2579. [bug] DNSSEC lookaside validation failed to handle unknown
authorMark Andrews <marka@isc.org>
Tue, 17 Mar 2009 01:32:04 +0000 (01:32 +0000)
committerMark Andrews <marka@isc.org>
Tue, 17 Mar 2009 01:32:04 +0000 (01:32 +0000)
                        algorithms. [RT #19479]

CHANGES
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index 2066d1a6dcabdf2410691e587c0ffe08be8f7942..11325fb8abb6e7b7a4bd4c0eb0cb14f7db6e7a34 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,7 @@
 2573.  [bug]           Replacing a non-CNAME record with a CNAME record in a
+2579.  [bug]           DNSSEC lookaside validation failed to handle unknown
+                       algorithms. [RT #19479]
+
                        single transaction in a signed zone failed. [RT #19397]
 
 2568.  [bug]           Report when the write to indicate a otherwise
index f7e0630cd7873a315e3b44a687e29e3767d2de9a..d68e563aadfe6d634b3a92902dd4d2856dc23760 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.119.18.47 2009/02/15 23:39:53 marka Exp $ */
+/* $Id: validator.c,v 1.119.18.48 2009/03/17 01:32:04 marka Exp $ */
 
 /*! \file */
 
@@ -211,6 +211,37 @@ exit_check(dns_validator_t *val) {
        return (ISC_TRUE);
 }
 
+/*
+ * Check that we have atleast one supported algorithm in the DLV RRset.
+ */
+static inline isc_boolean_t
+dlv_algorithm_supported(dns_validator_t *val) {
+       dns_rdata_t rdata = DNS_RDATA_INIT;
+       dns_rdata_dlv_t dlv;
+       isc_result_t result;
+
+       for (result = dns_rdataset_first(&val->dlv);
+            result == ISC_R_SUCCESS;
+            result = dns_rdataset_next(&val->dlv)) {
+               dns_rdata_reset(&rdata);
+               dns_rdataset_current(&val->dlv, &rdata);
+               result = dns_rdata_tostruct(&rdata, &dlv, NULL);
+               RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+               if (!dns_resolver_algorithm_supported(val->view->resolver,
+                                                     val->event->name,
+                                                     dlv.algorithm))
+                       continue;
+
+               if (dlv.digest_type != DNS_DSDIGEST_SHA256 &&
+                   dlv.digest_type != DNS_DSDIGEST_SHA1)
+                       continue;
+
+               return (ISC_TRUE);
+       }
+       return (ISC_FALSE);
+}
+
 /*%
  * Look in the NSEC record returned from a DS query to see if there is
  * a NS RRset at this name.  If it is found we are at a delegation point.
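Review bot: The header comment on dlv_algorithm_supported() has a typo ("atleast") and does not mention that the loop also rejects records whose digest type is neither SHA-1 nor SHA-256, so a reader of the comment alone would expect only the algorithm check; suggest `* Check that at least one DLV record uses both a supported algorithm` / `* and a digest type we can compute (SHA-1 or SHA-256).`. The loop variable `result` is also reused to hold the dns_rdata_tostruct() status; it works because the for-continuation reassigns it, but a separate local such as `isc_result_t tresult;` would make the cursor/status roles clear. If the same SHA-1/SHA-256 set is accepted elsewhere in the validator when the DLV is actually used (not visible in this hunk), keeping the list in one shared place would stop the two from drifting when a digest type is added.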
@@ -2324,19 +2355,36 @@ dlvfetched(isc_task_t *task, isc_event_t *event) {
                                sizeof(namebuf));
                dns_rdataset_clone(&val->frdataset, &val->dlv);
                val->havedlvsep = ISC_TRUE;
-               validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
-               dlv_validator_start(val);
+               if (dlv_algorithm_supported(val)) {
+                       validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
+                                     namebuf);
+                       dlv_validator_start(val);
+               } else {
+                       validator_log(val, ISC_LOG_DEBUG(3),
+                                     "DLV %s found with no supported algorithms",
+                                     namebuf);
+                       markanswer(val);
+                       validator_done(val, ISC_R_SUCCESS);
+               }
        } else if (eresult == DNS_R_NXRRSET ||
                   eresult == DNS_R_NXDOMAIN ||
                   eresult == DNS_R_NCACHENXRRSET ||
                   eresult == DNS_R_NCACHENXDOMAIN) {
-                  result = finddlvsep(val, ISC_TRUE);
+               result = finddlvsep(val, ISC_TRUE);
                if (result == ISC_R_SUCCESS) {
-                       dns_name_format(dns_fixedname_name(&val->dlvsep),
-                                       namebuf, sizeof(namebuf));
-                       validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found",
-                                     namebuf);
-                       dlv_validator_start(val);
+                       if (dlv_algorithm_supported(val)) {
+                               dns_name_format(dns_fixedname_name(&val->dlvsep),
+                                               namebuf, sizeof(namebuf));
+                               validator_log(val, ISC_LOG_DEBUG(3),
+                                             "DLV %s found", namebuf);
+                               dlv_validator_start(val);
+                       } else {
+                               validator_log(val, ISC_LOG_DEBUG(3),
+                                             "DLV %s found with no supported "
+                                             "algorithms", namebuf);
+                               markanswer(val);
+                               validator_done(val, ISC_R_SUCCESS);
+                       }
                } else if (result == ISC_R_NOTFOUND) {
                        validator_log(val, ISC_LOG_DEBUG(3), "DLV not found");
                        markanswer(val);
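Review bot: The "no supported algorithms" handling (log, markanswer(), validator_done(ISC_R_SUCCESS)) is written out twice in this hunk and a third time in the startfinddlvsep hunk below, and the log string is even split differently each time; a small static helper next to dlv_algorithm_supported() would keep the three sites identical. The helper is also the natural place to document why this outcome is insecure rather than bogus: it is the same markanswer()/validator_done() pair the "DLV not found" branch uses, so a DLV whose records all use unknown algorithms is deliberately treated as if no DLV existed. dlvfetched() begins and ends outside this hunk.
```c
/*
 * No usable DLV record: treat the name as if no DLV existed (insecure),
 * exactly as the "DLV not found" path does.
 */
static void
dlv_unsupported(dns_validator_t *val, const char *namebuf) {
	validator_log(val, ISC_LOG_DEBUG(3),
		      "DLV %s found with no supported algorithms", namebuf);
	markanswer(val);
	validator_done(val, ISC_R_SUCCESS);
}

/* … unchanged: dlvfetched() up to the dlv_algorithm_supported() check … */
		} else {
			dlv_unsupported(val, namebuf);
		}
```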
@@ -2399,9 +2447,16 @@ startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
        }
        dns_name_format(dns_fixedname_name(&val->dlvsep), namebuf,
                        sizeof(namebuf));
-       validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
-       dlv_validator_start(val);
-       return (DNS_R_WAIT);
+       if (dlv_algorithm_supported(val)) {
+               validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
+               dlv_validator_start(val);
+               return (DNS_R_WAIT);
+       } 
+       validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
+                     "algorithms", namebuf);
+       markanswer(val);
+       validator_done(val, ISC_R_SUCCESS);
+       return (ISC_R_SUCCESS);
 }
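Review bot: The closing brace of the new `if (dlv_algorithm_supported(val))` block carries trailing whitespace (`} ` on the line after `return (DNS_R_WAIT);`), which the project's style would normally reject; drop the space. Returning ISC_R_SUCCESS after validator_done() presumably mirrors the "DLV not found" path earlier in startfinddlvsep(), which is outside this hunk; if that path returns something else, the caller's handling of the two results should be checked. The early-return shape here differs from the if/else form used for the same case in dlvfetched(); either is fine, but one form in all three places would read better.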
 
 /*%