
|
+
|
|
n=`expr $n + 1`
|
|
echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)"
|
|
ret=0
|
|
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
|
|
index ed9119a62d4..cd9b014205e 100644
|
|
--- a/lib/dns/include/dns/rdataset.h
|
|
+++ b/lib/dns/include/dns/rdataset.h
|
|
@@ -53,6 +53,8 @@
|
|
#include <dns/types.h>
|
|
#include <dns/rdatastruct.h>
|
|
|
|
+#define DNS_RDATASET_MAXADDITIONAL 13
|
|
+
|
|
ISC_LANG_BEGINDECLS
|
|
|
|
typedef enum {
|
|
@@ -471,7 +473,8 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
|
|
|
|
isc_result_t
|
|
dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
|
|
- dns_additionaldatafunc_t add, void *arg);
|
|
+ dns_additionaldatafunc_t add, void *arg,
|
|
+ size_t limit);
|
|
/*%<
|
|
* For each rdata in rdataset, call 'add' for each name and type in the
|
|
* rdata which is subject to additional section processing.
|
|
@@ -490,10 +493,15 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
|
|
*\li If a call to dns_rdata_additionaldata() is not successful, the
|
|
* result returned will be the result of dns_rdataset_additionaldata().
|
|
*
|
|
+ *\li If 'limit' is non-zero and the number of the rdatasets is larger
|
|
+ * than 'limit', no additional data will be processed.
|
|
+ *
|
|
* Returns:
|
|
*
|
|
*\li #ISC_R_SUCCESS
|
|
*
|
|
+ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
|
|
+ *
|
|
*\li Any error that dns_rdata_additionaldata() can return.
|
|
*/
|
|
|
|
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
|
|
index b42dea5cd37..75f07c9e579 100644
|
|
--- a/lib/dns/rdataset.c
|
|
+++ b/lib/dns/rdataset.c
|
|
@@ -28,6 +28,7 @@
|
|
#include <dns/ncache.h>
|
|
#include <dns/rdata.h>
|
|
#include <dns/rdataset.h>
|
|
+#include <dns/result.h>
|
|
|
|
static const char *trustnames[] = {
|
|
"none",
|
|
@@ -607,7 +608,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
|
|
|
|
isc_result_t
|
|
dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
|
|
- dns_additionaldatafunc_t add, void *arg)
|
|
+ dns_additionaldatafunc_t add, void *arg,
|
|
+ size_t limit)
|
|
{
|
|
dns_rdata_t rdata = DNS_RDATA_INIT;
|
|
isc_result_t result;
|
|
@@ -620,6 +622,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
|
|
REQUIRE(DNS_RDATASET_VALID(rdataset));
|
|
REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
|
|
|
|
+ if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
|
|
+ return (DNS_R_TOOMANYRECORDS);
|
|
+ }
|
|
+
|
|
result = dns_rdataset_first(rdataset);
|
|
if (result != ISC_R_SUCCESS)
|
|
return (result);
|
|
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
|
index a4e4f4c6f6a..ed3d0b1b95f 100644
|
|
--- a/lib/dns/resolver.c
|
|
+++ b/lib/dns/resolver.c
|
|
@@ -6472,7 +6472,7 @@ chase_additional(fetchctx_t *fctx, dns_message_t *rmessage) {
|
|
rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
|
|
(void)dns_rdataset_additionaldata(rdataset,
|
|
check_related,
|
|
- &chkarg);
|
|
+ &chkarg, 0);
|
|
rescan = true;
|
|
}
|
|
}
|
|
@@ -7106,8 +7106,12 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
|
|
FCTX_ATTR_SET(fctx, FCTX_ATTR_GLUING);
|
|
chkarg.fctx = fctx;
|
|
chkarg.rmessage = message;
|
|
+
|
|
+ /*
|
|
+ * Mark the glue records in the additional section to be cached.
|
|
+ */
|
|
(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
|
|
- &chkarg);
|
|
+ &chkarg, 0);
|
|
#if CHECK_FOR_GLUE_IN_ANSWER
|
|
/*
|
|
* Look in the answer section for "glue" that is incorrectly
|
|
@@ -7123,7 +7127,7 @@ noanswer_response(fetchctx_t *fctx, dns_message_t *message,
|
|
chkarg.fcx = fctx;
|
|
chkarg.rmessage = message;
|
|
(void)dns_rdataset_additionaldata(ns_rdataset,
|
|
- check_answer, &chkarg);
|
|
+ check_answer, &chkarg, 0);
|
|
}
|
|
#endif
|
|
FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING);
|
|
@@ -7365,7 +7369,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
|
|
chkarg.rmessage = message;
|
|
(void)dns_rdataset_additionaldata(rdataset,
|
|
check_related,
|
|
- &chkarg);
|
|
+ &chkarg, 0);
|
|
}
|
|
} else if (aname != NULL) {
|
|
dns_chkarg_t chkarg;
|
|
@@ -7393,7 +7397,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
|
|
chkarg.fctx = fctx;
|
|
chkarg.rmessage = message;
|
|
(void)dns_rdataset_additionaldata(ardataset, check_related,
|
|
- &chkarg);
|
|
+ &chkarg, 0);
|
|
for (sigrdataset = ISC_LIST_HEAD(aname->list);
|
|
sigrdataset != NULL;
|
|
sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
|
|
@@ -7556,7 +7560,7 @@ answer_response(fetchctx_t *fctx, dns_message_t *message) {
|
|
(void)dns_rdataset_additionaldata(
|
|
rdataset,
|
|
check_related,
|
|
- &chkarg);
|
|
+ &chkarg, 0);
|
|
done = true;
|
|
}
|
|
}
|
|
--
|
|
GitLab
|
|
|