+ --- 9.4.3-P5 released ---
+
+2828. [security] Cached CNAME or DNAME RR could be returned to clients
+ without DNSSEC validation. [RT #20737]
+
+2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
+
--- 9.4.3-P4 released ---
2772. [security] When validating, track whether pending data was from
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.257.18.46.2.1 2009/11/19 00:25:17 marka Exp $ */
+/* $Id: query.c,v 1.257.18.46.2.2 2009/12/31 21:02:05 each Exp $ */
/*! \file */
isc_boolean_t empty_wild;
dns_rdataset_t *noqname;
isc_boolean_t resuming;
- dns_rdataset_t tmprdataset;
- unsigned int dboptions;
CTRACE("query_find");
/*
* Now look for an answer in the database.
*/
- dboptions = client->query.dboptions;
- if (sigrdataset == NULL && client->view->enablednssec) {
- /*
- * If the client doesn't want DNSSEC we still want to
- * look for any data pending validation to save a remote
- * lookup if possible.
- */
- dns_rdataset_init(&tmprdataset);
- sigrdataset = &tmprdataset;
- dboptions |= DNS_DBFIND_PENDINGOK;
- }
- refind:
result = dns_db_find(db, client->query.qname, version, type,
- dboptions, client->now, &node, fname,
- rdataset, sigrdataset);
- /*
- * If we have found pending data try to validate it.
- * If the data does not validate as secure and we can't
- * use the unvalidated data requery the database with
- * pending disabled to prevent infinite looping.
- */
- if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust))
- goto validation_done;
- if (validate(client, db, fname, rdataset, sigrdataset))
- goto validation_done;
- if (rdataset->trust != dns_trust_pending_answer ||
- !PENDINGOK(client->query.dboptions)) {
- dns_rdataset_disassociate(rdataset);
- if (sigrdataset != NULL &&
- dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- if (sigrdataset == &tmprdataset)
- sigrdataset = NULL;
- dns_db_detachnode(db, &node);
- dboptions &= ~DNS_DBFIND_PENDINGOK;
- goto refind;
- }
- validation_done:
- if (sigrdataset == &tmprdataset) {
- if (dns_rdataset_isassociated(sigrdataset))
- dns_rdataset_disassociate(sigrdataset);
- sigrdataset = NULL;
- }
+ client->query.dboptions, client->now,
+ &node, fname, rdataset, sigrdataset);
resume:
CTRACE("query_find: resume");
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: conf.sh.in,v 1.27.18.10 2008/01/11 23:45:59 tbox Exp $
+# $Id: conf.sh.in,v 1.27.18.10.4.1 2009/12/31 21:02:05 each Exp $
#
# Common configuration data for system tests, to be sourced into
# load on the machine to make it unusable to other users.
# v6synth
SUBDIRS="acl cacheclean checkconf checknames dnssec forward glue ixfr limits
- lwresd masterfile masterformat notify nsupdate resolver rrsetorder
+ lwresd masterfile masterformat notify nsupdate pending resolver rrsetorder
sortlist stub tkey unknown upforwd views xfer xferquota zonechecks"
# PERL will be an empty string if no perl interpreter was found.
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.db.in,v 1.13.18.2 2004/05/05 01:32:35 marka Exp $
+; $Id: example.db.in,v 1.13.18.2.68.1 2009/12/31 21:02:05 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
foo TXT "testing"
foo A 10.0.1.0
+bad-cname CNAME a
+bad-dname DNAME @
+
; Used for testing CNAME queries
cname1 CNAME cname1-target
cname1-target TXT "testing cname"
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.24.18.2 2006/01/04 00:37:23 marka Exp $
+# $Id: sign.sh,v 1.24.18.2.68.1 2009/12/31 21:02:05 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
$SIGNER -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+#
+# lower/uppercase the signature bits with the exception of the last characters
+# changing the last 4 characters will lead to a bad base64 encoding.
+#
+$CHECKZONE -D -q -i local $zone $zonefile.signed |
+awk '
+tolower($1) == "bad-cname.example." && $4 == "RRSIG" && $5 == "CNAME" {
+ for (i = 1; i <= NF; i++ ) {
+ if (i <= 12) {
+ printf("%s ", $i);
+ continue;
+ }
+ prefix = substr($i, 1, length($i) - 4);
+ suffix = substr($i, length($i) - 4, 4);
+ if (i > 12 && tolower(prefix) != prefix)
+ printf("%s%s", tolower(prefix), suffix);
+ else if (i > 12 && toupper(prefix) != prefix)
+ printf("%s%s", toupper(prefix), suffix);
+ else
+ printf("%s%s ", prefix, suffix);
+ }
+ printf("\n");
+ next;
+}
+
+tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
+ for (i = 1; i <= NF; i++ ) {
+ if (i <= 12) {
+ printf("%s ", $i);
+ continue;
+ }
+ prefix = substr($i, 1, length($i) - 4);
+ suffix = substr($i, length($i) - 4, 4);
+ if (i > 12 && tolower(prefix) != prefix)
+ printf("%s%s", tolower(prefix), suffix);
+ else if (i > 12 && toupper(prefix) != prefix)
+ printf("%s%s", toupper(prefix), suffix);
+ else
+ printf("%s%s ", prefix, suffix);
+ }
+ printf("\n");
+ next;
+}
+
+{ print; }' > $zonefile.signed++ && mv $zonefile.signed++ $zonefile.signed
+
+
# Sign the privately secure file
privzone=private.secure.example.
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.44.18.5 2006/02/26 23:49:49 marka Exp $
+# $Id: tests.sh,v 1.44.18.5.68.1 2009/12/31 21:02:05 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
+echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
+ret=0
+#prime
+$DIG $DIGOPTS +cd bad-cname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
+#check: requery with +CD. pending data should be returned even if it's bogus
+expect="a.example.
+10.0.0.1"
+ans=`$DIG $DIGOPTS +cd +nodnssec +short bad-cname.example. @10.53.0.4` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+#check: requery without +CD. bogus cached data should be rejected.
+$DIG $DIGOPTS +nodnssec bad-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:Checking that a bad DNAME signature is caught after a +CD query ($n)"
+ret=0
+#prime
+$DIG $DIGOPTS +cd a.bad-dname.example. @10.53.0.4 > dig.out.ns4.prime$n || ret=1
+#check: requery with +CD. pending data should be returned even if it's bogus
+expect="example.
+a.example.
+10.0.0.1"
+ans=`$DIG $DIGOPTS +cd +nodnssec +short a.bad-dname.example. @10.53.0.4` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+#check: requery without +CD. bogus cached data should be rejected.
+$DIG $DIGOPTS +nodnssec a.bad-dname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
# Check the insecure.secure.example domain (insecurity proof)
echo "I:checking 2-server insecurity proof ($n)"
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.4 2009/12/30 08:02:22 jinmei Exp $
+# $Id: clean.sh,v 1.4.4.1 2009/12/31 21:02:05 each Exp $
rm -rf */*.signed
rm -rf */*.jnl
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: root.db.in,v 1.4 2009/12/30 08:02:22 jinmei Exp $
+; $Id: root.db.in,v 1.4.4.1 2009/12/31 21:02:05 each Exp $
$TTL 30
. IN SOA marka.isc.org. a.root.servers.nil. (
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.3 2009/12/30 08:02:22 jinmei Exp $
+# $Id: sign.sh,v 1.3.4.1 2009/12/31 21:02:05 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
cp ../ns2/dsset-example. .
cp ../ns2/dsset-example.com. .
-keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
-keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -f KSK -n zone $zone`
+keyname1=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+keyname2=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 2048 -f KSK -n zone $zone`
cat $infile $keyname1.key $keyname2.key > $zonefile
$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: example.com.db.in,v 1.2 2009/12/30 08:02:22 jinmei Exp $
+; $Id: example.com.db.in,v 1.2.12.1 2009/12/31 21:02:05 each Exp $
$TTL 30
@ IN SOA mname1. . (
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.4 2009/12/30 08:02:22 jinmei Exp $ */
+/* $Id: named.conf,v 1.4.4.1 2009/12/31 21:02:05 each Exp $ */
// NS2
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.4 2009/12/30 08:02:22 jinmei Exp $
+# $Id: sign.sh,v 1.4.4.1 2009/12/31 21:02:05 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
infile=${domain}.db.in
zonefile=${domain}.db
- keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
- keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
+ keyname1=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+ keyname2=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -f KSK -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: named.conf,v 1.2 2009/11/17 23:55:18 marka Exp $ */
+/* $Id: named.conf,v 1.2.44.1 2009/12/31 21:02:05 each Exp $ */
controls { /* empty */ };
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion yes;
+ dnssec-validation yes;
};
zone "." {
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: prereq.sh,v 1.3 2009/11/18 23:48:06 tbox Exp $
+# $Id: prereq.sh,v 1.3.38.1 2009/12/31 21:02:05 each Exp $
-../../../tools/genrandom 400 random.data
-
-if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
+../../genrandom 400 random.data
+if $KEYGEN -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
then
rm -f Kfoo*
else
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: setup.sh,v 1.2 2009/11/17 23:55:18 marka Exp $
+# $Id: setup.sh,v 1.2.44.1 2009/12/31 21:02:05 each Exp $
-../../../tools/genrandom 400 random.data
+../../genrandom 400 random.data
cd ns1 && sh -e sign.sh
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.4 2009/12/30 08:02:22 jinmei Exp $
+# $Id: tests.sh,v 1.4.4.1 2009/12/31 21:02:05 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
status=`expr $status + $ret`
#
-# Prime cache with pending additional records. These should not be promoted
-# to answer.
+# Prime cache with pending additional records. Technically, these should not
+# be promoted to answer, but it's allowed in BIND 9.4.
#
echo "I:Priming cache (pending additional A and AAAA)"
ret=0
test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
status=`expr $status + $ret`
-echo "I:Checking updated data to be returned (with CD)"
+echo "I:Checking cached data to be returned (with CD, BIND 9.4 only)"
ret=0
-expect="2001:db8::3"
+expect="2001:db8::2"
ans=`$DIG $DIGOPTS_CD @10.53.0.4 mail.example.com AAAA` || ret=1
test "$ans" = "$expect" || ret=1
test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: types.h,v 1.109.18.12.68.1 2009/11/19 00:25:18 marka Exp $ */
+/* $Id: types.h,v 1.109.18.12.68.2 2009/12/31 21:02:05 each Exp $ */
#ifndef DNS_TYPES_H
#define DNS_TYPES_H 1
#define DNS_TRUST_PENDING(x) ((x) == dns_trust_pending_answer || \
(x) == dns_trust_pending_additional)
+#define DNS_TRUST_ADDITIONAL(x) ((x) == dns_trust_additional || \
+ (x) == dns_trust_pending_additional)
#define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue)
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.119.18.41.2.2 2009/11/19 00:25:18 marka Exp $ */
+/* $Id: validator.c,v 1.119.18.41.2.3 2009/12/31 21:02:05 each Exp $ */
/*! \file */
if (val->havedlvsep)
dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
else {
+ unsigned int labels;
dns_name_copy(val->event->name, secroot, NULL);
/*
* If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor.
*/
- if (val->event->type == dns_rdatatype_ds &&
- dns_name_countlabels(secroot) > 1U)
- dns_name_split(secroot, 1, NULL, secroot);
+
+ labels = dns_name_countlabels(secroot);
+ if (val->event->type == dns_rdatatype_ds && labels > 1U)
+ dns_name_getlabelsequence(secroot, 1, labels - 1,
+ secroot);
result = dns_keytable_finddeepestmatch(val->keytable,
secroot, secroot);
-
if (result == ISC_R_NOTFOUND) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "not beneath secure root");
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
"must be secure failure");
-# $Id: version,v 1.29.134.23.2.4 2009/11/19 00:25:17 marka Exp $
+# $Id: version,v 1.29.134.23.2.5 2009/12/31 21:02:05 each Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
MINORVER=4
PATCHVER=3
RELEASETYPE=-P
-RELEASEVER=4
+RELEASEVER=5
projects / thirdparty / bind9.git / commitdiff
