21 February 2018: Wouter
- Fix #3512: unbound incorrectly reports SERVFAIL for CAA query
when there is a CNAME loop.
+ - Fix validation for CNAME loops. When it detects a cname loop,
+ by finding the cname, cname in the existing list, it returns
+ the partial result with the validation result up to then.
19 February 2018: Wouter
- Fix #3505: Documentation for default local zones references
msg->rep->ns_numrrsets = 0;
msg->rep->ar_numrrsets = 0;
msg->rep->rrset_count = 0;
+ iq->response = msg;
iq->dp = NULL;
iq->refetch_glue = 0;
iq->query_restart_count++;
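Review bot: The added `iq->response = msg;` has no comment, and it is not obvious why a message whose section counts were just zeroed is stored as the response right before the query restart. Presumably it lets a later termination, such as the restart limit or loop detection, return the CNAMEs collected so far instead of an error. If so, a comment such as `/* keep the emptied msg as response so a CNAME loop can return the partial chain */` would record that. It is also worth confirming that every later reader of `iq->response` tolerates a message with no RRsets. The enclosing function starts and ends outside the hunk.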
; Expected result is defined by RFC 1034 section 3.6.2:
; CNAME chains should be followed and CNAME loops signalled as an error
+; but bug#3512: return partial contentes with NOERROR.
STEP 221002 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA DO SERVFAIL
+REPLY QR RD RA DO NOERROR
SECTION QUESTION
cyc2.example.com. IN A
+SECTION ANSWER
+example.com. 0 IN DNAME cyc2.example.net.
+cyc2.example.com. 0 IN CNAME cyc2.cyc2.example.net.
+cyc2.example.net. 0 IN DNAME example.com.
+cyc2.cyc2.example.net. 0 IN CNAME cyc2.example.com.
ENTRY_END
; ns1.example.com.
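Review bot: The comment above STEP 221002 now contradicts the expected reply. It still says RFC 1034 section 3.6.2 wants CNAME loops signalled as an error, while the check below accepts NOERROR with the partial chain, and the added line misspells "contents". Rewording the added line to `; but since bug #3512 the partial chain is returned with NOERROR.` would make the intended behaviour unambiguous for whoever next touches this fixture.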
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
+ trust-anchor-signaling: no
stub-zone:
name: "."
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION AUTHORITY
+ns.example.com. IN NSEC www.example.com. A RRSIG NSEC
+ns.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AE+zfHodyVCTnni/bur8IiUhTUtdac6ip/znrYYN0l1nqll1fon2+kQ=
+ENTRY_END
+
; response to DNSKEY priming query
ENTRY_BEGIN
MATCH opcode qtype qname
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN DS
+SECTION AUTHORITY
+www.example.com. IN NSEC z.example.com. CNAME RRSIG NSEC
+www.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AJ8hqdeoKtvR094y+0KjO6LkCe1SCs6z5YhuY2YZCmzvUiYHP9wiMTw=
+ENTRY_END
+
; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA DO SERVFAIL
+REPLY QR RD RA DO AD NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
+www.example.com. 3600 IN CNAME www.example.com.
+www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
+ trust-anchor-signaling: no
stub-zone:
name: "."
www.example.com. IN A
SECTION ANSWER
www.example.com. IN CNAME foo.example.com.
-www.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854}
+www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg=
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
foo.example.com. IN A
SECTION ANSWER
foo.example.com. IN CNAME www.example.com.
-foo.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC7kcWPsMnGbjvzj5UNnxQzM0YvnAhUAgxIKgs1huJHvcAP2Xt3p8Adpy/c= ;{id = 2854}
+foo.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AEEIVUwbtfcn2RP41l0PDO+Sk4YdJ0HyRVsgq20fJnrDDC6eFXFGqUg=
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA DO SERVFAIL
+REPLY QR RD RA DO AD NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
+www.example.com. 3600 IN CNAME foo.example.com.
+www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg= ;{id = 2854}
+foo.example.com. 3600 IN CNAME www.example.com.
+foo.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AEEIVUwbtfcn2RP41l0PDO+Sk4YdJ0HyRVsgq20fJnrDDC6eFXFGqUg= ;{id = 2854}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
+ trust-anchor-signaling: no
stub-zone:
name: "."
www.example.com. IN A
SECTION ANSWER
www.example.com. IN CNAME foo.example.com.
-www.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854}
+www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg=
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
foo.example.com. IN A
SECTION ANSWER
foo.example.com. IN CNAME bar.example.com.
-foo.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFFMlXuWrNL/8aYOl9U9WYjgif8gAAhUAqsC/xOXakHP1SYxMSLANziOik94= ;{id = 2854}
+foo.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AILRq+NAK+k+qCNJAmByoTAkGNveSHT+au0u360OeUa56b8zU7gi6+I=
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
bar.example.com. IN A
SECTION ANSWER
bar.example.com. IN CNAME www.example.com.
-bar.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFAsalUJJSV86uPlfiGS3kKDc0JB7AhQ+qmHqagY/r36Re/J3Q1OfvcA1dA== ;{id = 2854}
+bar.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AKA7eO4DAGPB8vg/OdBLk41/2txpklOJrszT8Gvp+UOVSLYtddNGz+k=
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
-REPLY QR RD RA SERVFAIL
+REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
+www.example.com. 3600 IN CNAME foo.example.com.
+foo.example.com. 3600 IN CNAME bar.example.com.
+bar.example.com. 3600 IN CNAME www.example.com.
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
if(verbosity >= VERB_ALGO)
log_dns_msg("chased extract", &vq->qchase,
vq->chase_reply);
+ /* we skipped cnames, and now the reply is empty, is this
+ * a CNAME loop? */
+ if(vq->rrset_skip > 0 && vq->chase_reply->rrset_count == 0) {
+ if(reply_find_rrset_section_an(vq->orig_msg->rep,
+ lookup_name, lookup_len, LDNS_RR_TYPE_CNAME,
+ vq->qchase.qclass)) {
+ if(anchor) {
+ lock_basic_unlock(&anchor->lock);
+ }
+ verbose(VERB_ALGO, "validator: encountered "
+ "CNAME loop - terminating");
+ vq->chase_reply->security = vq->orig_msg->rep->security;
+ vq->state = VAL_FINISHED_STATE;
+ return 1;
+ }
+ }
}
vq->key_entry = key_cache_obtain(ve->kcache, lookup_name, lookup_len,
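Review bot: The early return copies `vq->orig_msg->rep->security` into the empty chase reply, so the loop result inherits whatever status the message holds at that moment; the hunk does not show where that field was last written, so please confirm it reflects only the RRsets already validated and cannot still hold a pre-validation default. A comment on that line would help, e.g. `/* partial chain: report the validation status reached before the loop closed */`. The updated fixtures visible here expect AD on two signed loops and plain NOERROR on a third, but none covers a loop in which one CNAME carries a bad signature. A case asserting that such a loop never comes back with AD would pin the fail-closed behaviour. The enclosing function starts and ends outside the hunk.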