
Remove check for missing RRSIG records from getsection

Checking whether the authority section is properly signed should
be left to the validator.  Checking in getsection (dns_message_parse)
was way too early and resulted in resolution failures of lookups
that should have otherwise succeeded.
This commit is contained in:
Mark Andrews 2025-02-19 10:34:47 +11:00
parent d78ebff861
commit 83159d0a54


@ -1169,57 +1169,6 @@ update(dns_section_t section, dns_rdataclass_t rdclass) {
return false; return false;
} }
/*
* Check to confirm that all DNSSEC records (DS, NSEC, NSEC3) have
* covering RRSIGs.
*/
static bool
auth_signed(dns_namelist_t *section) {
dns_name_t *name = NULL;
ISC_LIST_FOREACH (*section, name, link) {
int auth_dnssec = 0, auth_rrsig = 0;
dns_rdataset_t *rds = NULL;
ISC_LIST_FOREACH (name->list, rds, link) {
switch (rds->type) {
case dns_rdatatype_ds:
auth_dnssec |= 0x1;
break;
case dns_rdatatype_nsec:
auth_dnssec |= 0x2;
break;
case dns_rdatatype_nsec3:
auth_dnssec |= 0x4;
break;
case dns_rdatatype_rrsig:
break;
default:
continue;
}
switch (rds->covers) {
case dns_rdatatype_ds:
auth_rrsig |= 0x1;
break;
case dns_rdatatype_nsec:
auth_rrsig |= 0x2;
break;
case dns_rdatatype_nsec3:
auth_rrsig |= 0x4;
break;
default:
break;
}
}
if (auth_dnssec != auth_rrsig) {
return false;
}
}
return true;
}
static isc_result_t static isc_result_t
getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t dctx, getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t dctx,
dns_section_t sectionid, unsigned int options) { dns_section_t sectionid, unsigned int options) {
@ -1691,21 +1640,6 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t dctx,
INSIST(!free_name); INSIST(!free_name);
} }
/*
* If any of DS, NSEC or NSEC3 appeared in the
* authority section of a query response without
* a covering RRSIG, FORMERR
*/
if (sectionid == DNS_SECTION_AUTHORITY &&
msg->opcode == dns_opcode_query &&
((msg->flags & DNS_MESSAGEFLAG_QR) != 0) &&
((msg->flags & DNS_MESSAGEFLAG_TC) == 0) && !preserve_order &&
!auth_signed(section))
{
/* XXX test coverage */
DO_ERROR(DNS_R_FORMERR);
}
if (seen_problem) { if (seen_problem) {
result = DNS_R_RECOVERABLE; result = DNS_R_RECOVERABLE;
} }