From ad7fdba1ed5eab146b51d6eb25b3094c96435677 Mon Sep 17 00:00:00 2001
From: ckb
Date: Mon, 9 Jul 2012 12:51:11 -0500
Subject: [PATCH 1/4] 3348. [security] prevent RRSIG data from being cached if a negative record matching the covering type exists at a higher trust level. Such data already can't be retrieved from the cache since change 3218 -- this prevents it being inserted into the cache as well.
---
 CHANGES | 6 ++++++
 lib/dns/rbtdb.c | 21 +++++++++++++--------
 2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/CHANGES b/CHANGES
index 4051c00459..c632f49ce3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+3348. [security] prevent RRSIG data from being cached if a negative
+ record matching the covering type exists at a higher
+ trust level. Such data already can't be retrieved from
+ the cache since change 3218 -- this prevents it
+ being inserted into the cache as well.
+
 3347. [bug] dnssec-settime: Issue a warning when writing a new
 private key file would cause a change in the
 permissions of the existing file. [RT #27724]
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index ebde1f510a..c6fa405579 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -6040,13 +6040,12 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 negtype = 0;
 if (rbtversion == NULL && !newheader_nx) {
 rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
+ covers = RBTDB_RDATATYPE_EXT(newheader->type);
+ sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, covers);
 if (NEGATIVE(newheader)) {
 /*
 * We're adding a negative cache entry.
 */
- covers = RBTDB_RDATATYPE_EXT(newheader->type);
- sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
- covers);
 for (topheader = rbtnode->data;
 topheader != NULL;
 topheader = topheader->next) {
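Review bot: The hoisted `covers` and `sigtype` assignments now execute for every non-negative cache add() as well, not just in the NEGATIVE branch they were moved out of, and nothing in the hunk says why; a one-line comment at the new position would spare the next reader from re-deriving it from the later loop, e.g. `/* covers/sigtype are used below both for negative entries and for RRSIGs */`. add() begins and continues outside this hunk, so the declarations of covers and sigtype are not visible here; presumably they are already function-scope, since the negative branch used them before this change.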
@@ -6077,14 +6076,20 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 * We're adding something that isn't a
 * negative cache entry. Look for an extant
 * non-stale NXDOMAIN/NODATA(QTYPE=ANY) negative
- * cache entry.
+ * cache entry. If we're adding an RRSIG, also
+ * check for an extant non-stale NODATA ncache
+ * entry which covers the same type as the RRSIG.
 */
 for (topheader = rbtnode->data;
 topheader != NULL;
 topheader = topheader->next) {
- if (topheader->type ==
- RBTDB_RDATATYPE_NCACHEANY)
- break;
+ if ((topheader->type ==
+ RBTDB_RDATATYPE_NCACHEANY) ||
+ (newheader->type == sigtype &&
+ topheader->type ==
+ RBTDB_RDATATYPE_VALUE(0, covers))) {
+ break;
+ }
 }
 if (topheader != NULL && EXISTS(topheader) &&
 topheader->rdh_ttl > now) {
@@ -6107,7 +6112,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 }
 /*
 * The new rdataset is better. Expire the
- * NXDOMAIN/NODATA(QTYPE=ANY).
+ * ncache entry.
 */
 set_ttl(rbtdb, topheader, 0);
 mark_stale_header(rbtdb, topheader);
From e6e7b050a68ea2a6b3db40e14b8228f5cc476df7 Mon Sep 17 00:00:00 2001
From: Tinderbox User
Date: Mon, 9 Jul 2012 18:15:39 +0000
Subject: [PATCH 2/4] update SRCID
---
 doc/private/SRCID | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/private/SRCID b/doc/private/SRCID
index 4943660030..963c18ddb3 100644
--- a/doc/private/SRCID
+++ b/doc/private/SRCID
@@ -1,4 +1,4 @@
 # This file must follow /bin/sh rules. It is imported directly via
 # configure.
 #
-SRCID="( 2012/07/06 22:15:00 UTC )"
+SRCID="( 2012/07/09 18:15:00 UTC )"
From 3342b2720b41820666e1afe9e3d8f5b28bbe6898 Mon Sep 17 00:00:00 2001
From: ckb
Date: Mon, 9 Jul 2012 13:20:33 -0500
Subject: [PATCH 3/4] corrected CHANGES (added rt #)
---
 CHANGES | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index c632f49ce3..390edf3ba8 100644
--- a/CHANGES
+++ b/CHANGES
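Review bot: In the widened loop condition, `newheader->type == sigtype` is an indirect way of asking whether the entry being added is an RRSIG — assuming the RBTDB_RDATATYPE_VALUE/BASE/EXT macros pack and unpack consistently, it holds exactly when the base type of newheader is dns_rdatatype_rrsig, because sigtype was built from newheader's own covers value in the previous hunk — and `rdtype == dns_rdatatype_rrsig`, using the rdtype computed just above in that hunk, says so directly. The second operand would then read `(rdtype == dns_rdatatype_rrsig && topheader->type == RBTDB_RDATATYPE_VALUE(0, covers))`, which also makes the NODATA-for-covered-type intent of the comment visible in the code. The guard that actually enforces the trust ordering named in the subject — the EXISTS/ttl test at the end of this hunk and the trust comparison that follows it — lies past the hunk boundary along with the rest of add(), so this note cannot confirm from the page that a lower-trust NODATA entry still lets the RRSIG in; worth a regression test on that branch. The comment change in the following hunk (`ncache entry`) is consistent with the widened match and needs nothing further.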
@@ -2,7 +2,7 @@
 record matching the covering type exists at a higher
 trust level. Such data already can't be retrieved from
 the cache since change 3218 -- this prevents it
- being inserted into the cache as well.
+ being inserted into the cache as well [RT #27724].
 
 3347. [bug] dnssec-settime: Issue a warning when writing a new
 private key file would cause a change in the
From eaca18d408443ddaa3945e08fdaf636c6b9f77ec Mon Sep 17 00:00:00 2001
From: Tinderbox User
Date: Mon, 9 Jul 2012 19:16:18 +0000
Subject: [PATCH 4/4] update SRCID
---
 doc/private/SRCID | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/private/SRCID b/doc/private/SRCID
index 963c18ddb3..ca9be6dccc 100644
--- a/doc/private/SRCID
+++ b/doc/private/SRCID
@@ -1,4 +1,4 @@
 # This file must follow /bin/sh rules. It is imported directly via
 # configure.
 #
-SRCID="( 2012/07/09 18:15:00 UTC )"
+SRCID="( 2012/07/09 19:15:00 UTC )"