2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
authorEvan Hunt <each@isc.org>
Wed, 30 Dec 2009 06:46:58 +0000 (06:46 +0000)
committerEvan Hunt <each@isc.org>
Wed, 30 Dec 2009 06:46:58 +0000 (06:46 +0000)
CHANGES
lib/dns/include/dns/ncache.h
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index 1c99810845cb591516fd341042534ce2c541a073..4310ac811670623b1c2010f2f2f851a282c6413f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2827.  [security]      Bogus NXDOMAIN could be cached as if valid. [RT #20712]
+
 2826.  [bug]           NSEC3->NSEC transitions could fail due to a lock not
                        being released.  [RT #20740]
 
index a818fe63cce54782484c659af369e99dca0e156a..4ab32c8c8d43ca4e26cb5231c2ea4a88815dfe20 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.h,v 1.25 2008/09/25 04:02:39 tbox Exp $ */
+/* $Id: ncache.h,v 1.26 2009/12/30 06:46:58 each Exp $ */
 
 #ifndef DNS_NCACHE_H
 #define DNS_NCACHE_H 1
@@ -76,7 +76,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
  * The 'covers' argument is the RR type whose nonexistence we are caching,
  * or dns_rdatatype_any when caching a NXDOMAIN response.
  *
- * 'optout' indicates a DNS_RATASETATTR_OPTOUT should be set.
+ * 'optout' indicates a DNS_RDATASETATTR_OPTOUT should be set.
  *
  * Note:
  *\li  If 'addedrdataset' is not NULL, then it will be attached to the added
index 2fd0bc1c8638cf4c66d5620b26e940aa21828af3..027e23605be34dc59972cb25fb82479d0aba3faa 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.182 2009/11/17 23:55:18 marka Exp $ */
+/* $Id: validator.c,v 1.183 2009/12/30 06:46:58 each Exp $ */
 
 #include <config.h>
 
@@ -3276,20 +3276,20 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
        if (val->havedlvsep)
                dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
        else {
+               unsigned int labels;
                dns_name_copy(val->event->name, secroot, NULL);
                /*
                 * If this is a response to a DS query, we need to look in
                 * the parent zone for the trust anchor.
                 */
-               if (val->event->type == dns_rdatatype_ds &&
-                   dns_name_countlabels(secroot) > 1U)
-                       dns_name_split(secroot, 1, NULL, secroot);
+
+               labels = dns_name_countlabels(secroot);
+               if (val->event->type == dns_rdatatype_ds && labels > 1U)
+                       dns_name_getlabelsequence(secroot, 1, labels - 1,
+                                                 secroot);
                result = dns_keytable_finddeepestmatch(val->keytable,
                                                       secroot, secroot);
-
                if (result == ISC_R_NOTFOUND) {
-                       validator_log(val, ISC_LOG_DEBUG(3),
-                                     "not beneath secure root");
                        if (val->mustbesecure) {
                                validator_log(val, ISC_LOG_WARNING,
                                              "must be secure failure, "
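Review bot: Removing the `"not beneath secure root"` DEBUG(3) message from the ISC_R_NOTFOUND branch leaves that path silent unless `mustbesecure` is set, so an operator tracing why a name was treated as insecure no longer sees the decision point; unless the message has been relocated further down (the rest of this branch lies outside the hunk), I would keep the one-liner `validator_log(val, ISC_LOG_DEBUG(3), "not beneath secure root");` right after the `if (result == ISC_R_NOTFOUND) {` line. The replacement of dns_name_split() by `dns_name_getlabelsequence(secroot, 1, labels - 1, secroot)` appears behaviour-preserving as far as this hunk shows, and the `labels > 1U` guard is what keeps `labels - 1` from wrapping and from stripping the root label, which is worth stating in the comment above it, e.g. `/* Drop the leftmost label in place: a DS lives in the parent zone, so the trust-anchor search must start there. */`. The enclosing function proveunsecure() starts before and continues after this hunk.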