[PR #2919] [MERGED] Fix QNAME minimization behavior #3421

Closed
opened 2026-03-16 11:42:49 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hickory-dns/hickory-dns/pull/2919
Author: @divergentdave
Created: 4/9/2025
Status: Merged
Merged: 4/11/2025
Merged by: @djc

Base: main ← Head: david/rfc9156


📝 Commits (4)

  • 55c9a12 Add test for bug in QNAME minimization handling
  • 7c4ff2f Simplify re-query with longer name, fix CNAME bug
  • 9f8b676 Add a short-circuit for NXDOMAIN responses
  • 7e5a1f1 Add a short-circuit for timeouts

📊 Changes

4 files changed (+104 additions, -38 deletions)


📝 conformance/packages/conformance-tests/src/resolver/dns.rs (+1 -0)
➕ conformance/packages/conformance-tests/src/resolver/dns/rfc9156.rs (+54 -0)
📝 crates/recursor/src/error.rs (+13 -0)
📝 crates/recursor/src/recursor_dns_handle.rs (+36 -38)

📄 Description

This simplifies the recursor's logic, and fixes #2788. A conformance test is included that reproduces the original issue.

Currently ns_pool_for_zone() includes a loop that follows "SOA referrals", but this seems to be a non-standard concept. What it was doing, in effect, was taking negative responses for NS queries and using the SOA owner name to get a different name server pool. However, in a well-constructed zone, this should produce an ancestor of the name we just queried for, and the tower of recursive ns_pool_for_zone() calls has already constructed a name server pool for that ancestor. Therefore, we can keep passing the parent zone's pool to the caller until we either get another referral or return to resolve() and run the original query against the pool. We do this when the NS query either returns any error or returns zero NS records (fixing the CNAME-related bug). This now better aligns with the algorithm from RFC 9156, because we effectively try again with a longer name in these cases, via the recursive calls already on the stack.

In the last commit, I implemented a short-circuit for when we get an NXDOMAIN response to one of the minimized NS queries. The algorithm in RFC 9156 mentions this in the context of interactions with RFC 8020.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
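
A toy model of the behaviour the description outlines, added here as an example; it is not hickory-dns code and not taken from the PR. The zone data, the pool names and the functions `ns_query` and `pool_for` are constructed for illustration. A referral switches pools, an error or an answer with zero NS records keeps the parent's pool so the next, longer name is tried against it, and NXDOMAIN stops the walk.

```rust
// Toy model of RFC 9156-style QNAME minimization; not hickory-dns code.
#[derive(Debug, PartialEq)]
enum NsAnswer {
    Referral(&'static str), // NS records: switch to the child zone's pool
    NoNs,                   // NOERROR with zero NS records (NODATA or a CNAME)
    Failed,                 // any other error for the NS query
    NxDomain,               // name does not exist, so nothing below it does
}

// Constructed zone data: what `pool` answers for "NS name".
fn ns_query(pool: &str, name: &str) -> NsAnswer {
    match (pool, name) {
        ("root", "test.") => NsAnswer::Referral("test-servers"),
        ("test-servers", "example.test.") => NsAnswer::Referral("example-servers"),
        ("example-servers", "www.example.test.") => NsAnswer::NoNs, // CNAME owner
        ("example-servers", "flaky.example.test.") => NsAnswer::Failed,
        ("example-servers", "a.flaky.example.test.") => NsAnswer::NoNs,
        _ => NsAnswer::NxDomain,
    }
}

// Returns the pool to use for `zone`, logging each minimized NS query sent.
fn pool_for(zone: &str, sent: &mut Vec<String>) -> Result<&'static str, String> {
    if zone == "." {
        return Ok("root");
    }
    // Parent name: drop the leftmost label ("a.b." -> "b.", "b." -> ".").
    let parent = match zone.split_once('.') {
        Some((_, rest)) if !rest.is_empty() => rest,
        _ => ".",
    };
    let parent_pool = pool_for(parent, sent)?; // NXDOMAIN above us ends the walk
    sent.push(format!("{parent_pool} <- NS {zone}"));
    match ns_query(parent_pool, zone) {
        NsAnswer::Referral(child_pool) => Ok(child_pool),
        // Keep the parent's pool; the caller retries with a longer name.
        NsAnswer::NoNs | NsAnswer::Failed => Ok(parent_pool),
        NsAnswer::NxDomain => Err(format!("NXDOMAIN at {zone}")),
    }
}

fn main() {
    let mut sent = Vec::new();
    println!("{:?} via {:?}", pool_for("www.example.test.", &mut sent), sent);
}
```
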
