middleware/file: Support delegations (#124)

Return a delegation when seeing one while traversing the tree in search of an answer. Put the SOA and NS record in the zone.Apex as these are to be handled somewhat special. Lowercase record on insert to make compares easier. This lowercases all RR that have domain names in their rdata as well.
2025-12-05 09:55:10 -05:00 · 2016-04-16 16:16:52 +01:00
parent f783634174
commit e294c95582
14 changed files with 288 additions and 70 deletions
--- a/middleware/file/closest.go
+++ b/middleware/file/closest.go
@@ -17,7 +17,7 @@ func (z *Zone) ClosestEncloser(qname string, qtype uint16) string {
 		offset, end = dns.NextLabel(qname, offset)
 	}

-	return z.SOA.Header().Name
+	return z.Apex.SOA.Header().Name
 }

 // nameErrorProof finds the closest encloser and return an NSEC that proofs
--- a/middleware/file/delegation_test.go
+++ b/middleware/file/delegation_test.go
@@ -0,0 +1,106 @@
+package file
+
+import (
+	"sort"
+	"strings"
+	"testing"
+
+	"github.com/miekg/coredns/middleware"
+	"github.com/miekg/coredns/middleware/test"
+
+	"github.com/miekg/dns"
+	"golang.org/x/net/context"
+)
+
+var delegationTestCases = []test.Case{
+	{
+		Qname: "a.delegated.miek.nl.", Qtype: dns.TypeTXT,
+		Ns: []dns.RR{
+			test.NS("delegated.miek.nl.	1800	IN	NS	a.delegated.miek.nl."),
+			test.NS("delegated.miek.nl.	1800	IN	NS	ns-ext.nlnetlabs.nl."),
+		},
+		Extra: []dns.RR{
+			test.A("a.delegated.miek.nl. 1800 IN A 139.162.196.78"),
+			test.AAAA("a.delegated.miek.nl. 1800 IN AAAA 2a01:7e00::f03c:91ff:fef1:6735"),
+		},
+	},
+	{
+		Qname: "delegated.miek.nl.", Qtype: dns.TypeNS,
+		Answer: []dns.RR{
+			test.NS("delegated.miek.nl.	1800	IN	NS	a.delegated.miek.nl."),
+			test.NS("delegated.miek.nl.	1800	IN	NS	ns-ext.nlnetlabs.nl."),
+		},
+	},
+}
+
+func TestLookupDelegation(t *testing.T) {
+	zone, err := Parse(strings.NewReader(dbMiekNL_delegation), testzone, "stdin")
+	if err != nil {
+		t.Fatalf("expect no error when reading zone, got %q", err)
+	}
+
+	fm := File{Next: test.ErrorHandler(), Zones: Zones{Z: map[string]*Zone{testzone: zone}, Names: []string{testzone}}}
+	ctx := context.TODO()
+
+	for _, tc := range delegationTestCases {
+		m := tc.Msg()
+
+		rec := middleware.NewResponseRecorder(&test.ResponseWriter{})
+		_, err := fm.ServeDNS(ctx, rec, m)
+		if err != nil {
+			t.Errorf("expected no error, got %v\n", err)
+			return
+		}
+		resp := rec.Msg()
+
+		sort.Sort(test.RRSet(resp.Answer))
+		sort.Sort(test.RRSet(resp.Ns))
+		sort.Sort(test.RRSet(resp.Extra))
+
+		if !test.Header(t, tc, resp) {
+			t.Logf("%v\n", resp)
+			continue
+		}
+		if !test.Section(t, tc, test.Answer, resp.Answer) {
+			t.Logf("%v\n", resp)
+		}
+		if !test.Section(t, tc, test.Ns, resp.Ns) {
+			t.Logf("%v\n", resp)
+		}
+		if !test.Section(t, tc, test.Extra, resp.Extra) {
+			t.Logf("%v\n", resp)
+		}
+	}
+}
+
+const dbMiekNL_delegation = `
+$TTL    30M
+$ORIGIN miek.nl.
+@       IN      SOA     linode.atoom.net. miek.miek.nl. (
+                             1282630057 ; Serial
+                             4H         ; Refresh
+                             1H         ; Retry
+                             7D         ; Expire
+                             4H )       ; Negative Cache TTL
+                IN      NS      linode.atoom.net.
+                IN      NS      ns-ext.nlnetlabs.nl.
+                IN      NS      omval.tednet.nl.
+                IN      NS      ext.ns.whyscream.net.
+
+                IN      MX      1  aspmx.l.google.com.
+                IN      MX      5  alt1.aspmx.l.google.com.
+                IN      MX      5  alt2.aspmx.l.google.com.
+                IN      MX      10 aspmx2.googlemail.com.
+                IN      MX      10 aspmx3.googlemail.com.
+
+delegated	IN	NS      a.delegated
+		IN	NS      ns-ext.nlnetlabs.nl.
+
+a.delegated     IN      TXT     "obscured"
+                IN      A       139.162.196.78
+                IN      AAAA    2a01:7e00::f03c:91ff:fef1:6735
+
+a               IN      A       139.162.196.78
+                IN      AAAA    2a01:7e00::f03c:91ff:fef1:6735
+www             IN      CNAME   a
+archive         IN      CNAME   a`
--- a/middleware/file/file.go
+++ b/middleware/file/file.go
@@ -80,18 +80,15 @@ func (f File) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (i
 	m := new(dns.Msg)
 	m.SetReply(r)
 	m.Authoritative, m.RecursionAvailable, m.Compress = true, true, true
+	m.Answer, m.Ns, m.Extra = answer, ns, extra

 	switch result {
 	case Success:
-		m.Answer = answer
-		m.Ns = ns
-		m.Extra = extra
-	case NameError:
-		m.Ns = ns
-		m.Rcode = dns.RcodeNameError
-		fallthrough
 	case NoData:
-		m.Ns = ns
+	case NameError:
+		m.Rcode = dns.RcodeNameError
+	case Delegation:
+		m.Authoritative = false
 	case ServerFailure:
 		return dns.RcodeServerFailure, nil
 	}
--- a/middleware/file/lookup.go
+++ b/middleware/file/lookup.go
@@ -12,6 +12,7 @@ type Result int
 const (
 	Success Result = iota
 	NameError
+	Delegation
 	NoData
 	ServerFailure
 )
@@ -22,6 +23,9 @@ func (z *Zone) Lookup(qname string, qtype uint16, do bool) ([]dns.RR, []dns.RR,
 	if qtype == dns.TypeSOA {
 		return z.lookupSOA(do)
 	}
+	if qtype == dns.TypeNS && qname == z.origin {
+		return z.lookupNS(do)
+	}

 	elem, res := z.Tree.Search(qname, qtype)
 	if elem == nil {
@@ -30,6 +34,21 @@ func (z *Zone) Lookup(qname string, qtype uint16, do bool) ([]dns.RR, []dns.RR,
 		}
 		return z.nameError(qname, qtype, do)
 	}
+	if res == tree.Delegation {
+		rrs := elem.Types(dns.TypeNS)
+		glue := []dns.RR{}
+		for _, ns := range rrs {
+			if dns.IsSubDomain(ns.Header().Name, ns.(*dns.NS).Ns) {
+				// even with Do, this should be unsigned.
+				elem, res := z.Tree.SearchGlue(ns.(*dns.NS).Ns)
+				if res == tree.Found {
+					glue = append(glue, elem.Types(dns.TypeAAAA)...)
+					glue = append(glue, elem.Types(dns.TypeA)...)
+				}
+			}
+		}
+		return nil, rrs, glue, Delegation
+	}

 	rrs := elem.Types(dns.TypeCNAME)
 	if len(rrs) > 0 { // should only ever be 1 actually; TODO(miek) check for this?
@@ -87,9 +106,9 @@ func (z *Zone) nameError(qname string, qtype uint16, do bool) ([]dns.RR, []dns.R
 	}

 	// name error
-	ret := []dns.RR{z.SOA}
+	ret := []dns.RR{z.Apex.SOA}
 	if do {
-		ret = append(ret, z.SIG...)
+		ret = append(ret, z.Apex.SIGSOA...)
 		ret = append(ret, z.nameErrorProof(qname, qtype)...)
 	}
 	return nil, ret, nil, NameError
@@ -97,10 +116,18 @@ func (z *Zone) nameError(qname string, qtype uint16, do bool) ([]dns.RR, []dns.R

 func (z *Zone) lookupSOA(do bool) ([]dns.RR, []dns.RR, []dns.RR, Result) {
 	if do {
-		ret := append([]dns.RR{z.SOA}, z.SIG...)
+		ret := append([]dns.RR{z.Apex.SOA}, z.Apex.SIGSOA...)
 		return ret, nil, nil, Success
 	}
-	return []dns.RR{z.SOA}, nil, nil, Success
+	return []dns.RR{z.Apex.SOA}, nil, nil, Success
+}
+
+func (z *Zone) lookupNS(do bool) ([]dns.RR, []dns.RR, []dns.RR, Result) {
+	if do {
+		ret := append(z.Apex.NS, z.Apex.SIGNS...)
+		return ret, nil, nil, Success
+	}
+	return z.Apex.NS, nil, nil, Success
 }

 // lookupNSEC looks up nsec and sigs.
--- a/middleware/file/lookup_test.go
+++ b/middleware/file/lookup_test.go
@@ -35,6 +35,12 @@ var dnsTestCases = []test.Case{
 			test.AAAA("miek.nl.	1800	IN	AAAA	2a01:7e00::f03c:91ff:fef1:6735"),
 		},
 	},
+	{
+		Qname: "mIeK.NL.", Qtype: dns.TypeAAAA,
+		Answer: []dns.RR{
+			test.AAAA("miek.nl.	1800	IN	AAAA	2a01:7e00::f03c:91ff:fef1:6735"),
+		},
+	},
 	{
 		Qname: "miek.nl.", Qtype: dns.TypeMX,
 		Answer: []dns.RR{
@@ -166,8 +172,8 @@ $ORIGIN miek.nl.
                IN      MX      10 aspmx2.googlemail.com.
                IN      MX      10 aspmx3.googlemail.com.

-                IN      A       139.162.196.78
-                IN      AAAA    2a01:7e00::f03c:91ff:fef1:6735
+		IN      A       139.162.196.78
+		IN      AAAA    2a01:7e00::f03c:91ff:fef1:6735

 a               IN      A       139.162.196.78
                IN      AAAA    2a01:7e00::f03c:91ff:fef1:6735
--- a/middleware/file/secondary.go
+++ b/middleware/file/secondary.go
@@ -55,8 +55,7 @@ Transfer:
 	}

 	z.Tree = z1.Tree
-	z.SOA = z1.SOA
-	z.SIG = z1.SIG
+	z.Apex = z1.Apex
 	*z.Expired = false
 	log.Printf("[INFO] Transferred: %s from %s", z.origin, tr)
 	return nil
@@ -91,7 +90,7 @@ Transfer:
 	if serial == -1 {
 		return false, Err
 	}
-	return less(z.SOA.Serial, uint32(serial)), Err
+	return less(z.Apex.SOA.Serial, uint32(serial)), Err
 }

 // less return true of a is smaller than b when taking RFC 1982 serial arithmetic into account.
@@ -108,15 +107,15 @@ func less(a, b uint32) bool {
 // will be marked expired.
 func (z *Zone) Update() error {
 	// If we don't have a SOA, we don't have a zone, wait for it to appear.
-	for z.SOA == nil {
+	for z.Apex.SOA == nil {
 		time.Sleep(1 * time.Second)
 	}
 	retryActive := false

 Restart:
-	refresh := time.Second * time.Duration(z.SOA.Refresh)
-	retry := time.Second * time.Duration(z.SOA.Retry)
-	expire := time.Second * time.Duration(z.SOA.Expire)
+	refresh := time.Second * time.Duration(z.Apex.SOA.Refresh)
+	retry := time.Second * time.Duration(z.Apex.SOA.Retry)
+	expire := time.Second * time.Duration(z.Apex.SOA.Expire)

 	if refresh < time.Hour {
 		refresh = time.Hour
--- a/middleware/file/secondary_test.go
+++ b/middleware/file/secondary_test.go
@@ -85,7 +85,7 @@ func TestShouldTransfer(t *testing.T) {
 	z.TransferFrom = []string{addrstr}

 	// Serial smaller
-	z.SOA = test.SOA(fmt.Sprintf("%s IN SOA bla. bla. %d 0 0 0 0 ", testZone, soa.serial-1))
+	z.Apex.SOA = test.SOA(fmt.Sprintf("%s IN SOA bla. bla. %d 0 0 0 0 ", testZone, soa.serial-1))
 	should, err := z.shouldTransfer()
 	if err != nil {
 		t.Fatalf("unable to run shouldTransfer: %v", err)
@@ -94,7 +94,7 @@ func TestShouldTransfer(t *testing.T) {
 		t.Fatalf("shouldTransfer should return true for serial: %q", soa.serial-1)
 	}
 	// Serial equal
-	z.SOA = test.SOA(fmt.Sprintf("%s IN SOA bla. bla. %d 0 0 0 0 ", testZone, soa.serial))
+	z.Apex.SOA = test.SOA(fmt.Sprintf("%s IN SOA bla. bla. %d 0 0 0 0 ", testZone, soa.serial))
 	should, err = z.shouldTransfer()
 	if err != nil {
 		t.Fatalf("unable to run shouldTransfer: %v", err)
@@ -125,7 +125,7 @@ func TestTransferIn(t *testing.T) {
 	if err != nil {
 		t.Fatalf("unable to run TransferIn: %v", err)
 	}
-	if z.SOA.String() != fmt.Sprintf("%s	3600	IN	SOA	bla. bla. 250 0 0 0 0", testZone) {
+	if z.Apex.SOA.String() != fmt.Sprintf("%s	3600	IN	SOA	bla. bla. 250 0 0 0 0", testZone) {
 		t.Fatalf("unknown SOA transferred")
 	}
 }
--- a/middleware/file/tree/elem.go
+++ b/middleware/file/tree/elem.go
@@ -91,7 +91,7 @@ func (e *Elem) Delete(rr dns.RR) (empty bool) {
 	return
 }

-// Less is a tree helper function that calles middleware.Less.
+// Less is a tree helper function that calls middleware.Less.
 func Less(a *Elem, name string) int { return middleware.Less(name, a.Name()) }

 // Assuming the same type and name this will check if the rdata is equal as well.
--- a/middleware/file/tree/tree.go
+++ b/middleware/file/tree/tree.go
@@ -30,6 +30,7 @@ const (
 	Found Result = iota
 	NameError
 	EmptyNonTerminal
+	Delegation
 )

 // Operation mode of the LLRB tree.
@@ -154,16 +155,35 @@ func (t *Tree) Search(qname string, qtype uint16) (*Elem, Result) {
 	if t.Root == nil {
 		return nil, NameError
 	}
-	n, res := t.Root.search(qname, qtype)
+	n, res := t.Root.search(qname, qtype, false)
 	if n == nil {
 		return nil, res
 	}
 	return n.Elem, res
 }

-func (n *Node) search(qname string, qtype uint16) (*Node, Result) {
+// SearchGlue returns the first match of qname/(A/AAAA) in the Tree.
+func (t *Tree) SearchGlue(qname string) (*Elem, Result) {
+	// TODO(miek): shouldn't need this, because when we *find* the delegation, we
+	// know for sure that any glue is under it. Should change the return values
+	// to return the node, so we can resume from those.
+	if t.Root == nil {
+		return nil, NameError
+	}
+	n, res := t.Root.search(qname, dns.TypeA, true)
+	if n == nil {
+		return nil, res
+	}
+	return n.Elem, res
+}
+
+// search searches the tree for qname and type. If glue is true the search *does* not
+// spot when hitting NS records, but descends in search of glue. The qtype for this
+// kind of search can only be AAAA or A.
+func (n *Node) search(qname string, qtype uint16, glue bool) (*Node, Result) {
 	old := n
 	for n != nil {
+
 		switch c := Less(n.Elem, qname); {
 		case c == 0:
 			return n, Found
@@ -171,6 +191,10 @@ func (n *Node) search(qname string, qtype uint16) (*Node, Result) {
 			old = n
 			n = n.Left
 		default:
+			if !glue && n.Elem.Types(dns.TypeNS) != nil {
+				return n, Delegation
+
+			}
 			old = n
 			n = n.Right
 		}
--- a/middleware/file/zone.go
+++ b/middleware/file/zone.go
@@ -5,6 +5,7 @@ import (
 	"log"
 	"os"
 	"path"
+	"strings"
 	"sync"

 	"github.com/miekg/coredns/middleware"
@@ -15,11 +16,10 @@ import (
 )

 type Zone struct {
-	SOA    *dns.SOA
-	SIG    []dns.RR
 	origin string
 	file   string
 	*tree.Tree
+	Apex Apex

 	TransferTo   []string
 	StartupOnce  sync.Once
@@ -31,6 +31,13 @@ type Zone struct {
 	// TODO: shutdown watcher channel
 }

+type Apex struct {
+	SOA    *dns.SOA
+	NS     []dns.RR
+	SIGSOA []dns.RR
+	SIGNS  []dns.RR
+}
+
 // NewZone returns a new zone.
 func NewZone(name, file string) *Zone {
 	z := &Zone{origin: dns.Fqdn(name), file: path.Clean(file), Tree: &tree.Tree{}, Expired: new(bool)}
@@ -44,28 +51,50 @@ func (z *Zone) Copy() *Zone {
 	z1.TransferTo = z.TransferTo
 	z1.TransferFrom = z.TransferFrom
 	z1.Expired = z.Expired
-	z1.SOA = z.SOA
-	z1.SIG = z.SIG
+	z1.Apex = z.Apex
 	return z1
 }

 // Insert inserts r into z.
 func (z *Zone) Insert(r dns.RR) error {
+	r.Header().Name = strings.ToLower(r.Header().Name)
+
 	switch h := r.Header().Rrtype; h {
+	case dns.TypeNS:
+		r.(*dns.NS).Ns = strings.ToLower(r.(*dns.NS).Ns)
+
+		if r.Header().Name == z.origin {
+			z.Apex.NS = append(z.Apex.NS, r)
+			return nil
+		}
 	case dns.TypeSOA:
-		z.SOA = r.(*dns.SOA)
+		r.(*dns.SOA).Ns = strings.ToLower(r.(*dns.SOA).Ns)
+		r.(*dns.SOA).Mbox = strings.ToLower(r.(*dns.SOA).Mbox)
+
+		z.Apex.SOA = r.(*dns.SOA)
 		return nil
 	case dns.TypeNSEC3, dns.TypeNSEC3PARAM:
 		return fmt.Errorf("NSEC3 zone is not supported, dropping")
 	case dns.TypeRRSIG:
-		if x, ok := r.(*dns.RRSIG); ok && x.TypeCovered == dns.TypeSOA {
-			z.SIG = append(z.SIG, x)
+		x := r.(*dns.RRSIG)
+		switch x.TypeCovered {
+		case dns.TypeSOA:
+			z.Apex.SIGSOA = append(z.Apex.SIGSOA, x)
 			return nil
+		case dns.TypeNS:
+			if r.Header().Name == z.origin {
+				z.Apex.SIGNS = append(z.Apex.SIGNS, x)
+				return nil
+			}
 		}
-		fallthrough
-	default:
-		z.Tree.Insert(r)
+	case dns.TypeCNAME:
+		r.(*dns.CNAME).Target = strings.ToLower(r.(*dns.CNAME).Target)
+	case dns.TypeMX:
+		r.(*dns.MX).Mx = strings.ToLower(r.(*dns.MX).Mx)
+	case dns.TypeSRV:
+		r.(*dns.SRV).Target = strings.ToLower(r.(*dns.SRV).Target)
 	}
+	z.Tree.Insert(r)
 	return nil
 }

@@ -88,16 +117,22 @@ func (z *Zone) TransferAllowed(state middleware.State) bool {
 func (z *Zone) All() []dns.RR {
 	z.reloadMu.RLock()
 	defer z.reloadMu.RUnlock()
+
 	records := []dns.RR{}
 	allNodes := z.Tree.All()
 	for _, a := range allNodes {
 		records = append(records, a.All()...)
 	}

-	if len(z.SIG) > 0 {
-		records = append(z.SIG, records...)
+	if len(z.Apex.SIGNS) > 0 {
+		records = append(z.Apex.SIGNS, records...)
 	}
-	return append([]dns.RR{z.SOA}, records...)
+	records = append(z.Apex.NS, records...)
+
+	if len(z.Apex.SIGSOA) > 0 {
+		records = append(z.Apex.SIGSOA, records...)
+	}
+	return append([]dns.RR{z.Apex.SOA}, records...)
 }

 func (z *Zone) Reload(shutdown chan bool) error {
@@ -132,8 +167,7 @@ func (z *Zone) Reload(shutdown chan bool) error {
 						continue
 					}
 					// copy elements we need
-					z.SOA = zone.SOA
-					z.SIG = zone.SIG
+					z.Apex = zone.Apex
 					z.Tree = zone.Tree
 					z.reloadMu.Unlock()
 					log.Printf("[INFO] Successfully reloaded zone `%s'", z.origin)