Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-11-04 03:03:14 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
723e9b06a439bfce19d689aca7030d95e4dc2c19
coredns/plugin/cache/dnssec.go

47 lines
1.0 KiB
Go
Raw Normal View History

plugin/cache: Fix filtering (#4148) The filtering of DNSSEC records in the cache plugin was not done correctly. Also the change to introduced this bug didn't take into account that the cache - by virtue of differentiating between DNSSEC and no-DNSSEC - relied on not copying the data from the cache. This change copies and then filters the data and factors the filtering into a function that is used in two places (albeit with on ugly boolean parameters to prevent copying things twice). Add tests, do_test.go is moved to test/cache_test.go because the OPT handing is done outside of the cache plugin. The core server re-attaches the correct OPT when replying, so that makes for a better e2e test. Added small unit test for filterRRslice and an explicit test that asks for DNSSEC first and then plain, and vice versa to test cache behavior. Fixes: #4146 Signed-off-by: Miek Gieben <miek@miek.nl>
2020-09-28 16:53:00 +02:00
package cache
import "github.com/miekg/dns"
// isDNSSEC returns true if r is a DNSSEC record. NSEC,NSEC3,DS and RRSIG/SIG
// are DNSSEC records. DNSKEYs is not in this list on the assumption that the
// client explictly asked for it.
func isDNSSEC(r dns.RR) bool {
switch r.Header().Rrtype {
case dns.TypeNSEC:
return true
case dns.TypeNSEC3:
return true
case dns.TypeDS:
return true
case dns.TypeRRSIG:
return true
case dns.TypeSIG:
return true
}
return false
}
// filterRRSlice filters rrs and removes DNSSEC RRs when do is false. In the returned slice
// the TTLs are set to ttl. If dup is true the RRs in rrs are _copied_ into the slice that is
// returned.
func filterRRSlice(rrs []dns.RR, ttl uint32, do, dup bool) []dns.RR {
j := 0
rs := make([]dns.RR, len(rrs), len(rrs))
for _, r := range rrs {
if !do && isDNSSEC(r) {
continue
}
plugin/cache: fix removing OPT (#4190) By checking state.Do() were are checking if the request had DO, but we are _always_ adding Do now - do we need to save the DO from the ORIGINAL request, which must be done in the ResponseWriter. Also skip OPT records in filterDNSSEC as we can't set the TTL on those records, this prevents writing a number to OPT's MBZ. Note none of the tests have changed and still PASS. This is due to the fact that CoreDNSServerAndPorts isn't a full server as we start in main, it lacks the scrubwriter for instance. This is not bad per se, but should be documented in the test code. Signed-off-by: Miek Gieben <miek@miek.nl>
2020-10-14 04:11:22 +02:00
if r.Header().Rrtype == dns.TypeOPT {
continue
}
plugin/cache: Fix filtering (#4148) The filtering of DNSSEC records in the cache plugin was not done correctly. Also the change to introduced this bug didn't take into account that the cache - by virtue of differentiating between DNSSEC and no-DNSSEC - relied on not copying the data from the cache. This change copies and then filters the data and factors the filtering into a function that is used in two places (albeit with on ugly boolean parameters to prevent copying things twice). Add tests, do_test.go is moved to test/cache_test.go because the OPT handing is done outside of the cache plugin. The core server re-attaches the correct OPT when replying, so that makes for a better e2e test. Added small unit test for filterRRslice and an explicit test that asks for DNSSEC first and then plain, and vice versa to test cache behavior. Fixes: #4146 Signed-off-by: Miek Gieben <miek@miek.nl>
2020-09-28 16:53:00 +02:00
r.Header().Ttl = ttl
if dup {
rs[j] = dns.Copy(r)
} else {
rs[j] = r
}
j++
}
return rs[:j]
}
Reference in New Issue Copy Permalink