Commit 7f60bb39 authored by Witold Krecicki's avatar Witold Krecicki Committed by Witold Krecicki

Don't synthesize NXDOMAIN from NSEC for records under a DNAME

parent cd0e7df6
4988. [bug] Don't synthesize NXDOMAIN from NSEC for records under
a DNAME.
--- 9.13.2 released ---
 
4987. [cleanup] dns_rdataslab_tordataset() and its related
......
......@@ -16,6 +16,8 @@ rm -f ns1/K*+*+*.private
rm -f ns1/dsset-*
rm -f ns1/example.db
rm -f ns1/example.db.signed
rm -f ns1/dnamed.db
rm -f ns1/dnamed.db.signed
rm -f ns1/root.db
rm -f ns1/root.db.signed
rm -f ns1/trusted.conf
......
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ SOA ns1 hostmaster 1 3600 1200 604800 3600
@ NS ns1
ns1 A 10.53.0.1
a A 10.53.0.1
......@@ -14,3 +14,4 @@ ns1 A 10.53.0.1
nodata TXT nodata
*.wild-a A 1.2.3.4
*.wild-cname CNAME ns1
dnamed DNAME dnamed.
......@@ -35,4 +35,9 @@ zone "example" {
file "example.db.signed";
};
zone "dnamed" {
type master;
file "dnamed.db.signed";
};
include "trusted.conf";
......@@ -13,3 +13,5 @@ $TTL 3600
ns1 A 10.53.0.1
example NS ns1.example
ns1.example A 10.53.0.1
dnamed NS ns1.dnamed
ns1.dnamed A 10.53.0.1
......@@ -21,6 +21,15 @@ cat $infile $keyname.key > $zonefile
$SIGNER -P -o $zone $zonefile > /dev/null
zone=dnamed
infile=dnamed.db.in
zonefile=dnamed.db
keyname=`$KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone`
cat $infile $keyname.key > $zonefile
$SIGNER -P -o $zone $zonefile > /dev/null
zone=.
infile=root.db.in
zonefile=root.db
......
......@@ -182,5 +182,15 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)"
ret=0
$DIG $DIGOPTS dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1
$DIG $DIGOPTS a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
grep "status: NOERROR," dig.out.ns5-1.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
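Review bot: The first query in the new DNAME check (`dnamed.example. ns`) is verified only through dig's exit status, and its output file `dig.out.ns5.test$n` is never inspected. That query presumably exists to load the NSEC at the DNAME owner into ns5's cache; if it returns SERVFAIL or carries no NSEC, the second query still gets NOERROR through ordinary resolution and the test passes without exercising the synthesis path. Add `grep "status: NOERROR," dig.out.ns5.test$n > /dev/null || ret=1` after the first dig, and a one-line comment such as `# prime the cache with the NSEC at the DNAME owner` so the purpose of the unchecked query is clear. Checking the second answer for the redirected A record, not just the status line, would also pin the expected result more tightly.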
......@@ -374,12 +374,14 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
}
if (relation == dns_namereln_subdomain &&
dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
(dns_nsec_typepresent(&rdata, dns_rdatatype_dname) ||
dns_nsec_typepresent(&rdata, dns_rdatatype_ns)) &&
!dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
{
/*
* This NSEC record is from somewhere higher in
* the DNS, and at the parent of a delegation.
* the DNS, and at the parent of a delegation or
* at a DNAME.
* It can not be legitimately used here.
*/
(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
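Review bot: The `!dns_nsec_typepresent(&rdata, dns_rdatatype_soa)` guard in this condition now applies to the DNAME case too, so an NSEC owned by a zone apex that carries both SOA and DNAME would still be accepted as proof of non-existence for names below it. The SOA test separates the parent side of a delegation from the child apex, which only matters for NS; a DNAME redirects everything beneath its owner whether or not SOA is present, and RFC 6672 asks validators to check that the DNAME bit is not set on an NSEC used in a name-error proof. If apex DNAMEs are in scope, group the test as `(dns_nsec_typepresent(&rdata, dns_rdatatype_dname) || (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) && !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)))`. The debug text `"ignoring parent nsec"` is also no longer accurate for the DNAME branch; a distinct message would make a wrongly synthesized or wrongly ignored answer easier to trace in resolver logs. The body of dns_nsec_noexistnodata starts and ends outside this hunk, so the return path after the log call is assumed unchanged.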
......
......@@ -2188,6 +2188,7 @@
./bin/tests/system/stub/setup.sh SH 2018
./bin/tests/system/stub/tests.sh SH 2000,2001,2004,2007,2011,2012,2013,2016,2018
./bin/tests/system/synthfromdnssec/clean.sh SH 2017,2018
./bin/tests/system/synthfromdnssec/ns1/dnamed.db.in ZONE 2018
./bin/tests/system/synthfromdnssec/ns1/example.db.in ZONE 2017,2018
./bin/tests/system/synthfromdnssec/ns1/named.conf.in CONF-C 2017,2018
./bin/tests/system/synthfromdnssec/ns1/root.db.in ZONE 2017,2018
......