When serve_stale is enabled, a cached SERVFAIL in ncache shadows a valid
positive entry in pcache because ncache is always checked first. SERVFAIL
is transient and should not mask a known-good answer.
When the ncache hit is a SERVFAIL, check pcache for a valid entry before
returning the SERVFAIL. NXDOMAIN and NODATA are unaffected and still
follow the existing ncache-first lookup per RFC 2308.
Fixes#7956
Signed-off-by: umut-polat <52835619+umut-polat@users.noreply.github.com>
* Added fs.FileInfo.ModTime() based reload feature
Signed-off-by: Endre Szabo <git@end.re>
* Updated the plugin documentation.
Signed-off-by: Endre Szabo <git@end.re>
---------
Signed-off-by: Endre Szabo <git@end.re>
* plugin/dnstap: added incoming connection support feature to dnstap plugin
Signed-off-by: Endre Szabo <git@end.re>
* fixed problems pointed out by ci linter
Signed-off-by: Endre Szabo <git@end.re>
---------
Signed-off-by: Endre Szabo <git@end.re>
The miekg/dns zone parser preserves whichever text form the input
used for an escaped byte. RFC 1035 §5.1 lets the same byte appear
as \DDD (decimal) or \c (literal character), so a zone file
written with has\046dot.campus.edu. is stored under that literal
string. Incoming queries, by contrast, arrive on the wire and are
unpacked by miekg/dns into the canonical form has\.dot.campus.edu.
The two strings don't compare equal in the tree, so the record is
silently unreachable.
Pack-then-unpack the owner name on Insert so the stored key uses
the same canonical form as anything that comes off the wire. Only
runs when the name contains a backslash, so the common case is a
no-op string compare.
Fixes#8012
Signed-off-by: Charlie Tonneslan <cst0520@gmail.com>
* core: Add full TSIG verification in DoH transport
This PR add full TSIG verification in DoH using dns.TsigVerify()
7943
---------
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
When using the view plugin, filtered and unfiltered server blocks can
share the same zone and port. The zone overlap validation rejected this
configuration when the unfiltered block was not declared last, because
filtered configs treated an already-registered zone as an error.
Skip the 'already defined' check for configs that have filter functions,
since they are expected to coexist with an unfiltered catch-all block on
the same zone/port.
Fixes#7733
Signed-off-by: umut-polat <52835619+umut-polat@users.noreply.github.com>
Extend the tsig plugin to require TSIG signatures based on DNS opcodes,
similar to the existing qtype-based requirement.
The new require_opcode directive accepts opcode names (QUERY, IQUERY,
STATUS, NOTIFY, UPDATE) or the special values "all" and "none".
This is useful for requiring TSIG on dynamic update (UPDATE) or zone
transfer notification (NOTIFY) requests while allowing unsigned queries.
Example:
```
tsig {
secret key. NoTCJU+DMqFWywaPyxSijrDEA/eC3nK0xi3AMEZuPVk=
require_opcode UPDATE NOTIFY
}
```
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
* plugin/transfter: Fix longestMatch to select the most specific zone correctly.
This PR Fix longestMatch to select the most specific zone correctly.The previous implementation used lexicographic string comparison, which could choose the wrong zone; this change selects the longest matching zone instead.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* Tie breaker
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* Fix
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
---------
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* core: Reject oversized GET dns query parameter of DoH
The DoH POST path limits request size using http.MaxBytesReader(..., 65536), but the GET path passes the dns query value directly to base64ToMsg() with no equivalent bound.
This PR adds length check.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* Fix
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
---------
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This PR fixes Fix case-sensitive zone handling in the transfer plugin for AXFR/IXFR, raised in 7898
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
