Thank you, Simon.
I see what you mean. As I mentioned earlier I have an internal network with two
DNS servers which ARE authoritative for the domain I use. It will be great if I
can make them recursive, but in this case their logs will be full of warnings
that they couldn't reach particular DNS servers - you know many OS have some
sort of auto update or NTP clients or other reasons to connect to the outside
world by default. By making my DNS servers to be non-recursive I avoid all
those messages.
Basically I can be careless about requests to any other domain names and can
just start using the patch I made, because it will make no harm if some records
will be mistakenly cached as an empty answer.
But still I want comply to standards and to your recommendations as much as I
can.
So, based on your answer:
> Returning that answer to a stub resolver will cause the stub resolver
> to conclude that the name has no values. Caching it in dnsmasq will do
> that same thing.
I modified the patch. Now it will store the answer in cache if server is
non-recursive, BUT the answer IS authoritative. In this case referrals with
empty answers should not make to the cache. Did I get it correct?
What do you think?
Best, Nikolay
----- Original Message -----
From: "Simon Kelley" <si...@thekelleys.org.uk>
To: dnsmasq-discuss@lists.thekelleys.org.uk
Sent: Sunday, February 15, 2015 4:52:34 PM GMT -05:00 US/Canada Eastern
Subject: Re: [Dnsmasq-discuss] non-recursive DNS ansewers patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
The risk with this is if you forward a query to a non-recursive
nameserver that it _isn't_ authoritative for. In that case you'll get
a referal - ie a reply packet with an empty answer section, but one or
more DNS servers in the authority section.
Returning that answer to a stub resolver will cause the stub resolver
to conclude that the name has no values. Caching it in dnsmasq will do
that same thing. This is why dnsmasq logs an warning if any of its
upstream nameservers are not recursive.
If you insist on forwarding to an authoritative nameserver, it only
makes sense to do that with queries for domains it is authoritative
for. The patch doesn't make that any more unsafe than it already is,
you'll still get the wrong answer if any replies are CNAMES to domains
that the server doesn't cover.
Dnsmasq really wants recursive upstream servers.
Cheers,
Simon.
On 15/02/15 18:33, Nikolay P wrote:
> This question is for maintainers of Dnsmasq
>
> I want to consult you if the attached patch is safe.
>
> I am trying to develop a workaround for this:
>
> /* Don't put stuff from a truncated packet into the cache. Don't
> cache replies from non-recursive nameservers, since we may get a
> reply containing a CNAME but not its target, even though the
> target does exist. */
>
> As currently implemented in src/rfc1035.c any answer from
> non-recursive DNS servers will not be cached.
>
> if (!(header->hb3 & HB3_TC) && !(header->hb4 & HB4_CD) &&
> (header->hb4 & HB4_RA) && !no_cache_dnssec) cache_end_insert();
>
> The attached patch enables caching of DNS answers from
> non-recursive servers IF the answer DOES NOT contain a CNAME
> record.
>
> Could you check the patch and let me know if I got it right and it
> is safe to implement?
>
> The patched code compiled successfully and worked OK so far.
>
> Best, Nikolay
>
>
>
> _______________________________________________ Dnsmasq-discuss
> mailing list Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJU4RUiAAoJEBXN2mrhkTWibIsP/jKs52JKioUSIrVpNOJhVEph
BB+MAYtqAYbXfomfjcAcjzIAMELReYiwaI9jtqUOhnjTJoFrv27a3vBZnYvTqjQM
E+yE6dUodveaJHUO2WU06Wd3fmVyUS2wqqKVe4PPF/vlxhrVZIibOglCHChCcTSL
9Uia7R0vOQXcjUB5ZovSWaVeImxDOmVSpWUq1zji7kWNS/+YfsckDSb0ignOSWDe
BnznZeNeXkOIdBEA59wTxGa76PxJt4ytYtjR7F+3dK9MHjX2EgLq9oviNlmI+k9R
PnH31XiPEXOQllGddiQjqA31jyZHmdc6ghUUsaem9Ql3SBJ0Eg7RJVuj4x8h8kvd
zgK/MZHxU0O7JLmfmye3G5fNT8lTv9U6AO36If7nTZwbFKvJZ+4LDPkDUUDP3RQb
zGaQN0I7wpoeD4veuLlqzoWUnSK3A5LckOUrXaeYkrtCUe1t9LJ4BsweYu4XENX1
CSPxhYNgdu7ZZy2xI//dAF1EGHXYAYSPFdnjqZ5U5uC7inCsZuvK8fxekxPduJKh
pNbNPccj36awqab/n0pZ47PSEKalPn3wQEAOTL1457MU1p+G8/miAtLT7kCWmqFq
qxDhUEOM7ImM+cibrJPFFOtdHuFY3T2we2t33SnBXhySIJquM0F3u/z9rFT1U8B9
fVNxCFPw0dWF/5rPk31L
=qY65
-----END PGP SIGNATURE-----
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
diff -r -u ./a/src/rfc1035.c ./b/src/rfc1035.c
--- ./a/src/rfc1035.c 2015-02-15 11:22:11.260714301 -0500
+++ ./b/src/rfc1035.c 2015-02-15 17:22:23.016647692 -0500
@@ -1152,7 +1152,7 @@
does exist. */
if (!(header->hb3 & HB3_TC) &&
!(header->hb4 & HB4_CD) &&
- (header->hb4 & HB4_RA) &&
+ ( (header->hb4 & HB4_RA) || ( !(header->hb4 & HB4_RA) && (header->hb3 & HB3_AA) ) ) &&
!no_cache_dnssec)
cache_end_insert();
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
