2066. [security] Handle SIG queries gracefully. [RT #16330]

diff --git a/CHANGES b/CHANGES
index 46e140891d91cf8dc8075b8d461e05f9fcf3a8e6..cb0d717a866c71201c4b7c6a85dd573e3e3cba3a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2066.  [security]      Handle SIG queries gracefully. [RT #16330]
+
        --- 9.3.2-WFB-3 released ---
 
 2035.  [func]          Make falling back to TCP on UDP refresh failure

diff --git a/bin/named/query.c b/bin/named/query.c
index 0f6410cd1ab69c6a39fd66d1ffc508c935f101bd..72c741430525929e85582596a62f6a24b9a31882 100644 (file)
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.198.2.13.4.36.4.3 2006/04/10 22:50:55 marka Exp $ */
+/* $Id: query.c,v 1.198.2.13.4.36.4.4 2006/08/03 23:07:37 marka Exp $ */
 
 #include <config.h>
 
@@ -2407,7 +2407,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
                is_zone = ISC_FALSE;
 
                qtype = event->qtype;
-               if (qtype == dns_rdatatype_rrsig)
+               if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
                        type = dns_rdatatype_any;
                else
                        type = qtype;
@@ -2448,7 +2448,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
        /*
         * If it's a SIG query, we'll iterate the node.
         */
-       if (qtype == dns_rdatatype_rrsig)
+       if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
                type = dns_rdatatype_any;
        else
                type = qtype;

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 12c68d2c4c0c04d3fcabdd8eae9fca0fdae3b86a..7c8c7758665a561b796fa2bd451c482e0654ceb0 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.218.2.18.4.56.2.1 2006/03/31 00:12:24 marka Exp $ */
+/* $Id: resolver.c,v 1.218.2.18.4.56.2.2 2006/08/03 23:07:37 marka Exp $ */
 
 #include <config.h>
 
@@ -762,7 +762,8 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
                INSIST(result != ISC_R_SUCCESS ||
                       dns_rdataset_isassociated(event->rdataset) ||
                       fctx->type == dns_rdatatype_any ||
-                      fctx->type == dns_rdatatype_rrsig);
+                      fctx->type == dns_rdatatype_rrsig ||
+                      fctx->type == dns_rdatatype_sig);
 
                isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
        }
@@ -3188,7 +3189,8 @@ validated(isc_task_t *task, isc_event_t *event) {
        if (hevent != NULL) {
                if (!negative && !chaining &&
                    (fctx->type == dns_rdatatype_any ||
-                    fctx->type == dns_rdatatype_rrsig)) {
+                    fctx->type == dns_rdatatype_rrsig ||
+                    fctx->type == dns_rdatatype_sig)) {
                        /*
                         * Don't bind rdatasets; the caller
                         * will iterate the node.
@@ -3306,7 +3308,8 @@ validated(isc_task_t *task, isc_event_t *event) {
        if (!ISC_LIST_EMPTY(fctx->validators)) {
                INSIST(!negative);
                INSIST(fctx->type == dns_rdatatype_any ||
-                      fctx->type == dns_rdatatype_rrsig);
+                      fctx->type == dns_rdatatype_rrsig ||
+                      fctx->type == dns_rdatatype_sig);
                /*
                 * Don't send a response yet - we have
                 * more rdatasets that still need to
@@ -3455,14 +3458,15 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                                return (result);
                        anodep = &event->node;
                        /*
-                        * If this is an ANY or SIG query, we're not going
-                        * to return any rdatasets, unless we encountered
+                        * If this is an ANY, SIG or RRSIG query, we're not
+                        * going to return any rdatasets, unless we encountered
                         * a CNAME or DNAME as "the answer".  In this case,
                         * we're going to return DNS_R_CNAME or DNS_R_DNAME
                         * and we must set up the rdatasets.
                         */
                        if ((fctx->type != dns_rdatatype_any &&
-                           fctx->type != dns_rdatatype_rrsig) ||
+                            fctx->type != dns_rdatatype_rrsig &&
+                            fctx->type != dns_rdatatype_sig) ||
                            (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
                                ardataset = event->rdataset;
                                asigrdataset = event->sigrdataset;
@@ -3521,7 +3525,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                 */
                if (secure_domain && rdataset->trust != dns_trust_glue) {
                        /*
-                        * SIGs are validated as part of validating the
+                        * RRSIGs are validated as part of validating the
                         * type they cover.
                         */
                        if (rdataset->type == dns_rdatatype_rrsig)
@@ -3591,7 +3595,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 
                        if (ANSWER(rdataset) && need_validation) {
                                if (fctx->type != dns_rdatatype_any &&
-                                   fctx->type != dns_rdatatype_rrsig) {
+                                   fctx->type != dns_rdatatype_rrsig &&
+                                   fctx->type != dns_rdatatype_sig) {
                                        /*
                                         * This is The Answer.  We will
                                         * validate it, but first we cache