Merge branch '4608-ensure-static-stub-ns-records-are-not-returned' into 'main'

Resolve "Ensure static stub NS records are not returned" Closes #4608 See merge request isc-projects/bind9!8790
2025-08-29 05:28:00 +00:00 · 2024-03-14 04:16:39 +00:00 · 2024-03-14 04:16:39 +00:00 · fd49abf254
commit fd49abf254
parent 5a17764a77 6a91862ac5
7 changed files with 95 additions and 5 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+6360.	[bug]		Don't return static-stub synthesised NS RRset.
+			[GL #4608]
+
 6359.	[bug]		Fix bug in Depends (keymgr_dep) function. [GL #4552]

 6358.	[bug]		Fix validate_dnskey_dsset when KSK is not signing,
--- a/bin/tests/system/staticstub/ns1/root.db
+++ b/bin/tests/system/staticstub/ns1/root.db
@ -17,3 +17,6 @@ a.root-servers.nil.	A	10.53.0.1
 example.com.		NS	example.

 ns.example.net.		A	10.53.0.3
+
+unsigned.              NS      ns.unsigned.
+ns.unsigned.           A       10.53.0.3
--- a/bin/tests/system/staticstub/ns2/named.conf.in
+++ b/bin/tests/system/staticstub/ns2/named.conf.in
@ -33,6 +33,7 @@ options {
 	recursion yes;
 	dnssec-validation yes;
 	notify no;
+	minimal-responses no;
 };

 zone "." {
@ -60,3 +61,8 @@ zone "undelegated" {
 	type static-stub;
 	server-addresses { 10.53.0.3; };
 };
+
+zone "unsigned" {
+	type static-stub;
+	server-addresses { 10.53.0.3; };
+};
--- a/bin/tests/system/staticstub/ns3/named.conf.in
+++ b/bin/tests/system/staticstub/ns3/named.conf.in
@ -44,3 +44,8 @@ zone "undelegated" {
 	type primary;
 	file "undelegated.db.signed";
 };
+
+zone "unsigned" {
+	type primary;
+	file "unsigned.db";
+};
--- a/bin/tests/system/staticstub/ns3/unsigned.db
+++ b/bin/tests/system/staticstub/ns3/unsigned.db
@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$ORIGIN .
+$TTL 300	; 5 minutes
+unsigned		IN SOA	ns.unsigned. hostmaster.unsigned. (
+				2010080906 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+unsigned.	5	NS	ns.unsigned.
+ns.unsigned.		A	10.53.0.3
+
+data.unsigned. 20	TXT	"example org data"
--- a/bin/tests/system/staticstub/tests.sh
+++ b/bin/tests/system/staticstub/tests.sh
@ -211,5 +211,25 @@ grep "status: NOERROR" dig.out.ns2.soa.test$n >/dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

+n=$((n + 1))
+echo_i "checking static-stub synthesised NS is not returned ($n)"
+ret=0
+$DIG $DIGOPTS unsigned. @10.53.0.2 ns >dig.out.ns2.ns.test$n || ret=1
+sleep 2
+$DIG $DIGOPTS data.unsigned @10.53.0.2 txt >dig.out.ns2.txt1.test$n || ret=1
+sleep 4
+$DIG $DIGOPTS data.unsigned @10.53.0.2 txt >dig.out.ns2.txt2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.ns.test$n >/dev/null || ret=1
+grep "status: NOERROR" dig.out.ns2.txt1.test$n >/dev/null || ret=1
+# NS RRset from zone is returned
+grep '^unsigned\..*NS.ns\.unsigned\.$' dig.out.ns2.txt1.test$n >/dev/null || ret=1
+grep '^unsigned\..*NS.unsigned\.$' dig.out.ns2.txt1.test$n >/dev/null && ret=1
+# NS expired and synthesised response is not returned
+grep "status: NOERROR" dig.out.ns2.txt2.test$n >/dev/null || ret=1
+grep '^unsigned\..*NS.ns\.unsigned\.$' dig.out.ns2.txt2.test$n >/dev/null && ret=1
+grep '^unsigned\..*NS.unsigned\.$' dig.out.ns2.txt2.test$n >/dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@ -10908,20 +10908,49 @@ query_addbestns(query_ctx_t *qctx) {
 	isc_buffer_t b;
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
+	dns_name_t qname;

 	CTRACE(ISC_LOG_DEBUG(3), "query_addbestns");

 	dns_clientinfomethods_init(&cm, ns_client_sourceip);
 	dns_clientinfo_init(&ci, client, NULL);

+	dns_name_init(&qname, NULL);
+	dns_name_clone(client->query.qname, &qname);
+
 	/*
 	 * Find the right database.
 	 */
-	result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0,
-			     &zone, &db, &version, &is_zone);
-	if (result != ISC_R_SUCCESS) {
-		goto cleanup;
-	}
+	do {
+		result = query_getdb(client, &qname, dns_rdatatype_ns, 0, &zone,
+				     &db, &version, &is_zone);
+		if (result != ISC_R_SUCCESS) {
+			goto cleanup;
+		}
+
+		/*
+		 * If this is a static stub zone look for a parent zone.
+		 */
+		if (zone != NULL &&
+		    dns_zone_gettype(zone) == dns_zone_staticstub)
+		{
+			unsigned int labels = dns_name_countlabels(&qname);
+			dns_db_detach(&db);
+			dns_zone_detach(&zone);
+			version = NULL;
+			if (labels != 1) {
+				dns_name_split(&qname, labels - 1, NULL,
+					       &qname);
+				continue;
+			}
+			if (!USECACHE(client)) {
+				goto cleanup;
+			}
+			dns_db_attach(client->view->cachedb, &db);
+			is_zone = false;
+		}
+		break;
+	} while (true);

 db_find:
 	/*