From: Mark Andrews Date: Thu, 4 Sep 2014 03:57:50 +0000 (+1000) Subject: 3942. [bug] Wildcard responses from a optout range should be X-Git-Tag: v9.11.0a1~1378^2~65 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=fec7998314cbdaf1dc89513ffff5b45fc8ed73fd;p=thirdparty%2Fbind9.git 3942. [bug] Wildcard responses from a optout range should be marked as insecure. [RT #37072] --- diff --git a/CHANGES b/CHANGES index b9c06a05e68..209f3994940 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3942. [bug] Wildcard responses from a optout range should be + marked as insecure. [RT #37072] + 3941. [doc] Include the BIND version number in the ARM. [RT #37067] 3940. [func] "rndc nta" now allows negative trust anchors to be diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 436f8e48bfb..2c10e086a69 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -271,7 +271,7 @@ $DIG $DIGOPTS a.wild.optout.example. \ stripns dig.out.ns3.test$n > dig.out.ns3.stripped.test$n stripns dig.out.ns4.test$n > dig.out.ns4.stripped.test$n $PERL ../digcomp.pl dig.out.ns3.stripped.test$n dig.out.ns4.stripped.test$n || ret=1 -grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c index 619cb4e346e..075fe32567e 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c @@ -2071,6 +2071,9 @@ dns_nsec3_noexistnodata(dns_rdatatype_t type, dns_name_t* name, if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0) (*logit)(arg, ISC_LOG_DEBUG(3), "NSEC3 indicates optout"); + else + (*logit)(arg, ISC_LOG_DEBUG(3), + "NSEC3 indicates secure range"); *optout = ISC_TF(nsec3.flags & DNS_NSEC3FLAG_OPTOUT); } diff --git a/lib/dns/validator.c b/lib/dns/validator.c index e53c2488f36..11e1197bdbb 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -2805,7 +2805,7 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) { if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) { if (!FOUNDNOQNAME(val)) findnsec3proofs(val); - if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val)) { + if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val)) { validator_log(val, ISC_LOG_DEBUG(3), "marking as secure, noqname proof found"); marksecure(val->event);