diff --git a/CHANGES b/CHANGES
index 959bcc717f..ffedb9299d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3391. [bug] DNSKEY that encountered a CNAME failed. [RT #31262]
+
 3390. [bug] Silence clang compiler warnings. [RT #30417]
 3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index fe98a3a774..8e21caa871 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -38,6 +38,7 @@ rm -f ns3/optout-unknown.example.db ns3/optout.example.db
 rm -f ns3/expired.example.db ns3/update-nsec3.example.db
 rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk
 rm -f */named.memstats
+rm -f */named.run
 rm -f ns3/nsec3.nsec3.example.db
 rm -f ns3/nsec3.optout.example.db
 rm -f ns3/optout.nsec3.example.db
diff --git a/bin/tests/system/dnssec/ns3/secure.example.db.in b/bin/tests/system/dnssec/ns3/secure.example.db.in
index 2637d29de3..95b7372cd9 100644
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -44,3 +44,7 @@ ns.nosoa A 10.53.0.7
 normalthenrrsig A 10.0.0.28
 rrsigonly A 10.0.0.29
+
+cnameandkey CNAME @
+cnamenokey CNAME @
+dnameandkey DNAME @
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 728ab22846..36c8d30c2d 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -26,9 +26,11 @@ zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
+cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host cnameandkey.$zone`
+dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host dnameandkey.$zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
-cat $infile $keyname.key >$zonefile
+cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 5f2c06b293..e4040ddb74 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1809,5 +1809,71 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+echo "I:testing DNSKEY lookup via CNAME ($n)"
+ret=0
+$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
+ @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
+ @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing KEY lookup at CNAME (present) ($n)"
+ret=0
+$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
+ @10.53.0.3 key > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
+ @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing KEY lookup at CNAME (not present) ($n)"
+ret=0
+$DIG $DIGOPTS +noauth cnamenokey.secure.example. \
+ @10.53.0.3 key > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth cnamenokey.secure.example. \
+ @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing DNSKEY lookup via DNAME ($n)"
+ret=0
+$DIG $DIGOPTS a.dnameandkey.secure.example. \
+ @10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS a.dnameandkey.secure.example. \
+ @10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
+grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:testing KEY lookup via DNAME ($n)"
+ret=0
+$DIG $DIGOPTS b.dnameandkey.secure.example. \
+ @10.53.0.3 key > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS b.dnameandkey.secure.example. \
+ @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index cd0667cfbe..256c29bb38 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -5914,12 +5914,12 @@ answer_response(fetchctx_t *fctx) {
  * but we found a CNAME.
  *
  * Getting a CNAME response for some
- * query types is an error.
+ * query types is an error, see
+ * RFC 4035, Section 2.5.
  */
 if (type == dns_rdatatype_rrsig ||
- type == dns_rdatatype_dnskey ||
- type == dns_rdatatype_nsec ||
- type == dns_rdatatype_nsec3) {
+ type == dns_rdatatype_key ||
+ type == dns_rdatatype_nsec) {
 char buf[DNS_RDATATYPE_FORMATSIZE];
 dns_rdatatype_format(fctx->type, buf,
 sizeof(buf));
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index e3c52d10e5..1a620f8099 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
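Review bot: None of the five new test blocks checks the response code on ns4, so once the `ad` grep and the CNAME/DNAME greps pass, a validated NXDOMAIN or NODATA answer is indistinguishable from the intended positive answer; adding `grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1` after the flags grep in each block would pin the expected rcode. Which rcode each case should produce (in particular cnamenokey, a KEY query at a CNAME owner that has no KEY) is not visible from the hunk, so the expected value should be confirmed against ns3's output before hard-coding it. The `grep "CNAME"` and `grep "DNAME"` checks also match the string anywhere in dig's output rather than in the record-type column; a pattern such as `grep "IN.CNAME"` (the dot standing for the tab dig prints) would be more specific.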
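Review bot: The rewritten condition in answer_response drops `dns_rdatatype_nsec3` from the query types for which a CNAME answer is rejected, but the CHANGES entry and the new system tests cover only the DNSKEY and KEY cases, and the RFC 4035 Section 2.5 cited in the new comment predates NSEC3 (RFC 5155), so the reason a CNAME response to an NSEC3 query is no longer treated as an error is not visible here. Either restore `type == dns_rdatatype_nsec3 ||` or extend the new comment with that reason, so the next reader does not re-add it as a regression fix. Adding `dns_rdatatype_key` is consistent with the cited section, which permits a KEY RRset beside a CNAME. The `if` body and the rest of answer_response continue outside the hunk.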
@@ -1852,6 +1852,10 @@ isselfsigned(dns_validator_t *val) {
 name = val->event->name;
 mctx = val->view->mctx;
+ if (rdataset->type == dns_rdatatype_cname || rdataset->type == dns_rdatatype_dname)
+ return (answer);
+
 INSIST(rdataset->type == dns_rdatatype_dnskey);
 for (result = dns_rdataset_first(rdataset);
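Review bot: The new early return in isselfsigned hands back `answer` for CNAME and DNAME rdatasets before the DNSKEY loop, but the value `answer` holds at that point is assigned outside the hunk, so whether such an rdataset is reported as "not self-signed" rests on that initialization rather than on anything stated here. A comment on the new branch, e.g. `/* A DNSKEY query may be answered by a CNAME/DNAME chain (RFC 4035, Section 2.5); such an rdataset is never self-signed. */`, would make the intent explicit and tie it to the matching resolver.c change. The function head and the loop body lie outside the hunk.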