4615. [bug] AD could be set on truncated answer with no records

                        present in the answer and authority sections.
                        [RT #45140]

(cherry picked from commit 33e94f501f32955e1c44bcd4015459dc9c95ccb0)

diff --git a/CHANGES b/CHANGES
index 0baffe5870038cb409368fcad43d9d7f63d40782..4b8a400f0d6c8d9f970d288bd2c039123870b403 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4615.  [bug]           AD could be set on truncated answer with no records
+                       present in the answer and authority sections.
+                       [RT #45140]
+
 4614.  [test]          Fixed an error in the sockaddr unit test. [RT #45146]
 
 4612.  [bug]           Silence 'may be use uninitalised' warning and simplify

diff --git a/bin/tests/system/resolver/ns6/keygen.sh b/bin/tests/system/resolver/ns6/keygen.sh
index dc6e9dabb41d678b4a4e8f8c24a4209395268c65..7b31e265c5f1873a3229b0c76c9c360efab2543f 100644 (file)
--- a/bin/tests/system/resolver/ns6/keygen.sh
+++ b/bin/tests/system/resolver/ns6/keygen.sh
@@ -24,7 +24,7 @@ zonefile="${zone}.db"
 infile="${zonefile}.in"
 cp $infile $zonefile
 ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
-zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+zsk=`$KEYGEN -q -3 -r $RANDFILE -b 2048 $zone`
 cat $ksk.key $zsk.key >> $zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
 

diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 64d5701db57fa39f8ec412631622ca2b9a1176fb..af770894934990ea89e2253599b2d42dd0027a39 100755 (executable)
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -717,5 +717,21 @@ test ${ttl:-1} -eq 0 || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I:check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +ad (${n})"
+ret=0
+$DIG @10.53.0.6 -p 5300 dnskey ds.example.net +bufsize=512 +ad +nodnssec +ignore +norec > dig.out.$n
+grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:check that 'ad' in not returned in truncated answer with empty answer and authority sections to request with +dnssec (${n})"
+ret=0
+$DIG @10.53.0.6 -p 5300 dnskey ds.example.net +bufsize=512 +noad +dnssec +ignore +norec > dig.out.$n
+grep "flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0" dig.out.$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1

diff --git a/lib/dns/message.c b/lib/dns/message.c
index 63c43b153c162e52d08c6c046224937968d10979..9b78d2645c4df7bf6fbee416aa8d35dd7ebe075e 100644 (file)
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1962,6 +1962,15 @@ renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
        return (result);
 }
 
+static void
+maybe_clear_ad(dns_message_t *msg, dns_section_t sectionid) {
+       if (msg->counts[sectionid] == 0 &&
+           (sectionid == DNS_SECTION_ANSWER ||
+            (sectionid == DNS_SECTION_AUTHORITY &&
+             msg->counts[DNS_SECTION_ANSWER] == 0)))
+               msg->flags &= ~DNS_MESSAGEFLAG_AD;
+}
+
 isc_result_t
 dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
                          unsigned int options)
@@ -2159,6 +2168,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
                                        *(msg->buffer) = st;  /* rollback */
                                        msg->buffer->length += msg->reserved;
                                        msg->counts[sectionid] += total;
+                                       maybe_clear_ad(msg, sectionid);
                                        return (result);
                                }