From: Mark Andrews
Date: Wed, 6 May 2020 23:36:50 +0000 (+1000)
Subject: Ignore attempts to add DS records at zone apex
X-Git-Tag: v9.17.2~16^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae55fbbe9cacb1a2c275bab48a611a0e174410d9;p=thirdparty%2Fbind9.git

Ignore attempts to add DS records at zone apex

DS records belong in the parent zone at a zone cut and are not retrievable with modern recursive servers.
---
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index f190f7f4105..055161b4b74 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -32,6 +32,8 @@ RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
 status=0
 n=0
+nextpartreset ns3/named.run
+
 # wait for zone transfer to complete
 tries=0
 while true; do
@@ -1087,6 +1089,25 @@ then
 echo_i "failed"; status=1
 fi
+echo_i "check that DS to the zone apex is ignored ($n)"
+$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.pre.test$n > /dev/null || ret=1
+nextpart ns3/named.run > /dev/null
+# specify zone to override the default of adding to parent zone
+$NSUPDATE -d < nsupdate.out-$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone example
+update add example 0 in DS 14364 10 2 FD03B2312C8F0FE72C1751EFA1007D743C94EC91594FF0047C23C37CE119BA0C
+send
+END
+msg=": attempt to add a DS record at zone apex ignored"
+nextpart ns3/named.run | grep "$msg" > /dev/null || ret=1
+$DIG $DIGOPTS +tcp +norec example DS @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 if $FEATURETEST --gssapi ; then
 n=`expr $n + 1`
 ret=0
diff --git a/lib/ns/update.c b/lib/ns/update.c
index 790b10eb6ee..9b780a62b90 100644
--- a/lib/ns/update.c
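Review bot: The new test block in tests.sh (second hunk) reuses the previous test's `$n` and `ret` instead of opening with the same two lines the `$FEATURETEST --gssapi` test right below it starts with (bumping `n` via `expr` and setting `ret=0`), so its "($n)" label and the `dig.out.pre.test$n`, `dig.out.post.test$n` and `nsupdate.out-$n` file names duplicate the preceding test's, and a `ret=1` left over from that test would make this one report "failed" as well even though the apex check passed. Inserting those two lines before the `echo_i "check that DS to the zone apex is ignored ($n)"` line keeps the file's numbering convention. As rendered here the `$NSUPDATE -d < nsupdate.out-$n 2>&1 || ret=1` line appears to have lost its here-document redirect, since the `server`/`zone`/`update add`/`send`/`END` lines that follow are nsupdate input rather than shell commands; that is most likely an artefact of how this page was extracted rather than of the commit, but it is worth confirming against the repository. The first hunk's `nextpartreset ns3/named.run` only establishes a baseline for the later `nextpart` log checks and needs no change.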
+++ b/lib/ns/update.c
@@ -2969,6 +2969,19 @@ update_action(isc_task_t *task, isc_event_t *event) {
 soa_serial_changed = true;
 }
+ if (dns_rdatatype_atparent(rdata.type) &&
+ dns_name_equal(name, zonename)) {
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+ dns_rdatatype_format(rdata.type, typebuf,
+ sizeof(typebuf));
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "attempt to add a %s record at "
+ "zone apex ignored",
+ typebuf);
+ continue;
+ }
+
 if (rdata.type == privatetype) {
 update_log(client, zone, LOGLEVEL_PROTOCOL,
 "attempt to add a private type "
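Review bot: The new apex check in update_action has no comment saying why a parent-side type whose owner equals zonename is dropped; the rationale lives only in the commit message, so a comment above the `if`, e.g. `/* DS and other parent-side types belong at the zone cut in the parent zone, never at this zone's apex: skip the RR (logged, not refused), as the private-type branch below does. */`, would keep the intent with the code. It is worth stating in that comment that the RR is skipped with `continue` after a LOGLEVEL_PROTOCOL log entry, so the requester still receives a successful update response; the accompanying tests.sh change relies on exactly that (`$NSUPDATE ... || ret=1` plus the grep for the log line), and a later change to an error rcode would break the test silently. The check appears to apply only to added RRs (the surrounding code and the log text are about adds), which is presumably intended since nothing of these types can exist at the apex to delete. update_action's body begins and ends outside the hunk.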