Improve performance for delegation heavy answers and also general query performance (#44029)

Mukund Sivaraman 2017-04-22 08:25:10 +05:30
parent 4c31eda5e1
commit 03be5a6b4e
134 changed files with 1619 additions and 4420 deletions

12
CHANGES

@ -1,3 +1,15 @@
4605. [performance] Improve performance for delegation heavy answers
and also general query performance. Removes the
acache feature that didn't significantly improve
performance. Adds a glue cache. Removes
additional-from-cache and additional-from-auth
features. Enables minimal-responses by
default. Improves performance of compression
code, owner case restoration, hash function,
etc. Uses inline buffer implementation by
default. Many other performance changes and fixes.
[RT #44029]
4604. [bug] Don't use ERR_load_crypto_strings() when building
with OpenSSL 1.1.0. [RT #45117]


@ -94,7 +94,6 @@ options {\n\
"\
recursive-clients 1000;\n\
resolver-query-timeout 10;\n\
rrset-order { order random; };\n\
# serial-queries <obsolete>;\n\
serial-query-rate 20;\n\
server-id none;\n\
@ -140,15 +139,13 @@ options {\n\
# topology <none>\n\
auth-nxdomain false;\n\
minimal-any false;\n\
minimal-responses false;\n\
minimal-responses true;\n\
recursion true;\n\
provide-ixfr true;\n\
request-ixfr true;\n\
request-expire true;\n\
# fetch-glue <obsolete>;\n\
# rfc2308-type1 <obsolete>;\n\
additional-from-auth true;\n\
additional-from-cache true;\n\
query-source address *;\n\
query-source-v6 address *;\n\
notify-source *;\n\
@ -167,9 +164,6 @@ options {\n\
check-dup-records warn;\n\
check-mx warn;\n\
check-spf warn;\n\
acache-enable no;\n\
acache-cleaning-interval 60;\n\
max-acache-size 16M;\n\
dnssec-enable yes;\n\
dnssec-validation yes; \n\
dnssec-accept-expired no;\n\


@ -108,8 +108,6 @@ struct ns_server {
unsigned int dispatchgen;
ns_dispatchlist_t dispatches;
dns_acache_t *acache;
ns_statschannellist_t statschannels;
dns_tsigkey_t *sessionkey;


@ -210,11 +210,6 @@ client_trace(ns_client_t *client, int level, const char *message) {
#define SAVE(a, b) do { INSIST(a == NULL); a = b; b = NULL; } while (0)
#define RESTORE(a, b) SAVE(a, b)
typedef struct client_additionalctx {
ns_client_t *client;
dns_rdataset_t *rdataset;
} client_additionalctx_t;
static isc_boolean_t
validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
@ -1032,10 +1027,11 @@ query_validatezonedb(ns_client_t *client, const dns_name_t *name,
* CNAMES or DNAMES into other zones and prevents returning
* additional data from other zones.
*/
if (!client->view->additionalfromauth &&
client->query.authdbset &&
db != client->query.authdb)
if (client->query.rpz_st == NULL &&
client->query.authdbset && db != client->query.authdb)
{
return (DNS_R_REFUSED);
}
/*
* Non recursive query to a static-stub zone is prohibited; its
@ -1580,9 +1576,9 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdataset_t *rdataset, *sigrdataset, *trdataset;
isc_buffer_t *dbuf;
isc_buffer_t b;
ns_dbversion_t *dbversion;
dns_dbversion_t *version;
isc_boolean_t added_something, need_addname;
dns_zone_t *zone;
dns_rdatatype_t type;
dns_clientinfomethods_t cm;
dns_clientinfo_t ci;
@ -1609,7 +1605,6 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
node = NULL;
added_something = ISC_FALSE;
need_addname = ISC_FALSE;
zone = NULL;
additionaltype = dns_rdatasetadditional_fromauth;
dns_clientinfomethods_init(&cm, ns_client_sourceip);
@ -1643,14 +1638,26 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
}
/*
* Look for a zone database that might contain authoritative
* If we want only minimal responses and are here, then it must
* be for glue.
*/
if (client->view->minimalresponses == dns_minimal_yes)
goto try_glue;
/*
* Look within the same zone database for authoritative
* additional data.
*/
result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
&zone, &db, &version);
if (result != ISC_R_SUCCESS)
if (!client->query.authdbset || client->query.authdb == NULL)
goto try_cache;
dbversion = query_findversion(client, client->query.authdb);
if (dbversion == NULL)
goto try_cache;
dns_db_attach(client->query.authdb, &db);
version = dbversion->version;
CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: db_find");
/*
@ -1684,13 +1691,17 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
*/
try_cache:
if (!client->view->recursion)
goto try_glue;
additionaltype = dns_rdatasetadditional_fromcache;
result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
if (result != ISC_R_SUCCESS)
if (result != ISC_R_SUCCESS) {
/*
* Most likely the client isn't allowed to query the cache.
*/
goto try_glue;
}
/*
* Attempt to validate glue.
*/
@ -1699,6 +1710,8 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
if (sigrdataset == NULL)
goto cleanup;
}
version = NULL;
result = dns_db_findext(db, name, version, type,
client->query.dboptions |
DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK,
@ -1744,8 +1757,12 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
goto cleanup;
dns_db_attach(client->query.gluedb, &db);
dbversion = query_findversion(client, client->query.gluedb);
if (dbversion == NULL)
goto cleanup;
dns_db_attach(client->query.gluedb, &db);
version = dbversion->version;
additionaltype = dns_rdatasetadditional_fromglue;
result = dns_db_findext(db, name, version, type,
client->query.dboptions | DNS_DBFIND_GLUEOK,
@ -1826,15 +1843,14 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdatatype_a, 0,
client->now,
rdataset, sigrdataset);
if (result == DNS_R_NCACHENXDOMAIN)
if (result == DNS_R_NCACHENXDOMAIN) {
goto addname;
if (result == DNS_R_NCACHENXRRSET) {
} else if (result == DNS_R_NCACHENXRRSET) {
dns_rdataset_disassociate(rdataset);
if (sigrdataset != NULL &&
dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
}
if (result == ISC_R_SUCCESS) {
} else if (result == ISC_R_SUCCESS) {
mname = NULL;
#ifdef ALLOW_FILTER_AAAA
have_a = ISC_TRUE;
@ -1887,15 +1903,14 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdatatype_aaaa, 0,
client->now,
rdataset, sigrdataset);
if (result == DNS_R_NCACHENXDOMAIN)
if (result == DNS_R_NCACHENXDOMAIN) {
goto addname;
if (result == DNS_R_NCACHENXRRSET) {
} else if (result == DNS_R_NCACHENXRRSET) {
dns_rdataset_disassociate(rdataset);
if (sigrdataset != NULL &&
dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
}
if (result == ISC_R_SUCCESS) {
} else if (result == ISC_R_SUCCESS) {
mname = NULL;
/*
* There's an A; check whether we're filtering AAAA
@ -1992,562 +2007,15 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
dns_db_detachnode(db, &node);
if (db != NULL)
dns_db_detach(&db);
if (zone != NULL)
dns_zone_detach(&zone);
CTRACE(ISC_LOG_DEBUG(3), "query_addadditional: done");
return (eresult);
}
static inline void
query_discardcache(ns_client_t *client, dns_rdataset_t *rdataset_base,
dns_rdatasetadditional_t additionaltype,
dns_rdatatype_t type, dns_zone_t **zonep, dns_db_t **dbp,
dns_dbversion_t **versionp, dns_dbnode_t **nodep,
dns_name_t *fname)
{
dns_rdataset_t *rdataset;
while ((rdataset = ISC_LIST_HEAD(fname->list)) != NULL) {
ISC_LIST_UNLINK(fname->list, rdataset, link);
query_putrdataset(client, &rdataset);
}
if (*versionp != NULL)
dns_db_closeversion(*dbp, versionp, ISC_FALSE);
if (*nodep != NULL)
dns_db_detachnode(*dbp, nodep);
if (*dbp != NULL)
dns_db_detach(dbp);
if (*zonep != NULL)
dns_zone_detach(zonep);
(void)dns_rdataset_putadditional(client->view->acache, rdataset_base,
additionaltype, type);
}
static inline isc_result_t
query_iscachevalid(dns_zone_t *zone, dns_db_t *db, dns_db_t *db0,
dns_dbversion_t *version)
{
isc_result_t result = ISC_R_SUCCESS;
dns_dbversion_t *version_current = NULL;
dns_db_t *db_current = db0;
if (db_current == NULL) {
result = dns_zone_getdb(zone, &db_current);
if (result != ISC_R_SUCCESS)
return (result);
}
dns_db_currentversion(db_current, &version_current);
if (db_current != db || version_current != version) {
result = ISC_R_FAILURE;
goto cleanup;
}
cleanup:
dns_db_closeversion(db_current, &version_current, ISC_FALSE);
if (db0 == NULL && db_current != NULL)
dns_db_detach(&db_current);
return (result);
}
static isc_result_t
query_addadditional2(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
client_additionalctx_t *additionalctx = arg;
dns_rdataset_t *rdataset_base;
ns_client_t *client;
isc_result_t result, eresult;
dns_dbnode_t *node, *cnode;
dns_db_t *db, *cdb;
dns_name_t *fname, *mname0, cfname;
dns_rdataset_t *rdataset, *sigrdataset;
dns_rdataset_t *crdataset, *crdataset_next;
isc_buffer_t *dbuf;
isc_buffer_t b;
dns_dbversion_t *version, *cversion;
isc_boolean_t added_something, need_addname, needadditionalcache;
isc_boolean_t need_sigrrset;
dns_zone_t *zone;
dns_rdatatype_t type;
dns_rdatasetadditional_t additionaltype;
dns_clientinfomethods_t cm;
dns_clientinfo_t ci;
/*
* If we don't have an additional cache call query_addadditional.
*/
client = additionalctx->client;
REQUIRE(NS_CLIENT_VALID(client));
if (qtype != dns_rdatatype_a || client->view->acache == NULL) {
/*
* This function is optimized for "address" types. For other
* types, use a generic routine.
* XXX: ideally, this function should be generic enough.
*/
return (query_addadditional(additionalctx->client,
name, qtype));
}
/*
* Initialization.
*/
rdataset_base = additionalctx->rdataset;
eresult = ISC_R_SUCCESS;
fname = NULL;
rdataset = NULL;
sigrdataset = NULL;
db = NULL;
cdb = NULL;
version = NULL;
cversion = NULL;
node = NULL;
cnode = NULL;
added_something = ISC_FALSE;
need_addname = ISC_FALSE;
zone = NULL;
needadditionalcache = ISC_FALSE;
POST(needadditionalcache);
additionaltype = dns_rdatasetadditional_fromauth;
dns_name_init(&cfname, NULL);
dns_clientinfomethods_init(&cm, ns_client_sourceip);
dns_clientinfo_init(&ci, client, NULL);
CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2");
/*
* We treat type A additional section processing as if it
* were "any address type" additional section processing.
* To avoid multiple lookups, we do an 'any' database
* lookup and iterate over the node.
* XXXJT: this approach can cause a suboptimal result when the cache
* DB only has partial address types and the glue DB has remaining
* ones.
*/
type = dns_rdatatype_any;
/*
* Get some resources.
*/
dbuf = query_getnamebuf(client);
if (dbuf == NULL)
goto cleanup;
fname = query_newname(client, dbuf, &b);
if (fname == NULL)
goto cleanup;
dns_name_setbuffer(&cfname, &b); /* share the buffer */
/* Check additional cache */
result = dns_rdataset_getadditional(rdataset_base, additionaltype,
type, client->view->acache, &zone,
&cdb, &cversion, &cnode, &cfname,
client->message, client->now);
if (result != ISC_R_SUCCESS)
goto findauthdb;
if (zone == NULL) {
CTRACE(ISC_LOG_DEBUG(3),
"query_addadditional2: auth zone not found");
goto try_cache;
}
/* Is the cached DB up-to-date? */
result = query_iscachevalid(zone, cdb, NULL, cversion);
if (result != ISC_R_SUCCESS) {
CTRACE(ISC_LOG_DEBUG(3),
"query_addadditional2: old auth additional cache");
query_discardcache(client, rdataset_base, additionaltype,
type, &zone, &cdb, &cversion, &cnode,
&cfname);
goto findauthdb;
}
if (cnode == NULL) {
/*
* We have a negative cache. We don't have to check the zone
* ACL, since the result (not using this zone) would be same
* regardless of the result.
*/
CTRACE(ISC_LOG_DEBUG(3),
"query_addadditional2: negative auth additional cache");
dns_db_closeversion(cdb, &cversion, ISC_FALSE);
dns_db_detach(&cdb);
dns_zone_detach(&zone);
goto try_cache;
}
result = query_validatezonedb(client, name, qtype, DNS_GETDB_NOLOG,
zone, cdb, NULL);
if (result != ISC_R_SUCCESS) {
query_discardcache(client, rdataset_base, additionaltype,
type, &zone, &cdb, &cversion, &cnode,
&cfname);
goto try_cache;
}
/* We've got an active cache. */
CTRACE(ISC_LOG_DEBUG(3),
"query_addadditional2: auth additional cache");
dns_db_closeversion(cdb, &cversion, ISC_FALSE);
db = cdb;
node = cnode;
dns_name_clone(&cfname, fname);
query_keepname(client, fname, dbuf);
goto foundcache;
/*
* Look for a zone database that might contain authoritative
* additional data.
*/
findauthdb:
result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
&zone, &db, &version);
if (result != ISC_R_SUCCESS) {
/* Cache the negative result */
(void)dns_rdataset_setadditional(rdataset_base, additionaltype,
type, client->view->acache,
NULL, NULL, NULL, NULL,
NULL);
goto try_cache;
}
CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: db_find");
/*
* Since we are looking for authoritative data, we do not set
* the GLUEOK flag. Glue will be looked for later, but not
* necessarily in the same database.
*/
node = NULL;
result = dns_db_findext(db, name, version, type,
client->query.dboptions,
client->now, &node, fname, &cm, &ci,
NULL, NULL);
if (result == ISC_R_SUCCESS)
goto found;
/* Cache the negative result */
(void)dns_rdataset_setadditional(rdataset_base, additionaltype,
type, client->view->acache, zone, db,
version, NULL, fname);
if (node != NULL)
dns_db_detachnode(db, &node);
version = NULL;
dns_db_detach(&db);
/*
* No authoritative data was found. The cache is our next best bet.
*/
try_cache:
additionaltype = dns_rdatasetadditional_fromcache;
result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
if (result != ISC_R_SUCCESS)
/*
* Most likely the client isn't allowed to query the cache.
*/
goto try_glue;
result = dns_db_findext(db, name, version, type,
client->query.dboptions |
DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK,
client->now, &node, fname, &cm, &ci,
NULL, NULL);
if (result == ISC_R_SUCCESS)
goto found;
if (node != NULL)
dns_db_detachnode(db, &node);
dns_db_detach(&db);
try_glue:
/*
* No cached data was found. Glue is our last chance.
* RFC1035 sayeth:
*
* NS records cause both the usual additional section
* processing to locate a type A record, and, when used
* in a referral, a special search of the zone in which
* they reside for glue information.
*
* This is the "special search". Note that we must search
* the zone where the NS record resides, not the zone it
* points to, and that we only do the search in the delegation
* case (identified by client->query.gluedb being set).
*/
if (client->query.gluedb == NULL)
goto cleanup;
/*
* Don't poison caches using the bailiwick protection model.
*/
if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
goto cleanup;
/* Check additional cache */
additionaltype = dns_rdatasetadditional_fromglue;
result = dns_rdataset_getadditional(rdataset_base, additionaltype,
type, client->view->acache, NULL,
&cdb, &cversion, &cnode, &cfname,
client->message, client->now);
if (result != ISC_R_SUCCESS)
goto findglue;
result = query_iscachevalid(zone, cdb, client->query.gluedb, cversion);
if (result != ISC_R_SUCCESS) {
CTRACE(ISC_LOG_DEBUG(3),
"query_addadditional2: old glue additional cache");
query_discardcache(client, rdataset_base, additionaltype,
type, &zone, &cdb, &cversion, &cnode,
&cfname);
goto findglue;
}
if (cnode == NULL) {
/* We have a negative cache. */
CTRACE(ISC_LOG_DEBUG(3),
"query_addadditional2: negative glue additional cache");
dns_db_closeversion(cdb, &cversion, ISC_FALSE);
dns_db_detach(&cdb);
goto cleanup;
}
/* Cache hit. */
CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: glue additional cache");
dns_db_closeversion(cdb, &cversion, ISC_FALSE);
db = cdb;
node = cnode;
dns_name_clone(&cfname, fname);
query_keepname(client, fname, dbuf);
goto foundcache;
findglue:
dns_db_attach(client->query.gluedb, &db);
result = dns_db_findext(db, name, version, type,
client->query.dboptions | DNS_DBFIND_GLUEOK,
client->now, &node, fname, &cm, &ci,
NULL, NULL);
if (!(result == ISC_R_SUCCESS ||
result == DNS_R_ZONECUT ||
result == DNS_R_GLUE)) {
/* cache the negative result */
(void)dns_rdataset_setadditional(rdataset_base, additionaltype,
type, client->view->acache,
NULL, db, version, NULL,
fname);
goto cleanup;
}
found:
/*
* We have found a DB node to iterate over from a DB.
* We are going to look for address RRsets (i.e., A and AAAA) in the DB
* node we've just found. We'll then store the complete information
* in the additional data cache.
*/
dns_name_clone(fname, &cfname);
query_keepname(client, fname, dbuf);
needadditionalcache = ISC_TRUE;
rdataset = query_newrdataset(client);
if (rdataset == NULL)
goto cleanup;
sigrdataset = query_newrdataset(client);
if (sigrdataset == NULL)
goto cleanup;
if (additionaltype == dns_rdatasetadditional_fromcache &&
query_isduplicate(client, fname, dns_rdatatype_a, NULL))
goto aaaa_lookup;
/*
* Find A RRset with sig RRset. Even if we don't find a sig RRset
* for a client using DNSSEC, we'll continue the process to make a
* complete list to be cached. However, we need to cancel the
* caching when something unexpected happens, in order to avoid
* caching incomplete information.
*/
result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0,
client->now, rdataset, sigrdataset);
/*
* If we can't promote glue/pending from the cache to secure
* then drop it.
*/
if (result == ISC_R_SUCCESS &&
additionaltype == dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) &&
!validate(client, db, fname, rdataset, sigrdataset)) {
dns_rdataset_disassociate(rdataset);
if (dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
result = ISC_R_NOTFOUND;
}
if (result == DNS_R_NCACHENXDOMAIN)
goto setcache;
if (result == DNS_R_NCACHENXRRSET) {
dns_rdataset_disassociate(rdataset);
if (dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
}
if (result == ISC_R_SUCCESS) {
/* Remember the result as a cache */
ISC_LIST_APPEND(cfname.list, rdataset, link);
if (dns_rdataset_isassociated(sigrdataset)) {
ISC_LIST_APPEND(cfname.list, sigrdataset, link);
sigrdataset = query_newrdataset(client);
}
rdataset = query_newrdataset(client);
if (sigrdataset == NULL || rdataset == NULL) {
/* do not cache incomplete information */
goto foundcache;
}
}
aaaa_lookup:
if (additionaltype == dns_rdatasetadditional_fromcache &&
query_isduplicate(client, fname, dns_rdatatype_aaaa, NULL))
goto foundcache;
/* Find AAAA RRset with sig RRset */
result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa,
0, client->now, rdataset, sigrdataset);
/*
* If we can't promote glue/pending from the cache to secure
* then drop it.
*/
if (result == ISC_R_SUCCESS &&
additionaltype == dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) &&
!validate(client, db, fname, rdataset, sigrdataset)) {
dns_rdataset_disassociate(rdataset);
if (dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
result = ISC_R_NOTFOUND;
}
if (result == ISC_R_SUCCESS) {
ISC_LIST_APPEND(cfname.list, rdataset, link);
rdataset = NULL;
if (dns_rdataset_isassociated(sigrdataset)) {
ISC_LIST_APPEND(cfname.list, sigrdataset, link);
sigrdataset = NULL;
}
}
setcache:
/*
* Set the new result in the cache if required. We do not support
* caching additional data from a cache DB.
*/
if (needadditionalcache == ISC_TRUE &&
(additionaltype == dns_rdatasetadditional_fromauth ||
additionaltype == dns_rdatasetadditional_fromglue)) {
(void)dns_rdataset_setadditional(rdataset_base, additionaltype,
type, client->view->acache,
zone, db, version, node,
&cfname);
}
foundcache:
need_sigrrset = ISC_FALSE;
mname0 = NULL;
for (crdataset = ISC_LIST_HEAD(cfname.list);
crdataset != NULL;
crdataset = crdataset_next) {
dns_name_t *mname;
crdataset_next = ISC_LIST_NEXT(crdataset, link);
mname = NULL;
if (crdataset->type == dns_rdatatype_a ||
crdataset->type == dns_rdatatype_aaaa) {
if (!query_isduplicate(client, fname, crdataset->type,
&mname)) {
if (mname != fname) {
if (mname != NULL) {
/*
* A different type of this
* name is already stored
* in the additional
* section. We'll reuse
* the name. Note that
* this should happen at
* most once. Otherwise,
* fname->link could leak
* below.
*/
INSIST(mname0 == NULL);
query_releasename(client,
&fname);
fname = mname;
mname0 = mname;
} else
need_addname = ISC_TRUE;
}
ISC_LIST_UNLINK(cfname.list, crdataset, link);
ISC_LIST_APPEND(fname->list, crdataset, link);
added_something = ISC_TRUE;
need_sigrrset = ISC_TRUE;
} else
need_sigrrset = ISC_FALSE;
} else if (crdataset->type == dns_rdatatype_rrsig &&
need_sigrrset && WANTDNSSEC(client)) {
ISC_LIST_UNLINK(cfname.list, crdataset, link);
ISC_LIST_APPEND(fname->list, crdataset, link);
added_something = ISC_TRUE; /* just in case */
need_sigrrset = ISC_FALSE;
}
}
CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: addname");
/*
* If we haven't added anything, then we're done.
*/
if (!added_something)
goto cleanup;
/*
* We may have added our rdatasets to an existing name, if so, then
* need_addname will be ISC_FALSE. Whether we used an existing name
* or a new one, we must set fname to NULL to prevent cleanup.
*/
if (need_addname)
dns_message_addname(client->message, fname,
DNS_SECTION_ADDITIONAL);
fname = NULL;
cleanup:
CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: cleanup");
if (rdataset != NULL)
query_putrdataset(client, &rdataset);
if (sigrdataset != NULL)
query_putrdataset(client, &sigrdataset);
while ((crdataset = ISC_LIST_HEAD(cfname.list)) != NULL) {
ISC_LIST_UNLINK(cfname.list, crdataset, link);
query_putrdataset(client, &crdataset);
}
if (fname != NULL)
query_releasename(client, &fname);
if (node != NULL)
dns_db_detachnode(db, &node);
if (db != NULL)
dns_db_detach(&db);
if (zone != NULL)
dns_zone_detach(&zone);
CTRACE(ISC_LOG_DEBUG(3), "query_addadditional2: done");
return (eresult);
}
static inline void
query_addrdataset(ns_client_t *client, dns_name_t *fname,
dns_rdataset_t *rdataset)
{
client_additionalctx_t additionalctx;
/*
* Add 'rdataset' and any pertinent additional data to
* 'fname', a name in the response message for 'client'.
@ -2566,15 +2034,44 @@ query_addrdataset(ns_client_t *client, dns_name_t *fname,
if (NOADDITIONAL(client))
return;
/*
* Try to process glue directly.
*/
if ((client->view->minimalresponses == dns_minimal_yes) &&
(rdataset->type == dns_rdatatype_ns) &&
(client->query.gluedb != NULL) &&
dns_db_iszone(client->query.gluedb))
{
isc_result_t result;
ns_dbversion_t *dbversion;
unsigned int options = 0;
dbversion = query_findversion(client, client->query.gluedb);
if (dbversion == NULL)
goto regular;
#ifdef ALLOW_FILTER_AAAA
if (client->filter_aaaa == dns_aaaa_filter ||
client->filter_aaaa == dns_aaaa_break_dnssec)
{
options |= DNS_RDATASETADDGLUE_FILTERAAAA;
}
#endif
result = dns_rdataset_addglue(rdataset, dbversion->version,
options, client->message);
if (result == ISC_R_SUCCESS)
return;
}
regular:
/*
* Add additional data.
*
* We don't care if dns_rdataset_additionaldata() fails.
*/
additionalctx.client = client;
additionalctx.rdataset = rdataset;
(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
&additionalctx);
(void)dns_rdataset_additionaldata(rdataset, query_addadditional,
client);
CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
}
@ -9894,8 +9391,7 @@ ns_query_start(ns_client_t *client) {
break;
}
if (client->view->cachedb == NULL || !client->view->additionalfromcache)
{
if (client->view->cachedb == NULL || !client->view->recursion) {
/*
* We don't have a cache. Turn off cache support and
* recursion.
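Review bot: The new direct-glue path in query_addrdataset calls `dns_rdataset_addglue(rdataset, dbversion->version, options, client->message)` without the bailiwick test that the try_glue path of query_addadditional applies (`dns_name_issubdomain(name, dns_db_origin(client->query.gluedb))`). It also does not check that `rdataset` was actually read from `client->query.gluedb`, whose version it passes in. Whether dns_rdataset_addglue enforces either condition is not visible on this page, so a comment above the call should say where both are guaranteed, or the `if` should test them explicitly before taking the fast path. The early `return` on success also skips the closing `CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done")`, which makes debug traces of the two paths inconsistent. Part of query_addrdataset's body lies between hunks and is not shown.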


@ -52,7 +52,6 @@
#include <bind9/check.h>
#include <dns/acache.h>
#include <dns/adb.h>
#include <dns/badcache.h>
#include <dns/cache.h>
@ -1279,12 +1278,14 @@ configure_order(dns_order_t *order, const cfg_obj_t *ent) {
#if DNS_RDATASET_FIXED
mode = DNS_RDATASETATTR_FIXEDORDER;
#else
mode = 0;
mode = DNS_RDATASETATTR_CYCLIC;
#endif /* DNS_RDATASET_FIXED */
else if (!strcasecmp(str, "random"))
mode = DNS_RDATASETATTR_RANDOMIZE;
else if (!strcasecmp(str, "cyclic"))
mode = 0;
mode = DNS_RDATASETATTR_CYCLIC;
else if (!strcasecmp(str, "none"))
mode = DNS_RDATASETATTR_NONE;
else
INSIST(0);
@ -2517,8 +2518,6 @@ configure_catz_zone(dns_view_t *view, const cfg_obj_t *config,
RUNTIME_CHECK(tresult == ISC_R_SUCCESS);
dns_zone_setview(dnszone, view);
if (view->acache != NULL)
dns_zone_setacache(dnszone, view->acache);
dns_view_addzone(view, dnszone);
}
@ -3310,7 +3309,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
unsigned int cleaning_interval;
size_t max_cache_size;
isc_uint32_t max_cache_size_percent = 0;
size_t max_acache_size;
size_t max_adb_size;
isc_uint32_t lame_ttl, fail_ttl;
dns_tsig_keyring_t *ring = NULL;
@ -3377,53 +3375,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
CHECKM(ns_config_getport(config, &port), "port");
dns_view_setdstport(view, port);
/*
* Create additional cache for this view and zones under the view
* if explicitly enabled.
* XXX950 default to on.
*/
obj = NULL;
(void)ns_config_get(maps, "acache-enable", &obj);
if (obj != NULL && cfg_obj_asboolean(obj)) {
cmctx = NULL;
CHECK(isc_mem_create(0, 0, &cmctx));
CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
ns_g_timermgr));
isc_mem_setname(cmctx, "acache", NULL);
isc_mem_detach(&cmctx);
}
if (view->acache != NULL) {
obj = NULL;
result = ns_config_get(maps, "acache-cleaning-interval", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_acache_setcleaninginterval(view->acache,
cfg_obj_asuint32(obj) * 60);
obj = NULL;
result = ns_config_get(maps, "max-acache-size", &obj);
INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_isstring(obj)) {
str = cfg_obj_asstring(obj);
INSIST(strcasecmp(str, "unlimited") == 0);
max_acache_size = 0;
} else {
isc_resourcevalue_t value;
value = cfg_obj_asuint64(obj);
if (value > SIZE_MAX) {
cfg_obj_log(obj, ns_g_lctx,
ISC_LOG_WARNING,
"'max-acache-size "
"%" ISC_PRINT_QUADFORMAT "u' "
"is too large for this "
"system; reducing to %lu",
value, (unsigned long)SIZE_MAX);
value = SIZE_MAX;
}
max_acache_size = (size_t) value;
}
dns_acache_setcachesize(view->acache, max_acache_size);
}
CHECK(configure_view_acl(vconfig, config, "allow-query", NULL, actx,
ns_g_mctx, &view->queryacl));
if (view->queryacl == NULL) {
@ -4305,32 +4256,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
INSIST(result == ISC_R_SUCCESS);
view->trust_anchor_telemetry = cfg_obj_asboolean(obj);
/*
* Set sources where additional data and CNAME/DNAME
* targets for authoritative answers may be found.
*/
obj = NULL;
result = ns_config_get(maps, "additional-from-auth", &obj);
INSIST(result == ISC_R_SUCCESS);
view->additionalfromauth = cfg_obj_asboolean(obj);
if (view->recursion && ! view->additionalfromauth) {
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
"'additional-from-auth no' is only supported "
"with 'recursion no'");
view->additionalfromauth = ISC_TRUE;
}
obj = NULL;
result = ns_config_get(maps, "additional-from-cache", &obj);
INSIST(result == ISC_R_SUCCESS);
view->additionalfromcache = cfg_obj_asboolean(obj);
if (view->recursion && ! view->additionalfromcache) {
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
"'additional-from-cache no' is only supported "
"with 'recursion no'");
view->additionalfromcache = ISC_TRUE;
}
/*
* Set "allow-query-cache", "allow-query-cache-on",
* "allow-recursion", and "allow-recursion-on" acls if
@ -5600,8 +5525,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
* new view.
*/
dns_zone_setview(zone, view);
if (view->acache != NULL)
dns_zone_setacache(zone, view->acache);
} else {
/*
* We cannot reuse an existing zone, we have
@ -5610,8 +5533,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
CHECK(dns_zonemgr_createzone(ns_g_server->zonemgr, &zone));
CHECK(dns_zone_setorigin(zone, origin));
dns_zone_setview(zone, view);
if (view->acache != NULL)
dns_zone_setacache(zone, view->acache);
CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
dns_zone_setstats(zone, ns_g_server->zonestats);
}
@ -5670,8 +5591,6 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
CHECK(dns_zone_create(&raw, mctx));
CHECK(dns_zone_setorigin(raw, origin));
dns_zone_setview(raw, view);
if (view->acache != NULL)
dns_zone_setacache(raw, view->acache);
dns_zone_setstats(raw, ns_g_server->zonestats);
CHECK(dns_zone_link(zone, raw));
}
@ -5768,9 +5687,6 @@ add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx) {
CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
if (view->acache != NULL)
dns_zone_setacache(zone, view->acache);
CHECK(dns_acl_none(mctx, &none));
dns_zone_setqueryacl(zone, none);
dns_zone_setqueryonacl(zone, none);
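Review bot: In the configure_order hunk, the `#else` arm now assigns `DNS_RDATASETATTR_CYCLIC`, so what appears to be the `fixed` branch silently becomes cyclic ordering when `DNS_RDATASET_FIXED` is not compiled in. A one-line comment there, such as `/* fixed ordering not compiled in: fall back to cyclic */`, would make that fallback explicit to whoever reads the configuration code next. The new `none` branch setting `DNS_RDATASETATTR_NONE` likewise has no comment saying what ordering a client should expect. The `if` that opens this chain is outside the hunk, so the reading of the first arm is inferred.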


@ -13,7 +13,6 @@ options {
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
recursion no;
additional-from-auth no;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };


@ -13,7 +13,6 @@ options {
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
recursion no;
additional-from-auth no;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };


@ -11,7 +11,6 @@ options {
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
recursion no;
additional-from-auth no;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };


@ -11,7 +11,6 @@ options {
notify-source 10.53.0.1;
transfer-source 10.53.0.1;
recursion no;
additional-from-auth no;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.1; };


@ -6,7 +6,8 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f */K* */dsset-* */*.signed */tmp* */*.jnl */*.bk
rm -f */trusted.conf */private.conf
rm -f */core
rm -f */example.bk
rm -f */named.memstats


@ -31,9 +31,19 @@ $DSFROMKEY $kskname.key > dsset-${zone}$TP
zone=private.secure.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
$KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null
ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
cat $ksk.key | grep -v '^; ' | $PERL -n -e '
local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
local $key = join("", @rest);
print <<EOF
trusted-keys {
"$dn" $flags $proto $alg "$key";
};
EOF
' > private.conf
cp private.conf ../ns4/private.conf
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null 2>&1
# Extract saved keys for the revoke-to-duplicate-key test
zone=bar
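Review bot: The key name captured in `ksk` is used unchecked and unquoted in `cat $ksk.key`, so a failed `$KEYGEN` run would presumably leave `private.conf` empty and still copy it to `../ns4/private.conf`. The problem would then only surface later as a missing trust anchor on ns4 rather than at the step that failed. Reading the file directly with `grep -v '^; ' "$ksk.key" | $PERL -n -e ...` and stopping when `$ksk` is empty would report the failure where it happens. A short comment saying that `private.conf` is the trust anchor ns4 uses for private.secure.example would also help.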


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */
// NS4
controls { /* empty */ };
@ -21,7 +19,6 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-must-be-secure mustbesecure.example yes;
@ -33,3 +30,4 @@ zone "." {
};
include "trusted.conf";
include "private.conf";


@ -21,7 +21,6 @@ options {
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
};


@ -692,8 +692,7 @@ $DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
@ -714,13 +713,9 @@ status=`expr $status + $ret`
echo "I:checking privately secure to nxdomain works ($n)"
ret=0
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
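Review bot: In the second hunk the comparison against the authoritative answer from 10.53.0.2 appears to be dropped in favour of `grep "NXDOMAIN"`, which matches that string anywhere in the dig output rather than in the response status. Anchoring it, as in `grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1`, keeps the check tied to the rcode. Both hunks also flip the AD-flag assertion from "must be absent" to "must be present", presumably because ns4 now loads a trust anchor for the private zone. This file then no longer asserts that a zone without a configured anchor is answered without AD, so a separate negative case would be worth keeping. The +/- markers are lost in this rendering, so the old/new assignment here is inferred from the hunk line counts.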


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.11 2011/08/02 23:47:52 tbox Exp $ */
controls { /* empty */ };
options {
@ -21,6 +19,7 @@ options {
recursion no;
notify yes;
check-integrity no;
minimal-responses no;
};
zone "." {
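Review bot: `minimal-responses no;` is added to the `options` block without a comment, and the same line is added to many other test configurations in this commit. Since the commit changes the built-in default to `yes`, a short comment such as `// pin the pre-change default: this test inspects the authority/additional sections` would tell a maintainer whether the test needs the override or whether it only avoids regenerating expected output. That reason is inferred from the commit description, so the wording should match the real intent.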


@ -20,6 +20,7 @@ options {
notify yes;
ixfr-from-differences yes;
check-integrity no;
minimal-responses no;
};
zone "example" {


@ -21,6 +21,7 @@ options {
ixfr-from-differences yes;
check-integrity no;
no-case-compress { 10.53.0.2; };
minimal-responses no;
};
zone "example" {


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
check-names response warn;
notify yes;
};


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
check-names response fail;
notify yes;
};


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
check-names master ignore;
notify yes;
};


@ -24,7 +24,6 @@ options {
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }


@ -17,7 +17,6 @@ options {
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
acache-enable yes;
send-cookie yes;
nocookie-udp-size 512;
};


@ -24,7 +24,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }


@ -15,7 +15,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { fd92:7065:b8e:ffff::3; };
recursion yes;
acache-enable yes;
dnssec-enable no;
dnssec-validation no;
server-id "ns3";


@ -49,7 +49,6 @@ options {
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
dnssec-enable yes;
dnssec-validation yes;


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.36 2011/03/21 23:47:21 tbox Exp $ */
// NS2
controls { /* empty */ };
@ -25,6 +23,7 @@ options {
dnssec-enable yes;
dnssec-validation yes;
notify-delay 1;
minimal-responses no;
};
zone "." {


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.49 2011/10/28 06:20:05 each Exp $ */
// NS3
controls { /* empty */ };
@ -25,6 +23,7 @@ options {
dnssec-enable yes;
dnssec-validation yes;
session-keyfile "session.key";
minimal-responses no;
};
key rndc_key {


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named1.conf,v 1.3 2011/01/04 23:47:13 tbox Exp $ */
// NS4
controls { /* empty */ };
@ -21,10 +19,10 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-must-be-secure mustbesecure.example yes;
minimal-responses no;
nta-lifetime 10s;
nta-recheck 7s;


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named2.conf,v 1.3 2011/01/04 23:47:13 tbox Exp $ */
// NS4
controls { /* empty */ };
@ -22,10 +20,10 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
minimal-responses no;
};
key rndc_key {


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named2.conf,v 1.3 2011/01/04 23:47:13 tbox Exp $ */
// NS4
controls { /* empty */ };
@ -21,11 +19,11 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
dnssec-accept-expired yes;
minimal-responses no;
};
key rndc_key {


@ -38,4 +38,48 @@ controls {
zone "." {
type hint;
file "../../common/root.hint";
}
key auth {
secret "1234abcd8765";
algorithm hmac-sha256;
};
include "trusted.conf";
view rec {
match-recursive-only yes;
recursion yes;
dnssec-validation yes;
dnssec-accept-expired yes;
zone "." {
type hint;
file "../../common/root.hint";
};
zone secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
zone insecure.secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
};
view auth {
recursion no;
allow-recursion { none; };
zone secure.example {
type slave;
masters { 10.53.0.3; };
};
zone insecure.secure.example {
type slave;
masters { 10.53.0.2; };
};
};
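Review bot: `key auth` is defined with the literal secret `"1234abcd8765"`, but neither `view rec` nor `view auth` refers to it in the lines shown. The views appear to be selected by the RD bit alone, through `match-recursive-only yes;`. If the test scripts sign queries with this key, a comment above it should say so, e.g. `// test-only TSIG key used by the test scripts; never reuse outside the test network`; if nothing uses it, it can be dropped. `dnssec-accept-expired yes;` in `view rec` also deserves a one-line comment, because it makes the validator accept expired signatures for that view. The file starts before this hunk, so a reference to the key may be out of view.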


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
};


@ -21,7 +21,6 @@ options {
listen-on { 10.53.0.6; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
disable-algorithms . { DSA; };
dnssec-enable yes;


@ -1187,11 +1187,9 @@ status=`expr $status + $ret`
echo "I:checking privately secure to nxdomain works ($n)"
ret=0
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`
@ -1200,11 +1198,9 @@ status=`expr $status + $ret`
echo "I:checking privately secure wildcard to nxdomain works ($n)"
ret=0
$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.2 \
> dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth a.wild.private.secure.example. SOA @10.53.0.4 \
> dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1`


@ -26,7 +26,6 @@ options {
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }


@ -26,7 +26,6 @@ options {
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }


@ -22,6 +22,7 @@ options {
notify yes;
filter-aaaa-on-v4 yes;
filter-aaaa { 10.53.0.1; };
minimal-responses no;
};
key rndc_key {


@ -22,6 +22,7 @@ options {
notify yes;
filter-aaaa-on-v6 yes;
filter-aaaa { fd92:7065:b8e:ffff::1; };
minimal-responses no;
};
key rndc_key {


@ -4,13 +4,17 @@
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: root.db,v 1.4 2012/01/31 23:47:32 tbox Exp $
$TTL 120
@ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
@ NS ns.utld
ns.utld A 10.53.0.1
ns.utld AAAA fd92:7065:b8e:ffff::1
;
signed NS ns.utld
unsigned NS ns.utld
signed NS ns.signed
ns.signed A 10.53.0.1
ns.signed AAAA fd92:7065:b8e:ffff::1
unsigned NS ns.unsigned
ns.unsigned A 10.53.0.1
ns.unsigned AAAA fd92:7065:b8e:ffff::1


@ -4,12 +4,14 @@
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: signed.db.in,v 1.4 2012/01/31 23:47:32 tbox Exp $
$TTL 120
@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
@ SOA ns.signed. hostmaster.ns.signed. ( 1 3600 1200 604800 60 )
@ NS ns
@ MX 10 mx
ns A 10.53.0.1
AAAA fd92:7065:b8e:ffff::1
a-only NS 1.0.0.1
aaaa-only AAAA 2001:db8::2
dual A 1.0.0.3


@ -4,12 +4,14 @@
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: unsigned.db,v 1.4 2012/01/31 23:47:32 tbox Exp $
$TTL 120
@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
@ SOA ns.unsigned. hostmaster.ns.unsigned. ( 1 3600 1200 604800 60 )
@ NS ns
@ MX 10 mx
ns A 10.53.0.1
AAAA fd92:7065:b8e:ffff::1
a-only NS 1.0.0.4
aaaa-only AAAA 2001:db8::5
dual A 1.0.0.6


@ -22,6 +22,7 @@ options {
notify yes;
filter-aaaa-on-v4 yes;
filter-aaaa { 10.53.0.2; };
minimal-responses no;
};
key rndc_key {


@ -22,6 +22,7 @@ options {
notify yes;
filter-aaaa-on-v6 yes;
filter-aaaa { fd92:7065:b8e:ffff::2; };
minimal-responses no;
};
key rndc_key {


@ -22,6 +22,7 @@ options {
notify yes;
filter-aaaa-on-v4 break-dnssec;
filter-aaaa { 10.53.0.3; };
minimal-responses no;
};
key rndc_key {


@ -22,6 +22,7 @@ options {
notify yes;
filter-aaaa-on-v6 break-dnssec;
filter-aaaa { fd92:7065:b8e:ffff::3; };
minimal-responses no;
};
key rndc_key {


@ -22,6 +22,7 @@ options {
notify yes;
filter-aaaa-on-v4 break-dnssec;
filter-aaaa { 10.53.0.4; };
minimal-responses no;
};
key rndc_key {


@ -22,6 +22,7 @@ options {
notify yes;
filter-aaaa-on-v6 break-dnssec;
filter-aaaa { fd92:7065:b8e:ffff::4; };
minimal-responses no;
};
key rndc_key {


@ -5,12 +5,16 @@
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: root.db,v 1.4 2012/01/31 23:47:32 tbox Exp $
$TTL 120
@ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
@ NS ns.utld
ns.utld A 10.53.0.1
ns.utld AAAA fd92:7065:b8e:ffff::1
ns.utld A 10.53.0.4
ns.utld AAAA fd92:7065:b8e:ffff::4
;
signed NS ns.utld
unsigned NS ns.utld
signed NS ns.signed
ns.signed A 10.53.0.4
ns.signed AAAA fd92:7065:b8e:ffff::4
unsigned NS ns.unsigned
ns.unsigned A 10.53.0.4
ns.unsigned AAAA fd92:7065:b8e:ffff::4


@ -4,12 +4,14 @@
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: signed.db.in,v 1.4 2012/01/31 23:47:32 tbox Exp $
$TTL 120
@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
@ SOA ns.signed. hostmaster.ns.signed. ( 1 3600 1200 604800 60 )
@ NS ns
@ MX 10 mx
ns A 10.53.0.4
AAAA fd92:7065:b8e:ffff::4
a-only NS 1.0.0.1
aaaa-only AAAA 2001:db8::2
dual A 1.0.0.3


@ -4,12 +4,14 @@
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
; $Id: unsigned.db,v 1.4 2012/01/31 23:47:32 tbox Exp $
$TTL 120
@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
@ SOA ns.unsigned. hostmaster.ns.unsigned. ( 1 3600 1200 604800 60 )
@ NS ns
@ MX 10 mx
ns A 10.53.0.4
AAAA fd92:7065:b8e:ffff::4
a-only NS 1.0.0.4
aaaa-only AAAA 2001:db8::5
dual A 1.0.0.6


@ -55,13 +55,3 @@ NISC.JVNC.NET. 172800 IN A 128.121.50.7
NS.EU.NET. 172800 IN A 192.16.202.11
SPARKY.ARL.MIL. 172800 IN A 128.63.58.18
SUNIC.SUNET.SE. 172800 IN A 192.36.125.2
;
; A hypothetical ccTLD where we are authoritative for the NS glue.
;
xx. 172800 IN NS b.root-servers.nil.
;
; A hypothetical ccTLD where we have cached NS glue.
;
yy. 172800 IN NS ns.zz.


@ -21,14 +21,6 @@ echo "I:testing that a ccTLD referral gets a full glue set from the root zone"
$DIG +norec @10.53.0.1 -p 5300 foo.bar.fi. A >dig.out || status=1
$PERL ../digcomp.pl --lc fi.good dig.out || status=1
echo "I:testing that we find glue A RRs we are authoritative for"
$DIG +norec @10.53.0.1 -p 5300 foo.bar.xx. a >dig.out || status=1
$PERL ../digcomp.pl xx.good dig.out || status=1
echo "I:testing that we find glue A/AAAA RRs in the cache"
$DIG +norec @10.53.0.1 -p 5300 foo.bar.yy. a >dig.out || status=1
$PERL ../digcomp.pl yy.good dig.out || status=1
echo "I:testing that we don't find out-of-zone glue"
$DIG +norec @10.53.0.1 -p 5300 example.net. a > dig.out || status=1
$PERL ../digcomp.pl noglue.good dig.out || status=1


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.14 2007/06/19 23:47:03 tbox Exp $ */
controls { /* empty */ };
options {
@ -20,6 +18,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify yes;
minimal-responses no;
};
zone "." {


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
};


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
};


@ -34,7 +34,6 @@ options {
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
};


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.22 2011/07/01 02:25:47 marka Exp $ */
controls { /* empty */ };
options {
@ -21,6 +19,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify yes;
minimal-responses no;
};
key rndc_key {


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
};


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
deny-answer-addresses { 192.0.2.0/24; 2001:db8:beef::/48; }
except-from { "example.org"; };
deny-answer-aliases { "example.org"; }


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id$ */
controls { /* empty */ };
@ -21,6 +19,7 @@ options {
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
notify no;
minimal-responses no;
};
zone "." {type master; file "root.db";};


@ -6,9 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id$ */
controls { /* empty */ };
@ -22,6 +19,7 @@ options {
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
notify no;
minimal-responses no;
};
key rndc_key {


@ -6,9 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id$ */
/*
* Main rpz test DNS server.
@ -25,6 +22,7 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
notify no;
minimal-responses no;
response-policy {
zone "bl" max-policy-ttl 100;


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id$ */
controls { /* empty */ };
@ -21,6 +19,7 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
notify no;
minimal-responses no;
};
include "../trusted.conf";


@ -6,9 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id$ */
/*
* Test rpz performance.
@ -27,6 +24,7 @@ options {
ixfr-from-differences yes;
notify-delay 1;
notify yes;
minimal-responses no;
# turn rpz on or off
include "rpz-switch";


@ -18,6 +18,7 @@ options {
listen-on-v6 { none; };
forward only;
forwarders { 10.53.0.3; };
minimal-responses no;
response-policy { zone "policy1" min-update-interval 0; };
};


@ -16,6 +16,7 @@ options {
session-keyfile "session.key";
listen-on { 10.53.0.7; };
listen-on-v6 { none; };
minimal-responses no;
response-policy { zone "policy2"; }
qname-wait-recurse no


@ -30,8 +30,6 @@ options {
min-table-size 0;
max-table-size 0;
};
additional-from-cache no;
};
key rndc_key {


@ -30,8 +30,6 @@ options {
// small enough to force a table expansion
min-table-size 75;
};
additional-from-cache no;
};
key rndc_key {


@ -31,8 +31,6 @@ options {
// small enough to force a table expansion
min-table-size 75;
};
additional-from-cache no;
};
key rndc_key {


@ -6,10 +6,8 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# $Id: clean.sh,v 1.10 2011/12/23 23:47:13 tbox Exp $
rm -f dig.out.test*
rm -f dig.out.cyclic dig.out.fixed dig.out.random
rm -f dig.out.cyclic dig.out.fixed dig.out.random dig.out.nomatch
rm -f dig.out.0 dig.out.1 dig.out.2 dig.out.3
rm -f dig.out.cyclic2
rm -f ns2/root.bk


@ -36,3 +36,8 @@ cyclic2.example. A 1.2.3.4
cyclic2.example. A 1.2.3.3
cyclic2.example. A 1.2.3.2
cyclic2.example. A 1.2.3.1
;
nomatch.example. A 1.2.3.1
nomatch.example. A 1.2.3.2
nomatch.example. A 1.2.3.3
nomatch.example. A 1.2.3.4


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
rrset-order {
name "fixed.example" order fixed;


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
rrset-order {
class IN type A name "host.example.com" order random;


@ -438,7 +438,7 @@ echo "I: Random selection return $match of 24 possible orders in 36 samples"
if [ $match -lt 8 ]; then echo ret=1; fi
if [ $ret != 0 ]; then echo "I:failed"; fi
echo "I: Checking default order no match in rrset-order (random)"
echo "I: Checking default order no match in rrset-order (no shuffling)"
ret=0
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
do
@ -447,11 +447,11 @@ done
for i in a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 9
do
$DIG +nosea +nocomm +nocmd +noquest +noadd +noauth +nocomm +nostat +short \
-p 5300 @10.53.0.4 random.example > dig.out.random|| ret=1
-p 5300 @10.53.0.4 nomatch.example > dig.out.nomatch|| ret=1
match=0
for j in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
do
eval "$DIFF dig.out.random dig.out.random.good$j >/dev/null && match$j=1 match=1"
eval "$DIFF dig.out.nomatch dig.out.random.good$j >/dev/null && match$j=1 match=1"
if [ $match -eq 1 ]; then break; fi
done
if [ $match -eq 0 ]; then ret=1; fi
@ -461,8 +461,8 @@ for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
do
eval "match=\`expr \$match + \$match$i\`"
done
echo "I: Random selection return $match of 24 possible orders in 36 samples"
if [ $match -lt 8 ]; then echo ret=1; fi
echo "I: Consistent selection return $match of 24 possible orders in 36 samples"
if [ $match -ne 1 ]; then echo ret=1; fi
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
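Review bot: The final check `if [ $match -ne 1 ]; then echo ret=1; fi` prints the text `ret=1` instead of assigning it, so a server that returns the no-match RRset in more than one order would still pass this test. It should read `if [ $match -ne 1 ]; then ret=1; fi`. The random-order check at the top of the first hunk, `if [ $match -lt 8 ]; then echo ret=1; fi`, has the same slip and can be fixed the same way. The +/- markers are lost in this rendering, so this assumes the `-ne 1` line is the new side.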


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
dnssec-enable yes;
dnssec-validation yes;
servfail-ttl 30;


@ -18,6 +18,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify yes;
minimal-responses no;
version none; // make statistics independent of the version number
};


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
};


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
};


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.14 2007/06/19 23:47:05 tbox Exp $ */
controls { /* empty */ };
options {
@ -20,6 +18,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify yes;
minimal-responses no;
};
zone "." {


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.14 2007/06/19 23:47:05 tbox Exp $ */
controls { /* empty */ };
options {
@ -20,6 +18,7 @@ options {
listen-on-v6 { none; };
recursion no;
notify yes;
minimal-responses no;
};
zone "." {


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf,v 1.16 2007/06/18 23:47:31 tbox Exp $ */
controls { /* empty */ };
options {
@ -19,8 +17,8 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
minimal-responses no;
};
zone "." {


@ -6,8 +6,6 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: named.conf.in,v 1.10 2011/11/03 23:46:26 tbox Exp $ */
controls { /* empty */ };
options {


@ -6,8 +6,6 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
# $Id: tests.sh,v 1.11 2011/11/03 23:46:26 tbox Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
@ -41,7 +39,7 @@ do
echo "I:checking the new key"
ret=0
$DIG $DIGOPTS . ns -k $keyname > dig.out.1 || ret=1
$DIG $DIGOPTS txt txt.example -k $keyname > dig.out.1 || ret=1
grep "status: NOERROR" dig.out.1 > /dev/null || ret=1
grep "TSIG.*hmac-md5.*NOERROR" dig.out.1 > /dev/null || ret=1
grep "Some TSIG could not be validated" dig.out.1 > /dev/null && ret=1
@ -60,7 +58,7 @@ do
echo "I:checking that new key has been deleted"
ret=0
$DIG $DIGOPTS . ns -k $keyname > dig.out.2 || ret=1
$DIG $DIGOPTS txt txt.example -k $keyname > dig.out.2 || ret=1
grep "status: NOERROR" dig.out.2 > /dev/null && ret=1
grep "TSIG.*hmac-md5.*NOERROR" dig.out.2 > /dev/null && ret=1
grep "Some TSIG could not be validated" dig.out.2 > /dev/null || ret=1


@ -24,7 +24,6 @@ options {
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
};


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
};


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
};


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
};


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
allow-v6-synthesis { any; };
};


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
notify yes;
};


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
recursion no;
acache-enable yes;
};
zone "." {


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
acache-enable yes;
};
zone "example" {


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
recursion yes;
acache-enable yes;
};
zone "." {


@ -19,7 +19,6 @@ options {
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion no;
acache-enable yes;
};
zone "example" {


@ -578,11 +578,6 @@
option can be used to limit the amount of memory used by the cache,
at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
traffic.
Additionally, if additional section caching
(<xref linkend="acache"/>) is enabled,
the <command>max-acache-size</command> option can be used to
limit the amount
of memory used by the mechanism.
It is still good practice to have enough memory to load
all zone and cache data into memory — unfortunately, the best
way
@ -4626,8 +4621,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ <command>nta-recheck</command> <replaceable>duration</replaceable> ; ]
[ <command>port</command> <replaceable>ip_port</replaceable> ; ]
[ <command>dscp</command> <replaceable>ip_dscp</replaceable> ; ]
[ <command>additional-from-auth</command> <replaceable>yes_or_no</replaceable> ; ]
[ <command>additional-from-cache</command> <replaceable>yes_or_no</replaceable> ; ]
[ <command>random-device</command> <replaceable>path_name</replaceable> ; ]
[ <command>max-cache-size</command> <replaceable>size_or_percent</replaceable> ; ]
[ <command>match-mapped-addresses</command> <replaceable>yes_or_no</replaceable> ; ]
@ -4653,9 +4646,6 @@ badresp:1,adberr:0,findfail:0,valfail:0]
[ <command>querylog</command> <replaceable>yes_or_no</replaceable> ; ]
[ <command>disable-algorithms</command> <replaceable>domain</replaceable> <command>{</command> <replaceable>algorithm</replaceable> ; ... <command>}</command> ; ]
[ <command>disable-ds-digests</command> <replaceable>domain</replaceable> <command>{</command> <replaceable>digest_type</replaceable> ; ... <command>}</command> ; ]
[ <command>acache-enable</command> <replaceable>yes_or_no</replaceable> ; ]
[ <command>acache-cleaning-interval</command> <replaceable>number</replaceable> ; ]
[ <command>max-acache-size</command> <replaceable>size_spec</replaceable> ; ]
[ <command>max-recursion-depth</command> <replaceable>number</replaceable> ; ]
[ <command>max-recursion-queries</command> <replaceable>number</replaceable> ; ]
[ <command>masterfile-format</command> ( <option>text</option> | <option>raw</option> | <option>map</option> ) ; ]
@ -6342,7 +6332,7 @@ options {
both authoritative and recursive queries.
</para>
<para>
The default is <userinput>no</userinput>.
The default is <userinput>yes</userinput>.
</para>
</listitem>
</varlistentry>
@ -6733,94 +6723,6 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>additional-from-auth</command></term>
<term><command>additional-from-cache</command></term>
<listitem>
<para>
These options control the behavior of an authoritative
server when
answering queries which have additional data, or when
following CNAME
and DNAME chains.
</para>
<para>
When both of these options are set to <userinput>yes</userinput>
(the default) and a
query is being answered from authoritative data (a zone
configured into the server), the additional data section of
the
reply will be filled in using data from other authoritative
zones
and from the cache. In some situations this is undesirable,
such
as when there is concern over the correctness of the cache,
or
in servers where slave zones may be added and modified by
untrusted third parties. Also, avoiding
the search for this additional data will speed up server
operations
at the possible expense of additional queries to resolve
what would
otherwise be provided in the additional section.
</para>
<para>
For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
if known, even though they are not in the example.com zone.
Setting these options to <command>no</command>
disables this behavior and makes
the server only search for additional data in the zone it
answers from.
</para>
<para>
These options are intended for use in authoritative-only
servers, or in authoritative-only views. Attempts to set
them to <command>no</command> without also
specifying
<command>recursion no</command> will cause the
server to
ignore the options and log a warning message.
</para>
<para>
Specifying <command>additional-from-cache no</command> actually
disables the use of the cache not only for additional data
lookups
but also when looking up the answer. This is usually the
desired
behavior in an authoritative-only server where the
correctness of
the cached data is an issue.
</para>
<para>
When a name server is non-recursively queried for a name
that is not
below the apex of any served zone, it normally answers with
an
"upwards referral" to the root servers or the servers of
some other
known parent of the query name. Since the data in an
upwards referral
comes from the cache, the server will not be able to provide
upwards
referrals when <command>additional-from-cache no</command>
has been specified. Instead, it will respond to such
queries
with REFUSED. This should not cause any problems since
upwards referrals are not required for the resolution
process.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>match-mapped-addresses</command></term>
<listitem>
@ -9055,7 +8957,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<para>
The response to a DNS query may consist of multiple resource
records (RRs) forming a resource records set (RRset).
records (RRs) forming a resource record set (RRset).
The name server will normally return the
RRs within the RRset in an indeterminate order
(but see the <command>rrset-order</command>
@ -9169,17 +9071,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<para>
When multiple records are returned in an answer it may be
useful to configure the order of the records placed into the
response.
The <command>rrset-order</command> statement permits
configuration
of the ordering of the records in a multiple record response.
response. The <command>rrset-order</command> statement permits
configuration of the ordering of the records in a
multiple-record response.
See also the <command>sortlist</command> statement,
<xref linkend="the_sortlist_statement"/>.
</para>
<para>
An <command>order_spec</command> is defined as
follows:
An <command>order_spec</command> is defined as follows:
</para>
<para>
<optional>class <replaceable>class_name</replaceable></optional>
@ -9207,7 +9106,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<entry colname="2">
<para>
Records are returned in the order they
are defined in the zone file.
are defined in the zone file. This option
is only available if <acronym>BIND</acronym>
is configured with "--enable-fixed-rrset" at
compile time.
</para>
</entry>
</row>
@ -9227,29 +9129,45 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</entry>
<entry colname="2">
<para>
Records are returned in a cyclic round-robin order.
Records are returned in a cyclic round-robin order,
rotating by one record per query.
</para>
<para>
If <acronym>BIND</acronym> is configured with the
"--enable-fixed-rrset" option at compile time, then
If <acronym>BIND</acronym> is configured with
"--enable-fixed-rrset" at compile time, then
the initial ordering of the RRset will match the
one specified in the zone file.
one specified in the zone file; otherwise the
initial ordering is indeterminate.
</para>
</entry>
</row>
<row rowsep="0">
<entry colname="1">
<para><command>none</command></para>
</entry>
<entry colname="2">
<para>
Records are returned in whatever order they were
retrieved from the database. This order is
indeterminate, but will be consistent as long as the
database is not modified. When no ordering is
specified, this is the default.
</para>
</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>
</para>
<para>
For example:
</para>
<programlisting>rrset-order {
class IN type A name "host.example.com" order random;
order cyclic;
};
</programlisting>
<para>
will cause any responses for type A records in class IN that
have "<literal>host.example.com</literal>" as a
@ -9261,7 +9179,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
appear, they are not combined — the last one applies.
</para>
<para>
By default, all records are returned in random order.
By default, records are returned in indeterminate but
consistent order (see <command>none</command> above).
</para>
<note>
@ -10020,121 +9939,6 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
</variablelist>
</section>
<section xml:id="acache"><info><title>Additional Section Caching</title></info>
<para>
The additional section cache, also called <command>acache</command>,
is an internal cache to improve the response performance of BIND 9.
When additional section caching is enabled, BIND 9 will
cache an internal short-cut to the additional section content for
each answer RR.
Note that <command>acache</command> is an internal caching
mechanism of BIND 9, and is not related to the DNS caching
server function.
</para>
<para>
Additional section caching does not change the
response content (except the RRsets ordering of the additional
section, see below), but can improve the response performance
significantly.
It is particularly effective when BIND 9 acts as an authoritative
server for a zone that has many delegations with many glue RRs.
</para>
<para>
In order to obtain the maximum performance improvement
from additional section caching, setting
<command>additional-from-cache</command>
to <command>no</command> is recommended, since the current
implementation of <command>acache</command>
does not short-cut of additional section information from the
DNS cache data.
</para>
<para>
One obvious disadvantage of <command>acache</command> is
that it requires much more
memory for the internal cached data.
Thus, if the response performance does not matter and memory
consumption is much more critical, the
<command>acache</command> mechanism can be
disabled by setting <command>acache-enable</command> to
<command>no</command>.
It is also possible to specify the upper limit of memory
consumption
for acache by using <command>max-acache-size</command>.
</para>
<para>
Additional section caching also has a minor effect on the
RRset ordering in the additional section.
Without <command>acache</command>,
<command>cyclic</command> order is effective for the additional
section as well as the answer and authority sections.
However, additional section caching fixes the ordering when it
first caches an RRset for the additional section, and the same
ordering will be kept in succeeding responses, regardless of the
setting of <command>rrset-order</command>.
The effect of this should be minor, however, since an
RRset in the additional section
typically only contains a small number of RRs (and in many cases
it only contains a single RR), in which case the
ordering does not matter much.
</para>
<para>
The following is a summary of options related to
<command>acache</command>.
</para>
<variablelist>
<varlistentry>
<term><command>acache-enable</command></term>
<listitem>
<para>
If <command>yes</command>, additional section caching is
enabled. The default value is <command>no</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>acache-cleaning-interval</command></term>
<listitem>
<para>
The server will remove stale cache entries, based on an LRU
based
algorithm, every <command>acache-cleaning-interval</command> minutes.
The default is 60 minutes.
If set to 0, no periodic cleaning will occur.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>max-acache-size</command></term>
<listitem>
<para>
The maximum amount of memory in bytes to use for the server's acache.
When the amount of data in the acache reaches this limit,
the server
will clean more aggressively so that the limit is not
exceeded.
In a server with multiple views, the limit applies
separately to the
acache of each view.
The default is <literal>16M</literal>.
</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="content_filtering"><info><title>Content Filtering</title></info>
<para>


@ -64,10 +64,10 @@ masters <string> [ port <integer> ] [ dscp
<integer> ] ) [ key <string> ]; ... }; // may occur multiple times
options {
acache-cleaning-interval <integer>;
acache-enable <boolean>;
additional-from-auth <boolean>;
additional-from-cache <boolean>;
acache-cleaning-interval <integer>; // obsolete
acache-enable <boolean>; // obsolete
additional-from-auth <boolean>; // obsolete
additional-from-cache <boolean>; // obsolete
allow-new-zones <boolean>;
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
@ -213,7 +213,7 @@ options {
masterfile-format ( map | raw | text );
masterfile-style ( full | relative );
match-mapped-addresses <boolean>;
max-acache-size ( unlimited | <sizeval> );
max-acache-size ( unlimited | <sizeval> ); // obsolete
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
max-cache-ttl <integer>;
max-clients-per-query <integer>;
@ -418,10 +418,10 @@ trusted-keys { <string> <integer> <integer>
<integer> <quoted_string>; ... }; // may occur multiple times
view <string> [ <class> ] {
acache-cleaning-interval <integer>;
acache-enable <boolean>;
additional-from-auth <boolean>;
additional-from-cache <boolean>;
acache-cleaning-interval <integer>; // obsolete
acache-enable <boolean>; // obsolete
additional-from-auth <boolean>; // obsolete
additional-from-cache <boolean>; // obsolete
allow-new-zones <boolean>;
allow-notify { <address_match_element>; ... };
allow-query { <address_match_element>; ... };
@ -535,7 +535,7 @@ view <string> [ <class> ] {
match-clients { <address_match_element>; ... };
match-destinations { <address_match_element>; ... };
match-recursive-only <boolean>;
max-acache-size ( unlimited | <sizeval> );
max-acache-size ( unlimited | <sizeval> ); // obsolete
max-cache-size ( default | unlimited | <sizeval> | <percentage> );
max-cache-ttl <integer>;
max-clients-per-query <integer>;


@ -133,7 +133,8 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
"compilation time");
#endif
} else if (strcasecmp(cfg_obj_asstring(obj), "random") != 0 &&
strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) {
strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0 &&
strcasecmp(cfg_obj_asstring(obj), "none") != 0) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"rrset-order: invalid order '%s'",
cfg_obj_asstring(obj));


@ -55,7 +55,7 @@ GEOIPLINKOBJS = geoip.@O@
DNSTAPOBJS = dnstap.@O@ dnstap.pb-c.@O@
# Alphabetically
DNSOBJS = acache.@O@ acl.@O@ adb.@O@ badcache.@O@ byaddr.@O@ \
DNSOBJS = acl.@O@ adb.@O@ badcache.@O@ byaddr.@O@ \
cache.@O@ callbacks.@O@ catz.@O@ clientinfo.@O@ compress.@O@ \
db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
dlz.@O@ dns64.@O@ dnssec.@O@ ds.@O@ dyndb.@O@ ecs.@O@ \
@ -95,7 +95,7 @@ GEOIPLINKSRCS = geoip.c
DNSTAPSRCS = dnstap.c dnstap.pb-c.c
DNSSRCS = acache.c acl.c adb.c badcache. byaddr.c \
DNSSRCS = acl.c adb.c badcache. byaddr.c \
cache.c callbacks.c clientinfo.c compress.c \
db.c dbiterator.c dbtable.c diff.c dispatch.c \
dlz.c dns64.c dnssec.c ds.c dyndb.c ecs.c forward.c \
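Review bot: The rewritten `DNSSRCS` line still lists `badcache.` without its `c` suffix, so the source list names a file that does not exist; since the line is being edited anyway it could read `DNSSRCS = acl.c adb.c badcache.c byaddr.c \`. The same list also has no `catz.c`, although `DNSOBJS` carries `catz.@O@`. Whatever consumes `DNSSRCS` (presumably dependency generation) would miss both files, which is easy to overlook because the object list is what drives the build.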



@ -27,16 +27,110 @@
#define DCTX_MAGIC ISC_MAGIC('D', 'C', 'T', 'X')
#define VALID_DCTX(x) ISC_MAGIC_VALID(x, DCTX_MAGIC)
#define TABLE_READY \
do { \
unsigned int i; \
\
if ((cctx->allowed & DNS_COMPRESS_READY) == 0) { \
cctx->allowed |= DNS_COMPRESS_READY; \
for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) \
cctx->table[i] = NULL; \
} \
} while (0)
static unsigned char maptolower[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
};
/*
* The tableindex array below is of size 256, one entry for each
* unsigned char value. The tableindex array elements are dependent on
* DNS_COMPRESS_TABLESIZE. The table was created using the following
* function.
*
* static void
* gentable(unsigned char *table) {
* unsigned int i;
* const unsigned int left = DNS_COMPRESS_TABLESIZE - 38;
* long r;
*
* for (i = 0; i < 26; i++) {
* table['A' + i] = i;
* table['a' + i] = i;
* }
*
* for (i = 0; i <= 9; i++)
* table['0' + i] = i + 26;
*
* table['-'] = 36;
* table['_'] = 37;
*
* for (i = 0; i < 256; i++) {
* if ((i >= 'a' && i <= 'z') ||
* (i >= 'A' && i <= 'Z') ||
* (i >= '0' && i <= '9') ||
* (i == '-') ||
* (i == '_'))
* continue;
* r = random() % left;
* table[i] = 38 + r;
* }
* }
*/
static unsigned char tableindex[256] = {
0x3e, 0x3e, 0x33, 0x2d, 0x30, 0x38, 0x31, 0x3c,
0x2b, 0x33, 0x30, 0x3f, 0x2d, 0x3c, 0x36, 0x3a,
0x28, 0x2c, 0x2a, 0x37, 0x3d, 0x34, 0x35, 0x2d,
0x39, 0x2b, 0x2f, 0x2c, 0x3b, 0x32, 0x2b, 0x39,
0x30, 0x38, 0x28, 0x3c, 0x32, 0x33, 0x39, 0x38,
0x27, 0x2b, 0x39, 0x30, 0x27, 0x24, 0x2f, 0x2b,
0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21,
0x22, 0x3a, 0x29, 0x36, 0x31, 0x3c, 0x35, 0x26,
0x31, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e,
0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
0x17, 0x18, 0x19, 0x3e, 0x3b, 0x39, 0x2f, 0x25,
0x27, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e,
0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16,
0x17, 0x18, 0x19, 0x36, 0x3b, 0x2f, 0x2f, 0x2e,
0x29, 0x33, 0x2a, 0x36, 0x28, 0x3f, 0x2e, 0x29,
0x2c, 0x29, 0x36, 0x2d, 0x32, 0x3d, 0x33, 0x2a,
0x2e, 0x2f, 0x3b, 0x30, 0x3d, 0x39, 0x2b, 0x36,
0x2a, 0x2f, 0x2c, 0x26, 0x3a, 0x37, 0x30, 0x3d,
0x2a, 0x36, 0x33, 0x2c, 0x38, 0x3d, 0x32, 0x3e,
0x26, 0x2a, 0x2c, 0x35, 0x27, 0x39, 0x3b, 0x31,
0x2a, 0x37, 0x3c, 0x27, 0x32, 0x29, 0x39, 0x37,
0x34, 0x3f, 0x39, 0x2e, 0x38, 0x2b, 0x2c, 0x3e,
0x3b, 0x3b, 0x2d, 0x33, 0x3b, 0x3b, 0x32, 0x3d,
0x3f, 0x3a, 0x34, 0x26, 0x35, 0x30, 0x31, 0x39,
0x27, 0x2f, 0x3d, 0x35, 0x35, 0x36, 0x2e, 0x29,
0x38, 0x27, 0x34, 0x32, 0x2c, 0x3c, 0x31, 0x28,
0x37, 0x38, 0x37, 0x34, 0x33, 0x29, 0x32, 0x34,
0x3f, 0x26, 0x34, 0x34, 0x32, 0x27, 0x30, 0x33,
0x33, 0x2d, 0x2b, 0x28, 0x3f, 0x33, 0x2b, 0x39,
0x37, 0x39, 0x2c, 0x3d, 0x35, 0x39, 0x27, 0x2f
};
/***
*** Compression
@ -51,7 +145,11 @@ dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx) {
cctx->mctx = mctx;
cctx->count = 0;
cctx->allowed = DNS_COMPRESS_ENABLED;
memset(&cctx->table[0], 0, sizeof(cctx->table));
cctx->magic = CCTX_MAGIC;
return (ISC_R_SUCCESS);
}
@ -62,20 +160,19 @@ dns_compress_invalidate(dns_compress_t *cctx) {
REQUIRE(VALID_CCTX(cctx));
if ((cctx->allowed & DNS_COMPRESS_READY) != 0) {
for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
while (cctx->table[i] != NULL) {
node = cctx->table[i];
cctx->table[i] = cctx->table[i]->next;
if ((node->offset & 0x8000) != 0)
isc_mem_put(cctx->mctx, node->r.base,
node->r.length);
if (node->count < DNS_COMPRESS_INITIALNODES)
continue;
isc_mem_put(cctx->mctx, node, sizeof(*node));
}
for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
while (cctx->table[i] != NULL) {
node = cctx->table[i];
cctx->table[i] = cctx->table[i]->next;
if ((node->offset & 0x8000) != 0)
isc_mem_put(cctx->mctx, node->r.base,
node->r.length);
if (node->count < DNS_COMPRESS_INITIALNODES)
continue;
isc_mem_put(cctx->mctx, node, sizeof(*node));
}
}
cctx->magic = 0;
cctx->allowed = 0;
cctx->edns = -1;
@ -124,14 +221,6 @@ dns_compress_getedns(dns_compress_t *cctx) {
return (cctx->edns);
}
#define NODENAME(node, name) \
do { \
(name)->length = (node)->r.length; \
(name)->labels = (node)->labels; \
(name)->ndata = (node)->r.base; \
(name)->attributes = DNS_NAMEATTR_ABSOLUTE; \
} while (0)
/*
* Find the longest match of name in the table.
* If match is found return ISC_TRUE. prefix, suffix and offset are updated.
@ -141,19 +230,19 @@ isc_boolean_t
dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
dns_name_t *prefix, isc_uint16_t *offset)
{
dns_name_t tname, nname;
dns_name_t tname;
dns_compressnode_t *node = NULL;
unsigned int labels, hash, n;
unsigned int labels, index, n;
unsigned int numlabels;
unsigned char *p;
REQUIRE(VALID_CCTX(cctx));
REQUIRE(dns_name_isabsolute(name) == ISC_TRUE);
REQUIRE(offset != NULL);
if ((cctx->allowed & DNS_COMPRESS_ENABLED) == 0)
if (ISC_UNLIKELY((cctx->allowed & DNS_COMPRESS_ENABLED) == 0))
return (ISC_FALSE);
TABLE_READY;
if (cctx->count == 0)
return (ISC_FALSE);
@ -161,27 +250,101 @@ dns_compress_findglobal(dns_compress_t *cctx, const dns_name_t *name,
INSIST(labels > 0);
dns_name_init(&tname, NULL);
dns_name_init(&nname, NULL);
for (n = 0; n < labels - 1; n++) {
dns_name_getlabelsequence(name, n, labels - n, &tname);
hash = dns_name_hash(&tname, ISC_FALSE) %
DNS_COMPRESS_TABLESIZE;
for (node = cctx->table[hash]; node != NULL; node = node->next)
numlabels = labels > 3U ? 3U : labels;
p = name->ndata;
for (n = 0; n < numlabels - 1; n++) {
unsigned char ch, llen;
unsigned int firstoffset, length;
firstoffset = p - name->ndata;
length = name->length - firstoffset;
/*
* We calculate the table index using the first
* character in the first label of the suffix name.
*/
ch = p[1];
index = tableindex[ch];
if (ISC_LIKELY((cctx->allowed &
DNS_COMPRESS_CASESENSITIVE) != 0))
{
NODENAME(node, &nname);
if ((cctx->allowed & DNS_COMPRESS_CASESENSITIVE) != 0) {
if (dns_name_caseequal(&nname, &tname))
break;
} else {
if (dns_name_equal(&nname, &tname))
break;
for (node = cctx->table[index];
node != NULL;
node = node->next)
{
if (ISC_UNLIKELY(node->name.length != length))
continue;
if (ISC_LIKELY(memcmp(node->name.ndata,
p, length) == 0))
goto found;
}
} else {
for (node = cctx->table[index];
node != NULL;
node = node->next)
{
unsigned int l, count;
unsigned char c;
unsigned char *label1, *label2;
if (ISC_UNLIKELY(node->name.length != length))
continue;
l = labels - n;
if (ISC_UNLIKELY(node->name.labels != l))
continue;
label1 = node->name.ndata;
label2 = p;
while (ISC_LIKELY(l-- > 0)) {
count = *label1++;
if (count != *label2++)
goto cont1;
/* no bitstring support */
INSIST(count <= 63);
/* Loop unrolled for performance */
while (ISC_LIKELY(count > 3)) {
c = maptolower[label1[0]];
if (c != maptolower[label2[0]])
goto cont1;
c = maptolower[label1[1]];
if (c != maptolower[label2[1]])
goto cont1;
c = maptolower[label1[2]];
if (c != maptolower[label2[2]])
goto cont1;
c = maptolower[label1[3]];
if (c != maptolower[label2[3]])
goto cont1;
count -= 4;
label1 += 4;
label2 += 4;
}
while (ISC_LIKELY(count-- > 0)) {
c = maptolower[*label1++];
if (c != maptolower[*label2++])
goto cont1;
}
}
break;
cont1:
continue;
}
}
if (node != NULL)
break;
llen = *p;
p += llen + 1;
}
found:
/*
* If node == NULL, we found no match at all.
*/
@ -212,7 +375,7 @@ dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
unsigned int start;
unsigned int n;
unsigned int count;
unsigned int hash;
unsigned int index;
dns_compressnode_t *node;
unsigned int length;
unsigned int tlength;
@ -223,11 +386,9 @@ dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
REQUIRE(VALID_CCTX(cctx));
REQUIRE(dns_name_isabsolute(name));
if ((cctx->allowed & DNS_COMPRESS_ENABLED) == 0)
if (ISC_UNLIKELY((cctx->allowed & DNS_COMPRESS_ENABLED) == 0))
return;
TABLE_READY;
if (offset >= 0x4000)
return;
dns_name_init(&tname, NULL);
@ -252,10 +413,19 @@ dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
r.base = tmp;
dns_name_fromregion(&xname, &r);
if (count > 2U)
count = 2U;
while (count > 0) {
unsigned char ch;
dns_name_getlabelsequence(&xname, start, n, &tname);
hash = dns_name_hash(&tname, ISC_FALSE) %
DNS_COMPRESS_TABLESIZE;
/*
* We calculate the table index using the first
* character in the first label of tname.
*/
ch = tname.ndata[1];
index = tableindex[ch];
tlength = name_length(&tname);
toffset = (isc_uint16_t)(offset + (length - tlength));
if (toffset >= 0x4000)
@ -280,9 +450,13 @@ dns_compress_add(dns_compress_t *cctx, const dns_name_t *name,
toffset |= 0x8000;
node->offset = toffset;
dns_name_toregion(&tname, &node->r);
node->labels = (isc_uint8_t)dns_name_countlabels(&tname);
node->next = cctx->table[hash];
cctx->table[hash] = node;
dns_name_init(&node->name, NULL);
node->name.length = node->r.length;
node->name.ndata = node->r.base;
node->name.labels = tname.labels;
node->name.attributes = DNS_NAMEATTR_ABSOLUTE;
node->next = cctx->table[index];
cctx->table[index] = node;
start++;
n--;
count--;
@ -299,10 +473,7 @@ dns_compress_rollback(dns_compress_t *cctx, isc_uint16_t offset) {
REQUIRE(VALID_CCTX(cctx));
if ((cctx->allowed & DNS_COMPRESS_ENABLED) == 0)
return;
if ((cctx->allowed & DNS_COMPRESS_READY) == 0)
if (ISC_UNLIKELY((cctx->allowed & DNS_COMPRESS_ENABLED) == 0))
return;
for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
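Review bot: In dns_compress_findglobal() and dns_compress_add() the bucket is now selected as `cctx->table[tableindex[ch]]`, and the only thing tying that index to the size of the bucket array is the comment saying the array depends on DNS_COMPRESS_TABLESIZE. The largest entry in `tableindex` is 0x3f, so the access stays in bounds only while the table has at least 64 slots; if the constant were later lowered without regenerating the array, a byte of the name being compressed would select a slot past the end of `cctx->table` for both the lookup and the insert. I would turn the dependency into a build failure next to the array, assuming the constant is a preprocessor define: `#if DNS_COMPRESS_TABLESIZE < 64`, `#error "tableindex[] was generated for DNS_COMPRESS_TABLESIZE >= 64"`, `#endif`. Neither lookup table is written in the code shown, so `static const unsigned char maptolower[]` and `static const unsigned char tableindex[256]` would also keep them in read-only data. Both functions continue outside the hunks shown.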


@ -101,14 +101,12 @@ static dns_rdatasetmethods_t rdataset_methods = {
NULL, /* getnoqname */
NULL, /* addclosest */
NULL, /* getclosest */
NULL, /* getadditional */
NULL, /* setadditional */
NULL, /* putadditional */
rdataset_settrust, /* settrust */
NULL, /* expire */
NULL, /* clearprefetch */
NULL, /* setownercase */
NULL /* getownercase */
NULL, /* getownercase */
NULL /* addglue */
};
typedef struct ecdb_rdatasetiter {
