From 9fcc028f5c222faf8ff2f7026816e4ba3debaef3 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 17 Feb 2022 17:11:26 +1100 Subject: [PATCH] Skip calling find_coveringnsec if we found a DNAME This is an optimisation as we can skip a lot of pointless work when we know there is a DNAME there. When we have a partial match and a DNAME above the QNAME, the closest encloser has the same owner as the DNAME, will have the DNAME bit set in the type map, and we wouldn't use it as we would return the DNAME + RRSIG(DNAME) instead. So there is no point in looking for it nor in attempting to check that it is valid for the QNAME.
---
 lib/dns/rbtdb.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 94b557fc05..e2af9a4ea2 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -3101,6 +3101,10 @@ setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
 rbtdb_rdatatype_t type;
 dns_rbtnode_t *node;
+ REQUIRE(search != NULL);
+ REQUIRE(search->zonecut != NULL);
+ REQUIRE(search->zonecut_rdataset != NULL);
+
 /*
 * The caller MUST NOT be holding any node locks.
 */
@@ -4914,6 +4918,8 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
 search.need_cleanup = false;
 search.wild = false;
 search.zonecut = NULL;
+ search.zonecut_rdataset = NULL;
+ search.zonecut_sigrdataset = NULL;
 dns_fixedname_init(&search.zonecut_name);
 dns_rbtnodechain_init(&search.chain);
 search.now = now;
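Review bot: The `REQUIRE` lines added at the top of `setup_delegation` need a comment stating the invariant they enforce, because a failed `REQUIRE` aborts the process and this function appears to sit on a lookup path. The callers are outside this hunk, so it should be confirmed that each of them sets `search->zonecut` and `search->zonecut_rdataset` together before calling; if any query-driven path can arrive with one of them unset, the assertion becomes a reachable crash. Suggested comment above the checks: `/* Callers must have recorded both the zonecut node and its rdataset header. */`. The body of `setup_delegation` continues past the end of the hunk.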
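Review bot: The two NULL assignments added to `cache_find` should be mirrored wherever else an `rbtdb_search_t` is filled in field by field; no other such site is visible in this patch. The reason is that `setup_delegation` now asserts `zonecut_rdataset != NULL` and the `DNS_R_PARTIALMATCH` hunk dereferences it, and an uninitialised stack pointer would satisfy both checks by accident. A one-line comment such as `/* Stays NULL unless the zonecut callback records a header. */` on the first assignment would make the dependency explicit (the callback's behaviour is inferred, not shown here). The initialisation sequence starts before and continues after the hunk.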
@@ -4932,7 +4938,14 @@ cache_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
 cache_zonecut_callback, &search);
 if (result == DNS_R_PARTIALMATCH) {
- if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0) {
+ /*
+ * If dns_rbt_findnode discovered a covering DNAME skip
+ * looking for a covering NSEC.
+ */
+ if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0 &&
+ (search.zonecut_rdataset == NULL ||
+ search.zonecut_rdataset->type != dns_rdatatype_dname))
+ {
 result = find_coveringnsec(&search, name, nodep, now, foundname, rdataset, sigrdataset);
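Review bot: The new comment in the `DNS_R_PARTIALMATCH` branch says why `find_coveringnsec` is skipped but not what is returned instead, and the diffstat shows no test for the branch. `result` is left as `DNS_R_PARTIALMATCH` when the call is skipped, so the code after this hunk is relied on to hand back the DNAME; adding `* The DNAME and its RRSIG are returned by the zonecut handling below.` to the comment would record that (to be confirmed against the code that follows). A regression test with a cached DNAME above the QNAME and `DNS_DBFIND_COVERINGNSEC` set would pin the skipped path. The `if` body and the enclosing block run past the end of the hunk.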