Return DELEG only with EDNS DE bit set

Author: wtoorop

dns.h

@@ -57,6 +57,13 @@ typedef enum rr_section rr_section_type;
 #define RCODE_NOTAUTH		9	/* server not authoritative */
 #define RCODE_NOTZONE		10	/* name not inside zone */
 
+/* DNSKEY FLAGS */
+
+/* #define DNSKEY_FLAG_ZONE   (1 << (15 - 7)) */
+/* #define DNSKEY_FLAG_REVOKE (1 << (15 - 8)) */
+#define DNSKEY_FLAG_DELEG (1 << (15 - 14))
+/* #define DNSKEY_FLAG_SEP    (1 << (15 - 15)) */
+
 /* Standardized NSD return code.  Partially maps to DNS RCODE values.  */
 enum nsd_rc
 {

edns.c

@@ -69,6 +69,7 @@ edns_init_record(edns_record_type *edns)
 	edns->maxlen = 0;
 	edns->opt_reserved_space = 0;
 	edns->dnssec_ok = 0;
+	edns->deleg_ok = 0;
 	edns->nsid = 0;
 	edns->zoneversion = 0;
 	edns->cookie_status = COOKIE_NOT_PRESENT;
@@ -190,6 +191,7 @@ edns_parse_record(edns_record_type *edns, buffer_type *packet,
 	edns->status = EDNS_OK;
 	edns->maxlen = opt_class;
 	edns->dnssec_ok = opt_flags & DNSSEC_OK_MASK;
+	edns->deleg_ok = opt_flags & DELEG_OK_MASK;
 	return 1;
 }
 

edns.h

@@ -21,7 +21,9 @@ struct query;
 #define COOKIE_CODE    10               /* COOKIE option code */
 #define EDE_CODE       15               /* Extended DNS Errors option code */
 #define ZONEVERSION_CODE 19             /* ZONEVERSION option code */
-#define DNSSEC_OK_MASK  0x8000U         /* do bit mask */
+#define DNSSEC_OK_MASK          0x8000U /* DO bit mask */
+#define COMPACT_ANSWER_OK_MASK  0x4000U /* DO bit mask */
+#define DELEG_OK_MASK           0x2000U /* DE bit mask (DELEG) */
 
 /* https://iana.org/assignments/dns-parameters/#zoneversion-type-values */
 #define ZONEVERSION_SOA_SERIAL 0
@@ -62,6 +64,7 @@ struct edns_record
 	size_t             maxlen;
 	size_t		   opt_reserved_space;
 	int                dnssec_ok;
+	int                deleg_ok;
 	int                nsid;
 	int                zoneversion;
 	cookie_status_type cookie_status;

namedb.c

@@ -577,11 +577,60 @@ domain_find_parent_zone(namedb_type* db, zone_type* zone)
 }
 
 domain_type *
-domain_find_delegation_rrsets(domain_type* domain, zone_type* zone, rrset_type **ns, rrset_type **deleg)
+domain_find_ns_rrsets(domain_type* domain, zone_type* zone, rrset_type **ns)
 {
-	/* return highest NS and/or DELEG RRsets in the zone that is a delegation above */
+	/* return highest NS RRset in the zone that is a delegation above */
 	domain_type* result = NULL;
 	rrset_type* rrset = NULL;
+	while (domain && domain != zone->apex) {
+		rrset = domain_find_rrset(domain, zone, TYPE_NS);
+		if (rrset) {
+			*ns = rrset;
+			result = domain;
+		}
+		domain = domain->parent;
+	}
+
+	if(result)
+		return result;
+
+	*ns = NULL;
+	return NULL;
+}
+
+int
+zone_is_deleg_zone(zone_type* zone)
+{
+	rrset_type* dnskey_set;
+	uint16_t i;
+
+	if(!zone || !zone->apex
+	|| !(dnskey_set = domain_find_rrset(zone->apex, zone, TYPE_DNSKEY)))
+		return 0;
+	for(i = 0; i < dnskey_set->rr_count; i++) {
+		if(dnskey_set->rrs[i].rdata_count > 0
+		&& rdata_atom_size(dnskey_set->rrs[i].rdatas[0])
+				== sizeof(uint16_t)
+		&& read_uint16(rdata_atom_data(dnskey_set->rrs[i].rdatas[0]))
+				& DNSKEY_FLAG_DELEG)
+			return 1;
+	}
+	return 0;
+}
+
+domain_type *
+domain_find_delegation_rrsets(domain_type* domain, zone_type* zone, rrset_type **ns, rrset_type **deleg)
+{
+	/* return highest NS and/or DELEG RRsets in the zone that is a delegation above */
+	domain_type* result;
+	rrset_type* rrset;
+	if(!zone_is_deleg_zone(zone)) {
+		if(deleg)
+			*deleg = NULL;
+		return domain_find_ns_rrsets(domain, zone, ns);
+	}
+	result = NULL;
+	rrset = NULL;
 	while (domain && domain != zone->apex) {
 		if ((rrset = domain_find_rrset(domain, zone, TYPE_NS))) {
 			*ns = rrset;
@@ -617,6 +666,15 @@ find_dname_above(domain_type* domain, zone_type* zone)
 
 int
 domain_is_glue(domain_type* domain, zone_type* zone)
+{
+	rrset_type* unused;
+	domain_type* ns_domain = domain_find_ns_rrsets(domain, zone, &unused);
+	return (ns_domain != NULL &&
+		domain_find_rrset(ns_domain, zone, TYPE_SOA) == NULL);
+}
+
+int
+domain_is_glue_DE(domain_type* domain, zone_type* zone)
 {
 	rrset_type* unused;
 	domain_type* ns_domain = domain_find_delegation_rrsets(domain, zone, &unused, &unused);

namedb.h

@@ -260,11 +260,14 @@ rrset_type* domain_find_any_rrset(domain_type* domain, zone_type* zone);
 zone_type* domain_find_zone(namedb_type* db, domain_type* domain);
 zone_type* domain_find_parent_zone(namedb_type* db, zone_type* zone);
 
+domain_type* domain_find_ns_rrsets(domain_type* domain, zone_type* zone, rrset_type **ns);
+int zone_is_deleg_zone(zone_type* zone);
 domain_type* domain_find_delegation_rrsets(
 		domain_type* domain, zone_type* zone, rrset_type **ns, rrset_type **deleg);
 /* find DNAME rrset in domain->parent or higher and return that domain */
 domain_type * find_dname_above(domain_type* domain, zone_type* zone);
 
+int domain_is_glue_DE(domain_type* domain, zone_type* zone);
 int domain_is_glue(domain_type* domain, zone_type* zone);
 
 rrset_type* domain_find_non_cname_rrset(domain_type* domain, zone_type* zone);

query.c

@@ -696,7 +696,9 @@ add_additional_rrsets(struct query *query, answer_type *answer,
 
 		assert(additional);
 
-		if (!allow_glue && domain_is_glue(match, query->zone))
+		if (!allow_glue && ( query->edns.deleg_ok
+		                   ? domain_is_glue_DE(match, query->zone)
+		                   : domain_is_glue(match, query->zone)))
 			continue;
 
 		/*
@@ -947,12 +949,12 @@ answer_delegation(query_type *query, answer_type *answer)
 			ds_found = 1;
 
 		}
-		if ((rrset = domain_find_rrset(query->delegation_domain, query->zone, TYPE_DELEG))) {
+		if (query->deleg_rrset) {
 			add_rrset(query, answer, AUTHORITY_SECTION,
-				  query->delegation_domain, rrset);
+				  query->delegation_domain, query->deleg_rrset);
 			deleg_found = 1;
 		}
-		if (ds_found && deleg_found) {
+		if (ds_found && (!query->edns.deleg_ok || deleg_found)) {
 			; /* pass; No NSEC needed showing the absence of the other RRset */
 #ifdef NSEC3
 		} else if (query->zone->nsec3_param) {
@@ -1507,8 +1509,17 @@ answer_lookup_zone(struct nsd *nsd, struct query *q, answer_type *answer,
 		}
 		answer_nodata(q, answer, closest_encloser);
 	} else {
-		q->delegation_domain = domain_find_delegation_rrsets(
-			closest_encloser, q->zone, &q->delegation_rrset, &q->deleg_rrset);
+		if(q->edns.deleg_ok)
+			q->delegation_domain =domain_find_delegation_rrsets(
+					closest_encloser, q->zone,
+					&q->delegation_rrset, &q->deleg_rrset);
+		else {
+			q->deleg_rrset = NULL;
+			q->delegation_domain =domain_find_ns_rrsets(
+					closest_encloser, q->zone,
+					&q->delegation_rrset);
+		}
+
 		if(q->delegation_domain && find_dname_above(q->delegation_domain, q->zone)) {
 			q->delegation_domain = NULL; /* use higher DNAME */
 		}