4587. [bug] named-checkzone failed to handle occulted data below

DNAMEs correctly. [RT #44877]
2025-08-30 05:57:52 +00:00 · 2017-04-20 13:28:48 +10:00 · 2017-04-20 13:28:48 +10:00 · 600b027731
commit 600b027731
parent 033a59090c
5 changed files with 61 additions and 4 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+4587.	[bug]		named-checkzone failed to handle occulted data below
+			DNAMEs correctly. [RT #44877]
+
 4586.	[func]		dig, host and nslookup now use TCP for ANY queries.
 			[RT #44687]

--- a/bin/tests/system/checkzone/tests.sh
+++ b/bin/tests/system/checkzone/tests.sh
@ -162,5 +162,21 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+echo "I:checking that nameserver below DNAME is reported even with occulted address record present ($n)"
+ret=0
+$CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1
+grep "is below a DNAME" test.out.$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)"
+ret=0
+$CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1
+grep "is below a DNAME" test.out.$n >/dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
+++ b/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db
@ -0,0 +1,13 @@
+$TTL 300
+example.com.		SOA	marka.isc.org. a.root.servers.nil. (
+				2026    ; serial
+				600     ; refresh
+				600     ; retry
+				1200    ; expire
+				600     ; minimum
+				)
+example.com.            NS	ns.example.com.
+ns.example.com.		A       192.168.0.2
+sub.example.com.        NS      ns.sub2.example.com.
+sub2.example.com.       DNAME   example.net.
+ns.sub2.example.com.	A       192.168.0.2
--- a/bin/tests/system/checkzone/zones/ns-address-below-dname.db
+++ b/bin/tests/system/checkzone/zones/ns-address-below-dname.db
@ -0,0 +1,11 @@
+$TTL 300
+example.com.		SOA	marka.isc.org. a.root.servers.nil. (
+				2026    ; serial
+				600     ; refresh
+				600     ; retry
+				1200    ; expire
+				600     ; minimum
+				)
+example.com.		DNAME	example.net.
+example.com.		NS	ns.example.com
+ns.example.com.		A	192.168.0.2
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@ -2702,10 +2702,24 @@ zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
 	dns_rdataset_init(&a);
 	dns_rdataset_init(&aaaa);

+	/*
+	 * Perform a regular lookup to catch DNAME records then look
+	 * for glue.
+	 */
 	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
-			     DNS_DBFIND_GLUEOK, 0, NULL,
-			     foundname, &a, NULL);
-
+			     0, 0, NULL, foundname, &a, NULL);
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_DNAME:
+	case DNS_R_CNAME:
+		break;
+	default:
+		if (dns_rdataset_isassociated(&a))
+			dns_rdataset_disassociate(&a);
+		result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+				     DNS_DBFIND_GLUEOK, 0, NULL,
+				     foundname, &a, NULL);
+	}
 	if (result == ISC_R_SUCCESS) {
 		dns_rdataset_disassociate(&a);
 		return (ISC_TRUE);
@ -2723,7 +2737,7 @@ zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
 			dns_rdataset_disassociate(&aaaa);
 			return (ISC_TRUE);
 		}
-		if (tresult == DNS_R_DELEGATION)
+		if (tresult == DNS_R_DELEGATION || tresult == DNS_R_DNAME)
 			dns_rdataset_disassociate(&aaaa);
 		if (result == DNS_R_GLUE || tresult == DNS_R_GLUE) {
 			/*