mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00
Code Issues Releases Wiki Activity

1275. [bug] When verifying that an NXT proves nonexistence, check

Browse Source 
the rcode of the message and only do the matching NXT
                        check.  That is, for NXDOMAIN responses, check that
                        the name is in the range between the NXT owner and
                        next name, and for NOERROR NODATA responses, check
                        that the type is not present in the NXT bitmap.
This commit is contained in:
Mark Andrews
2002-04-29 23:50:26 +00:00
parent 0dfac52f06
commit c99d9017ba
2 changed files with 27 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
CHANGES
View File

@@ -1,3 +1,10 @@
1275. [bug] When verifying that an NXT proves nonexistence, check
the rcode of the message and only do the matching NXT
check. That is, for NXDOMAIN responses, check that
the name is in the range between the NXT owner and
next name, and for NOERROR NODATA responses, check
that the type is not present in the NXT bitmap.
1274. [func] preferred-glue option from BIND 8.3. 1274. [func] preferred-glue option from BIND 8.3.
1273. [bug] The dnssec system test failed to remove the correct 1273. [bug] The dnssec system test failed to remove the correct

22
lib/dns/validator.c
View File

@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: validator.c,v 1.103 2002/02/20 03:34:22 marka Exp $ */ /* $Id: validator.c,v 1.104 2002/04/29 23:50:24 marka Exp $ */
#include <config.h> #include <config.h>
@@ -345,8 +345,16 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
{ {
int order; int order;
dns_rdata_t rdata = DNS_RDATA_INIT; dns_rdata_t rdata = DNS_RDATA_INIT;
isc_boolean_t isnxdomain;
isc_result_t result; isc_result_t result;
INSIST(DNS_MESSAGE_VALID(val->event->message));
if (val->event->message->rcode == dns_rcode_nxdomain)
isnxdomain = ISC_TRUE;
else
isnxdomain = ISC_FALSE;
result = dns_rdataset_first(nxtset); result = dns_rdataset_first(nxtset);
if (result != ISC_R_SUCCESS) { if (result != ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3), validator_log(val, ISC_LOG_DEBUG(3),
@@ -359,8 +367,13 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
order = dns_name_compare(val->event->name, nxtname); order = dns_name_compare(val->event->name, nxtname);
if (order == 0) { if (order == 0) {
/* /*
* The names are the same, so look for the type present bit. * The names are the same. Look for the type present bit.
*/ */
if (isnxdomain) {
validator_log(val, ISC_LOG_DEBUG(3),
"NXT record seen at nonexistent name");
return (ISC_FALSE);
}
if (val->event->type >= 128) { if (val->event->type >= 128) {
validator_log(val, ISC_LOG_DEBUG(3), "invalid type %d", validator_log(val, ISC_LOG_DEBUG(3), "invalid type %d",
val->event->type); val->event->type);
@@ -379,6 +392,11 @@ nxtprovesnonexistence(dns_validator_t *val, dns_name_t *nxtname,
/* /*
* The NXT owner name is less than the nonexistent name. * The NXT owner name is less than the nonexistent name.
*/ */
if (!isnxdomain) {
validator_log(val, ISC_LOG_DEBUG(3),
"missing NXT record at name");
return (ISC_FALSE);
}
result = dns_rdata_tostruct(&rdata, &nxt, NULL); result = dns_rdata_tostruct(&rdata, &nxt, NULL);
if (result != ISC_R_SUCCESS) if (result != ISC_R_SUCCESS)
return (ISC_FALSE); return (ISC_FALSE);