Commit 1bbed57e authored by Mark Andrews's avatar Mark Andrews

Merge branch...

Merge branch '445-filter-aaaa-and-dns64-can-both-attempt-to-recurse-for-a-records-at-the-same-time-v9_11' into 'v9_11'

Resolve "filter-aaaa and dns64 can both attempt to recurse for A records at the same time"

See merge request !686
parents 30a24678 70f4f796
Pipeline #4075 failed with stages
in 8 minutes and 38 seconds
5016. [bug] Named could assert with overlapping filter-aaaa and
dns64 acls. [GL #445]
5015. [bug] Reloading all zones caused zone maintenance to cease
for inline-signed zones. [GL #435]
 
......
......@@ -8861,6 +8861,35 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
goto cleanup;
}
/*
* Check to see if the AAAA RRset has non-excluded addresses
* in it. If not look for a A RRset.
*
* Note: the order of dns64_aaaaok() and filter_aaaa check is
* important. Both result is fetches being called but the
* dns64 case goes to db_find while the filter_aaaa case
* adds the records now for later potential exclusion.
*/
INSIST(client->query.dns64_aaaaok == NULL);
if (qtype == dns_rdatatype_aaaa && !dns64_exclude &&
!ISC_LIST_EMPTY(client->view->dns64) &&
client->message->rdclass == dns_rdataclass_in &&
!dns64_aaaaok(client, rdataset, sigrdataset)) {
/*
* Look to see if there are A records for this
* name.
*/
client->query.dns64_ttl = rdataset->ttl;
SAVE(client->query.dns64_aaaa, rdataset);
SAVE(client->query.dns64_sigaaaa, sigrdataset);
query_releasename(client, &fname);
dns_db_detachnode(db, &node);
type = qtype = dns_rdatatype_a;
dns64_exclude = dns64 = true;
goto db_find;
}
#ifdef ALLOW_FILTER_AAAA
/*
* Optionally hide AAAAs from IPv4 clients if there is an A.
......@@ -8945,29 +8974,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
}
}
#endif
/*
* Check to see if the AAAA RRset has non-excluded addresses
* in it. If not look for a A RRset.
*/
INSIST(client->query.dns64_aaaaok == NULL);
if (qtype == dns_rdatatype_aaaa && !dns64_exclude &&
!ISC_LIST_EMPTY(client->view->dns64) &&
client->message->rdclass == dns_rdataclass_in &&
!dns64_aaaaok(client, rdataset, sigrdataset)) {
/*
* Look to see if there are A records for this
* name.
*/
client->query.dns64_ttl = rdataset->ttl;
SAVE(client->query.dns64_aaaa, rdataset);
SAVE(client->query.dns64_sigaaaa, sigrdataset);
query_releasename(client, &fname);
dns_db_detachnode(db, &node);
type = qtype = dns_rdatatype_a;
dns64_exclude = dns64 = true;
goto db_find;
}
if (sigrdataset != NULL)
sigrdatasetp = &sigrdataset;
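Review bot: The comment added above the relocated dns64 block is the only thing documenting the ordering this fix depends on, and its key sentence is garbled ("Both result is fetches being called"). Per the CHANGES entry, getting this wrong ends in named asserting on the query path, so the wording should be unambiguous, for example `Both checks can start a fetch for A records, but the dns64 case restarts at db_find while the filter-aaaa case adds the records now for later potential exclusion, so the dns64 check has to run first.` The `INSIST(client->query.dns64_aaaaok == NULL)` that moved with the block still aborts the server if a later reordering breaks the invariant, so I would also add a short comment at the `#ifdef ALLOW_FILTER_AAAA` block saying it must stay after the dns64 check. query_find starts and ends outside both hunks, so this is based only on the lines shown.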
......
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
. 0 NS ns.rootservers.utld.
ns.rootservers.utld. 0 A 10.53.0.1
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.5;
notify-source 10.53.0.5;
transfer-source 10.53.0.5;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.5; };
listen-on-v6 { fd92:7065:b8e:ffff::5; };
recursion yes;
dnssec-validation no;
notify yes;
dns64 64:ff9b::/96 {
clients { any; };
exclude { any; };
mapped { any; };
};
filter-aaaa-on-v4 break-dnssec;
filter-aaaa { any; };
minimal-responses no;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." { type hint; file "hints"; };
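Review bot: Nothing in this new ns5 configuration says that the overlapping `dns64 64:ff9b::/96 { clients { any; }; exclude { any; }; mapped { any; }; }` and `filter-aaaa { any; }` settings are deliberate, so a later cleanup could "fix" the apparently nonsensical combination and silently remove the regression coverage. A one-line comment above the dns64 block would do, e.g. `/* Deliberately overlapping dns64 and filter-aaaa ACLs: regression test for GL #445. */`. The fixed `rndc_key` secret and `allow { any; }` on the control channel look like test-fixture conventions tied to the 10.53.0.5 test address; if so, a brief comment saying the file is test-only would stop it being copied as a template.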
......@@ -20,6 +20,7 @@ copy_setports ns1/named1.conf.in ns1/named.conf
copy_setports ns2/named1.conf.in ns2/named.conf
copy_setports ns3/named1.conf.in ns3/named.conf
copy_setports ns4/named1.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
if $SHELL ../testcrypto.sh -q
then
......
......@@ -1374,5 +1374,17 @@ grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# We don't check for the AAAA record here as configuration in ns5 does
# not make sense. The AAAA record is wanted by filter-aaaa but discarded
# by the dns64 configuration. We just want to ensure the server stays
# running.
n=`expr $n + 1`
echo_i "checking filter-aaaa with dns64 ($n)"
ret=0
$DIG $DIGOPTS aaaa aaaa-only.unsigned @10.53.0.5 > dig.out.ns5.test$n || ret=1
grep "status: NOERROR" dig.out.ns5.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
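Review bot: The added check can pass without proving what its comment asks for, because a single `status: NOERROR` reply only shows named was alive when it answered. If the abort happened after the response was sent, for example when an outstanding fetch completes, this test would still succeed. A follow-up query to the same server would pin down "the server stays running", e.g. `$DIG $DIGOPTS aaaa aaaa-only.unsigned @10.53.0.5 > dig.out.ns5.again.test$n || ret=1` followed by the same grep on that file. Whether the test framework separately detects a crashed named at shutdown is not visible from this hunk.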
......@@ -1344,6 +1344,8 @@
./bin/tests/system/filter-aaaa/ns4/signed.db.in ZONE 2010,2012,2016,2017,2018
./bin/tests/system/filter-aaaa/ns4/signed.db.presigned X 2014,2018
./bin/tests/system/filter-aaaa/ns4/unsigned.db ZONE 2010,2012,2016,2017,2018
./bin/tests/system/filter-aaaa/ns5/hints ZONE 2018
./bin/tests/system/filter-aaaa/ns5/named.conf.in CONF-C 2018
./bin/tests/system/filter-aaaa/prereq.sh SH 2010,2012,2014,2016,2018
./bin/tests/system/filter-aaaa/setup.sh SH 2010,2012,2014,2016,2018
./bin/tests/system/filter-aaaa/tests.sh SH 2010,2012,2015,2016,2017,2018
......