651. [func] The AD bit in responses now has the meaning

specified in <draft-ietf-dnsext-ad-is-secure>.

CHANGES

@@ -1,3 +1,6 @@
+ 651.	[func]		The AD bit in responses now has the meaning
+			specified in <draft-ietf-dnsext-ad-is-secure>.
+
  650.	[bug]		SIG(0) records were being generated and verified
 			incorrectly. [RT #606]
 

bin/named/query.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.164 2001/01/03 00:05:08 bwelling Exp $ */
+/* $Id: query.c,v 1.165 2001/01/04 00:24:23 bwelling Exp $ */
 
 #include <config.h>
 
@@ -3415,11 +3415,8 @@ ns_query_start(ns_client_t *client) {
 	message->flags |= DNS_MESSAGEFLAG_AA;
 
 	/*
-	 * Set AD.  We need only clear it if we add "pending" data to
-	 * a response.
-	 *
-	 * XXX  Note: the way AD is set will be changing in the near
-	 *      future.
+	 * Set AD.  We must clear it if we add non-validated data to a
+	 * response.
 	 */
 	if (WANTDNSSEC(client))
 		message->flags |= DNS_MESSAGEFLAG_AD;

bin/tests/system/dnssec/tests.sh

@@ -15,7 +15,7 @@
 # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.27 2000/11/22 01:26:24 gson Exp $
+# $Id: tests.sh,v 1.28 2001/01/04 00:24:24 bwelling Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -65,7 +65,9 @@ ret=0
 $DIG $DIGOPTS a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@@ -112,7 +114,9 @@ $DIG $DIGOPTS a.insecure.secure.example. @10.53.0.2 a \
 $DIG $DIGOPTS a.insecure.secure.example. @10.53.0.4 a \
 	> dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@@ -126,7 +130,9 @@ $DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
 $DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
 	|| ret=1
 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@@ -191,8 +197,9 @@ $DIG $DIGOPTS +noauth a.insecure.example. soa @10.53.0.4 \
 $DIG $DIGOPTS +noauth +cdflag a.insecure.example. soa @10.53.0.5 \
 	> dig.out.ns5.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - these are looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -205,8 +212,9 @@ $DIG $DIGOPTS q.insecure.example. soa @10.53.0.4 \
 $DIG $DIGOPTS +cdflag q.insecure.example. soa @10.53.0.5 \
 	> dig.out.ns5.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - these are looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi

lib/dns/message.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.165 2001/01/03 20:42:08 bwelling Exp $ */
+/* $Id: message.c,v 1.166 2001/01/04 00:24:26 bwelling Exp $ */
 
 /***
  *** Imports
@@ -1771,10 +1771,10 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 				}
 
 				/*
-				 * If we have rendered pending data, ensure
-				 * that the AD bit is not set.
+				 * If we have rendered non-validated data,
+				 * ensure that the AD bit is not set.
 				 */
-				if (rdataset->trust == dns_trust_pending &&
+				if (rdataset->trust != dns_trust_secure &&
 				    (sectionid == DNS_SECTION_ANSWER ||
 				     sectionid == DNS_SECTION_AUTHORITY))
 					msg->flags &= ~DNS_MESSAGEFLAG_AD;