From: Mark Andrews Date: Tue, 2 Jun 2009 05:56:27 +0000 (+0000) Subject: 2605. [bug] Accept DS responses from delegation only zones. X-Git-Tag: v9.6.1^2~23 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=ba58299f9ff6c39b0ea15f5d5d0971d6d6e25f0f;p=thirdparty%2Fbind9.git 2605. [bug] Accept DS responses from delegation only zones. [RT # 19296] --- diff --git a/CHANGES b/CHANGES index 3003a161686..2527c851215 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2605. [bug] Accept DS responses from delegation only zones. + [RT # 19296] + 2603. [port] win32: handle .exe extension of named-checkzone and named-comilezone argv[0] names under windows. [RT #19767] diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index f3bfe0d29ff..0875e57ff09 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -4333,16 +4333,16 @@ category notify { null; }; delegation-only - - - Delegation only. Logs queries that have - been forced to NXDOMAIN as the result of a - delegation-only zone or - a delegation-only in a - hint or stub zone declaration. - - - + + + Delegation only. Logs queries that have been + forced to NXDOMAIN as the result of a + delegation-only zone or a + delegation-only in a hint + or stub zone declaration. + + + edns-disabled @@ -5116,17 +5116,45 @@ category notify { null; }; - + root-delegation-only - Turn on enforcement of delegation-only in TLDs (top level domains) and root zones - with an optional - exclude list. + Turn on enforcement of delegation-only in TLDs + (top level domains) and root zones with an optional + exclude list. + + DS queries are expected to be made to and be answered by + delegation only zones. Such queries and responses are + treated as a exception to delegation-only processing + and are not converted to NXDOMAIN responses provided + a CNAME is not discovered at the query name. + + + If a delegation only zone server also serves a child + zone it is not always possible to determine whether + a answer comes from the delegation only zone or the + child zone. SOA NS and DNSKEY records are apex + only records and a matching response that contains + these records or DS is treated as coming from a + child zone. RRSIG records are also examined to see + if they are signed by a child zone or not. The + authority section is also examined to see if there + is evidence that the answer is from the child zone. + Answers that are determined to be from a child zone + are not converted to NXDOMAIN responses. Despite + all these checks there is still a possibility of + false negatives when a child zone is being served. + + + Similarly false positives can arise from empty nodes + (no records at the name) in the delegation only zone + when the query type is not ANY. + - Note some TLDs are not delegation only (e.g. "DE", "LV", "US" - and "MUSEUM"). + Note some TLDs are not delegation only (e.g. "DE", "LV", + "US" and "MUSEUM"). This list is not exhaustive. @@ -9027,20 +9055,22 @@ zone zone_name class - This is used to enforce the delegation-only - status of infrastructure zones (e.g. COM, NET, ORG). - Any answer that - is received without an explicit or implicit delegation - in the authority - section will be treated as NXDOMAIN. This does not - apply to the zone - apex. This should not be applied to leaf zones. + This is used to enforce the delegation-only + status of infrastructure zones (e.g. COM, + NET, ORG). Any answer that is received + without an explicit or implicit delegation + in the authority section will be treated + as NXDOMAIN. This does not apply to the + zone apex. This should not be applied to + leaf zones. delegation-only has no - effect on answers received - from forwarders. + effect on answers received from forwarders. + + See caveats in . + @@ -9299,9 +9329,11 @@ zone zone_name class The flag only applies to hint and stub zones. If set to yes, then the zone will also be - treated as if it - is also a delegation-only type zone. + treated as if it is also a delegation-only type zone. + + See caveats in . + diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index a1c263e12d4..686b24e0f3f 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.384.14.12 2009/05/11 02:38:03 tbox Exp $ */ +/* $Id: resolver.c,v 1.384.14.13 2009/06/02 05:56:27 marka Exp $ */ /*! \file */ @@ -471,6 +471,30 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name, return (result); } +static isc_boolean_t +rrsig_fromchildzone(fetchctx_t *fctx, dns_rdataset_t *rdataset) { + dns_namereln_t namereln; + dns_rdata_rrsig_t rrsig; + dns_rdata_t rdata = DNS_RDATA_INIT; + int order; + isc_result_t result; + unsigned int labels; + + for (result = dns_rdataset_first(rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(rdataset)) { + dns_rdataset_current(rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &rrsig, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + namereln = dns_name_fullcompare(&rrsig.signer, &fctx->domain, + &order, &labels); + if (namereln == dns_namereln_subdomain) + return (ISC_TRUE); + dns_rdata_reset(&rdata); + } + return (ISC_FALSE); +} + static isc_boolean_t fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) { dns_name_t *name; @@ -484,13 +508,43 @@ fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) { return (ISC_FALSE); /* - * Look for BIND 8 style delegations. - * Also look for answers to ANY queries where the duplicate NS RRset - * may have been stripped from the authority section. + * A DS RRset can appear anywhere in a zone, even for a delegation-only + * zone. So a response to an explicit query for this type should be + * excluded from delegation-only fixup. + * + * SOA, NS, and DNSKEY can only exist at a zone apex, so a postive + * response to a query for these types can never violate the + * delegation-only assumption: if the query name is below a + * zone cut, the response should normally be a referral, which should + * be accepted; if the query name is below a zone cut but the server + * happens to have authority for the zone of the query name, the + * response is a (non-referral) answer. But this does not violate + * delegation-only because the query name must be in a different zone + * due to the "apex-only" nature of these types. Note that if the + * remote server happens to have authority for a child zone of a + * delegation-only zone, we may still incorrectly "fix" the response + * with NXDOMAIN for queries for other types. Unfortunately it's + * generally impossible to differentiate this case from violation of + * the delegation-only assumption. Once the resolver learns the + * correct zone cut, possibly via a separate query for an "apex-only" + * type, queries for other types will be resolved correctly. + * + * A query for type ANY will be accepted if it hits an exceptional + * type above in the answer section as it should be from a child + * zone. + * + * Also accept answers with RRSIG records from the child zone. + * Direct queries for RRSIG records should not be answered from + * the parent zone. */ + if (message->counts[DNS_SECTION_ANSWER] != 0 && (fctx->type == dns_rdatatype_ns || - fctx->type == dns_rdatatype_any)) { + fctx->type == dns_rdatatype_ds || + fctx->type == dns_rdatatype_soa || + fctx->type == dns_rdatatype_any || + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_dnskey)) { result = dns_message_firstname(message, DNS_SECTION_ANSWER); while (result == ISC_R_SUCCESS) { name = NULL; @@ -499,10 +553,32 @@ fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) { for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { - type = rdataset->type; - if (type != dns_rdatatype_ns) + if (!dns_name_equal(name, &fctx->name)) continue; - if (dns_name_issubdomain(name, domain)) + type = rdataset->type; + /* + * RRsig from child? + */ + if (type == dns_rdatatype_rrsig && + rrsig_fromchildzone(fctx, rdataset)) + return (ISC_FALSE); + /* + * Direct query for apex records or DS. + */ + if (fctx->type == type && + (type == dns_rdatatype_ds || + type == dns_rdatatype_ns || + type == dns_rdatatype_soa || + type == dns_rdatatype_dnskey)) + return (ISC_FALSE); + /* + * Indirect query for apex records or DS. + */ + if (fctx->type == dns_rdatatype_any && + (type == dns_rdatatype_ns || + type == dns_rdatatype_ds || + type == dns_rdatatype_soa || + type == dns_rdatatype_dnskey)) return (ISC_FALSE); } result = dns_message_nextname(message, @@ -510,7 +586,14 @@ fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) { } } - /* Look for referral. */ + /* + * A NODATA response to a DS query? + */ + if (fctx->type == dns_rdatatype_ds && + message->counts[DNS_SECTION_ANSWER] == 0) + return (ISC_FALSE); + + /* Look for referral or indication of answer from child zone? */ if (message->counts[DNS_SECTION_AUTHORITY] == 0) goto munge; @@ -525,13 +608,37 @@ fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) { if (type == dns_rdatatype_soa && dns_name_equal(name, domain)) keep_auth = ISC_TRUE; + if (type != dns_rdatatype_ns && - type != dns_rdatatype_soa) + type != dns_rdatatype_soa && + type != dns_rdatatype_rrsig) continue; - if (dns_name_equal(name, domain)) - goto munge; - if (dns_name_issubdomain(name, domain)) + + if (type == dns_rdatatype_rrsig) { + if (rrsig_fromchildzone(fctx, rdataset)) + return (ISC_FALSE); + else + continue; + } + + /* NS or SOA records. */ + if (dns_name_equal(name, domain)) { + /* + * If a query for ANY causes a negative + * response, we can be sure that this is + * an empty node. For other type of queries + * we cannot differentiate an empty node + * from a node that just doesn't have that + * type of record. We only accept the former + * case. + */ + if (message->counts[DNS_SECTION_ANSWER] == 0 && + fctx->type == dns_rdatatype_any) + return (ISC_FALSE); + } else if (dns_name_issubdomain(name, domain)) { + /* Referral or answer from child zone. */ return (ISC_FALSE); + } } result = dns_message_nextname(message, DNS_SECTION_AUTHORITY); }