Merge pull request #2392 from poettering/dnssec18

eightteenth dnssec patch
author: Tom Gundersen <teg@jklm.no> 2016-01-25 20:28:38 +0100
committer: Tom Gundersen <teg@jklm.no> 2016-01-25 20:28:38 +0100
commit: f49ce89edf37a20abed923782dd8176d6c0e7166 (patch)
tree: 5174563e958ef5be22eebd7d9b848d37e724a911 /src/resolve/resolved-dns-cache.c
parent: 164228707d7785a27316e2f28be7068044127016 (diff)
parent: 6c1e69f9456d022f14dd00737126cfa4d9cca10c (diff)
1 files changed, 32 insertions, 1 deletions
diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
index fdb34d11df..9267b67f79 100644
--- a/src/resolve/resolved-dns-cache.c
+++ b/src/resolve/resolved-dns-cache.c
@@ -579,6 +579,28 @@ static void dns_cache_remove_previous(
         }
 }
 
+static bool rr_eligible(DnsResourceRecord *rr) {
+        assert(rr);
+
+        /* When we see an NSEC/NSEC3 RR, we'll only cache it if it is from the lower zone, not the upper zone, since
+         * that's where the interesting bits are (with exception of DS RRs). Of course, this way we cannot derive DS
+         * existence from any cached NSEC/NSEC3, but that should be fine. */
+
+        switch (rr->key->type) {
+
+        case DNS_TYPE_NSEC:
+                return !bitmap_isset(rr->nsec.types, DNS_TYPE_NS) ||
+                        bitmap_isset(rr->nsec.types, DNS_TYPE_SOA);
+
+        case DNS_TYPE_NSEC3:
+                return !bitmap_isset(rr->nsec3.types, DNS_TYPE_NS) ||
+                        bitmap_isset(rr->nsec3.types, DNS_TYPE_SOA);
+
+        default:
+                return true;
+        }
+}
+
 int dns_cache_put(
                 DnsCache *c,
                 DnsResourceKey *key,
@@ -635,6 +657,12 @@ int dns_cache_put(
                 if ((flags & DNS_ANSWER_CACHEABLE) == 0)
                         continue;
 
+                r = rr_eligible(rr);
+                if (r < 0)
+                        return r;
+                if (r == 0)
+                        continue;
+
                 r = dns_cache_put_positive(
                                 c,
                                 rr,
@@ -835,7 +863,10 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r
                         have_non_authenticated = true;
         }
 
-        if (nsec && key->type != DNS_TYPE_NSEC) {
+        if (nsec && !IN_SET(key->type, DNS_TYPE_NSEC, DNS_TYPE_DS)) {
+                /* Note that we won't derive information for DS RRs from an NSEC, because we only cache NSEC RRs from
+                 * the lower-zone of a zone cut, but the DS RRs are on the upper zone. */
+
                 if (log_get_max_level() >= LOG_DEBUG) {
                         r = dns_resource_key_to_string(key, &key_str);
                         if (r < 0)
author	Tom Gundersen <teg@jklm.no>	2016-01-25 20:28:38 +0100
committer	Tom Gundersen <teg@jklm.no>	2016-01-25 20:28:38 +0100
commit	f49ce89edf37a20abed923782dd8176d6c0e7166 (patch)
tree	5174563e958ef5be22eebd7d9b848d37e724a911 /src/resolve/resolved-dns-cache.c
parent	164228707d7785a27316e2f28be7068044127016 (diff)
parent	6c1e69f9456d022f14dd00737126cfa4d9cca10c (diff)