Hello community, here is the log from the commit of package pdns-recursor for openSUSE:Factory checked in at 2019-05-22 11:17:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pdns-recursor (Old) and /work/SRC/openSUSE:Factory/.pdns-recursor.new.5148 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "pdns-recursor" Wed May 22 11:17:08 2019 rev:28 rq:704461 version:4.1.13 Changes: -------- --- /work/SRC/openSUSE:Factory/pdns-recursor/pdns-recursor.changes 2019-04-26 22:55:51.449260722 +0200 +++ /work/SRC/openSUSE:Factory/.pdns-recursor.new.5148/pdns-recursor.changes 2019-05-22 11:17:09.654483544 +0200 @@ -1,0 +2,8 @@ +Tue May 21 12:17:26 UTC 2019 - Adam Majer <adam.majer@suse.de> + +- update to 4.1.13: + * Add the disable-real-memory-usage setting to skip expensive + collection of detailed memory usage info + * Fix DNSSEC validation of wildcards expanded onto themselves. + +------------------------------------------------------------------- Old: ---- pdns-recursor-4.1.12.tar.bz2 pdns-recursor-4.1.12.tar.bz2.sig New: ---- pdns-recursor-4.1.13.tar.bz2 pdns-recursor-4.1.13.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pdns-recursor.spec ++++++ --- /var/tmp/diff_new_pack.qxZkbG/_old 2019-05-22 11:17:10.166483185 +0200 +++ /var/tmp/diff_new_pack.qxZkbG/_new 2019-05-22 11:17:10.170483183 +0200 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -35,7 +35,7 @@ %endif Name: pdns-recursor -Version: 4.1.12 +Version: 4.1.13 Release: 0 BuildRequires: autoconf BuildRequires: automake ++++++ pdns-recursor-4.1.12.tar.bz2 -> pdns-recursor-4.1.13.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/.version new/pdns-recursor-4.1.13/.version --- old/pdns-recursor-4.1.12/.version 2019-04-02 12:31:34.000000000 +0200 +++ new/pdns-recursor-4.1.13/.version 2019-05-21 07:47:40.000000000 +0200 @@ -1 +1 @@ -4.1.12 +4.1.13 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/configure new/pdns-recursor-4.1.13/configure --- old/pdns-recursor-4.1.12/configure 2019-04-02 12:31:33.000000000 +0200 +++ new/pdns-recursor-4.1.13/configure 2019-05-21 07:47:39.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for pdns-recursor 4.1.12. +# Generated by GNU Autoconf 2.69 for pdns-recursor 4.1.13. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -587,8 +587,8 @@ # Identity of this package. PACKAGE_NAME='pdns-recursor' PACKAGE_TARNAME='pdns-recursor' -PACKAGE_VERSION='4.1.12' -PACKAGE_STRING='pdns-recursor 4.1.12' +PACKAGE_VERSION='4.1.13' +PACKAGE_STRING='pdns-recursor 4.1.13' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -1445,7 +1445,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures pdns-recursor 4.1.12 to adapt to many kinds of systems. +\`configure' configures pdns-recursor 4.1.13 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1515,7 +1515,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of pdns-recursor 4.1.12:";; + short | recursive ) echo "Configuration of pdns-recursor 4.1.13:";; esac cat <<\_ACEOF @@ -1677,7 +1677,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -pdns-recursor configure 4.1.12 +pdns-recursor configure 4.1.13 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2270,7 +2270,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by pdns-recursor $as_me 4.1.12, which was +It was created by pdns-recursor $as_me 4.1.13, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3133,7 +3133,7 @@ # Define the identity of the package. PACKAGE='pdns-recursor' - VERSION='4.1.12' + VERSION='4.1.13' cat >>confdefs.h <<_ACEOF @@ -21846,7 +21846,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by pdns-recursor $as_me 4.1.12, which was +This file was extended by pdns-recursor $as_me 4.1.13, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21912,7 +21912,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -pdns-recursor config.status 4.1.12 +pdns-recursor config.status 4.1.13 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/effective_tld_names.dat new/pdns-recursor-4.1.13/effective_tld_names.dat --- old/pdns-recursor-4.1.12/effective_tld_names.dat 2019-04-02 12:32:28.000000000 +0200 +++ new/pdns-recursor-4.1.13/effective_tld_names.dat 2019-05-21 07:48:32.000000000 +0200 @@ -6191,34 +6191,33 @@ edu.to mil.to -// subTLDs: https://www.nic.tr/forms/eng/policies.pdf -// and: https://www.nic.tr/forms/politikalar.pdf -// Submitted by <mehmetgurevin@gmail.com> +// tr : https://nic.tr/ +// https://nic.tr/forms/eng/policies.pdf +// https://nic.tr/index.php?USRACTN=PRICELST tr -com.tr -info.tr -biz.tr -net.tr -org.tr -web.tr -gen.tr -tv.tr av.tr -dr.tr bbs.tr -name.tr -tel.tr -gov.tr bel.tr -pol.tr +biz.tr +com.tr +dr.tr +edu.tr +gen.tr +gov.tr +info.tr mil.tr k12.tr -edu.tr kep.tr - +name.tr +net.tr +org.tr +pol.tr +tel.tr +tsk.tr +tv.tr +web.tr // Used by Northern Cyprus nc.tr - // Used by government agencies of Northern Cyprus gov.nc.tr @@ -7941,9 +7940,6 @@ // dog : 2014-12-04 Binky Moon, LLC dog -// doha : 2014-09-18 Communications Regulatory Authority (CRA) -doha - // domains : 2013-10-17 Binky Moon, LLC domains @@ -10844,6 +10840,10 @@ // Submitted by Anthony Voutas <anthony@backplane.io> backplaneapp.io +// Banzai Cloud +// Submitted by Gabor Kozma <info@banzaicloud.com> +app.banzaicloud.io + // BetaInABox // Submitted by Adrian <adrian@betainabox.com> betainabox.com @@ -10879,6 +10879,7 @@ // Bytemark Hosting : https://www.bytemark.co.uk // Submitted by Paul Cammish <paul.cammish@bytemark.co.uk> +uk0.bigv.io dh.bytemark.co.uk vm.bytemark.co.uk @@ -10947,6 +10948,10 @@ // Submitted by Alex Stoddard <alex.stoddard@citrix.com> xenapponazure.com +// Civilized Discourse Construction Kit, Inc. : https://www.discourse.org/ +// Submitted by Rishabh Nambiar <rishabh.nambiar@discourse.org> +discourse.group + // ClearVox : http://www.clearvox.nl/ // Submitted by Leon Rowland <leon@clearvox.nl> virtueeldomein.nl @@ -11717,6 +11722,11 @@ // Submitted by Alex Hanselka <alex@gitlab.com> gitlab.io +// GOV.UK Platform as a Service : https://www.cloud.service.gov.uk/ +// Submitted by Tom Whitwell <tom.whitwell@digital.cabinet-office.gov.uk> +cloudapps.digital +london.cloudapps.digital + // UKHomeOffice : https://www.gov.uk/government/organisations/home-office // Submitted by Jon Shanks <jon.shanks@digital.homeoffice.gov.uk> homeoffice.gov.uk @@ -12084,6 +12094,10 @@ org.ru pp.ru +// Nabu Casa : https://www.nabucasa.com +// Submitted by Paulus Schoutsen <infra@nabucasa.com> +ui.nabu.casa + // Netlify : https://www.netlify.com // Submitted by Jessica Parsons <jessica@netlify.com> bitballoon.com diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/pdns_recursor.1 new/pdns-recursor-4.1.13/pdns_recursor.1 --- old/pdns-recursor-4.1.12/pdns_recursor.1 2019-04-02 12:32:28.000000000 +0200 +++ new/pdns-recursor-4.1.13/pdns_recursor.1 2019-05-21 07:48:32.000000000 +0200 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "PDNS_RECURSOR" "1" "Apr 02, 2019" "4.1" "PowerDNS Recursor" +.TH "PDNS_RECURSOR" "1" "May 21, 2019" "4.1" "PowerDNS Recursor" .SH NAME pdns_recursor \- The PowerDNS Recursor binary . diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/pdns_recursor.cc new/pdns-recursor-4.1.13/pdns_recursor.cc --- old/pdns-recursor-4.1.12/pdns_recursor.cc 2019-04-02 12:31:21.000000000 +0200 +++ new/pdns-recursor-4.1.13/pdns_recursor.cc 2019-05-21 07:47:27.000000000 +0200 @@ -3652,6 +3652,7 @@ ::arg().setSwitch("log-rpz-changes", "Log additions and removals to RPZ zones at Info level")="no"; ::arg().set("distribution-load-factor", "The load factor used when PowerDNS is distributing queries to worker threads")="0.0"; + ::arg().setSwitch("disable-real-memory-usage", "Disable expensive real-memory-usage metric")= "no"; ::arg().setCmd("help","Provide a helpful message"); ::arg().setCmd("version","Print version string"); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/pubsuffix.cc new/pdns-recursor-4.1.13/pubsuffix.cc --- old/pdns-recursor-4.1.12/pubsuffix.cc 2019-04-02 12:32:28.000000000 +0200 +++ new/pdns-recursor-4.1.13/pubsuffix.cc 2019-05-21 07:48:32.000000000 +0200 @@ -5015,26 +5015,27 @@ "org.to", "edu.to", "mil.to", -"com.tr", -"info.tr", -"biz.tr", -"net.tr", -"org.tr", -"web.tr", -"gen.tr", -"tv.tr", "av.tr", -"dr.tr", "bbs.tr", -"name.tr", -"tel.tr", -"gov.tr", "bel.tr", -"pol.tr", +"biz.tr", +"com.tr", +"dr.tr", +"edu.tr", +"gen.tr", +"gov.tr", +"info.tr", "mil.tr", "k12.tr", -"edu.tr", "kep.tr", +"name.tr", +"net.tr", +"org.tr", +"pol.tr", +"tel.tr", +"tsk.tr", +"tv.tr", +"web.tr", "nc.tr", "gov.nc.tr", "co.tt", @@ -5588,6 +5589,7 @@ "wpcomstaging.com", "myfritz.net", "backplaneapp.io", +"app.banzaicloud.io", "betainabox.com", "bnr.la", "blackbaudcdn.net", @@ -5600,6 +5602,7 @@ "bplaced.net", "square7.net", "browsersafetymark.io", +"uk0.bigv.io", "dh.bytemark.co.uk", "vm.bytemark.co.uk", "mycd.eu", @@ -5638,6 +5641,7 @@ "c.la", "certmgr.org", "xenapponazure.com", +"discourse.group", "virtueeldomein.nl", "cleverapps.io", "c66.me", @@ -6211,6 +6215,8 @@ "github.io", "githubusercontent.com", "gitlab.io", +"cloudapps.digital", +"london.cloudapps.digital", "homeoffice.gov.uk", "ro.im", "shop.ro", @@ -6436,6 +6442,7 @@ "net.ru", "org.ru", "pp.ru", +"ui.nabu.casa", "bitballoon.com", "netlify.com", "4u.com", diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/rec_channel_rec.cc new/pdns-recursor-4.1.13/rec_channel_rec.cc --- old/pdns-recursor-4.1.12/rec_channel_rec.cc 2019-04-02 12:31:21.000000000 +0200 +++ new/pdns-recursor-4.1.13/rec_channel_rec.cc 2019-05-21 07:47:27.000000000 +0200 @@ -884,6 +884,10 @@ return 0; } +uint64_t getFakeMemoryUsage(const std::string&) { + return 0; +} + extern ResponseStats g_rs; void registerAllStats() @@ -1005,7 +1009,11 @@ addGetStat("noedns-outqueries", &g_stats.noEdnsOutQueries); addGetStat("uptime", calculateUptime); - addGetStat("real-memory-usage", boost::bind(getRealMemoryUsage, string())); + if (::arg().mustDo("disable-real-memory-usage")) + addGetStat("real-memory-usage", boost::bind(getFakeMemoryUsage, string())); + else + addGetStat("real-memory-usage", boost::bind(getRealMemoryUsage, string())); + addGetStat("fd-usage", boost::bind(getOpenFileDescriptors, string())); // addGetStat("query-rate", getQueryRate); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/rec_control.1 new/pdns-recursor-4.1.13/rec_control.1 --- old/pdns-recursor-4.1.12/rec_control.1 2019-04-02 12:32:28.000000000 +0200 +++ new/pdns-recursor-4.1.13/rec_control.1 2019-05-21 07:48:32.000000000 +0200 @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "REC_CONTROL" "1" "Apr 02, 2019" "4.1" "PowerDNS Recursor" +.TH "REC_CONTROL" "1" "May 21, 2019" "4.1" "PowerDNS Recursor" .SH NAME rec_control \- Command line tool to control a running Recursor . diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/syncres.cc new/pdns-recursor-4.1.13/syncres.cc --- old/pdns-recursor-4.1.12/syncres.cc 2019-04-02 12:31:21.000000000 +0200 +++ new/pdns-recursor-4.1.13/syncres.cc 2019-05-21 07:47:27.000000000 +0200 @@ -1920,7 +1920,7 @@ return Bogus; } -RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery) +RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, bool& gatherWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery) { bool wasForwardRecurse = wasForwarded && rdQuery; tcache_t tcache; @@ -1946,7 +1946,7 @@ /* if we have a positive answer synthetized from a wildcard, we need to store the corresponding NSEC/NSEC3 records proving that the exact name did not exist in the negative cache */ - if(needWildcardProof) { + if(gatherWildcardProof) { if (nsecTypes.count(rec.d_type)) { authorityRecs.push_back(std::make_shared<DNSRecord>(rec)); } @@ -1964,9 +1964,20 @@ count can be lower than the name's label count if it was synthetized from the wildcard. Note that the difference might be > 1. */ - if (rec.d_name == qname && rrsig->d_labels < labelCount) { - LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard, we need a wildcard proof"<<endl); - needWildcardProof = true; + if (rec.d_name == qname && isWildcardExpanded(labelCount, rrsig)) { + gatherWildcardProof = true; + if (!isWildcardExpandedOntoItself(rec.d_name, labelCount, rrsig)) { + /* if we have a wildcard expanded onto itself, we don't need to prove + that the exact name doesn't exist because it actually does. + We still want to gather the corresponding NSEC/NSEC3 records + to pass them to our client in case it wants to validate by itself. + */ + LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard, we need a wildcard proof"<<endl); + needWildcardProof = true; + } + else { + LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard expanded onto itself, we need to gather wildcard proof"<<endl); + } wildcardLabelsCount = rrsig->d_labels; } @@ -2204,7 +2215,7 @@ return getDenial(csp, ne.d_name, ne.d_qtype.getCode(), referralToUnsigned, expectedState == NXQTYPE); } -bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount) +bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const bool gatherWildcardProof, const unsigned int wildcardLabelsCount) { bool done = false; @@ -2263,7 +2274,7 @@ /* if we have a positive answer synthetized from a wildcard, we need to return the corresponding NSEC/NSEC3 records from the AUTHORITY section proving that the exact name did not exist */ - else if(needWildcardProof && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::AUTHORITY) { + else if(gatherWildcardProof && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::AUTHORITY) { ret.push_back(rec); // enjoy your DNSSEC } // for ANY answers we *must* have an authoritative answer, unless we are forwarding recursively @@ -2538,8 +2549,9 @@ } bool needWildcardProof = false; + bool gatherWildcardProof = false; unsigned int wildcardLabelsCount; - *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, wildcardLabelsCount, sendRDQuery); + *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, gatherWildcardProof, wildcardLabelsCount, sendRDQuery); if (*rcode != RCode::NoError) { return true; } @@ -2551,7 +2563,7 @@ DNSName newauth; DNSName newtarget; - bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, wildcardLabelsCount); + bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, gatherWildcardProof, wildcardLabelsCount); if(done){ LOG(prefix<<qname<<": status=got results, this level of recursion done"<<endl); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/syncres.hh new/pdns-recursor-4.1.13/syncres.hh --- old/pdns-recursor-4.1.12/syncres.hh 2019-04-02 12:31:21.000000000 +0200 +++ new/pdns-recursor-4.1.13/syncres.hh 2019-05-21 07:47:27.000000000 +0200 @@ -753,8 +753,9 @@ bool throttledOrBlocked(const std::string& prefix, const ComboAddress& remoteIP, const DNSName& qname, const QType& qtype, bool pierceDontQuery); vector<ComboAddress> retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector<DNSName >::const_iterator& tns, const unsigned int depth, set<GetBestNSAnswer>& beenthere, const vector<DNSName >& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly); - RCode::rcodes_ updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask>, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount, bool sendRDQuery); - bool processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount); + + RCode::rcodes_ updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask>, vState& state, bool& needWildcardProof, bool& gatherWildcardProof, unsigned int& wildcardLabelsCount, bool sendRDQuery); + bool processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const bool gatherwildcardProof, const unsigned int wildcardLabelsCount); bool doSpecialNamesResolve(const DNSName &qname, const QType &qtype, const uint16_t qclass, vector<DNSRecord> &ret); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/test-syncres_cc.cc new/pdns-recursor-4.1.13/test-syncres_cc.cc --- old/pdns-recursor-4.1.12/test-syncres_cc.cc 2019-04-02 12:31:21.000000000 +0200 +++ new/pdns-recursor-4.1.13/test-syncres_cc.cc 2019-05-21 07:47:27.000000000 +0200 @@ -6153,6 +6153,123 @@ BOOST_CHECK_EQUAL(queriesCount, 9); } +BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_expanded_onto_itself) { + std::unique_ptr<SyncRes> sr; + initSR(sr, true); + + setDNSSECValidation(sr, DNSSECMode::ValidateAll); + + primeHints(); + const DNSName target("*.powerdns.com."); + testkeysset_t keys; + + auto luaconfsCopy = g_luaconfs.getCopy(); + luaconfsCopy.dsAnchors.clear(); + generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); + generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); + generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); + + g_luaconfs.setState(luaconfsCopy); + + sr->setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, std::shared_ptr<RemoteLogger> outgoingLogger, LWResult* res, bool* chained) { + + if (type == QType::DS || type == QType::DNSKEY) { + if (domain == target) { + const auto auth = DNSName("powerdns.com."); + /* we don't want a cut there */ + setLWResult(res, 0, true, false, true); + addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); + addRRSIG(keys, res->d_records, auth, 300); + /* add a NSEC denying the DS */ + std::set<uint16_t> types = { QType::NSEC }; + addNSECRecordToLW(domain, DNSName("z") + domain, types, 600, res->d_records); + addRRSIG(keys, res->d_records, auth, 300); + return 1; + } + return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); + } + else { + setLWResult(res, 0, true, false, true); + addRecordToLW(res, domain, QType::A, "192.0.2.42"); + addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com")); + /* we don't _really_ need to add the proof that the exact name does not exist because it does, + it's the wildcard itself, but let's do it so other validators don't choke on it */ + addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); + addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com")); + return 1; + } + }); + + vector<DNSRecord> ret; + int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NoError); + BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); + /* A + RRSIG, NSEC + RRSIG */ + BOOST_REQUIRE_EQUAL(ret.size(), 4); +} + +BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_like_expanded_from_wildcard) { + std::unique_ptr<SyncRes> sr; + initSR(sr, true); + + setDNSSECValidation(sr, DNSSECMode::ValidateAll); + + primeHints(); + const DNSName target("*.sub.powerdns.com."); + testkeysset_t keys; + + auto luaconfsCopy = g_luaconfs.getCopy(); + luaconfsCopy.dsAnchors.clear(); + generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); + generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); + generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors); + + g_luaconfs.setState(luaconfsCopy); + + sr->setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional<const ResolveContext&> context, std::shared_ptr<RemoteLogger> outgoingLogger, LWResult* res, bool* chained) { + + if (type == QType::DS || type == QType::DNSKEY) { + if (domain == target) { + const auto auth = DNSName("powerdns.com."); + /* we don't want a cut there */ + setLWResult(res, 0, true, false, true); + addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); + addRRSIG(keys, res->d_records, auth, 300); + addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); + addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com")); + return 1; + } + else if (domain == DNSName("sub.powerdns.com.")) { + const auto auth = DNSName("powerdns.com."); + /* we don't want a cut there */ + setLWResult(res, 0, true, false, true); + addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400); + addRRSIG(keys, res->d_records, auth, 300); + /* add a NSEC denying the DS */ + addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); + addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com")); + return 1; + } + return genericDSAndDNSKEYHandler(res, domain, domain, type, keys); + } + else { + setLWResult(res, 0, true, false, true); + addRecordToLW(res, domain, QType::A, "192.0.2.42"); + addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com")); + addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records); + addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com")); + return 1; + } + }); + + vector<DNSRecord> ret; + int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret); + BOOST_CHECK_EQUAL(res, RCode::NoError); + BOOST_CHECK_EQUAL(sr->getValidationState(), Secure); + /* A + RRSIG, NSEC + RRSIG */ + BOOST_REQUIRE_EQUAL(ret.size(), 4); +} + BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure) { std::unique_ptr<SyncRes> sr; initSR(sr, true); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/validate.cc new/pdns-recursor-4.1.13/validate.cc --- old/pdns-recursor-4.1.12/validate.cc 2019-04-02 12:31:21.000000000 +0200 +++ new/pdns-recursor-4.1.13/validate.cc 2019-05-21 07:47:27.000000000 +0200 @@ -116,6 +116,15 @@ Labels field of the covering RRSIG RR, then the RRset and its covering RRSIG RR were created as a result of wildcard expansion." */ +bool isWildcardExpanded(unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign) +{ + if (sign && sign->d_labels < labelCount) { + return true; + } + + return false; +} + static bool isWildcardExpanded(const DNSName& owner, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures) { if (signatures.empty()) { @@ -124,13 +133,29 @@ const auto& sign = signatures.at(0); unsigned int labelsCount = owner.countLabels(); - if (sign && sign->d_labels < labelsCount) { + return isWildcardExpanded(labelsCount, sign); +} + +bool isWildcardExpandedOntoItself(const DNSName& owner, unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign) +{ + if (owner.isWildcard() && (labelCount - 1) == sign->d_labels) { + /* this is a wildcard alright, but it has not been expanded */ return true; } - return false; } +static bool isWildcardExpandedOntoItself(const DNSName& owner, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures) +{ + if (signatures.empty()) { + return false; + } + + const auto& sign = signatures.at(0); + unsigned int labelsCount = owner.countLabels(); + return isWildcardExpandedOntoItself(owner, labelsCount, sign); +} + /* if this is a wildcard NSEC, the owner name has been modified to match the name. Make sure we use the original '*' form. */ static DNSName getNSECOwnerName(const DNSName& initialOwner, const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures) @@ -385,7 +410,7 @@ /* we know that the name exists (but this qtype doesn't) so except if the answer was generated by a wildcard expansion, no wildcard could have matched (rfc4035 section 5.4 bullet 1) */ - if (!isWildcardExpanded(owner, v.second.signatures)) { + if (!isWildcardExpanded(owner, v.second.signatures) || isWildcardExpandedOntoItself(owner, v.second.signatures)) { needWildcardProof = false; } @@ -399,6 +424,7 @@ /* check if the whole NAME is denied existing */ if(isCoveredByNSEC(qname, owner, nsec->d_next)) { + LOG(qname<<" is covered "); /* if the name is an ENT and we received a NODATA answer, we are fine with a NSEC proving that the name does not exist. */ if (wantsNoDataProof && nsecProvesENT(qname, owner, nsec->d_next)) { @@ -407,15 +433,19 @@ } if (!needWildcardProof) { + LOG("and we did not need a wildcard proof"<<endl); return NXDOMAIN; } + LOG("but we do need a wildcard proof so "); if (wantsNoDataProof) { + LOG("looking for NODATA proof"<<endl); if (provesNoDataWildCard(qname, qtype, validrrsets)) { return NXQTYPE; } } else { + LOG("looking for NO wildcard proof"<<endl); if (provesNoWildCard(qname, qtype, validrrsets)) { return NXDOMAIN; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/validate.hh new/pdns-recursor-4.1.13/validate.hh --- old/pdns-recursor-4.1.12/validate.hh 2019-04-02 12:31:21.000000000 +0200 +++ new/pdns-recursor-4.1.13/validate.hh 2019-05-21 07:47:27.000000000 +0200 @@ -77,3 +77,5 @@ DNSName getSigner(const std::vector<std::shared_ptr<RRSIGRecordContent> >& signatures); bool denialProvesNoDelegation(const DNSName& zone, const std::vector<DNSRecord>& dsrecords); bool isRRSIGNotExpired(const time_t now, const shared_ptr<RRSIGRecordContent> sig); +bool isWildcardExpanded(unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign); +bool isWildcardExpandedOntoItself(const DNSName& owner, unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign);