
Merge branch '4608-ensure-static-stub-ns-records-are-not-returned' into 'main'

Resolve "Ensure static stub NS records are not returned"

Closes #4608

See merge request isc-projects/bind9!8790
Mark Andrews
2024-03-14 04:16:39 +00:00
7 changed files with 95 additions and 5 deletions


@@ -1,3 +1,6 @@
6360. [bug] Don't return static-stub synthesised NS RRset.
[GL #4608]
6359. [bug] Fix bug in Depends (keymgr_dep) function. [GL #4552] 6359. [bug] Fix bug in Depends (keymgr_dep) function. [GL #4552]
6358. [bug] Fix validate_dnskey_dsset when KSK is not signing, 6358. [bug] Fix validate_dnskey_dsset when KSK is not signing,


@@ -17,3 +17,6 @@ a.root-servers.nil. A 10.53.0.1
example.com. NS example. example.com. NS example.
ns.example.net. A 10.53.0.3 ns.example.net. A 10.53.0.3
unsigned. NS ns.unsigned.
ns.unsigned. A 10.53.0.3


@@ -33,6 +33,7 @@ options {
recursion yes; recursion yes;
dnssec-validation yes; dnssec-validation yes;
notify no; notify no;
minimal-responses no;
}; };
zone "." { zone "." {
@@ -60,3 +61,8 @@ zone "undelegated" {
type static-stub; type static-stub;
server-addresses { 10.53.0.3; }; server-addresses { 10.53.0.3; };
}; };
zone "unsigned" {
type static-stub;
server-addresses { 10.53.0.3; };
};
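Review bot: `minimal-responses no;` is added to the options block without a comment saying why, and the new static-stub check in the test script appears to depend on it. That check greps the data.unsigned TXT reply for the zone's NS RRset, which would presumably be missing from the authority section under the default setting. A one-line comment above the option, e.g. `/* required so the authority section is populated for the static-stub NS check */`, would keep a later cleanup from silently disabling the regression test. The options block begins outside the hunk.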


@@ -44,3 +44,8 @@ zone "undelegated" {
type primary; type primary;
file "undelegated.db.signed"; file "undelegated.db.signed";
}; };
zone "unsigned" {
type primary;
file "unsigned.db";
};


@@ -0,0 +1,24 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$ORIGIN .
$TTL 300 ; 5 minutes
unsigned IN SOA ns.unsigned. hostmaster.unsigned. (
2010080906 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
unsigned. 5 NS ns.unsigned.
ns.unsigned. A 10.53.0.3
data.unsigned. 20 TXT "example org data"


@@ -211,5 +211,25 @@ grep "status: NOERROR" dig.out.ns2.soa.test$n >/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret)) status=$((status + ret))
n=$((n + 1))
echo_i "checking static-stub synthesised NS is not returned ($n)"
ret=0
$DIG $DIGOPTS unsigned. @10.53.0.2 ns >dig.out.ns2.ns.test$n || ret=1
sleep 2
$DIG $DIGOPTS data.unsigned @10.53.0.2 txt >dig.out.ns2.txt1.test$n || ret=1
sleep 4
$DIG $DIGOPTS data.unsigned @10.53.0.2 txt >dig.out.ns2.txt2.test$n || ret=1
grep "status: NOERROR" dig.out.ns2.ns.test$n >/dev/null || ret=1
grep "status: NOERROR" dig.out.ns2.txt1.test$n >/dev/null || ret=1
# NS RRset from zone is returned
grep '^unsigned\..*NS.ns\.unsigned\.$' dig.out.ns2.txt1.test$n >/dev/null || ret=1
grep '^unsigned\..*NS.unsigned\.$' dig.out.ns2.txt1.test$n >/dev/null && ret=1
# NS expired and synthesised response is not returned
grep "status: NOERROR" dig.out.ns2.txt2.test$n >/dev/null || ret=1
grep '^unsigned\..*NS.ns\.unsigned\.$' dig.out.ns2.txt2.test$n >/dev/null && ret=1
grep '^unsigned\..*NS.unsigned\.$' dig.out.ns2.txt2.test$n >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
echo_i "exit status: $status" echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1 [ $status -eq 0 ] || exit 1
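Review bot: The two negative greps on dig.out.ns2.txt2.test$n can pass vacuously, because the only positive assertion on that file is `status: NOERROR`; a NOERROR reply with no records at all would satisfy them too. Adding `grep '^data\.unsigned\..*TXT' dig.out.ns2.txt2.test$n >/dev/null || ret=1` would tie "no synthesised NS" to a reply that actually carried the data. The `sleep 2` / `sleep 4` pair also seems to be tuned to the 5-second NS TTL and 20-second TXT TTL in the new unsigned zone data, so the txt1 query has to land before the NS expires and txt2 after it. A comment such as `# NS TTL is 5s, TXT TTL is 20s: txt1 runs before NS expiry, txt2 after` would make that coupling visible to whoever edits either file, and would explain a failure on a slow CI host.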


@@ -10908,20 +10908,49 @@ query_addbestns(query_ctx_t *qctx) {
isc_buffer_t b; isc_buffer_t b;
dns_clientinfomethods_t cm; dns_clientinfomethods_t cm;
dns_clientinfo_t ci; dns_clientinfo_t ci;
dns_name_t qname;
CTRACE(ISC_LOG_DEBUG(3), "query_addbestns"); CTRACE(ISC_LOG_DEBUG(3), "query_addbestns");
dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfomethods_init(&cm, ns_client_sourceip);
dns_clientinfo_init(&ci, client, NULL); dns_clientinfo_init(&ci, client, NULL);
dns_name_init(&qname, NULL);
dns_name_clone(client->query.qname, &qname);
/* /*
* Find the right database. * Find the right database.
*/ */
result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0, do {
&zone, &db, &version, &is_zone); result = query_getdb(client, &qname, dns_rdatatype_ns, 0, &zone,
if (result != ISC_R_SUCCESS) { &db, &version, &is_zone);
goto cleanup; if (result != ISC_R_SUCCESS) {
} goto cleanup;
}
/*
* If this is a static stub zone look for a parent zone.
*/
if (zone != NULL &&
dns_zone_gettype(zone) == dns_zone_staticstub)
{
unsigned int labels = dns_name_countlabels(&qname);
dns_db_detach(&db);
dns_zone_detach(&zone);
version = NULL;
if (labels != 1) {
dns_name_split(&qname, labels - 1, NULL,
&qname);
continue;
}
if (!USECACHE(client)) {
goto cleanup;
}
dns_db_attach(client->view->cachedb, &db);
is_zone = false;
}
break;
} while (true);
db_find: db_find:
/* /*