Commit 93143fd8 authored by Evan Hunt's avatar Evan Hunt

3273. [bug] AAAA responses could be returned in the additional

                        section even when filter-aaaa-on-v4 was in use.
                        [RT #27292]
parent f26d91eb
3273. [bug] AAAA responses could be returned in the additional
section even when filter-aaaa-on-v4 was in use.
[RT #27292]
3272. [func] New "rndc zonestatus" command prints information
about the specified zone. [RT #21671]
3271. [port] darwin: mksymtbl is not always stable, loop several
times before giving up. mksymtbl was using non
portable perl to covert 64 bit hex strings. [RT #27653]
3271. [func] New "rndc zonestatus" command prints information
about the specified zone. [RT #21671]
--- 9.9.0rc2 released ---
3270. [bug] "rndc reload" didn't reuse existing zones correctly
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: client.c,v 1.284 2011/11/09 22:05:09 each Exp $ */
/* $Id: client.c,v 1.285 2012/01/31 06:58:38 each Exp $ */
#include <config.h>
......@@ -929,6 +929,15 @@ ns_client_send(ns_client_t *client) {
render_opts = 0;
else
render_opts = DNS_MESSAGERENDER_OMITDNSSEC;
preferred_glue = 0;
if (client->view != NULL) {
if (client->view->preferred_glue == dns_rdatatype_a)
preferred_glue = DNS_MESSAGERENDER_PREFER_A;
else if (client->view->preferred_glue == dns_rdatatype_aaaa)
preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
}
#ifdef ALLOW_FILTER_AAAA_ON_V4
/*
* filter-aaaa-on-v4 yes or break-dnssec option to suppress
......@@ -937,17 +946,15 @@ ns_client_send(ns_client_t *client) {
* that we have both AAAA and A records,
* and that we either have no signatures that the client wants
* or we are supposed to break DNSSEC.
*
* Override preferred glue if necessary.
*/
if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0)
if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0) {
render_opts |= DNS_MESSAGERENDER_FILTER_AAAA;
#endif
preferred_glue = 0;
if (client->view != NULL) {
if (client->view->preferred_glue == dns_rdatatype_a)
if (preferred_glue == DNS_MESSAGERENDER_PREFER_AAAA)
preferred_glue = DNS_MESSAGERENDER_PREFER_A;
else if (client->view->preferred_glue == dns_rdatatype_aaaa)
preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
}
#endif
/*
* XXXRTH The following doesn't deal with TCP buffer resizing.
......@@ -2110,6 +2117,9 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
client->recursionquota = NULL;
client->interface = NULL;
client->peeraddr_valid = ISC_FALSE;
#ifdef ALLOW_FILTER_AAAA_ON_V4
client->filter_aaaa = dns_v4_aaaa_ok;
#endif
ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
NS_EVENT_CLIENTCONTROL, client_start, client, client,
NULL, NULL);
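Review bot: client_create initializes `client->filter_aaaa = dns_v4_aaaa_ok;` only once, at allocation; the per-query value is assigned in query.c's query_find, so any query path that returns before that assignment would leave a reused client carrying the previous query's setting. If ns_client objects are recycled between queries (this page does not show the per-query reset path), `filter_aaaa` should also be reset to `dns_v4_aaaa_ok` where `NS_CLIENTATTR_FILTER_AAAA` and the other per-query attributes are cleared, so the additional-section filtering in query_addadditional never runs on stale state. In the ns_client_send hunk, the demotion `if (preferred_glue == DNS_MESSAGERENDER_PREFER_AAAA) preferred_glue = DNS_MESSAGERENDER_PREFER_A;` covers only that one case; a one-line comment explaining why an unset or PREFER_A value needs no change when filtering is on would help the next reader. Both ns_client_send and client_create begin and end outside the hunks shown.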
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: client.h,v 1.94 2011/10/11 23:46:44 tbox Exp $ */
/* $Id: client.h,v 1.95 2012/01/31 06:58:38 each Exp $ */
#ifndef NAMED_CLIENT_H
#define NAMED_CLIENT_H 1
......@@ -141,6 +141,9 @@ struct ns_client {
isc_netaddr_t destaddr;
struct in6_pktinfo pktinfo;
isc_event_t ctlevent;
#ifdef ALLOW_FILTER_AAAA_ON_V4
dns_v4_aaaa_t filter_aaaa;
#endif
/*%
* Information about recent FORMERR response(s), for
* FORMERR loop avoidance. This is separate for each
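Review bot: The new `dns_v4_aaaa_t filter_aaaa;` member has no description, while neighbouring members of this struct carry `/*% ... */` comments (the FORMERR block immediately below it). Since query_find in query.c writes it per query — the view's v4_aaaa setting when the client is an IPv4 client matching the view's v4_aaaa_acl, dns_v4_aaaa_ok otherwise — a comment such as `/*% filter-aaaa-on-v4 mode in effect for the current query; dns_v4_aaaa_ok unless the client is an IPv4 client matching the view's v4_aaaa_acl. Set in query_find(). */` would record that contract next to the field. struct ns_client begins and ends outside the hunk.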
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: query.c,v 1.381 2012/01/07 00:19:59 each Exp $ */
/* $Id: query.c,v 1.382 2012/01/31 06:58:38 each Exp $ */
/*! \file */
......@@ -1352,6 +1352,10 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
if (qtype == dns_rdatatype_a) {
#ifdef ALLOW_FILTER_AAAA_ON_V4
isc_boolean_t have_a = ISC_FALSE;
#endif
/*
* We now go looking for A and AAAA records, along with
* their signatures.
......@@ -1390,6 +1394,9 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
if (result == ISC_R_SUCCESS) {
mname = NULL;
#ifdef ALLOW_FILTER_AAAA_ON_V4
have_a = ISC_TRUE;
#endif
if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) {
if (mname != NULL) {
......@@ -1436,6 +1443,17 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
}
if (result == ISC_R_SUCCESS) {
mname = NULL;
/*
* There's an A; check whether we're filtering AAAA
*/
#ifdef ALLOW_FILTER_AAAA_ON_V4
if (have_a &&
(client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
(client->filter_aaaa == dns_v4_aaaa_filter &&
(!WANTDNSSEC(client) || sigrdataset == NULL ||
!dns_rdataset_isassociated(sigrdataset)))))
goto addname;
#endif
if (!query_isduplicate(client, fname,
dns_rdatatype_aaaa, &mname)) {
if (mname != NULL) {
......@@ -6638,9 +6656,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
need_wildcardproof = ISC_TRUE;
}
#ifdef ALLOW_FILTER_AAAA_ON_V4
if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
is_v4_client(client) &&
ns_client_checkaclsilent(client, NULL,
client->view->v4_aaaa_acl,
ISC_TRUE) == ISC_R_SUCCESS)
client->filter_aaaa = client->view->v4_aaaa;
else
client->filter_aaaa = dns_v4_aaaa_ok;
#endif
if (type == dns_rdatatype_any) {
#ifdef ALLOW_FILTER_AAAA_ON_V4
isc_boolean_t have_aaaa, have_a, have_sig, filter_aaaa;
isc_boolean_t have_aaaa, have_a, have_sig;
/*
* The filter-aaaa-on-v4 option should
......@@ -6652,14 +6682,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
have_aaaa = ISC_FALSE;
have_a = !authoritative;
have_sig = ISC_FALSE;
if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
is_v4_client(client) &&
ns_client_checkaclsilent(client, NULL,
client->view->v4_aaaa_acl,
ISC_TRUE) == ISC_R_SUCCESS)
filter_aaaa = ISC_TRUE;
else
filter_aaaa = ISC_FALSE;
#endif
/*
* XXXRTH Need to handle zonecuts with special case
......@@ -6694,7 +6716,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* Notice the presence of A and AAAAs so
* that AAAAs can be hidden from IPv4 clients.
*/
if (filter_aaaa) {
if (client->filter_aaaa != dns_v4_aaaa_ok) {
if (rdataset->type == dns_rdatatype_aaaa)
have_aaaa = ISC_TRUE;
else if (rdataset->type == dns_rdatatype_a)
......@@ -6751,9 +6773,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* Filter AAAAs if there is an A and there is no signature
* or we are supposed to break DNSSEC.
*/
if (filter_aaaa && have_aaaa && have_a &&
(!have_sig || !WANTDNSSEC(client) ||
client->view->v4_aaaa == dns_v4_aaaa_break_dnssec))
if (client->filter_aaaa == dns_v4_aaaa_break_dnssec)
client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
else if (client->filter_aaaa != dns_v4_aaaa_ok &&
have_aaaa && have_a &&
(!have_sig || !WANTDNSSEC(client)))
client->attributes |= NS_CLIENTATTR_FILTER_AAAA;
#endif
if (fname != NULL)
......@@ -6815,15 +6839,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
* so fundamentally wrong, unavoidably inaccurate, and
* unneeded that it is best to keep it as short as possible.
*/
if (client->view->v4_aaaa != dns_v4_aaaa_ok &&
is_v4_client(client) &&
ns_client_checkaclsilent(client, NULL,
client->view->v4_aaaa_acl,
ISC_TRUE) == ISC_R_SUCCESS &&
(!WANTDNSSEC(client) ||
sigrdataset == NULL ||
!dns_rdataset_isassociated(sigrdataset) ||
client->view->v4_aaaa == dns_v4_aaaa_break_dnssec)) {
if (client->filter_aaaa == dns_v4_aaaa_break_dnssec ||
(client->filter_aaaa == dns_v4_aaaa_filter &&
(!WANTDNSSEC(client) || sigrdataset == NULL ||
!dns_rdataset_isassociated(sigrdataset))))
{
if (qtype == dns_rdatatype_aaaa) {
trdataset = query_newrdataset(client);
result = dns_db_findrdataset(db, node, version,
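Review bot: In the qtype=ANY path, the new branch `if (client->filter_aaaa == dns_v4_aaaa_break_dnssec) client->attributes |= NS_CLIENTATTR_FILTER_AAAA;` sets the filter attribute without the `have_aaaa && have_a` guard that the removed condition applied to both modes and that the block comment above it ("Filter AAAAs if there is an A and there is no signature or we are supposed to break DNSSEC") still describes. If the intent is still to hide AAAA only when an A record accompanies it, the guard belongs on that branch too: `if (client->filter_aaaa != dns_v4_aaaa_ok && have_aaaa && have_a && (client->filter_aaaa == dns_v4_aaaa_break_dnssec || !have_sig || !WANTDNSSEC(client)))`; if dropping it is deliberate, the comment should say that break-dnssec filters AAAA regardless of whether an A is present. The parallel path in query_addadditional keeps the A-only protection (`goto addname` is only taken when `have_a` is set), so the two paths currently differ for a name with AAAA but no A. query_find and query_addadditional both begin and end outside the hunks shown.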
......
......@@ -12,12 +12,13 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: root.db,v 1.2 2010/06/22 03:58:37 marka Exp $
; $Id: root.db,v 1.3 2012/01/31 06:58:38 each Exp $
$TTL 120
@ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
@ NS ns.utld
ns.utld A 10.53.0.1
ns.utld AAAA fd92:7065:b8e:ffff::1
;
signed NS ns.utld
unsigned NS ns.utld
......@@ -12,12 +12,15 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: signed.db.in,v 1.2 2010/06/22 03:58:37 marka Exp $
; $Id: signed.db.in,v 1.3 2012/01/31 06:58:38 each Exp $
$TTL 120
@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
@ MX 10 mx
a-only NS 1.0.0.1
aaaa-only AAAA 2001:db8::2
dual A 1.0.0.3
dual AAAA 2001:db8::3
mx A 1.0.0.3
mx AAAA 2001:db8::3
......@@ -12,12 +12,15 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: unsigned.db,v 1.2 2010/06/22 03:58:37 marka Exp $
; $Id: unsigned.db,v 1.3 2012/01/31 06:58:38 each Exp $
$TTL 120
@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
@ MX 10 mx
a-only NS 1.0.0.4
aaaa-only AAAA 2001:db8::5
dual A 1.0.0.6
dual AAAA 2001:db8::6
mx A 1.0.0.3
mx AAAA 2001:db8::3
......@@ -12,12 +12,13 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: root.db,v 1.2 2010/06/22 03:58:38 marka Exp $
; $Id: root.db,v 1.3 2012/01/31 06:58:38 each Exp $
$TTL 120
@ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 )
@ NS ns.utld
ns.utld A 10.53.0.1
ns.utld AAAA fd92:7065:b8e:ffff::1
;
signed NS ns.utld
unsigned NS ns.utld
......@@ -12,12 +12,15 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: signed.db.in,v 1.2 2010/06/22 03:58:38 marka Exp $
; $Id: signed.db.in,v 1.3 2012/01/31 06:58:38 each Exp $
$TTL 120
@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
@ MX 10 mx
a-only NS 1.0.0.1
aaaa-only AAAA 2001:db8::2
dual A 1.0.0.3
dual AAAA 2001:db8::3
mx A 1.0.0.3
mx AAAA 2001:db8::3
......@@ -12,12 +12,15 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: unsigned.db,v 1.2 2010/06/22 03:58:38 marka Exp $
; $Id: unsigned.db,v 1.3 2012/01/31 06:58:39 each Exp $
$TTL 120
@ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 )
@ NS ns.utld.
@ MX 10 mx
a-only NS 1.0.0.4
aaaa-only AAAA 2001:db8::5
dual A 1.0.0.6
dual AAAA 2001:db8::6
mx A 1.0.0.3
mx AAAA 2001:db8::3
......@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.2 2010/06/22 03:58:36 marka Exp $
# $Id: tests.sh,v 1.3 2012/01/31 06:58:38 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
......@@ -174,6 +174,45 @@ else
echo "I: skipped."
fi
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=NS ($n)"
ret=0
$DIG $DIGOPTS +add ns unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1
grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, signed ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6 ($n)"
if $TESTSOCK6 fd92:7065:b8e:ffff::1
then
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
else
echo "I: skipped."
fi
#
# Authoritative tests against:
# filter-aaaa-on-v4 break-dnssec;
......@@ -303,6 +342,45 @@ else
echo "I: skipped."
fi
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add ns unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6, with break-dnssec ($n)"
if $TESTSOCK6 fd92:7065:b8e:ffff::4
then
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
else
echo "I: skipped."
fi
#
# Recursive tests against:
# filter-aaaa-on-v4 yes;
......@@ -431,6 +509,45 @@ else
echo "I: skipped."
fi
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=NS ($n)"
ret=0
$DIG $DIGOPTS +add ns unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, signed ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1
grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6 ($n)"
if $TESTSOCK6 fd92:7065:b8e:ffff::2
then
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
else
echo "I: skipped."
fi
#
# Recursive tests against:
# filter-aaaa-on-v4 break-dnssec;
......@@ -559,5 +676,43 @@ else
echo "I: skipped."
fi
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add ns unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)"
ret=0
$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6, recursive with break-dnssec ($n)"
if $TESTSOCK6 fd92:7065:b8e:ffff::3
then
ret=0
$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1
grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
else
echo "I: skipped."
fi
echo "I:exit status: $status"
exit $status
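Review bot: The "AAAA is omitted" MX checks, e.g. `grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1`, only assert that the AAAA is absent; they would also pass if the entire additional section were dropped, so they do not show that the A record survived the filter. Adding `grep "^mx.unsigned.*[[:space:]]A[[:space:]]" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1` to each of those blocks (the ns1, ns4, ns2 and ns3 variants, and the break-dnssec `mx.signed` checks with the matching name and output file) pins that only the AAAA was removed, in the same way the qtype=NS checks already do with `grep "ADDITIONAL: 2"`. The four IPv6 blocks repeat the same dig/grep sequence with only the address changing; a small shell function taking the address and output-file suffix would keep the expected-result logic in one place.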