From: Mark Andrews Date: Fri, 22 Aug 2014 06:32:19 +0000 (+1000) Subject: 3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917 X-Git-Tag: v9.8.8rc1~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=814a219f7ed4f7505e466f3d35cecc5c09df334c;p=thirdparty%2Fbind9.git 3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917 (cherry picked from commit 840d6a4614f6a561fc076d0797d144e9f28e06bc) --- diff --git a/CHANGES b/CHANGES index 48864d8cd1d..9eedc4622a7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917] + 3924. [bug] Improve 'rndc addzone' error reporting. [RT #35187] 3923. [bug] Sanity check the xml2-config output. [RT #22246] diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index 1b389ee1b00..8cf407ca3bc 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -25,6 +25,7 @@ rm -f ns2/private.secure.example.db rm -f ns2/badparam.db ns2/badparam.db.bad rm -f ns2/single-nsec3.db rm -f ns2/nsec3chain-test.db +rm -f ns2/in-addr.arpa.db rm -f */example.bk rm -f dig.out.* rm -f sample.out* diff --git a/bin/tests/system/dnssec/ns1/root.db.in b/bin/tests/system/dnssec/ns1/root.db.in index a00b69f409f..6efbef16742 100644 --- a/bin/tests/system/dnssec/ns1/root.db.in +++ b/bin/tests/system/dnssec/ns1/root.db.in @@ -34,3 +34,4 @@ algroll NS ns2.algroll ns2.algroll. A 10.53.0.2 optout-tld NS ns6.optout-tld. ns6.optout-tld. A 10.53.0.6 +in-addr.arpa. NS ns2.example. diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh index e5f2b2976bb..29fc26e06e8 100644 --- a/bin/tests/system/dnssec/ns1/sign.sh +++ b/bin/tests/system/dnssec/ns1/sign.sh @@ -28,6 +28,8 @@ zonefile=root.db cp ../ns2/dsset-example. . cp ../ns2/dsset-dlv. . +cp ../ns2/dsset-in-addr.arpa. . + grep "8 [12] " ../ns2/dsset-algroll. > dsset-algroll. cp ../ns6/dsset-optout-tld. . 
diff --git a/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in b/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in new file mode 100644 index 00000000000..d60b717ef1e --- /dev/null +++ b/bin/tests/system/dnssec/ns2/in-addr.arpa.db.in @@ -0,0 +1,8 @@ +$TTL 3600 +@ SOA ns2.example. . 1 3600 1200 86400 1200 +@ NS ns2.example. +; +; As we are testing empty zone behaviour ns3 doesn't need to be +; configured to serve 10.in-addr.arpa. +; +10 NS ns3.example. diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf index 9e44698aea0..9b9cfbcee11 100644 --- a/bin/tests/system/dnssec/ns2/named.conf +++ b/bin/tests/system/dnssec/ns2/named.conf @@ -102,4 +102,9 @@ zone "nsec3chain-test" { allow-update {any;}; }; +zone "in-addr.arpa" { + type master; + file "in-addr.arpa.db.signed"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index a7a3ac9fdf2..9c46092946c 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh @@ -88,6 +88,18 @@ tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" { { print; }' > $zonefile.signed++ && mv $zonefile.signed++ $zonefile.signed +# +# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned. +# +zone=in-addr.arpa. +infile=in-addr.arpa.db.in +zonefile=in-addr.arpa.db + +keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile +$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null # Sign the privately secure file diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index caa36d54548..326dd8968af 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
@@ -1520,6 +1520,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking that DS at a RFC 1918 empty zone lookup succeeds ($n)"
+ret=0
+$DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.6 >dig.out.ns6.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
+grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
 ret=0
 $DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
diff --git a/lib/dns/view.c b/lib/dns/view.c
index e0d5864967c..3c2f1306ac2 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -1198,6 +1198,7 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 dns_name_t *zfname;
 dns_rdataset_t zrdataset, zsigrdataset;
 dns_fixedname_t zfixedname;
+ unsigned int ztoptions = 0;
 
 #ifndef BIND9
 UNUSED(zone);
@@ -1224,9 +1225,12 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
 #ifdef BIND9
 zone = NULL;
 LOCK(&view->lock);
- if (view->zonetable != NULL)
- result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
- else
+ if (view->zonetable != NULL) {
+ if ((options & DNS_DBFIND_NOEXACT) != 0)
+ ztoptions |= DNS_ZTFIND_NOEXACT;
+ result = dns_zt_find(view->zonetable, name, ztoptions,
+ NULL, &zone);
+ } else
 result = ISC_R_NOTFOUND;
 if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
 result = dns_zone_getdb(zone, &db);
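Review bot: The new check only asserts that ns6's answer for `10.in-addr.arpa DS` matches ns2's and carries NOERROR; neither dig asks for DNSSEC data, so a resolver that returned the right DS answer without validating it would still pass. If ns6 is the validating resolver used by the neighbouring checks (I cannot see its named.conf here), querying both servers with `+dnssec` and adding `grep "flags:.* ad" dig.out.ns6.test$n > /dev/null || ret=1` would pin the validated outcome that the CHANGES entry is about. Because digcomp compares the two outputs, `+dnssec` has to be given to both queries, not just the one against ns6.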
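Review bot: `unsigned int ztoptions = 0;` is added to the function's common declaration block, but the only use visible in this commit is inside the `#ifdef BIND9` region of the following hunk, so a build without BIND9 would get an unused-variable warning for it next to the existing `UNUSED(zone);`. Either add `UNUSED(ztoptions);` beside `UNUSED(zone);` in the `#ifndef BIND9` block, or declare the variable inside the `#ifdef BIND9` block where it is consumed. dns_view_findzonecut2 starts before this hunk and continues after it, so a use of ztoptions I cannot see would remove the warning concern.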
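Review bot: The translation of DNS_DBFIND_NOEXACT into DNS_ZTFIND_NOEXACT carries the whole fix, yet nothing beside the code says why a caller would want the zone table to skip an exact match, and the CHANGES entry names only the symptom. I would put above `if ((options & DNS_DBFIND_NOEXACT) != 0)` a comment along the lines of `/* NOEXACT callers (presumably the DS lookup in CHANGES 3925) want the enclosing zone, not a zone at 'name' itself, so pass the flag through; otherwise an automatic empty zone such as 10.in-addr.arpa is returned as the cut. */`. It would also be worth noting next to the `dns_zt_find` call that with NOEXACT the result for a name that is itself a configured zone becomes PARTIALMATCH or NOTFOUND, since the `DNS_R_PARTIALMATCH` check on the next line now sees that case routinely. What happens after the zone table lookup yields ISC_R_NOTFOUND is outside this hunk.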