4580. [bug] 4578 introduced a regression when handling CNAME to
authorMark Andrews <marka@isc.org>
Tue, 14 Mar 2017 04:07:00 +0000 (15:07 +1100)
committerMark Andrews <marka@isc.org>
Tue, 14 Mar 2017 04:16:27 +0000 (15:16 +1100)
                        referral below the current domain. [RT #44850]

(cherry picked from commit 638c7c635ddab0b717a675f49b1180dbf8ef803e)

CHANGES
lib/dns/api
lib/dns/resolver.c
version

diff --git a/CHANGES b/CHANGES
index 5a18254593bb1c0cbece4a3dbefcab4ab2fc16e5..fd13d9e84b090ccca15752331f40016c790626ff 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+       --- 9.10.4-P8 released ---
+
+4580.  [bug]           4578 introduced a regression when handling CNAME to
+                       referral below the current domain. [RT #44850]
+
        --- 9.10.4-P7 released ---
 
 4578.  [security]      Some chaining (CNAME or DNAME) responses to upstream
index 8fa2c191077362da3b04d791732feb6e863ec9de..263a3eceec16174199268b8fb6abd82108193360 100644 (file)
@@ -6,5 +6,5 @@
 # 9.9-sub: 130-139, 150-159
 # 9.10: 140-149, 160-169
 LIBINTERFACE = 165
-LIBREVISION = 6
+LIBREVISION = 7
 LIBAGE = 0
index 4704ef0c55318a556b2b3356b6815735c8ab1961..1ba7aae1dd62fa02843f1dd1ad71cfea7d952ee9 100644 (file)
@@ -6156,7 +6156,7 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
 
 static isc_boolean_t
 is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
-                       dns_rdataset_t *rdataset)
+                       dns_rdataset_t *rdataset, isc_boolean_t *chainingp)
 {
        isc_result_t result;
        dns_rbtnode_t *node = NULL;
@@ -6177,8 +6177,11 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
        REQUIRE(rdataset->type == dns_rdatatype_cname ||
                rdataset->type == dns_rdatatype_dname);
 
-       /* By default, we allow any target name. */
-       if (view->denyanswernames == NULL)
+       /*
+        * By default, we allow any target name.
+        * If newqname != NULL we also need to extract the newqname.
+        */
+       if (chainingp == NULL && view->denyanswernames == NULL)
                return (ISC_TRUE);
 
        result = dns_rdataset_first(rdataset);
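Review bot: The comment added above the early return refers to `newqname`, but the parameter introduced in the previous hunk is `chainingp`, so the comment does not describe the code it sits on. Suggest `* If chainingp != NULL we must still examine the target so that *chainingp can be set.`, which matches the assignment made later in this function. The function also still has no header comment for the new out-parameter; a one-line note that `*chainingp` is set to ISC_TRUE only once the CNAME/DNAME target has been processed, and is left unchanged on the early returns, would help the callers in answer_response. is_answertarget_allowed begins in the previous hunk and continues past this one.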
@@ -6201,7 +6204,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
                dns_name_split(qname, nlabels, &prefix, NULL);
                result = dns_name_concatenate(&prefix, &dname.dname, tname,
                                              NULL);
-               if (result == ISC_R_NOSPACE)
+               if (result == DNS_R_NAMETOOLONG)
                        return (ISC_TRUE);
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
                break;
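Review bot: The early `return (ISC_TRUE)` on DNS_R_NAMETOOLONG leaves the switch before the `*chainingp = ISC_TRUE` assignment added later in this function, so when answer_response passes `&chaining` for the DNAME case an over-long synthesized target is no longer recorded as chaining, whereas before this commit answer_response set `chaining = ISC_TRUE` unconditionally after handling the DNAME. Unless that difference is intended, set the flag before returning: `if (result == DNS_R_NAMETOOLONG) { if (chainingp != NULL) *chainingp = ISC_TRUE; return (ISC_TRUE); }`. The enclosing switch and the rest of is_answertarget_allowed lie outside this hunk.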
@@ -6209,6 +6212,12 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
                INSIST(0);
        }
 
+       if (chainingp != NULL)
+               *chainingp = ISC_TRUE;
+
+       if (view->denyanswernames == NULL)
+               return (ISC_TRUE);
+
        /*
         * If the owner name matches one in the exclusion list, either exactly
         * or partially, allow it.
@@ -6902,7 +6911,7 @@ answer_response(fetchctx_t *fctx) {
                        if ((rdataset->type == dns_rdatatype_cname ||
                             rdataset->type == dns_rdatatype_dname) &&
                             !is_answertarget_allowed(fctx, qname, aname,
-                                                     rdataset))
+                                                     rdataset, NULL))
                        {
                                return (DNS_R_SERVFAIL);
                        }
@@ -6925,7 +6934,9 @@ answer_response(fetchctx_t *fctx) {
                }
                if ((ardataset->type == dns_rdatatype_cname ||
                     ardataset->type == dns_rdatatype_dname) &&
-                    !is_answertarget_allowed(fctx, qname, aname, ardataset)) {
+                    !is_answertarget_allowed(fctx, qname, aname, ardataset,
+                                             NULL))
+               {
                        return (DNS_R_SERVFAIL);
                }
                aname->attributes |= DNS_NAMEATTR_CACHE;
@@ -6960,7 +6971,9 @@ answer_response(fetchctx_t *fctx) {
                        log_formerr(fctx, "CNAME response for %s RR", buf);
                        return (DNS_R_FORMERR);
                }
-               if (!is_answertarget_allowed(fctx, qname, cname, crdataset)) {
+               if (!is_answertarget_allowed(fctx, qname, cname, crdataset,
+                                            NULL))
+               {
                        return (DNS_R_SERVFAIL);
                }
                cname->attributes |= DNS_NAMEATTR_CACHE;
@@ -6992,7 +7005,8 @@ answer_response(fetchctx_t *fctx) {
                if (!validinanswer(drdataset, fctx)) {
                        return (DNS_R_FORMERR);
                }
-               if (!is_answertarget_allowed(fctx, qname, dname, drdataset)) {
+               if (!is_answertarget_allowed(fctx, qname, dname, drdataset,
+                                            &chaining)) {
                        return (DNS_R_SERVFAIL);
                }
                dname->attributes |= DNS_NAMEATTR_CACHE;
@@ -7019,7 +7033,6 @@ answer_response(fetchctx_t *fctx) {
                        sigrdataset->trust = trust;
                        break;
                }
-               chaining = ISC_TRUE;
        } else {
                log_formerr(fctx, "reply has no answer");
                return (DNS_R_FORMERR);
@@ -7034,13 +7047,7 @@ answer_response(fetchctx_t *fctx) {
         * Did chaining end before we got the final answer?
         */
        if (chaining) {
-               /*
-                * Yes.  This may be a negative reply, so hand off
-                * authority section processing to the noanswer code.
-                * If it isn't a noanswer response, no harm will be
-                * done.
-                */
-               return (noanswer_response(fctx, qname, 0));
+               return (ISC_R_SUCCESS);
        }
 
        /*
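Review bot: The replacement `return (ISC_R_SUCCESS);` drops the comment that explained why the authority section was handed to noanswer_response and leaves no explanation of why that hand-off is now skipped, which is the substance of this fix. Suggest a comment above the return, e.g. `/* Yes.  Stop here with success: handing the authority section to noanswer_response mishandled a CNAME to a referral below the current domain [RT #44850]. */`. Whether any authority-section checks that noanswer_response performed on a chaining reply are still needed at this point is not visible from the hunk; if they are deliberately not needed, say so in the same comment. answer_response continues after this hunk.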
diff --git a/version b/version
index e394b22aed09735ec29157794e2aab7f6ab08a50..1964d308efd252f317d4ddf9d62bdce2cb27354f 100644 (file)
--- a/version
+++ b/version
@@ -7,5 +7,5 @@ MAJORVER=9
 MINORVER=10
 PATCHVER=4
 RELEASETYPE=-P
-RELEASEVER=7
+RELEASEVER=8
 EXTENSIONS=