From 600b0277316e2e34d48c9dbbcad2cf759abfc1be Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 20 Apr 2017 13:28:48 +1000 Subject: [PATCH] 4587. [bug] named-checkzone failed to handle occulted data below DNAMEs correctly. [RT #44877] --- CHANGES | 3 +++ bin/tests/system/checkzone/tests.sh | 16 ++++++++++++++ .../delegating-ns-address-below-dname.db | 13 +++++++++++ .../checkzone/zones/ns-address-below-dname.db | 11 ++++++++++ lib/dns/zone.c | 22 +++++++++++++++---- 5 files changed, 61 insertions(+), 4 deletions(-) create mode 100644 bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db create mode 100644 bin/tests/system/checkzone/zones/ns-address-below-dname.db diff --git a/CHANGES b/CHANGES index e9a50b55ed..3608b29ccf 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4587. [bug] named-checkzone failed to handle occulted data below + DNAMEs correctly. [RT #44877] + 4586. [func] dig, host and nslookup now use TCP for ANY queries. [RT #44687] diff --git a/bin/tests/system/checkzone/tests.sh b/bin/tests/system/checkzone/tests.sh index 34401750af..125626d20a 100644 --- a/bin/tests/system/checkzone/tests.sh +++ b/bin/tests/system/checkzone/tests.sh 
@@ -162,5 +162,21 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +echo "I:checking that nameserver below DNAME is reported even with occulted address record present ($n)" +ret=0 +$CHECKZONE example.com zones/ns-address-below-dname.db > test.out.$n 2>&1 && ret=1 +grep "is below a DNAME" test.out.$n >/dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that delegating nameserver below DNAME is reported even with occulted address record present ($n)" +ret=0 +$CHECKZONE example.com zones/delegating-ns-address-below-dname.db > test.out.$n 2>&1 || ret=1 +grep "is below a DNAME" test.out.$n >/dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db b/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db new file mode 100644 index 0000000000..ec13ffadd1 --- /dev/null +++ b/bin/tests/system/checkzone/zones/delegating-ns-address-below-dname.db @@ -0,0 +1,13 @@ +$TTL 300 +example.com. SOA marka.isc.org. a.root.servers.nil. ( + 2026 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +example.com. NS ns.example.com. +ns.example.com. A 192.168.0.2 +sub.example.com. NS ns.sub2.example.com. +sub2.example.com. DNAME example.net. +ns.sub2.example.com. A 192.168.0.2 diff --git a/bin/tests/system/checkzone/zones/ns-address-below-dname.db b/bin/tests/system/checkzone/zones/ns-address-below-dname.db new file mode 100644 index 0000000000..b6d7c41fb0 --- /dev/null +++ b/bin/tests/system/checkzone/zones/ns-address-below-dname.db 
@@ -0,0 +1,11 @@ +$TTL 300 +example.com. SOA marka.isc.org. a.root.servers.nil. ( + 2026 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +example.com. DNAME example.net. +example.com. NS ns.example.com +ns.example.com. A 192.168.0.2 diff --git a/lib/dns/zone.c b/lib/dns/zone.c index e503039b81..f477efc765 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -2702,10 +2702,24 @@ zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name, dns_rdataset_init(&a); dns_rdataset_init(&aaaa); + /* + * Perform a regular lookup to catch DNAME records then look + * for glue. + */ result = dns_db_find(db, name, NULL, dns_rdatatype_a, - DNS_DBFIND_GLUEOK, 0, NULL, - foundname, &a, NULL); - + 0, 0, NULL, foundname, &a, NULL); + switch (result) { + case ISC_R_SUCCESS: + case DNS_R_DNAME: + case DNS_R_CNAME: + break; + default: + if (dns_rdataset_isassociated(&a)) + dns_rdataset_disassociate(&a); + result = dns_db_find(db, name, NULL, dns_rdatatype_a, + DNS_DBFIND_GLUEOK, 0, NULL, + foundname, &a, NULL); + } if (result == ISC_R_SUCCESS) { dns_rdataset_disassociate(&a); return (ISC_TRUE); @@ -2723,7 +2737,7 @@ zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name, dns_rdataset_disassociate(&aaaa); return (ISC_TRUE); } - if (tresult == DNS_R_DELEGATION) + if (tresult == DNS_R_DELEGATION || tresult == DNS_R_DNAME) dns_rdataset_disassociate(&aaaa); if (result == DNS_R_GLUE || tresult == DNS_R_GLUE) { /*
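Review bot: The NS target on the line `example.com. NS ns.example.com` has no trailing dot, so it is a relative name and, assuming named-checkzone loads the file with the zone name as origin, expands to `ns.example.com.example.com.`, which has no address record in this file. The test would then report a name below the apex DNAME without exercising the case in its title (an NS target whose own A record is hidden under the DNAME), and it may pass even without the zone.c change. Writing the target as `ns.example.com.` would match the `ns.example.com. A 192.168.0.2` record, as the sibling fixture delegating-ns-address-below-dname.db does with `ns.sub2.example.com.`.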
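Review bot: The `default:` arm of the new `switch (result)` in the first zone.c hunk runs off the end without a `break;`, and the comment above the first `dns_db_find()` does not say why `ISC_R_SUCCESS`, `DNS_R_DNAME` and `DNS_R_CNAME` are final while every other result is retried with `DNS_DBFIND_GLUEOK`. I would end the arm with `break;` and put a comment such as `/* No answer or alias from the regular lookup; retry allowing glue. */` above the second call, since this ordering is what keeps an address record hidden beneath a DNAME from being accepted as glue. On the `DNS_R_DNAME` and `DNS_R_CNAME` paths `a` may still be associated when the switch exits; the second hunk releases `aaaa` on `DNS_R_DNAME` for what looks like the same reason. No matching release for `a` is visible, but zone_check_glue starts before and continues after both hunks, so that needs checking against the full function.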