Commit 60ab0312 authored by Mark Andrews's avatar Mark Andrews
Browse files

1939. [bug] The resolver could dereference a null pointer after

                        validation if all the queries have timed out.
                        [RT #15528]

1938.   [bug]           The validator was not correctly handling unsecure
                        negative responses at or below a SEP. [RT #15528]
parent e6d66739
1939. [bug] The resolver could dereference a null pointer after
validation if all the queries have timed out.
[RT #15528]
1938. [bug] The validator was not correctly handling unsecure
negative responses at or below a SEP. [RT #15528]
1937. [bug] sdlz doesn't handle RRSIG records. [RT #15564]
1936. [bug] The validator could leak memory. [RT #15544]
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.281 2005/11/02 22:26:48 marka Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.282 2005/11/03 00:51:54 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -7581,19 +7581,22 @@ query-source-v6 address * port *;
<title><command>trusted-keys</command> Statement Definition
and Usage</title>
<para>
The <command>trusted-keys</command> statement defines
DNSSEC
The <command>trusted-keys</command> statement defines DNSSEC
security roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A
security root is defined when the public key for a
non-authoritative
zone is known, but cannot be securely obtained through DNS, either
because it is the DNS root zone or because its parent zone is
because it is the DNS root zone or because its parent zone is
unsigned.
Once a key has been configured as a trusted key, it is treated as
if it had been validated and proven secure. The resolver attempts
DNSSEC validation on all DNS data in subdomains of a security
root.
</para>
</para>
<para>
All zones listed in <command>trusted-keys</command> are deemed
to exist regardless of what parent zones say.
</para>
<para>
The <command>trusted-keys</command> statement can
contain
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: validator.h,v 1.32 2005/08/25 00:56:08 marka Exp $ */
/* $Id: validator.h,v 1.33 2005/11/03 00:51:55 marka Exp $ */
#ifndef DNS_VALIDATOR_H
#define DNS_VALIDATOR_H 1
......@@ -25,10 +25,18 @@
*****/
/*! \file
*
* \brief
* DNS Validator
* This is the BIND 9 validator, the module responsible for validating the
* rdatasets and negative responses (messages). It makes use of zones in
* the view and may fetch RRset to complete trust chains. It implements
* DNSSEC as specified in RFC 4033, 4034 and 4035.
*
* It can also optionally implement ISC's DNSSEC look-aside validation.
*
* XXX TBS XXX
* Correct operation is critical to preventing spoofed answers from secure
* zones being accepted.
*
* MP:
*\li The module ensures appropriate synchronization of data structures it
......@@ -44,8 +52,7 @@
*\li No anticipated impact.
*
* Standards:
*\li RFCs: 1034, 1035, 2181, 2535, TBS
*\li Drafts: TBS
*\li RFCs: 1034, 1035, 2181, 4033, 4034, 4035.
*/
#include <isc/lang.h>
......@@ -65,6 +72,10 @@
* 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
* supplied when dns_validator_create() was called. They are returned to the
* caller so that they may be freed.
*
* If the RESULT is ISC_R_SUCCESS and the answer is secure then
* proofs[] will contain the the names of the NSEC records that hold the
* various proofs. Note the same name may appear multiple times.
*/
typedef struct dns_validatorevent {
ISC_EVENT_COMMON(struct dns_validatorevent);
......@@ -129,7 +140,10 @@ struct dns_validator {
unsigned int depth;
};
#define DNS_VALIDATOR_DLV 1
/*%
* dns_validator_create() options.
*/
#define DNS_VALIDATOR_DLV 1U
ISC_LANG_BEGINDECLS
......@@ -164,13 +178,17 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
* arguments must be provided.
*
* The validation is performed in the context of 'view'.
* 'options' must be zero.
*
* When the validation finishes, a dns_validatorevent_t with
* the given 'action' and 'arg' are sent to 'task'.
* Its 'result' field will be ISC_R_SUCCESS iff the
* response was successfully proven to be either secure or
* part of a known insecure domain.
*
* options:
* If DNS_VALIDATOR_DLV is set the caller knows there is not a
* trusted key and the validator should immediately attempt to validate
* the answer by looking for a appopriate DLV RRset.
*/
void
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: resolver.c,v 1.318 2005/10/14 01:14:09 marka Exp $ */
/* $Id: resolver.c,v 1.319 2005/11/03 00:51:54 marka Exp $ */
/*! \file */
......@@ -3809,21 +3809,20 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
isc_result_t result;
result = dns_ncache_add(message, cache, node, covers, now,
maxttl, ardataset);
if (result == DNS_R_UNCHANGED) {
if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
/*
* The data in the cache are better than the negative cache
* entry we're trying to add.
* If the cache now contains a negative entry and we
* care about whether it is DNS_R_NCACHENXDOMAIN or
* DNS_R_NCACHENXRRSET then extract it.
*/
if (ardataset != NULL && ardataset->type == 0) {
/*
* The cache data is also a negative cache
* entry.
* The cache data is a negative cache entry.
*/
if (NXDOMAIN(ardataset))
*eresultp = DNS_R_NCACHENXDOMAIN;
else
*eresultp = DNS_R_NCACHENXRRSET;
result = ISC_R_SUCCESS;
} else {
/*
* Either we don't care about the nature of the
......@@ -3835,13 +3834,8 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
* XXXRTH There's a CNAME/DNAME problem here.
*/
*eresultp = ISC_R_SUCCESS;
result = ISC_R_SUCCESS;
}
} else if (result == ISC_R_SUCCESS) {
if (NXDOMAIN(ardataset))
*eresultp = DNS_R_NCACHENXDOMAIN;
else
*eresultp = DNS_R_NCACHENXRRSET;
result = ISC_R_SUCCESS;
}
return (result);
......
This diff is collapsed.
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment