mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 18:19:42 +00:00
Code Issues Releases Wiki Activity
bind/lib/dns/nsec.c

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

505 lines
12 KiB
C
Raw Normal View History

created
1999-09-09 08:21:45 +00:00
/*
update copyright notice
2011-03-12 04:59:49 +00:00
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
created
1999-09-09 08:21:45 +00:00
*
1541. [func] NSEC now uses new bitmap format.
2003-12-13 04:20:44 +00:00
* SPDX-License-Identifier: MPL-2.0
Update the copyright information in all files in the repository This commit converts the license handling to adhere to the REUSE specification. It specifically: 1. Adds used licnses to LICENSES/ directory 2. Add "isc" template for adding the copyright boilerplate 3. Changes all source files to include copyright and SPDX license header, this includes all the C sources, documentation, zone files, configuration files. There are notes in the doc/dev/copyrights file on how to add correct headers to the new files. 4. Handle the rest that can't be modified via .reuse/dep5 file. The binary (or otherwise unmodifiable) files could have license places next to them in <foo>.license file, but this would lead to cluttered repository and most of the files handled in the .reuse/dep5 file are system test files.
2021-06-03 08:37:05 +02:00
*
created
1999-09-09 08:21:45 +00:00
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
Update license headers to not include years in copyright in all applicable files
2018-02-23 09:53:12 +01:00
*
created
1999-09-09 08:21:45 +00:00
* See the COPYRIGHT file distributed with this work for additional
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
* information regarding copyright ownership.
created
1999-09-09 08:21:45 +00:00
*/
1851. [doc] Doxygen comment markup. [RT #11398]
2005-04-27 04:57:32 +00:00
/*! \file */
add RCS id string
2000-06-22 22:00:42 +00:00
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
#include <stdbool.h>
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
#include <isc/log.h>
Make isc_result a static enum Remove the dynamic registration of result codes. Convert isc_result_t from unsigned + #defines into 32-bit enum type in grand unified <isc/result.h> header. Keep the existing values of the result codes even at the expense of the description and identifier tables being unnecessary large. Additionally, add couple of: switch (result) { [...] default: break; } statements where compiler now complains about missing enum values in the switch statement.
2021-10-04 17:14:53 +02:00
#include <isc/result.h>
Megacommit of dozens of files. Cleanup of redundant/useless header file inclusion. ISC style lint, primarily for function declarations and standalone comments -- ie, those that appear on a line without any code, which should be written as follows: /* * This is a comment. */
2000-05-08 14:38:29 +00:00
#include <isc/string.h>
include isc/util.h
2000-04-28 01:12:23 +00:00
#include <isc/util.h>
created
1999-09-09 08:21:45 +00:00
#include <dns/db.h>
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
#include <dns/nsec.h>
created
1999-09-09 08:21:45 +00:00
#include <dns/rdata.h>
Redundant header work, mostly removing <dns/result.h> from installed headers and adding it to source files that need it.
2000-05-02 03:54:17 +00:00
#include <dns/rdatalist.h>
created
1999-09-09 08:21:45 +00:00
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
clean up suspicious looking and incorrect uses of dns_name_fromregion
2000-10-07 00:09:28 +00:00
#include <dns/rdatastruct.h>
created
1999-09-09 08:21:45 +00:00
2448. [func] Add NSEC3 support. [RT #15452]
2008-09-24 02:46:23 +00:00
#include <dst/dst.h>
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
void
dns_nsec_setbit(unsigned char *array, unsigned int type, unsigned int bit) {
*FIXED* IRIX warnings: "nxt.c", line 42: remark(1552): variable "byte" was set but never used "nxt.c", line 56: remark(1552): variable "byte" was set but never used
2000-05-13 20:39:17 +00:00
unsigned int shift, mask;
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
shift = 7 - (type % 8);
created
1999-09-09 08:21:45 +00:00
mask = 1 << shift;
*FIXED* IRIX warnings: "nxt.c", line 42: remark(1552): variable "byte" was set but never used "nxt.c", line 56: remark(1552): variable "byte" was set but never used
2000-05-13 20:39:17 +00:00
if (bit != 0) {
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
array[type / 8] |= mask;
created
1999-09-09 08:21:45 +00:00
} else {
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
array[type / 8] &= (~mask & 0xFF);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
created
1999-09-09 08:21:45 +00:00
}
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
bool
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
dns_nsec_isset(const unsigned char *array, unsigned int type) {
created
1999-09-09 08:21:45 +00:00
unsigned int byte, shift, mask;
*FIXED* IRIX warnings: "nxt.c", line 42: remark(1552): variable "byte" was set but never used "nxt.c", line 56: remark(1552): variable "byte" was set but never used
2000-05-13 20:39:17 +00:00
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
byte = array[type / 8];
shift = 7 - (type % 8);
created
1999-09-09 08:21:45 +00:00
mask = 1 << shift;
*FIXED* IRIX warnings: "nxt.c", line 42: remark(1552): variable "byte" was set but never used "nxt.c", line 56: remark(1552): variable "byte" was set but never used
2000-05-13 20:39:17 +00:00
Turn (int & flag) into (int & flag) != 0 when implicitly typed to bool
2018-10-11 11:57:57 +02:00
return (byte & mask) != 0;
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
}
unsigned int
dns_nsec_compressbitmap(unsigned char *map, const unsigned char *raw,
unsigned int max_type) {
unsigned char *start = map;
unsigned int window;
int octet;
if (raw == NULL) {
return 0;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
for (window = 0; window < 256; window++) {
if (window * 256 > max_type) {
break;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
Use coccinelle to add braces to nested single line statement Both clang-tidy and uncrustify chokes on statement like this: for (...) if (...) break; This commit uses a very simple semantic patch (below) to add braces around such statements. Semantic patch used: @@ statement S; expression E; @@ while (...) - if (E) S + { if (E) { S } } @@ statement S; expression E; @@ for (...;...;...) - if (E) S + { if (E) { S } } @@ statement S; expression E; @@ if (...) - if (E) S + { if (E) { S } }
2020-02-13 18:16:57 +01:00
for (octet = 31; octet >= 0; octet--) {
if (*(raw + octet) != 0) {
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
break;
Use coccinelle to add braces to nested single line statement Both clang-tidy and uncrustify chokes on statement like this: for (...) if (...) break; This commit uses a very simple semantic patch (below) to add braces around such statements. Semantic patch used: @@ statement S; expression E; @@ while (...) - if (E) S + { if (E) { S } } @@ statement S; expression E; @@ for (...;...;...) - if (E) S + { if (E) { S } } @@ statement S; expression E; @@ if (...) - if (E) S + { if (E) { S } }
2020-02-13 18:16:57 +01:00
}
}
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
if (octet < 0) {
raw += 32;
continue;
}
*map++ = window;
*map++ = octet + 1;
/*
* Note: potential overlapping move.
*/
memmove(map, raw, octet + 1);
map += octet + 1;
raw += 32;
}
3681. [port] Update the Windows build system to support feature selection and WIN64 builds. This is a work in progress. [RT #34160]
2013-12-04 12:47:23 +11:00
return (unsigned int)(map - start);
created
1999-09-09 08:21:45 +00:00
}
dns_result_t is no more. s/dns_result_t/isc_result_t/ -- more later, when I need a break.
1999-12-23 00:09:04 +00:00
isc_result_t
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
const dns_name_t *target, unsigned char *buffer,
dns_rdata_t *rdata) {
created
1999-09-09 08:21:45 +00:00
isc_result_t result;
isc_region_t r;
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
unsigned int i;
1541. [func] NSEC now uses new bitmap format.
2003-12-13 04:20:44 +00:00
unsigned char *nsec_bits, *bm;
created
1999-09-09 08:21:45 +00:00
unsigned int max_type;
dns_rdatasetiter_t *rdsiter;
address or suppress cppcheck warnings
2019-08-08 13:52:44 +10:00
REQUIRE(target != NULL);
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
created
1999-09-09 08:21:45 +00:00
dns_name_toregion(target, &r);
[master] replace memcpy() with memmove(). 3698. [cleanup] Replaced all uses of memcpy() with memmove(). [RT #35120]
2014-01-08 16:27:10 -08:00
memmove(buffer, r.base, r.length);
created
1999-09-09 08:21:45 +00:00
r.base = buffer;
1541. [func] NSEC now uses new bitmap format.
2003-12-13 04:20:44 +00:00
/*
* Use the end of the space for a raw bitmap leaving enough
* space for the window identifiers and length octets.
*/
bm = r.base + r.length + 512;
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
nsec_bits = r.base + r.length;
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
dns_nsec_setbit(bm, dns_rdatatype_nsec, 1);
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
max_type = dns_rdatatype_nsec;
created
1999-09-09 08:21:45 +00:00
rdsiter = NULL;
Extend dns_db_allrdatasets to control interation results Add an options parameter to control what rdatasets are returned when iteratating over the node. Specific modes will be added later.
2022-11-16 10:47:40 +11:00
result = dns_db_allrdatasets(db, node, version, 0, 0, &rdsiter);
s/DNS_R_/ISC_R_/ change for some codes.
2000-04-06 22:03:35 +00:00
if (result != ISC_R_SUCCESS) {
created
1999-09-09 08:21:45 +00:00
return result;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
add DNS_DBITERATOR_FOREACH and DNS_RDATASETITER_FOREACH when iterating databases, use DNS_DBITERATOR_FOREACH and DNS_DNSRDATASETITER_FOREACH macros where possible.
2025-03-26 22:49:03 -07:00
DNS_RDATASETITER_FOREACH(rdsiter) {
dns_rdataset_t rdataset = DNS_RDATASET_INIT;
created
1999-09-09 08:21:45 +00:00
dns_rdatasetiter_current(rdsiter, &rdataset);
Add dns_rdatatype_isnsec() helper function Replace the checks for both NSEC and NSEC3 with a single helper function.
2025-08-11 10:06:33 +02:00
if (!dns_rdatatype_isnsec(rdataset.type) &&
2448. [func] Add NSEC3 support. [RT #15452]
2008-09-24 02:46:23 +00:00
rdataset.type != dns_rdatatype_rrsig)
{
created
1999-09-09 08:21:45 +00:00
if (rdataset.type > max_type) {
max_type = rdataset.type;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
dns_nsec_setbit(bm, rdataset.type, 1);
created
1999-09-09 08:21:45 +00:00
}
dns_rdataset_disassociate(&rdataset);
}
add DNS_DBITERATOR_FOREACH and DNS_RDATASETITER_FOREACH when iterating databases, use DNS_DBITERATOR_FOREACH and DNS_DNSRDATASETITER_FOREACH macros where possible.
2025-03-26 22:49:03 -07:00
dns_rdatasetiter_destroy(&rdsiter);
created
1999-09-09 08:21:45 +00:00
DNS_R_RANGE -> ISC_R_RANGE
2000-05-15 21:14:38 +00:00
/*
* At zone cuts, deny the existence of glue in the parent zone.
*/
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
!dns_nsec_isset(bm, dns_rdatatype_soa))
{
1541. [func] NSEC now uses new bitmap format.
2003-12-13 04:20:44 +00:00
for (i = 0; i <= max_type; i++) {
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
if (dns_nsec_isset(bm, i) &&
Update sources to Clang 15 formatting
2022-11-02 19:33:14 +01:00
!dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
{
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
dns_nsec_setbit(bm, i, 0);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
created
1999-09-09 08:21:45 +00:00
}
}
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673]
2012-06-25 13:57:32 +10:00
nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);
3681. [port] Update the Windows build system to support feature selection and WIN64 builds. This is a work in progress. [RT #34160]
2013-12-04 12:47:23 +11:00
r.length = (unsigned int)(nsec_bits - r.base);
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
created
1999-09-09 08:21:45 +00:00
dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
s/DNS_R_/ISC_R_/ change for some codes.
2000-04-06 22:03:35 +00:00
return ISC_R_SUCCESS;
created
1999-09-09 08:21:45 +00:00
}
dns_result_t is no more. s/dns_result_t/isc_result_t/ -- more later, when I need a break.
1999-12-23 00:09:04 +00:00
isc_result_t
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
4546. [func] Extend the use of const declarations. [RT #43379]
2016-12-30 15:45:08 +11:00
const dns_name_t *target, dns_ttl_t ttl) {
dns_result_t is no more. s/dns_result_t/isc_result_t/ -- more later, when I need a break.
1999-12-23 00:09:04 +00:00
isc_result_t result;
532. [func] Implement DNS UPDATE pseudo records using DNS_RDATA_UPDATE flag. 531. [func] Rdata really should be initalized before being assigned to (dns_rdata_fromwire(), dns_rdata_fromtext(), dns_rdata_clone(), dns_rdata_fromregion()), check that it is.
2000-10-25 04:26:57 +00:00
dns_rdata_t rdata = DNS_RDATA_INIT;
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
unsigned char data[DNS_NSEC_BUFFERSIZE];
created
1999-09-09 08:21:45 +00:00
dns_rdatalist_t rdatalist;
dns_rdataset_t rdataset;
Trailing whitespace trimmed. Perhaps running "perl util/spacewhack.pl in your own CVS tree will help minimize CVS conflicts. Maybe not. Blame Graff for getting me to trim all trailing whitespace.
2000-08-01 01:33:37 +00:00
created
1999-09-09 08:21:45 +00:00
dns_rdataset_init(&rdataset);
Uninitalised link fixes, batch 1.
2000-10-20 02:21:58 +00:00
dns_rdata_init(&rdata);
created
1999-09-09 08:21:45 +00:00
Drop single-use RETERR macro If the RETERR define is only used once in a file, just drop the macro.
2024-12-09 15:10:53 +01:00
result = dns_nsec_buildrdata(db, version, node, target, data, &rdata);
if (result != ISC_R_SUCCESS) {
goto failure;
}
Trailing whitespace trimmed. Perhaps running "perl util/spacewhack.pl in your own CVS tree will help minimize CVS conflicts. Maybe not. Blame Graff for getting me to trim all trailing whitespace.
2000-08-01 01:33:37 +00:00
4081. [cleanup] Use dns_rdatalist_init consistently. [RT #38759]
2015-03-03 16:43:42 +11:00
dns_rdatalist_init(&rdatalist);
Don't assume class IN; rename functions to conform to the naming style.
2000-09-12 09:55:32 +00:00
rdatalist.rdclass = dns_db_class(db);
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
rdatalist.type = dns_rdatatype_nsec;
dns_buildnxt takes a ttl as a parameter, instead of using 3600.
2000-02-08 19:02:24 +00:00
rdatalist.ttl = ttl;
created
1999-09-09 08:21:45 +00:00
ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
dns_rdatalist_tordataset() and dns_rdatalist_fromrdataset() can not fail Clean up dns_rdatalist_tordataset() and dns_rdatalist_fromrdataset() functions by making them return void, because they cannot fail. Clean up other functions that subsequently cannot fail.
2022-07-29 12:40:45 +00:00
dns_rdatalist_tordataset(&rdatalist, &rdataset);
created
1999-09-09 08:21:45 +00:00
result = dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL);
if (result == DNS_R_UNCHANGED) {
result = ISC_R_SUCCESS;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
3069. [cleanup] Silence warnings messages from clang static analysis. [RT #20256]
2011-03-11 06:11:27 +00:00
created
1999-09-09 08:21:45 +00:00
failure:
if (dns_rdataset_isassociated(&rdataset)) {
dns_rdataset_disassociate(&rdataset);
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
created
1999-09-09 08:21:45 +00:00
return result;
}
Added dns_nxt_typepresent()
2000-04-13 18:08:07 +00:00
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
bool
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
dns_rdata_nsec_t nsecstruct;
clean up suspicious looking and incorrect uses of dns_name_fromregion
2000-10-07 00:09:28 +00:00
isc_result_t result;
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
bool present;
1541. [func] NSEC now uses new bitmap format.
2003-12-13 04:20:44 +00:00
unsigned int i, len, window;
Added dns_nxt_typepresent()
2000-04-13 18:08:07 +00:00
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
REQUIRE(nsec != NULL);
REQUIRE(nsec->type == dns_rdatatype_nsec);
Added dns_nxt_typepresent()
2000-04-13 18:08:07 +00:00
clean up suspicious looking and incorrect uses of dns_name_fromregion
2000-10-07 00:09:28 +00:00
/* This should never fail */
1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
2003-09-30 06:00:40 +00:00
result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
clean up suspicious looking and incorrect uses of dns_name_fromregion
2000-10-07 00:09:28 +00:00
INSIST(result == ISC_R_SUCCESS);
2448. [func] Add NSEC3 support. [RT #15452]
2008-09-24 02:46:23 +00:00
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
present = false;
1541. [func] NSEC now uses new bitmap format.
2003-12-13 04:20:44 +00:00
for (i = 0; i < nsecstruct.len; i += len) {
INSIST(i + 2 <= nsecstruct.len);
window = nsecstruct.typebits[i];
len = nsecstruct.typebits[i + 1];
INSIST(len > 0 && len <= 32);
i += 2;
INSIST(i + len <= nsecstruct.len);
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
if (window * 256 > type) {
1541. [func] NSEC now uses new bitmap format.
2003-12-13 04:20:44 +00:00
break;
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
}
if ((window + 1) * 256 <= type) {
1541. [func] NSEC now uses new bitmap format.
2003-12-13 04:20:44 +00:00
continue;
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
}
if (type < (window * 256) + len * 8) {
present = dns_nsec_isset(&nsecstruct.typebits[i],
type % 256);
}
1541. [func] NSEC now uses new bitmap format.
2003-12-13 04:20:44 +00:00
break;
}
bug in dns_nsec_typepresent() - 19112
2009-01-06 09:06:02 +00:00
dns_rdata_freestruct(&nsecstruct);
clean up suspicious looking and incorrect uses of dns_name_fromregion
2000-10-07 00:09:28 +00:00
return present;
Added dns_nxt_typepresent()
2000-04-13 18:08:07 +00:00
}
2448. [func] Add NSEC3 support. [RT #15452]
2008-09-24 02:46:23 +00:00
isc_result_t
Wait with NSEC3 during a DNSSEC policy change When doing a dnssec-policy reconfiguration from a zone with NSEC only keys to a zone that uses NSEC3, figure out to wait with building the NSEC3 chain. Previously, BIND 9 would attempt to sign such a zone, but failed to do so because the NSEC3 chain conflicted with existing DNSKEY records in the zone that were not compatible with NSEC3. There exists logic for detecting such a case in the functions dnskey_sane() (in lib/dns/zone.c) and check_dnssec() (in lib/ns/update.c). Both functions look very similar so refactor them to use the same code and call the new function (called dns_zone_check_dnskey_nsec3()). Also update the dns_nsec_nseconly() function to take an additional parameter 'diff' that, if provided, will be checked whether an offending NSEC only DNSKEY will be deleted from the zone. If so, this key will not be considered when checking the zone for NSEC only DNSKEYs. This is needed to allow a transition from an NSEC zone with NSEC only DNSKEYs to an NSEC3 zone.
2022-08-10 15:29:59 +02:00
dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
bool *answer) {
2448. [func] Add NSEC3 support. [RT #15452]
2008-09-24 02:46:23 +00:00
dns_dbnode_t *node = NULL;
dns_rdataset_t rdataset;
dns_rdata_dnskey_t dnskey;
isc_result_t result;
REQUIRE(answer != NULL);
dns_rdataset_init(&rdataset);
result = dns_db_getoriginnode(db, &node);
if (result != ISC_R_SUCCESS) {
return result;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
update copyright notice
2008-09-25 04:02:39 +00:00
2448. [func] Add NSEC3 support. [RT #15452]
2008-09-24 02:46:23 +00:00
result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0,
0, &rdataset, NULL);
Decouple database and node lifetimes by adding node-specific vtables All databases in the codebase follow the same structure: a database is an associative container from DNS names to nodes, and each node is an associative container from RR types to RR data. Each database implementation (qpzone, qpcache, sdlz, builtin, dyndb) has its own corresponding node type (qpznode, qpcnode, etc). However, some code needs to work with nodes generically regardless of their specific type - for example, to acquire locks, manage references, or register/unregister slabs from the heap. Currently, these generic node operations are implemented as methods in the database vtable, which creates problematic coupling between database and node lifetimes. If a node outlives its parent database, the node destructor will destroy all RR data, and each RR data destructor will try to unregister from heaps by calling a virtual function from the database vtable. Since the database was already freed, this causes a crash. This commit breaks the coupling by standardizing the layout of all database nodes, adding a dedicated vtable for node operations, and moving node-specific methods from the database vtable to the node vtable.
2025-06-05 11:51:29 +02:00
dns_db_detachnode(&node);
2448. [func] Add NSEC3 support. [RT #15452]
2008-09-24 02:46:23 +00:00
3128. [func] Inserting an NSEC3PARAM via dynamic update in an auto-dnssec zone that has not been signed yet will cause it to be signed with the specified NSEC3 parameters when keys are activated. The NSEC3PARAM record will not appear in the zone until it is signed, but the parameters will be stored. [RT #23684]
2011-06-10 01:51:09 +00:00
if (result == ISC_R_NOTFOUND) {
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
*answer = false;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
2448. [func] Add NSEC3 support. [RT #15452]
2008-09-24 02:46:23 +00:00
if (result != ISC_R_SUCCESS) {
return result;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
add DNS_RDATASET_FOREACH macro replace the pattern `for (result = dns_rdataset_first(x); result == ISC_R_SUCCES; result = dns_rdataset_next(x)` with a new `DNS_RDATASET_FOREACH` macro throughout BIND.
2025-03-21 23:32:27 -07:00
bool matched = false;
DNS_RDATASET_FOREACH(&rdataset) {
2448. [func] Add NSEC3 support. [RT #15452]
2008-09-24 02:46:23 +00:00
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (dnskey.algorithm == DST_ALG_RSAMD5 ||
Wait with NSEC3 during a DNSSEC policy change When doing a dnssec-policy reconfiguration from a zone with NSEC only keys to a zone that uses NSEC3, figure out to wait with building the NSEC3 chain. Previously, BIND 9 would attempt to sign such a zone, but failed to do so because the NSEC3 chain conflicted with existing DNSKEY records in the zone that were not compatible with NSEC3. There exists logic for detecting such a case in the functions dnskey_sane() (in lib/dns/zone.c) and check_dnssec() (in lib/ns/update.c). Both functions look very similar so refactor them to use the same code and call the new function (called dns_zone_check_dnskey_nsec3()). Also update the dns_nsec_nseconly() function to take an additional parameter 'diff' that, if provided, will be checked whether an offending NSEC only DNSKEY will be deleted from the zone. If so, this key will not be considered when checking the zone for NSEC only DNSKEYs. This is needed to allow a transition from an NSEC zone with NSEC only DNSKEYs to an NSEC3 zone.
2022-08-10 15:29:59 +02:00
dnskey.algorithm == DST_ALG_DSA ||
dnskey.algorithm == DST_ALG_RSASHA1)
{
bool deleted = false;
if (diff != NULL) {
use ISC_LIST_FOREACH in more places use the ISC_LIST_FOREACH pattern in places where lists had been iterated using a different pattern from the typical `for` loop: for example, `while (!ISC_LIST_EMPTY(...))` or `while ((e = ISC_LIST_HEAD(...)) != NULL)`.
2025-03-22 15:26:16 -07:00
ISC_LIST_FOREACH(diff->tuples, tuple, link) {
Wait with NSEC3 during a DNSSEC policy change When doing a dnssec-policy reconfiguration from a zone with NSEC only keys to a zone that uses NSEC3, figure out to wait with building the NSEC3 chain. Previously, BIND 9 would attempt to sign such a zone, but failed to do so because the NSEC3 chain conflicted with existing DNSKEY records in the zone that were not compatible with NSEC3. There exists logic for detecting such a case in the functions dnskey_sane() (in lib/dns/zone.c) and check_dnssec() (in lib/ns/update.c). Both functions look very similar so refactor them to use the same code and call the new function (called dns_zone_check_dnskey_nsec3()). Also update the dns_nsec_nseconly() function to take an additional parameter 'diff' that, if provided, will be checked whether an offending NSEC only DNSKEY will be deleted from the zone. If so, this key will not be considered when checking the zone for NSEC only DNSKEYs. This is needed to allow a transition from an NSEC zone with NSEC only DNSKEYs to an NSEC3 zone.
2022-08-10 15:29:59 +02:00
if (tuple->rdata.type !=
dns_rdatatype_dnskey ||
Update sources to Clang 15 formatting
2022-11-02 19:33:14 +01:00
tuple->op != DNS_DIFFOP_DEL)
{
Wait with NSEC3 during a DNSSEC policy change When doing a dnssec-policy reconfiguration from a zone with NSEC only keys to a zone that uses NSEC3, figure out to wait with building the NSEC3 chain. Previously, BIND 9 would attempt to sign such a zone, but failed to do so because the NSEC3 chain conflicted with existing DNSKEY records in the zone that were not compatible with NSEC3. There exists logic for detecting such a case in the functions dnskey_sane() (in lib/dns/zone.c) and check_dnssec() (in lib/ns/update.c). Both functions look very similar so refactor them to use the same code and call the new function (called dns_zone_check_dnskey_nsec3()). Also update the dns_nsec_nseconly() function to take an additional parameter 'diff' that, if provided, will be checked whether an offending NSEC only DNSKEY will be deleted from the zone. If so, this key will not be considered when checking the zone for NSEC only DNSKEYs. This is needed to allow a transition from an NSEC zone with NSEC only DNSKEYs to an NSEC3 zone.
2022-08-10 15:29:59 +02:00
continue;
}
if (dns_rdata_compare(
&rdata, &tuple->rdata) == 0)
{
deleted = true;
break;
}
}
}
if (!deleted) {
add DNS_RDATASET_FOREACH macro replace the pattern `for (result = dns_rdataset_first(x); result == ISC_R_SUCCES; result = dns_rdataset_next(x)` with a new `DNS_RDATASET_FOREACH` macro throughout BIND.
2025-03-21 23:32:27 -07:00
matched = true;
Wait with NSEC3 during a DNSSEC policy change When doing a dnssec-policy reconfiguration from a zone with NSEC only keys to a zone that uses NSEC3, figure out to wait with building the NSEC3 chain. Previously, BIND 9 would attempt to sign such a zone, but failed to do so because the NSEC3 chain conflicted with existing DNSKEY records in the zone that were not compatible with NSEC3. There exists logic for detecting such a case in the functions dnskey_sane() (in lib/dns/zone.c) and check_dnssec() (in lib/ns/update.c). Both functions look very similar so refactor them to use the same code and call the new function (called dns_zone_check_dnskey_nsec3()). Also update the dns_nsec_nseconly() function to take an additional parameter 'diff' that, if provided, will be checked whether an offending NSEC only DNSKEY will be deleted from the zone. If so, this key will not be considered when checking the zone for NSEC only DNSKEYs. This is needed to allow a transition from an NSEC zone with NSEC only DNSKEYs to an NSEC3 zone.
2022-08-10 15:29:59 +02:00
break;
}
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
2448. [func] Add NSEC3 support. [RT #15452]
2008-09-24 02:46:23 +00:00
}
dns_rdataset_disassociate(&rdataset);
add DNS_RDATASET_FOREACH macro replace the pattern `for (result = dns_rdataset_first(x); result == ISC_R_SUCCES; result = dns_rdataset_next(x)` with a new `DNS_RDATASET_FOREACH` macro throughout BIND.
2025-03-21 23:32:27 -07:00
*answer = matched;
return ISC_R_SUCCESS;
2448. [func] Add NSEC3 support. [RT #15452]
2008-09-24 02:46:23 +00:00
}
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
/*%
* Return ISC_R_SUCCESS if we can determine that the name doesn't exist
* or we can determine whether there is data or not at the name.
* If the name does not exist return the wildcard name.
*
* Return ISC_R_IGNORE when the NSEC is not the appropriate one.
*/
isc_result_t
4546. [func] Extend the use of const declarations. [RT #43379]
2016-12-30 15:45:08 +11:00
dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
const dns_name_t *nsecname, dns_rdataset_t *nsecset,
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
bool *exists, bool *data, dns_name_t *wild,
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
dns_nseclog_t logit, void *arg) {
int order;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
dns_namereln_t relation;
unsigned int olabels, nlabels, labels;
dns_rdata_nsec_t nsec;
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
bool atparent;
bool ns;
bool soa;
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
REQUIRE(exists != NULL);
REQUIRE(data != NULL);
REQUIRE(nsecset != NULL && nsecset->type == dns_rdatatype_nsec);
result = dns_rdataset_first(nsecset);
if (result != ISC_R_SUCCESS) {
(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC set");
return result;
}
dns_rdataset_current(nsecset, &rdata);
Ignore NSEC records without RRSIG and NSEC present dns_nsec_noexistnodata now checks that RRSIG and NSEC are present in the type map. Both types should be present in a correctly constructed NSEC record. This check is in addition to similar checks in resolver.c and validator.c.
2021-11-06 09:30:48 +11:00
#ifdef notyet
if (!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig) ||
!dns_nsec_typepresent(&rdata, dns_rdatatype_nsec))
{
(*logit)(arg, ISC_LOG_DEBUG(3),
"NSEC missing RRSIG and/or NSEC from type map");
return ISC_R_IGNORE;
}
#endif
3461. [bug] Negative responses could incorrectly have AD=1 set. [RT #32237]
2013-01-10 23:09:08 +11:00
(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
if (order < 0) {
/*
* The name is not within the NSEC range.
*/
(*logit)(arg, ISC_LOG_DEBUG(3),
"NSEC does not cover name, before NSEC");
return ISC_R_IGNORE;
}
if (order == 0) {
/*
* The names are the same. If we are validating "."
* then atparent should not be set as there is no parent.
*/
atparent = (olabels != 1) && dns_rdatatype_atparent(type);
ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
if (ns && !soa) {
if (!atparent) {
/*
* This NSEC record is from somewhere higher in
* the DNS, and at the parent of a delegation.
* It can not be legitimately used here.
*/
(*logit)(arg, ISC_LOG_DEBUG(3),
"ignoring parent nsec");
return ISC_R_IGNORE;
}
} else if (atparent && ns && soa) {
/*
* This NSEC record is from the child.
* It can not be legitimately used here.
*/
(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring child nsec");
return ISC_R_IGNORE;
}
if (type == dns_rdatatype_cname || type == dns_rdatatype_nxt ||
type == dns_rdatatype_nsec || type == dns_rdatatype_key ||
!dns_nsec_typepresent(&rdata, dns_rdatatype_cname))
{
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
*exists = true;
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
*data = dns_nsec_typepresent(&rdata, type);
(*logit)(arg, ISC_LOG_DEBUG(3),
"nsec proves name exists (owner) data=%d",
*data);
return ISC_R_SUCCESS;
}
(*logit)(arg, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
return ISC_R_IGNORE;
}
if (relation == dns_namereln_subdomain &&
the presence of a DNAME record proves that the name does not exist in the zone but as we don't want to use that for NXDMOMAIN return DNS_R_DNAME from dns_nsec_noexistnodata
2018-07-06 15:07:59 +10:00
dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
!dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
{
/*
* This NSEC record is from somewhere higher in
Don't synthesize NXDOMAIN from NSEC for records under a DNAME
2018-07-05 12:58:49 +02:00
* the DNS, and at the parent of a delegation or
* at a DNAME.
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
* It can not be legitimately used here.
*/
(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
return ISC_R_IGNORE;
}
the presence of a DNAME record proves that the name does not exist in the zone but as we don't want to use that for NXDMOMAIN return DNS_R_DNAME from dns_nsec_noexistnodata
2018-07-06 15:07:59 +10:00
if (relation == dns_namereln_subdomain &&
dns_nsec_typepresent(&rdata, dns_rdatatype_dname))
{
(*logit)(arg, ISC_LOG_DEBUG(3), "nsec proves covered by dname");
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
*exists = false;
the presence of a DNAME record proves that the name does not exist in the zone but as we don't want to use that for NXDMOMAIN return DNS_R_DNAME from dns_nsec_noexistnodata
2018-07-06 15:07:59 +10:00
return DNS_R_DNAME;
}
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
result = dns_rdata_tostruct(&rdata, &nsec, NULL);
if (result != ISC_R_SUCCESS) {
return result;
Use clang-tidy to add curly braces around one-line statements The command used to reformat the files in this commit was: ./util/run-clang-tidy \ -clang-tidy-binary clang-tidy-11 -clang-apply-replacements-binary clang-apply-replacements-11 \ -checks=-*,readability-braces-around-statements \ -j 9 \ -fix \ -format \ -style=file \ -quiet clang-format -i --style=format $(git ls-files '*.c' '*.h') uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h') clang-format -i --style=format $(git ls-files '*.c' '*.h')
2020-02-13 21:48:23 +01:00
}
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
if (order == 0) {
dns_rdata_freestruct(&nsec);
(*logit)(arg, ISC_LOG_DEBUG(3),
"ignoring nsec matches next name");
return ISC_R_IGNORE;
}
if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
/*
* The name is not within the NSEC range.
*/
dns_rdata_freestruct(&nsec);
(*logit)(arg, ISC_LOG_DEBUG(3),
"ignoring nsec because name is past end of range");
return ISC_R_IGNORE;
}
if (order > 0 && relation == dns_namereln_subdomain) {
(*logit)(arg, ISC_LOG_DEBUG(3),
"nsec proves name exist (empty)");
dns_rdata_freestruct(&nsec);
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
*exists = true;
*data = false;
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
return ISC_R_SUCCESS;
}
if (wild != NULL) {
dns_name_t common;
Simplify dns_name_init() Remove the now-unused offsets parameter from dns_name_init().
2025-02-21 12:09:39 +01:00
dns_name_init(&common);
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
if (olabels > nlabels) {
labels = dns_name_countlabels(nsecname);
dns_name_getlabelsequence(nsecname, labels - olabels,
olabels, &common);
} else {
labels = dns_name_countlabels(&nsec.next);
dns_name_getlabelsequence(&nsec.next, labels - nlabels,
nlabels, &common);
}
remove 'target' parameter from dns_name_concatenate() the target buffer passed to dns_name_concatenate() was never used (except for one place in dig, where it wasn't actually needed, and has already been removed in a prior commit). we can safely remove the parameter.
2025-02-21 00:56:47 -08:00
result = dns_name_concatenate(dns_wildcardname, &common, wild);
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
if (result != ISC_R_SUCCESS) {
dns_rdata_freestruct(&nsec);
(*logit)(arg, ISC_LOG_DEBUG(3),
"failure generating wildcard name");
return result;
}
}
dns_rdata_freestruct(&nsec);
(*logit)(arg, ISC_LOG_DEBUG(3), "nsec range ok");
Replace custom isc_boolean_t with C standard bool type
2018-04-17 08:29:14 -07:00
*exists = false;
3443. [bug] The NOQNAME proof was not being returned from cached insecure responses. [RT #21409]
2012-12-19 09:55:02 +11:00
return ISC_R_SUCCESS;
}
Add dns_nsec_requiredtypespresent checks an NSEC rdataset to ensure that both NSEC and RRSIG are present in the type map. These types are required for the NSEC to be valid
2021-11-27 09:12:08 +11:00
bool
dns_nsec_requiredtypespresent(dns_rdataset_t *nsecset) {
add DNS_RDATASET_FOREACH macro replace the pattern `for (result = dns_rdataset_first(x); result == ISC_R_SUCCES; result = dns_rdataset_next(x)` with a new `DNS_RDATASET_FOREACH` macro throughout BIND.
2025-03-21 23:32:27 -07:00
dns_rdataset_t rdataset = DNS_RDATASET_INIT;
Add dns_nsec_requiredtypespresent checks an NSEC rdataset to ensure that both NSEC and RRSIG are present in the type map. These types are required for the NSEC to be valid
2021-11-27 09:12:08 +11:00
bool found = false;
REQUIRE(DNS_RDATASET_VALID(nsecset));
REQUIRE(nsecset->type == dns_rdatatype_nsec);
dns_rdataset_clone(nsecset, &rdataset);
add DNS_RDATASET_FOREACH macro replace the pattern `for (result = dns_rdataset_first(x); result == ISC_R_SUCCES; result = dns_rdataset_next(x)` with a new `DNS_RDATASET_FOREACH` macro throughout BIND.
2025-03-21 23:32:27 -07:00
DNS_RDATASET_FOREACH(&rdataset) {
Add dns_nsec_requiredtypespresent checks an NSEC rdataset to ensure that both NSEC and RRSIG are present in the type map. These types are required for the NSEC to be valid
2021-11-27 09:12:08 +11:00
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(&rdataset, &rdata);
if (!dns_nsec_typepresent(&rdata, dns_rdatatype_nsec) ||
!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig))
{
dns_rdataset_disassociate(&rdataset);
return false;
}
found = true;
}
dns_rdataset_disassociate(&rdataset);
return found;
}
Reference in New Issue Copy Permalink