From da34d92aeee25dedd6affd69623dc7d0aba2cc23 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 19 Sep 2003 05:53:28 +0000 Subject: [PATCH] 1509. [bug] Hint zones should accept delegation-only. Forward zone should not accept delegation-only. 1508. [bug] Don't apply delegation-only checks to answers from forwarders. 1507. [bug] Handle BIND 8 style returns to NS queries to parents when making delegation-only checks. --- CHANGES | 11 ++++++++++- bin/named/server.c | 16 ++++++++++++++-- doc/arm/Bv9ARM-book.xml | 13 +++++++------ lib/bind9/check.c | 4 ++-- lib/dns/resolver.c | 41 ++++++++++++++++++++++++++++++++++------- 5 files changed, 67 insertions(+), 18 deletions(-) diff --git a/CHANGES b/CHANGES index cb714af8d4..87d625bb15 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,15 @@ +1509. [bug] Hint zones should accept delegation-only. Forward + zone should not accept delegation-only. + +1508. [bug] Don't apply delegation-only checks to answers from + forwarders. + +1507. [bug] Handle BIND 8 style returns to NS queries to parents + when making delegation-only checks. + 1506. [bug] Wrong return type for dns_view_isdelegationonly(). -1505. [bug] Uninitialized rdataset in sdb. [RT #8750] +1505. [bug] Uninitialised rdataset in sdb. [RT #8750] 1504. [func] New zone type "delegation-only". diff --git a/bin/named/server.c b/bin/named/server.c index 5568dae366..f22cdbbd16 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.401 2003/09/17 05:24:41 marka Exp $ */ +/* $Id: server.c,v 1.402 2003/09/19 05:53:26 marka Exp $ */ #include @@ -1276,6 +1276,7 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *forwardtype = NULL; cfg_obj_t *only = NULL; isc_result_t result; + isc_result_t tresult; isc_buffer_t buffer; dns_fixedname_t fixorigin; dns_name_t *origin; 
@@ -1341,14 +1342,25 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig, } if (dns_name_equal(origin, dns_rootname)) { char *hintsfile = cfg_obj_asstring(fileobj); + result = configure_hints(view, hintsfile); - if (result != ISC_R_SUCCESS) + if (result != ISC_R_SUCCESS) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, "could not configure root hints " "from '%s': %s", hintsfile, isc_result_totext(result)); + goto cleanup; + } + /* + * Hint zones may also refer to delegation only points. + */ + only = NULL; + tresult = cfg_map_get(zoptions, "delegation-only", + &only); + if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only)) + CHECK(dns_view_adddelegationonly(view, origin)); } else { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_WARNING, diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 1c9a3f6819..956608add4 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ - + BIND 9 Administrator Reference Manual @@ -2638,8 +2638,7 @@ those servers during resolution. delegation-only Delegation only. Logs queries that have have been forced to NXDOMAIN as the result of a delegation-only zone or -a delegation-only in a stub or forward -zone declartation. +a delegation-only in a hint or stub zone declartation. @@ -4436,7 +4435,7 @@ view "external" { <command>zone</command> Statement Grammar zone zone_name class { - type ( master | slave | hint | stub | forward /| delegation-only ) ; + type ( master | slave | hint | stub | forward | delegation-only ) ; allow-notify { address_match_list } ; allow-query { address_match_list } ; allow-transfer { address_match_list } ; 
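Review bot: The new `delegation-only` lookup sits inside the `dns_name_equal(origin, dns_rootname)` branch, so for a hint zone with any other origin, which reaches the `else` branch that only logs a warning as far as the hunk shows, the option is never read, even though lib/bind9/check.c in this same commit now accepts `delegation-only` for every hint zone; such a configuration passes validation and silently does nothing. The comment `Hint zones may also refer to delegation only points.` should state that scope, e.g. `/* Only the root hint zone is configured here; a delegation-only flag on it makes the root a delegation-only point (non-root hint zones are ignored below). */`. Reading the option into `tresult` rather than `result` is right, since a missing option returns a not-found code that must not become the function's result. `zoptions` is not visible in this hunk and is presumably the zone's option map set up earlier in configure_zone, whose body starts and ends outside the hunk.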
@@ -4582,7 +4581,9 @@ Classes other than IN have no built-in defaults hints. status of infrastructure zones (e.g. COM, NET, ORG). Any answer that is received without a explicit or implict delegation in the authority section will be treated as NXDOMAIN. This does not apply to the zone -apex. This SHOULD NOT be applied to leaf zones. +apex. This SHOULD NOT be applied to leaf zones. +delegation-only has no effect on answers received +from forwarders. @@ -4681,7 +4682,7 @@ with the distribution but none are linked in by default. delegation-only -The flag only applies to forward and stub zones. If set +The flag only applies to hint and stub zones. If set to yes then the zone will also be treated as if it is also a delegation-only type zone. diff --git a/lib/bind9/check.c b/lib/bind9/check.c index a285e1a338..e57a105877 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.38 2003/09/17 05:24:42 marka Exp $ */ +/* $Id: check.c,v 1.39 2003/09/19 05:53:27 marka Exp $ */ #include @@ -438,7 +438,7 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab, { "notify", MASTERZONE | SLAVEZONE }, { "also-notify", MASTERZONE | SLAVEZONE }, { "dialup", MASTERZONE | SLAVEZONE | STUBZONE }, - { "delegation-only", STUBZONE | FORWARDZONE}, + { "delegation-only", HINTZONE | STUBZONE }, { "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE}, { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE}, { "maintain-ixfr-base", MASTERZONE | SLAVEZONE }, diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 54c42dab5c..ac6ebe94dc 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.265 2003/09/17 05:24:42 marka Exp $ */ +/* $Id: resolver.c,v 1.266 2003/09/19 05:53:28 marka Exp $ */ #include 
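Review bot: Replacing `STUBZONE | FORWARDZONE` with `HINTZONE | STUBZONE` in the `delegation-only` row turns a previously accepted option on a forward zone into a validation failure (presumably an error from check_zoneconf, whose body runs outside this hunk) with no migration hint; CHANGES entry 1509 presents this as intended, but the table itself gives no rationale. A one-line comment on the row would spare the next reader a trip to CHANGES, e.g. `/* forward zones never see parent-zone referrals, so delegation-only cannot apply; see CHANGES 1509 */`. If bin/named/server.c's forward-zone path still reads `delegation-only` from the zone options (it is not touched by this diff), that read is now unreachable and should be removed to keep server.c consistent with this table.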
@@ -327,9 +327,9 @@ static isc_result_t ncache_adderesult(dns_message_t *message, isc_result_t *eresultp); static isc_boolean_t -fix_mustbedelegationornxdomain(dns_message_t *message, dns_name_t *domain) { - +fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) { dns_name_t *name; + dns_name_t *domain = &fctx->domain; dns_rdataset_t *rdataset; dns_rdatatype_t type; isc_result_t result; @@ -338,6 +338,33 @@ fix_mustbedelegationornxdomain(dns_message_t *message, dns_name_t *domain) { if (message->rcode == dns_rcode_nxdomain) return (ISC_FALSE); + /* + * Look for BIND 8 style delegations. + * Also look for answers to ANY queries where the duplicate NS RRset + * may have been stripped from the authority section. + */ + if (message->counts[DNS_SECTION_ANSWER] != 0 && + (fctx->type == dns_rdatatype_ns || + fctx->type == dns_rdatatype_any)) { + result = dns_message_firstname(message, DNS_SECTION_ANSWER); + while (result == ISC_R_SUCCESS) { + name = NULL; + dns_message_currentname(message, DNS_SECTION_ANSWER, + &name); + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) { + type = rdataset->type; + if (type != dns_rdatatype_ns) + continue; + if (dns_name_issubdomain(name, domain)) + return (ISC_FALSE); + } + result = dns_message_nextname(message, + DNS_SECTION_ANSWER); + } + } + /* Look for referral. */ if (message->counts[DNS_SECTION_AUTHORITY] == 0) goto munge; @@ -345,8 +372,7 @@ fix_mustbedelegationornxdomain(dns_message_t *message, dns_name_t *domain) { result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); while (result == ISC_R_SUCCESS) { name = NULL; - dns_message_currentname(message, DNS_SECTION_AUTHORITY, - &name); + dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { 
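Review bot: The answer-section scan returns ISC_FALSE on an NS RRset at any name below `domain` without relating that name to the query name, and since `dns_name_issubdomain(name, domain)` is also true when `name` equals `domain`, an NS RRset at the delegation-only apex itself counts as a delegation too; either way the enforcement is switched off for a response whose NS set has nothing to do with `fctx->name`. A BIND 8 style answer carries the NS set of the child actually being delegated, that is at `fctx->name` or an ancestor of it, so the test should be `if (!dns_name_equal(name, domain) && dns_name_issubdomain(name, domain) && dns_name_issubdomain(&fctx->name, name)) return (ISC_FALSE);`. If the authority-section loop below applies the same `dns_name_issubdomain(name, domain)` test, the same tightening belongs there; that loop starts in the next hunk and its body runs past it. The block comment should also say why ANY is treated like NS, e.g. `/* An ANY answer carries the NS RRset in the answer section only; the authority copy is stripped as a duplicate. */`, which is what the second sentence of the existing comment implies but does not state.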
@@ -4967,9 +4993,10 @@ resquery_response(isc_task_t *task, isc_event_t *event) { /* * Enforce delegations only zones like NET and COM. */ - if (dns_view_isdelegationonly(fctx->res->view, &fctx->domain) && + if (!ISFORWARDER(query->addrinfo) && + dns_view_isdelegationonly(fctx->res->view, &fctx->domain) && !dns_name_equal(&fctx->domain, &fctx->name) && - fix_mustbedelegationornxdomain(message, &fctx->domain)) { + fix_mustbedelegationornxdomain(message, fctx)) { char namebuf[DNS_NAME_FORMATSIZE]; char domainbuf[DNS_NAME_FORMATSIZE];
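Review bot: The new `!ISFORWARDER(query->addrinfo)` term exempts forwarder responses from the check, but the comment above the condition, `Enforce delegations only zones like NET and COM.`, still describes only the enforcement, so a reader must go to CHANGES 1508 to learn why forwarders are skipped and what that costs. Extend it, e.g. `Responses relayed by a forwarder are exempt: they presumably do not come from the parent zone's servers, so the referral-shape test in fix_mustbedelegationornxdomain() would misfire; such answers are therefore not policed here at all.` Placing the cheap macro test first so the view lookup is short-circuited is good. resquery_response continues outside the hunk, and the hunk header counts one more line on each side than is visible, presumably a blank context line lost in formatting.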