only return DNS_R_ZONECUT from secure zones

2025-08-31 14:35:26 +00:00 · 2001-05-14 19:25:59 +00:00
parent ecf4962155
commit 751aa24c98
3 changed files with 18 additions and 7 deletions
--- a/4
+++ b/4
@@ -1,4 +1,8 @@

+ 829.	[bug]		The DNS_R_ZONECUT result code is only meaningful
+			for secure zone databases.  Queries at zone cut points
+			in non-secure zones should always return a delegation.
+
 828.	[bug]		The errno value from recvfrom() could be overwritten
 			by logging code. [RT #1293]

--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: db.h,v 1.64 2001/01/09 21:52:42 bwelling Exp $ */
+/* $Id: db.h,v 1.65 2001/05/14 19:25:59 halley Exp $ */

 #ifndef DNS_DB_H
 #define DNS_DB_H 1
@@ -712,8 +712,8 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 *						The caller must take care not
 *						to return inappropriate glue
 *						to a client.  This result can
- *						only occur if 'db' is a zone
- *						database.
+ *						only occur if 'db' is a
+ *						secure zone database.
 *
 *		DNS_R_DNAME			The data requested is beneath
 *						a DNAME.  node, foundname,
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: rbtdb.c,v 1.162 2001/05/10 16:26:07 gson Exp $ */
+/* $Id: rbtdb.c,v 1.163 2001/05/14 19:25:57 halley Exp $ */

 /*
 * Principal Author: Bob Halley
@@ -2053,7 +2053,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 			if (type == dns_rdatatype_nxt ||
 			    type == dns_rdatatype_key)
 				result = ISC_R_SUCCESS;
-			else if (type == dns_rdatatype_any)
+			else if (type == dns_rdatatype_any &&
+				 search.rbtdb->secure)
 				result = DNS_R_ZONECUT;
 			else
 				result = DNS_R_GLUE;
@@ -2067,8 +2068,14 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		 * XXX We should cache the glue validity state!
 		 */
 		if (result == DNS_R_GLUE &&
-		    (search.options & DNS_DBFIND_VALIDATEGLUE) != 0 &&
-		    !valid_glue(&search, foundname, type, node)) {
+		    ((search.options & DNS_DBFIND_VALIDATEGLUE) == 0 ||
+		     !valid_glue(&search, foundname, type, node))) {
+		    /*
+		     * Either we're not validating glue (the usual
+		     * case), or we are and this isn't valid glue.  In
+		     * any event, the thing to do is to return a
+		     * delegation.
+		     */
 		    UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
 		    result = setup_delegation(&search, nodep, foundname,
 					      rdataset, sigrdataset);