1625. [bug] named failed to load/transfer RFC2535 signed zones

                        which contained CNAMES. [RT# 11237]

CHANGES

@@ -3,7 +3,8 @@
 
 1626.	[bug]		--enable-getifaddrs was broken. [RT#11259]
 
-1625.   [placeholder]	rt11237
+1625.	[bug]		named failed to load/transfer RFC2535 signed zones
+			which contained CNAMES. [RT# 11237]
 
 1624.	[bug]		zonemgr_putio() call should be locked. [RT# 11163]
 

bin/named/update.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.110 2004/04/15 01:58:23 marka Exp $ */
+/* $Id: update.c,v 1.111 2004/05/05 01:32:56 marka Exp $ */
 
 #include <config.h>
 
@@ -850,7 +850,8 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
 						this name and type */
 
 			*typep = type = t->rdata.type;
-			if (type == dns_rdatatype_rrsig)
+			if (type == dns_rdatatype_rrsig ||
+			    type == dns_rdatatype_sig)
 				covers = dns_rdata_covers(&t->rdata);
 			else
 				covers = 0;
@@ -2467,8 +2468,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				ctx.ignore_add = ISC_FALSE;
 				dns_diff_init(mctx, &ctx.del_diff);
 				dns_diff_init(mctx, &ctx.add_diff);
-				CHECK(foreach_rr(db, ver, name, rdata.type, covers,
-						 add_rr_prepare_action, &ctx));
+				CHECK(foreach_rr(db, ver, name, rdata.type,
+						 covers, add_rr_prepare_action,
+						 &ctx));
 
 				if (ctx.ignore_add) {
 					dns_diff_clear(&ctx.del_diff);

bin/tests/system/dnssec/ns2/example.db.in

@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example.db.in,v 1.14 2004/04/15 23:40:22 marka Exp $
+; $Id: example.db.in,v 1.15 2004/05/05 01:32:57 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
@@ -70,6 +70,10 @@ dynamic			A	10.53.0.3
 mustbesecure		NS	ns.mustbesecure
 ns.mustbesecure		A	10.53.0.3
 
+; A rfc2535 signed zone w/ CNAME
+rfc2535			NS	ns.rfc2535
+ns.rfc2535		A	10.53.0.3
+
 z			A	10.0.0.26
 
 keyless			NS	ns.keyless

bin/tests/system/dnssec/ns2/named.conf

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.23 2004/03/10 02:19:53 marka Exp $ */
+/* $Id: named.conf,v 1.24 2004/05/05 01:32:57 marka Exp $ */
 
 // NS2
 
@@ -62,4 +62,10 @@ zone "insecure.secure.example" {
 	allow-update { any; };
 };
 
+zone "rfc2335.example" {
+        type master;
+        file "rfc2335.example.db";
+};
+
+
 include "trusted.conf";

bin/tests/system/dnssec/ns2/rfc2335.example.db

+; File written on Fri Apr 30 12:19:15 2004
+; dnssec_signzone version 9.2.4rc3
+rfc2335.example.	300	IN SOA	mname1. . (
+					2000042407 ; serial
+					20         ; refresh (20 seconds)
+					20         ; retry (20 seconds)
+					1814400    ; expire (3 weeks)
+					3600       ; minimum (1 hour)
+					)
+			300	SIG	SOA 1 2 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					nGPJKIzF7X/hMJbZURRz59UeEi/6HRxCn9Er
+					GqSnpw0Ea9Yx5Axu6sLKnF7jXlkZ6NHMCIpJ
+					+Lv+FDHXTs/dQg== )
+			300	NS	ns.rfc2335.example.
+			300	SIG	NS 1 2 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					Q234AL9dJYMvxdWG33lpww6AJ3GplKp+ace7
+					MUaj0oqDdkx4DtJF2XaP2xcqq7kTOObdQ8ES
+					vVxNThqOx7LFzg== )
+			300	KEY	256 3 1 (
+					AQPZhzXIabI8y5ihWUw7F0WxN2MabnYWkOcV
+					Fn11NgaGSdjBSYPRMMwMCasD5N2KYPRUP83W
+					y8mj+ofcoW1FurcZ
+					) ; key id = 47799
+			300	NXT	a.rfc2335.example. NS SOA SIG KEY NXT
+			300	SIG	NXT 1 2 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					Y587mqNy6pBEfbsU6+weM2XRSqLwLwRT9Sl7
+					oNuOK9kV3TR4R2M54m2S0MgJCXbRAwU+fF8Q
+					UbZkSTVe2N8Nyg== )
+a.rfc2335.example.	300	IN A	10.0.0.1
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					FnfWrcw5ire8ut25504zti5l///BdDMUAkJZ
+					UCLFiTW4lBGMcq1pqz64zltDZXCgJ3xUeQ2i
+					nRt19/ZxO6Z1KA== )
+			300	NXT	b.rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					R6SpC3ndMVg4u/eZaaUsXSuMHV/hZXeaM/Op
+					bJLAe3KxMiOHfb6XgLy7wflAiC1xt6A9bWpy
+					kTc5T5gfic33kA== )
+b.rfc2335.example.	300	IN A	10.0.0.2
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					zjRsYXMGyhDI6ipDtu8YXC9XPN+3hGamzzxL
+					8uPE/LPo+x19MNdbzEgWzlajAf1/mkSGr2jN
+					BDMVBA5NMKpwAA== )
+			300	NXT	d.rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					aV87iZCYsC5Tqop827Zzb18TNqopGt0QynkR
+					gIF/lIHqZasNFRfaS1/nTnXdDKD8JS5IqxKb
+					oTJr5zswDAtCEw== )
+d.rfc2335.example.	300	IN A	10.0.0.4
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					NsKyvhUYZxTbOTBX4YwxTxevI5iGBpULKwmt
+					+D4l00ME4XRygOVmiqVDTT9dF1EgjDxOdfMT
+					hSjtCh5M1b2f6g== )
+			300	NXT	ns.rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					OGqlvSDZIZdHYigh4UAFzXfPze7vcQfgj7sN
+					+cAeoh4BL1gpa00DqANCxowNCYluDk3ZCDwt
+					UHZEJa8ZjNvv4g== )
+ns.rfc2335.example.	300	IN A	10.53.0.3
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					T6ZGeUWflLTku8jO23x/TeAPeUl8t0I18FCh
+					qHUZaHomLQasQ2jlZQn6cLpFd2uFJkBNxZ0G
+					I39aG7G1bObXdA== )
+			300	NXT	x.rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					l46mrf3/Ii5iRm3AiDjYeMg4ZXBgitHxXA2y
+					e/NhKpkxRRpCs7UQ94wT/RiSCjjK49E5FBe6
+					5bRxtWq0GI7zlg== )
+x.rfc2335.example.	300	IN CNAME a.rfc2335.example.
+			300	SIG	CNAME 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					L3IOluq+kboBd2gR2Mu54uJKCUzfmyHRiWKl
+					kfx+vuFr0I8mEHQRmJtouxNDrBzmzGp5vybK
+					SdabLWw0n6uQEA== )
+			300	NXT	z.rfc2335.example. CNAME SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					CBKoJSkZzdpwiON7JS4yPFY5VVeBjfT19x/O
+					vx+5UK1JZUNKhTXWWgW1er+JlLzNf4Ot40+l
+					z9HUTyaeS0eWyw== )
+z.rfc2335.example.	300	IN A	10.0.0.26
+			300	SIG	A 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					ccqjVHnehvVwlNNd4+7n/GzGlRjj+ul0gCT3
+					X3950LTccxHsOFyjNNm8v/Ho/aurSYdqXEjY
+					jwmjC6elwkzB7A== )
+			300	NXT	rfc2335.example. A SIG NXT
+			300	SIG	NXT 1 3 300 20040530021915 (
+					20040430021915 47799 rfc2335.example.
+					W42WoFyd9erysv8HjKo+CpHIH1x6+pAKwCDO
+					/hHnkEpQI3brewxl7cWOPYeA92Ns80Ody/ui
+					m2E28A5gnmWqPw== )

bin/tests/system/dnssec/ns3/named.conf

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.26 2004/04/15 23:40:22 marka Exp $ */
+/* $Id: named.conf,v 1.27 2004/05/05 01:32:57 marka Exp $ */
 
 // NS3
 
@@ -79,4 +79,10 @@ zone "mustbesecure.example" {
 	file "mustbesecure.example.db";
 };
 
+zone "rfc2335.example" {
+	type slave;
+	masters { 10.53.0.2; };
+	file "rfc2335.example.bk";
+};
+
 include "trusted.conf";

bin/tests/system/dnssec/tests.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.44 2004/03/10 02:19:53 marka Exp $
+# $Id: tests.sh,v 1.45 2004/05/05 01:32:56 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -446,6 +446,27 @@ ret=0
 $DIG $DIGOPTS private.secure.example. SOA @10.53.0.6 \
 	> dig.out.ns6.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that we can load a rfc2535 signed zone ($n)"
+ret=0
+$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.2 \
+	> dig.out.ns2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that we can transfer a rfc2535 signed zone ($n)"
+ret=0
+$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.3 \
+	> dig.out.ns3.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
 
 # Run a minimal update test if possible.  This is really just
 # a regression test for RT #2399; more tests should be added.

lib/dns/master.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master.c,v 1.148 2004/03/05 05:09:21 marka Exp $ */
+/* $Id: master.c,v 1.149 2004/05/05 01:32:58 marka Exp $ */
 
 #include <config.h>
 
@@ -1645,7 +1645,8 @@ load(dns_loadctx_t *lctx) {
 		}
 
 
-		if (type == dns_rdatatype_rrsig)
+		if (type == dns_rdatatype_rrsig ||
+		    type == dns_rdatatype_sig)
 			covers = dns_rdata_covers(&rdata[rdcount]);
 		else
 			covers = 0;

lib/dns/message.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.222 2004/03/10 00:47:40 marka Exp $ */
+/* $Id: message.c,v 1.223 2004/05/05 01:32:58 marka Exp $ */
 
 /***
  *** Imports
@@ -1288,18 +1288,16 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
 		rdata->rdclass = rdclass;
+		issigzero = ISC_FALSE;
 		if (rdtype == dns_rdatatype_rrsig  &&
 		    rdata->flags == 0) {
 			covers = dns_rdata_covers(rdata);
 			if (covers == 0)
 				DO_FORMERR;
-		} else
-			covers = 0;
-
-		issigzero = ISC_FALSE;
-		if (rdtype == dns_rdatatype_sig /* SIG(0) */ &&
-		    rdata->flags == 0) {
-			if (dns_rdata_covers(rdata) == 0) {
+		} else if (rdtype == dns_rdatatype_sig /* SIG(0) */ &&
+			   rdata->flags == 0) {
+			covers = dns_rdata_covers(rdata);
+			if (covers == 0) {
 				if (sectionid != DNS_SECTION_ADDITIONAL ||
 				    count != msg->counts[sectionid]  - 1)
 					DO_FORMERR;
@@ -1308,7 +1306,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 				skip_type_search = ISC_TRUE;
 				issigzero = ISC_TRUE;
 			}
-		}
+		} else
+			covers = 0;
 
 		/*
 		 * If we are doing a dynamic update or this is a meta-type,

lib/dns/rbtdb.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.196 2004/03/05 05:09:22 marka Exp $ */
+/* $Id: rbtdb.c,v 1.197 2004/05/05 01:32:58 marka Exp $ */
 
 /*
  * Principal Author: Bob Halley
@@ -3669,10 +3669,13 @@ cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
 			 * or RRSIG CNAME.
 			 */
 			rdtype = RBTDB_RDATATYPE_BASE(header->type);
-			if (rdtype == dns_rdatatype_rrsig)
+			if (rdtype == dns_rdatatype_rrsig ||
+			    rdtype == dns_rdatatype_sig)
 				rdtype = RBTDB_RDATATYPE_EXT(header->type);
 			if (rdtype != dns_rdatatype_nsec &&
 			    rdtype != dns_rdatatype_dnskey &&
+			    rdtype != dns_rdatatype_nxt &&
+			    rdtype != dns_rdatatype_key &&
 			    rdtype != dns_rdatatype_cname) {
 				/*
 				 * We've found a type that isn't