middleware/cache: don't cache expired RRSIGs (#641)

Check message for expired sig and don't cache those. Aside: This hack of caching entire messages is probably something we should stop doing at some point in the future and do this on a per RRset basis. Fixes #367 #635
2017-04-29 15:06:42 +01:00 · 2017-04-29 15:06:42 +01:00 · 7d39c2ba51
commit 7d39c2ba51
parent 1f63e639e4
7 changed files with 172 additions and 62 deletions
--- a/middleware/cache/cache_test.go
+++ b/middleware/cache/cache_test.go
@ -21,6 +21,7 @@ type cacheTestCase struct {
 	Authoritative      bool
 	RecursionAvailable bool
 	Truncated          bool
+	shouldCache        bool
 }

 var cacheTestCases = []cacheTestCase{
@ -40,6 +41,7 @@ var cacheTestCases = []cacheTestCase{
 				test.MX("miek.nl.	3601	IN	MX	10 aspmx2.googlemail.com."),
 			},
 		},
+		shouldCache: true,
 	},
 	{
 		RecursionAvailable: true, AuthenticatedData: true, Authoritative: true,
@ -57,6 +59,7 @@ var cacheTestCases = []cacheTestCase{
 				test.MX("mIEK.nL.	3601	IN	MX	10 aspmx2.googlemail.com."),
 			},
 		},
+		shouldCache: true,
 	},
 	{
 		Truncated: true,
@ -64,7 +67,8 @@ var cacheTestCases = []cacheTestCase{
 			Qname: "miek.nl.", Qtype: dns.TypeMX,
 			Answer: []dns.RR{test.MX("miek.nl.	1800	IN	MX	1 aspmx.l.google.com.")},
 		},
-		in: test.Case{},
+		in:          test.Case{},
+		shouldCache: false,
 	},
 	{
 		RecursionAvailable: true, Authoritative: true,
@ -82,6 +86,51 @@ var cacheTestCases = []cacheTestCase{
 				test.SOA("example.org. 3600 IN	SOA	sns.dns.icann.org. noc.dns.icann.org. 2016082540 7200 3600 1209600 3600"),
 			},
 		},
+		shouldCache: true,
+	},
+	{
+		RecursionAvailable: true, Authoritative: true,
+		Case: test.Case{
+			Qname: "miek.nl.", Qtype: dns.TypeMX,
+			Do: true,
+			Answer: []dns.RR{
+				test.MX("miek.nl.	3600	IN	MX	1 aspmx.l.google.com."),
+				test.MX("miek.nl.	3600	IN	MX	10 aspmx2.googlemail.com."),
+				test.RRSIG("miek.nl.	3600	IN	RRSIG	MX 8 2 1800 20160521031301 20160421031301 12051 miek.nl. lAaEzB5teQLLKyDenatmyhca7blLRg9DoGNrhe3NReBZN5C5/pMQk8Jc u25hv2fW23/SLm5IC2zaDpp2Fzgm6Jf7e90/yLcwQPuE7JjS55WMF+HE LEh7Z6AEb+Iq4BWmNhUz6gPxD4d9eRMs7EAzk13o1NYi5/JhfL6IlaYy qkc="),
+			},
+		},
+		in: test.Case{
+			Qname: "miek.nl.", Qtype: dns.TypeMX,
+			Do: true,
+			Answer: []dns.RR{
+				test.MX("miek.nl.	3600	IN	MX	1 aspmx.l.google.com."),
+				test.MX("miek.nl.	3600	IN	MX	10 aspmx2.googlemail.com."),
+				test.RRSIG("miek.nl.	1800	IN	RRSIG	MX 8 2 1800 20160521031301 20160421031301 12051 miek.nl. lAaEzB5teQLLKyDenatmyhca7blLRg9DoGNrhe3NReBZN5C5/pMQk8Jc u25hv2fW23/SLm5IC2zaDpp2Fzgm6Jf7e90/yLcwQPuE7JjS55WMF+HE LEh7Z6AEb+Iq4BWmNhUz6gPxD4d9eRMs7EAzk13o1NYi5/JhfL6IlaYy qkc="),
+			},
+		},
+		shouldCache: false,
+	},
+	{
+		RecursionAvailable: true, Authoritative: true,
+		Case: test.Case{
+			Qname: "example.org.", Qtype: dns.TypeMX,
+			Do: true,
+			Answer: []dns.RR{
+				test.MX("example.org.	3600	IN	MX	1 aspmx.l.google.com."),
+				test.MX("example.org.	3600	IN	MX	10 aspmx2.googlemail.com."),
+				test.RRSIG("example.org.	3600	IN	RRSIG	MX 8 2 1800 20170521031301 20170421031301 12051 miek.nl. lAaEzB5teQLLKyDenatmyhca7blLRg9DoGNrhe3NReBZN5C5/pMQk8Jc u25hv2fW23/SLm5IC2zaDpp2Fzgm6Jf7e90/yLcwQPuE7JjS55WMF+HE LEh7Z6AEb+Iq4BWmNhUz6gPxD4d9eRMs7EAzk13o1NYi5/JhfL6IlaYy qkc="),
+			},
+		},
+		in: test.Case{
+			Qname: "example.org.", Qtype: dns.TypeMX,
+			Do: true,
+			Answer: []dns.RR{
+				test.MX("example.org.	3600	IN	MX	1 aspmx.l.google.com."),
+				test.MX("example.org.	3600	IN	MX	10 aspmx2.googlemail.com."),
+				test.RRSIG("example.org.	1800	IN	RRSIG	MX 8 2 1800 20170521031301 20170421031301 12051 miek.nl. lAaEzB5teQLLKyDenatmyhca7blLRg9DoGNrhe3NReBZN5C5/pMQk8Jc u25hv2fW23/SLm5IC2zaDpp2Fzgm6Jf7e90/yLcwQPuE7JjS55WMF+HE LEh7Z6AEb+Iq4BWmNhUz6gPxD4d9eRMs7EAzk13o1NYi5/JhfL6IlaYy qkc="),
+			},
+		},
+		shouldCache: true,
 	},
 }

@ -93,7 +142,7 @@ func cacheMsg(m *dns.Msg, tc cacheTestCase) *dns.Msg {
 	m.Truncated = tc.Truncated
 	m.Answer = tc.in.Answer
 	m.Ns = tc.in.Ns
-	//	m.Extra = tc.in.Extra , not the OPT record!
+	// m.Extra = tc.in.Extra don't copy Extra, because we don't care and fake EDNS0 DO with tc.Do.
 	return m
 }

@ -107,6 +156,9 @@ func newTestCache(ttl time.Duration) (*Cache, *ResponseWriter) {
 }

 func TestCache(t *testing.T) {
+	now, _ := time.Parse(time.UnixDate, "Fri Apr 21 10:51:21 BST 2017")
+	utc := now.UTC()
+
 	c, crr := newTestCache(maxTTL)

 	log.SetOutput(ioutil.Discard)
@ -116,15 +168,18 @@ func TestCache(t *testing.T) {
 		m = cacheMsg(m, tc)
 		do := tc.in.Do

-		mt, _ := response.Typify(m)
+		mt, _ := response.Typify(m, utc)
 		k := key(m, mt, do)
+
 		crr.set(m, k, mt, c.pttl)

 		name := middleware.Name(m.Question[0].Name).Normalize()
 		qtype := m.Question[0].Qtype
+
 		i, ok, _ := c.get(name, qtype, do)
-		if ok && m.Truncated {
-			t.Errorf("Truncated message should not have been cached")
+
+		if ok != tc.shouldCache {
+			t.Errorf("cached message that should not have been cached: %s", name)
 			continue
 		}