Hi Guillaume-Jean,

On 04/04/18 11:41, Guillaume-Jean Herbiet via Unbound-users wrote:
> Hi,
> 
> While doing some experiments, I am facing an issue while mixing
> auth-zone and forward-zone.

This bug was just fixed after a Red Hat bug report.

The fix is in the code repository; the patch is below.

If you enable an auth zone and a forward zone, it uses straight answers
from the auth zone.  When the auth zone indicates no coverage for the
query with a delegation, it then uses the forward zone to fetch the
information.

Best regards, Wouter


Index: iterator/iterator.c
===================================================================
--- iterator/iterator.c (revision 4598)
+++ iterator/iterator.c (working copy)
@@ -2161,11 +2161,15 @@
                        log_dns_msg("msg from auth zone",
                                &iq->response->qinfo, iq->response->rep);
                }
-               iq->num_current_queries++;
-               iq->chase_to_rd = 0;
-               iq->dnssec_lame_query = 0;
-               iq->auth_zone_response = 1;
-               return next_state(iq, QUERY_RESP_STATE);
+               if((iq->chase_flags&BIT_RD) && 
!(iq->response->rep->flags&BIT_AA)) {
+                       verbose(VERB_ALGO, "forwarder, ignoring referral from 
auth zone");
+               } else {
+                       iq->num_current_queries++;
+                       iq->chase_to_rd = 0;
+                       iq->dnssec_lame_query = 0;
+                       iq->auth_zone_response = 1;
+                       return next_state(iq, QUERY_RESP_STATE);
+               }
        }
        iq->auth_zone_response = 0;
        if(auth_fallback == 0) {
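Review bot: the new `if((iq->chase_flags&BIT_RD) && !(iq->response->rep->flags&BIT_AA))` branch only logs and then falls through to `iq->auth_zone_response = 0;` and the `if(auth_fallback == 0)` check, so with `fallback-enabled: no` a non-authoritative (referral) answer from the auth zone is discarded in forwarder mode and the query lands on the no-fallback path; worth confirming that this path returns an error to the client rather than a nodata answer, and extending the verbose message to say that the query is now handed to the forwarder. Separately, the added line ending in `&&` carries trailing whitespace, and both long added lines have been wrapped by the mail client (`!(iq->response->rep->flags&BIT_AA)) {` and `auth zone");` start on their own lines), so this hunk as pasted will not apply with patch(1); take it from the repository revision instead.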
@@ -2443,7 +2447,8 @@
                (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
                iq->response, &iq->qchase, iq->dp);
        iq->chase_to_rd = 0;
-       if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD)) {
+       if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) &&
+               !iq->auth_zone_response) {
                /* When forwarding (RD bit is set), we handle referrals
                 * differently. No queries should be sent elsewhere */
                type = RESPONSE_TYPE_ANSWER;
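Review bot: the added `!iq->auth_zone_response` guard depends on the non-auth path in the first hunk resetting `iq->auth_zone_response = 0` before a forwarder response is processed; otherwise a genuine referral from the forwarder would no longer be rewritten to `RESPONSE_TYPE_ANSWER`. The existing comment, `When forwarding (RD bit is set), we handle referrals differently. No queries should be sent elsewhere`, now has an exception and should state that a referral produced by a local auth zone is kept as a referral so that the forwarder is used to continue the lookup.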


> 
> The server I was testing on was originally configured to forward
> requests to other servers (mainly to benefit from their cache):
> 
> forward-zone:
>   name: "."
>   forward-addr: IP1   # redacted
>   forward-addr: IP2   # redacted
> 
> Then, I added auth-zone directives in order to implement RFC 7706:
> 
> auth-zone:
>   name: "."
>   for-downstream: no
>   for-upstream: yes
>   fallback-enabled: yes
>   master: c.root-servers.net
>   master: iad.xfr.dns.icann.org
>   master: lax.xfr.dns.icann.org
> 
> From this point, all responses are nodata.
> 
> Both features work separately, but not together.
> 
> I know this can be a curious config (frankly, I forgot I added the
> forward-zone on this test server...) but I would have expected unbound:
> 
> - either to use the root zone local copy, then to use the forward-addr
> to continue with the recursion
> - or to ignore the auth-zone directives as it is configured as a simple
> forwarder for the zone
> 
> Any comment on this?
> 

