3391. [bug] DNSKEY that encountered a CNAME failed. [RT #31262]

2025-08-31 14:35:26 +00:00 · 2012-10-06 14:56:33 +10:00
parent 611dc88768
commit dbf693fdfd
7 changed files with 84 additions and 5 deletions
--- a/2
+++ b/2
@@ -1,3 +1,5 @@
 3391.	[bug]		DNSKEY that encountered a CNAME failed. [RT #31262]
 3390.	[bug]		Silence clang compiler warnings. [RT #30417]
 3389.	[bug]		Always return NOERROR (not 0) in TSIG. [RT #31275]
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -38,6 +38,7 @@ rm -f ns3/optout-unknown.example.db ns3/optout.example.db
 rm -f ns3/expired.example.db ns3/update-nsec3.example.db
 rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk
 rm -f */named.memstats
 rm -f */named.run
 rm -f ns3/nsec3.nsec3.example.db
 rm -f ns3/nsec3.optout.example.db
 rm -f ns3/optout.nsec3.example.db
--- a/bin/tests/system/dnssec/ns3/secure.example.db.in
+++ b/bin/tests/system/dnssec/ns3/secure.example.db.in
@@ -44,3 +44,7 @@ ns.nosoa		A	10.53.0.7
 normalthenrrsig		A	10.0.0.28
 rrsigonly		A	10.0.0.29
 cnameandkey		CNAME	@
 cnamenokey		CNAME	@
 dnameandkey		DNAME	@
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -26,9 +26,11 @@ zone=secure.example.
 infile=secure.example.db.in
 zonefile=secure.example.db
 cnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host cnameandkey.$zone`
 dnameandkey=`$KEYGEN -T KEY -q -r $RANDFILE -a RSASHA1 -b 768 -n host dnameandkey.$zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
-cat $infile $keyname.key >$zonefile
+cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile
 $SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1809,5 +1809,71 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:testing DNSKEY lookup via CNAME ($n)"
 ret=0
 $DIG $DIGOPTS +noauth cnameandkey.secure.example. \
 	@10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth cnameandkey.secure.example. \
 	@10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
 grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:testing KEY lookup at CNAME (present) ($n)"
 ret=0
 $DIG $DIGOPTS +noauth cnameandkey.secure.example. \
 	@10.53.0.3 key > dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth cnameandkey.secure.example. \
 	@10.53.0.4 key > dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
 grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:testing KEY lookup at CNAME (not present) ($n)"
 ret=0
 $DIG $DIGOPTS +noauth cnamenokey.secure.example. \
 	@10.53.0.3 key > dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS +noauth cnamenokey.secure.example. \
 	@10.53.0.4 key > dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
 grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:testing DNSKEY lookup via DNAME ($n)"
 ret=0
 $DIG $DIGOPTS a.dnameandkey.secure.example. \
 	@10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS a.dnameandkey.secure.example. \
 	@10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
 grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
 grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:testing KEY lookup via DNAME ($n)"
 ret=0
 $DIG $DIGOPTS b.dnameandkey.secure.example. \
 	@10.53.0.3 key > dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS b.dnameandkey.secure.example. \
 	@10.53.0.4 key > dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
 grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 echo "I:exit status: $status"
 exit $status
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -5914,12 +5914,12 @@ answer_response(fetchctx_t *fctx) {
 					 * but we found a CNAME.
 					 *
 					 * Getting a CNAME response for some
-					 * query types is an error.
+					 * query types is an error, see
 					 * RFC 4035, Section 2.5.
 					 */
 					if (type == dns_rdatatype_rrsig ||
-					    type == dns_rdatatype_dnskey ||
+					    type == dns_rdatatype_key ||
-					    type == dns_rdatatype_nsec ||
+					    type == dns_rdatatype_nsec) {
 					    type == dns_rdatatype_nsec3) {
 						char buf[DNS_RDATATYPE_FORMATSIZE];
 						dns_rdatatype_format(fctx->type,
 							      buf, sizeof(buf));
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1852,6 +1852,10 @@ isselfsigned(dns_validator_t *val) {
 	name = val->event->name;
 	mctx = val->view->mctx;
 	if (rdataset->type == dns_rdatatype_cname ||
 	    rdataset->type == dns_rdatatype_dname)
 		return (answer);
 	INSIST(rdataset->type == dns_rdatatype_dnskey);
 	for (result = dns_rdataset_first(rdataset);