diff options
| author | Riccardo Spagni <ric@spagni.net> | 2014-12-04 23:10:49 +0200 |
|---|---|---|
| committer | Riccardo Spagni <ric@spagni.net> | 2014-12-04 23:10:49 +0200 |
| commit | 831933425b3406310e70476dc56e822f7ae3c549 (patch) | |
| tree | bd05c1b54f8cff8ef0bc1f769a22232172ec2a96 /external/unbound/validator/validator.c | |
| parent | increased version number for tagged release (diff) | |
| download | monero-831933425b3406310e70476dc56e822f7ae3c549.tar.xz | |
update unbound from upstream
Diffstat (limited to '')
| -rw-r--r-- | external/unbound/validator/validator.c | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/external/unbound/validator/validator.c b/external/unbound/validator/validator.c index aefa26a27..9d5d5c390 100644 --- a/external/unbound/validator/validator.c +++ b/external/unbound/validator/validator.c @@ -283,12 +283,25 @@ needs_validation(struct module_qstate* qstate, int ret_rc, { int rcode; - /* If the CD bit is on in the original request, then we don't bother to - * validate anything.*/ + /* If the CD bit is on in the original request, then you could think + * that we don't bother to validate anything. + * But this is signalled internally with the valrec flag. + * User queries are validated with BIT_CD to make our cache clean + * so that bogus messages get retried by the upstream also for + * downstream validators that set BIT_CD. + * For DNS64 bit_cd signals no dns64 processing, but we want to + * provide validation there too */ + /* if(qstate->query_flags & BIT_CD) { verbose(VERB_ALGO, "not validating response due to CD bit"); return 0; } + */ + if(qstate->is_valrec) { + verbose(VERB_ALGO, "not validating response, is valrec" + "(validation recursion lookup)"); + return 0; + } if(ret_rc != LDNS_RCODE_NOERROR || !ret_msg) rcode = ret_rc; @@ -351,14 +364,20 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name, struct val_qstate* vq = (struct val_qstate*)qstate->minfo[id]; struct module_qstate* newq; struct query_info ask; + int valrec; ask.qname = name; ask.qname_len = namelen; ask.qtype = qtype; ask.qclass = qclass; log_query_info(VERB_ALGO, "generate request", &ask); fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub)); + /* enable valrec flag to avoid recursion to the same validation + * routine, this lookup is simply a lookup. DLVs need validation */ + if(qtype == LDNS_RR_TYPE_DLV) + valrec = 0; + else valrec = 1; if(!(*qstate->env->attach_sub)(qstate, &ask, - (uint16_t)(BIT_RD|flags), 0, &newq)){ + (uint16_t)(BIT_RD|flags), 0, valrec, &newq)){ log_err("Could not generate request: out of memory"); return 0; } @@ -2005,14 +2024,16 @@ processFinished(struct module_qstate* qstate, struct val_qstate* vq, /* if secure, this will override cache anyway, no need * to check if from parentNS */ if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo, - vq->orig_msg->rep, 0, qstate->prefetch_leeway, 0, NULL)) { + vq->orig_msg->rep, 0, qstate->prefetch_leeway, 0, NULL, + qstate->query_flags)) { log_err("out of memory caching validator results"); } } else { /* for a referral, store the verified RRsets */ /* and this does not get prefetched, so no leeway */ if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo, - vq->orig_msg->rep, 1, 0, 0, NULL)) { + vq->orig_msg->rep, 1, 0, 0, NULL, + qstate->query_flags)) { log_err("out of memory caching validator results"); } } |