mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00
Code Issues Releases Wiki Activity

Merge branch '3607-apex-in-name_external-may-be-invalid-when-using-dual-stack-servers' into 'main'

Browse Source 
Resolve "apex in name_external may be invalid when using dual stack servers"

Closes #3607

See merge request isc-projects/bind9!6924
This commit is contained in:
Mark Andrews
2022-11-17 01:50:10 +00:00
parent 3921181e0d 8a2149f502
commit 2001a0cdeb
16 changed files with 129 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,3 +1,6 @@
6021. [bug] Use the current domain name when checking answers from
a dual-stack-server. [GL #3607]
6020. [bug] Ensure 'named-checkconf -z' respects the check-wildcard 6020. [bug] Ensure 'named-checkconf -z' respects the check-wildcard
option when loading a zone. [GL #1905] option when loading a zone. [GL #1905]

5
bin/tests/system/resolver/ns4/named.conf.in
View File

@@ -57,6 +57,11 @@ zone "sourcens" {
file "sourcens.db"; file "sourcens.db";
}; };
zone "v4only.net" {
type primary;
file "v4only.net.db";
};
key rndc_key { key rndc_key {
secret "1234abcd8765"; secret "1234abcd8765";
algorithm @DEFAULT_HMAC@; algorithm @DEFAULT_HMAC@;

22
bin/tests/system/resolver/ns4/v4only.net.db Normal file
View File

@@ -0,0 +1,22 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA marka.isc.org. ns.server. (
2010 ; serial
600 ; refresh
600 ; retry
1200 ; expire
600 ; minimum
)
@ NS v4.nameserver.
A 10.0.0.1
* CNAME @

2
bin/tests/system/resolver/ns6/named.conf.in
View File

@@ -20,7 +20,7 @@ options {
port @PORT@; port @PORT@;
pid-file "named.pid"; pid-file "named.pid";
listen-on { 10.53.0.6; }; listen-on { 10.53.0.6; };
listen-on-v6 { none; }; listen-on-v6 { fd92:7065:b8e:ffff::6; };
recursion no; recursion no;
dnssec-validation no; dnssec-validation no;
querylog yes; querylog yes;

3
bin/tests/system/resolver/ns6/root.db
View File

@@ -19,6 +19,7 @@ $TTL 300
) )
. NS a.root-servers.nil. . NS a.root-servers.nil.
a.root-servers.nil. A 10.53.0.6 a.root-servers.nil. A 10.53.0.6
a.root-servers.nil. AAAA fd92:7065:b8e:ffff::6
moves. NS ns.server. moves. NS ns.server.
server. NS ns7.server. server. NS ns7.server.
ns7.server. A 10.53.0.7 ns7.server. A 10.53.0.7
@@ -31,3 +32,5 @@ no-edns-version.tld. NS ns.no-edns-version.tld.
ns.no-edns-version.tld. A 10.53.0.6 ns.no-edns-version.tld. A 10.53.0.6
edns-version.tld. NS ns.edns-version.tld. edns-version.tld. NS ns.edns-version.tld.
ns.edns-version.tld. A 10.53.0.7 ns.edns-version.tld. A 10.53.0.7
v4only.net. NS v4.nameserver.
v4.nameserver. A 10.53.0.4

2
bin/tests/system/resolver/ns7/named1.conf.in
View File

@@ -20,7 +20,7 @@ options {
port @PORT@; port @PORT@;
pid-file "named.pid"; pid-file "named.pid";
listen-on { 10.53.0.7; }; listen-on { 10.53.0.7; };
listen-on-v6 { none; }; listen-on-v6 { fd92:7065:b8e:ffff::7; };
recursion yes; recursion yes;
dnssec-validation yes; dnssec-validation yes;
empty-zones-enable yes; empty-zones-enable yes;

2
bin/tests/system/resolver/ns7/named2.conf.in
View File

@@ -20,7 +20,7 @@ options {
port @PORT@; port @PORT@;
pid-file "named.pid"; pid-file "named.pid";
listen-on { 10.53.0.7; }; listen-on { 10.53.0.7; };
listen-on-v6 { none; }; listen-on-v6 { fd92:7065:b8e:ffff::7; };
recursion yes; recursion yes;
dnssec-validation yes; dnssec-validation yes;
empty-zones-enable yes; empty-zones-enable yes;

2
bin/tests/system/resolver/ns9/named.args Normal file
View File

@@ -0,0 +1,2 @@
# this server is IPv6 only
-6 -m record -c named.conf -d 99 -D resolver-ns9 -X named.lock -g -T maxcachesize=2097152

39
bin/tests/system/resolver/ns9/named.conf.in Normal file
View File

@@ -0,0 +1,39 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS9
options {
port @PORT@;
pid-file "named.pid";
listen-on { none; };
listen-on-v6 { fd92:7065:b8e:ffff::9; };
recursion yes;
dnssec-validation yes;
dual-stack-servers { fd92:7065:b8e:ffff::7; };
qname-minimization off;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet fd92:7065:b8e:ffff::9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "root.hint";
};

0
bin/tests/system/resolver/ns9/named.ipv6-only Normal file
View File

15
bin/tests/system/resolver/ns9/root.hint Normal file
View File

@@ -0,0 +1,15 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 999999
. IN NS a.root-servers.nil.
a.root-servers.nil. IN A 10.53.0.6
a.root-servers.nil. IN AAAA fd92:7065:b8e:ffff::6;

1
bin/tests/system/resolver/setup.sh
View File

@@ -23,5 +23,6 @@ copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named1.conf.in ns7/named.conf copy_setports ns7/named1.conf.in ns7/named.conf
copy_setports ns9/named.conf.in ns9/named.conf
(cd ns6 && $SHELL keygen.sh) (cd ns6 && $SHELL keygen.sh)

13
bin/tests/system/resolver/tests.sh
View File

@@ -847,5 +847,18 @@ grep "IN.*TXT.*baz" dig.out.ns1.test${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret)) status=$((status + ret))
n=$((n+1))
echo_i "check that correct namespace is chosen for dual-stack-servers ($n)"
ret=0
#
# The two priming queries are needed until we fix dual-stack-servers fully
#
dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver A > dig.out.prime1.${n} || ret=1
dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver AAAA > dig.out.prime2.${n} || ret=1
dig_with_opts @fd92:7065:b8e:ffff::9 foo.v4only.net A > dig.out.ns9.${n} || ret=1
grep "status: NOERROR" dig.out.ns9.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "exit status: $status" echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1 [ $status -eq 0 ] || exit 1

7
bin/tests/system/start.pl
View File

@@ -426,8 +426,13 @@ sub verify_ns_server {
$tcp = ""; $tcp = "";
} }
my $ip = "10.53.0.$n";
if (-e "$testdir/$server/named.ipv6-only") {
$ip = "fd92:7065:b8e:ffff::$n";
}
while (1) { while (1) {
my $return = system("$DIG $tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noedns -p $port version.bind. chaos txt \@10.53.0.$n > /dev/null"); my $return = system("$DIG $tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noedns -p $port version.bind. chaos txt \@$ip > /dev/null");
last if ($return == 0); last if ($return == 0);

4
bin/tests/system/stop.pl
View File

@@ -182,6 +182,10 @@ sub stop_rndc {
} }
my $ip = "10.53.0.$n"; my $ip = "10.53.0.$n";
if (-e "$testdir/$server/named.ipv6-only") {
$ip = "fd92:7065:b8e:ffff::$n";
}
my $how = $halt ? "halt" : "stop"; my $how = $halt ? "halt" : "stop";
# Ugly, but should work. # Ugly, but should work.

16
lib/dns/resolver.c
View File

@@ -375,6 +375,11 @@ struct fetchctx {
ISC_LIST(resquery_t) queries; ISC_LIST(resquery_t) queries;
dns_adbfindlist_t finds; dns_adbfindlist_t finds;
dns_adbfind_t *find; dns_adbfind_t *find;
/*
* altfinds are names and/or addresses of dual stack servers that
* should be used when iterative resolution to a server is not
* possible because the address family of that server is not usable.
*/
dns_adbfindlist_t altfinds; dns_adbfindlist_t altfinds;
dns_adbfind_t *altfind; dns_adbfind_t *altfind;
dns_adbaddrinfolist_t forwaddrs; dns_adbaddrinfolist_t forwaddrs;
@@ -609,12 +614,14 @@ struct dns_resolver {
#define FCTX_ADDRINFO_EDNSOK 0x04000 #define FCTX_ADDRINFO_EDNSOK 0x04000
#define FCTX_ADDRINFO_NOCOOKIE 0x08000 #define FCTX_ADDRINFO_NOCOOKIE 0x08000
#define FCTX_ADDRINFO_BADCOOKIE 0x10000 #define FCTX_ADDRINFO_BADCOOKIE 0x10000
#define FCTX_ADDRINFO_DUALSTACK 0x20000
#define UNMARKED(a) (((a)->flags & FCTX_ADDRINFO_MARK) == 0) #define UNMARKED(a) (((a)->flags & FCTX_ADDRINFO_MARK) == 0)
#define ISFORWARDER(a) (((a)->flags & FCTX_ADDRINFO_FORWARDER) != 0) #define ISFORWARDER(a) (((a)->flags & FCTX_ADDRINFO_FORWARDER) != 0)
#define NOCOOKIE(a) (((a)->flags & FCTX_ADDRINFO_NOCOOKIE) != 0) #define NOCOOKIE(a) (((a)->flags & FCTX_ADDRINFO_NOCOOKIE) != 0)
#define EDNSOK(a) (((a)->flags & FCTX_ADDRINFO_EDNSOK) != 0) #define EDNSOK(a) (((a)->flags & FCTX_ADDRINFO_EDNSOK) != 0)
#define BADCOOKIE(a) (((a)->flags & FCTX_ADDRINFO_BADCOOKIE) != 0) #define BADCOOKIE(a) (((a)->flags & FCTX_ADDRINFO_BADCOOKIE) != 0)
#define ISDUALSTACK(a) (((a)->flags & FCTX_ADDRINFO_DUALSTACK) != 0)
#define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0) #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) #define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
@@ -3477,7 +3484,7 @@ findname(fetchctx_t *fctx, const dns_name_t *name, in_port_t port,
} }
} }
} }
if ((flags & FCTX_ADDRINFO_FORWARDER) != 0) { if ((flags & FCTX_ADDRINFO_DUALSTACK) != 0) {
ISC_LIST_APPEND(fctx->altfinds, find, publink); ISC_LIST_APPEND(fctx->altfinds, find, publink);
} else { } else {
ISC_LIST_APPEND(fctx->finds, find, publink); ISC_LIST_APPEND(fctx->finds, find, publink);
@@ -3797,7 +3804,7 @@ normal_nses:
a = ISC_LIST_NEXT(a, link)) { a = ISC_LIST_NEXT(a, link)) {
if (!a->isaddress) { if (!a->isaddress) {
findname(fctx, &a->_u._n.name, a->_u._n.port, findname(fctx, &a->_u._n.name, a->_u._n.port,
stdoptions, FCTX_ADDRINFO_FORWARDER, stdoptions, FCTX_ADDRINFO_DUALSTACK,
now, NULL, NULL, NULL); now, NULL, NULL, NULL);
continue; continue;
} }
@@ -3810,6 +3817,7 @@ normal_nses:
if (result == ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) {
dns_adbaddrinfo_t *cur; dns_adbaddrinfo_t *cur;
ai->flags |= FCTX_ADDRINFO_FORWARDER; ai->flags |= FCTX_ADDRINFO_FORWARDER;
ai->flags |= FCTX_ADDRINFO_DUALSTACK;
cur = ISC_LIST_HEAD(fctx->altaddrs); cur = ISC_LIST_HEAD(fctx->altaddrs);
while (cur != NULL && cur->srtt < ai->srtt) { while (cur != NULL && cur->srtt < ai->srtt) {
cur = ISC_LIST_NEXT(cur, publink); cur = ISC_LIST_NEXT(cur, publink);
@@ -6832,7 +6840,9 @@ name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
unsigned int labels; unsigned int labels;
dns_namereln_t rel; dns_namereln_t rel;
apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : fctx->domain; apex = (ISDUALSTACK(fctx->addrinfo) || !ISFORWARDER(fctx->addrinfo))
? fctx->domain
: fctx->fwdname;
/* /*
* The name is outside the queried namespace. * The name is outside the queried namespace.