
2245. [bug] Validating lack of DS records at trust anchors wasn't

working. [RT #17151]
This commit is contained in:
Mark Andrews
2007-09-19 03:38:56 +00:00
parent 69f3cb5abc
commit 8bedd9647f
3 changed files with 31 additions and 4 deletions


@@ -1,3 +1,6 @@
2245. [bug] Validating lack of DS records at trust anchors wasn't
working. [RT #17151]
2244. [func] Allow the check of nameserver names against the 2244. [func] Allow the check of nameserver names against the
SOA MNAME field to be disabled by specifying SOA MNAME field to be disabled by specifying
'notify-to-soa yes;'. [RT #17073] 'notify-to-soa yes;'. [RT #17073]


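--- a/validator.h
+++ b/validator.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: validator.h,v 1.38 2007/06/18 23:47:42 tbox Exp $ */
+/* $Id: validator.h,v 1.39 2007/09/19 03:38:56 marka Exp $ */
 #ifndef DNS_VALIDATOR_H
 #define DNS_VALIDATOR_H 1
@@ -81,11 +81,24 @@ typedef struct dns_validatorevent {
 ISC_EVENT_COMMON(struct dns_validatorevent);
 dns_validator_t * validator;
 isc_result_t result;
+/*
+ * Name and type of the response to be validated.
+ */
 dns_name_t * name;
 dns_rdatatype_t type;
+/*
+ * Rdata and RRSIG (if any) for positive responses.
+ */
 dns_rdataset_t * rdataset;
 dns_rdataset_t * sigrdataset;
+/*
+ * The full response. Required for negative responses.
+ * Also required for positive wildcard responses.
+ */
 dns_message_t * message;
+/*
+ * Proofs to be cached.
+ */
 dns_name_t * proofs[3];
 } dns_validatorevent_t;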
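Review bot: The new comment on `proofs[3]` at the end of the second hunk says only that these are proofs to be cached, so the meaning of the three slots and the literal `3` remain undocumented while every other new comment states what its field holds. If the header already defines index constants for the proof slots, the comment should name them, e.g. `/* Proofs to be cached, one slot per proof type (see the proof index constants). */`; if it does not, a small enum for the indices would make the array size self-describing. Similarly, the comment on `message` states when the field is required but not whether it may be NULL for the remaining positive, non-wildcard responses; a one-line clarification there would save readers of the validator code a trip through the call sites.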


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: validator.c,v 1.154 2007/09/14 05:43:05 marka Exp $ */ /* $Id: validator.c,v 1.155 2007/09/19 03:38:55 marka Exp $ */
#include <config.h> #include <config.h>
@@ -2390,6 +2390,10 @@ finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
dns_fixedname_init(&val->dlvsep); dns_fixedname_init(&val->dlvsep);
dlvsep = dns_fixedname_name(&val->dlvsep); dlvsep = dns_fixedname_name(&val->dlvsep);
dns_name_copy(val->event->name, dlvsep, NULL); dns_name_copy(val->event->name, dlvsep, NULL);
/*
* If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor.
*/
if (val->event->type == dns_rdatatype_ds) { if (val->event->type == dns_rdatatype_ds) {
labels = dns_name_countlabels(dlvsep); labels = dns_name_countlabels(dlvsep);
if (labels == 0) if (labels == 0)
@@ -2492,9 +2496,16 @@ proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
if (val->havedlvsep) if (val->havedlvsep)
dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL); dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
else { else {
dns_name_copy(val->event->name, secroot, NULL);
/*
* If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor.
*/
if (val->event->type == dns_rdatatype_ds &&
dns_name_countlabels(secroot) > 1U)
dns_name_split(secroot, 1, NULL, secroot);
result = dns_keytable_finddeepestmatch(val->keytable, result = dns_keytable_finddeepestmatch(val->keytable,
val->event->name, secroot, secroot);
secroot);
if (result == ISC_R_NOTFOUND) { if (result == ISC_R_NOTFOUND) {
validator_log(val, ISC_LOG_DEBUG(3), validator_log(val, ISC_LOG_DEBUG(3),