middleware/cache: don't cache expired RRSIGs (#641)

Check message for expired sig and don't cache those. Aside: This hack of caching entire messages is probably something we should stop doing at some point in the future and do this on a per RRset basis. Fixes #367 #635
2025-11-02 10:13:14 -05:00 · 2017-04-29 15:06:42 +01:00
parent 1f63e639e4
commit 7d39c2ba51
7 changed files with 172 additions and 62 deletions
--- a/middleware/pkg/response/classify.go
+++ b/middleware/pkg/response/classify.go
@@ -1,10 +1,6 @@
 package response

-import (
-	"fmt"
-
-	"github.com/miekg/dns"
-)
+import "fmt"

 // Class holds sets of Types
 type Class int
@@ -50,14 +46,8 @@ func ClassFromString(s string) (Class, error) {
 	return All, fmt.Errorf("invalid Class: %s", s)
 }

-// Classify classifies a dns message: it returns its Class.
-func Classify(m *dns.Msg) (Class, *dns.OPT) {
-	t, o := Typify(m)
-	return classify(t), o
-}
-
-// Does need to be exported?
-func classify(t Type) Class {
+// Classify classifies the Type t, it returns its Class.
+func Classify(t Type) Class {
 	switch t {
 	case NoError, Delegation:
 		return Success
--- a/middleware/pkg/response/typify.go
+++ b/middleware/pkg/response/typify.go
@@ -2,11 +2,12 @@ package response

 import (
 	"fmt"
+	"time"

 	"github.com/miekg/dns"
 )

-// Type is the type of the message
+// Type is the type of the message.
 type Type int

 const (
@@ -26,54 +27,39 @@ const (
 	OtherError
 )

-func (t Type) String() string {
-	switch t {
-	case NoError:
-		return "NOERROR"
-	case NameError:
-		return "NXDOMAIN"
-	case NoData:
-		return "NODATA"
-	case Delegation:
-		return "DELEGATION"
-	case Meta:
-		return "META"
-	case Update:
-		return "UPDATE"
-	case OtherError:
-		return "OTHERERROR"
-	}
-	return ""
+var toString = map[Type]string{
+	NoError:    "NOERROR",
+	NameError:  "NXDOMAIN",
+	NoData:     "NODATA",
+	Delegation: "DELEGATION",
+	Meta:       "META",
+	Update:     "UPDATE",
+	OtherError: "OTHERERROR",
 }

+func (t Type) String() string { return toString[t] }
+
 // TypeFromString returns the type from the string s. If not type matches
 // the OtherError type and an error are returned.
 func TypeFromString(s string) (Type, error) {
-	switch s {
-	case "NOERROR":
-		return NoError, nil
-	case "NXDOMAIN":
-		return NameError, nil
-	case "NODATA":
-		return NoData, nil
-	case "DELEGATION":
-		return Delegation, nil
-	case "META":
-		return Meta, nil
-	case "UPDATE":
-		return Update, nil
-	case "OTHERERROR":
-		return OtherError, nil
+	for t, str := range toString {
+		if s == str {
+			return t, nil
+		}
 	}
 	return NoError, fmt.Errorf("invalid Type: %s", s)
 }

 // Typify classifies a message, it returns the Type.
-func Typify(m *dns.Msg) (Type, *dns.OPT) {
+func Typify(m *dns.Msg, t time.Time) (Type, *dns.OPT) {
 	if m == nil {
 		return OtherError, nil
 	}
 	opt := m.IsEdns0()
+	do := false
+	if opt != nil {
+		do = opt.Do()
+	}

 	if m.Opcode == dns.OpcodeUpdate {
 		return Update, opt
@@ -90,6 +76,13 @@ func Typify(m *dns.Msg) (Type, *dns.OPT) {
 		}
 	}

+	// If our message contains any expired sigs and we care about that, we should return expired
+	if do {
+		if expired := typifyExpired(m, t); expired {
+			return OtherError, opt
+		}
+	}
+
 	if len(m.Answer) > 0 && m.Rcode == dns.RcodeSuccess {
 		return NoError, opt
 	}
@@ -107,6 +100,7 @@ func Typify(m *dns.Msg) (Type, *dns.OPT) {
 	}

 	// Check length of different sections, and drop stuff that is just to large? TODO(miek).
+
 	if soa && m.Rcode == dns.RcodeSuccess {
 		return NoData, opt
 	}
@@ -114,7 +108,7 @@ func Typify(m *dns.Msg) (Type, *dns.OPT) {
 		return NameError, opt
 	}

-	if ns > 0 && ns == len(m.Ns) && m.Rcode == dns.RcodeSuccess {
+	if ns > 0 && ns > 0 && m.Rcode == dns.RcodeSuccess {
 		return Delegation, opt
 	}

@@ -124,3 +118,29 @@ func Typify(m *dns.Msg) (Type, *dns.OPT) {

 	return OtherError, opt
 }
+
+func typifyExpired(m *dns.Msg, t time.Time) bool {
+	if expired := typifyExpiredRRSIG(m.Answer, t); expired {
+		return true
+	}
+	if expired := typifyExpiredRRSIG(m.Ns, t); expired {
+		return true
+	}
+	if expired := typifyExpiredRRSIG(m.Extra, t); expired {
+		return true
+	}
+	return false
+}
+
+func typifyExpiredRRSIG(rrs []dns.RR, t time.Time) bool {
+	for _, r := range rrs {
+		if r.Header().Rrtype != dns.TypeRRSIG {
+			continue
+		}
+		ok := r.(*dns.RRSIG).ValidityPeriod(t)
+		if !ok {
+			return true
+		}
+	}
+	return false
+}
--- a/middleware/pkg/response/typify_test.go
+++ b/middleware/pkg/response/typify_test.go
@@ -2,6 +2,7 @@ package response

 import (
 	"testing"
+	"time"

 	"github.com/coredns/coredns/middleware/test"

@@ -11,17 +12,39 @@ import (
 func TestTypifyNilMsg(t *testing.T) {
 	var m *dns.Msg

-	ty, _ := Typify(m)
+	ty, _ := Typify(m, time.Now().UTC())
 	if ty != OtherError {
-		t.Errorf("message wrongly typified, expected OtherError, got %d", ty)
+		t.Errorf("message wrongly typified, expected OtherError, got %s", ty)
 	}
 }

-func TestClassifyDelegation(t *testing.T) {
+func TestTypifyDelegation(t *testing.T) {
 	m := delegationMsg()
-	mt, _ := Typify(m)
+	mt, _ := Typify(m, time.Now().UTC())
 	if mt != Delegation {
-		t.Errorf("message is wrongly classified, expected delegation, got %d", mt)
+		t.Errorf("message is wrongly typified, expected Delegation, got %s", mt)
+	}
+}
+
+func TestTypifyRRSIG(t *testing.T) {
+	now, _ := time.Parse(time.UnixDate, "Fri Apr 21 10:51:21 BST 2017")
+	utc := now.UTC()
+
+	m := delegationMsgRRSIGOK()
+	if mt, _ := Typify(m, utc); mt != Delegation {
+		t.Errorf("message is wrongly typified, expected Delegation, got %s", mt)
+	}
+
+	// Still a Delegation because EDNS0 OPT DO bool is not set, so we won't check the sigs.
+	m = delegationMsgRRSIGFail()
+	if mt, _ := Typify(m, utc); mt != Delegation {
+		t.Errorf("message is wrongly typified, expected Delegation, got %s", mt)
+	}
+
+	m = delegationMsgRRSIGFail()
+	m = addOpt(m)
+	if mt, _ := Typify(m, utc); mt != OtherError {
+		t.Errorf("message is wrongly typified, expected OtherError, got %s", mt)
 	}
 }

@@ -38,3 +61,24 @@ func delegationMsg() *dns.Msg {
 		},
 	}
 }
+
+func delegationMsgRRSIGOK() *dns.Msg {
+	del := delegationMsg()
+	del.Ns = append(del.Ns,
+		test.RRSIG("miek.nl.		1800	IN	RRSIG	NS 8 2 1800 20170521031301 20170421031301 12051 miek.nl. PIUu3TKX/sB/N1n1E1yWxHHIcPnc2q6Wq9InShk+5ptRqChqKdZNMLDm gCq+1bQAZ7jGvn2PbwTwE65JzES7T+hEiqR5PU23DsidvZyClbZ9l0xG JtKwgzGXLtUHxp4xv/Plq+rq/7pOG61bNCxRyS7WS7i7QcCCWT1BCcv+ wZ0="),
+	)
+	return del
+}
+
+func delegationMsgRRSIGFail() *dns.Msg {
+	del := delegationMsg()
+	del.Ns = append(del.Ns,
+		test.RRSIG("miek.nl.		1800	IN	RRSIG	NS 8 2 1800 20160521031301 20160421031301 12051 miek.nl. PIUu3TKX/sB/N1n1E1yWxHHIcPnc2q6Wq9InShk+5ptRqChqKdZNMLDm gCq+1bQAZ7jGvn2PbwTwE65JzES7T+hEiqR5PU23DsidvZyClbZ9l0xG JtKwgzGXLtUHxp4xv/Plq+rq/7pOG61bNCxRyS7WS7i7QcCCWT1BCcv+ wZ0="),
+	)
+	return del
+}
+
+func addOpt(m *dns.Msg) *dns.Msg {
+	m.Extra = append(m.Extra, test.OPT(4096, true))
+	return m
+}