When a query matched a DNAME in a secure zone, the server did not return the

signature of the DNAME.  [RT #915]

A query should not match a DNAME whose trust level is pending.  [RT #916]

CHANGES

@@ -1,3 +1,9 @@
+ 750.	[bug]		A query should not match a DNAME whose trust level
+			is pending.  [RT #916]
+
+ 749.	[bug]		When a query matched a DNAME in a secure zone, the
+			server did not return the signature of the DNAME.
+			[RT #915]
 
  748.	[doc]		List supported RFCs in doc/misc/rfc-compliance.
 			[RT #781]

lib/dns/rbtdb.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.147 2001/02/09 01:26:51 bwelling Exp $ */
+/* $Id: rbtdb.c,v 1.148 2001/02/23 02:14:14 halley Exp $ */
 
 /*
  * Principal Author: Bob Halley
@@ -77,6 +77,8 @@ typedef isc_uint32_t			rbtdb_rdatatype_t;
 		RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, dns_rdatatype_ns)
 #define RBTDB_RDATATYPE_SIGCNAME \
 		RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, dns_rdatatype_cname)
+#define RBTDB_RDATATYPE_SIGDNAME \
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_sig, dns_rdatatype_dname)
 #define RBTDB_RDATATYPE_NXDOMAIN \
 		RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_any)
 
@@ -190,6 +192,7 @@ typedef struct {
 	isc_boolean_t		wild;
 	dns_rbtnode_t *	       	zonecut;
 	rdatasetheader_t *	zonecut_rdataset;
+	rdatasetheader_t *	zonecut_sigrdataset;
 	dns_fixedname_t		zonecut_name;
 	isc_stdtime_t		now;
 } rbtdb_search_t;
@@ -1010,6 +1013,7 @@ static isc_result_t
 zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 	rbtdb_search_t *search = arg;
 	rdatasetheader_t *header, *header_next;
+	rdatasetheader_t *dname_header, *sigdname_header, *ns_header;
 	rdatasetheader_t *found;
 	isc_result_t result;
 	dns_rbtnode_t *onode;
@@ -1031,10 +1035,14 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 	/*
 	 * Look for an NS or DNAME rdataset active in our version.
 	 */
+	ns_header = NULL;
+	dname_header = NULL;
+	sigdname_header = NULL;
 	for (header = node->data; header != NULL; header = header_next) {
 		header_next = header->next;
 		if (header->type == dns_rdatatype_ns ||
-		    header->type == dns_rdatatype_dname) {
+		    header->type == dns_rdatatype_dname ||
+		    header->type == RBTDB_RDATATYPE_SIGDNAME) {
 			do {
 				if (header->serial <= search->serial &&
 				    !IGNORE(header)) {
@@ -1042,24 +1050,20 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 					 * Is this a "this rdataset doesn't
 					 * exist" record?
 					 */
-					if ((header->attributes &
-					     RDATASET_ATTR_NONEXISTENT) != 0)
+					if (NONEXISTENT(header))
 						header = NULL;
 					break;
 				} else
 					header = header->down;
 			} while (header != NULL);
 			if (header != NULL) {
-				if (header->type == dns_rdatatype_dname) {
-					/*
-					 * We don't need to keep looking for
-					 * NS records, because the DNAME has
-					 * precedence.
-					 */
-					found = header;
-					break;
-				} else if (node != onode ||
-					   IS_STUB(search->rbtdb)) {
+				if (header->type == dns_rdatatype_dname)
+					dname_header = header;
+				else if (header->type == 
+					   RBTDB_RDATATYPE_SIGDNAME)
+					sigdname_header = header;
+				else if (node != onode ||
+					 IS_STUB(search->rbtdb)) {
 					/*
 					 * We've found an NS rdataset that
 					 * isn't at the origin node.  We check
@@ -1068,12 +1072,26 @@ zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 					 * treat the zone top as if it were
 					 * a delegation.
 					 */
-					found = header;
+					ns_header = header;
 				}
 			}
 		}
 	}
 
+	/*
+	 * Did we find anything?
+	 */
+	if (dname_header != NULL) {
+		/*
+		 * Note that DNAME has precedence over NS if both exist.
+		 */
+		found = dname_header;
+		search->zonecut_sigrdataset = sigdname_header;
+	} else if (ns_header != NULL) {
+		found = ns_header;
+		search->zonecut_sigrdataset = NULL;
+	}
+
 	if (found != NULL) {
 		/*
 		 * We increment the reference count on node to ensure that
@@ -1164,7 +1182,8 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 
 static inline isc_result_t
 setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
-		 dns_name_t *foundname, dns_rdataset_t *rdataset)
+		 dns_name_t *foundname, dns_rdataset_t *rdataset,
+		 dns_rdataset_t *sigrdataset)
 {
 	isc_result_t result;
 	dns_name_t *zcname;
@@ -1204,6 +1223,10 @@ setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
 		LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
 		bind_rdataset(search->rbtdb, node, search->zonecut_rdataset,
 			      search->now, rdataset);
+		if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL)
+			bind_rdataset(search->rbtdb, node,
+				      search->zonecut_sigrdataset,
+				      search->now, sigrdataset);
 		UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
 	}
 
@@ -1611,7 +1634,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	partial_match:
 		if (search.zonecut != NULL) {
 		    result = setup_delegation(&search, nodep, foundname,
-					      rdataset);
+					      rdataset, sigrdataset);
 		    goto tree_exit;
 		}
 
@@ -1850,7 +1873,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		     */
 		    UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
 		    result = setup_delegation(&search, nodep, foundname,
-					      rdataset);
+					      rdataset, sigrdataset);
 		    goto tree_exit;
 		} else {
 			/*
@@ -1921,7 +1944,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		    !valid_glue(&search, foundname, type, node)) {
 		    UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
 		    result = setup_delegation(&search, nodep, foundname,
-					      rdataset);
+					      rdataset, sigrdataset);
 		    goto tree_exit;
 		}
 	} else {
@@ -1999,6 +2022,7 @@ static isc_result_t
 cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 	rbtdb_search_t *search = arg;
 	rdatasetheader_t *header, *header_prev, *header_next;
+	rdatasetheader_t *dname_header, *sigdname_header;
 	isc_result_t result;
 
 	/* XXX comment */
@@ -2013,8 +2037,10 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 	LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
 
 	/*
-	 * Look for a DNAME rdataset.
+	 * Look for a DNAME or SIG DNAME rdataset.
 	 */
+	dname_header = NULL;
+	sigdname_header = NULL;
 	header_prev = NULL;
 	for (header = node->data; header != NULL; header = header_next) {
 		header_next = header->next;
@@ -2042,21 +2068,28 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 				header_prev = header;
 			}
 		} else if (header->type == dns_rdatatype_dname &&
-			   (header->attributes & RDATASET_ATTR_NONEXISTENT) ==
-			   0)
-			break;
-		else
+			   EXISTS(header)) {
+			dname_header = header;
+			header_prev = header;
+		} else if (header->type == RBTDB_RDATATYPE_SIGDNAME &&
+			 EXISTS(header)) {
+			sigdname_header = header;
+			header_prev = header;
+		} else
 			header_prev = header;
 	}
 
-	if (header != NULL) {
+	if (dname_header != NULL &&
+	    (dname_header->trust != dns_trust_pending ||
+	     (search->options & DNS_DBFIND_PENDINGOK) != 0)) {
 		/*
 		 * We increment the reference count on node to ensure that
 		 * search->zonecut_rdataset will still be valid later.
 		 */
 		new_reference(search->rbtdb, node);
 		search->zonecut = node;
-		search->zonecut_rdataset = header;
+		search->zonecut_rdataset = dname_header;
+		search->zonecut_sigrdataset = sigdname_header;
 		search->need_cleanup = ISC_TRUE;
 		result = DNS_R_PARTIALMATCH;
 	} else
@@ -2252,7 +2285,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	if (result == DNS_R_PARTIALMATCH) {
 		if (search.zonecut != NULL) {
 		    result = setup_delegation(&search, nodep, foundname,
-					      rdataset);
+					      rdataset, sigrdataset);
 		    goto tree_exit;
 		} else {
 		find_ns: