[v9_8] fix insecure delegation across static-stub zones
authorEvan Hunt <each@isc.org>
Fri, 13 Dec 2013 06:26:18 +0000 (22:26 -0800)
committerEvan Hunt <each@isc.org>
Fri, 13 Dec 2013 06:26:18 +0000 (22:26 -0800)
3689. [bug] Fixed a bug causing an insecure delegation from one
static-stub zone to another to fail with a broken
trust chain. [RT #35081]

(cherry picked from commit 9b895f30f1734fd463a02b27cfd0cf36ec9893d5)
(cherry picked from commit 0c0ce5f9a4dce5a4b23e1d6cfee53648c475e781)

CHANGES
bin/tests/system/dnssec/ns2/example.db.in
bin/tests/system/dnssec/ns2/insecure.secure.example.db
bin/tests/system/dnssec/ns3/secure.example.db.in
bin/tests/system/dnssec/ns4/named4.conf [new file with mode: 0644]
bin/tests/system/dnssec/tests.sh
lib/dns/resolver.c

diff --git a/CHANGES b/CHANGES
index fe4d56bb865878d8254428c6137f831fe44e56fe..430dfb5946757b5c74810c2c18fdd3c83584c3e6 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3689.  [bug]           Fixed a bug causing an insecure delegation from one
+                       static-stub zone to another to fail with a broken
+                       trust chain. [RT #35081]
+
        --- 9.8.7b1 released ---
 
 3688.  [bug]           loadnode could return a freed node on out of memory.
index de640a745279454561858803d4f5e14162441f8a..9b990e08df3f1030db20208e0d8b595baeb66b45 100644 (file)
@@ -54,8 +54,8 @@ dname2                        DNAME   dname2-target
 foo.dname2-target      TXT     "testing dname"
 
 ; A secure subdomain
-secure                 NS      ns.secure
-ns.secure              A       10.53.0.3
+secure                 NS      ns3.secure
+ns3.secure             A       10.53.0.3
 
 ; An insecure subdomain
 insecure               NS      ns.insecure
index f16a2cf8f687851ddf9afe747a627e66a4b87b45..3892f92fa8239477c2accae9c96af0f48c1d1945 100644 (file)
@@ -13,8 +13,6 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: insecure.secure.example.db,v 1.9 2007/06/19 23:47:02 tbox Exp $
-
 $TTL 300       ; 5 minutes
 @                      IN SOA  mname1. . (
                                2000042407 ; serial
@@ -23,8 +21,8 @@ $TTL 300      ; 5 minutes
                                1814400    ; expire (3 weeks)
                                3600       ; minimum (1 hour)
                                )
-                       NS      ns
-ns                     A       10.53.0.3
+                       NS      ns2
+ns2                    A       10.53.0.2
 
 a                      A       10.0.0.1
 b                      A       10.0.0.2
index c9de3e5b6d1d163e6e5f7f3c48a231caf186c09e..1e757ae408d7de0829e0a09fe00e0ceb9a90d576 100644 (file)
@@ -13,8 +13,6 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: secure.example.db.in,v 1.16 2010/07/15 01:17:45 jinmei Exp $
-
 $TTL 300       ; 5 minutes
 @                      IN SOA  mname1. . (
                                2000042407 ; serial
@@ -23,8 +21,8 @@ $TTL 300      ; 5 minutes
                                1814400    ; expire (3 weeks)
                                3600       ; minimum (1 hour)
                                )
-                       NS      ns
-ns                     A       10.53.0.3
+                       NS      ns3
+ns3                    A       10.53.0.3
 
 a                      A       10.0.0.1
 b                      A       10.0.0.2
@@ -36,8 +34,8 @@ x                     CNAME   a
 private                        NS      ns.private
 ns.private             A       10.53.0.2
 
-insecure               NS      ns.insecure
-ns.insecure            A       10.53.0.2
+insecure               NS      ns2.insecure
+ns2.insecure           A       10.53.0.2
 
 nosoa                  NS      ns.nosoa
 ns.nosoa               A       10.53.0.7
diff --git a/bin/tests/system/dnssec/ns4/named4.conf b/bin/tests/system/dnssec/ns4/named4.conf
new file mode 100644 (file)
index 0000000..1afde2d
--- /dev/null
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+// NS4
+
+controls { /* empty */ };
+
+options {
+       query-source address 10.53.0.4;
+       notify-source 10.53.0.4;
+       transfer-source 10.53.0.4;
+       port 5300;
+       pid-file "named.pid";
+       listen-on { 10.53.0.4; };
+       listen-on-v6 { none; };
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm hmac-sha256;
+};
+
+controls {
+       inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
+};
+
+key auth {
+       secret "1234abcd8765";
+       algorithm hmac-sha256;
+};
+
+include "trusted.conf";
+
+view rec {
+       match-recursive-only yes;
+       recursion yes;
+       acache-enable yes;
+       dnssec-validation yes;
+       dnssec-accept-expired yes;
+
+       zone "." {
+               type hint;
+               file "../../common/root.hint";
+       };
+
+       zone secure.example {
+               type static-stub;
+               server-addresses { 10.53.0.4; };
+       };
+
+       zone insecure.secure.example {
+               type static-stub;
+               server-addresses { 10.53.0.4; };
+       };
+};
+
+view auth {
+       recursion no;
+       allow-recursion { none; };
+
+       zone secure.example {
+               type slave;
+               masters { 10.53.0.3; };
+       };
+
+       zone insecure.secure.example {
+               type slave;
+               masters { 10.53.0.2; };
+       };
+};
index 92d38c59fbbc810476f7e01b1e5744d1446ff3b5..9f8e5c477a799a4a9466e53a5eca3f7188878556 100644 (file)
@@ -1926,5 +1926,21 @@ n=`expr $n + 1`
 if test "$before" = "$after" ; then echo "I:failed"; ret=1; fi
 status=`expr $status + $ret`
 
+cp ns4/named4.conf ns4/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
+sleep 3
+
+echo "I:check insecure delegation between static-stub zones ($n)"
+ret=0
+$DIG $DIGOPTS ns insecure.secure.example \
+       @10.53.0.4 > dig.out.ns4.1.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.1.test$n > /dev/null && ret=1
+$DIG $DIGOPTS ns secure.example \
+       @10.53.0.4 > dig.out.ns4.2.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.2.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
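Review bot: The new check only rejects a SERVFAIL answer (the two `grep "SERVFAIL"` lines), so an NXDOMAIN, REFUSED or truncated response to either query would still count as a pass; a positive assertion on the expected status would make the test actually prove the delegation resolves, e.g. `grep "status: NOERROR" dig.out.ns4.1.test$n > /dev/null || ret=1` and `grep "status: NOERROR" dig.out.ns4.2.test$n > /dev/null || ret=1` after the existing greps. The `$RNDC ... reconfig` exit status is also discarded (only its output is piped through sed), so if the reconfig fails ns4 keeps its previous configuration and the fixed `sleep 3` then runs the queries against the wrong setup; `$RNDC ... reconfig 2>&1 | sed 's/^/I:ns4 /'` could be followed by a check that the new static-stub zones are actually loaded before querying. The surrounding script continues outside the hunk.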
index 917777f842ddda34f7b43b4f5bb858af73919ebd..6659f1a012e95bb4ac061f00577cb47d8047ebca 100644 (file)
@@ -3609,12 +3609,14 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
                         */
                        if (dns_rdatatype_atparent(fctx->type))
                                findoptions |= DNS_DBFIND_NOEXACT;
-                       result = dns_view_findzonecut(res->view, name, domain,
-                                                     0, findoptions, ISC_TRUE,
+                       result = dns_view_findzonecut(res->view, fwdname,
+                                                     domain, 0, findoptions,
+                                                     ISC_TRUE,
                                                      &fctx->nameservers,
                                                      NULL);
                        if (result != ISC_R_SUCCESS)
                                goto cleanup_name;
+
                        result = dns_name_dup(domain, mctx, &fctx->domain);
                        if (result != ISC_R_SUCCESS) {
                                dns_rdataset_disassociate(&fctx->nameservers);
@@ -7306,9 +7308,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
                 * NXDOMAIN, NXRDATASET, or referral.
                 */
                result = noanswer_response(fctx, NULL, 0);
-               if (result == DNS_R_CHASEDSSERVERS) {
-               } else if (result == DNS_R_DELEGATION) {
-               force_referral:
+               switch (result) {
+               case ISC_R_SUCCESS:
+               case DNS_R_CHASEDSSERVERS:
+                       break;
+               case DNS_R_DELEGATION:
+ force_referral:
                        /*
                         * We don't have the answer, but we know a better
                         * place to look.
@@ -7333,7 +7338,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
                        fctx->adberr = 0;
 
                        result = ISC_R_SUCCESS;
-               } else if (result != ISC_R_SUCCESS) {
+                       break;
+               default:
                        /*
                         * Something has gone wrong.
                         */
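Review bot: In the first hunk of lib/dns/resolver.c the zone-cut lookup in fctx_create now starts from `fwdname` instead of `name`, but nothing near the call says why the two can differ or why the forwarding name is the correct starting point; `fwdname` is assigned outside the hunk, so a reader of this code cannot tell from here, and the resulting `domain` is what becomes `fctx->domain` on the following lines. Suggest a short why-comment above the call, along the lines of `/* Find the zone cut for fwdname (the name the forwarder lookup was keyed on, presumably), not the query name; see RT #35081 for the static-stub delegation case this fixes. */`, with the exact reason confirmed against where fwdname is set. Both fctx_create and resquery_response start and end outside their hunks.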