Merge branch '3607-apex-in-name_external-may-be-invalid-when-using-dual-stack-servers' into 'main'

Resolve "apex in name_external may be invalid when using dual stack servers" Closes #3607 See merge request isc-projects/bind9!6924
2025-08-30 05:57:52 +00:00 · 2022-11-17 01:50:10 +00:00 · 2022-11-17 01:50:10 +00:00 · 2001a0cdeb
commit 2001a0cdeb
parent 3921181e0d 8a2149f502
16 changed files with 129 additions and 7 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+6021.	[bug]		Use the current domain name when checking answers from
+			a dual-stack-server. [GL #3607]
+
 6020.	[bug]		Ensure 'named-checkconf -z' respects the check-wildcard
 			option when loading a zone.  [GL #1905]

--- a/bin/tests/system/resolver/ns4/named.conf.in
+++ b/bin/tests/system/resolver/ns4/named.conf.in
@ -57,6 +57,11 @@ zone "sourcens" {
    file "sourcens.db";
 };

+zone "v4only.net" {
+	type primary;
+	file "v4only.net.db";
+};
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
--- a/bin/tests/system/resolver/ns4/v4only.net.db
+++ b/bin/tests/system/resolver/ns4/v4only.net.db
@ -0,0 +1,22 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ 			IN SOA	marka.isc.org. ns.server. (
+				2010   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+@			NS	v4.nameserver.
+			A	10.0.0.1
+*			CNAME	@
--- a/bin/tests/system/resolver/ns6/named.conf.in
+++ b/bin/tests/system/resolver/ns6/named.conf.in
@ -20,7 +20,7 @@ options {
 	port @PORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.6; };
-	listen-on-v6 { none; };
+	listen-on-v6 { fd92:7065:b8e:ffff::6; };
 	recursion no;
 	dnssec-validation no;
 	querylog yes;
--- a/bin/tests/system/resolver/ns6/root.db
+++ b/bin/tests/system/resolver/ns6/root.db
@ -19,6 +19,7 @@ $TTL 300
 				)
 .			NS	a.root-servers.nil.
 a.root-servers.nil.	A	10.53.0.6
+a.root-servers.nil.	AAAA	fd92:7065:b8e:ffff::6
 moves.			NS	ns.server.
 server.			NS	ns7.server.
 ns7.server.		A	10.53.0.7
@ -31,3 +32,5 @@ no-edns-version.tld.	NS	ns.no-edns-version.tld.
 ns.no-edns-version.tld.	A	10.53.0.6
 edns-version.tld.	NS	ns.edns-version.tld.
 ns.edns-version.tld.	A	10.53.0.7
+v4only.net.		NS	v4.nameserver.
+v4.nameserver.		A	10.53.0.4
--- a/bin/tests/system/resolver/ns7/named1.conf.in
+++ b/bin/tests/system/resolver/ns7/named1.conf.in
@ -20,7 +20,7 @@ options {
 	port @PORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.7; };
-	listen-on-v6 { none; };
+	listen-on-v6 { fd92:7065:b8e:ffff::7; };
 	recursion yes;
 	dnssec-validation yes;
 	empty-zones-enable yes;
--- a/bin/tests/system/resolver/ns7/named2.conf.in
+++ b/bin/tests/system/resolver/ns7/named2.conf.in
@ -20,7 +20,7 @@ options {
 	port @PORT@;
 	pid-file "named.pid";
 	listen-on { 10.53.0.7; };
-	listen-on-v6 { none; };
+	listen-on-v6 { fd92:7065:b8e:ffff::7; };
 	recursion yes;
 	dnssec-validation yes;
 	empty-zones-enable yes;
--- a/bin/tests/system/resolver/ns9/named.args
+++ b/bin/tests/system/resolver/ns9/named.args
@ -0,0 +1,2 @@
+# this server is IPv6 only
+-6 -m record -c named.conf -d 99 -D resolver-ns9 -X named.lock -g -T maxcachesize=2097152
--- a/bin/tests/system/resolver/ns9/named.conf.in
+++ b/bin/tests/system/resolver/ns9/named.conf.in
@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS9
+
+options {
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { none; };
+	listen-on-v6 { fd92:7065:b8e:ffff::9; };
+	recursion yes;
+	dnssec-validation yes;
+	dual-stack-servers { fd92:7065:b8e:ffff::7; };
+	qname-minimization off;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet fd92:7065:b8e:ffff::9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+	type hint;
+	file "root.hint";
+};
--- a/bin/tests/system/resolver/ns9/named.ipv6-only
+++ b/bin/tests/system/resolver/ns9/named.ipv6-only
--- a/bin/tests/system/resolver/ns9/root.hint
+++ b/bin/tests/system/resolver/ns9/root.hint
@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	 a.root-servers.nil.
+a.root-servers.nil.	 IN A	 10.53.0.6
+a.root-servers.nil.	 IN AAAA fd92:7065:b8e:ffff::6;
--- a/bin/tests/system/resolver/setup.sh
+++ b/bin/tests/system/resolver/setup.sh
@ -23,5 +23,6 @@ copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
 copy_setports ns7/named1.conf.in ns7/named.conf
+copy_setports ns9/named.conf.in ns9/named.conf

 (cd ns6 && $SHELL keygen.sh)
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@ -847,5 +847,18 @@ grep "IN.*TXT.*baz" dig.out.ns1.test${n} > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n+1))
+echo_i "check that correct namespace is chosen for dual-stack-servers ($n)"
+ret=0
+#
+# The two priming queries are needed until we fix dual-stack-servers fully
+#
+dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver A > dig.out.prime1.${n} || ret=1
+dig_with_opts @fd92:7065:b8e:ffff::9 v4.nameserver AAAA > dig.out.prime2.${n} || ret=1
+dig_with_opts @fd92:7065:b8e:ffff::9 foo.v4only.net A > dig.out.ns9.${n} || ret=1
+grep "status: NOERROR" dig.out.ns9.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/bin/tests/system/start.pl
+++ b/bin/tests/system/start.pl
@ -426,8 +426,13 @@ sub verify_ns_server {
 		$tcp = "";
 	}

+	my $ip = "10.53.0.$n";
+	if (-e "$testdir/$server/named.ipv6-only") {
+		$ip = "fd92:7065:b8e:ffff::$n";
+	}
+
 	while (1) {
-		my $return = system("$DIG $tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noedns -p $port version.bind. chaos txt \@10.53.0.$n > /dev/null");
+		my $return = system("$DIG $tcp +noadd +nosea +nostat +noquest +nocomm +nocmd +noedns -p $port version.bind. chaos txt \@$ip > /dev/null");

 		last if ($return == 0);

--- a/bin/tests/system/stop.pl
+++ b/bin/tests/system/stop.pl
@ -182,6 +182,10 @@ sub stop_rndc {
 	}

 	my $ip = "10.53.0.$n";
+	if (-e "$testdir/$server/named.ipv6-only") {
+		$ip = "fd92:7065:b8e:ffff::$n";
+	}
+
 	my $how = $halt ? "halt" : "stop";

 	# Ugly, but should work.
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -375,6 +375,11 @@ struct fetchctx {
 	ISC_LIST(resquery_t) queries;
 	dns_adbfindlist_t finds;
 	dns_adbfind_t *find;
+	/*
+	 * altfinds are names and/or addresses of dual stack servers that
+	 * should be used when iterative resolution to a server is not
+	 * possible because the address family of that server is not usable.
+	 */
 	dns_adbfindlist_t altfinds;
 	dns_adbfind_t *altfind;
 	dns_adbaddrinfolist_t forwaddrs;
@ -609,12 +614,14 @@ struct dns_resolver {
 #define FCTX_ADDRINFO_EDNSOK	0x04000
 #define FCTX_ADDRINFO_NOCOOKIE	0x08000
 #define FCTX_ADDRINFO_BADCOOKIE 0x10000
+#define FCTX_ADDRINFO_DUALSTACK 0x20000

 #define UNMARKED(a)    (((a)->flags & FCTX_ADDRINFO_MARK) == 0)
 #define ISFORWARDER(a) (((a)->flags & FCTX_ADDRINFO_FORWARDER) != 0)
 #define NOCOOKIE(a)    (((a)->flags & FCTX_ADDRINFO_NOCOOKIE) != 0)
 #define EDNSOK(a)      (((a)->flags & FCTX_ADDRINFO_EDNSOK) != 0)
 #define BADCOOKIE(a)   (((a)->flags & FCTX_ADDRINFO_BADCOOKIE) != 0)
+#define ISDUALSTACK(a) (((a)->flags & FCTX_ADDRINFO_DUALSTACK) != 0)

 #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
 #define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
@ -3477,7 +3484,7 @@ findname(fetchctx_t *fctx, const dns_name_t *name, in_port_t port,
 				}
 			}
 		}
-		if ((flags & FCTX_ADDRINFO_FORWARDER) != 0) {
+		if ((flags & FCTX_ADDRINFO_DUALSTACK) != 0) {
 			ISC_LIST_APPEND(fctx->altfinds, find, publink);
 		} else {
 			ISC_LIST_APPEND(fctx->finds, find, publink);
@ -3797,7 +3804,7 @@ normal_nses:
 		     a = ISC_LIST_NEXT(a, link)) {
 			if (!a->isaddress) {
 				findname(fctx, &a->_u._n.name, a->_u._n.port,
-					 stdoptions, FCTX_ADDRINFO_FORWARDER,
+					 stdoptions, FCTX_ADDRINFO_DUALSTACK,
 					 now, NULL, NULL, NULL);
 				continue;
 			}
@ -3810,6 +3817,7 @@ normal_nses:
 			if (result == ISC_R_SUCCESS) {
 				dns_adbaddrinfo_t *cur;
 				ai->flags |= FCTX_ADDRINFO_FORWARDER;
+				ai->flags |= FCTX_ADDRINFO_DUALSTACK;
 				cur = ISC_LIST_HEAD(fctx->altaddrs);
 				while (cur != NULL && cur->srtt < ai->srtt) {
 					cur = ISC_LIST_NEXT(cur, publink);
@ -6832,7 +6840,9 @@ name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
 	unsigned int labels;
 	dns_namereln_t rel;

-	apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : fctx->domain;
+	apex = (ISDUALSTACK(fctx->addrinfo) || !ISFORWARDER(fctx->addrinfo))
+		       ? fctx->domain
+		       : fctx->fwdname;

 	/*
 	 * The name is outside the queried namespace.