4587. [bug] named-checkzone failed to handle occulted data below
authorMark Andrews <marka@isc.org>
Thu, 20 Apr 2017 03:28:48 +0000 (13:28 +1000)
committerMark Andrews <marka@isc.org>
Thu, 20 Apr 2017 03:28:48 +0000 (13:28 +1000)
                        DNAMEs correctly. [RT #44877]

CHANGES
bin/tests/system/checkzone/tests.sh
bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db [new file with mode: 0644]
bin/tests/system/checkzone/zones/ns-address-below-dname.db [new file with mode: 0644]
lib/dns/zone.c

diff --git a/CHANGES b/CHANGES
index e9a50b55ed13b6e04b1936ded812456220ed7e02..3608b29ccf917a1f3dd1bd65b6d062831b287a84 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4587.  [bug]           named-checkzone failed to handle occulted data below
+                       DNAMEs correctly. [RT #44877]
+
 4586.  [func]          dig, host and nslookup now use TCP for ANY queries.
                        [RT #44687]
 
index 34401750afa7d90adcc911c5bc45d8ca4dc826f1..125626d20a1025ea61f3de375aff89d65ffa7952 100644 (file)
@@ -162,5 +162,21 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking that nameserver below DNAME is reported even with occulted address record present ($n)"
+ret=0
+$CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1
+grep "is below a DNAME" test.out.$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)"
+ret=0
+$CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1
+grep "is below a DNAME" test.out.$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1
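Review bot: The two added cases differ only in `&& ret=1` versus `|| ret=1` after the `$CHECKZONE` call, so the expected exit status of each zone is easy to misread or to "fix" by accident. A one-line comment above each would pin the intent, for example `# zone must be rejected: the apex NS target is below the apex DNAME` and `# zone must still load; the delegation's nameserver below the DNAME is only reported`. The wording of the second comment is inferred from the test requiring both exit status 0 and the "is below a DNAME" message, so adjust it if the message is not a warning.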
diff --git a/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db b/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
new file mode 100644 (file)
index 0000000..ec13ffa
--- /dev/null
@@ -0,0 +1,13 @@
+$TTL 300
+example.com.           SOA     marka.isc.org. a.root.servers.nil. (
+                               2026    ; serial
+                               600     ; refresh
+                               600     ; retry
+                               1200    ; expire
+                               600     ; minimum
+                               )
+example.com.            NS     ns.example.com.
+ns.example.com.                A       192.168.0.2
+sub.example.com.        NS      ns.sub2.example.com.
+sub2.example.com.       DNAME   example.net.
+ns.sub2.example.com.   A       192.168.0.2
diff --git a/bin/tests/system/checkzone/zones/ns-address-below-dname.db b/bin/tests/system/checkzone/zones/ns-address-below-dname.db
new file mode 100644 (file)
index 0000000..b6d7c41
--- /dev/null
@@ -0,0 +1,11 @@
+$TTL 300
+example.com.           SOA     marka.isc.org. a.root.servers.nil. (
+                               2026    ; serial
+                               600     ; refresh
+                               600     ; retry
+                               1200    ; expire
+                               600     ; minimum
+                               )
+example.com.           DNAME   example.net.
+example.com.           NS      ns.example.com
+ns.example.com.                A       192.168.0.2
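Review bot: The NS target in `example.com.           NS      ns.example.com` has no trailing dot, so with the origin `example.com` passed by tests.sh it expands to `ns.example.com.example.com.` rather than the owner of the A record on the next line. The test description says the occulted address record is present for the nameserver, which this zone then does not seem to exercise. If that is unintended the line should read `example.com.           NS      ns.example.com.`. If the relative name is deliberate, a `;` comment saying so would stop a later cleanup from changing what the test covers.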
index e503039b81282103f7dacb091fed07854d1f1dfa..f477efc7650a9927c61217aaed6bf9db0a9cea05 100644 (file)
@@ -2702,10 +2702,24 @@ zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
        dns_rdataset_init(&a);
        dns_rdataset_init(&aaaa);
 
+       /*
+        * Perform a regular lookup to catch DNAME records then look
+        * for glue.
+        */
        result = dns_db_find(db, name, NULL, dns_rdatatype_a,
-                            DNS_DBFIND_GLUEOK, 0, NULL,
-                            foundname, &a, NULL);
-
+                            0, 0, NULL, foundname, &a, NULL);
+       switch (result) {
+       case ISC_R_SUCCESS:
+       case DNS_R_DNAME:
+       case DNS_R_CNAME:
+               break;
+       default:
+               if (dns_rdataset_isassociated(&a))
+                       dns_rdataset_disassociate(&a);
+               result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+                                    DNS_DBFIND_GLUEOK, 0, NULL,
+                                    foundname, &a, NULL);
+       }
        if (result == ISC_R_SUCCESS) {
                dns_rdataset_disassociate(&a);
                return (ISC_TRUE);
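Review bot: When the first `dns_db_find()` returns `DNS_R_DNAME` or `DNS_R_CNAME` the switch breaks with `a` possibly still associated, and the visible lines release it only for `ISC_R_SUCCESS`. The release for those two results therefore has to happen in the part of `zone_check_glue` outside this hunk, which is worth confirming, since a rdataset left associated here is the kind of thing that trips an assertion or leaks a reference. The later hunk adds `DNS_R_DNAME` to the `aaaa` disassociate test but not `DNS_R_CNAME`, so the A and AAAA paths are not handled alike and the reason should be stated. I would end the `default:` arm with `break;` and extend the comment along the lines of `/* Keep a DNAME/CNAME result so occluded glue cannot mask it; 'a' is released later in this function. */`, adjusted to what the rest of the function really does.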
@@ -2723,7 +2737,7 @@ zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
                        dns_rdataset_disassociate(&aaaa);
                        return (ISC_TRUE);
                }
-               if (tresult == DNS_R_DELEGATION)
+               if (tresult == DNS_R_DELEGATION || tresult == DNS_R_DNAME)
                        dns_rdataset_disassociate(&aaaa);
                if (result == DNS_R_GLUE || tresult == DNS_R_GLUE) {
                        /*