Commit 8da265c2 authored by Evan Hunt's avatar Evan Hunt

Merge branch 'validate-glue' into v9_11

parents ae0692ff 7a00ce2e
4968. [bug] If glue records are signed, attempt to validate them.
[GL #209]
4966. [func] Add the ability to not return a DNS COOKIE option 4966. [func] Add the ability to not return a DNS COOKIE option
when one is present in the request (answer-cookie no;). when one is present in the request (answer-cookie no;).
[GL #173] [GL #173]
......
...@@ -5,11 +5,14 @@ ...@@ -5,11 +5,14 @@
static char xslmsg[] = static char xslmsg[] =
"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
"<!--\n" "<!--\n"
" - Copyright (C) 2006-2009, 2012-2016 Internet Systems Consortium, Inc. (\"ISC\")\n" " - Copyright (C) Internet Systems Consortium, Inc. (\"ISC\")\n"
" -\n" " -\n"
" - This Source Code Form is subject to the terms of the Mozilla Public\n" " - This Source Code Form is subject to the terms of the Mozilla Public\n"
" - License, v. 2.0. If a copy of the MPL was not distributed with this\n" " - License, v. 2.0. If a copy of the MPL was not distributed with this\n"
" - file, You can obtain one at http://mozilla.org/MPL/2.0/.\n" " - file, You can obtain one at http://mozilla.org/MPL/2.0/.\n"
" -\n"
" - See the COPYRIGHT file distributed with this work for additional\n"
" - information regarding copyright ownership.\n"
"-->\n" "-->\n"
"\n" "\n"
"<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n" "<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
......
...@@ -1632,18 +1632,18 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { ...@@ -1632,18 +1632,18 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (additionaltype == if (additionaltype ==
dns_rdatasetadditional_fromcache && dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) || (DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) && DNS_TRUST_GLUE(rdataset->trust)))
!validate(client, db, fname, rdataset, sigrdataset))
{ {
invalid = ISC_TRUE; /* validate() may change rdataset->trust */
invalid = ISC_TF(!validate(client, db, fname,
rdataset,
sigrdataset));
} }
if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
dns_rdataset_disassociate(rdataset); dns_rdataset_disassociate(rdataset);
if (sigrdataset != NULL && if (sigrdataset != NULL &&
dns_rdataset_isassociated(sigrdataset)) dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset); dns_rdataset_disassociate(sigrdataset);
/* treat as if not found */
} else if (!query_isduplicate(client, fname, } else if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) dns_rdatatype_a, &mname))
{ {
...@@ -1709,18 +1709,18 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { ...@@ -1709,18 +1709,18 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (additionaltype == if (additionaltype ==
dns_rdatasetadditional_fromcache && dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) || (DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) && DNS_TRUST_GLUE(rdataset->trust)))
!validate(client, db, fname, rdataset, sigrdataset))
{ {
invalid = ISC_TRUE; /* validate() may change rdataset->trust */
invalid = ISC_TF(!validate(client, db, fname,
rdataset,
sigrdataset));
} }
if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
dns_rdataset_disassociate(rdataset); dns_rdataset_disassociate(rdataset);
if (sigrdataset != NULL && if (sigrdataset != NULL &&
dns_rdataset_isassociated(sigrdataset)) dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset); dns_rdataset_disassociate(sigrdataset);
/* treat as if not found */
} else if (!query_isduplicate(client, fname, } else if (!query_isduplicate(client, fname,
dns_rdatatype_aaaa, &mname)) dns_rdatatype_aaaa, &mname))
{ {
...@@ -2185,10 +2185,10 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { ...@@ -2185,10 +2185,10 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (result == ISC_R_SUCCESS && if (result == ISC_R_SUCCESS &&
additionaltype == dns_rdatasetadditional_fromcache && additionaltype == dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) || (DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) && DNS_TRUST_GLUE(rdataset->trust)))
!validate(client, db, fname, rdataset, sigrdataset))
{ {
invalid = ISC_TRUE; invalid = ISC_TF(!validate(client, db, fname,
rdataset, sigrdataset));
} }
if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
dns_rdataset_disassociate(rdataset); dns_rdataset_disassociate(rdataset);
...@@ -2233,10 +2233,10 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { ...@@ -2233,10 +2233,10 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (result == ISC_R_SUCCESS && if (result == ISC_R_SUCCESS &&
additionaltype == dns_rdatasetadditional_fromcache && additionaltype == dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) || (DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) && DNS_TRUST_GLUE(rdataset->trust)))
!validate(client, db, fname, rdataset, sigrdataset))
{ {
invalid = ISC_TRUE; invalid = ISC_TF(!validate(client, db, fname,
rdataset, sigrdataset));
} }
if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
dns_rdataset_disassociate(rdataset); dns_rdataset_disassociate(rdataset);
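Review bot: The comment `/* validate() may change rdataset->trust */` that explains why the assignment was pulled out of the condition appears only in the two query_addadditional() hunks (A and AAAA); the query_addadditional2() hunks at -2185 and -2233 carry the identical restructuring with no comment. The reason matters in all four places: the following `if (invalid && DNS_TRUST_PENDING(rdataset->trust))` re-reads a trust level that validate() may have just altered, so a record whose validation failed but whose trust is no longer pending now falls through to the query_isduplicate() branch instead of being disassociated, and that is not obvious from the condition alone. Carry the same one-line comment into both query_addadditional2() hunks. Note also that `invalid = ISC_TF(!validate(...))` overwrites rather than ORs into `invalid`; the old `invalid = ISC_TRUE` form could not clear a value already set on entry, so it is worth confirming that `invalid` is initialised to ISC_FALSE immediately before this block (its declaration and initialisation are outside the hunk). Both functions start and end outside the hunks shown.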
......
...@@ -18,6 +18,7 @@ n=1 ...@@ -18,6 +18,7 @@ n=1
rm -f dig.out.* rm -f dig.out.*
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}" DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
ADDITIONALOPTS="+noall +additional +dnssec -p ${PORT}"
ANSWEROPTS="+noall +answer +dnssec -p ${PORT}" ANSWEROPTS="+noall +answer +dnssec -p ${PORT}"
DELVOPTS="-a ns1/trusted.conf -p ${PORT}" DELVOPTS="-a ns1/trusted.conf -p ${PORT}"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s" RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
...@@ -2780,12 +2781,30 @@ n=`expr $n + 1` ...@@ -2780,12 +2781,30 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section ($n)" echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)"
ret=0 ret=0
$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i $RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
sleep 1 sleep 1
$DIG $ANSWEROPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n $DIG $ADDITIONALOPTS +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n
$DIG $ANSWEROPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n $DIG $ADDITIONALOPTS expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
for ttl in ${ttls:-300}; do
[ ${ttl:-0} -eq 300 ] || ret=1
done
for ttl in ${ttls2:-0}; do
[ ${ttl:-0} -le 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)"
ret=0
$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
sleep 1
$DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
$DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
for ttl in ${ttls:-300}; do for ttl in ${ttls:-300}; do
...@@ -2842,8 +2861,8 @@ sleep 3 ...@@ -2842,8 +2861,8 @@ sleep 3
echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)" echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
ret=0 ret=0
$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i $RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
$DIG $ANSWEROPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n $DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
$DIG $ANSWEROPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n $DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
for ttl in ${ttls:-300}; do for ttl in ${ttls:-300}; do
...@@ -2858,9 +2877,9 @@ status=`expr $status + $ret` ...@@ -2858,9 +2877,9 @@ status=`expr $status + $ret`
echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with acache off; ($n)" echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with acache off; ($n)"
ret=0 ret=0
$RNDCCMD 10.53.0.4 flush $RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
$DIG $DIGOPTS +noall +additional +dnssec +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n $DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
$DIG $DIGOPTS +noall +additional +dnssec expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n $DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n` ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n` ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
for ttl in ${ttls:-300}; do for ttl in ${ttls:-300}; do
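Review bot: The TTL loops in the new NS check, and the MX check copied from it, pass vacuously when dig returns no additional records: `ttls` is then empty, `${ttls:-300}` substitutes exactly the value the first loop accepts, and `${ttls2:-0}` likewise satisfies `-le 60`. Since the purpose of the change is that signed glue is now validated and returned in the additional section, an empty additional section is precisely the regression these tests should catch. Add `[ -n "$ttls" ] || ret=1` and `[ -n "$ttls2" ] || ret=1` directly after the two awk lines so that the `:-` defaults only guard the per-element arithmetic; the same applies to the two tests re-pointed at `$ADDITIONALOPTS` in the -2842 and -2858 hunks.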
......
...@@ -9831,7 +9831,7 @@ zone_refreshkeys(dns_zone_t *zone) { ...@@ -9831,7 +9831,7 @@ zone_refreshkeys(dns_zone_t *zone) {
*/ */
#ifdef ENABLE_AFL #ifdef ENABLE_AFL
if (dns_fuzzing_resolver == ISC_FALSE) { if (dns_fuzzing_resolver == ISC_FALSE) {
#endif #endif
result = dns_resolver_createfetch(zone->view->resolver, result = dns_resolver_createfetch(zone->view->resolver,
kname, dns_rdatatype_dnskey, kname, dns_rdatatype_dnskey,
...@@ -9845,9 +9845,9 @@ zone_refreshkeys(dns_zone_t *zone) { ...@@ -9845,9 +9845,9 @@ zone_refreshkeys(dns_zone_t *zone) {
&kfetch->dnskeysigset, &kfetch->dnskeysigset,
&kfetch->fetch); &kfetch->fetch);
#ifdef ENABLE_AFL #ifdef ENABLE_AFL
} else { } else {
result = ISC_R_FAILURE; result = ISC_R_FAILURE;
} }
#endif #endif
if (result == ISC_R_SUCCESS) if (result == ISC_R_SUCCESS)
fetching = ISC_TRUE; fetching = ISC_TRUE;
......
...@@ -636,8 +636,8 @@ cfg_parse_buffer3(cfg_parser_t *pctx, isc_buffer_t *buffer, ...@@ -636,8 +636,8 @@ cfg_parse_buffer3(cfg_parser_t *pctx, isc_buffer_t *buffer,
isc_result_t isc_result_t
cfg_parse_buffer4(cfg_parser_t *pctx, isc_buffer_t *buffer, cfg_parse_buffer4(cfg_parser_t *pctx, isc_buffer_t *buffer,
const char *file, unsigned int line, const char *file, unsigned int line,
const cfg_type_t *type, unsigned int flags, const cfg_type_t *type, unsigned int flags,
cfg_obj_t **ret) cfg_obj_t **ret)
{ {
isc_result_t result; isc_result_t result;
...@@ -1728,19 +1728,19 @@ cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) ...@@ -1728,19 +1728,19 @@ cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
(clause->flags & CFG_CLAUSEFLAG_DEPRECATED) != 0) (clause->flags & CFG_CLAUSEFLAG_DEPRECATED) != 0)
{ {
cfg_parser_warning(pctx, 0, "option '%s' is deprecated", cfg_parser_warning(pctx, 0, "option '%s' is deprecated",
clause->name); clause->name);
} }
if ((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) { if ((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) {
cfg_parser_warning(pctx, 0, "option '%s' is obsolete", cfg_parser_warning(pctx, 0, "option '%s' is obsolete",
clause->name); clause->name);
} }
if ((clause->flags & CFG_CLAUSEFLAG_NOTIMP) != 0) { if ((clause->flags & CFG_CLAUSEFLAG_NOTIMP) != 0) {
cfg_parser_warning(pctx, 0, "option '%s' is " cfg_parser_warning(pctx, 0, "option '%s' is "
"not implemented", clause->name); "not implemented", clause->name);
} }
if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) { if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) {
cfg_parser_warning(pctx, 0, "option '%s' is " cfg_parser_warning(pctx, 0, "option '%s' is "
"not implemented", clause->name); "not implemented", clause->name);
} }
if ((clause->flags & CFG_CLAUSEFLAG_NOOP) != 0) { if ((clause->flags & CFG_CLAUSEFLAG_NOOP) != 0) {
cfg_parser_warning(pctx, 0, "option '%s' was not " cfg_parser_warning(pctx, 0, "option '%s' was not "
......