Commit 638c7c63 authored by Mark Andrews's avatar Mark Andrews

4580. [bug] 4578 introduced a regression when handling CNAME to

                        referral below the current domain. [RT #44850]
parent ecbef65a
4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]
4579. [func] Logging channels and dnstap output files can now 4579. [func] Logging channels and dnstap output files can now
be configured with a "suffix" option, set to be configured with a "suffix" option, set to
either "increment" or "timestamp", indicating either "increment" or "timestamp", indicating
......
...@@ -6256,7 +6256,7 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name, ...@@ -6256,7 +6256,7 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
static isc_boolean_t static isc_boolean_t
is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
dns_rdataset_t *rdataset) dns_rdataset_t *rdataset, isc_boolean_t *chainingp)
{ {
isc_result_t result; isc_result_t result;
dns_rbtnode_t *node = NULL; dns_rbtnode_t *node = NULL;
...@@ -6277,8 +6277,11 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, ...@@ -6277,8 +6277,11 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
REQUIRE(rdataset->type == dns_rdatatype_cname || REQUIRE(rdataset->type == dns_rdatatype_cname ||
rdataset->type == dns_rdatatype_dname); rdataset->type == dns_rdatatype_dname);
/* By default, we allow any target name. */ /*
if (view->denyanswernames == NULL) * By default, we allow any target name.
* If newqname != NULL we also need to extract the newqname.
*/
if (chainingp == NULL && view->denyanswernames == NULL)
return (ISC_TRUE); return (ISC_TRUE);
result = dns_rdataset_first(rdataset); result = dns_rdataset_first(rdataset);
...@@ -6301,7 +6304,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, ...@@ -6301,7 +6304,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
dns_name_split(qname, nlabels, &prefix, NULL); dns_name_split(qname, nlabels, &prefix, NULL);
result = dns_name_concatenate(&prefix, &dname.dname, tname, result = dns_name_concatenate(&prefix, &dname.dname, tname,
NULL); NULL);
if (result == ISC_R_NOSPACE) if (result == DNS_R_NAMETOOLONG)
return (ISC_TRUE); return (ISC_TRUE);
RUNTIME_CHECK(result == ISC_R_SUCCESS); RUNTIME_CHECK(result == ISC_R_SUCCESS);
break; break;
...@@ -6309,6 +6312,12 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, ...@@ -6309,6 +6312,12 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
INSIST(0); INSIST(0);
} }
if (chainingp != NULL)
*chainingp = ISC_TRUE;
if (view->denyanswernames == NULL)
return (ISC_TRUE);
/* /*
* If the owner name matches one in the exclusion list, either exactly * If the owner name matches one in the exclusion list, either exactly
* or partially, allow it. * or partially, allow it.
...@@ -6994,7 +7003,7 @@ answer_response(fetchctx_t *fctx) { ...@@ -6994,7 +7003,7 @@ answer_response(fetchctx_t *fctx) {
if ((rdataset->type == dns_rdatatype_cname || if ((rdataset->type == dns_rdatatype_cname ||
rdataset->type == dns_rdatatype_dname) && rdataset->type == dns_rdatatype_dname) &&
!is_answertarget_allowed(fctx, qname, aname, !is_answertarget_allowed(fctx, qname, aname,
rdataset)) rdataset, NULL))
{ {
return (DNS_R_SERVFAIL); return (DNS_R_SERVFAIL);
} }
...@@ -7017,7 +7026,9 @@ answer_response(fetchctx_t *fctx) { ...@@ -7017,7 +7026,9 @@ answer_response(fetchctx_t *fctx) {
} }
if ((ardataset->type == dns_rdatatype_cname || if ((ardataset->type == dns_rdatatype_cname ||
ardataset->type == dns_rdatatype_dname) && ardataset->type == dns_rdatatype_dname) &&
!is_answertarget_allowed(fctx, qname, aname, ardataset)) { !is_answertarget_allowed(fctx, qname, aname, ardataset,
NULL))
{
return (DNS_R_SERVFAIL); return (DNS_R_SERVFAIL);
} }
aname->attributes |= DNS_NAMEATTR_CACHE; aname->attributes |= DNS_NAMEATTR_CACHE;
...@@ -7052,7 +7063,9 @@ answer_response(fetchctx_t *fctx) { ...@@ -7052,7 +7063,9 @@ answer_response(fetchctx_t *fctx) {
log_formerr(fctx, "CNAME response for %s RR", buf); log_formerr(fctx, "CNAME response for %s RR", buf);
return (DNS_R_FORMERR); return (DNS_R_FORMERR);
} }
if (!is_answertarget_allowed(fctx, qname, cname, crdataset)) { if (!is_answertarget_allowed(fctx, qname, cname, crdataset,
NULL))
{
return (DNS_R_SERVFAIL); return (DNS_R_SERVFAIL);
} }
cname->attributes |= DNS_NAMEATTR_CACHE; cname->attributes |= DNS_NAMEATTR_CACHE;
...@@ -7084,7 +7097,8 @@ answer_response(fetchctx_t *fctx) { ...@@ -7084,7 +7097,8 @@ answer_response(fetchctx_t *fctx) {
if (!validinanswer(drdataset, fctx)) { if (!validinanswer(drdataset, fctx)) {
return (DNS_R_FORMERR); return (DNS_R_FORMERR);
} }
if (!is_answertarget_allowed(fctx, qname, dname, drdataset)) { if (!is_answertarget_allowed(fctx, qname, dname, drdataset,
&chaining)) {
return (DNS_R_SERVFAIL); return (DNS_R_SERVFAIL);
} }
dname->attributes |= DNS_NAMEATTR_CACHE; dname->attributes |= DNS_NAMEATTR_CACHE;
...@@ -7111,7 +7125,6 @@ answer_response(fetchctx_t *fctx) { ...@@ -7111,7 +7125,6 @@ answer_response(fetchctx_t *fctx) {
sigrdataset->trust = trust; sigrdataset->trust = trust;
break; break;
} }
chaining = ISC_TRUE;
} else { } else {
log_formerr(fctx, "reply has no answer"); log_formerr(fctx, "reply has no answer");
return (DNS_R_FORMERR); return (DNS_R_FORMERR);
...@@ -7126,13 +7139,7 @@ answer_response(fetchctx_t *fctx) { ...@@ -7126,13 +7139,7 @@ answer_response(fetchctx_t *fctx) {
* Did chaining end before we got the final answer? * Did chaining end before we got the final answer?
*/ */
if (chaining) { if (chaining) {
/* return (ISC_R_SUCCESS);
* Yes. This may be a negative reply, so hand off
* authority section processing to the noanswer code.
* If it isn't a noanswer response, no harm will be
* done.
*/
return (noanswer_response(fctx, qname, 0));
} }
/* /*
......
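Review bot: The rewritten comment above the first early return in is_answertarget_allowed() refers to `newqname`, but the parameter this commit adds is `chainingp`, and the out-parameter's contract is not written down in the visible hunks. `*chainingp` is assigned only after the switch, so the `return (ISC_TRUE)` taken on `DNS_R_NAMETOOLONG` leaves it untouched, and the DNAME caller in answer_response() has to initialise `chaining` itself; that initialisation is outside the hunks. I would reword the comment to `If chainingp != NULL we still have to parse the target so that *chainingp can be set; it is not written on the early-return paths.` It is also worth confirming that, with the test changed from `ISC_R_NOSPACE` to `DNS_R_NAMETOOLONG`, no other result can come back for a response-supplied name, because anything else now ends in `RUNTIME_CHECK`; that holds only if `tname`'s buffer always fits a maximum-length name, and its declaration is not shown. The function body begins and ends outside these hunks.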