From 73d664313703d2874c3b1a4380afdcd8ba26dc62 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 1 Jun 2022 08:51:55 +0000
Subject: [PATCH 1/2] Don't process DNSSEC-related and ZONEMD records in catz

When processing a catalog zone update, skip processing records with DNSSEC-related and ZONEMD types, because we are not interested in them in the context of a catalog zone, and processing them will fail and produce an unnecessary warning message.
---
 lib/dns/catz.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 6007a1cab1..c926be424c 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -2088,6 +2088,12 @@ cleanup:
 	return (result);
 }
 
+static bool
+catz_rdatatype_is_processable(const dns_rdatatype_t type) {
+	return (!dns_rdatatype_isdnssec(type) && type != dns_rdatatype_cds &&
+		type != dns_rdatatype_cdnskey && type != dns_rdatatype_zonemd);
+}
+
 void
 dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
 	dns_catz_zone_t *oldzone = NULL, *newzone = NULL;
@@ -2230,6 +2236,17 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
 	result = dns_rdatasetiter_first(rdsiter);
 	while (result == ISC_R_SUCCESS) {
 		dns_rdatasetiter_current(rdsiter, &rdataset);
+
+		/*
+		 * Skip processing DNSSEC-related and ZONEMD types,
+		 * because we are not interested in them in the context
+		 * of a catalog zone, and processing them will fail
+		 * and produce an unnecessary warning message.
+		 */
+		if (!catz_rdatatype_is_processable(rdataset.type)) {
+			goto next;
+		}
+
 		result = dns_catz_update_process(catzs, newzone, name,
						 &rdataset);
 		if (result != ISC_R_SUCCESS) {
@@ -2251,6 +2268,7 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
 				cname, classbuf, typebuf,
 				isc_result_totext(result));
 		}
+	next:
 		dns_rdataset_disassociate(&rdataset);
 		result = dns_rdatasetiter_next(rdsiter);
 	}

From b8073cbe72563b931c6840eb4a1591ab4fc7aac9 Mon Sep 17 00:00:00 2001
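Review bot: The filter in `catz_rdatatype_is_processable` may still let NSEC3PARAM through: as far as I recall `dns_rdatatype_isdnssec()` covers DNSKEY, RRSIG, NSEC, DS and NSEC3 but not NSEC3PARAM, and an NSEC3PARAM RRset sits at the apex of every NSEC3-signed zone, so for such a catalog zone that RRset would still reach `dns_catz_update_process` and produce the very warning this commit sets out to remove. If that is the case, extend the condition with `type != dns_rdatatype_nsec3param`. The helper itself has no comment while the rationale lives only at the call site in the second hunk; a one-liner above it such as `/* Types that carry no catalog-zone semantics; dns_catz_update_from_db() skips them. */` keeps the two in sync if the list grows. The body of `dns_catz_update_from_db` begins in this hunk and continues outside it.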
From: Aram Sargsyan
Date: Thu, 2 Jun 2022 08:42:05 +0000
Subject: [PATCH 2/2] Add CHANGES and release note for [GL #3380]

---
 CHANGES                     | 3 +++
 doc/notes/notes-current.rst | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/CHANGES b/CHANGES
index ff445f22fb..7ea8466bb7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5899.	[func]		Don't try to process DNSSEC-related and ZONEMD records
+			in catz. [GL #3380]
+
 5898.	[cleanup]	Simplify BIND's internal DNS name compression API.
 			As RFC 6891 explains, it isn't practical to deploy
 			new label types or compression methods, so it isn't
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 4537e372ea..2cdadf56de 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -45,3 +45,6 @@ Bug Fixes
 - Key files were updated every time the ``dnssec-policy`` key manager
   ran, whether the metadata has changed or not. BIND now checks if
   changes were applied before writing out the key files. :gl:`#3302`.
+
+- DNSSEC-signed catalog zones were not being processed correctly. This
+  has been fixed. :gl:`#3380`.