3040. [bug] Named failed to validate insecure zones where a node
authorMark Andrews <marka@isc.org>
Wed, 23 Feb 2011 13:15:39 +0000 (13:15 +0000)
committerMark Andrews <marka@isc.org>
Wed, 23 Feb 2011 13:15:39 +0000 (13:15 +0000)
                        with a CNAME existed between the trust anchor and the
                        top of the zone. [RT #23338]

CHANGES
bin/tests/system/dnssec/ns2/example.db.in
bin/tests/system/dnssec/ns2/sign.sh
bin/tests/system/dnssec/ns3/insecure.below-cname.example.db [new file with mode: 0644]
bin/tests/system/dnssec/ns3/named.conf
bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in [new file with mode: 0644]
bin/tests/system/dnssec/ns3/sign.sh
bin/tests/system/dnssec/tests.sh
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index ea951893c239692ee35976bc28d501aee8a86250..5b92ef7120c6ff74f861434ce2ba29004331a0e1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
-2037.  [doc]           Update COPYRIGHT to contain all the individual
+3040.  [bug]           Named failed to validate insecure zones where a node
+                       with a CNAME existed between the trust anchor and the
+                       top of the zone. [RT #23338]
+
+3037.  [doc]           Update COPYRIGHT to contain all the individual
                        copyright notices that cover various parts.
 
 3014.  [bug]           Fix the zonechecks system test to match expected
index 9c13cac761997577e205f36c6c8d22c876c69a49..4cd0d8f5c910b4d610d273eaf9ab585ba12ab862 100644 (file)
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db.in,v 1.13.18.4 2009/12/30 23:46:03 tbox Exp $
+; $Id: example.db.in,v 1.13.18.5 2011/02/23 13:15:38 marka Exp $
 
 $TTL 300       ; 5 minutes
 @                      IN SOA  mname1. . (
@@ -83,3 +83,11 @@ keyless                      NS      ns.keyless
 ns.keyless             A       10.53.0.3
 
 *.wild                 A       10.0.0.27
+
+below-cname            CNAME   some.where.else.
+
+insecure.below-cname   NS      ns.insecure.below-cname
+ns.insecure.below-cname        A       10.53.0.3
+
+secure.below-cname     NS      ns.secure.below-cname
+ns.secure.below-cname  A       10.53.0.3
index c8fc9af16f6bccafdb24e5b6f33d74c75f87acb5..fcab4352f43fd554c3d0c8e613abc532d19cfe99 100644 (file)
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.24.18.6 2010/11/16 23:45:23 tbox Exp $
+# $Id: sign.sh,v 1.24.18.7 2011/02/23 13:15:38 marka Exp $
 
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -30,7 +30,7 @@ zonefile=example.db
 
 ( cd ../ns3 && sh sign.sh )
 
-for subdomain in secure bogus dynamic keyless
+for subdomain in secure bogus dynamic keyless secure.below-cname
 do
        cp ../ns3/keyset-$subdomain.example. .
 done
diff --git a/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db b/bin/tests/system/dnssec/ns3/insecure.below-cname.example.db
new file mode 100644 (file)
index 0000000..0a60ade
--- /dev/null
@@ -0,0 +1,32 @@
+; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2000, 2001  Internet Software Consortium.
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: insecure.below-cname.example.db,v 1.2.10.2 2011/02/23 13:15:38 marka Exp $
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2000042407 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns
+ns                     A       10.53.0.3
+
+a                      A       10.0.0.1
+b                      A       10.0.0.2
+d                      A       10.0.0.4
+z                      A       10.0.0.26
index e66b1890293a9b8fc435c1770447030d3d978b2b..412c97c80b3f4039f773ca14e57041ddc4efc4b1 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.25.18.4 2006/03/10 00:23:20 marka Exp $ */
+/* $Id: named.conf,v 1.25.18.5 2011/02/23 13:15:38 marka Exp $ */
 
 // NS3
 
@@ -86,4 +86,14 @@ zone "rfc2335.example" {
        file "rfc2335.example.bk";
 };
 
+zone "insecure.below-cname.example" {
+       type master;
+       file "insecure.below-cname.example.db";
+};
+
+zone "secure.below-cname.example" {
+       type master;
+       file "secure.below-cname.example.db.signed";
+};
+
 include "trusted.conf";
diff --git a/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in b/bin/tests/system/dnssec/ns3/secure.below-cname.example.db.in
new file mode 100644 (file)
index 0000000..e01684e
--- /dev/null
@@ -0,0 +1,32 @@
+; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2000, 2001  Internet Software Consortium.
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: secure.below-cname.example.db.in,v 1.2.10.2 2011/02/23 13:15:38 marka Exp $
+
+$TTL 300       ; 5 minutes
+@                      IN SOA  mname1. . (
+                               2000042407 ; serial
+                               20         ; refresh (20 seconds)
+                               20         ; retry (20 seconds)
+                               1814400    ; expire (3 weeks)
+                               3600       ; minimum (1 hour)
+                               )
+                       NS      ns
+ns                     A       10.53.0.3
+
+a                      A       10.0.0.1
+b                      A       10.0.0.2
+d                      A       10.0.0.4
+z                      A       10.0.0.26
index 2a4ca7073a7ddae60f0b2173b0d78035b0b8253f..b9c1a2e3f0fcb94eb1f8a77290e22306184a7f6c 100644 (file)
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sign.sh,v 1.18.18.3 2006/03/06 01:38:00 marka Exp $
+# $Id: sign.sh,v 1.18.18.4 2011/02/23 13:15:39 marka Exp $
 
 RANDFILE=../random.data
 
@@ -66,3 +66,13 @@ mv $zonefile.signed $zonefile.tmp
 <$zonefile.tmp perl -p -e 's/ keyless.example/ b.keyless.example/
     if /^a.b.keyless.example/../NXT/;' >$zonefile.signed
 rm -f $zonefile.tmp
+
+#
+# Secure below cname test zone.
+#
+zone=secure.below-cname.example.
+infile=secure.below-cname.example.db.in
+zonefile=secure.below-cname.example.db
+keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+cat $infile $keyname.key >$zonefile
+$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
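Review bot: The new signing step at the end of the hunk discards dnssec-signzone's output and never checks its exit status, so a failed signing (bad key, unreadable input) leaves no `secure.below-cname.example.db.signed` behind and only surfaces later as a confusing dig failure in tests.sh. This presumably mirrors the earlier invocations in this script, but for a freshly added zone it is cheap to fail loudly: `$SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 || { echo "I:signing $zone failed"; exit 1; }`. The `$KEYGEN` line has the same property: an empty `$keyname` would silently produce an unkeyed zone file that the signer then rejects.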
index 2532185ab4a507ef91f0e339985cbf4b4d607a2c..f5bbc4d8bd7aaddccbf6026529528be34e7538dc 100644 (file)
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.44.18.9 2010/11/16 23:45:23 tbox Exp $
+# $Id: tests.sh,v 1.44.18.10 2011/02/23 13:15:38 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -528,5 +528,24 @@ else
     echo "I:The DNSSEC update test requires the Net::DNS library." >&2
 fi
 
+echo "I:checking that a insecure zone beneath a cname resolves ($n)"
+ret=0
+$DIG $DIGOPTS soa insecure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 1," dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that a secure zone beneath a cname resolves ($n)"
+ret=0
+$DIG $DIGOPTS soa secure.below-cname.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
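Review bot: The insecure-zone test (`insecure.below-cname.example`) checks only for NOERROR and one answer and never asserts that the `ad` flag is absent, so a regression that marks the insecure zone as authenticated — the opposite failure to the one this commit fixes — would pass unnoticed. Add the negative check next to the existing greps: `grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null && ret=1`. The second test already requires `ad` for the secure zone, so the pair would then cover both directions. Minor: the message reads "a insecure zone"; it should be "an insecure zone".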
index bea5301773c28cf6b9b2ebec35f316a0565892ac..f4d75b21027c051867f0d14df4c61061231bbcfb 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.119.18.60 2010/11/16 04:17:44 marka Exp $ */
+/* $Id: validator.c,v 1.119.18.61 2011/02/23 13:15:39 marka Exp $ */
 
 /*! \file */
 
@@ -413,7 +413,8 @@ dsfetched(isc_task_t *task, isc_event_t *event) {
                result = validatezonekey(val);
                if (result != DNS_R_WAIT)
                        validator_done(val, result);
-       } else if (eresult == DNS_R_NXRRSET ||
+       } else if (eresult == DNS_R_CNAME ||
+                  eresult == DNS_R_NXRRSET ||
                   eresult == DNS_R_NCACHENXRRSET ||
                   eresult == DNS_R_SERVFAIL)   /* RFC 1034 parent? */
        {
@@ -481,12 +482,16 @@ dsfetched2(isc_task_t *task, isc_event_t *event) {
        LOCK(&val->lock);
        if (CANCELED(val)) {
                validator_done(val, ISC_R_CANCELED);
-       } else if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) {
+       } else if (eresult == DNS_R_CNAME ||
+                  eresult == DNS_R_NXRRSET ||
+                  eresult == DNS_R_NCACHENXRRSET)
+       {
                /*
                 * There is no DS.  If this is a delegation, we're done.
                 */
                tname = dns_fixedname_name(&devent->foundname);
-               if (isdelegation(tname, &val->frdataset, eresult)) {
+               if (eresult != DNS_R_CNAME &&
+                   isdelegation(tname, &val->frdataset, eresult)) {
                        if (val->mustbesecure) {
                                validator_log(val, ISC_LOG_WARNING,
                                              "must be secure failure");
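Review bot: The new `eresult != DNS_R_CNAME &&` guard in front of `isdelegation()` carries no comment, and the reason it is safe to skip the delegation test is not obvious from the code: on DNS_R_CNAME `val->frdataset` and `foundname` describe the CNAME rather than NS data, and a node owning a CNAME cannot also be a zone cut, so the delegation test would be asked the wrong question. Add above the `if`: `/* DNS_R_CNAME: the node holds a CNAME, so it cannot be a zone cut and isdelegation() would inspect the wrong rdataset; keep walking towards the zone. */`. dsfetched2 begins and continues outside this hunk, so I cannot confirm what the branch after this `if` does with the CNAME case.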
@@ -677,6 +682,60 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
                destroy(val);
 }
 
+/*%
+ * Callback when the CNAME record has been validated.
+ *
+ * Resumes validation of the unsecure zone proof.
+ */
+static void
+cnamevalidated(isc_task_t *task, isc_event_t *event) {
+       dns_validatorevent_t *devent;
+       dns_validator_t *val;
+       isc_boolean_t want_destroy;
+       isc_result_t result;
+       isc_result_t eresult;
+
+       UNUSED(task);
+       INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+       devent = (dns_validatorevent_t *)event;
+       val = devent->ev_arg;
+       eresult = devent->result;
+
+       isc_event_free(&event);
+       dns_validator_destroy(&val->subvalidator);
+
+       INSIST(val->event != NULL);
+       INSIST((val->attributes & VALATTR_INSECURITY) != 0);
+
+       validator_log(val, ISC_LOG_DEBUG(3), "in cnamevalidated");
+       LOCK(&val->lock);
+       if (CANCELED(val)) {
+               validator_done(val, ISC_R_CANCELED);
+       } else if (eresult == ISC_R_SUCCESS) {
+               validator_log(val, ISC_LOG_DEBUG(3), "cname with trust %d",
+                             val->frdataset.trust);
+               result = proveunsecure(val, ISC_FALSE, ISC_TRUE);
+               if (result != DNS_R_WAIT)
+                       validator_done(val, result);
+       } else {
+               if (eresult != DNS_R_BROKENCHAIN) {
+                       if (dns_rdataset_isassociated(&val->frdataset))
+                               dns_rdataset_expire(&val->frdataset);
+                       if (dns_rdataset_isassociated(&val->fsigrdataset))
+                               dns_rdataset_expire(&val->fsigrdataset);
+               }
+               validator_log(val, ISC_LOG_DEBUG(3),
+                             "cnamevalidated: got %s",
+                             isc_result_totext(eresult));
+               validator_done(val, DNS_R_BROKENCHAIN);
+       }
+       want_destroy = exit_check(val);
+       UNLOCK(&val->lock);
+       if (want_destroy)
+               destroy(val);
+}
+
 /*%
  * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
  * or we can determine whether there is data or not at the name.
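Review bot: The header comment on `cnamevalidated` says only that it "resumes validation of the unsecure zone proof" (and should read "insecure"); it leaves out the security property the `else` branch enforces, which is exactly the part a later maintainer is most likely to loosen. Expand it along these lines: the CNAME sits between a trust anchor and the zone being proven insecure, so — as I read proveunsecure() — every label above it has already been proven secure and the CNAME itself must validate; a validation failure therefore ends the proof with DNS_R_BROKENCHAIN instead of letting the walk continue, because accepting an unverifiable CNAME here would let a forged CNAME downgrade a signed zone to insecure. The success branch relies on the sub-validator having raised `val->frdataset.trust` to secure before `proveunsecure()` is re-entered with resume set; a one-line comment there, `/* CNAME is now secure; re-run the walk from this label */`, would make that dependency explicit.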
@@ -1986,11 +2045,12 @@ validatezonekey(dns_validator_t *val) {
                        if (result != ISC_R_SUCCESS)
                                return (result);
                        return (DNS_R_WAIT);
-               } else if (result ==  DNS_R_NCACHENXDOMAIN ||
+               } else if (result == DNS_R_NCACHENXDOMAIN ||
                           result == DNS_R_NCACHENXRRSET ||
                           result == DNS_R_EMPTYNAME ||
                           result == DNS_R_NXDOMAIN ||
-                          result == DNS_R_NXRRSET)
+                          result == DNS_R_NXRRSET ||
+                          result == DNS_R_CNAME)
                {
                        /*
                         * The DS does not exist.
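Review bot: The comment `The DS does not exist.` directly below the widened condition no longer describes the newly added `DNS_R_CNAME` case, where the cache holds a CNAME at the name rather than a DS. Reword it to cover both: `/* No DS here, or a CNAME occupies the name (so no DS can exist at it); fall back to proving the zone insecure. */`. What follows the comment is outside the hunk, so I am assuming from the grouping with NXRRSET/NXDOMAIN that the branch hands off to proveunsecure(); if that branch also assumes a delegation point exists at `tname`, the CNAME case needs separate handling.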
@@ -3087,6 +3147,20 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
                                return (startfinddlvsep(val, tname));
                        }
                        continue;
+               } else if (result == DNS_R_CNAME) {
+                       if (DNS_TRUST_PENDING(val->frdataset.trust) ||
+                           DNS_TRUST_ANSWER(val->frdataset.trust)) {
+                               result = create_validator(val, tname,
+                                                         dns_rdatatype_cname,
+                                                         &val->frdataset,
+                                                         NULL, cnamevalidated,
+                                                         "proveunsecure "
+                                                         "(cname)");
+                               if (result != ISC_R_SUCCESS)
+                                       goto out;
+                               return (DNS_R_WAIT);
+                       }
+                       continue;
                } else if (result == ISC_R_SUCCESS) {
                        /*
                         * There is a DS here.  Verify that it's secure and
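Review bot: In the new `DNS_R_CNAME` branch, a cached CNAME whose trust is neither pending/answer nor secure falls through to `continue` and is accepted without validation, since only DNS_TRUST_PENDING and DNS_TRUST_ANSWER start a sub-validator. If other trust levels (glue or additional-section data, for instance) can reach this point, the walk would step past an unvalidated CNAME; the DS branch that starts at the end of this hunk, as I read it, rejects an unsigned DS explicitly rather than continuing. Unless those levels are provably unreachable here, add before `continue`: `if (val->frdataset.trust < dns_trust_secure) { result = DNS_R_BROKENCHAIN; goto out; }` (the `out` label is outside the hunk). proveunsecure() begins and ends outside this hunk.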