From: Mark Andrews
Date: Sat, 15 Oct 2011 05:00:15 +0000 (+0000)
Subject: 3173. [port] Correctly validate root DS responses. [RT #25726]
X-Git-Tag: v9.9.0b1~2^3~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=020c4484fe510434c1b3aaac040ab6cfb3340115;p=thirdparty%2Fbind9.git
3173. [port] Correctly validate root DS responses. [RT #25726]
---
diff --git a/CHANGES b/CHANGES
index 5b30554e2d9..5796340c84a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3173. [port] Correctly validate root DS responses. [RT #25726]
+
 3172. [port] darwin 10.* and freebsd [89] are now built threaded by default.
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 1d8c5c524e3..605cd54842a 100644
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.34 2011/07/26 04:42:20 marka Exp $
+# $Id: tests.sh,v 1.35 2011/10/15 05:00:15 marka Exp $
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -700,7 +700,8 @@ status=`expr $status + $ret`
 echo "I:checking that revoked key is present ($n)"
 ret=0
 id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key`
-id=`expr $id + 128 % 65536`
+id=`expr $id + 128`
+[ $id -gt 65535 ] && id=`expr $id % 65536 + 1`
 $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
 n=`expr $n + 1`
@@ -710,7 +711,8 @@ status=`expr $status + $ret`
 echo "I:checking that revoked key self-signs ($n)"
 ret=0
 id=`sed 's/^K.+007+0*\([0-9]\)/\1/' < rev.key`
-id=`expr $id + 128 % 65536`
+id=`expr $id + 128`
+[ $id -gt 65535 ] && id=`expr $id % 65536 + 1`
 $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
 n=`expr $n + 1`
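Review bot: The `+ 1` in the new `% 65536 + 1` wrap-around line is the non-obvious part of the fix and carries no comment: adding 128 models the REVOKE bit (0x80) being set in the flags word, which is the first 16-bit word the key-tag sum covers, and when that sum carries out of 16 bits the RFC 4034 Appendix B algorithm folds the carry back into the low word, which is where the extra 1 comes from. A comment above the line such as `# REVOKE sets 0x80 in the flags word, so the tag grows by 128; a carry out of 16 bits is folded back in (RFC 4034 App. B), hence "+ 1"` would save the next reader that derivation. The same two lines are repeated in the @@ -710,7 +711,8 hunk below; a small shell function computing the revoked tag from the key-file name would keep both copies in step. Note also that `[ $id -gt 65535 ] && ...` leaves the exit status at 1 whenever the wrap is not needed, which is harmless here but would abort the script if it were ever run under `set -e`.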
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 5dd4e01f86d..8e7c65e4d29 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.97 2011/10/11 19:26:06 each Exp $
+# $Id: tests.sh,v 1.98 2011/10/15 05:00:15 marka Exp $
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -1236,6 +1236,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+echo "I:checking that root DS queries validate ($n)"
+ret=0
+$DIG $DIGOPTS +noauth . @10.53.0.1 ds > dig.out.ns1.test$n || ret=1
+$DIG $DIGOPTS +noauth . @10.53.0.4 ds > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
 ret=0
 $DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns2.test$n || ret=1
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 35928a6f75f..4049b1ccab1 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
-/* $Id: validator.c,v 1.204 2011/06/08 22:13:51 each Exp $ */
+/* $Id: validator.c,v 1.205 2011/10/15 05:00:15 marka Exp $ */
 #include 
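Review bot: The new block starting at `echo "I:checking that root DS queries validate ($n)"` does not record what answer it expects to validate: "." has no parent, so the DS query presumably yields a NOERROR/NODATA response, and what ns4 must validate is the NSEC proof of that absence rather than a DS RRset, which is the case the lib/dns/validator.c change in this commit (atparent left unset when validating ".") handles. A comment above the test, e.g. `# "." has no DS; the validator must accept the NSEC proof of the NODATA answer`, would tie the test to the code it exercises. The `grep "status: NOERROR"` check would also pass on a positive answer, so an additional `grep "ANSWER: 0"` (or whatever shape the file's neighbouring nodata checks use) would pin the expected response; the response shape here is inferred from the validator change rather than from any output shown in the hunk.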
@@ -846,7 +846,7 @@ cnamevalidated(isc_task_t *task, isc_event_t *event) {
  * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
  */
 static isc_result_t
-nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
+nsecnoexistnodata(dns_validator_t *val, dns_name_t *name, dns_name_t *nsecname,
 dns_rdataset_t *nsecset, isc_boolean_t *exists,
 isc_boolean_t *data, dns_name_t *wild)
 {
@@ -887,9 +887,11 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
 if (order == 0) {
 /*
- * The names are the same.
+ * The names are the same. If we are validating "."
+ * then atparent should not be set as there is no parent.
 */
- atparent = dns_rdatatype_atparent(val->event->type);
+ atparent = (olabels != 1) && dns_rdatatype_atparent(val->event->type);
 ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
 soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
 if (ns && !soa) {