From 3bf783a6d4627266d76b0ebdc05afdccb3d06ad0 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 16 Feb 2006 00:59:38 +0000
Subject: [PATCH] 1982. [bug] DNSKEY was being accepted on the parent side of a delegation. KEY is still accepted there for RFC 3007 validated updates. [RT #15620]
---
 CHANGES | 4 ++++
 lib/dns/rbtdb.c | 31 ++++++++++++++++++++-----------
 2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/CHANGES b/CHANGES
index 9594f51a88..0b34541c21 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+1982. [bug] DNSKEY was being accepted on the parent side of
+ a delegation. KEY is still accepted there for
+ RFC 3007 validated updates. [RT #15620]
+
 1981. [bug] win32: condition.c:wait() could fail to reattain the mutex lock.
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 8c6112fb67..e7643fb0be 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: rbtdb.c,v 1.225 2006/01/06 00:01:44 marka Exp $ */
+/* $Id: rbtdb.c,v 1.226 2006/02/16 00:59:38 marka Exp $ */
 /*! \file */
@@ -2581,12 +2581,12 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 /*
 * Certain DNSSEC types are not subject to CNAME matching
- * (RFC2535, section 2.3.5).
+ * (RFC4035, section 2.5 and RFC3007).
 *
 * We don't check for RRSIG, because we don't store RRSIG records
 * directly.
 */
-if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
+if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)
 cname_ok = ISC_FALSE;
 /*
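Review bot: The reworded comment in the zone_find hunk at @@ -2581 now cites RFC 4035 §2.5 and RFC 3007 but never says why the `if` line beneath it swaps DNSKEY for KEY, so a later reader can mistake the DNSKEY drop for a typo rather than the fix this commit makes. A one-line reason would settle it, e.g. `* DNSKEY is deliberately not exempt here; KEY is, because RFC 2535 lets it coexist with a CNAME and RFC 3007 update validation depends on finding it there.` The same substitution appears in the cache_find hunk at @@ -3377, and a related (KEY, NSEC) list lives in cname_and_other_data, so a single `static inline isc_boolean_t cname_exempt_type(dns_rdatatype_t type)` used at the first two sites would keep them from drifting the next time the list changes. zone_find starts before the hunk and continues past it.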
@@ -2645,9 +2645,15 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 search.need_cleanup = ISC_TRUE;
 maybe_zonecut = ISC_FALSE;
 at_zonecut = ISC_TRUE;
+ /*
+ * It is not clear if KEY should still be
+ * allowed at the parent side of the zone
+ * cut or not. It is needed for RFC3007
+ * validated updates.
+ */
 if ((search.options & DNS_DBFIND_GLUEOK) == 0 && type != dns_rdatatype_nsec
- && type != dns_rdatatype_dnskey) {
+ && type != dns_rdatatype_key) {
 /*
 * Glue is not OK, but any answer we
 * could return would be glue. Return
@@ -2831,8 +2837,14 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 * and the type is NSEC or KEY.
 */
 if (search.zonecut == node) {
+ /*
+ * It is not clear if KEY should still be
+ * allowed at the parent side of the zone
+ * cut or not. It is needed for RFC3007
+ * validated updates.
+ */
 if (type == dns_rdatatype_nsec ||
- type == dns_rdatatype_dnskey)
+ type == dns_rdatatype_key)
 result = ISC_R_SUCCESS;
 else if (type == dns_rdatatype_any)
 result = DNS_R_ZONECUT;
@@ -3377,12 +3389,12 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 /*
 * Certain DNSSEC types are not subject to CNAME matching
- * (RFC2535, section 2.3.5).
+ * (RFC4035, section 2.5 and RFC3007).
 *
 * We don't check for RRSIG, because we don't store RRSIG records
 * directly.
 */
-if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
+if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)
 cname_ok = ISC_FALSE;
 /*
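Review bot: The comment added before the GLUEOK test in the @@ -2645 hunk records an open question ("It is not clear if KEY should still be allowed…") instead of the decision this commit actually makes, and the identical six lines are pasted again in the @@ -2831 hunk. Since the change deliberately narrows the parent-side exception from DNSKEY to KEY, the comment should state that and point at the ticket, e.g. `/* Only KEY (needed for RFC 3007 validated updates) and NSEC are served from the parent side of a zone cut; DNSKEY belongs to the child and is not accepted here - see RT #15620. */`. The two conditions, `type != dns_rdatatype_nsec && type != dns_rdatatype_key` here and `type == dns_rdatatype_nsec || type == dns_rdatatype_key` at @@ -2831, encode the same set, so a small static predicate would let that comment live in one place. zone_find begins before the first of these hunks and continues past both.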
@@ -4307,16 +4319,13 @@ cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
 * Look for active extant "other data".
 *
 * "Other data" is any rdataset whose type is not
- DNSKEY, RRSIG DNSKEY, NSEC, RRSIG NSEC,
- or RRSIG CNAME.
+ KEY, RRSIG KEY, NSEC, RRSIG NSEC or RRSIG CNAME.
 */
 rdtype = RBTDB_RDATATYPE_BASE(header->type);
 if (rdtype == dns_rdatatype_rrsig || rdtype == dns_rdatatype_sig)
 rdtype = RBTDB_RDATATYPE_EXT(header->type);
 if (rdtype != dns_rdatatype_nsec &&
- rdtype != dns_rdatatype_dnskey &&
- rdtype != dns_rdatatype_nxt &&
 rdtype != dns_rdatatype_key && rdtype != dns_rdatatype_cname) {
 /*
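Review bot: The dropped `rdtype != dns_rdatatype_nxt &&` line removes NXT from the "other data" exemptions, yet neither the commit message nor the CHANGES entry mentions NXT; if this is intentional (NXT being the obsolete RFC 2535 predecessor of NSEC), a word in the comment or in CHANGES would stop it reading as an accidental deletion. The rewritten comment also understates the code: the two lines above the `if` fold `dns_rdatatype_sig` as well as `dns_rdatatype_rrsig` to their covered type, so SIG KEY, SIG NSEC and SIG CNAME are exempt too, and `* KEY, NSEC, or an RRSIG/SIG covering KEY, NSEC or CNAME.` would describe what is actually tested. Tightening the list is presumably the point of the fix - a node holding CNAME alongside DNSKEY is no longer treated as CNAME-only - and a sentence saying so would help the next reader. cname_and_other_data starts before this hunk and continues past it.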