3942. [bug] Wildcard responses from a optout range should be
authorMark Andrews <marka@isc.org>
Thu, 4 Sep 2014 03:57:50 +0000 (13:57 +1000)
committerMark Andrews <marka@isc.org>
Thu, 4 Sep 2014 03:58:15 +0000 (13:58 +1000)
                        marked as insecure. [RT #37072]

CHANGES
bin/tests/system/dnssec/tests.sh
lib/dns/nsec3.c
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index 65514c9bc01e58b5c128f034f7059a751e457fe7..5e7fc3adf87b15fac0140908bc0b85ddc4119ba7 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3942.  [bug]           Wildcard responses from a optout range should be
+                       marked as insecure. [RT #37072]
+
 3941.  [doc]           Include the BIND version number in the ARM. [RT #37067]
 
        --- 9.10.1rc1 released ---
index 1ce30187cff0baa7581a221a767d69f4df2657cc..89f67a14a65869b79f30ca189efbe04f271dca69 100644 (file)
@@ -271,7 +271,7 @@ $DIG $DIGOPTS a.wild.optout.example. \
 stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n
 stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n
 $PERL ../digcomp.pl dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
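Review bot: The inverted AD check `grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1` has no comment saying why this wildcard answer must now come back without AD, so a later reader could take the `&&` for a typo and flip it back. A line above it such as `# wildcard answer from an opt-out range must be insecure: no AD flag` would pin the intent. A negative grep also passes when the flags line is missing altogether; the `status: NOERROR` check on the next line covers an empty or failed dig output, so the two checks should stay together. The test's description line lies outside the hunk and may still describe the old expectation.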
index 619cb4e346e016056745d963e44a341822c70390..075fe32567ec4eadc2be662f5e940fed6c77696d 100644 (file)
@@ -2071,6 +2071,9 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name,
                                if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0)
                                        (*logit)(arg, ISC_LOG_DEBUG(3),
                                                 "NSEC3 indicates optout");
+                               else
+                                       (*logit)(arg, ISC_LOG_DEBUG(3),
+                                                "NSEC3 indicates secure range");
                                *optout =
                                    ISC_TF(nsec3.flags & DNS_NSEC3FLAG_OPTOUT);
                        }
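Review bot: The new `else` leaves two unbraced multi-line calls that differ only in the message, and `nsec3.flags & DNS_NSEC3FLAG_OPTOUT` is still tested a second time for the `*optout` assignment just below. Assigning `*optout` first and logging once keeps the log and the value the validator consumes from drifting apart: `(*logit)(arg, ISC_LOG_DEBUG(3), *optout ? "NSEC3 indicates optout" : "NSEC3 indicates secure range");`. If the two-branch form is kept, bracing both branches would make the extent of each call obvious. The enclosing block starts outside the hunk, so this assumes nothing between the log and the assignment depends on their order.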
index 6e09762f60ef9d9754dfd838efc8fe46fb55eb80..f4cc3a91eb07f36298a0356da0a3a2e2cfee81e6 100644 (file)
@@ -2807,7 +2807,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
        if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
                if (!FOUNDNOQNAME(val))
                        findnsec3proofs(val);
-               if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val)) {
+               if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val)) {
                        validator_log(val, ISC_LOG_DEBUG(3),
                                      "marking as secure, noqname proof found");
                        marksecure(val->event);
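Review bot: The added `!FOUNDOPTOUT(val)` term is the whole fix, yet the condition carries no comment explaining why an opt-out proof must not lead to `marksecure()`. Something like `/* An opt-out NSEC3 span may hide unsigned delegations, so it cannot prove the qname is absent; the wildcard answer must not be marked secure. */` above the `if` would keep the guard from being dropped in a later cleanup. What happens to an opt-out response after this `if` is not visible here, since nsecvalidate() continues past the hunk. Presumably a later branch returns it as insecure; that path should emit its own debug message so the trace does not simply go quiet. The rewritten condition line also appears to run past 80 columns and could be wrapped after the second `&&`.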