2951. [bug] named failed to generate a correct signed response

in a optout, delegation only zone with no secure delegations. [RT #22007]
2025-09-01 15:05:23 +00:00 · 2010-09-07 00:58:36 +00:00
parent e92e62990b
commit 240a7dc59d
7 changed files with 112 additions and 7 deletions
--- a/4
+++ b/4
@@ -1,3 +1,7 @@
 2951.	[bug]		named failed to generate a correct signed response
 			in a optout, delegation only zone with no secure
 			delegations. [RT #22007]
 2950.	[bug]		named failed to perform a SOA up to date check when
 			falling back to TCP on UDP timeouts when
 			ixfr-from-differences was set. [RT #21595]
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: clean.sh,v 1.29 2010/08/13 06:46:24 marka Exp $
+# $Id: clean.sh,v 1.30 2010/09/07 00:58:35 marka Exp $
 rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
@@ -24,6 +24,7 @@ rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
 rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
 rm -f ns2/private.secure.example.db
 rm -f ns2/badparam.db ns2/badparam.db.bad
 rm -f ns2/single-nsec3.db
 rm -f */example.bk
 rm -f dig.out.*
 rm -f random.data
--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: named.conf,v 1.32 2010/08/13 23:47:03 tbox Exp $ */
+/* $Id: named.conf,v 1.33 2010/09/07 00:58:35 marka Exp $ */
 // NS2
@@ -80,10 +80,14 @@ zone "child.optout.example" {
 	allow-update { none; };
 };
 zone "badparam" {
 	type master;
 	file "badparam.db.bad";
 };
 zone "single-nsec3" {
 	type master;
 	file "single-nsec3.db.signed";
 };
 include "trusted.conf";
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: sign.sh,v 1.39 2010/08/13 06:46:25 marka Exp $
+# $Id: sign.sh,v 1.40 2010/09/07 00:58:35 marka Exp $
 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -115,7 +115,6 @@ cat $dlvinfile $dlvkeyname.key dlvset-$privzone > $dlvzonefile
 $SIGNER -P -g -r $RANDFILE -o $dlvzone $dlvzonefile > /dev/null
 # Sign the badparam secure file
 zone=badparam.
@@ -130,3 +129,16 @@ cat $infile $keyname1.key $keyname2.key >$zonefile
 $SIGNER -P -3 - -H 1 -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
 sed 's/IN NSEC3 1 0 1 /IN NSEC3 1 0 10 /' $zonefile.signed > $zonefile.bad
 # Sign the single-nsec3 secure zone with optout
 zone=single-nsec3.
 infile=single-nsec3.db.in
 zonefile=single-nsec3.db
 keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
 keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
 cat $infile $keyname1.key $keyname2.key >$zonefile
 $SIGNER -P -3 - -A -H 1 -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
--- a/bin/tests/system/dnssec/ns2/single-nsec3.db.in
+++ b/bin/tests/system/dnssec/ns2/single-nsec3.db.in
@@ -0,0 +1,26 @@
 ; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
 ;
 ; Permission to use, copy, modify, and/or distribute this software for any
 ; purpose with or without fee is hereby granted, provided that the above
 ; copyright notice and this permission notice appear in all copies.
 ;
 ; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 ; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 ; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 ; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 ; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 ; $Id: single-nsec3.db.in,v 1.2 2010/09/07 00:58:36 marka Exp $
 $TTL 300	; 5 minutes
@			IN SOA	ns2.example. . (
 				2010042407 ; serial
 				20         ; refresh (20 seconds)
 				20         ; retry (20 seconds)
 				1814400    ; expire (3 weeks)
 				3600       ; minimum (1 hour)
 				)
 			NS	ns2.example.
 delegation		NS	ns3.example.
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.69 2010/08/13 06:46:24 marka Exp $
+# $Id: tests.sh,v 1.70 2010/09/07 00:58:35 marka Exp $
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -1006,6 +1006,36 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 #
 # RT22007 regression test.
 #
 echo "I:checking optout NSEC3 referral with only insecure delegations ($n)"
 ret=0
 $DIG $DIGOPTS +norec delegation.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
 grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:checking optout NSEC3 NXDOMAIN with only insecure delegations ($n)"
 ret=0
 $DIG $DIGOPTS +norec nonexist.single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
 grep "status: NXDOMAIN" dig.out.ns2.test$n > /dev/null || ret=1
 grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:checking optout NSEC3 nodata with only insecure delegations ($n)"
 ret=0
 $DIG $DIGOPTS +norec single-nsec3. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
 grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
 grep "3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN.*NSEC3 1 1 1 - 3KL3NK1HKQ4IUEEHBEF12VGFKUETNBAN" dig.out.ns2.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 # Run a minimal update test if possible.  This is really just
 # a regression test for RT #2399; more tests should be added.
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: rbtdb.c,v 1.304 2010/08/13 23:47:03 tbox Exp $ */
+/* $Id: rbtdb.c,v 1.305 2010/09/07 00:58:36 marka Exp $ */
 /*! \file */
@@ -7378,6 +7378,8 @@ dns_rbtdb_create
 	 * change.
 	 */
 	if (!IS_CACHE(rbtdb)) {
 		dns_rbtnode_t *nsec3node;
 		rbtdb->origin_node = NULL;
 		result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin,
 					 &rbtdb->origin_node);
@@ -7400,6 +7402,32 @@ dns_rbtdb_create
 		rbtdb->origin_node->locknum =
 			dns_name_hash(&name, ISC_TRUE) %
 			rbtdb->node_lock_count;
 #endif
 		/*
 		 * Add an apex node to the NSEC3 tree so that NSEC3 searches
 		 * return partial matches when there is only a single NSEC3
 		 * record in the tree.
 		 */
 		nsec3node = NULL;
 		result = dns_rbt_addnode(rbtdb->nsec3, &rbtdb->common.origin,
 					 &nsec3node);
 		if (result != ISC_R_SUCCESS) {
 			INSIST(result != ISC_R_EXISTS);
 			free_rbtdb(rbtdb, ISC_FALSE, NULL);
 			return (result);
 		}
 		nsec3node->nsec = DNS_RBT_NSEC_NSEC3;
 		/*
 		 * We need to give the nsec3 origin node the right locknum.
 		 */
 		dns_name_init(&name, NULL);
 		dns_rbt_namefromnode(nsec3node, &name);
 #ifdef DNS_RBT_USEHASH
 		nsec3node->locknum = nsec3node->hashval %
 			rbtdb->node_lock_count;
 #else
 		nsec3node->locknum = dns_name_hash(&name, ISC_TRUE) %
 			rbtdb->node_lock_count;
 #endif
 	}