Merge !1364: policy.STUB: minor improvements

4696db4c · Vladimír Čunát · 9e814847 · fab10d1e · 4696db4c · 4696db4c
Commit 4696db4c authored 2 years ago by Vladimír Čunát
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ Knot Resolver 5.x.y (202y-mm-dd)
 Improvements
 ------------
 - depend on jemalloc, preferably, to improve memory usage (!1353)
+- policy.STUB: avoid applying aggressive DNSSEC denial proofs (!1364)
+- policy.STUB: avoid copying +dnssec flag from client to upstream (!1364)

 Bugfixes
 --------

--- a/lib/cache/peek.c
+++ b/lib/cache/peek.c
@@ -134,6 +134,12 @@ int peek_nosync(kr_layer_t *ctx, knot_pkt_t *pkt)
 		return ctx->state;
 	}

+	/* Avoid aggressive answers in STUB mode.
+	 * As STUB mode doesn't validate, it wouldn't save the necessary records.
+	 * Moreover, this special case avoids unintentional NXDOMAIN on grafted subtrees. */
+	if (qry->flags.STUB)
+		return ctx->state;
+
 	/**** 1b. otherwise, find the longest prefix zone/xNAME (with OK time+rank). [...] */
 	k->zname = qry->sname;
 	ret = kr_dname_lf(k->buf, k->zname, false); /* LATER(optim.): probably remove */

--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -619,11 +619,8 @@ static int query_finalize(struct kr_request *request, struct kr_query *qry, knot
 	ret = edns_create(pkt, request);
 	if (ret) return ret;
 	if (qry->flags.STUB) {
-		/* Stub resolution (ask for +rd and +do) */
+		/* Stub resolution */
 		knot_wire_set_rd(pkt->wire);
-		if (knot_pkt_has_dnssec(request->qsource.packet)) {
-			knot_edns_set_do(pkt->opt_rr);
-		}
 		if (knot_wire_get_cd(request->qsource.packet->wire)) {
 			knot_wire_set_cd(pkt->wire);
 		}

--- a/modules/policy/README.rst
+++ b/modules/policy/README.rst
@@ -620,19 +620,6 @@ and you trust your link to it, you need to use the :func:`policy.STUB` policy
 instead of :func:`policy.FORWARD` to disable DNSSEC validation for those
 *grafted* domains.

-Secondly, after disabling DNSSEC validation you have to solve another issue
-caused by grafting. For example, if you grafted your own top-level domain
-``example.`` onto the public DNS namespace, at some point the root server might
-send proof-of-nonexistence proving e.g. that there are no other top-level
-domain in between names ``events.`` and ``exchange.``, effectively proving
-non-existence of ``example.``.
-
-These proofs-of-nonexistence protect public DNS from spoofing but break
-*grafted* domains because proofs will be latter used by resolver
-(when the positive records for the grafted domain timeout from cache),
-effectively making grafted domain unavailable.
-The easiest work-around is to disable reading from cache for grafted domains.
-
 .. code-block:: lua
   :caption: Example configuration grafting domains onto public DNS namespace

@@ -647,7 +634,9 @@ The easiest work-around is to disable reading from cache for grafted domains.
   -- validated anyway; in some of those cases adding 'NO_0X20' can also help,
   -- though it also lowers defenses against off-path attacks on communication
   -- between the two servers.
-   policy.add(policy.suffix(policy.FLAGS({'NO_CACHE', 'NO_EDNS'}), extraTrees))
+   -- With kresd <= 5.5.3 you also needed 'NO_CACHE' flag to avoid unintentional
+   -- NXDOMAINs that could sometimes happen due to aggressive DNSSEC caching.
+   policy.add(policy.suffix(policy.FLAGS({'NO_EDNS'}), extraTrees))
   policy.add(policy.suffix(policy.STUB({'2001:db8::1'}), extraTrees))

 Response policy zones