From: Evan Hunt Date: Fri, 8 Jun 2018 18:14:14 +0000 (-0700) Subject: ensure we try to validate glue records so RRSIG TTLs will be capped X-Git-Tag: v9.11.4rc1~6^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a00ce2e7751120a3a3b422a01698d7549f9307f;p=thirdparty%2Fbind9.git ensure we try to validate glue records so RRSIG TTLs will be capped --- diff --git a/CHANGES b/CHANGES index 3ba3146f7b0..fd579f15824 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4968. [bug] If glue records are signed, attempt to validate them. + [GL #209] + 4966. [func] Add the ability to not return a DNS COOKIE option when one is present in the request (answer-cookie no;). [GL #173] diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h index 52dc218d038..31425cfec98 100644 --- a/bin/named/bind9.xsl.h +++ b/bin/named/bind9.xsl.h @@ -5,11 +5,14 @@ static char xslmsg[] = "\n" "\n" "\n" "\n" diff --git a/bin/named/query.c b/bin/named/query.c index 5d53cda504e..accbf3b24d7 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -1632,18 +1632,18 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (additionaltype == dns_rdatasetadditional_fromcache && (DNS_TRUST_PENDING(rdataset->trust) || - DNS_TRUST_GLUE(rdataset->trust)) && - !validate(client, db, fname, rdataset, sigrdataset)) + DNS_TRUST_GLUE(rdataset->trust))) { - invalid = ISC_TRUE; + /* validate() may change rdataset->trust */ + invalid = ISC_TF(!validate(client, db, fname, + rdataset, + sigrdataset)); } - if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); - /* treat as if not found */ } else if (!query_isduplicate(client, fname, dns_rdatatype_a, &mname)) { 
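Review bot: The `/* treat as if not found */` comment is removed from the disassociate branch without a replacement, so the reader no longer sees why a still-pending rdataset whose validate() call failed is discarded; keeping it, or a one-liner such as `/* validation failed and trust is still pending: drop it as if unanswered */`, would preserve that intent. Since the branch keys only on DNS_TRUST_PENDING, a glue rdataset that fails validate() and (presumably) keeps its glue trust is still added to the additional section — that looks intended, since the goal is to obtain its RRSIG-capped TTL rather than drop it, but a comment on the `if (invalid && DNS_TRUST_PENDING(rdataset->trust))` line stating so would make it explicit. The hunk at 1709 is the same change and would benefit from the same comments. query_addadditional begins before and continues after this hunk.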
@@ -1709,18 +1709,18 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (additionaltype == dns_rdatasetadditional_fromcache && (DNS_TRUST_PENDING(rdataset->trust) || - DNS_TRUST_GLUE(rdataset->trust)) && - !validate(client, db, fname, rdataset, sigrdataset)) + DNS_TRUST_GLUE(rdataset->trust))) { - invalid = ISC_TRUE; + /* validate() may change rdataset->trust */ + invalid = ISC_TF(!validate(client, db, fname, + rdataset, + sigrdataset)); } - if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); - /* treat as if not found */ } else if (!query_isduplicate(client, fname, dns_rdatatype_aaaa, &mname)) { @@ -2185,10 +2185,10 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (result == ISC_R_SUCCESS && additionaltype == dns_rdatasetadditional_fromcache && (DNS_TRUST_PENDING(rdataset->trust) || - DNS_TRUST_GLUE(rdataset->trust)) && - !validate(client, db, fname, rdataset, sigrdataset)) + DNS_TRUST_GLUE(rdataset->trust))) { - invalid = ISC_TRUE; + invalid = ISC_TF(!validate(client, db, fname, + rdataset, sigrdataset)); } if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { dns_rdataset_disassociate(rdataset); @@ -2233,10 +2233,10 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (result == ISC_R_SUCCESS && additionaltype == dns_rdatasetadditional_fromcache && (DNS_TRUST_PENDING(rdataset->trust) || - DNS_TRUST_GLUE(rdataset->trust)) && - !validate(client, db, fname, rdataset, sigrdataset)) + DNS_TRUST_GLUE(rdataset->trust))) { - invalid = ISC_TRUE; + invalid = ISC_TF(!validate(client, db, fname, + rdataset, sigrdataset)); } if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { dns_rdataset_disassociate(rdataset); diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 7431351e4bf..bb2315fbf36 100644 
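Review bot: The restructured validate() call in query_addadditional2 at 2185, and again at 2233, omits the `/* validate() may change rdataset->trust */` comment that the identical change carries at 1632 and 1709, so the reason `DNS_TRUST_PENDING(rdataset->trust)` is re-checked after the call is documented in only one of the two functions; add the same comment above `invalid = ISC_TF(!validate(client, db, fname,`. The four blocks now have the same shape, and a shared static helper would keep them from diverging again, though that is beyond this fix. query_addadditional2 starts before and continues after this hunk.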
--- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -18,6 +18,7 @@ n=1 rm -f dig.out.* DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" +ADDITIONALOPTS="+noall +additional +dnssec -p ${PORT}" ANSWEROPTS="+noall +answer +dnssec -p ${PORT}" DELVOPTS="-a ns1/trusted.conf -p ${PORT}" RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" @@ -2780,12 +2781,30 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section ($n)" +echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)" ret=0 $RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i sleep 1 -$DIG $ANSWEROPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n -$DIG $ANSWEROPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +$DIG $ADDITIONALOPTS +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n +$DIG $ADDITIONALOPTS expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n +ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` +ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` +for ttl in ${ttls:-300}; do + [ ${ttl:-0} -eq 300 ] || ret=1 +done +for ttl in ${ttls2:-0}; do + [ ${ttl:-0} -le 60 ] || ret=1 +done +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)" +ret=0 +$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +sleep 1 +$DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n +$DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` for ttl in ${ttls:-300}; do 
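Review bot: The new TTL-cap check for the second query passes vacuously when the additional section comes back empty, because `for ttl in ${ttls2:-0}` substitutes 0 and `[ ${ttl:-0} -le 60 ]` then holds, so a regression that drops the glue altogether would not be caught. Add `[ -n "$ttls2" ] || ret=1` before that loop, and `[ -n "$ttls" ] || ret=1` before the first one, in both the NS and MX cases added here. The same pattern remains in the pre-existing checks at 2842 and 2858, which this commit only retargets to ADDITIONALOPTS.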
@@ -2842,8 +2861,8 @@ sleep 3 echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)" ret=0 $RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i -$DIG $ANSWEROPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n -$DIG $ANSWEROPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +$DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n +$DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` for ttl in ${ttls:-300}; do @@ -2858,9 +2877,9 @@ status=`expr $status + $ret` echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with acache off; ($n)" ret=0 -$RNDCCMD 10.53.0.4 flush -$DIG $DIGOPTS +noall +additional +dnssec +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n -$DIG $DIGOPTS +noall +additional +dnssec expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n +$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i +$DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n +$DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` for ttl in ${ttls:-300}; do diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 79c4d655985..6a24305ed2f 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -9831,7 +9831,7 @@ zone_refreshkeys(dns_zone_t *zone) { */ #ifdef ENABLE_AFL - if (dns_fuzzing_resolver == ISC_FALSE) { + if (dns_fuzzing_resolver == ISC_FALSE) { #endif result = dns_resolver_createfetch(zone->view->resolver, kname, dns_rdatatype_dnskey, @@ -9845,9 +9845,9 @@ zone_refreshkeys(dns_zone_t *zone) { &kfetch->dnskeysigset, &kfetch->fetch); #ifdef ENABLE_AFL - } else { - result = ISC_R_FAILURE; - } + } else { + result = ISC_R_FAILURE; + } #endif if (result == ISC_R_SUCCESS) fetching = ISC_TRUE; 
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c index 540cc981aeb..acfa036760b 100644 --- a/lib/isccfg/parser.c +++ b/lib/isccfg/parser.c @@ -636,8 +636,8 @@ cfg_parse_buffer3(cfg_parser_t *pctx, isc_buffer_t *buffer, isc_result_t cfg_parse_buffer4(cfg_parser_t *pctx, isc_buffer_t *buffer, - const char *file, unsigned int line, - const cfg_type_t *type, unsigned int flags, + const char *file, unsigned int line, + const cfg_type_t *type, unsigned int flags, cfg_obj_t **ret) { isc_result_t result; @@ -1728,19 +1728,19 @@ cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) (clause->flags & CFG_CLAUSEFLAG_DEPRECATED) != 0) { cfg_parser_warning(pctx, 0, "option '%s' is deprecated", - clause->name); + clause->name); } if ((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) { cfg_parser_warning(pctx, 0, "option '%s' is obsolete", - clause->name); + clause->name); } if ((clause->flags & CFG_CLAUSEFLAG_NOTIMP) != 0) { cfg_parser_warning(pctx, 0, "option '%s' is " - "not implemented", clause->name); + "not implemented", clause->name); } if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) { cfg_parser_warning(pctx, 0, "option '%s' is " - "not implemented", clause->name); + "not implemented", clause->name); } if ((clause->flags & CFG_CLAUSEFLAG_NOOP) != 0) { cfg_parser_warning(pctx, 0, "option '%s' was not "