auth zone for downstream

git-svn-id: file:///svn/unbound/trunk@4474 be551aaa-1e26-0410-a405-d3ace91eadb9
2024-09-21 06:37:08 +00:00 · 2018-01-31 08:30:32 +00:00 · 2018-01-31 08:30:32 +00:00 · 657753aac2
commit 657753aac2
parent 7de2b4e047
6 changed files with 231 additions and 2 deletions
--- a/daemon/worker.c
+++ b/daemon/worker.c
@ -58,6 +58,7 @@
 #include "services/cache/rrset.h"
 #include "services/cache/infra.h"
 #include "services/cache/dns.h"
+#include "services/authzone.h"
 #include "services/mesh.h"
 #include "services/localzone.h"
 #include "util/data/msgparse.h"
@ -1251,6 +1252,22 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		server_stats_insrcode(&worker->stats, c->buffer);
 		goto send_reply;
 	}
+	if(worker->env.auth_zones &&
+		auth_zones_answer(worker->env.auth_zones, &worker->env,
+		&qinfo, &edns, c->buffer, worker->scratchpad)) {
+		regional_free_all(worker->scratchpad);
+		if(sldns_buffer_limit(c->buffer) == 0) {
+			comm_point_drop_reply(repinfo);
+			return 0;
+		}
+		/* set RA for everyone that can have recursion (based on
+		 * access control list) */
+		if(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer)) &&
+		   acl != acl_deny_non_local && acl != acl_refuse_non_local)
+			LDNS_RA_SET(sldns_buffer_begin(c->buffer));
+		server_stats_insrcode(&worker->stats, c->buffer);
+		goto send_reply;
+	}

 	/* We've looked in our local zones. If the answer isn't there, we
 	 * might need to bail out based on ACLs now. */
--- a/libunbound/libworker.c
+++ b/libunbound/libworker.c
@ -55,6 +55,7 @@
 #include "services/localzone.h"
 #include "services/cache/rrset.h"
 #include "services/outbound_list.h"
+#include "services/authzone.h"
 #include "util/fptr_wlist.h"
 #include "util/module.h"
 #include "util/regional.h"
@ -604,6 +605,15 @@ int libworker_fg(struct ub_ctx* ctx, struct ctx_query* q)
 		free(qinfo.qname);
 		return UB_NOERROR;
 	}
+	if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
+		w->env, &qinfo, &edns, w->back->udp_buff, w->env->scratch)) {
+		regional_free_all(w->env->scratch);
+		libworker_fillup_fg(q, LDNS_RCODE_NOERROR, 
+			w->back->udp_buff, sec_status_insecure, NULL);
+		libworker_delete(w);
+		free(qinfo.qname);
+		return UB_NOERROR;
+	}
 	/* process new query */
 	if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns, 
 		w->back->udp_buff, qid, libworker_fg_done_cb, q)) {
@ -674,6 +684,14 @@ int libworker_attach_mesh(struct ub_ctx* ctx, struct ctx_query* q,
 			w->back->udp_buff, sec_status_insecure, NULL);
 		return UB_NOERROR;
 	}
+	if(ctx->env->auth_zones && auth_zones_answer(ctx->env->auth_zones,
+		w->env, &qinfo, &edns, w->back->udp_buff, w->env->scratch)) {
+		regional_free_all(w->env->scratch);
+		free(qinfo.qname);
+		libworker_event_done_cb(q, LDNS_RCODE_NOERROR,
+			w->back->udp_buff, sec_status_insecure, NULL);
+		return UB_NOERROR;
+	}
 	/* process new query */
 	if(async_id)
 		*async_id = q->querynum;
@ -795,6 +813,14 @@ handle_newq(struct libworker* w, uint8_t* buf, uint32_t len)
 		free(qinfo.qname);
 		return;
 	}
+	if(w->ctx->env->auth_zones && auth_zones_answer(w->ctx->env->auth_zones,
+		w->env, &qinfo, &edns, w->back->udp_buff, w->env->scratch)) {
+		regional_free_all(w->env->scratch);
+		q->msg_security = sec_status_insecure;
+		add_bg_result(w, q, w->back->udp_buff, UB_NOERROR, NULL);
+		free(qinfo.qname);
+		return;
+	}
 	q->w = w;
 	/* process new query */
 	if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns, 
--- a/services/authzone.c
+++ b/services/authzone.c
@ -3085,8 +3085,6 @@ int auth_zones_answer(struct auth_zones* az, struct module_env* env,
 	struct query_info* qinfo, struct edns_data* edns, struct sldns_buffer* buf,
 	struct regional* temp)
 {
-	/* TODO: in handle after localzones, before cache, if az != NULL,
-	 * call this function to answer downstream */
 	struct dns_msg* msg = NULL;
 	struct auth_zone* z;
 	int r;
--- a/testdata/auth_zonefile.rpl
+++ b/testdata/auth_zonefile.rpl
@ -13,9 +13,11 @@ auth-zone:
 	## url:
 	## queries from downstream clients get authoritative answers.
 	## for-downstream: yes
+	for-downstream: no
 	## queries are used to fetch authoritative answers from this zone,
 	## instead of unbound itself sending queries there.
 	## for-upstream: yes
+	for-upstream: yes
 	## on failures with for-upstream, fallback to sending queries to
 	## the authority servers
 	## fallback-enabled: no
--- a/testdata/auth_zonefile_down.rpl
+++ b/testdata/auth_zonefile_down.rpl
@ -0,0 +1,185 @@
+; config options
+server:
+	target-fetch-policy: "0 0 0 0 0"
+
+auth-zone:
+	name: "example.com."
+	## zonefile (or none).
+	## zonefile: "example.com.zone"
+	## master by IP address or hostname
+	## can list multiple masters, each on one line.
+	## master:
+	## url for http fetch
+	## url:
+	## queries from downstream clients get authoritative answers.
+	## for-downstream: yes
+	for-downstream: yes
+	## queries are used to fetch authoritative answers from this zone,
+	## instead of unbound itself sending queries there.
+	## for-upstream: yes
+	for-upstream: no
+	## on failures with for-upstream, fallback to sending queries to
+	## the authority servers
+	## fallback-enabled: no
+
+	## this line generates zonefile: \n"/tmp/xxx.example.com"\n
+	zonefile:
+TEMPFILE_NAME example.com
+	## this is the inline file /tmp/xxx.example.com
+	## the tempfiles are deleted when the testrun is over.
+TEMPFILE_CONTENTS example.com
+$ORIGIN com.
+example	3600	IN	SOA	dns.example.de. hostmaster.dns.example.de. (
+		1379078166 28800 7200 604800 7200 )
+	3600	IN	NS	ns1.example.com.
+	3600	IN	NS	ns2.example.com.
+$ORIGIN example.com.
+www	3600	IN	A	1.2.3.4
+mail	3600	IN	A	1.2.3.5
+	3600	IN	AAAA	::5
+ns1	3600	IN	A	1.2.3.4
+ns2	3600	IN	AAAA	::2
+TEMPFILE_END
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test authority zone with zonefile for downstream responses
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ENTRY_END
+RANGE_END
+
+; ns.example.net.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.44
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net.	IN NS	ns.example.net.
+SECTION ADDITIONAL
+ns.example.net.		IN 	A	1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.net. IN A
+SECTION ANSWER
+ns.example.net. IN A	1.2.3.44
+SECTION AUTHORITY
+example.net.	IN NS	ns.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.net. IN AAAA
+SECTION AUTHORITY
+example.net.	IN NS	ns.example.net.
+SECTION ADDITIONAL
+www.example.net. IN A	1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.	IN NS	ns.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A	10.20.30.40
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A	1.2.3.4
+ENTRY_END
+
+SCENARIO_END
--- a/testdata/auth_zonefile_noup.rpl
+++ b/testdata/auth_zonefile_noup.rpl
@ -13,6 +13,7 @@ auth-zone:
 	## url:
 	## queries from downstream clients get authoritative answers.
 	## for-downstream: yes
+	for-downstream: no
 	## queries are used to fetch authoritative answers from this zone,
 	## instead of unbound itself sending queries there.
 	## for-upstream: yes