diff --git a/CHANGES b/CHANGES
index 934ea81f96..e871fe824a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+6090. [bug] Fix a bug in resolver's resume_dslookup() function by
+ making sure that dns_resolver_createfetch() is called
+ with valid parameters, as required by the function.
+ [GL #3839]
+
 6089. [bug] Source ports configured for query-source, transfer-source,
 etc, were being ignored. (This feature is deprecated, but
 it is not yet removed,
diff --git a/bin/tests/system/digdelv/clean.sh b/bin/tests/system/digdelv/clean.sh
index ed9ad87a5b..77e467a499 100644
--- a/bin/tests/system/digdelv/clean.sh
+++ b/bin/tests/system/digdelv/clean.sh
@@ -29,7 +29,9 @@ rm -f ./host.out.test*
 rm -f ./ns*/managed-keys.bind*
 rm -f ./ns*/named.lock
 rm -f ./ns2/dsset-example.
+rm -f ./ns2/dsset-example.tld.
 rm -f ./ns2/example.db ./ns2/K* ./ns2/keyid ./ns2/keydata
+rm -f ./ns2/example.tld.db
 rm -f ./nslookup.out.test*
-rm -f ./yamlget.out.*
 rm -f ./nsupdate.out.test*
+rm -f ./yamlget.out.*
diff --git a/bin/tests/system/digdelv/ns2/named.conf.in b/bin/tests/system/digdelv/ns2/named.conf.in
index 1391b7322c..6a6c2b9fb7 100644
--- a/bin/tests/system/digdelv/ns2/named.conf.in
+++ b/bin/tests/system/digdelv/ns2/named.conf.in
@@ -32,3 +32,8 @@ zone "example" {
 type primary;
 file "example.db";
 };
+
+zone "example.tld" {
+ type primary;
+ file "example.tld.db";
+};
diff --git a/bin/tests/system/digdelv/ns2/sign.sh b/bin/tests/system/digdelv/ns2/sign.sh
index c8564b2830..782b7a1a24 100644
--- a/bin/tests/system/digdelv/ns2/sign.sh
+++ b/bin/tests/system/digdelv/ns2/sign.sh
@@ -27,3 +27,6 @@ grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata
 keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey
 keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds
+
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.tld.)
+"$SIGNER" -Sz -f example.tld.db -o example.tld example.db.in > /dev/null 2>&1 
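Review bot: The new `ksk=$(...)` assignment in the sign.sh hunk is never read afterwards — the earlier block uses `$ksk` to derive keydata and the ns3 anchors, but the added signer line (presumably relying on `-S` to pick the key up from the directory) does not reference it, so the assignment only overwrites the example. KSK variable without effect. If the key is meant to remain a throwaway, prefer `"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.tld. > /dev/null` so a reader does not look for a later use. Discarding the signer's output with `> /dev/null 2>&1` also means a failed signing of example.tld only surfaces later as an opaque "broken trust chain" mismatch in tests.sh; consider keeping stderr or checking the exit status.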
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index 3debad3da8..9e82298f35 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -1396,6 +1396,14 @@ if [ -x "$DELV" ] ; then
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 fi
+
+ n=$((n+1))
+ echo_i "check that delv handles REFUSED when chasing DS records ($n)"
+ delv_with_opts @10.53.0.2 +root xxx.example.tld A > delv.out.test$n 2>&1 || ret=1
+ grep ";; resolution failed: broken trust chain" delv.out.test$n > /dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
 else
 echo_i "$DELV is needed, so skipping these delv tests"
 fi
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index fc6d7f57df..32cb137f7a 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7217,6 +7217,8 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 dns_resolver_t *res = NULL;
 dns_rdataset_t *nsrdataset = NULL;
 dns_rdataset_t nameservers;
+ dns_fixedname_t fixed;
+ dns_name_t *domain = NULL;
 unsigned int n;
 dns_fetch_t *fetch = NULL;
@@ -7291,12 +7293,16 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 goto cleanup;
 }
- /* Get nameservers from fctx->nsfetch before we destroy it. */
+ /* Get nameservers from fetch before we destroy it. */
 dns_rdataset_init(&nameservers);
 if (dns_rdataset_isassociated(&fetch->private->nameservers)) {
 dns_rdataset_clone(&fetch->private->nameservers, &nameservers);
 nsrdataset = &nameservers;
+
+ /* Get domain from fetch before we destroy it. */
+ domain = dns_fixedname_initname(&fixed);
+ dns_name_copy(fetch->private->domain, domain);
 }
 n = dns_name_countlabels(fctx->nsname);
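Review bot: `ret` is never reset before the new check, so a failure in the preceding delv test (whose `status=$((status+ret))` is the last context line) carries over and makes this check report "failed" as well; add `ret=0` right after the `n=$((n+1))` line, as the surrounding checks presumably do. The `|| ret=1` on the `delv_with_opts` line also assumes delv exits 0 even when it prints ";; resolution failed: broken trust chain"; if delv returns non-zero on a failed resolution this test can never pass, so the exit status is worth confirming before relying on both conditions together.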
@@ -7306,10 +7312,10 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 fetchctx_ref(fctx);
 result = dns_resolver_createfetch(
- res, fctx->nsname, dns_rdatatype_ns,
- fetch->private->domain, nsrdataset, NULL, NULL, 0,
- fctx->options, 0, NULL, task, resume_dslookup, fctx,
- &fctx->nsrrset, NULL, &fctx->nsfetch);
+ res, fctx->nsname, dns_rdatatype_ns, domain, nsrdataset,
+ NULL, NULL, 0, fctx->options, 0, NULL, task,
+ resume_dslookup, fctx, &fctx->nsrrset, NULL,
+ &fctx->nsfetch);
 if (result != ISC_R_SUCCESS) {
 fetchctx_unref(fctx);
 if (result == DNS_R_DUPLICATE) {
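Review bot: The correctness of the new `dns_resolver_createfetch()` call now rests on an invariant that is established several lines earlier and is not stated anywhere near the call: `domain` is only copied out of the fetch inside the `if (dns_rdataset_isassociated(...))` block, so `domain` and `nsrdataset` are either both NULL or both set, which is presumably the precondition the changelog refers to (the REQUIRE itself is not visible here). A future edit that moves the copy outside that block, or passes `fetch->private->domain` again after the fetch is destroyed, would reintroduce the bug silently. I would add a comment on the line before `result = dns_resolver_createfetch(`, `/* domain and nsrdataset are both NULL or both set, as createfetch requires; both were copied out of the fetch before it was destroyed. */`, and optionally `INSIST((domain == NULL) == (nsrdataset == NULL));` to make the pairing checked rather than assumed. The enclosing resume_dslookup() starts and ends outside this hunk.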