add NS RRsets to the additional section or not.
[RT #30479]
+3371. [bug] AD=1 should behave like DO=1 when deciding whether to
+ add NS RRsets to the additional section or not.
+ [RT #30479]
+
3370. [bug] Address use after free while shutting down. [RT #30241]
3369. [bug] nsupdate terminated unexpectedly in interactive mode
#define NS_CLIENT_MAGIC ISC_MAGIC('N','S','C','c')
#define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
-#define NS_CLIENTATTR_TCP 0x01
-#define NS_CLIENTATTR_RA 0x02 /*%< Client gets recursive service */
-#define NS_CLIENTATTR_PKTINFO 0x04 /*%< pktinfo is valid */
-#define NS_CLIENTATTR_MULTICAST 0x08 /*%< recv'd from multicast */
-#define NS_CLIENTATTR_WANTDNSSEC 0x10 /*%< include dnssec records */
-#define NS_CLIENTATTR_WANTNSID 0x20 /*%< include nameserver ID */
+#define NS_CLIENTATTR_TCP 0x001
+#define NS_CLIENTATTR_RA 0x002 /*%< Client gets recursive service */
+#define NS_CLIENTATTR_PKTINFO 0x004 /*%< pktinfo is valid */
+#define NS_CLIENTATTR_MULTICAST 0x008 /*%< recv'd from multicast */
+#define NS_CLIENTATTR_WANTDNSSEC 0x010 /*%< include dnssec records */
+#define NS_CLIENTATTR_WANTNSID 0x020 /*%< include nameserver ID */
#ifdef ALLOW_FILTER_AAAA
-#define NS_CLIENTATTR_FILTER_AAAA 0x40 /*%< suppress AAAAs */
-#define NS_CLIENTATTR_FILTER_AAAA_RC 0x80 /*%< recursing for A against AAAA */
+#define NS_CLIENTATTR_FILTER_AAAA 0x040 /*%< suppress AAAAs */
+#define NS_CLIENTATTR_FILTER_AAAA_RC 0x080 /*%< recursing for A against AAAA */
#endif
+#define NS_CLIENTATTR_WANTAD 0x100 /*%< want AD in response if possible */
extern unsigned int ns_client_requests;
/*% Want DNSSEC? */
#define WANTDNSSEC(c) (((c)->attributes & \
NS_CLIENTATTR_WANTDNSSEC) != 0)
+/*% Want WANTAD? */
+#define WANTAD(c) (((c)->attributes & \
+ NS_CLIENTATTR_WANTAD) != 0)
+
/*% No authority? */
#define NOAUTHORITY(c) (((c)->query.attributes & \
NS_QUERYATTR_NOAUTHORITY) != 0)
SECURE(client) && WANTDNSSEC(client))
goto cleanup;
+ /*
+ * If the answer is secure only add NS records if they are secure * when the client may be looking for AD in the response.
+ */
+ if (SECURE(client) && (WANTDNSSEC(client) || WANTAD(client)) &&
+ ((rdataset->trust != dns_trust_secure) ||
+ (sigrdataset != NULL && sigrdataset->trust != dns_trust_secure)))
+ goto cleanup;
+
/*
* If the client doesn't want DNSSEC we can discard the sigrdataset
* now.
dns_rdatatype_t qtype;
unsigned int saved_extflags = client->extflags;
unsigned int saved_flags = client->message->flags;
- isc_boolean_t want_ad;
CTRACE("ns_query_start");
client->query.attributes &= ~NS_QUERYATTR_SECURE;
/*
- * Set 'want_ad' if the client has set AD in the query.
+ * Set NS_CLIENTATTR_WANTDNSSEC if the client has set AD in the query.
* This allows AD to be returned on queries without DO set.
*/
if ((message->flags & DNS_MESSAGEFLAG_AD) != 0)
- want_ad = ISC_TRUE;
- else
- want_ad = ISC_FALSE;
+ client->attributes |= NS_CLIENTATTR_WANTAD;
/*
* This is an ordinary query.
* Set AD. We must clear it if we add non-validated data to a
* response.
*/
- if (WANTDNSSEC(client) || want_ad)
+ if (WANTDNSSEC(client) || WANTAD(client))
message->flags |= DNS_MESSAGEFLAG_AD;
qclient = NULL;