1763. [func] Perform sanity checks on NS records which refer to

'in zone' names. [RT #13002]

1763. [func] Perform sanity checks on NS records which refer to
'in zone' names. [RT #13002]
6c52944e · Mark Andrews · e9475442 · 6c52944e · 6c52944e · 6c52944e
Commit 6c52944e authored Nov 23, 2004 by Mark Andrews
25 changed files
--- a/CHANGES
+++ b/CHANGES
@@ -23,7 +23,8 @@
 			if there was no SOA record in the replacment db.
 			[RT #13016]

-1763.	[placeholder]	rt13002
+1763.	[func]		Perform sanity checks on NS records which refer to
+			'in zone' names. [RT #13002]

 1762.	[bug]		isc_interfaceiter_create() could return ISC_R_SUCCESS
 			even when it failed. [RT #12995]

--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: conf.sh.in,v 1.27 2004/03/05 04:59:12 marka Exp $
+# $Id: conf.sh.in,v 1.28 2004/11/23 05:23:35 marka Exp $

 #
 # Common configuration data for system tests, to be sourced into
@@ -37,16 +37,17 @@ RNDC=$TOP/bin/rndc/rndc
 NSUPDATE=$TOP/bin/nsupdate/nsupdate
 KEYGEN=$TOP/bin/dnssec/dnssec-keygen
 SIGNER=$TOP/bin/dnssec/dnssec-signzone
+CHECKZONE=$TOP/bin/check/named-checkzone

 # The "stress" test is not run by default since it creates enough
 # load on the machine to make it unusable to other users.
 # v6synth
 SUBDIRS="cacheclean checknames dnssec forward glue ixfr limits lwresd \
    masterfile notify nsupdate resolver sortlist stub tkey \
-    unknown upforwd views xfer xferquota"
+    unknown upforwd views xfer xferquota zonechecks"

 # PERL will be an empty string if no perl interpreter was found.
 PERL=@PERL@

 export NAMED LWRESD DIG NSUPDATE KEYGEN SIGNER KEYSIGNER KEYSETTOOL PERL \
-    SUBDIRS RNDC
+    SUBDIRS RNDC CHECKZONE
--- a/bin/tests/system/masterfile/knowngood.dig.out
+++ b/bin/tests/system/masterfile/knowngood.dig.out
@@ -19,6 +19,7 @@ c.ttl2.			2	IN	TXT	"inherited ttl 2"
 d.ttl2.			3	IN	TXT	"default ttl 3"
 e.ttl2.			2	IN	TXT	"explicit ttl 2"
 f.ttl2.			3	IN	TXT	"default ttl 3"
+ns.ttl2.		1	IN	A	10.53.0.1
 ttl2.			1	IN	SOA	ns.ttl2. hostmaster.ttl2. 1 3600 1800 1814400 3
 ttl2.			1	IN	SOA	ns.ttl2. hostmaster.ttl2. 1 3600 1800 1814400 3
 ttl2.			1	IN	NS	ns.ttl2.
@@ -28,4 +29,5 @@ c.ttl2.			2	IN	TXT	"inherited ttl 2"
 d.ttl2.			3	IN	TXT	"default ttl 3"
 e.ttl2.			2	IN	TXT	"explicit ttl 2"
 f.ttl2.			3	IN	TXT	"default ttl 3"
+ns.ttl2.		1	IN	A	10.53.0.1
 ttl2.			1	IN	SOA	ns.ttl2. hostmaster.ttl2. 1 3600 1800 1814400 3
--- a/bin/tests/system/masterfile/ns1/ttl1.db
+++ b/bin/tests/system/masterfile/ns1/ttl1.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: ttl1.db,v 1.3 2004/03/05 05:01:35 marka Exp $
+; $Id: ttl1.db,v 1.4 2004/11/23 05:23:38 marka Exp $

 @			IN SOA	ns hostmaster (
 				1        ; serial
@@ -23,6 +23,7 @@
 				3
 				)
 			NS	ns
+ns			A	10.53.0.1
 a			TXT	"soa minttl 3"
 b		2	TXT	"explicit ttl 2"
 c			TXT	"soa minttl 3"

--- a/bin/tests/system/masterfile/ns1/ttl2.db
+++ b/bin/tests/system/masterfile/ns1/ttl2.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: ttl2.db,v 1.3 2004/03/05 05:01:35 marka Exp $
+; $Id: ttl2.db,v 1.4 2004/11/23 05:23:38 marka Exp $

 @		1	IN SOA	ns hostmaster (
 				1        ; serial
@@ -23,6 +23,7 @@
 				3
 				)
 			NS	ns
+ns			A	10.53.0.1
 a			TXT	"inherited ttl 1"
 b		2	TXT	"explicit ttl 2"
 c			TXT	"inherited ttl 2"

--- a/bin/tests/system/nsupdate/knowngood.ns1.after
+++ b/bin/tests/system/nsupdate/knowngood.ns1.after
 example.nil.		300	IN	SOA	ns1.example.nil. hostmaster.example.nil. 2 2000 2000 1814400 3600
+example.nil.		300	IN	NS	ns1.example.nil.
 example.nil.		300	IN	NS	ns2.example.nil.
-example.nil.		300	IN	NS	ns3.example.nil.
 *.example.nil.		300	IN	MX	10 mail.example.nil.
 a.example.nil.		300	IN	TXT	"foo foo foo"
 a.example.nil.		300	IN	PTR	foo.net.
@@ -21,12 +21,12 @@ dname02.example.nil.	3600	IN	DNAME	dname-target.example.nil.
 dname03.example.nil.	3600	IN	DNAME	.
 e.example.nil.		300	IN	MX	10 mail.example.nil.
 e.example.nil.		300	IN	TXT	"one"
-e.example.nil.		300	IN	TXT	"three"
 e.example.nil.		300	IN	TXT	"two"
+e.example.nil.		300	IN	TXT	"three"
 e.example.nil.		300	IN	A	73.80.65.49
 e.example.nil.		300	IN	A	73.80.65.50
-e.example.nil.		300	IN	A	73.80.65.52
 e.example.nil.		300	IN	A	73.80.65.51
+e.example.nil.		300	IN	A	73.80.65.52
 f.example.nil.		300	IN	A	73.80.65.52
 gpos01.example.nil.	3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
 gpos02.example.nil.	3600	IN	GPOS	"" "" ""
@@ -55,8 +55,8 @@ naptr01.example.nil.	3600	IN	NAPTR	0 0 "" "" "" .
 naptr02.example.nil.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
 ns1.example.nil.	300	IN	A	10.53.0.1
 ns2.example.nil.	300	IN	A	10.53.0.2
-nsap-ptr01.example.nil.	3600	IN	NSAP-PTR foo.
 nsap-ptr01.example.nil.	3600	IN	NSAP-PTR .
+nsap-ptr01.example.nil.	3600	IN	NSAP-PTR foo.
 nsap01.example.nil.	3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
 nsap02.example.nil.	3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
 nxt01.example.nil.	3600	IN	NXT	a.secure.example.nil. NS SOA MX SIG KEY LOC NXT
@@ -97,4 +97,3 @@ wks02.example.nil.	3600	IN	WKS	10.0.0.1 17 0 1 2 53
 wks03.example.nil.	3600	IN	WKS	10.0.0.2 6 65535
 x2501.example.nil.	3600	IN	X25	"123456789"
 example.nil.		300	IN	SOA	ns1.example.nil. hostmaster.example.nil. 2 2000 2000 1814400 3600
-
--- a/bin/tests/system/nsupdate/knowngood.ns1.afterstop
+++ b/bin/tests/system/nsupdate/knowngood.ns1.afterstop
 updated4.example.nil.	600	IN	A	10.10.10.3
+example.nil.		300	IN	NS	ns1.example.nil.
 example.nil.		300	IN	NS	ns2.example.nil.
-example.nil.		300	IN	NS	ns3.example.nil.
--- a/bin/tests/system/nsupdate/knowngood.ns1.before
+++ b/bin/tests/system/nsupdate/knowngood.ns1.before
 example.nil.		300	IN	SOA	ns1.example.nil. hostmaster.example.nil. 1 2000 2000 1814400 3600
+example.nil.		300	IN	NS	ns1.example.nil.
 example.nil.		300	IN	NS	ns2.example.nil.
-example.nil.		300	IN	NS	ns3.example.nil.
 *.example.nil.		300	IN	MX	10 mail.example.nil.
 a.example.nil.		300	IN	TXT	"foo foo foo"
 a.example.nil.		300	IN	PTR	foo.net.
@@ -21,12 +21,12 @@ dname02.example.nil.	3600	IN	DNAME	dname-target.example.nil.
 dname03.example.nil.	3600	IN	DNAME	.
 e.example.nil.		300	IN	MX	10 mail.example.nil.
 e.example.nil.		300	IN	TXT	"one"
-e.example.nil.		300	IN	TXT	"three"
 e.example.nil.		300	IN	TXT	"two"
+e.example.nil.		300	IN	TXT	"three"
 e.example.nil.		300	IN	A	73.80.65.49
 e.example.nil.		300	IN	A	73.80.65.50
-e.example.nil.		300	IN	A	73.80.65.52
 e.example.nil.		300	IN	A	73.80.65.51
+e.example.nil.		300	IN	A	73.80.65.52
 f.example.nil.		300	IN	A	73.80.65.52
 gpos01.example.nil.	3600	IN	GPOS	"-22.6882" "116.8652" "250.0"
 gpos02.example.nil.	3600	IN	GPOS	"" "" ""
@@ -55,8 +55,8 @@ naptr01.example.nil.	3600	IN	NAPTR	0 0 "" "" "" .
 naptr02.example.nil.	3600	IN	NAPTR	65535 65535 "blurgh" "blorf" "blegh" foo.
 ns1.example.nil.	300	IN	A	10.53.0.1
 ns2.example.nil.	300	IN	A	10.53.0.2
-nsap-ptr01.example.nil.	3600	IN	NSAP-PTR foo.
 nsap-ptr01.example.nil.	3600	IN	NSAP-PTR .
+nsap-ptr01.example.nil.	3600	IN	NSAP-PTR foo.
 nsap01.example.nil.	3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
 nsap02.example.nil.	3600	IN	NSAP	0x47000580005a0000000001e133ffffff00016100
 nxt01.example.nil.	3600	IN	NXT	a.secure.example.nil. NS SOA MX SIG KEY LOC NXT
@@ -96,4 +96,3 @@ wks02.example.nil.	3600	IN	WKS	10.0.0.1 17 0 1 2 53
 wks03.example.nil.	3600	IN	WKS	10.0.0.2 6 65535
 x2501.example.nil.	3600	IN	X25	"123456789"
 example.nil.		300	IN	SOA	ns1.example.nil. hostmaster.example.nil. 1 2000 2000 1814400 3600
-
--- a/bin/tests/system/nsupdate/ns1/example1.db
+++ b/bin/tests/system/nsupdate/ns1/example1.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: example1.db,v 1.5 2004/03/05 05:01:58 marka Exp $
+; $Id: example1.db,v 1.6 2004/11/23 05:23:39 marka Exp $

 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -24,9 +24,9 @@ example.nil		IN SOA	ns1.example.nil. hostmaster.example.nil. (
 				1814400    ; expire (3 weeks)
 				3600       ; minimum (1 hour)
 				)
-example.nil.		NS	ns2.example.nil.
+example.nil.		NS	ns1.example.nil.
 ns1.example.nil.	A	10.53.0.1
-example.nil.		NS	ns3.example.nil.
+example.nil.		NS	ns2.example.nil.
 ns2.example.nil.	A	10.53.0.2

 $ORIGIN example.nil.

--- a/bin/tests/system/sortlist/ns1/example.db
+++ b/bin/tests/system/sortlist/ns1/example.db
@@ -13,10 +13,10 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: example.db,v 1.4 2004/03/05 05:02:43 marka Exp $
+; $Id: example.db,v 1.5 2004/11/23 05:23:40 marka Exp $

 $TTL 300	; 5 minutes
-@			IN SOA	ns2.example. hostmaster.example. (
+@			IN SOA	ns1.example. hostmaster.example. (
 				2000042795 ; serial
 				20         ; refresh (20 seconds)
 				20         ; retry (20 seconds)
@@ -24,7 +24,7 @@ $TTL 300	; 5 minutes
 				3600       ; minimum (1 hour)
 				)
 example.		NS	ns1.example.
-ns2.example.		A	10.53.0.1
+ns1.example.		A	10.53.0.1

 ; Let's see what the sortlist picks out of this...
 a			A	1.1.1.1

--- a/bin/tests/system/views/ns2/example2.db
+++ b/bin/tests/system/views/ns2/example2.db
@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: example2.db,v 1.7 2004/03/05 05:03:48 marka Exp $
+; $Id: example2.db,v 1.8 2004/11/23 05:23:41 marka Exp $

 $ORIGIN .
 $TTL 300	; 5 minutes
@@ -25,7 +25,7 @@ example			IN SOA	mname1. . (
 				3600       ; minimum (1 hour)
 				)
 example.		NS	ns2.example.
-ns0.example.		A	10.53.0.4
+ns2.example.		A	10.53.0.4

 $ORIGIN example.
 a			A	10.0.0.1

--- a/bin/tests/system/xferquota/ns1/changing1.db
+++ b/bin/tests/system/xferquota/ns1/changing1.db
@@ -13,11 +13,11 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: changing1.db,v 1.7 2004/03/05 05:04:05 marka Exp $
+; $Id: changing1.db,v 1.8 2004/11/23 05:23:43 marka Exp $

 $TTL	600

-@               IN      SOA     dns.changing. postmaster.changing. (
+@               IN      SOA     dns1.changing. postmaster.changing. (
                        1               ;; serial
                        3600            ;; refresh period
                        1800            ;; retry interval

--- a/bin/tests/system/xferquota/ns1/changing2.db
+++ b/bin/tests/system/xferquota/ns1/changing2.db
@@ -13,11 +13,11 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.

-; $Id: changing2.db,v 1.7 2004/03/05 05:04:05 marka Exp $
+; $Id: changing2.db,v 1.8 2004/11/23 05:23:44 marka Exp $

 $TTL	600

-@               IN      SOA     dns.changing. postmaster.changing. (
+@               IN      SOA     dns1.changing. postmaster.changing. (
                        2               ;; serial
                        3600            ;; refresh period
                        1800            ;; retry interval

--- a/bin/tests/system/xferquota/ns2/named.conf
+++ b/bin/tests/system/xferquota/ns2/named.conf
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.19 2004/03/05 05:04:08 marka Exp $ */
+/* $Id: named.conf,v 1.20 2004/11/23 05:23:44 marka Exp $ */

 controls { /* empty */ };

@@ -28,7 +28,7 @@ options {
 	listen-on { 10.53.0.2; };
 	listen-on-v6 { none; };
 	recursion no;
-	notify yes;
+	notify no;

 	transfers-in 5;
 	transfers-per-ns 5;

--- a/bin/tests/system/xferquota/setup.pl
+++ b/bin/tests/system/xferquota/setup.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: setup.pl,v 1.11 2004/03/05 05:04:03 marka Exp $
+# $Id: setup.pl,v 1.12 2004/11/23 05:23:42 marka Exp $

 #
 # Set up test data for zone transfer quota tests.
@@ -32,9 +32,11 @@ for ($z = 0; $z < 300; $z++) {
    my $fn = "ns1/$zn.db";
    my $f = new FileHandle($fn, "w") or die "open: $fn: $!";
    print $f "\$TTL 300
-\@	IN SOA 	. . 1 300 120 3600 86400
+\@	IN SOA 	ns1 . 1 300 120 3600 86400
 	NS	ns1
 	NS	ns2
+ns1	A	10.53.0.1
+ns2	A	10.53.0.2
 	MX	10 mail1.isp.example.
 	MX	20 mail2.isp.example.
 www	A	10.0.0.1

--- a/bin/tests/system/xferquota/tests.sh
+++ b/bin/tests/system/xferquota/tests.sh
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: tests.sh,v 1.22 2004/03/10 01:06:06 marka Exp $
+# $Id: tests.sh,v 1.23 2004/11/23 05:23:42 marka Exp $

 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -55,7 +55,7 @@ grep ";" dig.out.ns2

 $PERL ../digcomp.pl dig.out.ns1 dig.out.ns2 || status=1

-sleep 5
+sleep 15

 $DIG +tcp +noadd +nosea +nostat +noquest +nocomm +nocmd \
 	a.changing. @10.53.0.1 a -p 5300 > dig.out.ns1 || status=1

--- a/bin/tests/system/zonechecks/a.db
+++ b/bin/tests/system/zonechecks/a.db
+; Copyright
+@	3600	IN SOA	ns hostmaster 1 3600 1200 604800 3600
+@	3600	IN NS	127.0.0.1
+127.0.0.1 3600	IN A	127.0.0.1
--- a/bin/tests/system/zonechecks/aaaa.db
+++ b/bin/tests/system/zonechecks/aaaa.db
+; Copyright
+@	3600	IN SOA	ns hostmaster 1 3600 1200 604800 3600
+@	3600	IN NS	::1
+::1	3600	IN AAAA	::1
--- a/bin/tests/system/zonechecks/clean.sh
+++ b/bin/tests/system/zonechecks/clean.sh
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001  Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.2 2004/11/23 05:23:45 marka Exp $
+
+rm -f *.out
--- a/bin/tests/system/zonechecks/cname.db
+++ b/bin/tests/system/zonechecks/cname.db
+; Copyright
+@	3600	IN SOA	ns hostmaster 1 3600 1200 604800 3600
+@	3600	IN NS	ns
+ns	3600	IN CNAME @
--- a/bin/tests/system/zonechecks/dname.db
+++ b/bin/tests/system/zonechecks/dname.db
+; Copyright
+@	3600	IN SOA	ns hostmaster 1 3600 1200 604800 3600
+@	3600	IN NS	ns
+@	3600	IN DNAME .
--- a/bin/tests/system/zonechecks/noaddress.db
+++ b/bin/tests/system/zonechecks/noaddress.db
+; Copyright
+@	3600	IN SOA	ns hostmaster 1 3600 1200 604800 3600
+@	3600	IN NS	ns
+ns	3600	IN TXT	this name has no address records
--- a/bin/tests/system/zonechecks/nxdomain.db
+++ b/bin/tests/system/zonechecks/nxdomain.db
+; Copyright
+@	3600	IN SOA	ns hostmaster 1 3600 1200 604800 3600
+@	3600	IN NS	ns
+; There are no records at all with the ownername of "ns".
--- a/bin/tests/system/zonechecks/tests.sh
+++ b/bin/tests/system/zonechecks/tests.sh
+#!/bin/sh
+#
+# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.2 2004/11/23 05:23:46 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+#
+echo "I: checking that we detect a NS which refers to a CNAME"
+if $CHECKZONE . cname.db > cname.out 2>&1
+then
+	echo "I:failed (status)"; status=1
+else
+	if grep "is a CNAME" cname.out > /dev/null
+	then
+		:
+	else
+		echo "I:failed (message)"; status=1
+	fi
+fi
+
+#
+echo "I: checking that we detect a NS which is below a DNAME"
+if $CHECKZONE . dname.db > dname.out 2>&1
+then
+	echo "I:failed (status)"; status=1
+else
+	if grep "is below a DNAME" dname.out > /dev/null
+	then
+		:
+	else
+		echo "I:failed (message)"; status=1
+	fi
+fi
+
+#
+echo "I: checking that we detect a NS which has no address records (A/AAAA)"
+if $CHECKZONE . noaddress.db > noaddress.out
+then
+	echo "I:failed (status)"; status=1
+else
+	if grep "has no address records" noaddress.out > /dev/null
+	then
+		:
+	else
+		echo "I:failed (message)"; status=1
+	fi
+fi
+
+#
+echo "I: checking that we detect a NS which has no records"
+if $CHECKZONE . nxdomain.db > nxdomain.out
+then
+	echo "I:failed (status)"; status=1
+else
+	if grep "has no address records" noaddress.out > /dev/null
+	then
+		:
+	else
+		echo "I:failed (message)"; status=1
+	fi
+fi
+
+#
+echo "I: checking that we detect a NS which looks like a A record (fail)"
+if $CHECKZONE -n fail . a.db > a.out 2>&1
+then
+	echo "I:failed (status)"; status=1
+else
+	if grep "appears to be an address" a.out > /dev/null
+	then
+		:
+	else
+		echo "I:failed (message)"; status=1
+	fi
+fi
+
+#
+echo "I: checking that we detect a NS which looks like a A record (warn=default)"
+if $CHECKZONE . a.db > a.out 2>&1
+then
+	if grep "appears to be an address" a.out > /dev/null
+	then
+		:
+	else
+		echo "I:failed (message)"; status=1
+	fi
+else
+	echo "I:failed (status)"; status=1
+fi
+
+#
+echo "I: checking that we detect a NS which looks like a A record (ignore)"
+if $CHECKZONE -n ignore . a.db > a.out 2>&1
+then
+	if grep "appears to be an address" a.out > /dev/null
+	then
+		echo "I:failed (message)"; status=1
+	else
+		:
+	fi
+else
+	echo "I:failed (status)"; status=1
+fi
+
+#
+echo "I: checking that we detect a NS which looks like a AAAA record (fail)"
+if $CHECKZONE -n fail . aaaa.db > aaaa.out 2>&1
+then
+	echo "I:failed (status)"; status=1
+else
+	if grep "appears to be an address" aaaa.out > /dev/null
+	then
+		:
+	else
+		echo "I:failed (message)"; status=1
+	fi
+fi
+
+#
+echo "I: checking that we detect a NS which looks like a AAAA record (warn=default)"
+if $CHECKZONE . aaaa.db > aaaa.out 2>&1
+then
+	if grep "appears to be an address" aaaa.out > /dev/null
+	then
+		:
+	else
+		echo "I:failed (message)"; status=1
+	fi
+else
+	echo "I:failed (status)"; status=1
+fi
+
+#
+echo "I: checking that we detect a NS which looks like a AAAA record (ignore)"
+if $CHECKZONE -n ignore . aaaa.db > aaaa.out 2>&1
+then
+	if grep "appears to be an address" aaaa.out > /dev/null
+	then
+		echo "I:failed (message)"; status=1
+	else
+		:
+	fi
+else
+	echo "I:failed (status)"; status=1
+fi
+echo "I:exit status: $status"
+exit $?
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: zone.c,v 1.424 2004/11/22 23:52:25 marka Exp $ */
+/* $Id: zone.c,v 1.425 2004/11/23 05:23:46 marka Exp $ */

 #include <config.h>

@@ -428,10 +428,11 @@ static void zonemgr_putio(dns_io_t **iop);
 static void zonemgr_cancelio(dns_io_t *io);

 static isc_result_t
-zone_get_from_db(dns_db_t *db, dns_name_t *origin, unsigned int *nscount,
+zone_get_from_db(dns_zone_t *zone, dns_db_t *db, unsigned int *nscount,
 		 unsigned int *soacount, isc_uint32_t *serial,
 		 isc_uint32_t *refresh, isc_uint32_t *retry,
-		 isc_uint32_t *expire, isc_uint32_t *minimum);
+		 isc_uint32_t *expire, isc_uint32_t *minimum,
+		 unsigned int *cnames);

 static void zone_freedbargs(dns_zone_t *zone);
 static void forward_callback(isc_task_t *task, isc_event_t *event);
@@ -1247,6 +1248,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 {
 	unsigned int soacount = 0;
 	unsigned int nscount = 0;
+	unsigned int cnames = 0;
 	isc_uint32_t serial, refresh, retry, expire, minimum;
 	isc_time_t now;
 	isc_boolean_t needdump = ISC_FALSE;
@@ -1321,14 +1323,12 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	}

 	/*
-	 * Obtain ns and soa counts for top of zone.
+	 * Obtain ns, soa and cname counts for top of zone.
 	 */
-	nscount = 0;
-	soacount = 0;
 	INSIST(db != NULL);
-	result = zone_get_from_db(db, &zone->origin, &nscount,
-				  &soacount, &serial, &refresh, &retry,
-				  &expire, &minimum);
+	result = zone_get_from_db(zone, db, &nscount, &soacount, &serial,
+				  &refresh, &retry, &expire, &minimum,
+				  &cnames);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
 			     "could not find NS and/or SOA records");
@@ -1355,6 +1355,10 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 		}
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
+		if (zone->type == dns_zone_master && cnames != 0) {
+			result = DNS_R_BADZONE;
+			goto cleanup;
+		}
 		if (zone->db != NULL) {
 			if (!isc_serial_ge(serial, zone->serial)) {
 				dns_zone_log(zone, ISC_LOG_ERROR,
@@ -1402,7 +1406,6 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 		goto cleanup;
 	}

-
 #if 0
 	/* destroy notification example. */
 	{
@@ -1471,36 +1474,104 @@ exit_check(dns_zone_t *zone) {
 	return (ISC_FALSE);
 }

+static isc_boolean_t
+zone_check_ns(dns_zone_t *zone, dns_db_t *db, dns_name_t *name) {
+	isc_result_t result;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char altbuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *foundname;
+	int level;
+	
+	if (zone->type == dns_zone_master)
+		level = ISC_LOG_ERROR;
+	else
+		level = ISC_LOG_WARNING;
+
+	dns_fixedname_init(&fixed);
+	foundname = dns_fixedname_name(&fixed);
+
+	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+			     0, 0, NULL, foundname, NULL, NULL);
+	if (result == ISC_R_SUCCESS)
+		return (ISC_TRUE);
+
+	if (result == DNS_R_NXRRSET) {
+		result = dns_db_find(db, name, NULL, dns_rdatatype_aaaa,
+				     0, 0, NULL, foundname, NULL, NULL);
+		if (result == ISC_R_SUCCESS)
+			return (ISC_TRUE);
+	}
+
+	dns_name_format(name, namebuf, sizeof namebuf);
+	if (result == DNS_R_NXRRSET || result == DNS_R_NXDOMAIN) {
+		dns_zone_log(zone, level,
+			     "NS '%s' has no address records (A or AAAA)",
+			     namebuf);
+		return (ISC_FALSE);
+	}
+
+	if (result == DNS_R_CNAME) {
+		dns_zone_log(zone, level, "NS '%s' is a CNAME (illegal)",
+			     namebuf);
+		return (ISC_FALSE);
+	}
+
+	if (result == DNS_R_DNAME) {
+		dns_name_format(foundname, altbuf, sizeof altbuf);
+		dns_zone_log(zone, level,
+			     "NS '%s' is below a DNAME '%s' (illegal)",
+			     namebuf, altbuf);
+		return (ISC_FALSE);
+	}
+
+	return (ISC_TRUE);
+}
+
 static isc_result_t