* cache: default to DNSSEC
This change does away with the DNS/DNSSEC distinction the cache
currently makes. Cache will always make coredns perform a DNSSEC query
and store that result. If a client just needs plain DNS, the DNSSEC
records are stripped from the response.
It should also be more memory efficient, because we store a reply once
and not one DNS and another for DNSSEC.
Fixes: #3836
Signed-off-by: Miek Gieben <miek@miek.nl>
* Change OPT RR when one is present in the msg.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Fix comment for isDNSSEC
Signed-off-by: Miek Gieben <miek@miek.nl>
* Update plugin/cache/handler.go
Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
* Update plugin/cache/item.go
Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
* Code review; fix comment for isDNSSEC
Signed-off-by: Miek Gieben <miek@miek.nl>
* Update doc and set AD to false
Set Authenticated Data to false when DNSSEC was not wanted. Also update
the readme with the new behavior.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Update plugin/cache/handler.go
Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
* Make request.Request smaller
This makes the request struct smaller and removes the pointer to the do
boolean (tri-bool) as size == 0 will indicate if we have cached it.
Family can be a int8 because it only carries 3 values, Size itself is
just a uint16 under the covers.
This is a more comprehensive fix than #3292Closes#3292
Signed-off-by: Miek Gieben <miek@miek.nl>
* cache: fix test
this now needs a valid response writter
Signed-off-by: Miek Gieben <miek@miek.nl>
Ditch our truncation code and use the upstream one in miekg/dns.
This saves code on our end, end upstream is also more efficient as every
RR is Len-ed only once. With our bin-search this is not guaranteed.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Remove context.Context from request.Request
This removes the context from request.Request and makes all the changes
in the code to make it compile again. It's all mechanical. It did
unearth some weirdness in that the context was kept in handler structs
which may cause havoc with concurrently handling of requests.
Fixes#2721
Signed-off-by: Miek Gieben <miek@miek.nl>
* Make test compile
Signed-off-by: Miek Gieben <miek@miek.nl>
* core: edns0 tweaks
Per comment thread in https://github.com/coredns/coredns/pull/2357 which
spotted a bug; updated the code and added some comments.
This function should probably be redone as some point or made obsolete.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Remove setting options when m is EDNS0 record
Assume upstream set them correctly or a plugin.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Fix EDNS0 compliance
Do SizeAndDo in the server (ScrubWriter) and remove all uses of this
from the plugins. Also *always* do it. This is to get into compliance
for https://dnsflagday.net/.
The pkg/edns0 now exports the EDNS0 options we understand; this is
exported to allow plugins add things there. The *rewrite* plugin used
this to add custom EDNS0 option codes that the server needs to
understand.
This also needs a new release of miekg/dns because it triggered a
race-condition that was basicly there forever.
See:
* https://github.com/miekg/dns/issues/857
* https://github.com/miekg/dns/pull/859
Running a test instance and pointing the https://ednscomp.isc.org/ednscomp
to it shows the tests are now fixed:
~~~
EDNS Compliance Tester
Checking: 'miek.nl' as at 2018-12-01T17:53:15Z
miek.nl. @147.75.204.203 (drone.coredns.io.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
miek.nl. @2604:1380:2002:a000::1 (drone.coredns.io.): dns=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok optlist=ok
All Ok
Codes
ok - test passed.
~~~
Signed-off-by: Miek Gieben <miek@miek.nl>
Signed-off-by: Miek Gieben <miek@miek.nl>
* typos in comments
Signed-off-by: Miek Gieben <miek@miek.nl>
* fix truncation bug
* Generate records with generic RRs
* Remove SoundCloud from test name
* Comment for binary-search -1 adjustment
Explain why the binary search may have exited with
a reply size that is too large by one record.
* Refactor to remove sub variable
patch suggested by miek removes unnecessary sub
variable for removing a single line from the
reply.Extra length.
* server: actually scrub response
Did all the worked, hooked it up wrongly :(
This also needs test, but those are hard(er) because we only receive
packets after they have been decoded; i.e. we never see the wirefmt.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Add tests
Add a test for checking is compression pointers are set in the packet.
This also adds an undocumented 'large' feature to the erratic plugin to
send large responses that should be compressed.
Commenting the Scrub out in server results in:
=== RUN TestCompressScrub
--- FAIL: TestCompressScrub (0.00s)
compression_scrub_test.go:41: Expected returned packet to be < 512, got 839
FAIL
exit status 1
FAIL github.com/coredns/coredns/test 0.036s
Actually checking the size might be easier, but lets be thorough here
and check the pointers them selves.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Fix tests
Signed-off-by: Miek Gieben <miek@miek.nl>
* plugin erratic: fix e.large
always put an rr in the reply, fix e.large in erractic and add test to
check for it.
Signed-off-by: Miek Gieben <miek@miek.nl>
Every plugin needs to deal with EDNS0 and should call Scrub to make a
message fit the client's buffer. Move this functionality into the server
and wrapping the ResponseWriter into a ScrubWriter that handles these
bits for us. Result:
Less code and faster, because multiple chained plugins could all be
calling scrub and SizeAndDo - now there is just one place.
Most tests in file/* and dnssec/* needed adjusting because in those unit
tests you don't see OPT RRs anymore. The DNSSEC signer was also looking
at the returned OPT RR to see if it needed to sign - as those are now
added by the server (and thus later), this needed to change slightly.
Scrub itself still exist (for backward compat reasons), but has been
made a noop. Scrub has been renamed to scrub as it should not be used by
external plugins.
Fixes: #2010
Signed-off-by: Miek Gieben <miek@miek.nl>
* Add regression test for broken DNS truncation
With the latest changes to the implementation, request.Scrub() returns
invalid response messages which are larger than the advertised buffer
size. This commit adds a failing test for that.
* Add benchmark for response truncation
* request: re-adjust size for edns0 RR
Cherry-picked the test and benchmark commits from #1962 and make the
failing test not fail, by adding minimal fix in request.go.
This makes size 12 bytes smaller if we need to add back the OPT RR in
the message.
Closes: #1962
Signed-off-by: Miek Gieben <miek@miek.nl>
* Scrub: correctly check for EDNS0, not only Do
Make Scrub check for EDNS0, not only if the Do bit is set.
Signed-off-by: Miek Gieben <miek@miek.nl>
* request: add LocalIP
Fix TODO that was added: Add LocalIP and test the Clear() method.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Move to Errorf
PR feedback and move to Errorf instead Fatalf.
Signed-off-by: Miek Gieben <miek@miek.nl>
This was done anyway, but only deep in the functions, just do this
everywhere; allows for shorter code and request.Request allows for
caching as well.
Cleanups, make it more Go like.
* remove unneeded switches
* remove testdir (why was this there??)
* simplify the logic
* remove unneeded variables
* put short functions on a single line
* fix documentation.
* spin off wire funcs in wire.go, make them functions.
Signed-off-by: Miek Gieben <miek@miek.nl>
* Remove Compress by default
Set Compress = true in Scrub only when the message doesn not fit the
advertized buffer. Doing compression is expensive, so try to avoid it.
Master vs this branch
pkg: github.com/coredns/coredns/plugin/cache
BenchmarkCacheResponse-2 50000 24774 ns/op
pkg: github.com/coredns/coredns/plugin/cache
BenchmarkCacheResponse-2 100000 21960 ns/op
* and make it compile
* request.Scrub: test for rl==size case
Make a test case for the new break statement in Scrub and also
account for the OPT record that may get re-added in SizeAndDo() -
otherwise we may break clients that expect this.
* Fix comment
* doc: some function/vars/const/package level updates
Various update that stood out while reading godoc.org for CoreDNS.
* Fix some misspellings as well
Use binary search to find the minimal message size, that contains whole
RRs and fits the client's buffer. This is better then just setting
entire sections to `nil`. Extend the tests to test for additional and
answer section truncation. In the first case we *don't* set the TC bit.
This function now also set Compression to true.
* Fix truncation of messages longer than permitted by the client
CoreDNS currently doesn't respect the maximum response size advertised
by the client and returns the full answer on a message with the TC bit
set. This breaks client implementations which rely on DNS servers
respecting the advertised size limit, for example the Ruby stdlib
client. It also has negative network performance implications, as large
messages will be split up into multiple UDP packets, even though the
client will discard the truncated response anyway.
While RFC 2181 permits the response of partial RRSets, finding the
correct number of records fitting into the advertised response size is
non-trivial. As clients should ignore truncated messages, this change
simply removes the full RRSet on truncated messages.
* Remove incorrect etcd test assertion
If a client requests a TXT record larger than its advertised buffer
size, a DNS server should _not_ respond with the answer, but truncate
the message and set the TC bit, so that the client can retry using TCP.
* Rename middleware to plugin
first pass; mostly used 'sed', few spots where I manually changed
text.
This still builds a coredns binary.
* fmt error
* Rename AddMiddleware to AddPlugin
* Readd AddMiddleware to remain backwards compat
Check for a nil message and if we have a question section. Request is
usually called with an external Msg that already saw validation checks,
but we may also call it from message we create of our own, that may or
may not adhire to this. Just be more robust in this case.
This PR reverts a previous commit that was applied to master.
* Add unit tests & cnames
* more progress
* fix
* next mw dependent unit tests
* add tests for OnNXDOMAIN
* Add AAAA and ndots unit tests; fix request.NewWithQuestion
* Correct default value in README
* add CNAMEs to readme
* review
* fix autopath examples
* fix and test CNAME response order
Fix the unknown flags handling when receiving such message. We should
zero out all of the Z bits in the OPT record before returning.
Current behavior:
dig +norec +noad +ednsflags=0x80 soa miek.nl @deb.atoom.net
...
; EDNS: version: 0, flags:; MBZ: 0080 , udp: 4096
New:
dig +norec +noad +ednsflags=0x80 soa miek.nl @localhost -p 2053
...
; EDNS: version: 0, flags:; udp: 4096
Take care no to overwrite the Do bit.
We still accept *all* EDNS option; I do not consider that a bug in
itself.
Fixes#306
Cleanup the errors and removed deadcode along the way. The leaves
some error laying around, mostly about commenting exported identifier.
We should look hard if those really are needed.
Move all (almost all) Go files in middleware into their
own packages. This makes for better naming and discoverability.
Lot of changes elsewhere to make this change.
The middleware.State was renamed to request.Request which is better,
but still does not cover all use-cases. It was also moved out middleware
because it is used by `dnsserver` as well.
A pkg/dnsutil packages was added for shared, handy, dns util functions.
All normalize functions are now put in normalize.go
