--- 9.4.3-P5 released ---
+2831. [security] Do not attempt to validate or cache
+ out-of-bailiwick data returned with a secure
+ answer; it must be re-fetched from its original
+ source and validated in that context. [RT #20819]
+
2828. [security] Cached CNAME or DNAME RR could be returned to clients
without DNSSEC validation. [RT #20737]
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db.in,v 1.4.4.1 2009/12/31 21:02:05 each Exp $
+; $Id: root.db.in,v 1.4.4.2 2010/01/07 17:18:49 each Exp $
$TTL 30
. IN SOA marka.isc.org. a.root.servers.nil. (
ns2.example.com. A 10.53.0.2
hostile. NS ns3.hostile.
ns3.hostile. A 10.53.0.3
+nice.good. A 10.10.10.10
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.3.4.1 2009/12/31 21:02:05 each Exp $
+# $Id: sign.sh,v 1.3.4.2 2010/01/07 17:18:49 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
keyname2=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 2048 -f KSK -n zone $zone`
cat $infile $keyname1.key $keyname2.key > $zonefile
-$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null
+$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
# Configure the resolving server with a trusted key.
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.2 2009/11/17 23:55:18 marka Exp $
+; $Id: example.db.in,v 1.2.44.2 2010/01/07 17:18:49 each Exp $
$TTL 30
+$ORIGIN example.
@ IN SOA mname1. . (
2009110300 ; serial
20 ; refresh (20 seconds)
MX 10 mail
ns2 A 10.53.0.2
mail A 10.0.0.2
+bad CNAME nice.good.
+worse A 6.6.6.6
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4.4.1 2009/12/31 21:02:05 each Exp $ */
+/* $Id: named.conf,v 1.4.4.2 2010/01/07 17:18:49 each Exp $ */
// NS2
file "example.com.db.signed";
allow-update { 10.53.0.0/8; };
};
+
+zone "good" {
+ type master;
+ file "forgery.db";
+ allow-query { any; };
+};
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.4.4.1 2009/12/31 21:02:05 each Exp $
+# $Id: sign.sh,v 1.4.4.2 2010/01/07 17:18:49 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
cat $infile $keyname1.key $keyname2.key >$zonefile
- $SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null
+ $SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
done
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.4.4.1 2009/12/31 21:02:05 each Exp $
+# $Id: tests.sh,v 1.4.4.2 2010/01/07 17:18:49 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
status=`expr $status + $ret`
+#
+# Try to fool the resolver with an out-of-bailiwick CNAME
+#
+echo I:Trying to Prime out-of-bailiwick pending answer with CD
+ret=0
+expect="10.10.10.10"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 bad.example. A` || ret=1
+ans=`echo $ans | awk '{print $NF}'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo I:Confirming the out-of-bailiwick answer is not cached or reused with CD
+ret=0
+expect="10.10.10.10"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 nice.good. A` || ret=1
+ans=`echo $ans | awk '{print $NF}'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
echo "I:exit status: $status"
exit $status
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.284.18.79.2.1 2009/11/19 00:25:17 marka Exp $ */
+/* $Id: resolver.c,v 1.284.18.79.2.2 2010/01/07 17:18:49 each Exp $ */
/*! \file */
rdataset->ttl = res->view->maxcachettl;
/*
- * If this rrset is in a secure domain, do DNSSEC validation
- * for it, unless it is glue.
+ * If this RRset is in a secure domain, is in bailiwick,
+ * and is not glue, attempt DNSSEC validation. (We do not
+ * attempt to validate glue or out-of-bailiwick data--even
+ * though there might be some performance benefit to doing
+ * so--because it makes it simpler and safer to ensure that
+ * records from a secure domain are only cached if validated
+ * within the context of a query to the domain that owns
+ * them.)
*/
- if (secure_domain && rdataset->trust != dns_trust_glue) {
+ if (secure_domain && rdataset->trust != dns_trust_glue &&
+ !EXTERNAL(rdataset)) {
dns_trust_t trust;
+
/*
* RRSIGs are validated as part of validating the
* type they cover.
}
/*
- * Reject out of bailiwick additional records
- * without RRSIGs as they can't possibly validate
- * as "secure" and as we will never never want to
- * store these as "answers" after validation.
- */
- if (rdataset->trust == dns_trust_additional &&
- sigrdataset == NULL && EXTERNAL(rdataset))
- continue;
-
- /*
- * XXXMPA: If we store as "answer" after validating
- * then we need to do bailiwick processing and
- * also need to track whether RRsets are in or
- * out of bailiwick. This will require a another
- * pending trust level.
- *
* Cache this rdataset/sigrdataset pair as
* pending data. Track whether it was additional
* or not.
/*
* This data is outside of
* our query domain, and
- * may only be cached if it
- * comes from a secure zone
- * and validates.
+ * may not be cached.
*/
rdataset->attributes |=
DNS_RDATASETATTR_EXTERNAL;
projects / thirdparty / bind9.git / commitdiff
