Fixed DNSKEY NODATA responses not cached (RT #22908).
authorScott Mann <smann@isc.org>
Tue, 1 Mar 2011 14:42:16 +0000 (14:42 +0000)
committerScott Mann <smann@isc.org>
Tue, 1 Mar 2011 14:42:16 +0000 (14:42 +0000)
CHANGES
bin/tests/system/dnssec/tests.sh
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index bff39ee9983b1566a82b266f123a03df4f195461..0be9d9274821ec30e842d1d77d0d157d515858e5 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3047.   [bug]           DNSKEY NODATA responses not cached fixed in
+                        validator.c. Tests added to dnssec system test.
+                        [RT #22908]
+
 3046.  [bug]           Use RRSIG original TTL to compute validated RRset
                        and RRSIG TTL. [RT #23332]
 
index 02b42ef11009aa71e0796f3eff9ab9f344fbb1f4..087462a1bfb1d81397e202f0c2c4254df09d9c4d 100644 (file)
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.73.14.6 2011/02/28 14:25:16 fdupont Exp $
+# $Id: tests.sh,v 1.73.14.7 2011/03/01 14:42:16 smann Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -1204,5 +1204,25 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking dnskey query with no data still gets put in cache ($n)"
+ret=0
+myDIGOPTS="+noadd +nosea +nostat +noquest +nocomm +nocmd -p 5300 @10.53.0.4"
+firstVal=`$DIG $myDIGOPTS insecure.example. dnskey|awk '{ print $2 }'`
+sleep 1
+secondVal=`$DIG $myDIGOPTS insecure.example. dnskey|awk '{ print $2 }'`
+if [ $firstVal -eq $secondVal ]
+then
+       sleep 1
+       thirdVal=`$DIG $myDIGOPTS insecure.example. dnskey|awk '{ print $2 }'`
+       if [ $firstVal -eq $thirdVal ]
+       then
+               echo "I: cannot confirm query answer still in cache"
+               ret=1
+       fi
+fi
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
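Review bot: The unquoted comparisons `[ $firstVal -eq $secondVal ]` and `[ $firstVal -eq $thirdVal ]` let this check pass when dig returns nothing usable: an empty or multi-line value makes `[` exit with an error, the `if` treats that as false, and `ret` stays 0. Because this is the regression guard for the negative-cache fix, an unreachable or failing resolver at 10.53.0.4 should fail the test rather than pass it. I would add `if [ -z "$firstVal" ] || [ -z "$secondVal" ]; then ret=1; fi` before the first comparison and quote the operands, as in `[ "$firstVal" -eq "$secondVal" ]`. The awk filter prints field 2 of every output line, so it should also be restricted to a single record; whether more than one line comes back here cannot be told from the hunk.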
index 3e2ff16dc16e59ebd61fa9672307302595ad862f..c233db70a691ec0a883c92ec7890b2b9c986d438 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.197.14.3 2011/02/28 14:25:17 fdupont Exp $ */
+/* $Id: validator.c,v 1.197.14.4 2011/03/01 14:42:16 smann Exp $ */
 
 #include <config.h>
 
@@ -3040,13 +3040,11 @@ validate_authority(dns_validator_t *val, isc_boolean_t resume) {
                         * infinite loop.  Avoid that.
                         */
                        if (val->event->type == dns_rdatatype_dnskey &&
+                           rdataset->type == dns_rdatatype_nsec &&
                            dns_name_equal(name, val->event->name))
                        {
                                dns_rdata_t nsec = DNS_RDATA_INIT;
 
-                               if (rdataset->type != dns_rdatatype_nsec)
-                                       continue;
-
                                result = dns_rdataset_first(rdataset);
                                if (result != ISC_R_SUCCESS)
                                        return (result);
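Review bot: The comment above this condition still describes the loop hazard for the whole DNSKEY-name case, but the guard now covers only NSEC rdatasets. Other rdatasets at `val->event->name` that used to hit `continue` now fall through to the code after this block, which is outside the hunk. The comment should say why validating those cannot re-enter the same DNSKEY lookup, for example `/* Only the NSEC at the query name is special-cased; other rdatasets at this name are validated normally so the NODATA answer can be cached. */`. The identical condition and comment appear again in the validate_ncache hunk, so a small static helper for the three-part test would keep the two copies from drifting apart.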
@@ -3120,13 +3118,11 @@ validate_ncache(dns_validator_t *val, isc_boolean_t resume) {
                 * infinite loop.  Avoid that.
                 */
                if (val->event->type == dns_rdatatype_dnskey &&
+                   rdataset->type == dns_rdatatype_nsec &&
                    dns_name_equal(name, val->event->name))
                {
                        dns_rdata_t nsec = DNS_RDATA_INIT;
 
-                       if (rdataset->type != dns_rdatatype_nsec)
-                               continue;
-
                        result = dns_rdataset_first(rdataset);
                        if (result != ISC_R_SUCCESS)
                                return (result);