From: Mark Andrews Date: Wed, 6 Jul 2016 00:13:15 +0000 (+1000) Subject: 4405. [bug] Change 4342 introduced a regression where you could X-Git-Tag: v9.9.9-P2~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87e3d17e889a38de742e14f5ff9656fee053d9b7;p=thirdparty%2Fbind9.git 4405. [bug] Change 4342 introduced a regression where you could not remove a delegation in a NSEC3 signed zone using OPTOUT via nsupdate. [RT #42702] (cherry picked from commit d811a7d9ef26169be8f60a2149c632ca9e9d49fb) (cherry picked from commit d9cc1ed8ea7083069263257454564af1144b71fd) --- diff --git a/CHANGES b/CHANGES index 359b496dd08..6216c57a825 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +4405. [bug] Change 4342 introduced a regression where you could + not remove a delegation in a NSEC3 signed zone using + OPTOUT via nsupdate. [RT #42702] + 4387. [bug] Change 4336 was not complete leading to SERVFAIL being return as NS records expired. [RT #42683] diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh index dcb80d36eca..303d6ea151e 100644 --- a/bin/tests/system/nsupdate/clean.sh +++ b/bin/tests/system/nsupdate/clean.sh 
@@ -19,20 +19,27 @@ # Clean up after zone transfer tests. # -rm -f ns1/*.jnl ns2/*.jnl +rm -f */named.memstats +rm -f */named.run +rm -f Kxxx.* +rm -f dig.out.* +rm -f jp.out.ns3.* +rm -f ns*/named.lock +rm -f ns1/*.jnl ns2/*.jnl ns3/*.jnl rm -f ns1/example.db ns1/unixtime.db ns1/update.db ns1/other.db ns1/keytests.db +rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.db ns1/keytests.db +rm -f ns1/many.test.db rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key rm -f ns1/sha512.key ns1/ddns.key -rm -f nsupdate.out rm -f ns2/example.bk rm -f ns2/update.bk ns2/update.alt.bk -rm -f */named.memstats -rm -f */named.run -rm -f nsupdate.out* -rm -f ns3/example.db.jnl ns3/example.db -rm -f ns3/nsec3param.test.db.signed.jnl ns3/nsec3param.test.db ns3/nsec3param.test.db.signed ns3/dsset-nsec3param.test. -rm -f ns3/dnskey.test.db.signed.jnl ns3/dnskey.test.db ns3/dnskey.test.db.signed ns3/dsset-dnskey.test. +rm -f ns3/*.signed rm -f ns3/K* -rm -f dig.out.* -rm -f jp.out.ns3.* -rm -f Kxxx.* +rm -f ns3/delegation.test.db +rm -f ns3/dnskey.test.db +rm -f ns3/dsset-* +rm -f ns3/example.db +rm -f ns3/many.test.bk +rm -f ns3/nsec3param.test.db +rm -f nsupdate.out* +rm -f typelist.out.* diff --git a/bin/tests/system/nsupdate/ns3/delegation.test.db.in b/bin/tests/system/nsupdate/ns3/delegation.test.db.in new file mode 100644 index 00000000000..674a7ed8b80 --- /dev/null +++ b/bin/tests/system/nsupdate/ns3/delegation.test.db.in @@ -0,0 +1,10 @@ +; Copyright (C) 2011, 2016 Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. + +$TTL 10 +delegation.test. IN SOA delegation.test. hostmaster.delegation.test. 1 3600 900 2419200 3600 +delegation.test. IN NS delegation.test. +delegation.test. IN A 10.53.0.3 
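Review bot: The unchanged line `rm -f ns1/example.db ns1/unixtime.db ns1/update.db ns1/other.db ns1/keytests.db` is now redundant, because the line added directly after it removes the same five files plus `ns1/yyyymmddvv.db`. Dropping the older line keeps the list to one entry per file, which makes it easier to see whether a new test artifact is covered. The journal and signed file of the new zone are already caught by the `ns3/*.jnl` and `ns3/*.signed` globs, so nothing further is needed for `delegation.test`.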
diff --git a/bin/tests/system/nsupdate/ns3/named.conf b/bin/tests/system/nsupdate/ns3/named.conf index 4b43efe4f22..cfb258289b8 100644 --- a/bin/tests/system/nsupdate/ns3/named.conf +++ b/bin/tests/system/nsupdate/ns3/named.conf @@ -60,3 +60,9 @@ zone "dnskey.test" { allow-update { any; }; file "dnskey.test.db.signed"; }; + +zone "delegation.test" { + type master; + allow-update { any; }; + file "delegation.test.db.signed"; +}; diff --git a/bin/tests/system/nsupdate/ns3/sign.sh b/bin/tests/system/nsupdate/ns3/sign.sh index 7b06a6bbcd9..9ed29ada338 100644 --- a/bin/tests/system/nsupdate/ns3/sign.sh +++ b/bin/tests/system/nsupdate/ns3/sign.sh @@ -38,3 +38,14 @@ keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone` cat $infile $keyname1.key $keyname2.key >$zonefile $SIGNER -P -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null + +zone=delegation.test. +infile=delegation.test.db.in +zonefile=delegation.test.db + +keyname1=`$KEYGEN -q -r $RANDFILE -3 -f KSK $zone` +keyname2=`$KEYGEN -q -r $RANDFILE -3 $zone` + +cat $infile $keyname1.key $keyname2.key >$zonefile + +$SIGNER -A -3 - -P -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh index 799220d9c37..d3d131d5a63 100644 --- a/bin/tests/system/nsupdate/tests.sh +++ b/bin/tests/system/nsupdate/tests.sh 
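Review bot: The new `delegation.test` zone has no comment saying why it accepts updates from anyone: `allow-update { any; };` lets every client that can reach this server rewrite the zone without a TSIG key. That mirrors the `dnskey.test` zone visible just above and is what the unauthenticated `nsupdate` calls in tests.sh rely on, so the setting itself fits the fixture. I would add one line above the stanza, for example `// system-test fixture: unauthenticated dynamic updates are intentional here`, so it is not reused as a template elsewhere.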
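Review bot: The signer flags on the last added line carry the whole point of this fixture and deserve a comment: `-A` sets opt-out on the NSEC3 chain and `-3 -` selects NSEC3 with an empty salt, which is the configuration the commit message names for the regression. Something like `# opt-out NSEC3 (-A), empty salt (-3 -): needed to reproduce RT #42702` above the `$SIGNER` call would do. Separately, the two `$KEYGEN` results are used unchecked, as in the block above this hunk. If key generation fails, `cat` is handed `.key` and the error only shows up later in the signer, so a guard such as `[ -n "$keyname1" ] || exit 1` would make the cause visible.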
@@ -543,5 +543,34 @@ if [ $ret -ne 0 ]; then status=1 fi +n=`expr $n + 1` +echo "I:check adding of delegating NS records processing ($n)" +ret=0 +$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1 +server 10.53.0.3 5300 +zone delegation.test. +update add child.delegation.test. 3600 NS foo.example.net. +update add child.delegation.test. 3600 NS bar.example.net. +send +EOF +$DIG +tcp @10.53.0.3 -p 5300 ns child.delegation.test > dig.out.ns1.test$n +grep "status: NOERROR" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +grep "AUTHORITY: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo I:failed; status=1; } + +n=`expr $n + 1` +echo "I:check deleting of delegating NS records processing ($n)" +ret=0 +$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 || ret=1 +server 10.53.0.3 5300 +zone delegation.test. +update del child.delegation.test. 3600 NS foo.example.net. +update del child.delegation.test. 3600 NS bar.example.net. +send +EOF +$DIG +tcp @10.53.0.3 -p 5300 ns child.delegation.test > dig.out.ns1.test$n +grep "status: NXDOMAIN" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +[ $ret = 0 ] || { echo I:failed; status=1; } + echo "I:exit status: $status" exit $status diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c index 74ab9ddf649..ced4e0270f1 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c @@ -1342,7 +1342,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit)); result = dns_dbiterator_seek(dbit, hashname); - if (result == ISC_R_NOTFOUND) + if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) goto success; if (result != ISC_R_SUCCESS) goto failure; 
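Review bot: The delete check proves only that the name is gone (`status: NXDOMAIN`); it never asks for DNSSEC records, so a server that removed the NS RRset but left the NSEC3 chain inconsistent would still pass. Since the fix is in the NSEC3 deletion path, I would query with `+dnssec` in the second test and also require NSEC3 records in the authority section, e.g. `grep "IN.NSEC3" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1` (pattern to be confirmed against real output). Both tests also write to `dig.out.ns1.test$n` although they query 10.53.0.3, which the zone file and named.conf in this commit place under ns3; `dig.out.ns3.test$n` would match.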
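Review bot: The widened test `result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH` has no comment explaining why a partial match counts as "nothing to delete", here and in the identical hunk at -1447. Presumably the seek stops at an ancestor node when no NSEC3 exists for the hashed name, as for a delegation skipped by opt-out, but that reasoning is not visible in the code. A short comment above each test would help, for example `/* No NSEC3 at this hash (e.g. opt-out delegation): nothing to remove. */`. dns_nsec3_delnsec3 starts and ends outside both hunks, so what runs after the `success` label cannot be checked from here.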
@@ -1447,7 +1447,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, &empty, origin, hash, iterations, salt, salt_length)); result = dns_dbiterator_seek(dbit, hashname); - if (result == ISC_R_NOTFOUND) + if (result == ISC_R_NOTFOUND || result == DNS_R_PARTIALMATCH) goto success; if (result != ISC_R_SUCCESS) goto failure; diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 1912c8478d2..82499d85c0e 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -8651,6 +8651,8 @@ dbiterator_first(dns_dbiterator_t *iterator) { dns_name_t *name, *origin; if (rbtdbiter->result != ISC_R_SUCCESS && + rbtdbiter->result != ISC_R_NOTFOUND && + rbtdbiter->result != DNS_R_PARTIALMATCH && rbtdbiter->result != ISC_R_NOMORE) return (rbtdbiter->result); @@ -8704,6 +8706,8 @@ dbiterator_last(dns_dbiterator_t *iterator) { dns_name_t *name, *origin; if (rbtdbiter->result != ISC_R_SUCCESS && + rbtdbiter->result != ISC_R_NOTFOUND && + rbtdbiter->result != DNS_R_PARTIALMATCH && rbtdbiter->result != ISC_R_NOMORE) return (rbtdbiter->result); @@ -8754,6 +8758,7 @@ dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) { if (rbtdbiter->result != ISC_R_SUCCESS && rbtdbiter->result != ISC_R_NOTFOUND && + rbtdbiter->result != DNS_R_PARTIALMATCH && rbtdbiter->result != ISC_R_NOMORE) return (rbtdbiter->result); @@ -8979,6 +8984,8 @@ dbiterator_pause(dns_dbiterator_t *iterator) { rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator; if (rbtdbiter->result != ISC_R_SUCCESS && + rbtdbiter->result != ISC_R_NOTFOUND && + rbtdbiter->result != DNS_R_PARTIALMATCH && rbtdbiter->result != ISC_R_NOMORE) return (rbtdbiter->result);
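Review bot: The same four-value test on `rbtdbiter->result` is now spelled out separately in dbiterator_first, dbiterator_last, dbiterator_seek and dbiterator_pause, and the copies had apparently drifted before this commit (seek already accepted ISC_R_NOTFOUND as context, the other three did not). A single static helper would keep the set of non-fatal stored results in one place and give a spot to document why a result left by an earlier seek must not make a later call return early. All four functions continue outside their hunks, and the other iterator methods are not shown, so it is worth checking whether any of them needs the same treatment.

```c
/*
 * Results a previous iterator call may leave behind that describe a
 * position (or the lack of one) rather than a failure; later calls
 * must not bail out on them.
 */
static inline isc_boolean_t
dbiterator_result_usable(isc_result_t result) {
	return (ISC_TF(result == ISC_R_SUCCESS ||
		       result == ISC_R_NOTFOUND ||
		       result == DNS_R_PARTIALMATCH ||
		       result == ISC_R_NOMORE));
}

/* ... unchanged: dbiterator_first declarations ... */
	if (!dbiterator_result_usable(rbtdbiter->result))
		return (rbtdbiter->result);
/* ... same replacement in dbiterator_last, dbiterator_seek, dbiterator_pause ... */
```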