mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-03 08:05:21 +00:00

651. [func] The AD bit in responses now has the meaning

specified in <draft-ietf-dnsext-ad-is-secure>.
Brian Wellington
2001-01-04 00:24:26 +00:00
parent ac7f13e3dd
commit ec772e873b
4 changed files with 26 additions and 18 deletions


@@ -1,3 +1,6 @@
651. [func] The AD bit in responses now has the meaning
specified in <draft-ietf-dnsext-ad-is-secure>.
650. [bug] SIG(0) records were being generated and verified 650. [bug] SIG(0) records were being generated and verified
incorrectly. [RT #606] incorrectly. [RT #606]


@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: query.c,v 1.164 2001/01/03 00:05:08 bwelling Exp $ */ /* $Id: query.c,v 1.165 2001/01/04 00:24:23 bwelling Exp $ */
#include <config.h> #include <config.h>
@@ -3415,11 +3415,8 @@ ns_query_start(ns_client_t *client) {
message->flags |= DNS_MESSAGEFLAG_AA; message->flags |= DNS_MESSAGEFLAG_AA;
/* /*
* Set AD. We need only clear it if we add "pending" data to * Set AD. We must clear it if we add non-validated data to a
* a response. * response.
*
* XXX Note: the way AD is set will be changing in the near
* future.
*/ */
if (WANTDNSSEC(client)) if (WANTDNSSEC(client))
message->flags |= DNS_MESSAGEFLAG_AD; message->flags |= DNS_MESSAGEFLAG_AD;
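Review bot: The rewritten comment says AD must be cleared when non-validated data is added, but nothing in this hunk clears it; the flag is set for every `WANTDNSSEC(client)` query and stays set unless a later step removes it. That makes the default fail-open: a response path that never reaches the clearing code would still carry AD. The comment should name where the clearing happens, for example `* Set AD optimistically; dns_message_rendersection() clears it when it renders answer/authority data that is not dns_trust_secure.` The body of ns_query_start starts and ends outside the hunk, so other handling of the flag may exist there.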


@@ -15,7 +15,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.27 2000/11/22 01:26:24 gson Exp $ # $Id: tests.sh,v 1.28 2001/01/04 00:24:24 bwelling Exp $
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh . $SYSTEMTESTTOP/conf.sh
@@ -65,7 +65,9 @@ ret=0
$DIG $DIGOPTS a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 $DIG $DIGOPTS a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 $DIG $DIGOPTS a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1` n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@@ -112,7 +114,9 @@ $DIG $DIGOPTS a.insecure.secure.example. @10.53.0.2 a \
$DIG $DIGOPTS a.insecure.secure.example. @10.53.0.4 a \ $DIG $DIGOPTS a.insecure.secure.example. @10.53.0.4 a \
> dig.out.ns4.test$n || ret=1 > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1` n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@@ -126,7 +130,9 @@ $DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \ $DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
|| ret=1 || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
n=`expr $n + 1` n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
@@ -191,8 +197,9 @@ $DIG $DIGOPTS +noauth a.insecure.example. soa @10.53.0.4 \
$DIG $DIGOPTS +noauth +cdflag a.insecure.example. soa @10.53.0.5 \ $DIG $DIGOPTS +noauth +cdflag a.insecure.example. soa @10.53.0.5 \
> dig.out.ns5.test$n || ret=1 > dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the && # Note - these are looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1` n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -205,8 +212,9 @@ $DIG $DIGOPTS q.insecure.example. soa @10.53.0.4 \
$DIG $DIGOPTS +cdflag q.insecure.example. soa @10.53.0.5 \ $DIG $DIGOPTS +cdflag q.insecure.example. soa @10.53.0.5 \
> dig.out.ns5.test$n || ret=1 > dig.out.ns5.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
# Note - this is looking for failure, hence the && # Note - these are looking for failure, hence the &&
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
n=`expr $n + 1` n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
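Review bot: The new negative checks (`grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1`) pass whenever the pattern fails to match, so they cannot tell "AD is clear" from "the flags line is missing or formatted differently". The added `status:` grep confirms a response header was written, but in dig output the status and the flags are normally on separate lines, so it does not pin the flags line itself. I would add a presence check before each negative one, `grep "flags:.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1`, in all five hunks (and for dig.out.ns5 in the last two). The hunks shown cover only insecure names; whether a validated answer still gets AD is presumably asserted elsewhere in tests.sh, which is worth confirming now that the clearing condition is broader.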


@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: message.c,v 1.165 2001/01/03 20:42:08 bwelling Exp $ */ /* $Id: message.c,v 1.166 2001/01/04 00:24:26 bwelling Exp $ */
/*** /***
*** Imports *** Imports
@@ -1771,10 +1771,10 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
} }
/* /*
* If we have rendered pending data, ensure * If we have rendered non-validated data,
* that the AD bit is not set. * ensure that the AD bit is not set.
*/ */
if (rdataset->trust == dns_trust_pending && if (rdataset->trust != dns_trust_secure &&
(sectionid == DNS_SECTION_ANSWER || (sectionid == DNS_SECTION_ANSWER ||
sectionid == DNS_SECTION_AUTHORITY)) sectionid == DNS_SECTION_AUTHORITY))
msg->flags &= ~DNS_MESSAGEFLAG_AD; msg->flags &= ~DNS_MESSAGEFLAG_AD;
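Review bot: The new test `rdataset->trust != dns_trust_secure` is an exact match, so every other trust level clears AD, including any level the enum may rank above secure; the comment's "non-validated" does not say whether that is intended. The comment also does not explain why only DNS_SECTION_ANSWER and DNS_SECTION_AUTHORITY are considered. I would extend it along the lines of `* Only rdatasets at exactly dns_trust_secure keep AD; additional-section data is not covered by the AD bit.`, where the second clause is my reading of the referenced draft and should be confirmed. The body of dns_message_rendersection extends beyond the hunk on both sides.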