section even when filter-aaaa-on-v4 was in use.
[RT #27292]
unit/atf-src/test-programs/c_helpers
unit/atf-src/test-programs/cpp_helpers
unit/atf-src/test-programs/sh_helpers
+bin/named/named
.libs
-named
named-symtbl.c
lwresd
render_opts = 0;
else
render_opts = DNS_MESSAGERENDER_OMITDNSSEC;
+
+ preferred_glue = 0;
+ if (client->view != NULL) {
+ if (client->view->preferred_glue == dns_rdatatype_a)
+ preferred_glue = DNS_MESSAGERENDER_PREFER_A;
+ else if (client->view->preferred_glue == dns_rdatatype_aaaa)
+ preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
+ }
+
#ifdef ALLOW_FILTER_AAAA_ON_V4
/*
* filter-aaaa-on-v4 yes or break-dnssec option to suppress
* that we have both AAAA and A records,
* and that we either have no signatures that the client wants
* or we are supposed to break DNSSEC.
+ *
+ * Override preferred glue if necessary.
*/
- if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0)
+ if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0) {
render_opts |= DNS_MESSAGERENDER_FILTER_AAAA;
-#endif
- preferred_glue = 0;
- if (client->view != NULL) {
- if (client->view->preferred_glue == dns_rdatatype_a)
+ if (preferred_glue == DNS_MESSAGERENDER_PREFER_AAAA)
preferred_glue = DNS_MESSAGERENDER_PREFER_A;
- else if (client->view->preferred_glue == dns_rdatatype_aaaa)
- preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
}
+#endif
/*
* XXXRTH The following doesn't deal with TCP buffer resizing.
client->recursionquota = NULL;
client->interface = NULL;
client->peeraddr_valid = ISC_FALSE;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ client->filter_aaaa = dns_v4_aaaa_ok;
+#endif
ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
NS_EVENT_CLIENTCONTROL, client_start, client, client,
NULL, NULL);
isc_netaddr_t destaddr;
struct in6_pktinfo pktinfo;
isc_event_t ctlevent;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ dns_v4_aaaa_t filter_aaaa;
+#endif
/*%
* Information about recent FORMERR response(s), for
* FORMERR loop avoidance. This is separate for each
}
if (qtype == dns_rdatatype_a) {
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ isc_boolean_t have_a = ISC_FALSE;
+#endif
+
/*
* We now go looking for A and AAAA records, along with
* their signatures.
}
if (result == ISC_R_SUCCESS) {
mname = NULL;
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ have_a = ISC_TRUE;
+#endif
if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) {
if (mname != NULL) {
}
if (result == ISC_R_SUCCESS) {
mname = NULL;
+ /*
+ * There's an A; check whether we're filtering AAAA
+ */
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ if (have_a &&
+ (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
+ (client->filter_aaaa == dns_v4_aaaa_filter &&
+ (!WANTDNSSEC(client) || sigrdataset == NULL ||
+ !dns_rdataset_isassociated(sigrdataset)))))
+ goto addname;
+#endif
if (!query_isduplicate(client, fname,
dns_rdatatype_aaaa, &mname)) {
if (mname != NULL) {
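Review bot: The AAAA-suppression predicate added before `goto addname` is repeated term for term in the later hunk that begins `if (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||`, so the two policy checks can drift apart if only one is edited later. A small static helper, as sketched below, would keep the "withhold AAAA from this client" decision in one place, with both sites calling it. The new comment "There's an A; check whether we're filtering AAAA" also sits outside the `#ifdef`, so builds without ALLOW_FILTER_AAAA_ON_V4 keep a comment that describes no code; it belongs inside the guard. The enclosing function and the `addname` label are outside this hunk, so the cleanup of `rdataset`/`sigrdataset` on the skipped path could not be checked from here.

```c
#ifdef ALLOW_FILTER_AAAA_ON_V4
/* True when an AAAA rdataset must be withheld from this client. */
static isc_boolean_t
query_filter_aaaa(ns_client_t *client, dns_rdataset_t *sigrdataset) {
	if (client->filter_aaaa == dns_v4_aaaa_break_dnssec)
		return (ISC_TRUE);
	if (client->filter_aaaa != dns_v4_aaaa_filter)
		return (ISC_FALSE);
	if (!WANTDNSSEC(client) || sigrdataset == NULL ||
	    !dns_rdataset_isassociated(sigrdataset))
		return (ISC_TRUE);
	return (ISC_FALSE);
}
#endif

/* ... unchanged: AAAA lookup ... */
#ifdef ALLOW_FILTER_AAAA_ON_V4
			/* There's an A; check whether we're filtering AAAA */
			if (have_a && query_filter_aaaa(client, sigrdataset))
				goto addname;
#endif
```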
need_wildcardproof = ISC_TRUE;
}
+#ifdef ALLOW_FILTER_AAAA_ON_V4
+ if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
+ is_v4_client(client) &&
+ ns_client_checkaclsilent(client, NULL,
+ client->view->v4_aaaa_acl,
+ ISC_TRUE) == ISC_R_SUCCESS)
+ client->filter_aaaa = client->view->v4_aaaa;
+ else
+ client->filter_aaaa = dns_v4_aaaa_ok;
+
+#endif
+
if (type == dns_rdatatype_any) {
#ifdef ALLOW_FILTER_AAAA_ON_V4
- isc_boolean_t have_aaaa, have_a, have_sig, filter_aaaa;
+ isc_boolean_t have_aaaa, have_a, have_sig;
/*
* The filter-aaaa-on-v4 option should
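Review bot: `client->filter_aaaa` now caches an ACL decision on the client structure, but the visible code sets it only at this point and once in the client initialisation hunk (`client->filter_aaaa = dns_v4_aaaa_ok;`). If client objects are reused across requests, which these hunks do not show, any path that reads the field before reaching this assignment would apply the previous requester's filtering decision. Resetting it to `dns_v4_aaaa_ok` in the per-request reset path would make that impossible. This block also dereferences `client->view` unconditionally, while the rendering hunk in the same commit guards with `if (client->view != NULL)`; a short comment stating why the view cannot be NULL here would help. The enclosing function starts and ends outside the hunk.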
have_aaaa = ISC_FALSE;
have_a = !authoritative;
have_sig = ISC_FALSE;
- if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
- is_v4_client(client) &&
- ns_client_checkaclsilent(client, NULL,
- client->view->v4_aaaa_acl,
- ISC_TRUE) == ISC_R_SUCCESS)
- filter_aaaa = ISC_TRUE;
- else
- filter_aaaa = ISC_FALSE;
#endif
/*
* XXXRTH Need to handle zonecuts with special case
* Notice the presence of A and AAAAs so
* that AAAAs can be hidden from IPv4 clients.
*/
- if (filter_aaaa) {
+ if (client->filter_aaaa != dns_v4_aaaa_ok) {
if (rdataset->type == dns_rdatatype_aaaa)
have_aaaa = ISC_TRUE;
else if (rdataset->type == dns_rdatatype_a)
* Filter AAAAs if there is an A and there is no signature
* or we are supposed to break DNSSEC.
*/
- if (filter_aaaa && have_aaaa && have_a &&
- (!have_sig || !WANTDNSSEC(client) ||
- client->view->v4_aaaa == dns_v4_aaaa_break_dnssec))
+ if (client->filter_aaaa == dns_v4_aaaa_break_dnssec)
client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
+ else if (client->filter_aaaa != dns_v4_aaaa_ok &&
+ have_aaaa && have_a &&
+ (!have_sig || !WANTDNSSEC(client)))
+ client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
#endif
if (fname != NULL)
dns_message_puttempname(client->message, &fname);
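Review bot: The new `break-dnssec` branch sets NS_CLIENTATTR_FILTER_AAAA without the `have_aaaa && have_a` test that the removed condition applied in every mode, and the comment above still says "Filter AAAAs if there is an A". Unless the render path checks for an A record itself (not visible here), an IPv4 client asking about a name that has only AAAA records would get them stripped in break-dnssec mode. Keeping the presence test for both modes would preserve the old guarantee, e.g. `if (client->filter_aaaa != dns_v4_aaaa_ok && have_aaaa && have_a && (client->filter_aaaa == dns_v4_aaaa_break_dnssec || !have_sig || !WANTDNSSEC(client)))`. If the unconditional behaviour is intended, the comment should say so. The enclosing block starts outside the hunk.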
* so fundamentally wrong, unavoidably inaccurate, and
* unneeded that it is best to keep it as short as possible.
*/
- if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
- is_v4_client(client) &&
- ns_client_checkaclsilent(client, NULL,
- client->view->v4_aaaa_acl,
- ISC_TRUE) == ISC_R_SUCCESS &&
- (!WANTDNSSEC(client) ||
- sigrdataset == NULL ||
- !dns_rdataset_isassociated(sigrdataset) ||
- client->view->v4_aaaa == dns_v4_aaaa_break_dnssec)) {
+ if (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
+ (client->filter_aaaa == dns_v4_aaaa_filter &&
+ (!WANTDNSSEC(client) || sigrdataset == NULL ||
+ !dns_rdataset_isassociated(sigrdataset))))
+ {
if (qtype == dns_rdatatype_aaaa) {
trdataset = query_newrdataset(client);
result = dns_db_findrdataset(db, node, version,
@ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
@ NS ns.utld
ns.utld A 10.53.0.1
+ns.utld AAAA fd92:7065:b8e:ffff::1
;
signed NS ns.utld
unsigned NS ns.utld
$TTL 120
@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
+@ MX 0 mx
a-only NS 1.0.0.1
aaaa-only AAAA 2001:db8::2
dual A 1.0.0.3
dual AAAA 2001:db8::3
+mx A 1.0.0.3
+mx AAAA 2001:db8::3
+
$TTL 120
@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
+@ MX 0 mx
a-only NS 1.0.0.4
aaaa-only AAAA 2001:db8::5
dual A 1.0.0.6
dual AAAA 2001:db8::6
+mx A 1.0.0.3
+mx AAAA 2001:db8::3
+
@ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
@ NS ns.utld
ns.utld A 10.53.0.1
+ns.utld AAAA fd92:7065:b8e:ffff::1
;
signed NS ns.utld
unsigned NS ns.utld
$TTL 120
@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
+@ MX 0 mx
a-only NS 1.0.0.1
aaaa-only AAAA 2001:db8::2
dual A 1.0.0.3
dual AAAA 2001:db8::3
+mx A 1.0.0.3
+mx AAAA 2001:db8::3
+
aaaa-only AAAA 2001:db8::5
dual A 1.0.0.6
dual AAAA 2001:db8::6
+mx A 1.0.0.3
+mx AAAA 2001:db8::3
+
echo "I: skipped."
fi
+n=`expr $n + 1`
+echo "I:checking that AAAA is omitted from additional section, qtype=NS ($n)"
+ret=0
+$DIG $DIGOPTS +add ns unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is included in additional section, qtype=MX, signed ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6 ($n)"
+if $TESTSOCK6 fd92:7065:b8e:ffff::1
+then
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+else
+echo "I: skipped."
+fi
+
+
#
# Authoritative tests against:
# filter-aaaa-on-v4 break-dnssec;
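Review bot: The "AAAA is omitted ... qtype=MX" checks assert only the absence of a line (`grep "^mx.unsigned.*AAAA" ... && ret=1`), so they also pass when the response carries no additional data at all or comes back with an error rcode. The qtype=NS checks avoid this by also requiring `ADDITIONAL: 2`. Add a positive assertion to each MX omission test, for example `grep "status: NOERROR" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1` (assuming $DIGOPTS keeps the header comments, as the `ADDITIONAL: 2` grep suggests), plus a match for the `mx` A record. The same applies to the MX omission tests added against 10.53.0.4, 10.53.0.2 and 10.53.0.3 in the later hunks.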
echo "I: skipped."
fi
+n=`expr $n + 1`
+echo "I:checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add ns unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6, with break-dnssec ($n)"
+if $TESTSOCK6 fd92:7065:b8e:ffff::4
+then
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+else
+echo "I: skipped."
+fi
+
+
#
# Recursive tests against:
# filter-aaaa-on-v4 yes;
echo "I: skipped."
fi
+n=`expr $n + 1`
+echo "I:checking that AAAA is omitted from additional section, qtype=NS ($n)"
+ret=0
+$DIG $DIGOPTS +add ns unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is included in additional section, qtype=MX, signed ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6 ($n)"
+if $TESTSOCK6 fd92:7065:b8e:ffff::2
+then
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+else
+echo "I: skipped."
+fi
+
+
#
# Recursive tests against:
# filter-aaaa-on-v4 break-dnssec;
echo "I: skipped."
fi
+n=`expr $n + 1`
+echo "I:checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add ns unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)"
+ret=0
+$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6, recursive with break-dnssec ($n)"
+if $TESTSOCK6 fd92:7065:b8e:ffff::3
+then
+ret=0
+$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
+grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+else
+echo "I: skipped."
+fi
+
echo "I:exit status: $status"
exit $status