Commit 8d923a05 authored by Evan Hunt's avatar Evan Hunt
Browse files

ensure that we attempt to validate glue if it's signed

- incidentally fixed a bug in the dnssec system test where TTLs in the
  answer section rather than the additional section were being checked
parent 4aecd153
......@@ -18,6 +18,7 @@ n=1
rm -f dig.out.*
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
ADDITIONALOPTS="+noall +additional +dnssec -p ${PORT}"
ANSWEROPTS="+noall +answer +dnssec -p ${PORT}"
DELVOPTS="-a ns1/trusted.conf -p ${PORT}"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
......@@ -2767,12 +2768,30 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section ($n)"
echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)"
ret=0
$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
sleep 1
$DIG $ANSWEROPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
$DIG $ANSWEROPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
$DIG $ADDITIONALOPTS +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n
$DIG $ADDITIONALOPTS expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
for ttl in ${ttls:-300}; do
[ ${ttl:-0} -eq 300 ] || ret=1
done
for ttl in ${ttls2:-0}; do
[ ${ttl:-0} -le 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)"
ret=0
$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
sleep 1
$DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
$DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
for ttl in ${ttls:-300}; do
......
......@@ -1882,12 +1882,19 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
} else if (result == ISC_R_SUCCESS) {
isc_boolean_t invalid = ISC_FALSE;
mname = NULL;
have_a = ISC_TRUE;
if (additionaltype == dns_rdatasetadditional_fromcache &&
DNS_TRUST_PENDING(rdataset->trust) &&
!validate(client, db, fname, rdataset, sigrdataset))
if (additionaltype ==
dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)))
{
/* validate() may change rdataset->trust */
invalid = ISC_TF(!!validate(client, db, fname,
rdataset, sigrdataset));
}
if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
dns_rdataset_disassociate(rdataset);
if (sigrdataset != NULL &&
dns_rdataset_isassociated(sigrdataset))
......@@ -1896,7 +1903,8 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdatatype_a, &mname)) {
if (mname != fname) {
if (mname != NULL) {
query_releasename(client, &fname);
query_releasename(client,
&fname);
fname = mname;
} else
need_addname = ISC_TRUE;
......@@ -1938,6 +1946,7 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
} else if (result == ISC_R_SUCCESS) {
isc_boolean_t invalid = ISC_FALSE;
mname = NULL;
/*
* There's an A; check whether we're filtering AAAA
......@@ -1948,10 +1957,17 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
(!WANTDNSSEC(client) || sigrdataset == NULL ||
!dns_rdataset_isassociated(sigrdataset)))))
goto addname;
if (additionaltype == dns_rdatasetadditional_fromcache &&
DNS_TRUST_PENDING(rdataset->trust) &&
!validate(client, db, fname, rdataset, sigrdataset))
if (additionaltype ==
dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)))
{
/* validate() may change rdataset->trust */
invalid = ISC_TF(!!validate(client, db, fname,
rdataset, sigrdataset));
}
if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
dns_rdataset_disassociate(rdataset);
if (sigrdataset != NULL &&
dns_rdataset_isassociated(sigrdataset))
......@@ -1960,7 +1976,8 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdatatype_aaaa, &mname)) {
if (mname != fname) {
if (mname != NULL) {
query_releasename(client, &fname);
query_releasename(client,
&fname);
fname = mname;
} else
need_addname = ISC_TRUE;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment