From: Matthijs Mekking Date: Fri, 13 Jan 2023 13:20:53 +0000 (+0100) Subject: Set RD bit on checkds requests X-Git-Tag: v9.19.10~29^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e34722ed43442f4c856d0f29a48886e741cc5699;p=thirdparty%2Fbind9.git Set RD bit on checkds requests It is allowed to point parental-agents to a resolver. Therefore, the RD bit should be set on requests. Upon receiving a DS response, ensure that the message has either the AA or the RA bit set. --- diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 9cf2bd49f75..eb5224d0ad4 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -20308,6 +20308,7 @@ checkds_done(isc_task_t *task, isc_event_t *event) { /* Validate response. */ CHECK(validate_ds(zone, message)); + /* Check RCODE. */ if (message->rcode != dns_rcode_noerror) { dns_zone_log(zone, ISC_LOG_NOTICE, "checkds: bad DS response from %s: %.*s", addrbuf, @@ -20315,6 +20316,17 @@ checkds_done(isc_task_t *task, isc_event_t *event) { goto failure; } + /* Make sure that either AA or RA bit is set. */ + if ((message->flags & DNS_MESSAGEFLAG_AA) == 0 && + (message->flags & DNS_MESSAGEFLAG_RA) == 0) + { + dns_zone_log(zone, ISC_LOG_NOTICE, + "checkds: bad DS response from %s: expected AA or " + "RA bit set", + addrbuf); + goto failure; + } + /* Lookup DS RRset. */ result = dns_message_firstname(message, DNS_SECTION_ANSWER); while (result == ISC_R_SUCCESS) { @@ -20535,6 +20547,7 @@ checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep) { message->opcode = dns_opcode_query; message->rdclass = zone->rdclass; + message->flags |= DNS_MESSAGEFLAG_RD; dns_message_gettempname(message, &tempname);
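Review bot: The new AA-or-RA test in checkds_done only inspects header bits that the responder sets, so by itself it does not show that the DS answer came from the parent or from a validating resolver. Because a response with only RA set is now accepted, the outcome rests on what `validate_ds()` verifies (its body is not visible in this hunk) and on whether the channel to the parental agent is authenticated, for instance with a TSIG key. The hunk does not look at the AD bit. I would say so above the test, e.g. `/* Sanity check only: AA and RA are unauthenticated header bits. */`. The two mask tests can also be folded into one, `if ((message->flags & (DNS_MESSAGEFLAG_AA | DNS_MESSAGEFLAG_RA)) == 0)`; checkds_done starts and ends outside the hunk.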
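Review bot: The added `message->flags |= DNS_MESSAGEFLAG_RD;` in checkds_createmessage has no comment explaining why a zone-maintenance query requests recursion; the reason is only in the commit message. A one-line comment such as `/* Parental agents may be resolvers, so request recursion. */` would keep it with the code. RD is set for every parental agent, authoritative servers included, so the comment could also point at the AA-or-RA test in checkds_done as the check that decides which answers are usable. The function continues outside the hunk.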