mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-29 05:28:00 +00:00
1275. [bug] When verifying that an NXT proves nonexistence, check
the rcode of the message and only do the matching NXT check. That is, for NXDOMAIN responses, check that the name is in the range between the NXT owner and next name, and for NOERROR NODATA responses, check that the type is not present in the NXT bitmap.
parent
0dfac52f06
commit
c99d9017ba
7
CHANGES
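--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+1275. [bug] When verifying that an NXT proves nonexistence, check
+the rcode of the message and only do the matching NXT
+check. That is, for NXDOMAIN responses, check that
+the name is in the range between the NXT owner and
+next name, and for NOERROR NODATA responses, check
+that the type is not present in the NXT bitmap.
+
 1274. [func] preferred-glue option from BIND 8.3.
 
 1273. [bug] The dnssec system test failed to remove the correct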
@ -15,7 +15,7 @@
|
||||
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/* $Id: validator.c,v 1.103 2002/02/20 03:34:22 marka Exp $ */
|
||||
/* $Id: validator.c,v 1.104 2002/04/29 23:50:24 marka Exp $ */
|
||||
|
||||
#include <config.h>
|
||||
|
||||
@ -345,8 +345,16 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
|
||||
{
|
||||
int order;
|
||||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
isc_boolean_t isnxdomain;
|
||||
isc_result_t result;
|
||||
|
||||
INSIST(DNS_MESSAGE_VALID(val->event->message));
|
||||
|
||||
if (val->event->message->rcode == dns_rcode_nxdomain)
|
||||
isnxdomain = ISC_TRUE;
|
||||
else
|
||||
isnxdomain = ISC_FALSE;
|
||||
|
||||
result = dns_rdataset_first(nxtset);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
@ -359,8 +367,13 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
|
||||
order = dns_name_compare(val->event->name, nxtname);
|
||||
if (order == 0) {
|
||||
/*
|
||||
* The names are the same, so look for the type present bit.
|
||||
* The names are the same. Look for the type present bit.
|
||||
*/
|
||||
if (isnxdomain) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"NXT record seen at nonexistent name");
|
||||
return (ISC_FALSE);
|
||||
}
|
||||
if (val->event->type >= 128) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3), "invalid type %d",
|
||||
val->event->type);
|
||||
@ -379,6 +392,11 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
|
||||
/*
|
||||
* The NXT owner name is less than the nonexistent name.
|
||||
*/
|
||||
if (!isnxdomain) {
|
||||
validator_log(val, ISC_LOG_DEBUG(3),
|
||||
"missing NXT record at name");
|
||||
return (ISC_FALSE);
|
||||
}
|
||||
result = dns_rdata_tostruct(&rdata, &nxt, NULL);
|
||||
if (result != ISC_R_SUCCESS)
|
||||
return (ISC_FALSE);
|
||||
|
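Review bot: In the second hunk of nxtprovesnonexistence(), `isnxdomain` becomes ISC_FALSE for every rcode other than dns_rcode_nxdomain, so a response with any other rcode is put through the NODATA bitmap check, although the change description limits that check to NOERROR responses. The rcode is read from the message header, which DNSSEC signatures do not cover, so it is safer to accept only the two cases the proof logic understands: test `val->event->message->rcode == dns_rcode_noerror` explicitly before `isnxdomain = ISC_FALSE;` and finish the chain with `else return (ISC_FALSE);` after a debug log line. Whether callers already filter other rcodes is not visible here, since the function starts and ends outside the hunks shown. A short comment above the `INSIST` stating that callers must supply the response message would also help, because a failed INSIST aborts the process rather than failing the validation.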