2597. [bug] Handle a validation failure with a insecure delegation
authorMark Andrews <marka@isc.org>
Thu, 7 May 2009 02:39:42 +0000 (02:39 +0000)
committerMark Andrews <marka@isc.org>
Thu, 7 May 2009 02:39:42 +0000 (02:39 +0000)
                        from a NSEC3 signed master/slave zone.  [RT #19464]

CHANGES
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index f6d76172eaaf9df9e98ee7b0558f8b10d18ab4e1..5ee6badb7219c170c8dd7d00dbb24cc20cf38e06 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2597.  [bug]           Handle a validation failure with a insecure delegation
+                       from a NSEC3 signed master/slave zone.  [RT #19464]
+
 2596.  [bug]           Stale tree nodes of cache/dynamic rbtdb could stay
                        long, leading to inefficient memory usage or rejecting
                        newer cache entries in the worst case. [RT #19563]
index 0ee7eeef368e0bde78055300b50079f36cdf9e15..c38a92e554a0531628ff8cc42f321b672eb590ea 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.164.12.7 2009/03/17 23:47:29 tbox Exp $ */
+/* $Id: validator.c,v 1.164.12.8 2009/05/07 02:39:42 marka Exp $ */
 
 #include <config.h>
 
@@ -3232,9 +3232,13 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
        dns_name_t *secroot;
        dns_name_t *tname;
        char namebuf[DNS_NAME_FORMATSIZE];
+       dns_name_t *found;
+       dns_fixedname_t fixedfound;
 
        dns_fixedname_init(&fixedsecroot);
        secroot = dns_fixedname_name(&fixedsecroot);
+       dns_fixedname_init(&fixedfound);
+       found = dns_fixedname_name(&fixedfound);
        if (val->havedlvsep)
                dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
        else {
@@ -3342,6 +3346,28 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
                                        goto out;
                                return (DNS_R_WAIT);
                        }
+                       /*
+                        * Zones using NSEC3 don't return a NSEC RRset so
+                        * we need to use dns_view_findzonecut2 to find
+                        * the zone cut.
+                        */
+                       if (result == DNS_R_NXRRSET &&
+                           !dns_rdataset_isassociated(&val->frdataset) &&
+                           dns_view_findzonecut2(val->view, tname, found,
+                                                 0, 0, ISC_FALSE, ISC_FALSE,
+                                                 NULL, NULL) == ISC_R_SUCCESS &&
+                           dns_name_equal(tname, found)) {
+                               if (val->mustbesecure) {
+                                       validator_log(val, ISC_LOG_WARNING,
+                                                     "must be secure failure");
+                                       return (DNS_R_MUSTBESECURE);
+                               }
+                               if (val->view->dlv == NULL || DLVTRIED(val)) {
+                                       markanswer(val);
+                                       return (ISC_R_SUCCESS);
+                               }
+                               return (startfinddlvsep(val, tname));
+                       }
                        if (val->frdataset.trust < dns_trust_secure) {
                                /*
                                 * This shouldn't happen, since the negative
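Review bot: The comment on the new block explains why no NSEC RRset is present but not what makes accepting the answer safe: the `ISC_FALSE, ISC_FALSE` arguments to `dns_view_findzonecut2` (use_hints and use_cache, if the argument order matches the view API) confine the zone-cut lookup to zones configured in this view, so an unvalidated cut from the cache can never satisfy this branch, and a later change that enabled the cache here would let a NXRRSET carrying no NSEC/NSEC3 proof be marked insecure on the strength of cached data. I would extend the comment to state that invariant, e.g. `/* No hints, no cache: the missing NSEC proof is acceptable only because the NXRRSET came from this view's own NSEC3-signed zone data. */`. Note also that the branch does not itself check that the matching zone is NSEC3-signed, so an unsigned local zone at `tname` appears to take the same path; if that is intended, the comment should say so. The enclosing `proveunsecure` starts and ends outside the hunk.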