2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
authorEvan Hunt <each@isc.org>
Wed, 30 Dec 2009 06:44:22 +0000 (06:44 +0000)
committerEvan Hunt <each@isc.org>
Wed, 30 Dec 2009 06:44:22 +0000 (06:44 +0000)
CHANGES
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index 3e3ee993d356888020c5a29f3724f9b7c9d368da..7948461d08ec9a970ea0ebf82dc167849ada5d56 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2827.  [security]      Bogus NXDOMAIN could be cached as if valid. [RT #20712]
+
 2819.  [cleanup]       Removed unnecessary DNS_POINTER_MAXHOPS define
                        [RT #20771]
 
index a179b5eed135b7d8abb3154bb4f946439ab281ef..f027e6a1bd6808542e4b851e506deb0d059f0a78 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.155.52.15 2009/11/18 00:09:00 marka Exp $ */
+/* $Id: validator.c,v 1.155.52.16 2009/12/30 06:44:22 each Exp $ */
 
 #include <config.h>
 
@@ -2597,20 +2597,20 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
        if (val->havedlvsep)
                dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
        else {
+               unsigned int labels;
                dns_name_copy(val->event->name, secroot, NULL);
                /*
                 * If this is a response to a DS query, we need to look in
                 * the parent zone for the trust anchor.
                 */
-               if (val->event->type == dns_rdatatype_ds &&
-                   dns_name_countlabels(secroot) > 1U)
-                       dns_name_split(secroot, 1, NULL, secroot);
+
+               labels = dns_name_countlabels(secroot);
+               if (val->event->type == dns_rdatatype_ds && labels > 1U)
+                       dns_name_getlabelsequence(secroot, 1, labels - 1,
+                                                 secroot);
                result = dns_keytable_finddeepestmatch(val->keytable,
                                                       secroot, secroot);
-
                if (result == ISC_R_NOTFOUND) {
-                       validator_log(val, ISC_LOG_DEBUG(3),
-                                     "not beneath secure root");
                        if (val->mustbesecure) {
                                validator_log(val, ISC_LOG_WARNING,
                                              "must be secure failure");
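Review bot: The ISC_R_NOTFOUND branch now logs nothing unless `mustbesecure` is set, because the `"not beneath secure root"` debug message is dropped together with the old split code, so an operator tracing why a DS response was treated as insecure loses the only hint at this decision; unless the removal was deliberate to cut noise, keep `validator_log(val, ISC_LOG_DEBUG(3), "not beneath secure root");` as the first statement of that `if`. The new `dns_name_getlabelsequence(secroot, 1, labels - 1, secroot)` also deserves a word on why it replaces `dns_name_split(secroot, 1, NULL, secroot)`: the split form appears to have kept only the trailing label rather than the parent name, which reads as the cause of the wrong trust-anchor lookup the commit title describes, e.g. `/* Drop the leftmost label to reach the parent zone; dns_name_split(..., 1, ...) kept only the last label. */` above the call. Both the old and new calls pass secroot as source and target, which presumably dns_name_getlabelsequence tolerates as dns_name_split did, but that is worth confirming against name.c. proveunsecure() begins and ends outside this hunk.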