Don't synthesize NXDOMAIN from NSEC for records under a DNAME
authorWitold Kręcicki <wpk@isc.org>
Thu, 5 Jul 2018 10:58:49 +0000 (12:58 +0200)
committerWitold Krecicki <wpk@isc.org>
Tue, 10 Jul 2018 07:20:21 +0000 (03:20 -0400)
CHANGES
bin/tests/system/synthfromdnssec/clean.sh
bin/tests/system/synthfromdnssec/ns1/dnamed.db.in [new file with mode: 0644]
bin/tests/system/synthfromdnssec/ns1/example.db.in
bin/tests/system/synthfromdnssec/ns1/named.conf.in
bin/tests/system/synthfromdnssec/ns1/root.db.in
bin/tests/system/synthfromdnssec/ns1/sign.sh
bin/tests/system/synthfromdnssec/tests.sh
lib/dns/nsec.c
util/copyrights

diff --git a/CHANGES b/CHANGES
index 09b101ea5e7ca530dcccee7698f6a1deb272f8c4..f528315d10f5fdfea5ccac751df2575359f90a98 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4988.  [bug]           Don't synthesize NXDOMAIN from NSEC for records under
+                       a DNAME.
+
        --- 9.13.2 released ---
 
 4987.  [cleanup]       dns_rdataslab_tordataset() and its related
index 1e6e164c1207e9612da267390bf3395c93563f43..705820ab1881c9456223e3b262ae6f3a7c726090 100644 (file)
@@ -16,6 +16,8 @@ rm -f ns1/K*+*+*.private
 rm -f ns1/dsset-*
 rm -f ns1/example.db
 rm -f ns1/example.db.signed
+rm -f ns1/dnamed.db
+rm -f ns1/dnamed.db.signed
 rm -f ns1/root.db
 rm -f ns1/root.db.signed
 rm -f ns1/trusted.conf
diff --git a/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in
new file mode 100644 (file)
index 0000000..659403a
--- /dev/null
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@              SOA     ns1 hostmaster 1 3600 1200 604800 3600
+@              NS      ns1
+ns1            A       10.53.0.1
+a              A       10.53.0.1
index 87069cb82a0ad5a132e70e659228972f18522ae8..5300256590b21e5c103498f8b9699ea51e094a06 100644 (file)
@@ -14,3 +14,4 @@ ns1           A       10.53.0.1
 nodata         TXT     nodata
 *.wild-a       A       1.2.3.4
 *.wild-cname   CNAME   ns1
+dnamed         DNAME   dnamed.
index 6b7c575f1e259778527367b8c0f8e99437b0b76d..650cc30f08b444e0f88333b03fe2d3557948e097 100644 (file)
@@ -35,4 +35,9 @@ zone "example" {
        file "example.db.signed";
 };
 
+zone "dnamed" {
+       type master;
+       file "dnamed.db.signed";
+};
+
 include "trusted.conf";
index 8c05adf6a8c9a934ba8fe25573887c861c85ea00..f396106fdb9a757964124abdf35dcbf3a1850806 100644 (file)
@@ -13,3 +13,5 @@ $TTL 3600
 ns1            A       10.53.0.1
 example                NS      ns1.example
 ns1.example    A       10.53.0.1
+dnamed         NS      ns1.dnamed
+ns1.dnamed     A       10.53.0.1
index b82ed7b5bbdf37d2ceb51575e73d98c27eaf08c1..7444b740e6d8daec346757f47cad62be9f7f9c59 100644 (file)
@@ -21,6 +21,15 @@ cat $infile $keyname.key > $zonefile
 
 $SIGNER -P -o $zone $zonefile > /dev/null
 
+zone=dnamed
+infile=dnamed.db.in
+zonefile=dnamed.db
+
+keyname=`$KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone`
+cat $infile $keyname.key > $zonefile
+
+$SIGNER -P -o $zone $zonefile > /dev/null
+
 zone=.
 infile=root.db.in
 zonefile=root.db
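Review bot: The added dnamed block does not check that `$KEYGEN` or `$SIGNER` succeeded. If key generation fails, `keyname` is empty and `cat $infile $keyname.key` tries to read a file literally named `.key`, while the signer's output is sent to /dev/null. Unless the script sets `-e` outside this hunk, adding `[ -n "$keyname" ] || exit 1` after the keygen line and `|| exit 1` on the `$SIGNER` line would make a broken setup fail where it breaks, rather than later as a zone-load or validation error in the test. This also looks like a third copy of the same key-and-sign sequence (the example block ends just above, the root block starts just below), so a small helper taking zone, infile and zonefile, written with `$(...)` and quoted expansions, would remove the duplication.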
index dc9e34f5e9f3e97b8e757e529fc236aba4220abb..4294cc13b390d5e97adc24f9575096ddc3f6f739 100644 (file)
@@ -182,5 +182,15 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+
+echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)"
+ret=0
+$DIG $DIGOPTS dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1
+$DIG $DIGOPTS a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+grep "status: NOERROR," dig.out.ns5-1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
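Review bot: The new DNAME check asserts only `status: NOERROR,` on the second query, so a NOERROR response with an empty or unexpected answer section would still pass. The zone data added in this commit gives `a.dnamed.` the address 10.53.0.1, so the test could also require it with `grep "10\.53\.0\.1" dig.out.ns5-1.test$n > /dev/null || ret=1`, assuming DIGOPTS keeps the answer section in the output. The first dig's output in `dig.out.ns5.test$n` is never inspected; it appears to exist only to get the NSEC at dnamed.example into the resolver's cache before the second query. A comment such as `# prime the cache with the NSEC at dnamed.example; the next query must not be answered from it` would record that, since the ordering is what makes this a regression test for wrongly synthesized denial.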
index bbf23f3a1ad8e705d775a429249a559175d15673..991391b7a6f6bfb702a8c9af1f5d2ead5f85c635 100644 (file)
@@ -374,12 +374,14 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
        }
 
        if (relation == dns_namereln_subdomain &&
-           dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
+           (dns_nsec_typepresent(&rdata, dns_rdatatype_dname) ||
+            dns_nsec_typepresent(&rdata, dns_rdatatype_ns)) &&
            !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
        {
                /*
                 * This NSEC record is from somewhere higher in
-                * the DNS, and at the parent of a delegation.
+                * the DNS, and at the parent of a delegation or
+                * at a DNAME.
                 * It can not be legitimately used here.
                 */
                (*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
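Review bot: The `!dns_nsec_typepresent(&rdata, dns_rdatatype_soa)` exemption now applies to the DNAME alternative as well as to NS, so an NSEC at a zone apex with both the DNAME and SOA bits set is not ignored by this branch for a name below it. The SOA test is what tells a delegation point from an apex in the NS case, but a DNAME redirects everything beneath its owner whether or not that owner is an apex. Unless the apex case is handled in the part of dns_nsec_noexistnodata() outside this hunk, the condition may need to be `dns_nsec_typepresent(&rdata, dns_rdatatype_dname) || (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) && !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))`. The test zone added in this commit only places the DNAME at a non-apex name, so that case is not exercised. The debug message `"ignoring parent nsec"` is also now logged for the DNAME case; separate text such as `"ignoring nsec at dname"` would keep resolver logs unambiguous when diagnosing synthesized negative answers.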
index 990fc8cb53c6168d2216363f0bd32f19108ab3c9..acb60baa4625d81ca396de01d4b9041fbaa76c48 100644 (file)
 ./bin/tests/system/stub/setup.sh               SH      2018
 ./bin/tests/system/stub/tests.sh               SH      2000,2001,2004,2007,2011,2012,2013,2016,2018
 ./bin/tests/system/synthfromdnssec/clean.sh    SH      2017,2018
+./bin/tests/system/synthfromdnssec/ns1/dnamed.db.in    ZONE    2018
 ./bin/tests/system/synthfromdnssec/ns1/example.db.in   ZONE    2017,2018
 ./bin/tests/system/synthfromdnssec/ns1/named.conf.in   CONF-C  2017,2018
 ./bin/tests/system/synthfromdnssec/ns1/root.db.in      ZONE    2017,2018