From 5736e55e0d2d8cd9a064b8377e87d08a540cb1b1 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Wed, 14 Jun 2017 13:31:18 +0200
Subject: [PATCH] rec: Use the incoming ECS for cache lookup if `use-incoming-edns-subnet` is set

Otherwise we insert into the cache based on the incoming ECS but later do the lookup based on the query's source IP.
---
 pdns/syncres.cc | 12 ++++++------
 pdns/syncres.hh | 7 +++++++
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 95123efdd..c5d5242e1 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -633,7 +633,7 @@ vector SyncRes::getAddrs(const DNSName &qname, unsigned int depth,
 if(done) {
 if(j==1 && s_doIPv6) { // we got an A record, see if we have some AAAA lying around
 vector cset;
- if(t_RC->get(d_now.tv_sec, qname, QType(QType::AAAA), false, &cset, d_requestor) > 0) {
+ if(t_RC->get(d_now.tv_sec, qname, QType(QType::AAAA), false, &cset, d_incomingECSFound ? d_incomingECSNetwork : d_requestor) > 0) {
 for(auto k=cset.cbegin();k!=cset.cend();++k) {
 if(k->d_ttl > (unsigned int)d_now.tv_sec ) {
 if (auto drc = std::dynamic_pointer_cast(k->d_content)) {
@@ -687,7 +687,7 @@ void SyncRes::getBestNSFromCache(const DNSName &qname, const QType& qtype, vecto
 vector ns;
 *flawedNSSet = false;
- if(t_RC->get(d_now.tv_sec, subdomain, QType(QType::NS), false, &ns, d_requestor) > 0) {
+ if(t_RC->get(d_now.tv_sec, subdomain, QType(QType::NS), false, &ns, d_incomingECSFound ? d_incomingECSNetwork : d_requestor) > 0) {
 for(auto k=ns.cbegin();k!=ns.cend(); ++k) {
 if(k->d_ttl > (unsigned int)d_now.tv_sec ) {
 vector aset;
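Review bot: The cache-lookup address on the added line is selected by `d_incomingECSFound`, while the value it selects, `d_incomingECSNetwork`, is filled in only by `setIncomingECS()` in the syncres.hh hunk, which keys on the optional `d_incomingECS` instead. This patch does not show where `d_incomingECSFound` is set; if it can be true while `setIncomingECS()` received an empty optional (ECS present in the query but not taken into use), the AAAA lookup is keyed on a default-constructed `ComboAddress`, so every such client shares one cache view regardless of its source address, which is the kind of inconsistency the commit sets out to remove. Keying the choice on the same state the setter populates, `d_incomingECSFound ? d_incomingECSNetwork : d_requestor` becoming `d_incomingECS ? d_incomingECSNetwork : d_requestor`, makes the lookup independent of that second flag; if `d_incomingECSFound` is guaranteed to imply a populated `d_incomingECS`, a comment stating that at its declaration would be enough. getAddrs starts and ends outside the hunk.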
@@ -695,7 +695,7 @@ void SyncRes::getBestNSFromCache(const DNSName &qname, const QType& qtype, vecto
 const DNSRecord& dr=*k;
 auto nrr = getRR(dr);
 if(nrr && (!nrr->getNS().isPartOf(subdomain) || t_RC->get(d_now.tv_sec, nrr->getNS(), s_doIPv6 ? QType(QType::ADDR) : QType(QType::A),
- false, doLog() ? &aset : nullptr, d_requestor) > 5)) {
+ false, doLog() ? &aset : 0, d_incomingECSFound ? d_incomingECSNetwork : d_requestor) > 5)) {
 bestns.push_back(dr);
 LOG(prefix< '"<getNS()<<"'"<getNS().isPartOf(subdomain));
@@ -815,7 +815,7 @@ bool SyncRes::doCNAMECacheCheck(const DNSName &qname, const QType &qtype, vector
 vector> signatures;
 vector> authorityRecs;
 bool wasAuth;
- if(t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), d_requireAuthData, &cset, d_requestor, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
+ if(t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), d_requireAuthData, &cset, d_incomingECSFound ? d_incomingECSNetwork : d_requestor, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
 for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) {
 if(j->d_ttl>(unsigned int) d_now.tv_sec) {
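Review bot: The added line turns `doLog() ? &aset : nullptr` into `doLog() ? &aset : 0`, although the removed line used `nullptr` and the other call sites touched by this patch keep `nullptr`; only the last argument needed to change, so this reads as an accidental regression to the integer null constant. Restore it as `false, doLog() ? &aset : nullptr, d_incomingECSFound ? d_incomingECSNetwork : d_requestor) > 5)) {`. getBestNSFromCache starts and ends outside the hunk.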
@@ -972,7 +972,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector> authorityRecs;
 uint32_t ttl=0;
 bool wasCachedAuth;
- if(t_RC->get(d_now.tv_sec, sqname, sqt, d_requireAuthData, &cset, d_requestor, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &cachedState, &wasCachedAuth) > 0) {
+ if(t_RC->get(d_now.tv_sec, sqname, sqt, d_requireAuthData, &cset, d_incomingECSFound ? d_incomingECSNetwork : d_requestor, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &cachedState, &wasCachedAuth) > 0) {
 LOG(prefix< SyncRes::getEDNSSubnetMask(const ComboAddress& local, c
 /* RFC7871 says we MUST NOT send any ECS if the source scope is 0 */
 return result;
 }
- trunc = d_incomingECS->source.getMaskedNetwork();
+ trunc = d_incomingECSNetwork;
 bits = d_incomingECS->source.getBits();
 } else if(!local.isIPv4() || local.sin4.sin_addr.s_addr) { // detect unset 'requestor'
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index 764856b54..71efffda4 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -618,6 +618,12 @@ public:
 void setIncomingECS(boost::optional incomingECS)
 {
 d_incomingECS = incomingECS;
+ if (incomingECS) {
+ d_incomingECSNetwork = incomingECS->source.getMaskedNetwork();
+ }
+ else {
+ d_incomingECSNetwork = ComboAddress();
+ }
 }
 #ifdef HAVE_PROTOBUF
@@ -755,6 +761,7 @@ private:
 ostringstream d_trace;
 shared_ptr d_pdl;
 boost::optional d_incomingECS;
+ ComboAddress d_incomingECSNetwork;
 #ifdef HAVE_PROTOBUF
 boost::optional d_initialRequestId;
 #endif
-- 2.40.0
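Review bot: The added line is the fifth copy of `d_incomingECSFound ? d_incomingECSNetwork : d_requestor` in this patch (getAddrs, getBestNSFromCache twice, doCNAMECacheCheck, doCacheCheck), so the rule for which address keys a cache lookup now lives in five places, and a site that is missed by a later change silently falls back to keying on the source address, which is exactly the split this commit fixes. A single accessor on SyncRes, e.g. `const ComboAddress& getCacheLookupAddress() const { return d_incomingECSFound ? d_incomingECSNetwork : d_requestor; }` (assuming `d_requestor` is a `ComboAddress` like `d_incomingECSNetwork`, as the ternary implies), would let each `t_RC->get(...)` call pass `getCacheLookupAddress()` and keep the rule in one place. doCacheCheck starts and ends outside the hunk.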
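Review bot: `d_incomingECSNetwork` is declared without a comment, and nothing at the declaration says it is a value derived from `d_incomingECS` that is only kept in step by `setIncomingECS()` in the hunk above; getEDNSSubnetMask now reads it in place of `d_incomingECS->source.getMaskedNetwork()`, and the syncres.cc hunks use it for every cache lookup, so any write to `d_incomingECS` that bypasses the setter would leave a stale network in both the outgoing ECS and the cache key. Suggested comment on the added line: `ComboAddress d_incomingECSNetwork; // d_incomingECS->source masked to its prefix length, default-constructed when there is no incoming ECS; written only by setIncomingECS(), keep them in sync`. Whether anything else assigns `d_incomingECS` directly cannot be seen from this patch.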