Commit 4a2729a4 authored by Mark Andrews

Merge branch '209-glue-is-no-longer-included-v9_11' into 'v9_11'

Resolve "Glue is no longer included for non-DNSSEC-signed zones since CHANGE 4596"

See merge request !286
parents 0b7337f7 32681598
Pipeline #2076 failed with stages
in 7 minutes and 10 seconds
......@@ -11,6 +11,9 @@
4949. [bug] lib/isc/print.c failed to handle floating point
output correctly. [GL #261]
4946. [bug] Additional glue was not being returned by resolver
for unsigned zones since change 4596. [GL #209]
4939. [test] Add basic unit tests for update_sigs(). [GL #135]
4935. [func] Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0
......
......@@ -1620,15 +1620,21 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdataset_disassociate(sigrdataset);
}
if (result == ISC_R_SUCCESS) {
isc_boolean_t invalid = ISC_FALSE;
mname = NULL;
#ifdef ALLOW_FILTER_AAAA
have_a = ISC_TRUE;
#endif
if (additionaltype == dns_rdatasetadditional_fromcache &&
if (additionaltype ==
dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) &&
!validate(client, db, fname, rdataset, sigrdataset))
{
invalid = ISC_TRUE;
}
if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
dns_rdataset_disassociate(rdataset);
if (sigrdataset != NULL &&
dns_rdataset_isassociated(sigrdataset))
......@@ -1683,6 +1689,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdataset_disassociate(sigrdataset);
}
if (result == ISC_R_SUCCESS) {
isc_boolean_t invalid = ISC_FALSE;
mname = NULL;
/*
* There's an A; check whether we're filtering AAAA
......@@ -1695,11 +1702,16 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
!dns_rdataset_isassociated(sigrdataset)))))
goto addname;
#endif
if (additionaltype == dns_rdatasetadditional_fromcache &&
if (additionaltype ==
dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) &&
!validate(client, db, fname, rdataset, sigrdataset))
{
invalid = ISC_TRUE;
}
if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
dns_rdataset_disassociate(rdataset);
if (sigrdataset != NULL &&
dns_rdataset_isassociated(sigrdataset))
......@@ -1861,6 +1873,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdatasetadditional_t additionaltype;
dns_clientinfomethods_t cm;
dns_clientinfo_t ci;
isc_boolean_t invalid;
/*
* If we don't have an additional cache call query_addadditional.
......@@ -2158,15 +2171,22 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
*/
result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0,
client->now, rdataset, sigrdataset);
/*
* If we can't promote glue/pending from the cache to secure
* then drop it.
* Try to promote pending/glue from the cache to secure.
* If unable to do so, drop it from the response unless
* it's glue, in which case it may still be needed.
*/
invalid = ISC_FALSE;
if (result == ISC_R_SUCCESS &&
additionaltype == dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) &&
!validate(client, db, fname, rdataset, sigrdataset)) {
!validate(client, db, fname, rdataset, sigrdataset))
{
invalid = ISC_TRUE;
}
if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
dns_rdataset_disassociate(rdataset);
if (dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
......@@ -2201,14 +2221,20 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa,
0, client->now, rdataset, sigrdataset);
/*
* If we can't promote glue/pending from the cache to secure
* then drop it.
* Try to promote pending/glue from the cache to secure.
* If unable to do so, drop it from the response unless
* it's glue, in which case it may still be needed.
*/
invalid = ISC_FALSE;
if (result == ISC_R_SUCCESS &&
additionaltype == dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) &&
!validate(client, db, fname, rdataset, sigrdataset)) {
!validate(client, db, fname, rdataset, sigrdataset))
{
invalid = ISC_TRUE;
}
if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
dns_rdataset_disassociate(rdataset);
if (dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
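Review bot: The query_addadditional hunks at -1620 and -1695 now keep glue that failed `validate()` but carry no comment saying so, while the two query_addadditional2 hunks gain one. I would put the same text above each `if (additionaltype ==` there: `/* Try to promote pending/glue from the cache to secure. If unable to do so, drop it from the response unless it's glue, in which case it may still be needed. */`. Because the retained glue is unvalidated data placed in a response, the comment should also say whether a present-but-failing RRSIG is meant to be treated like a missing one; `validate()` is not visible on this page, so which cases make it return false cannot be confirmed from here. Both function bodies start and end outside the hunks.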
......
......@@ -73,6 +73,18 @@ stripns () {
awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' $1
}
# Check that for a query against a validating resolver where the
# authoritative zone is unsigned (insecure delegation), glue is returned
# in the additional section
echo_i "checking that additional glue is returned for unsigned delegation ($n)"
ret=0
$DIG +tcp +dnssec -p ${PORT} a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null || ret=1
grep "ns\.insecure\.example\..*A.10\.53\.0\.3" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# Check the example. domain
echo_i "checking that zone transfer worked ($n)"
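Review bot: This test pins only the positive case, that A glue for an unsigned delegation is returned; nothing in the hunk checks that pending additional data which fails validation is still left out of the response, which is the other half of the new query.c condition. A companion check that queries a name whose additional data cannot be validated, and asserts the record is absent from the ADDITIONAL section of the dig output, would guard against the glue exception being widened later. In the second grep, `A.10\.53\.0\.3` relies on an unescaped `.` to match the separator; `A[[:space:]][[:space:]]*10\.53\.0\.3` states the intent. The surrounding script continues outside the hunk.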
......