4580. [bug] 4578 introduced a regression when handling CNAME to
authorMark Andrews <marka@isc.org>
Tue, 14 Mar 2017 04:07:00 +0000 (15:07 +1100)
committerMark Andrews <marka@isc.org>
Tue, 14 Mar 2017 04:13:31 +0000 (15:13 +1100)
                        referral below the current domain. [RT #44850]

(cherry picked from commit 638c7c635ddab0b717a675f49b1180dbf8ef803e)

CHANGES
lib/dns/api
lib/dns/resolver.c
version

diff --git a/CHANGES b/CHANGES
index ed04e8543a06097aa33ace59922450576b7b480b..3ab216a8bc4afaaeee8e1e456fc7228d99738d1b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+       --- 9.11.0-P5 released ---
+
+4580.  [bug]           4578 introduced a regression when handling CNAME to
+                       referral below the current domain. [RT #44850]
+
        --- 9.11.0-P4 released ---
 
 4578.  [security]      Some chaining (CNAME or DNAME) responses to upstream
index 1fd2092f0da10d7239a0869ee6f532f63e4e4136..2eb8e6496733c4d0fd7a1948fe0b7fa2efa099b3 100644 (file)
@@ -7,5 +7,5 @@
 # 9.10: 140-149
 # 9.11: 160-169
 LIBINTERFACE = 166
-LIBREVISION = 6
+LIBREVISION = 7
 LIBAGE = 0
index 4bb09175fa48a2b4fdb53b6fd89414703a4c0501..f0d7eb49425b34772b410e5aced98dfa739cc50a 100644 (file)
@@ -6222,7 +6222,7 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
 
 static isc_boolean_t
 is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
-                       dns_rdataset_t *rdataset)
+                       dns_rdataset_t *rdataset, isc_boolean_t *chainingp)
 {
        isc_result_t result;
        dns_rbtnode_t *node = NULL;
@@ -6243,8 +6243,11 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
        REQUIRE(rdataset->type == dns_rdatatype_cname ||
                rdataset->type == dns_rdatatype_dname);
 
-       /* By default, we allow any target name. */
-       if (view->denyanswernames == NULL)
+       /*
+        * By default, we allow any target name.
+        * If newqname != NULL we also need to extract the newqname.
+        */
+       if (chainingp == NULL && view->denyanswernames == NULL)
                return (ISC_TRUE);
 
        result = dns_rdataset_first(rdataset);
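Review bot: The rewritten comment above the early return refers to `newqname`, but the parameter this commit adds is `chainingp` and nothing named newqname appears in the visible lines, so the comment does not describe the condition it sits on. Wording such as `* If chainingp != NULL we must still parse the target so that *chainingp can be set.` would match the code. The new out-parameter is also undocumented at the function header in the preceding hunk; a short comment there saying that a non-NULL chainingp is set to ISC_TRUE once a CNAME/DNAME target has been extracted would help callers. The function body starts and continues outside this hunk.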
@@ -6267,7 +6270,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
                dns_name_split(qname, nlabels, &prefix, NULL);
                result = dns_name_concatenate(&prefix, &dname.dname, tname,
                                              NULL);
-               if (result == ISC_R_NOSPACE)
+               if (result == DNS_R_NAMETOOLONG)
                        return (ISC_TRUE);
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
                break;
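Review bot: The `DNS_R_NAMETOOLONG` early return leaves `*chainingp` unwritten, because the assignment added in the next hunk sits after the switch. For a DNAME whose synthesized target is too long, the caller that passes `&chaining` therefore keeps whatever value chaining had before the call (its initialisation is outside the diff), while every other accepted DNAME sets it. If an over-long DNAME target should still count as chaining, add `if (chainingp != NULL) *chainingp = ISC_TRUE;` ahead of `return (ISC_TRUE);`; if not, a comment stating that the omission is intentional is worth adding. Separately, `RUNTIME_CHECK(result == ISC_R_SUCCESS)` now aborts on ISC_R_NOSPACE for a name built from response data, so it relies on tname always being large enough, which cannot be confirmed from these lines.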
@@ -6275,6 +6278,12 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
                INSIST(0);
        }
 
+       if (chainingp != NULL)
+               *chainingp = ISC_TRUE;
+
+       if (view->denyanswernames == NULL)
+               return (ISC_TRUE);
+
        /*
         * If the owner name matches one in the exclusion list, either exactly
         * or partially, allow it.
@@ -6960,7 +6969,7 @@ answer_response(fetchctx_t *fctx) {
                        if ((rdataset->type == dns_rdatatype_cname ||
                             rdataset->type == dns_rdatatype_dname) &&
                             !is_answertarget_allowed(fctx, qname, aname,
-                                                     rdataset))
+                                                     rdataset, NULL))
                        {
                                return (DNS_R_SERVFAIL);
                        }
@@ -6983,7 +6992,9 @@ answer_response(fetchctx_t *fctx) {
                }
                if ((ardataset->type == dns_rdatatype_cname ||
                     ardataset->type == dns_rdatatype_dname) &&
-                    !is_answertarget_allowed(fctx, qname, aname, ardataset)) {
+                    !is_answertarget_allowed(fctx, qname, aname, ardataset,
+                                             NULL))
+               {
                        return (DNS_R_SERVFAIL);
                }
                aname->attributes |= DNS_NAMEATTR_CACHE;
@@ -7018,7 +7029,9 @@ answer_response(fetchctx_t *fctx) {
                        log_formerr(fctx, "CNAME response for %s RR", buf);
                        return (DNS_R_FORMERR);
                }
-               if (!is_answertarget_allowed(fctx, qname, cname, crdataset)) {
+               if (!is_answertarget_allowed(fctx, qname, cname, crdataset,
+                                            NULL))
+               {
                        return (DNS_R_SERVFAIL);
                }
                cname->attributes |= DNS_NAMEATTR_CACHE;
@@ -7050,7 +7063,8 @@ answer_response(fetchctx_t *fctx) {
                if (!validinanswer(drdataset, fctx)) {
                        return (DNS_R_FORMERR);
                }
-               if (!is_answertarget_allowed(fctx, qname, dname, drdataset)) {
+               if (!is_answertarget_allowed(fctx, qname, dname, drdataset,
+                                            &chaining)) {
                        return (DNS_R_SERVFAIL);
                }
                dname->attributes |= DNS_NAMEATTR_CACHE;
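Review bot: The opening brace here stays on the continuation line (`&chaining)) {`), while the other two calls this commit re-wraps put `{` on its own line after the wrapped condition. For consistency within answer_response, end the condition with `&chaining))` and put `{` on the next line. In the visible hunks this is also the only call that passes a non-NULL chainingp, so `chaining` is now set as a side effect of the policy check; a one-line comment saying so would help readers who look for the removed `chaining = ISC_TRUE;` assignment.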
@@ -7077,7 +7091,6 @@ answer_response(fetchctx_t *fctx) {
                        sigrdataset->trust = trust;
                        break;
                }
-               chaining = ISC_TRUE;
        } else {
                log_formerr(fctx, "reply has no answer");
                return (DNS_R_FORMERR);
@@ -7092,13 +7105,7 @@ answer_response(fetchctx_t *fctx) {
         * Did chaining end before we got the final answer?
         */
        if (chaining) {
-               /*
-                * Yes.  This may be a negative reply, so hand off
-                * authority section processing to the noanswer code.
-                * If it isn't a noanswer response, no harm will be
-                * done.
-                */
-               return (noanswer_response(fctx, qname, 0));
+               return (ISC_R_SUCCESS);
        }
 
        /*
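Review bot: The new `return (ISC_R_SUCCESS);` has no comment, and the deleted one was the only explanation of what happens to the authority section of a chained response. With this change a response that sets chaining returns without the hand-off to noanswer_response(), which looks deliberate given the regression described in the commit message, but the code no longer says so. Suggest a comment such as `/* Yes. Authority section processing is intentionally skipped for chained answers. */`, adjusted to state the actual reason. The rest of answer_response is outside the hunk.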
diff --git a/version b/version
index efce24100795069c69021c4c721d92b40e1c9745..457a720794c115cc0b23ce867f75b5e257f21776 100644 (file)
--- a/version
+++ b/version
@@ -7,5 +7,5 @@ MAJORVER=9
 MINORVER=11
 PATCHVER=0
 RELEASETYPE=-P
-RELEASEVER=4
+RELEASEVER=5
 EXTENSIONS=