auth-zone and forward-zone on unbound-1.7.0
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Wed Apr 4 09:49:24 UTC 2018
Hi Guillaume-Jean,
On 04/04/18 11:41, Guillaume-Jean Herbiet via Unbound-users wrote:
> Hi,
>
> While doing some experiments, I am facing an issue while mixing
> auth-zone and forward-zone.
This bug was just fixed after a Red Hat bug report.
The fix is in the code repository; this is the patch below.
If you enable an auth zone and a forward zone, it uses straight answers
from the auth zone. When the auth zone indicates no coverage for the
query with a delegation, it then uses the forward zone to fetch the
information.
Best regards, Wouter
Index: iterator/iterator.c
===================================================================
--- iterator/iterator.c (revision 4598)
+++ iterator/iterator.c (working copy)
@@ -2161,11 +2161,15 @@
log_dns_msg("msg from auth zone",
&iq->response->qinfo, iq->response->rep);
}
- iq->num_current_queries++;
- iq->chase_to_rd = 0;
- iq->dnssec_lame_query = 0;
- iq->auth_zone_response = 1;
- return next_state(iq, QUERY_RESP_STATE);
+ if((iq->chase_flags&BIT_RD) && !(iq->response->rep->flags&BIT_AA)) {
+ verbose(VERB_ALGO, "forwarder, ignoring referral from auth zone");
+ } else {
+ iq->num_current_queries++;
+ iq->chase_to_rd = 0;
+ iq->dnssec_lame_query = 0;
+ iq->auth_zone_response = 1;
+ return next_state(iq, QUERY_RESP_STATE);
+ }
}
iq->auth_zone_response = 0;
if(auth_fallback == 0) {
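Review bot: the new guard `if((iq->chase_flags&BIT_RD) && !(iq->response->rep->flags&BIT_AA))` relies on the absence of the AA bit as the test for "this auth-zone response is a referral", but nothing in the code states that; add a comment matching the verbose message, e.g. `/* when forwarding, a non-AA (referral) response from the auth zone is not usable; let the forwarder resolve it */`. Two things worth confirming in review: that negative answers (NXDOMAIN/NODATA) served from the auth zone always carry AA so they are not discarded by the same test, and that the fall-through after the ignored referral, which lands in `iq->auth_zone_response = 0;` and the `if(auth_fallback == 0)` branch below, is the intended behaviour when fallback-enabled is off, since the ignored-referral case is then handled like a zone that failed rather than one that answered.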
@@ -2443,7 +2447,8 @@
(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
iq->response, &iq->qchase, iq->dp);
iq->chase_to_rd = 0;
- if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD)) {
+ if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) &&
+ !iq->auth_zone_response) {
/* When forwarding (RD bit is set), we handle referrals
* differently. No queries should be sent elsewhere */
type = RESPONSE_TYPE_ANSWER;
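Review bot: the added `!iq->auth_zone_response` term is contradicted by the comment directly below it, which still says that when forwarding no queries should be sent elsewhere; extend the comment to state the exception, e.g. `* A referral that came from a local auth-zone is the exception: it is followed through the forwarder.` The commit message should also explain why this check is still needed given that the first hunk already refuses non-AA auth-zone responses when RD is set, so a reader can tell that the two guards are not redundant. Before this change an auth-zone referral under RD was rewritten to RESPONSE_TYPE_ANSWER, which is consistent with the empty answers the reporter describes.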
>
> The server I was testing on was originally configured to forward
> requests to other servers (mainly to benefit from their cache):
>
> forward-zone:
>     name: "."
>     forward-addr: IP1 # redacted
>     forward-addr: IP2 # redacted
>
> Then, I added auth-zone directives in order to implement RFC 7706:
>
> auth-zone:
>     name: "."
>     for-downstream: no
>     for-upstream: yes
>     fallback-enabled: yes
>     master: c.root-servers.net
>     master: iad.xfr.dns.icann.org
>     master: lax.xfr.dns.icann.org
>
> From this point, all responses are nodata.
>
> Both features work separately, but not together.
>
> I know this can be a curious config (frankly, I forgot I added the
> forward-zone on this test server...) but I would have expected unbound:
>
> - either to use the root zone local copy, then to use the forward-addr
> to continue with the recursion
> - or to ignore the auth-zone directives as it is configured as a simple
> forwarder for the zone
>
> Any comment on this?
>