diff --git a/doc/Changelog b/doc/Changelog
index 3b62e6c6e..f6933cfbd 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -5,6 +5,8 @@
 - Fix #4208: 'stub-no-cache' and 'forward-no-cache' not work.
 - New and better fix for Fix #4193: Fix that prefetch failure does not overwrite valid cache entry with SERVFAIL.
+ - auth-zone give SERVFAIL when expired, fallback activates when
+ expired, and this is documented in the man page.
 26 November 2018: Wouter
 - Fix to not set GLOB_NOSORT so the unbound.conf include: files are
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index e94170292..59698f9bd 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1614,6 +1614,13 @@ lookups of that data. Authority zones can be read from zonefile. And can be kept updated via AXFR and IXFR. After update the zonefile is rewritten. The update mechanism uses the SOA timer values and performs SOA UDP queries to detect zone changes.
+.LP
+If the update fetch fails, the timers in the SOA record are used to time
+another fetch attempt. Until the SOA expiry timer is reached. Then the
+zone is expired. When a zone is expired, queries are SERVFAIL, and
+any new serial number is accepted from the master (even if older), and if
+fallback is enabled, the fallback activates to fetch from the upstream instead
+of the SERVFAIL.
 .TP
 .B name: \fI
 Name of the authority zone.
diff --git a/services/authzone.c b/services/authzone.c
index 18ea6389d..14ae7b74f 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -3169,6 +3169,11 @@ int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo,
 *fallback = 1;
 return 0;
 }
+ if(z->zone_expired) {
+ *fallback = z->fallback_enabled;
+ lock_rw_unlock(&z->lock);
+ return 0;
+ }
 /* see what answer that zone would generate */
 r = auth_zone_generate_answer(z, qinfo, region, msg, fallback);
 lock_rw_unlock(&z->lock);
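Review bot: The expired branch in auth_zones_lookup returns 0 without saying what the caller is expected to do, and a 0 return with `*fallback` clear now also means "answer SERVFAIL", which is only stated in the man page text of this commit. A comment above the branch would pin that down: `/* zone expired: give no data from the zone; caller answers SERVFAIL unless *fallback is set */`. `*msg` is not written on this path, so callers presumably must not read it after a 0 return; that cannot be confirmed from the hunk. With fallback enabled, an expired zone silently shifts queries for this name to normal upstream resolution, so a log line at a verbose level when the branch is taken would let operators notice that a master has been unreachable past the SOA expiry. The function body starts and ends outside the hunk.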
@@ -3256,6 +3261,16 @@ int auth_zones_answer(struct auth_zones* az, struct module_env* env,
 lock_rw_unlock(&z->lock);
 return 0;
 }
+ if(z->zone_expired) {
+ if(z->fallback_enabled) {
+ lock_rw_unlock(&z->lock);
+ return 0;
+ }
+ lock_rw_unlock(&z->lock);
+ auth_error_encode(qinfo, env, edns, repinfo, buf, temp,
+ LDNS_RCODE_SERVFAIL);
+ return 1;
+ }
 /* answer it from zone z */
 r = auth_zone_generate_answer(z, qinfo, temp, &msg, &fallback);
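Review bot: The expired branch in auth_zones_answer repeats `lock_rw_unlock(&z->lock)` on both paths; reading the flag once keeps the unlock in one place: `int fb = z->fallback_enabled;` `lock_rw_unlock(&z->lock);` `if(fb) return 0;`, followed by the SERVFAIL encode. The `return 1` also leaves before anything the function does after `auth_zone_generate_answer` (outside this hunk), so if replies are counted or logged there, SERVFAILs sent for expired zones would be missing from those statistics, which is where an operator would look to spot a zone that can no longer be refreshed; worth checking. The function body starts and ends outside the hunk.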