3541. [bug] The parts if libdns was not being properly initialized

                        in when built in libexport mode. [RT #33028]

diff --git a/CHANGES b/CHANGES
index 3ace55107be8ce6314475bb1a0af665060020941..abf2fe8c93507748548b40765577640f41e3f4ed 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3541.  [bug]           The parts if libdns was not being properly initialized
+                       in when built in libexport mode. [RT #33028]
+
 3540.  [bug]           libt_api: t_info and t_assert were not thread safe.
 
 3539.  [port]          win32: timestamp format didn't match other platforms.

diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 2824185b08811167b4fa993900e70a72ec4941bc..3fe0d429fc404ebc82b727d4a5c3af6d8b77f99c 100644 (file)
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -49,6 +49,7 @@ PK11LIST="$TOP/bin/pkcs11/pkcs11-list -s ${SLOT:-0} -p 1234"
 PK11DEL="$TOP/bin/pkcs11/pkcs11-destroy -s ${SLOT:-0} -p 1234"
 JOURNALPRINT=$TOP/bin/tools/named-journalprint
 ARPANAME=$TOP/bin/tools/arpaname
+SAMPLE=$TOP/lib/export/samples/sample
 
 # The "stress" test is not run by default since it creates enough
 # load on the machine to make it unusable to other users.

diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index eb7a17deadbec3a5ab2770ec91e7c4f444b1f4f8..1ad2fb2ecf4bdd515bb9f60f0b725340de7b2d7b 100644 (file)
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -29,6 +29,7 @@ rm -f ns2/single-nsec3.db
 rm -f ns2/nsec3chain-test.db
 rm -f */example.bk
 rm -f dig.out.*
+rm -f sample.out*
 rm -f random.data
 rm -f ns2/dlv.db
 rm -f ns3/multiple.example.db ns3/nsec3-unknown.example.db ns3/nsec3.example.db

diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 3ccaead41638ba8e9ce614fc7ef04687e671d9e6..33e26ef3db531d678db9c9a86f1d7690d055892e 100644 (file)
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -73,3 +73,8 @@ cp managed.conf ../ns4/managed.conf
 keyid=`expr $keyname : 'K.+001+\(.*\)'`
 keyid=`expr $keyid + 0`
 echo "$keyid" > managed.key.id
+cat $keyname.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print "-a $alg -e -k $dn -K $key\n"
+' > sample.key

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 962cda463eed1638dda7dc23008467c1a30d5083..64298930a7e385b64cf4515904494cb295f4fded 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -26,6 +26,7 @@ n=1
 rm -f dig.out.*
 
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+SAMPLEKEY=`cat ns1/sample.key`
 
 # convert private-type records to readable form
 showprivate () {
@@ -102,6 +103,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking postive validation NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.example > sample.out$n || ret=1
+   grep "a.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   grep "a.example..*.RRSIG.A 3 2 300 .*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive validation NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
@@ -114,6 +126,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive validation NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.nsec3.example > sample.out$n || ret=1
+   grep "a.nsec3.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   grep "a.nsec3.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive validation OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.example. \
@@ -126,6 +149,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive validation OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.optout.example > sample.out$n || ret=1
+   grep "a.optout.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   grep "a.optout.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive wildcard validation NSEC ($n)"
 ret=0
 $DIG $DIGOPTS a.wild.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
@@ -137,6 +171,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive wildcard validation NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.wild.example > sample.out$n || ret=1
+   grep "a.wild.example..*10.0.0.27" sample.out$n > /dev/null || ret=1
+   grep "a.wild.example..*RRSIG.A 3 2 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive wildcard answer NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
@@ -148,9 +193,9 @@ status=`expr $status + $ret`
 
 echo "I:checking positive wildcard answer NSEC3 ($n)"
 ret=0
-$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
-grep "AUTHORITY: 4," dig.out.ns3.test$n > /dev/null || ret=1
-grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+$DIG $DIGOPTS a.wild.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "AUTHORITY: 4," dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@@ -166,6 +211,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive wildcard validation NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.wild.nsec3.example > sample.out$n || ret=1
+   grep "a.wild.nsec3.example..*10.0.0.6" sample.out$n > /dev/null || ret=1
+   grep "a.wild.nsec3.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking positive wildcard validation OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS a.wild.optout.example. \
@@ -179,6 +235,17 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking positive wildcard validation OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.wild.optout.example > sample.out$n || ret=1
+   grep "a.wild.optout.example..*10.0.0.6" sample.out$n > /dev/null || ret=1
+   grep "a.wild.optout.example..*RRSIG.A 7 3 300.*" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NXDOMAIN NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
@@ -190,6 +257,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NXDOMAIN NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NXDOMAIN NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.nsec3.example. \
@@ -203,6 +280,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NXDOMAIN NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NXDOMAIN OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth q.optout.example. \
@@ -217,6 +304,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NXDOMAIN OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.optout.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NODATA NSEC ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
@@ -229,6 +326,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 a.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NODATA NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.nsec3.example. \
@@ -243,6 +350,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NODATA NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 a.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative validation NODATA OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.optout.example. \
@@ -257,6 +374,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative validation NODATA OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 a.optout.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative wildcard validation NSEC ($n)"
 ret=0
 $DIG $DIGOPTS b.wild.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
@@ -268,6 +395,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative wildcard validation NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.wild.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative wildcard validation NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS b.wild.nsec3.example. @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
@@ -278,6 +415,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative wildcard validation NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.wild.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking negative wildcard validation OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS b.wild.optout.example. \
@@ -292,6 +439,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking negative wildcard validation OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t txt 10.53.0.4 b.optout.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxrrset" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 # Check the insecure.example domain
 
 echo "I:checking 1-server insecurity proof NSEC ($n)"
@@ -306,6 +463,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server insecurity proof NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.insecure.example > sample.out$n || ret=1
+   grep "a.insecure.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server insecurity proof NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.insecure.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
@@ -318,6 +485,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server insecurity proof NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.insecure.nsec3.example > sample.out$n || ret=1
+   grep "a.insecure.nsec3.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server insecurity proof OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS +noauth a.insecure.optout.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
@@ -330,6 +507,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server insecurity proof OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.insecure.optout.example > sample.out$n || ret=1
+   grep "a.insecure.optout.example..*10.0.0.1" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server negative insecurity proof NSEC ($n)"
 ret=0
 $DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
@@ -344,6 +531,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server negative insecurity proof NSEC using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.insecure.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server negative insecurity proof NSEC3 ($n)"
 ret=0
 $DIG $DIGOPTS q.insecure.nsec3.example. a @10.53.0.3 \
@@ -358,6 +555,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server negative insecurity proof NSEC3 using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.insecure.nsec3.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server negative insecurity proof OPTOUT ($n)"
 ret=0
 $DIG $DIGOPTS q.insecure.optout.example. a @10.53.0.3 \
@@ -372,6 +579,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking 1-server negative insecurity proof OPTOUT using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 q.insecure.optout.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking 1-server negative insecurity proof with SOA hack NSEC ($n)"
 ret=0
 $DIG $DIGOPTS r.insecure.example. soa @10.53.0.3 \
@@ -559,6 +776,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking failed validation using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.bogus.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: no valid RRSIG" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 # Try validating with a bad trusted key.
 # This should fail.
 
@@ -594,6 +821,16 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -e ${SAMPLE} ] ; then
+   ret=0
+   echo "I:checking that validation fails when key record is missing using dns_client ($n)"
+   $SAMPLE $SAMPLEKEY -p 5300 -t a 10.53.0.4 a.b.keyless.example > /dev/null 2> sample.out$n || ret=1
+   grep "resolution failed: broken trust chain" sample.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
 ret=0
 #prime
@@ -1434,7 +1671,7 @@ echo "I:testing legacy upper case signer name validation ($n)"
 ret=0
 $DIG +tcp +dnssec -p 5300 +noadd +noauth soa upper.example @10.53.0.4 \
         > dig.out.ns4.test$n 2>&1
-grep 'flags:.* ad;' dig.out.ns4.test$n >/dev/null || ret=1
+grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1
 grep 'RRSIG.*SOA.* UPPER\.EXAMPLE\. ' dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -1444,7 +1681,7 @@ echo "I:testing that we lower case signer name ($n)"
 ret=0
 $DIG +tcp +dnssec -p 5300 +noadd +noauth soa LOWER.EXAMPLE @10.53.0.4 \
         > dig.out.ns4.test$n 2>&1
-grep 'flags:.* ad;' dig.out.ns4.test$n >/dev/null || ret=1
+grep 'flags:.* ad;' dig.out.ns4.test$n > /dev/null || ret=1
 grep 'RRSIG.*SOA.* lower\.example\. ' dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi

diff --git a/bin/tests/system/resolver/clean.sh b/bin/tests/system/resolver/clean.sh
index 38d81afefc4ca741847d3ab868db284d3d8de3c1..a0104b9f1d3161211fd6a0ff9800ba9fc3ea425f 100644 (file)
--- a/bin/tests/system/resolver/clean.sh
+++ b/bin/tests/system/resolver/clean.sh
@@ -31,3 +31,4 @@ rm -f ns6/dsset-example.net. ns6/example.net.db.signed.jnl
 rm -f ns6/to-be-removed.tld.db ns6/to-be-removed.tld.db.jnl
 rm -f ns7/server.db ns7/server.db.jnl
 rm -f random.data
+rm -f sample.out

diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 0a2a316940b27418e629b80a43727307c00f5f08..6bfb3b7d7f3a04e8e6a757e25b9c322d59cb6112 100644 (file)
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -30,17 +30,44 @@ grep "status: NXDOMAIN" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+echo "I:checking non-cachable NXDOMAIN response handling using dns_client"
+   ret=0
+   ${SAMPLE} -p 5300 -t a 10.53.0.1 nxdomain.example.net 2> sample.out || ret=1
+   grep "resolution failed: ncache nxdomain" sample.out > /dev/null || ret=1
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:checking non-cachable NODATA response handling"
 ret=0
 $DIG +tcp nodata.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
 grep "status: NOERROR" dig.out > /dev/null || ret=1
-
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking non-cachable NODATA response handling using dns_client"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 nodata.example.net 2> sample.out || ret=1
+    grep "resolution failed: ncache nxrrset" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:checking handling of bogus referrals"
 # If the server has the "INSIST(!external)" bug, this query will kill it.
 $DIG +tcp www.example.com. a @10.53.0.1 -p 5300 >/dev/null || status=1
 
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking handling of bogus referrals using dns_client"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 www.example.com 2> sample.out || ret=1
+    grep "resolution failed: failure" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:check handling of cname + other data / 1"
 $DIG +tcp cname1.example.com. a @10.53.0.1 -p 5300 >/dev/null || status=1
 
@@ -71,6 +98,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking answer IPv4 address filtering using dns_client (accept)"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 www.example.org > sample.out || ret=1
+    grep "www.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:checking answer IPv6 address filtering (accept)"
 ret=0
 $DIG +tcp www.example.org @10.53.0.1 aaaa -p 5300 > dig.out || ret=1
@@ -78,6 +115,15 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking answer IPv6 address filtering using dns_client (accept)"
+    ret=0
+    ${SAMPLE} -p 5300 -t aaaa 10.53.0.1 www.example.org > sample.out || ret=1
+    grep "www.example.org..*.2001:db8:beef::1" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:checking CNAME target filtering (deny)"
 ret=0
 $DIG +tcp badcname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
@@ -92,6 +138,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking CNAME target filtering using dns_client (accept)"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 goodcname.example.net > sample.out || ret=1
+    grep "goodcname.example.net..*.goodcname.example.org." sample.out > /dev/null || ret=1
+    grep "goodcname.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:checking CNAME target filtering (accept due to subdomain)"
 ret=0
 $DIG +tcp cname.sub.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
@@ -99,6 +155,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking CNAME target filtering using dns_client (accept due to subdomain)"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 cname.sub.example.org > sample.out || ret=1
+    grep "cname.sub.example.org..*.ok.sub.example.org." sample.out > /dev/null || ret=1
+    grep "ok.sub.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:checking DNAME target filtering (deny)"
 ret=0
 $DIG +tcp foo.baddname.example.net @10.53.0.1 a -p 5300 > dig.out || ret=1
@@ -113,6 +179,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking DNAME target filtering using dns_client (accept)"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 foo.gooddname.example.net > sample.out || ret=1
+    grep "foo.gooddname.example.net..*.gooddname.example.org" sample.out > /dev/null || ret=1
+    grep "foo.gooddname.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 echo "I:checking DNAME target filtering (accept due to subdomain)"
 ret=0
 $DIG +tcp www.dname.sub.example.org @10.53.0.1 a -p 5300 > dig.out || ret=1
@@ -120,6 +196,16 @@ grep "status: NOERROR" dig.out > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+if [ -x ${SAMPLE} ] ; then
+    echo "I:checking DNAME target filtering using dns_client (accept due to subdomain)"
+    ret=0
+    ${SAMPLE} -p 5300 -t a 10.53.0.1 www.dname.sub.example.org > sample.out || ret=1
+    grep "www.dname.sub.example.org..*.ok.sub.example.org." sample.out > /dev/null || ret=1
+    grep "www.ok.sub.example.org..*.192.0.2.1" sample.out > /dev/null || ret=1
+    if [ $ret != 0 ]; then echo "I:failed"; fi
+    status=`expr $status + $ret`
+fi
+
 n=`expr $n + 1`
 echo "I: RT21594 regression test check setup ($n)"
 ret=0

diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index 4a9d18e4e8ca815843b55583a1a8fd5bac6c5857..c3ba42d01cf13b049c68df2268803f78493a8b4e 100644 (file)
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -2339,7 +2339,8 @@ destroy(dns_adb_t *adb) {
        adb->magic = 0;
 
        isc_task_detach(&adb->task);
-       isc_task_detach(&adb->excl);
+       if (adb->excl != NULL)
+               isc_task_detach(&adb->excl);
 
        isc_mempool_destroy(&adb->nmp);
        isc_mempool_destroy(&adb->nhmp);

diff --git a/lib/dns/client.c b/lib/dns/client.c
index 7b6d164084856dcacc21fc2d91d527eae7bd5d2c..09998a474ddef25443fba962a0be21bc5ef03ea3 100644 (file)
--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@@ -354,6 +354,12 @@ dns_client_create(dns_client_t **clientp, unsigned int options) {
        isc_taskmgr_t *taskmgr = NULL;
        isc_socketmgr_t *socketmgr = NULL;
        isc_timermgr_t *timermgr = NULL;
+#if 0
+       /* XXXMPA add debug logging support */
+       isc_log_t *lctx = NULL;
+       isc_logconfig_t *logconfig = NULL;
+       unsigned int logdebuglevel = 0;
+#endif
 
        result = isc_mem_create(0, 0, &mctx);
        if (result != ISC_R_SUCCESS)
@@ -373,7 +379,18 @@ dns_client_create(dns_client_t **clientp, unsigned int options) {
        result = isc_timermgr_createinctx(mctx, actx, &timermgr);
        if (result != ISC_R_SUCCESS)
                goto cleanup;
-
+#if 0
+        result = isc_log_create(mctx, &lctx, &logconfig);
+       if (result != ISC_R_SUCCESS)
+               goto cleanup;
+        isc_log_setcontext(lctx);
+        dns_log_init(lctx);
+        dns_log_setcontext(lctx);
+        result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
+       if (result != ISC_R_SUCCESS)
+               goto cleanup;
+        isc_log_setdebuglevel(lctx, logdebuglevel);
+#endif
        result = dns_client_createx(mctx, actx, taskmgr, socketmgr, timermgr,
                                    options, clientp);
        if (result != ISC_R_SUCCESS)
@@ -485,6 +502,7 @@ dns_client_createx(isc_mem_t *mctx, isc_appctx_t *actx, isc_taskmgr_t *taskmgr,
        client->update_udpretries = DEF_UPDATE_UDPRETRIES;
        client->find_timeout = DEF_FIND_TIMEOUT;
        client->find_udpretries = DEF_FIND_UDPRETRIES;
+       client->attributes = 0;
 
        client->references = 1;
        client->magic = DNS_CLIENT_MAGIC;

diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c
index f1a833fe14038854505db907c7b08f279b8e1cb0..66c2d5b5ec3102d1ecee09a756680e16db923072 100644 (file)
--- a/lib/dns/ecdb.c
+++ b/lib/dns/ecdb.c
@@ -80,8 +80,11 @@ typedef struct rdatasetheader {
 
 /* Copied from rbtdb.c */
 #define RDATASET_ATTR_NXDOMAIN         0x0010
+#define RDATASET_ATTR_NEGATIVE         0x0100
 #define NXDOMAIN(header) \
        (((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
+#define NEGATIVE(header) \
+       (((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0)
 
 static isc_result_t dns_ecdb_create(isc_mem_t *mctx, dns_name_t *origin,
                                    dns_dbtype_t type,
@@ -406,6 +409,8 @@ bind_rdataset(dns_ecdb_t *ecdb, dns_ecdbnode_t *node,
        rdataset->trust = header->trust;
        if (NXDOMAIN(header))
                rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
+       if (NEGATIVE(header))
+               rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
 
        rdataset->private1 = ecdb;
        rdataset->private2 = node;
@@ -469,6 +474,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
        header->attributes = 0;
        if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
                header->attributes |= RDATASET_ATTR_NXDOMAIN;
+       if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+               header->attributes |= RDATASET_ATTR_NEGATIVE;
        ISC_LINK_INIT(header, link);
        ISC_LIST_APPEND(ecdbnode->rdatasets, header, link);
 

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 476afad1c495d4849b29281b8034d320f43c11cf..222b60c8802d094980bbdd5b7535276f02ae5739 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -4385,6 +4385,14 @@ validated(isc_task_t *task, isc_event_t *event) {
        fctx->attributes |= FCTX_ATTR_HAVEANSWER;
 
        if (hevent != NULL) {
+               /*
+                * Negative results must be indicated in event->result.
+                */
+               if (dns_rdataset_isassociated(hevent->rdataset) &&
+                   NEGATIVE(hevent->rdataset)) {
+                       INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
+                              eresult == DNS_R_NCACHENXRRSET);
+               }
                hevent->result = eresult;
                RUNTIME_CHECK(dns_name_copy(vevent->name,
                              dns_fixedname_name(&hevent->foundname), NULL)

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index ff0cfc8ddbd8fffbe4c8411554d40336856ecc0c..3d7518a2bebf84df0d7710913db7a6bf688bc35d 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -981,9 +981,6 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
        if (dns_rdataset_isassociated(&val->fsigrdataset))
                dns_rdataset_disassociate(&val->fsigrdataset);
 
-       if (val->view->zonetable == NULL)
-               return (ISC_R_CANCELED);
-
        if (isc_time_now(&now) == ISC_R_SUCCESS &&
            dns_resolver_getbadcache(val->view->resolver, name, type, &now)) {
 

diff --git a/lib/dns/view.c b/lib/dns/view.c
index c1c47ef68cc547ffc93eddd2915fb3490f05d9b9..5b6ad6587d2095026000f2a3369c82a05abdf620 100644 (file)
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -98,8 +98,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
        if (result != ISC_R_SUCCESS)
                goto cleanup_name;
 
-#ifdef BIND9
        view->zonetable = NULL;
+#ifdef BIND9
        result = dns_zt_create(mctx, rdclass, &view->zonetable);
        if (result != ISC_R_SUCCESS) {
                UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -227,6 +227,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
        ISC_EVENT_INIT(&view->reqevent, sizeof(view->reqevent), 0, NULL,
                       DNS_EVENT_VIEWREQSHUTDOWN, req_shutdown,
                       view, NULL, NULL, NULL);
+       view->viewlist = NULL;
        view->magic = DNS_VIEW_MAGIC;
 
        *viewp = view;
@@ -868,11 +869,14 @@ dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) {
 
        REQUIRE(DNS_VIEW_VALID(view));
 
-       result = dns_zt_find(view->zonetable, name, 0, NULL, zonep);
-       if (result == DNS_R_PARTIALMATCH) {
-               dns_zone_detach(zonep);
+       if (view->zonetable != NULL) {
+               result = dns_zt_find(view->zonetable, name, 0, NULL, zonep);
+               if (result == DNS_R_PARTIALMATCH) {
+                       dns_zone_detach(zonep);
+                       result = ISC_R_NOTFOUND;
+               }
+       } else
                result = ISC_R_NOTFOUND;
-       }
 
        return (result);
 }

diff --git a/lib/export/samples/sample.c b/lib/export/samples/sample.c
index c7c542b1e5d8c0c4d6dd3b9da374c850d2aca4e8..4799d5ec45ffce017d46008f08100dff87ec3de2 100644 (file)
--- a/lib/export/samples/sample.c
+++ b/lib/export/samples/sample.c
@@ -172,7 +172,9 @@ set_key(dns_client_t *client, char *keynamestr, char *keystr,
 }
 
 static void
-addserver(dns_client_t *client, const char *addrstr, const char *namespace) {
+addserver(dns_client_t *client, const char *addrstr, const char *port,
+         const char *namespace)
+{
        struct addrinfo hints, *res;
        int gai_error;
        isc_sockaddr_t sa;
@@ -188,7 +190,7 @@ addserver(dns_client_t *client, const char *addrstr, const char *namespace) {
        hints.ai_socktype = SOCK_DGRAM;
        hints.ai_protocol = IPPROTO_UDP;
        hints.ai_flags = AI_NUMERICHOST;
-       gai_error = getaddrinfo(addrstr, "53", &hints, &res);
+       gai_error = getaddrinfo(addrstr, port, &hints, &res);
        if (gai_error != 0) {
                fprintf(stderr, "getaddrinfo failed: %s\n",
                        gai_strerror(gai_error));
@@ -245,8 +247,9 @@ main(int argc, char *argv[]) {
        isc_mem_t *keymctx = NULL;
        unsigned int clientopt, resopt;
        isc_boolean_t is_sep = ISC_FALSE;
+       const char *port = "53";
 
-       while ((ch = getopt(argc, argv, "a:es:t:k:K:")) != -1) {
+       while ((ch = getopt(argc, argv, "a:es:t:k:K:p:")) != -1) {
                switch (ch) {
                case 't':
                        tr.base = optarg;
@@ -279,6 +282,9 @@ main(int argc, char *argv[]) {
                case 'K':
                        keystr = optarg;
                        break;
+               case 'p':
+                       port = optarg;
+                       break;
                default:
                        usage();
                }
@@ -318,11 +324,11 @@ main(int argc, char *argv[]) {
        }
 
        /* Set the nameserver */
-       addserver(client, argv[0], NULL);
+       addserver(client, argv[0], port, NULL);
 
        /* Set the alternate nameserver (when specified) */
        if (altserver != NULL)
-               addserver(client, altserveraddr, altservername);
+               addserver(client, altserveraddr, port, altservername);
 
        /* Install DNSSEC key (if given) */
        if (keynamestr != NULL) {