mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 22:15:20 +00:00
Code Issues Releases Wiki Activity

2245. [bug] Validating lack of DS records at trust anchors wasn't

Browse Source 
working. [RT #17151]
This commit is contained in:
Mark Andrews
2007-09-19 03:38:56 +00:00
parent 69f3cb5abc
commit 8bedd9647f
3 changed files with 31 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,3 +1,6 @@
2245. [bug] Validating lack of DS records at trust anchors wasn't
working. [RT #17151]
2244. [func] Allow the check of nameserver names against the
SOA MNAME field to be disabled by specifying
'notify-to-soa yes;'. [RT #17073]

15
lib/dns/include/dns/validator.h
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.h,v 1.38 2007/06/18 23:47:42 tbox Exp $ */
/* $Id: validator.h,v 1.39 2007/09/19 03:38:56 marka Exp $ */
#ifndef DNS_VALIDATOR_H
#define DNS_VALIDATOR_H 1
@@ -81,11 +81,24 @@ typedef struct dns_validatorevent {
ISC_EVENT_COMMON(struct dns_validatorevent);
dns_validator_t * validator;
isc_result_t result;
/*
* Name and type of the response to be validated.
*/
dns_name_t * name;
dns_rdatatype_t type;
/*
* Rdata and RRSIG (if any) for positive responses.
*/
dns_rdataset_t * rdataset;
dns_rdataset_t * sigrdataset;
/*
* The full response. Required for negative responses.
* Also required for positive wildcard responses.
*/
dns_message_t * message;
/*
* Proofs to be cached.
*/
dns_name_t * proofs[3];
} dns_validatorevent_t;

17
lib/dns/validator.c
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.c,v 1.154 2007/09/14 05:43:05 marka Exp $ */
/* $Id: validator.c,v 1.155 2007/09/19 03:38:55 marka Exp $ */
#include <config.h>
@@ -2390,6 +2390,10 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
dns_fixedname_init(&val->dlvsep);
dlvsep = dns_fixedname_name(&val->dlvsep);
dns_name_copy(val->event->name, dlvsep, NULL);
/*
* If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor.
*/
if (val->event->type == dns_rdatatype_ds) {
labels = dns_name_countlabels(dlvsep);
if (labels == 0)
@@ -2492,9 +2496,16 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
if (val->havedlvsep)
dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
else {
dns_name_copy(val->event->name, secroot, NULL);
/*
* If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor.
*/
if (val->event->type == dns_rdatatype_ds &&
dns_name_countlabels(secroot) > 1U)
dns_name_split(secroot, 1, NULL, secroot);
result = dns_keytable_finddeepestmatch(val->keytable,
val->event->name,
secroot);
secroot, secroot);
if (result == ISC_R_NOTFOUND) {
validator_log(val, ISC_LOG_DEBUG(3),