4580. [bug] 4578 introduced a regression when handling CNAME to
authorMark Andrews <marka@isc.org>
Tue, 14 Mar 2017 04:07:00 +0000 (15:07 +1100)
committerMark Andrews <marka@isc.org>
Tue, 14 Mar 2017 04:19:04 +0000 (15:19 +1100)
                        referral below the current domain. [RT #44850]

(cherry picked from commit 638c7c635ddab0b717a675f49b1180dbf8ef803e)

CHANGES
lib/dns/api
lib/dns/resolver.c
version

diff --git a/CHANGES b/CHANGES
index 82ffab5c8472275444f7a7dbf03bc4b37864723c..12d0ebe3adcc9c33f0d6f50998b0275925904051 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+       --- 9.9.9-P8 released ---
+
+4580.  [bug]           4578 introduced a regression when handling CNAME to
+                       referral below the current domain. [RT #44850]
+
        --- 9.9.9-P7 released ---
 
 4578.  [security]      Some chaining (CNAME or DNAME) responses to upstream
index 272e0e1797951a34066cbfc3cce31829f637e0c3..769d234bdcf044a91f8da2115e559643d4b50e0b 100644 (file)
@@ -7,5 +7,5 @@
 # 9.10: 140-149
 # 9.11: 160-169
 LIBINTERFACE = 172
-LIBREVISION = 6
+LIBREVISION = 7
 LIBAGE = 0
index 3d54ce38cf40b814a0e0a061c7d419471150efb5..fbcc88b10efead16be8a52f0874fa4d5cb69b454 100644 (file)
@@ -5875,7 +5875,7 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
 
 static isc_boolean_t
 is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
-                       dns_rdataset_t *rdataset)
+                       dns_rdataset_t *rdataset, isc_boolean_t *chainingp)
 {
        isc_result_t result;
        dns_rbtnode_t *node = NULL;
@@ -5896,8 +5896,11 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
        REQUIRE(rdataset->type == dns_rdatatype_cname ||
                rdataset->type == dns_rdatatype_dname);
 
-       /* By default, we allow any target name. */
-       if (view->denyanswernames == NULL)
+       /*
+        * By default, we allow any target name.
+        * If newqname != NULL we also need to extract the newqname.
+        */
+       if (chainingp == NULL && view->denyanswernames == NULL)
                return (ISC_TRUE);
 
        result = dns_rdataset_first(rdataset);
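Review bot: The rewritten comment above the early return refers to `newqname`, but no such name appears in the visible lines of this function; the parameter this commit adds is `chainingp`. As written, the comment does not explain why a non-NULL `chainingp` has to bypass the shortcut. I would word its second sentence as `* If chainingp != NULL we still have to parse the target so that *chainingp can be set.` and add a line to the function's header comment saying that `chainingp` is an optional out-parameter, written with ISC_TRUE after the target name has been built. The body of is_answertarget_allowed starts and ends outside this hunk.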
@@ -5920,7 +5923,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
                dns_name_split(qname, nlabels, &prefix, NULL);
                result = dns_name_concatenate(&prefix, &dname.dname, tname,
                                              NULL);
-               if (result == ISC_R_NOSPACE)
+               if (result == DNS_R_NAMETOOLONG)
                        return (ISC_TRUE);
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
                break;
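Review bot: The `DNS_R_NAMETOOLONG` early return leaves `*chainingp` unwritten, because the assignment this commit adds sits after the switch. The removed `chaining = ISC_TRUE;` in answer_response appears to have belonged to the DNAME branch, which now relies on the out-parameter alone, so a DNAME whose substituted name is too long returns ISC_TRUE with `chaining` at whatever value it held before the call. If that is intended, a comment on this return should say so; if not, add `if (chainingp != NULL) *chainingp = ISC_TRUE;` ahead of `return (ISC_TRUE);`. Any other return between the rdataset parse and the end of the switch lies outside this hunk and deserves the same check.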
@@ -5928,6 +5931,12 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
                INSIST(0);
        }
 
+       if (chainingp != NULL)
+               *chainingp = ISC_TRUE;
+
+       if (view->denyanswernames == NULL)
+               return (ISC_TRUE);
+
        /*
         * If the owner name matches one in the exclusion list, either exactly
         * or partially, allow it.
@@ -6621,7 +6630,7 @@ answer_response(fetchctx_t *fctx) {
                        if ((rdataset->type == dns_rdatatype_cname ||
                             rdataset->type == dns_rdatatype_dname) &&
                             !is_answertarget_allowed(fctx, qname, aname,
-                                                     rdataset))
+                                                     rdataset, NULL))
                        {
                                return (DNS_R_SERVFAIL);
                        }
@@ -6644,7 +6653,9 @@ answer_response(fetchctx_t *fctx) {
                }
                if ((ardataset->type == dns_rdatatype_cname ||
                     ardataset->type == dns_rdatatype_dname) &&
-                    !is_answertarget_allowed(fctx, qname, aname, ardataset)) {
+                    !is_answertarget_allowed(fctx, qname, aname, ardataset,
+                                             NULL))
+               {
                        return (DNS_R_SERVFAIL);
                }
                aname->attributes |= DNS_NAMEATTR_CACHE;
@@ -6679,7 +6690,9 @@ answer_response(fetchctx_t *fctx) {
                        log_formerr(fctx, "CNAME response for %s RR", buf);
                        return (DNS_R_FORMERR);
                }
-               if (!is_answertarget_allowed(fctx, qname, cname, crdataset)) {
+               if (!is_answertarget_allowed(fctx, qname, cname, crdataset,
+                                            NULL))
+               {
                        return (DNS_R_SERVFAIL);
                }
                cname->attributes |= DNS_NAMEATTR_CACHE;
@@ -6711,7 +6724,8 @@ answer_response(fetchctx_t *fctx) {
                if (!validinanswer(drdataset, fctx)) {
                        return (DNS_R_FORMERR);
                }
-               if (!is_answertarget_allowed(fctx, qname, dname, drdataset)) {
+               if (!is_answertarget_allowed(fctx, qname, dname, drdataset,
+                                            &chaining)) {
                        return (DNS_R_SERVFAIL);
                }
                dname->attributes |= DNS_NAMEATTR_CACHE;
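Review bot: The opening brace stays on the continuation line at this call (`&chaining)) {`), while the other `is_answertarget_allowed()` call sites wrapped in this commit put it on a line of its own after the wrapped condition. Moving `{` to its own line here as well keeps the wrapped checks in answer_response consistent and makes the one call that passes a real out-parameter easier to spot.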
@@ -6738,7 +6752,6 @@ answer_response(fetchctx_t *fctx) {
                        sigrdataset->trust = trust;
                        break;
                }
-               chaining = ISC_TRUE;
        } else {
                log_formerr(fctx, "reply has no answer");
                return (DNS_R_FORMERR);
@@ -6753,13 +6766,7 @@ answer_response(fetchctx_t *fctx) {
         * Did chaining end before we got the final answer?
         */
        if (chaining) {
-               /*
-                * Yes.  This may be a negative reply, so hand off
-                * authority section processing to the noanswer code.
-                * If it isn't a noanswer response, no harm will be
-                * done.
-                */
-               return (noanswer_response(fctx, qname, 0));
+               return (ISC_R_SUCCESS);
        }
 
        /*
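Review bot: The question comment `Did chaining end before we got the final answer?` is left without an answer now that the explanatory block is deleted, and the bare `return (ISC_R_SUCCESS);` does not say that authority-section processing is skipped on purpose. The removed text asserted that handing off to noanswer_response() did no harm, and the CHANGES entry for 4580 reports a regression for a CNAME to a referral below the current domain, so presumably that hand-off was the cause and the reason should be recorded where the next maintainer will look. A comment such as `/* Yes. Do not hand the authority section to noanswer_response(); see change 4580. */` above the return would do. The body of answer_response extends beyond this hunk.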
diff --git a/version b/version
index 93af5f087e1036e5935aeb394eec132a404109c4..59ce7f18090d01f2d7c9e2a5218003a87d597508 100644 (file)
--- a/version
+++ b/version
@@ -7,5 +7,5 @@ MAJORVER=9
 MINORVER=9
 PATCHVER=9
 RELEASETYPE=-P
-RELEASEVER=7
+RELEASEVER=8
 EXTENSIONS=