Commit 638c7c63 authored by Mark Andrews's avatar Mark Andrews

4580. [bug] 4578 introduced a regression when handling CNAME to

                        referral below the current domain. [RT #44850]
parent ecbef65a
4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]
4579. [func] Logging channels and dnstap output files can now
be configured with a "suffix" option, set to
either "increment" or "timestamp", indicating
......
......@@ -6256,7 +6256,7 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
static isc_boolean_t
is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
dns_rdataset_t *rdataset)
dns_rdataset_t *rdataset, isc_boolean_t *chainingp)
{
isc_result_t result;
dns_rbtnode_t *node = NULL;
......@@ -6277,8 +6277,11 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
REQUIRE(rdataset->type == dns_rdatatype_cname ||
rdataset->type == dns_rdatatype_dname);
/* By default, we allow any target name. */
if (view->denyanswernames == NULL)
/*
* By default, we allow any target name.
* If newqname != NULL we also need to extract the newqname.
*/
if (chainingp == NULL && view->denyanswernames == NULL)
return (ISC_TRUE);
result = dns_rdataset_first(rdataset);
......@@ -6301,7 +6304,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
dns_name_split(qname, nlabels, &prefix, NULL);
result = dns_name_concatenate(&prefix, &dname.dname, tname,
NULL);
if (result == ISC_R_NOSPACE)
if (result == DNS_R_NAMETOOLONG)
return (ISC_TRUE);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
break;
......@@ -6309,6 +6312,12 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
INSIST(0);
}
if (chainingp != NULL)
*chainingp = ISC_TRUE;
if (view->denyanswernames == NULL)
return (ISC_TRUE);
/*
* If the owner name matches one in the exclusion list, either exactly
* or partially, allow it.
......@@ -6994,7 +7003,7 @@ answer_response(fetchctx_t *fctx) {
if ((rdataset->type == dns_rdatatype_cname ||
rdataset->type == dns_rdatatype_dname) &&
!is_answertarget_allowed(fctx, qname, aname,
rdataset))
rdataset, NULL))
{
return (DNS_R_SERVFAIL);
}
......@@ -7017,7 +7026,9 @@ answer_response(fetchctx_t *fctx) {
}
if ((ardataset->type == dns_rdatatype_cname ||
ardataset->type == dns_rdatatype_dname) &&
!is_answertarget_allowed(fctx, qname, aname, ardataset)) {
!is_answertarget_allowed(fctx, qname, aname, ardataset,
NULL))
{
return (DNS_R_SERVFAIL);
}
aname->attributes |= DNS_NAMEATTR_CACHE;
......@@ -7052,7 +7063,9 @@ answer_response(fetchctx_t *fctx) {
log_formerr(fctx, "CNAME response for %s RR", buf);
return (DNS_R_FORMERR);
}
if (!is_answertarget_allowed(fctx, qname, cname, crdataset)) {
if (!is_answertarget_allowed(fctx, qname, cname, crdataset,
NULL))
{
return (DNS_R_SERVFAIL);
}
cname->attributes |= DNS_NAMEATTR_CACHE;
......@@ -7084,7 +7097,8 @@ answer_response(fetchctx_t *fctx) {
if (!validinanswer(drdataset, fctx)) {
return (DNS_R_FORMERR);
}
if (!is_answertarget_allowed(fctx, qname, dname, drdataset)) {
if (!is_answertarget_allowed(fctx, qname, dname, drdataset,
&chaining)) {
return (DNS_R_SERVFAIL);
}
dname->attributes |= DNS_NAMEATTR_CACHE;
......@@ -7111,7 +7125,6 @@ answer_response(fetchctx_t *fctx) {
sigrdataset->trust = trust;
break;
}
chaining = ISC_TRUE;
} else {
log_formerr(fctx, "reply has no answer");
return (DNS_R_FORMERR);
......@@ -7126,13 +7139,7 @@ answer_response(fetchctx_t *fctx) {
* Did chaining end before we got the final answer?
*/
if (chaining) {
/*
* Yes. This may be a negative reply, so hand off
* authority section processing to the noanswer code.
* If it isn't a noanswer response, no harm will be
* done.
*/
return (noanswer_response(fctx, qname, 0));
return (ISC_R_SUCCESS);
}
/*
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment