Commit 840d6a46 authored by Mark Andrews's avatar Mark Andrews

3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917

parent 251be6e9
3925. [bug] DS lookup of RFC 1918 empty zones failed. [RT #36917]
3924. [bug] Improve 'rndc addzone' error reporting. [RT #35187]
3923. [bug] Sanity check the xml2-config output. [RT #22246]
......
......@@ -27,6 +27,7 @@ rm -f ns2/private.secure.example.db
rm -f ns2/badparam.db ns2/badparam.db.bad
rm -f ns2/single-nsec3.db
rm -f ns2/nsec3chain-test.db
rm -f ns2/in-addr.arpa.db
rm -f */example.bk
rm -f dig.out.*
rm -f rndc.out.*
......
......@@ -34,3 +34,4 @@ algroll NS ns2.algroll
ns2.algroll. A 10.53.0.2
optout-tld NS ns6.optout-tld.
ns6.optout-tld. A 10.53.0.6
in-addr.arpa. NS ns2.example.
......@@ -28,6 +28,8 @@ zonefile=root.db
cp ../ns2/dsset-example. .
cp ../ns2/dsset-dlv. .
cp ../ns2/dsset-in-addr.arpa. .
grep "8 [12] " ../ns2/dsset-algroll. > dsset-algroll.
cp ../ns6/dsset-optout-tld. .
......
$TTL 3600
@ SOA ns2.example. . 1 3600 1200 86400 1200
@ NS ns2.example.
;
; As we are testing empty zone behaviour ns3 doesn't need to be
; configured to serve 10.in-addr.arpa.
;
10 NS ns3.example.
......@@ -102,4 +102,9 @@ zone "nsec3chain-test" {
allow-update {any;};
};
zone "in-addr.arpa" {
type master;
file "in-addr.arpa.db.signed";
};
include "trusted.conf";
......@@ -87,6 +87,18 @@ tolower($1) == "bad-dname.example." && $4 == "RRSIG" && $5 == "DNAME" {
{ print; }' > $zonefile.signed++ && mv $zonefile.signed++ $zonefile.signed
#
# signed in-addr.arpa w/ a delegation for 10.in-addr.arpa which is unsigned.
#
zone=in-addr.arpa.
infile=in-addr.arpa.db.in
zonefile=in-addr.arpa.db
keyname1=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
keyname2=`$KEYGEN -q -r $RANDFILE -a DSA -b 768 -n zone $zone`
cat $infile $keyname1.key $keyname2.key >$zonefile
$SIGNER -P -g -r $RANDFILE -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
# Sign the privately secure file
......
......@@ -1854,6 +1854,16 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking that DS at a RFC 1918 empty zone lookup succeeds ($n)"
ret=0
$DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.2 >dig.out.ns2.test$n || ret=1
$DIG $DIGOPTS +noauth 10.in-addr.arpa ds @10.53.0.6 >dig.out.ns6.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns6.test$n || ret=1
grep "status: NOERROR" dig.out.ns6.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking expired signatures remain with "'"allow-update { none; };"'" and no keys available ($n)"
ret=0
$DIG $DIGOPTS +noauth expired.example. +dnssec @10.53.0.3 soa > dig.out.ns3.test$n || ret=1
......
......@@ -1207,6 +1207,7 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
dns_name_t *zfname;
dns_rdataset_t zrdataset, zsigrdataset;
dns_fixedname_t zfixedname;
unsigned int ztoptions = 0;
REQUIRE(DNS_VIEW_VALID(view));
REQUIRE(view->frozen);
......@@ -1228,9 +1229,12 @@ dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
*/
zone = NULL;
LOCK(&view->lock);
if (view->zonetable != NULL)
result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
else
if (view->zonetable != NULL) {
if ((options & DNS_DBFIND_NOEXACT) != 0)
ztoptions |= DNS_ZTFIND_NOEXACT;
result = dns_zt_find(view->zonetable, name, ztoptions,
NULL, &zone);
} else
result = ISC_R_NOTFOUND;
UNLOCK(&view->lock);
if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment