1939. [bug] The resolver could dereference a null pointer after

                        validation if all the queries have timed out.
                        [RT #15528]

1938.   [bug]           The validator was not correctly handling unsecure
                        negative responses at or below a SEP. [RT #15528]

CHANGES

+1939.	[bug]		The resolver could dereference a null pointer after
+			validation if all the queries have timed out.
+			[RT #15528]
+
+1938.	[bug]		The validator was not correctly handling unsecure
+			negative responses at or below a SEP. [RT #15528]
+
 1937.	[bug]		sdlz doesn't handle RRSIG records. [RT #15564]
 
 1936.	[bug]		The validator could leak memory. [RT #15544]

doc/arm/Bv9ARM-book.xml

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.281 2005/11/02 22:26:48 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.282 2005/11/03 00:51:54 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -7581,19 +7581,22 @@ query-source-v6 address * port *;
           <title><command>trusted-keys</command> Statement Definition
             and Usage</title>
           <para>
-            The <command>trusted-keys</command> statement defines
-            DNSSEC
+            The <command>trusted-keys</command> statement defines DNSSEC
             security roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A
             security root is defined when the public key for a
             non-authoritative
             zone is known, but cannot be securely obtained through DNS, either
-            because it is the  DNS root zone or because its parent zone is
+            because it is the DNS root zone or because its parent zone is
             unsigned.
             Once a key has been configured as a trusted key, it is treated as
             if it had been validated and proven secure. The resolver attempts
             DNSSEC validation on all DNS data in subdomains of a security
             root.
-          </para>
+	  </para>
+	  <para>
+	    All zones listed in <command>trusted-keys</command> are deemed
+	    to exist regardless of what parent zones say.
+	  </para>
           <para>
             The <command>trusted-keys</command> statement can
             contain

lib/dns/include/dns/validator.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.h,v 1.32 2005/08/25 00:56:08 marka Exp $ */
+/* $Id: validator.h,v 1.33 2005/11/03 00:51:55 marka Exp $ */
 
 #ifndef DNS_VALIDATOR_H
 #define DNS_VALIDATOR_H 1
@@ -25,10 +25,18 @@
  *****/
 
 /*! \file
+ *
  * \brief
  * DNS Validator
+ * This is the BIND 9 validator, the module responsible for validating the
+ * rdatasets and negative responses (messages).  It makes use of zones in
+ * the view and may fetch RRset to complete trust chains.  It implements
+ * DNSSEC as specified in RFC 4033, 4034 and 4035.
+ *
+ * It can also optionally implement ISC's DNSSEC look-aside validation.
  *
- * XXX TBS XXX
+ * Correct operation is critical to preventing spoofed answers from secure
+ * zones being accepted.
  *
  * MP:
  *\li	The module ensures appropriate synchronization of data structures it
@@ -44,8 +52,7 @@
  *\li	No anticipated impact.
  *
  * Standards:
- *\li	RFCs:	1034, 1035, 2181, 2535, TBS
- *\li	Drafts:	TBS
+ *\li	RFCs:	1034, 1035, 2181, 4033, 4034, 4035.
  */
 
 #include <isc/lang.h>
@@ -65,6 +72,10 @@
  * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
  * supplied when dns_validator_create() was called.  They are returned to the
  * caller so that they may be freed.
+ *
+ * If the RESULT is ISC_R_SUCCESS and the answer is secure then
+ * proofs[] will contain the the names of the NSEC records that hold the
+ * various proofs.  Note the same name may appear multiple times.
  */
 typedef struct dns_validatorevent {
 	ISC_EVENT_COMMON(struct dns_validatorevent);
@@ -129,7 +140,10 @@ struct dns_validator {
 	unsigned int			depth;
 };
 
-#define DNS_VALIDATOR_DLV 1
+/*%
+ * dns_validator_create() options.
+ */
+#define DNS_VALIDATOR_DLV 1U
 
 ISC_LANG_BEGINDECLS
 
@@ -164,13 +178,17 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
  * arguments must be provided.
  *
  * The validation is performed in the context of 'view'.
- * 'options' must be zero.
  *
  * When the validation finishes, a dns_validatorevent_t with
  * the given 'action' and 'arg' are sent to 'task'.
  * Its 'result' field will be ISC_R_SUCCESS iff the
  * response was successfully proven to be either secure or
  * part of a known insecure domain.
+ *
+ * options:
+ * If DNS_VALIDATOR_DLV is set the caller knows there is not a
+ * trusted key and the validator should immediately attempt to validate
+ * the answer by looking for a appopriate DLV RRset.
  */
 
 void

lib/dns/resolver.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.318 2005/10/14 01:14:09 marka Exp $ */
+/* $Id: resolver.c,v 1.319 2005/11/03 00:51:54 marka Exp $ */
 
 /*! \file */
 
@@ -3809,21 +3809,20 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	isc_result_t result;
 	result = dns_ncache_add(message, cache, node, covers, now,
 				maxttl, ardataset);
-	if (result == DNS_R_UNCHANGED) {
+	if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
 		/*
-		 * The data in the cache are better than the negative cache
-		 * entry we're trying to add.
+		 * If the cache now contains a negative entry and we
+		 * care about whether it is DNS_R_NCACHENXDOMAIN or
+		 * DNS_R_NCACHENXRRSET then extract it.
 		 */
 		if (ardataset != NULL && ardataset->type == 0) {
 			/*
-			 * The cache data is also a negative cache
-			 * entry.
+			 * The cache data is a negative cache entry.
 			 */
 			if (NXDOMAIN(ardataset))
 				*eresultp = DNS_R_NCACHENXDOMAIN;
 			else
 				*eresultp = DNS_R_NCACHENXRRSET;
-			result = ISC_R_SUCCESS;
 		} else {
 			/*
 			 * Either we don't care about the nature of the
@@ -3835,13 +3834,8 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 			 * XXXRTH  There's a CNAME/DNAME problem here.
 			 */
 			*eresultp = ISC_R_SUCCESS;
-			result = ISC_R_SUCCESS;
 		}
-	} else if (result == ISC_R_SUCCESS) {
-		if (NXDOMAIN(ardataset))
-			*eresultp = DNS_R_NCACHENXDOMAIN;
-		else
-			*eresultp = DNS_R_NCACHENXRRSET;
+		result = ISC_R_SUCCESS;
 	}
 
 	return (result);