2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]

2025-08-31 14:35:26 +00:00 · 2009-12-30 06:46:58 +00:00
parent 3156309a79
commit 9ead684875
3 changed files with 11 additions and 9 deletions
--- a/2
+++ b/2
@@ -1,3 +1,5 @@
+2827.	[security]	Bogus NXDOMAIN could be cached as if valid. [RT #20712]
+
 2826.	[bug]		NSEC3->NSEC transitions could fail due to a lock not
 			being released.  [RT #20740]

--- a/lib/dns/include/dns/ncache.h
+++ b/lib/dns/include/dns/ncache.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: ncache.h,v 1.25 2008/09/25 04:02:39 tbox Exp $ */
+/* $Id: ncache.h,v 1.26 2009/12/30 06:46:58 each Exp $ */

 #ifndef DNS_NCACHE_H
 #define DNS_NCACHE_H 1
@@ -76,7 +76,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 * The 'covers' argument is the RR type whose nonexistence we are caching,
 * or dns_rdatatype_any when caching a NXDOMAIN response.
 *
- * 'optout' indicates a DNS_RATASETATTR_OPTOUT should be set.
+ * 'optout' indicates a DNS_RDATASETATTR_OPTOUT should be set.
 *
 * Note:
 *\li	If 'addedrdataset' is not NULL, then it will be attached to the added
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: validator.c,v 1.182 2009/11/17 23:55:18 marka Exp $ */
+/* $Id: validator.c,v 1.183 2009/12/30 06:46:58 each Exp $ */

 #include <config.h>

@@ -3276,20 +3276,20 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
 	if (val->havedlvsep)
 		dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
 	else {
+		unsigned int labels;
 		dns_name_copy(val->event->name, secroot, NULL);
 		/*
 		 * If this is a response to a DS query, we need to look in
 		 * the parent zone for the trust anchor.
 		 */
-		if (val->event->type == dns_rdatatype_ds &&
-		    dns_name_countlabels(secroot) > 1U)
-			dns_name_split(secroot, 1, NULL, secroot);
+
+		labels = dns_name_countlabels(secroot);
+		if (val->event->type == dns_rdatatype_ds && labels > 1U)
+			dns_name_getlabelsequence(secroot, 1, labels - 1,
+						  secroot);
 		result = dns_keytable_finddeepestmatch(val->keytable,
 						       secroot, secroot);
-
 		if (result == ISC_R_NOTFOUND) {
-			validator_log(val, ISC_LOG_DEBUG(3),
-				      "not beneath secure root");
 			if (val->mustbesecure) {
 				validator_log(val, ISC_LOG_WARNING,
 					      "must be secure failure, "