Bogus SERVFAIL and Test updates

lib/resolver/recursive.js

@@ -143,6 +143,13 @@ class RecursiveResolver extends DNSResolver {
 
     rc.hops = child.hops;
 
+    if (res.code === codes.SERVFAIL) {
+      rc.bogus = true;
+      rc.chain = false;
+      rc.ds = [];
+      return null;
+    }
+
     if (res.code !== codes.NOERROR)
       throw new Error('Authority lookup failed.');
 
@@ -362,6 +369,7 @@ class RecursiveResolver extends DNSResolver {
     if (rc.hit) {
       if (!rc.res.ad) {
         this.log('Trust chain broken due to cache.');
+        rc.bogus = true;
         rc.chain = false;
         rc.ds = [];
         return;
@@ -381,6 +389,7 @@ class RecursiveResolver extends DNSResolver {
 
     if (!await this.checkSignatures(rc.res, rc.auth, rc.ds)) {
       this.log('Trust chain broken due to lack of child verification.');
+      rc.bogus = true;
       rc.chain = false;
       rc.ds = [];
     }
@@ -422,6 +431,7 @@ class RecursiveResolver extends DNSResolver {
 
         if (!nsec3.verifyNoData(rc.qs, nsec)) {
           this.log('Trust chain broken due to missing NSEC coverage.');
+          rc.bogus = true;
           rc.chain = false;
           rc.ds = [];
         } else {
@@ -448,6 +458,7 @@ class RecursiveResolver extends DNSResolver {
 
       if (!nsec3.verifyDelegation(auth.zone, nsec)) {
         this.log('Trust chain broken due to bad delegation.');
+        rc.bogus = true;
         rc.chain = false;
         rc.ds = [];
       } else {
@@ -493,6 +504,7 @@ class RecursiveResolver extends DNSResolver {
 
       if (!nsec3.verifyNameError(rc.qs, nsec)) {
         this.log('Trust chain broken due to bad NX proof.');
+        rc.bogus = true;
         rc.chain = false;
         rc.ds = [];
       } else {
@@ -601,6 +613,7 @@ class ResolveContext {
     this.chased = [];
     this.ds = [];
     this.chain = true;
+    this.bogus = false;
     this.res = null;
     this.hit = false;
     this.maxReferrals = 30;
@@ -642,6 +655,14 @@ class ResolveContext {
     res.ra = true;
     res.ad = this.chain;
     res.question = [this.question];
+
+    // Return SERVFAIL without records if bogus
+    if (this.bogus) {
+      res.code = codes.SERVFAIL;
+      res.ad = false;
+      return res;
+    }
+
     res.answer = this.res.answer.slice();
     res.authority = this.res.authority.slice();
     res.additional = this.res.additional.slice();

lib/resolver/ub.js

@@ -250,6 +250,19 @@ class UnboundResolver extends EventEmitter {
 
     let msg;
 
+    // Return SERVFAIL without records if bogus
+    if (result.bogus) {
+      msg = new Message();
+      msg.id = 0;
+      msg.opcode = opcodes.QUERY;
+      msg.code = constants.codes.SERVFAIL;
+      msg.qr = true;
+      msg.ra = true;
+      msg.ad = false;
+      msg.question = [qs.clone()];
+      return msg;
+    }
+
     if (result.answerPacket) {
       msg = Message.decode(result.answerPacket);
     } else {
@@ -263,7 +276,7 @@ class UnboundResolver extends EventEmitter {
       msg.question = [qs.clone()];
     }
 
-    if (result.secure && !result.bogus)
+    if (result.secure)
       msg.ad = true;
     else
       msg.ad = false;

test/data/com-response.zone

@@ -12,4 +12,4 @@ com. 172800 IN NS k.gtld-servers.net.
 com. 172800 IN NS l.gtld-servers.net.
 com. 172800 IN NS m.gtld-servers.net.
 com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766  ; alg = RSASHA256 ; hash = SHA256
-com. 86400 IN RRSIG DS 8 1 86400 20180815050000 20180802040000 41656 . 0rCZPgC5uy59E8NFIthfPIfD0h0FgIZ7hgOJ3utHZT1FGORI7nkQrtAx MM0y82ZLtjc6mnsC+AJCSVFl1z+t0XI4WGXlMGjfDZujaAe32T+pso0y /nsbqKdeildsye+SLnHL1Ns4c27tWzR5liCKQji6VsN1+ztkZDypZ2M/ EIQRJYHWk9h/3bbJPNwEreSOJZfDfIDbRaRWLbU8MoVUTSXF6IyMruzf mkuo7saOqudtMGGHJcFIaRbwTdXhUQwQQO6u83vDUeXQoh6l7xovGYir l2hdi9zie5HL+S77K2ZZhs7VR+jZ6tS4E+SfjqOuaAb/rJo+qJMQtSLQ m21acw==  ; alg = RSASHA256
+com. 86400 IN RRSIG	DS 8 1 86400 20220602050000 20220520040000 47671 . Va+WNedJ9QRG9sZ4cxvoCAE1deMoKg9c9lEFoSxetL/DG852xwkgdK8g HtXKiaNOlJUyhO3TUwRC1Vc8YaB/pVFmYtaFwUfLMeWfcDw0z9OXrAfa Fd7zRP84vtoiol3FW6rjPur0wKZvFWnb+hvzehiE8hrOcxk6ro1zzStv I+XZkOcRreb2GvwFpVVIB1ZGIB4kJXSk5tp4K8CMy9P0wh59+u/d5kHO tNWDF/7NgcvSt+uh0gEg9+7QT/6BY0nh6Zpx8AtKPfuMPNp3sOc5POJf MDX6iEOMhOfPTy5dRVnkuCvT4U042OG7/GJ9BpoaWY4Jw0yZEMvjRlc1 EWYA1w==  ; alg = RSASHA256

test/data/nx-response.zone

@@ -1,37 +1,47 @@
 . 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
-  2018080200 1800 900 604800 86400
+  2022052000 ; serial
+  1800       ; refresh (30 minutes)
+  900        ; retry (15 minutes)
+  604800     ; expire (1 week)
+  86400      ; minimum (1 day)
 )
 
-. 86400 IN RRSIG SOA 8 0 86400 20180815050000 20180802040000 41656 . (
-  X/yeZjlX2H6BugnNCekXYRXSNkzq8zW7XKfRyBq0F9Z0aZ+BGcUNSRWG
-  rrHXDWfcTSDTBlWq0Vq7Bec5ZOvDwRm1anCWhG0wejliC3rxhCK4O+Eg
-  LelKscLA99K3jaKL3CKRRVitk08IRGxHCX725kk+GAR3/gWQnhXmO3DM
-  vmC5DVWCMCa3Jywnij4CsoaNqMczm/KKztk/i/lRlw0h+nVND73fgRMc
-  0NDXkv/oJJo9zzk877nfvS1B0fNwmgwRjA6Luj753u5VDYbpxDjUxXXn
-  eklu1LBO0SMvCk2opUvB5ADJ5JCYRvmB4Rll42vaB6gUbuJOoOTnY/tU
-  KgV9gg==
+. 86400 IN RRSIG SOA 8 0 86400 (
+  20220602050000 20220520040000 47671 .
+  bvUewu1um6qEOYW/RfneRkyuHouyMKg0U582CRcfo0hz
+  ehQpxsjQlqNUELR/4XvSFvvkJb7IRHiYz9bbakcM6E36
+  3KFlTuRo0tEmkPIqu6iTQVE45dk2bA4HEOIJMdm3gcHb
+  IzWLEdLkdkNpwOROjmlzUnkpeV3hnBZsjxI2aoRYvYyF
+  f3pek5tUBS5OpaHRBpGJXj6PSx85R6b83EzPWcCJyOR1
+  kYy0mw55aApNj3W+WkaldliLwxcPslbQ5HRuMzu7U9Yf
+  NQruySpjwunHeh3oYPqUVYCbQMyodLyOE8JLrW/nbs4/
+  2lGdQqRCjjH1MKlKkI54DrFNKT4VIuEfog==
 )
 
 id. 86400 IN NSEC ie. NS DS RRSIG NSEC
 
-id. 86400 IN RRSIG NSEC 8 1 86400 20180815050000 20180802040000 41656 . (
-  TkoEX0Eb9ObbVUvZ7CzCTIOSg6dF/IQMWwUFOyXxL2jwZiEGOpMw6YDY
-  yGl1rl5SD3zXd3/Gs0XICu4DA7E3PALCWttwRC5K47qBqx5RgfL53rT9
-  r0wINeuf0hhtYGJKvOxXOxqnzrop48xWbpFBu/ftA1CeRsNxqqyWbGzQ
-  QFoArL+kdbFbivyUDFWHXBdwZ8t7iN1APhHf9R0ZNR2CRMqeTw4C/Bls
-  aF26wviT+6TkkQBcLYPlUnZWj+R1eJjA5hlUvvjY53x9EYapIpr+qf49
-  QyUq/H3QtdNrrU+pNcbxuJby0jB+txvrAQfWXJ0hXYqHUnMqfQIny/gN
-  ihwlkA==
+id. 86400 IN RRSIG NSEC 8 1 86400 (
+  20220602050000 20220520040000 47671 .
+  eB2ROSRfRIq739VKcBWxzLszRPhv+Wsqbrt0s5DDLmQF
+  uKnPm6CBJcYKu0RCpzqZXnbfPmy1r0UHH27FO1lDnKCq
+  lZkb/kFyoBNkaYaNEzmaMFaadiU8J2ts+FB1Dn5AVHFw
+  cJwah83vlM+4UItG3myL18danlw4+qrBe92QyxVO9TD9
+  sGAMWzSAGB3yB1rYCSwbbQi+l86wd1gxC5Zqs/ODO5JJ
+  0riW05+oknXvwOg++3i4squ5u+v3rhkAsrx4OPU5Bj31
+  XNJSdEMQxqjsJdbjnh17kQ3Vn7Musca04EUwDahNEBne
+  9TbOkr4jhJep2boleRMJAI03UBXwce/ZPw==
 )
 
 . 86400 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
 
-. 86400 IN RRSIG NSEC 8 0 86400 20180815050000 20180802040000 41656 . (
-  gyyjLKjueKD4ho7bMZJ5Vvlxf7y0sDz9uzHCV4w06zNtCzMNkrkjKYR+
-  z0UsoNBHaSSKU1HfIVZCr7VDnrT9V68CAG1Ry4qXJZiNudmXNVkNhMJw
-  fBEIhiTiQpW8XxdRuaQz1aPSmI4uViiJ2mxjoBysSqJY3wrjK5sa/7dL
-  T+LEdEBchPDQPQqLFCAfkjgaCXIn8iqtegqSbrjhMXkSq3E43Gw5YHnE
-  rw+dgI4osARUMP1MdsWUH9CAsa0hXsXA/MJUgr2RYmdLdghZHPZPiCwf
-  cGS7GqyJ2LHm+5twVDcsVnQzRDwoaoFG6i49bq75/qAWB1gmKs0kzd6I
-  0kyi7A==
+. 86400 IN RRSIG NSEC 8 0 86400 (
+  20220602050000 20220520040000 47671 .
+  TL8iwe+HyOXXOI+AdqcRM5TFBJvJm4ujN/lCNzrMtz9w
+  BV7V8js7CYWEj6+NCf2i6DMlD4X66u9FEr4Sy+mAqvcJ
+  cyLLAqQ4A0RChxdM94Jcm4lriqsvzYUBB4uJ9kmV4zCg
+  InXGWg9G9it9UZ0Lj9HxOrOhNNf/cp3kHtc4n1TOqZDe
+  p8iawdb6YrVLaAmp1Dvpta0syr6uPEPsCCUfApBmHXbM
+  6F5dDLEOYy34uQiPDDmtx7fJf6mNI6PCKyvK97f9D3JI
+  TlQmHDZP0ru10SAxGAOEBa9cyLpXC8V8GYIsKAdYiPHU
+  FeVfXknrOb0Ze0PJKGwguZeKcPkKmGYfwQ==
 )