mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-03 16:15:27 +00:00
Code Issues Releases Wiki Activity

2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]

Browse Source
This commit is contained in:
Evan Hunt
2009-12-30 06:46:58 +00:00
parent 3156309a79
commit 9ead684875
3 changed files with 11 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@@ -1,3 +1,5 @@
2827. [security] Bogus NXDOMAIN could be cached as if valid. [RT #20712]
2826. [bug] NSEC3->NSEC transitions could fail due to a lock not 2826. [bug] NSEC3->NSEC transitions could fail due to a lock not
being released. [RT #20740] being released. [RT #20740]

4
lib/dns/include/dns/ncache.h
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: ncache.h,v 1.25 2008/09/25 04:02:39 tbox Exp $ */ /* $Id: ncache.h,v 1.26 2009/12/30 06:46:58 each Exp $ */
#ifndef DNS_NCACHE_H #ifndef DNS_NCACHE_H
#define DNS_NCACHE_H 1 #define DNS_NCACHE_H 1
@@ -76,7 +76,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
* The 'covers' argument is the RR type whose nonexistence we are caching, * The 'covers' argument is the RR type whose nonexistence we are caching,
* or dns_rdatatype_any when caching a NXDOMAIN response. * or dns_rdatatype_any when caching a NXDOMAIN response.
* *
* 'optout' indicates a DNS_RATASETATTR_OPTOUT should be set. * 'optout' indicates a DNS_RDATASETATTR_OPTOUT should be set.
* *
* Note: * Note:
*\li If 'addedrdataset' is not NULL, then it will be attached to the added *\li If 'addedrdataset' is not NULL, then it will be attached to the added

14
lib/dns/validator.c
View File

@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: validator.c,v 1.182 2009/11/17 23:55:18 marka Exp $ */ /* $Id: validator.c,v 1.183 2009/12/30 06:46:58 each Exp $ */
#include <config.h> #include <config.h>
@@ -3276,20 +3276,20 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
if (val->havedlvsep) if (val->havedlvsep)
dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL); dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
else { else {
unsigned int labels;
dns_name_copy(val->event->name, secroot, NULL); dns_name_copy(val->event->name, secroot, NULL);
/* /*
* If this is a response to a DS query, we need to look in * If this is a response to a DS query, we need to look in
* the parent zone for the trust anchor. * the parent zone for the trust anchor.
*/ */
if (val->event->type == dns_rdatatype_ds &&
dns_name_countlabels(secroot) > 1U) labels = dns_name_countlabels(secroot);
dns_name_split(secroot, 1, NULL, secroot); if (val->event->type == dns_rdatatype_ds && labels > 1U)
dns_name_getlabelsequence(secroot, 1, labels - 1,
secroot);
result = dns_keytable_finddeepestmatch(val->keytable, result = dns_keytable_finddeepestmatch(val->keytable,
secroot, secroot); secroot, secroot);
if (result == ISC_R_NOTFOUND) { if (result == ISC_R_NOTFOUND) {
validator_log(val, ISC_LOG_DEBUG(3),
"not beneath secure root");
if (val->mustbesecure) { if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING, validator_log(val, ISC_LOG_WARNING,
"must be secure failure, " "must be secure failure, "