From: Ondřej Surý
Date: Thu, 7 Aug 2025 06:08:24 +0000 (+0200)
Subject: Disallow TYPE0 to be queried or inserted into the database
X-Git-Tag: v9.21.12~44^2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=76c027e949bdc94ee37f8f6bbe8eea787b9e2355;p=thirdparty%2Fbind9.git

Disallow TYPE0 to be queried or inserted into the database

The RR type 0 is a reserved type for SIG[1] resource record. It should not be ever inserted into the database nor queried. Add a special handling to bail out quickly with DNS_R_DISALLOWED when inserting and ISC_R_NOTFOUND when looking up TYPE0. This is also prerequisite for stricter checks in the follow-up commit.
1. https://www.rfc-editor.org/rfc/rfc2535#section-4.1.8.1
---
diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c
index 0f10245aa4c..c6ebb0a575d 100644
--- a/lib/dns/qpcache.c
+++ b/lib/dns/qpcache.c
@@ -2066,7 +2066,7 @@ qpcache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 dns_slabheader_t *header_prev = NULL, *header_next = NULL;
 dns_slabheader_t *found = NULL, *foundsig = NULL;
 dns_typepair_t typepair, sigpair, negpair;
- isc_result_t result;
+ isc_result_t result = ISC_R_SUCCESS;
 isc_rwlock_t *nlock = NULL;
 isc_rwlocktype_t nlocktype = isc_rwlocktype_none;
 qpc_search_t search = (qpc_search_t){
@@ -2078,7 +2078,9 @@ qpcache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 REQUIRE(version == NULL);
 REQUIRE(type != dns_rdatatype_any);
- result = ISC_R_SUCCESS;
+ if (type == dns_rdatatype_none && covers == dns_rdatatype_none) {
+ return ISC_R_NOTFOUND;
+ }
 nlock = &qpdb->buckets[qpnode->locknum].lock;
 NODE_RDLOCK(nlock, &nlocktype);
diff --git a/lib/dns/qpzone.c b/lib/dns/qpzone.c
index 8253d21dde5..59f80a51131 100644
--- a/lib/dns/qpzone.c
+++ b/lib/dns/qpzone.c
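Review bot: The TYPE0 guard added to qpcache_findrdataset() (lib/dns/qpcache.c, second hunk) has no comment, and the same predicate is repeated in qpzone_findrdataset() and dns_rdataslab_fromrdataset() in the later hunks, so the three copies can drift apart. Only the pair with both `type` and `covers` equal to `dns_rdatatype_none` is refused; the code does not say why a zero `type` with a non-zero `covers` must still pass, which presumably relates to how negative entries are keyed (the `negpair` variable in the first hunk hints at this) and is worth confirming and stating. I would add `/* TYPE0 is reserved (RFC 2535, section 4.1.8.1) and is never stored, so a lookup for it cannot succeed. */` above the `if`, and consider one shared inline helper for the test. The function body starts and ends outside the hunk.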
@@ -1631,6 +1631,10 @@ qpzone_findrdataset(dns_db_t *db, dns_dbnode_t *dbnode,
 REQUIRE(type != dns_rdatatype_any);
 INSIST(version == NULL || version->qpdb == qpdb);
+ if (type == dns_rdatatype_none && covers == dns_rdatatype_none) {
+ return ISC_R_NOTFOUND;
+ }
+
 if (version == NULL) {
 currentversion(db, (dns_dbversion_t **)&version);
 close_version = true;
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index 9f862422b93..c12c2904c46 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -341,6 +341,12 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 isc_region_t *region, uint32_t maxrrperset) {
 isc_result_t result;
+ if (rdataset->type == dns_rdatatype_none &&
+ rdataset->covers == dns_rdatatype_none)
+ {
+ return DNS_R_DISALLOWED;
+ }
+
 result = makeslab(rdataset, mctx, region, maxrrperset);
 if (result == ISC_R_SUCCESS) {
 dns_slabheader_t *new = (dns_slabheader_t *)region->base;
diff --git a/tests/dns/dbversion_test.c b/tests/dns/dbversion_test.c
index 4b011d12580..1a50335930f 100644
--- a/tests/dns/dbversion_test.c
+++ b/tests/dns/dbversion_test.c
@@ -277,15 +277,25 @@ ISC_RUN_TEST_IMPL(deleterdataset) {
 ISC_RUN_TEST_IMPL(subtract) {
 isc_result_t res;
 dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
 dns_rdatalist_t rdatalist;
 dns_dbnode_t *node = NULL;
+ char *txt = (char *)"\006text 1";
+ size_t len = strlen(txt);
- UNUSED(state);
+ rdata.rdclass = dns_rdataclass_in;
+ rdata.type = dns_rdatatype_txt;
+
+ rdata.length = len;
+ rdata.data = (unsigned char *)txt;
 dns_rdataset_init(&rdataset);
 dns_rdatalist_init(&rdatalist);
 rdatalist.rdclass = dns_rdataclass_in;
+ rdatalist.type = dns_rdatatype_txt;
+
+ ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
 dns_rdatalist_tordataset(&rdatalist, &rdataset);
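Review bot: dns_rdataslab_fromrdataset() in lib/dns/rdataslab.c gains a second failure result, `DNS_R_DISALLOWED`, that is not documented at the definition and is returned before makeslab() runs. Callers are outside this diff; any that assert success or treat every failure as an allocation error would misreport a rejected TYPE0 rdataset, so they should be checked. I would add `/* Refuse TYPE0 (reserved, RFC 2535 section 4.1.8.1); returns DNS_R_DISALLOWED before anything is written to *region. */` above the check and list the new result in the function's header documentation. The function continues past the end of the hunk.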
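Review bot: Nothing in tests/dns/dbversion_test.c asserts the new rejection itself: the subtract fixture in this hunk, and the addrdataset fixture in the next one, are only switched to a TXT record so that they keep passing. A case that builds an rdataset with `type` and `covers` both `dns_rdatatype_none` and expects `DNS_R_DISALLOWED` on insert and `ISC_R_NOTFOUND` on lookup would pin the guard and catch a later regression. If such a test arrives with the follow-up commit, a pointer in the commit message would help. The test body continues outside the hunk.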
@@ -316,15 +326,25 @@ ISC_RUN_TEST_IMPL(subtract) {
 ISC_RUN_TEST_IMPL(addrdataset) {
 isc_result_t res;
 dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
 dns_dbnode_t *node = NULL;
 dns_rdatalist_t rdatalist;
+ char *txt = (char *)"\006text 1";
+ size_t len = strlen(txt);
- UNUSED(state);
+ rdata.rdclass = dns_rdataclass_in;
+ rdata.type = dns_rdatatype_txt;
+
+ rdata.length = len;
+ rdata.data = (unsigned char *)txt;
 dns_rdataset_init(&rdataset);
 dns_rdatalist_init(&rdatalist);
 rdatalist.rdclass = dns_rdataclass_in;
+ rdatalist.type = dns_rdatatype_txt;
+
+ ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
 dns_rdatalist_tordataset(&rdatalist, &rdataset);
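Review bot: The TXT fixture in addrdataset is a verbatim copy of the one added to subtract, and it derives the wire length with `strlen()` after casting away the string literal's const. strlen() stops at the first zero byte, so the pattern breaks silently if it is later copied for rdata that contains one. Declaring `static unsigned char txt[] = "\006text 1";` and setting `rdata.length = sizeof(txt) - 1;` avoids both the casts and the scan, and a small helper shared by the two tests would remove the duplication. The test body continues outside the hunk.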