Merge branch 'master' of repo:/proj/git/prod/bind9

2025-09-05 09:05:40 +00:00 · 2012-07-09 19:18:13 +00:00
parent 929621dd7d eaca18d408
commit ea7834b39d
3 changed files with 20 additions and 9 deletions
--- a/6
+++ b/6
@@ -1,3 +1,9 @@
+3348.	[security]	prevent RRSIG data from being cached if a negative 
+			record matching the covering type exists at a higher 
+			trust level. Such data already can't be retrieved from 
+			the cache since change 3218 -- this prevents it 
+			being inserted into the cache as well [RT #27724].
+			
 3347.	[bug]		dnssec-settime: Issue a warning when writing a new 
 			private key file would cause a change in the 
 			permissions of the existing file. [RT #27724]
--- a/doc/private/SRCID
+++ b/doc/private/SRCID
@@ -1,4 +1,4 @@
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
 #
-SRCID="( 2012/07/06 22:15:00 UTC )"
+SRCID="( 2012/07/09 19:15:00 UTC )"
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -6040,13 +6040,12 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	negtype = 0;
 	if (rbtversion == NULL && !newheader_nx) {
 		rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
+		covers = RBTDB_RDATATYPE_EXT(newheader->type);
+		sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, covers);
 		if (NEGATIVE(newheader)) {
 			/*
 			 * We're adding a negative cache entry.
 			 */
-			covers = RBTDB_RDATATYPE_EXT(newheader->type);
-			sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
-							covers);
 			for (topheader = rbtnode->data;
 			     topheader != NULL;
 			     topheader = topheader->next) {
@@ -6077,14 +6076,20 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			 * We're adding something that isn't a
 			 * negative cache entry.  Look for an extant
 			 * non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative
-			 * cache entry.
+			 * cache entry.  If we're adding an RRSIG, also
+			 * check for an extant non-stale NODATA ncache
+			 * entry which covers the same type as the RRSIG.
 			 */
 			for (topheader = rbtnode->data;
 			     topheader != NULL;
 			     topheader = topheader->next) {
-				if (topheader->type ==
-				    RBTDB_RDATATYPE_NCACHEANY)
-					break;
+				if ((topheader->type ==
+					RBTDB_RDATATYPE_NCACHEANY) ||
+					(newheader->type == sigtype &&
+					topheader->type ==
+					RBTDB_RDATATYPE_VALUE(0, covers))) {
+						break;
+					}
 			}
 			if (topheader != NULL && EXISTS(topheader) &&
 			    topheader->rdh_ttl > now) {
@@ -6107,7 +6112,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				}
 				/*
 				 * The new rdataset is better.  Expire the
-				 * NXDOMAIN/NODATA(QTYPE=ANY).
+				 * ncache entry.
 				 */
 				set_ttl(rbtdb, topheader, 0);
 				mark_stale_header(rbtdb, topheader);