--- 9.9.8-P3 released ---
+4288. [bug] Fixed a regression in resolver.c:possibly_mark()
+ which caused known-bogus servers to be queried
+ anyway. [RT #41321]
+
4285. [security] Specific APL data could trigger a INSIST.
(CVE-2015-8704) [RT #41396]
</para>
<para>
BIND 9.9.8-P3 addresses the security issue described in CVE-2015-8704.
+ It also fixes a serious regression in authoritative server selection
+ that was introduced in 9.9.8.
</para>
<para>
BIND 9.9.8-P2 addresses security issues described in CVE-2015-3193
<title>Bug Fixes</title>
<itemizedlist>
<listitem>
- <para>None</para>
+ <para>
+ Authoritative servers that were marked as bogus (e.g. blackholed
+ in configuration or with invalid addresses) were being queried
+ anyway. [RT #41321]
+ </para>
</listitem>
</itemizedlist>
</sect2>
bogus)
aborted = ISC_TRUE;
- if (!isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3)))
- return;
-
if (aborted) {
addr->flags |= FCTX_ADDRINFO_MARK;
msg = "ignoring blackholed / bogus server: ";
} else
return;
- isc_netaddr_fromsockaddr(&na, sa);
- isc_netaddr_format(&na, buf, sizeof(buf));
- FCTXTRACE2(msg, buf);
+ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+ isc_netaddr_fromsockaddr(&na, sa);
+ isc_netaddr_format(&na, buf, sizeof(buf));
+ FCTXTRACE2(msg, buf);
+ }
}
static inline dns_adbaddrinfo_t *
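Review bot: The new `if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3)))` block has no comment explaining why it now wraps only the three trace calls, yet that placement is the entire fix. The removed early return sat above `addr->flags |= FCTX_ADDRINFO_MARK`, so a blackholed or bogus server was marked only when debug level 3 logging was enabled. I would add, above the `if (aborted)` block, `/* Mark the address regardless of log level; only the trace below may be skipped when debug logging is off. */` so that a later cleanup does not hoist the log check again. A system test asserting that a blackholed server is not queried at the default log level would also pin this down, since the behaviour differed only with the logging configuration. The function (possibly_mark() per the CHANGES entry) begins outside this hunk, so not all the conditions that set `aborted` are visible here.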