Commit 3bf783a6 authored by Mark Andrews's avatar Mark Andrews
Browse files

1982. [bug] DNSKEY was being accepted on the parent side of

                        a delegation.  KEY is still accepted there for
                        RFC 3007 validated updates. [RT #15620]
parent d849f8d7
1982. [bug] DNSKEY was being accepted on the parent side of
a delegation. KEY is still accepted there for
RFC 3007 validated updates. [RT #15620]
1981. [bug] win32: condition.c:wait() could fail to reattain
the mutex lock.
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: rbtdb.c,v 1.225 2006/01/06 00:01:44 marka Exp $ */
/* $Id: rbtdb.c,v 1.226 2006/02/16 00:59:38 marka Exp $ */
/*! \file */
......@@ -2581,12 +2581,12 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
/*
* Certain DNSSEC types are not subject to CNAME matching
* (RFC2535, section 2.3.5).
* (RFC4035, section 2.5 and RFC3007).
*
* We don't check for RRSIG, because we don't store RRSIG records
* directly.
*/
if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)
cname_ok = ISC_FALSE;
/*
......@@ -2645,9 +2645,15 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
search.need_cleanup = ISC_TRUE;
maybe_zonecut = ISC_FALSE;
at_zonecut = ISC_TRUE;
/*
* It is not clear if KEY should still be
* allowed at the parent side of the zone
* cut or not. It is needed for RFC3007
* validated updates.
*/
if ((search.options & DNS_DBFIND_GLUEOK) == 0
&& type != dns_rdatatype_nsec
&& type != dns_rdatatype_dnskey) {
&& type != dns_rdatatype_key) {
/*
* Glue is not OK, but any answer we
* could return would be glue. Return
......@@ -2831,8 +2837,14 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
* and the type is NSEC or KEY.
*/
if (search.zonecut == node) {
/*
* It is not clear if KEY should still be
* allowed at the parent side of the zone
* cut or not. It is needed for RFC3007
* validated updates.
*/
if (type == dns_rdatatype_nsec ||
type == dns_rdatatype_dnskey)
type == dns_rdatatype_key)
result = ISC_R_SUCCESS;
else if (type == dns_rdatatype_any)
result = DNS_R_ZONECUT;
......@@ -3377,12 +3389,12 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
/*
* Certain DNSSEC types are not subject to CNAME matching
* (RFC2535, section 2.3.5).
* (RFC4035, section 2.5 and RFC3007).
*
* We don't check for RRSIG, because we don't store RRSIG records
* directly.
*/
if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
if (type == dns_rdatatype_key || type == dns_rdatatype_nsec)
cname_ok = ISC_FALSE;
/*
......@@ -4307,16 +4319,13 @@ cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
* Look for active extant "other data".
*
* "Other data" is any rdataset whose type is not
* DNSKEY, RRSIG DNSKEY, NSEC, RRSIG NSEC,
* or RRSIG CNAME.
* KEY, RRSIG KEY, NSEC, RRSIG NSEC or RRSIG CNAME.
*/
rdtype = RBTDB_RDATATYPE_BASE(header->type);
if (rdtype == dns_rdatatype_rrsig ||
rdtype == dns_rdatatype_sig)
rdtype = RBTDB_RDATATYPE_EXT(header->type);
if (rdtype != dns_rdatatype_nsec &&
rdtype != dns_rdatatype_dnskey &&
rdtype != dns_rdatatype_nxt &&
rdtype != dns_rdatatype_key &&
rdtype != dns_rdatatype_cname) {
/*
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment