diff --git a/CHANGES b/CHANGES
index 1c99810845..4310ac8116 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
+
 2826. [bug] NSEC3->NSEC transitions could fail due to a lock not being released. [RT #20740]
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
index a818fe63cc..4ab32c8c8d 100644
--- a/lib/dns/include/dns/ncache.h
+++ b/lib/dns/include/dns/ncache.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: ncache.h,v 1.25 2008/09/25 04:02:39 tbox Exp $ */
+/* $Id: ncache.h,v 1.26 2009/12/30 06:46:58 each Exp $ */
 #ifndef DNS_NCACHE_H
 #define DNS_NCACHE_H 1
@@ -76,7 +76,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 * The 'covers' argument is the RR type whose nonexistence we are caching,
 * or dns_rdatatype_any when caching a NXDOMAIN response.
 *
- * 'optout' indicates a DNS_RATASETATTR_OPTOUT should be set.
+ * 'optout' indicates a DNS_RDATASETATTR_OPTOUT should be set.
 *
 * Note:
 *\li If 'addedrdataset' is not NULL, then it will be attached to the added
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 2fd0bc1c86..027e23605b 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: validator.c,v 1.182 2009/11/17 23:55:18 marka Exp $ */
+/* $Id: validator.c,v 1.183 2009/12/30 06:46:58 each Exp $ */
 #include 
@@ -3276,20 +3276,20 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
 if (val->havedlvsep)
 dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
 else {
+ unsigned int labels;
 dns_name_copy(val->event->name, secroot, NULL);
 /*
 * If this is a response to a DS query, we need to look in
 * the parent zone for the trust anchor.
 */
- if (val->event->type == dns_rdatatype_ds &&
- dns_name_countlabels(secroot) > 1U)
- dns_name_split(secroot, 1, NULL, secroot);
+
+ labels = dns_name_countlabels(secroot);
+ if (val->event->type == dns_rdatatype_ds && labels > 1U)
+ dns_name_getlabelsequence(secroot, 1, labels - 1,
+ secroot);
 result = dns_keytable_finddeepestmatch(val->keytable,
 secroot, secroot);
- if (result == ISC_R_NOTFOUND) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "not beneath secure root");
 if (val->mustbesecure) {
 validator_log(val, ISC_LOG_WARNING,
 "must be secure failure, "