1939. [bug] The resolver could dereference a null pointer after

validation if all the queries have timed out. [RT #15528] 1938. [bug] The validator was not correctly handling unsecure negative responses at or below a SEP. [RT #15528]

1939. [bug] The resolver could dereference a null pointer after
validation if all the queries have timed out. [RT #15528] 1938. [bug] The validator was not correctly handling unsecure negative responses at or below a SEP. [RT #15528]
60ab0312 · Mark Andrews · e6d66739 · 60ab0312 · 60ab0312 · 60ab0312
Commit 60ab0312 authored Nov 03, 2005 by Mark Andrews
5 changed files
--- a/CHANGES
+++ b/CHANGES
+1939.	[bug]		The resolver could dereference a null pointer after
+			validation if all the queries have timed out.
+			[RT #15528]
+
+1938.	[bug]		The validator was not correctly handling unsecure
+			negative responses at or below a SEP. [RT #15528]
+
 1937.	[bug]		sdlz doesn't handle RRSIG records. [RT #15564]

 1936.	[bug]		The validator could leak memory. [RT #15544]

--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -18,7 +18,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- File: $Id: Bv9ARM-book.xml,v 1.281 2005/11/02 22:26:48 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.282 2005/11/03 00:51:54 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
  <title>BIND 9 Administrator Reference Manual</title>

@@ -7581,19 +7581,22 @@ query-source-v6 address * port *;
          <title><command>trusted-keys</command> Statement Definition
            and Usage</title>
          <para>
-            The <command>trusted-keys</command> statement defines
-            DNSSEC
+            The <command>trusted-keys</command> statement defines DNSSEC
            security roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A
            security root is defined when the public key for a
            non-authoritative
            zone is known, but cannot be securely obtained through DNS, either
-            because it is the  DNS root zone or because its parent zone is
+            because it is the DNS root zone or because its parent zone is
            unsigned.
            Once a key has been configured as a trusted key, it is treated as
            if it had been validated and proven secure. The resolver attempts
            DNSSEC validation on all DNS data in subdomains of a security
            root.
-          </para>
+	  </para>
+	  <para>
+	    All zones listed in <command>trusted-keys</command> are deemed
+	    to exist regardless of what parent zones say.
+	  </para>
          <para>
            The <command>trusted-keys</command> statement can
            contain

--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: validator.h,v 1.32 2005/08/25 00:56:08 marka Exp $ */
+/* $Id: validator.h,v 1.33 2005/11/03 00:51:55 marka Exp $ */

 #ifndef DNS_VALIDATOR_H
 #define DNS_VALIDATOR_H 1
@@ -25,10 +25,18 @@
 *****/

 /*! \file
+ *
 * \brief
 * DNS Validator
+ * This is the BIND 9 validator, the module responsible for validating the
+ * rdatasets and negative responses (messages).  It makes use of zones in
+ * the view and may fetch RRset to complete trust chains.  It implements
+ * DNSSEC as specified in RFC 4033, 4034 and 4035.
+ *
+ * It can also optionally implement ISC's DNSSEC look-aside validation.
 *
- * XXX TBS XXX
+ * Correct operation is critical to preventing spoofed answers from secure
+ * zones being accepted.
 *
 * MP:
 *\li	The module ensures appropriate synchronization of data structures it
@@ -44,8 +52,7 @@
 *\li	No anticipated impact.
 *
 * Standards:
- *\li	RFCs:	1034, 1035, 2181, 2535, TBS
- *\li	Drafts:	TBS
+ *\li	RFCs:	1034, 1035, 2181, 4033, 4034, 4035.
 */

 #include <isc/lang.h>
@@ -65,6 +72,10 @@
 * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
 * supplied when dns_validator_create() was called.  They are returned to the
 * caller so that they may be freed.
+ *
+ * If the RESULT is ISC_R_SUCCESS and the answer is secure then
+ * proofs[] will contain the the names of the NSEC records that hold the
+ * various proofs.  Note the same name may appear multiple times.
 */
 typedef struct dns_validatorevent {
 	ISC_EVENT_COMMON(struct dns_validatorevent);
@@ -129,7 +140,10 @@ struct dns_validator {
 	unsigned int			depth;
 };

-#define DNS_VALIDATOR_DLV 1
+/*%
+ * dns_validator_create() options.
+ */
+#define DNS_VALIDATOR_DLV 1U

 ISC_LANG_BEGINDECLS

@@ -164,13 +178,17 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 * arguments must be provided.
 *
 * The validation is performed in the context of 'view'.
- * 'options' must be zero.
 *
 * When the validation finishes, a dns_validatorevent_t with
 * the given 'action' and 'arg' are sent to 'task'.
 * Its 'result' field will be ISC_R_SUCCESS iff the
 * response was successfully proven to be either secure or
 * part of a known insecure domain.
+ *
+ * options:
+ * If DNS_VALIDATOR_DLV is set the caller knows there is not a
+ * trusted key and the validator should immediately attempt to validate
+ * the answer by looking for a appopriate DLV RRset.
 */

 void

--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: resolver.c,v 1.318 2005/10/14 01:14:09 marka Exp $ */
+/* $Id: resolver.c,v 1.319 2005/11/03 00:51:54 marka Exp $ */

 /*! \file */

@@ -3809,21 +3809,20 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	isc_result_t result;
 	result = dns_ncache_add(message, cache, node, covers, now,
 				maxttl, ardataset);
-	if (result == DNS_R_UNCHANGED) {
+	if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
 		/*
-		 * The data in the cache are better than the negative cache
-		 * entry we're trying to add.
+		 * If the cache now contains a negative entry and we
+		 * care about whether it is DNS_R_NCACHENXDOMAIN or
+		 * DNS_R_NCACHENXRRSET then extract it.
 		 */
 		if (ardataset != NULL && ardataset->type == 0) {
 			/*
-			 * The cache data is also a negative cache
-			 * entry.
+			 * The cache data is a negative cache entry.
 			 */
 			if (NXDOMAIN(ardataset))
 				*eresultp = DNS_R_NCACHENXDOMAIN;
 			else
 				*eresultp = DNS_R_NCACHENXRRSET;
-			result = ISC_R_SUCCESS;
 		} else {
 			/*
 			 * Either we don't care about the nature of the
@@ -3835,13 +3834,8 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 			 * XXXRTH  There's a CNAME/DNAME problem here.
 			 */
 			*eresultp = ISC_R_SUCCESS;
-			result = ISC_R_SUCCESS;
 		}
-	} else if (result == ISC_R_SUCCESS) {
-		if (NXDOMAIN(ardataset))
-			*eresultp = DNS_R_NCACHENXDOMAIN;
-		else
-			*eresultp = DNS_R_NCACHENXRRSET;
+		result = ISC_R_SUCCESS;
 	}

 	return (result);

--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c