resource: fix aa flag when querying root

handshake-org · Nov 27, 2021 · 7c4e472 · 7c4e472
1 parent b933210
commit 7c4e472
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 56 deletions.
diff --git a/src/resource.c b/src/resource.c
@@ -974,6 +974,9 @@ hsk_resource_to_dns(const hsk_resource_t *rs, const char *name, uint16_t type) {
           ns
         );
       }
+
+      msg->flags |= HSK_DNS_AA;
+
       hsk_dnssec_sign_zsk(ns, HSK_DNS_NSEC);
       // Needs SOA.
       hsk_resource_root_to_soa(ns);
@@ -986,32 +989,27 @@ hsk_resource_to_dns(const hsk_resource_t *rs, const char *name, uint16_t type) {
   // Record types actually on-chain for HNS TLDs.
   switch (type) {
     case HSK_DNS_DS:
+      msg->flags |= HSK_DNS_AA;
       hsk_resource_to_ds(rs, name, an);
       hsk_dnssec_sign_zsk(an, HSK_DNS_DS);
       break;
-    case HSK_DNS_NS:
-      // Includes SYNTH and GLUE records.
-      hsk_resource_to_ns(rs, name, ns);
-      hsk_resource_to_glue(rs, name, ar);
-      hsk_dnssec_sign_zsk(ns, HSK_DNS_NS);
-      break;
     case HSK_DNS_TXT:
-      hsk_resource_to_txt(rs, name, an);
-      hsk_dnssec_sign_zsk(an, HSK_DNS_TXT);
+      if (!hsk_resource_has_ns(rs)) {
+        msg->flags |= HSK_DNS_AA;
+        hsk_resource_to_txt(rs, name, an);
+        hsk_dnssec_sign_zsk(an, HSK_DNS_TXT);
+      }
       break;
   }
 
-  if (an->size > 0)
-    msg->flags |= HSK_DNS_AA;
-
   // Attempt to force a referral if we don't have an answer.
   if (an->size == 0 && ns->size == 0) {
-    if (hsk_resource_has_ns(rs)) {
+    // No referrals for DS or without NS to refer to!
+    if (hsk_resource_has_ns(rs) && type != HSK_DNS_DS) {
       hsk_resource_to_ns(rs, name, ns);
       hsk_resource_to_ds(rs, name, ns);
       hsk_resource_to_glue(rs, name, ar);
       if (!hsk_resource_has(rs, HSK_DS)) {
-          hsk_dnssec_sign_zsk(ns, HSK_DNS_NS);
           // No DS proof:
           // This allows unbound to treat the zone as unsigned (and not bogus)
           hsk_resource_to_nsec(
@@ -1026,9 +1024,17 @@ hsk_resource_to_dns(const hsk_resource_t *rs, const char *name, uint16_t type) {
           hsk_dnssec_sign_zsk(ns, HSK_DNS_DS);
       }
     } else {
-      // Domain has no NS
-      // We can prove there is a TXT or empty and sign NSEC
-      if (hsk_resource_has(rs, HSK_TEXT)) {
+      if (hsk_resource_has_ns(rs)) {
+        // If NS is present, prove it
+        hsk_resource_to_nsec(
+          tld,
+          next,
+          hsk_type_map_ns,
+          sizeof(hsk_type_map_ns),
+          ns
+        );
+      } else if (hsk_resource_has(rs, HSK_TEXT)) {
+        // No NS means we can prove TXT if applicable
         hsk_resource_to_nsec(
           tld,
           next,
@@ -1037,6 +1043,7 @@ hsk_resource_to_dns(const hsk_resource_t *rs, const char *name, uint16_t type) {
           ns
         );
       } else {
+        // Otherwise, we prove there is nothing
         hsk_resource_to_nsec(
           tld,
           next,
@@ -1047,6 +1054,7 @@ hsk_resource_to_dns(const hsk_resource_t *rs, const char *name, uint16_t type) {
       }
       hsk_dnssec_sign_zsk(ns, HSK_DNS_NSEC);
       // Needs SOA.
+      msg->flags |= HSK_DNS_AA;
       hsk_resource_root_to_soa(ns);
       hsk_dnssec_sign_zsk(ns, HSK_DNS_SOA);
     }

diff --git a/test/data/resource_vectors.h b/test/data/resource_vectors.h
@@ -11,6 +11,7 @@ typedef struct type_vector {
   uint8_t ns_size;
   uint8_t ar_size;
   bool nsec;
+  bool aa;
 } type_vector_t;
 
 typedef struct resource_vector {
@@ -43,10 +44,10 @@ static const resource_vector_t resource_vectors[10] = {
     },
     6,
     {
-      {HSK_DNS_DS,  "DS",  0, 4, 1, true},
-      {HSK_DNS_NS,  "NS",  0, 2, 1, false},
-      {HSK_DNS_TXT, "TXT", 0, 4, 1, true},
-      {HSK_DNS_A,   "A",   0, 4, 1, true}
+      {HSK_DNS_DS,  "DS",  0, 4, 0, true, true},
+      {HSK_DNS_NS,  "NS",  0, 3, 1, true, false},
+      {HSK_DNS_TXT, "TXT", 0, 3, 1, true, false},
+      {HSK_DNS_A,   "A",   0, 3, 1, true, false}
     },
     sizeof(hsk_type_map_ns),
     hsk_type_map_ns
@@ -68,10 +69,10 @@ static const resource_vector_t resource_vectors[10] = {
     },
     18,
     {
-      {HSK_DNS_DS,  "DS",  0, 4, 1, true},
-      {HSK_DNS_NS,  "NS",  0, 2, 1, false},
-      {HSK_DNS_TXT, "TXT", 0, 4, 1, true},
-      {HSK_DNS_A,   "A",   0, 4, 1, true}
+      {HSK_DNS_DS,  "DS",  0, 4, 0, true, true},
+      {HSK_DNS_NS,  "NS",  0, 3, 1, true, false},
+      {HSK_DNS_TXT, "TXT", 0, 3, 1, true, false},
+      {HSK_DNS_A,   "A",   0, 3, 1, true, false}
     },
     sizeof(hsk_type_map_ns),
     hsk_type_map_ns
@@ -94,10 +95,10 @@ static const resource_vector_t resource_vectors[10] = {
     },
     15,
     {
-      {HSK_DNS_DS,  "DS",  0, 4, 0, true},
-      {HSK_DNS_NS,  "NS",  0, 2, 0, false},
-      {HSK_DNS_TXT, "TXT", 0, 4, 0, true},
-      {HSK_DNS_A,   "A",   0, 4, 0, true}
+      {HSK_DNS_DS,  "DS",  0, 4, 0, true, true},
+      {HSK_DNS_NS,  "NS",  0, 3, 0, true, false},
+      {HSK_DNS_TXT, "TXT", 0, 3, 0, true, false},
+      {HSK_DNS_A,   "A",   0, 3, 0, true, false}
     },
     sizeof(hsk_type_map_ns),
     hsk_type_map_ns
@@ -121,10 +122,10 @@ static const resource_vector_t resource_vectors[10] = {
     },
     27,
     {
-      {HSK_DNS_DS,  "DS",  0, 4, 1, true},
-      {HSK_DNS_NS,  "NS",  0, 2, 1, false},
-      {HSK_DNS_TXT, "TXT", 0, 4, 1, true},
-      {HSK_DNS_A,   "A",   0, 4, 1, true}
+      {HSK_DNS_DS,  "DS",  0, 4, 0, true, true},
+      {HSK_DNS_NS,  "NS",  0, 3, 1, true, false},
+      {HSK_DNS_TXT, "TXT", 0, 3, 1, true, false},
+      {HSK_DNS_A,   "A",   0, 3, 1, true, false}
     },
     sizeof(hsk_type_map_ns),
     hsk_type_map_ns
@@ -148,10 +149,10 @@ static const resource_vector_t resource_vectors[10] = {
     },
     27,
     {
-      {HSK_DNS_DS,  "DS",  0, 4, 0, true},
-      {HSK_DNS_NS,  "NS",  0, 2, 0, false},
-      {HSK_DNS_TXT, "TXT", 0, 4, 0, true},
-      {HSK_DNS_A,   "A",   0, 4, 0, true}
+      {HSK_DNS_DS,  "DS",  0, 4, 0, true, true},
+      {HSK_DNS_NS,  "NS",  0, 3, 0, true, false},
+      {HSK_DNS_TXT, "TXT", 0, 3, 0, true, false},
+      {HSK_DNS_A,   "A",   0, 3, 0, true, false}
     },
     sizeof(hsk_type_map_ns),
     hsk_type_map_ns
@@ -176,10 +177,10 @@ static const resource_vector_t resource_vectors[10] = {
     },
     39,
     {
-      {HSK_DNS_DS,  "DS",  0, 4, 1, true},
-      {HSK_DNS_NS,  "NS",  0, 2, 1, false},
-      {HSK_DNS_TXT, "TXT", 0, 4, 1, true},
-      {HSK_DNS_A,   "A",   0, 4, 1, true}
+      {HSK_DNS_DS,  "DS",  0, 4, 0, true, true},
+      {HSK_DNS_NS,  "NS",  0, 3, 1, true, false},
+      {HSK_DNS_TXT, "TXT", 0, 3, 1, true, false},
+      {HSK_DNS_A,   "A",   0, 3, 1, true, false}
     },
     sizeof(hsk_type_map_ns),
     hsk_type_map_ns
@@ -200,10 +201,10 @@ static const resource_vector_t resource_vectors[10] = {
     },
     11,
     {
-      {HSK_DNS_DS,  "DS",  0, 4, 0, true},
-      {HSK_DNS_NS,  "NS",  0, 2, 0, false},
-      {HSK_DNS_TXT, "TXT", 0, 4, 0, true},
-      {HSK_DNS_A,   "A",   0, 4, 0, true}
+      {HSK_DNS_DS,  "DS",  0, 4, 0, true, true},
+      {HSK_DNS_NS,  "NS",  0, 3, 0, true, false},
+      {HSK_DNS_TXT, "TXT", 0, 3, 0, true, false},
+      {HSK_DNS_A,   "A",   0, 3, 0, true, false}
     },
     sizeof(hsk_type_map_ns),
     hsk_type_map_ns
@@ -225,10 +226,10 @@ static const resource_vector_t resource_vectors[10] = {
     },
     20,
     {
-      {HSK_DNS_DS,  "DS",  0, 4, 0, true},
-      {HSK_DNS_NS,  "NS",  0, 2, 0, false},
-      {HSK_DNS_TXT, "TXT", 0, 4, 0, true},
-      {HSK_DNS_A,   "A",   0, 4, 0, true}
+      {HSK_DNS_DS,  "DS",  0, 4, 0, true, true},
+      {HSK_DNS_NS,  "NS",  0, 3, 0, true, false},
+      {HSK_DNS_TXT, "TXT", 0, 3, 0, true, false},
+      {HSK_DNS_A,   "A",   0, 3, 0, true, false}
     },
     sizeof(hsk_type_map_ns),
     hsk_type_map_ns
@@ -255,10 +256,10 @@ static const resource_vector_t resource_vectors[10] = {
     },
     39,
     {
-      {HSK_DNS_DS,  "DS",  2, 0, 0, false},
-      {HSK_DNS_NS,  "NS",  0, 4, 0, true},
-      {HSK_DNS_TXT, "TXT", 0, 4, 0, true},
-      {HSK_DNS_A,   "A",   0, 4, 0, true}
+      {HSK_DNS_DS,  "DS",  2, 0, 0, false, true},
+      {HSK_DNS_NS,  "NS",  0, 4, 0, true, true},
+      {HSK_DNS_TXT, "TXT", 0, 4, 0, true, true},
+      {HSK_DNS_A,   "A",   0, 4, 0, true, true}
     },
     sizeof(hsk_type_map_empty),
     hsk_type_map_empty
@@ -284,10 +285,10 @@ static const resource_vector_t resource_vectors[10] = {
     },
     27,
     {
-      {HSK_DNS_DS,  "DS",  0, 4, 0, true},
-      {HSK_DNS_NS,  "NS",  0, 4, 0, true},
-      {HSK_DNS_TXT, "TXT", 2, 0, 0, false},
-      {HSK_DNS_A,   "A",   0, 4, 0, true}
+      {HSK_DNS_DS,  "DS",  0, 4, 0, true, true},
+      {HSK_DNS_NS,  "NS",  0, 4, 0, true, true},
+      {HSK_DNS_TXT, "TXT", 2, 0, 0, false, true},
+      {HSK_DNS_A,   "A",   0, 4, 0, true, true}
     },
     sizeof(hsk_type_map_txt),
     hsk_type_map_txt

diff --git a/test/hnsd-test.c b/test/hnsd-test.c
@@ -125,6 +125,9 @@ test_decode_resource() {
       assert(msg->ns.size == type_vector.ns_size);
       assert(msg->ar.size == type_vector.ar_size);
 
+      // Check `aa` bit
+      assert((bool)(msg->flags & HSK_DNS_AA) == type_vector.aa);
+
       // Sanity check: NSEC never appears in ANSWER or ADDITIONAL
       for (int i = 0; i < msg->an.size; i++) {
         hsk_dns_rr_t *rr = msg->an.items[i];