Skip to content

GitLab

BIND
BIND
Commit b0dbcba2 authored by Mukund Sivaraman's avatar Mukund Sivaraman
Browse files
Options

Validate glue before adding it to the additional section (#45062)

parent dd7d1df8
Hide whitespace changes
Inline Side-by-side
Showing with 144 additions and 52 deletions
CHANGES
View file @ b0dbcba2
4596. [bug] Validate glue before adding it to the additional
section. This also fixes incorrect TTL capping
when the RRSIG expired earlier than the TTL.
[RT #45062]
4595. [func] dnssec-keygen will no longer generate RSA keys 4595. [func] dnssec-keygen will no longer generate RSA keys
less than 1024 bits in length. dnssec-keymgr less than 1024 bits in length. dnssec-keymgr
was similarly updated. [RT #36895] was similarly updated. [RT #36895]
......
bin/named/query.c
View file @ b0dbcba2
...@@ -1586,6 +1586,7 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) { ...@@ -1586,6 +1586,7 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
dns_rdatatype_t type; dns_rdatatype_t type;
dns_clientinfomethods_t cm; dns_clientinfomethods_t cm;
dns_clientinfo_t ci; dns_clientinfo_t ci;
dns_rdatasetadditional_t additionaltype;
REQUIRE(NS_CLIENT_VALID(client)); REQUIRE(NS_CLIENT_VALID(client));
REQUIRE(qtype != dns_rdatatype_any); REQUIRE(qtype != dns_rdatatype_any);
...@@ -1609,6 +1610,7 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) { ...@@ -1609,6 +1610,7 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
added_something = ISC_FALSE; added_something = ISC_FALSE;
need_addname = ISC_FALSE; need_addname = ISC_FALSE;
zone = NULL; zone = NULL;
additionaltype = dns_rdatasetadditional_fromauth;
dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfomethods_init(&cm, ns_client_sourceip);
dns_clientinfo_init(&ci, client, NULL); dns_clientinfo_init(&ci, client, NULL);
...@@ -1682,6 +1684,7 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) { ...@@ -1682,6 +1684,7 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
*/ */
try_cache: try_cache:
additionaltype = dns_rdatasetadditional_fromcache;
result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG); result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
if (result != ISC_R_SUCCESS) if (result != ISC_R_SUCCESS)
/* /*
...@@ -1698,20 +1701,16 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) { ...@@ -1698,20 +1701,16 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
} }
result = dns_db_findext(db, name, version, type, result = dns_db_findext(db, name, version, type,
client->query.dboptions | client->query.dboptions |
DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK, DNS_DBFIND_GLUEOK | DNS_DBFIND_ADDITIONALOK,
client->now, &node, fname, &cm, &ci, client->now, &node, fname, &cm, &ci,
rdataset, sigrdataset); rdataset, sigrdataset);
dns_cache_updatestats(client->view->cache, result); dns_cache_updatestats(client->view->cache, result);
if (result == DNS_R_GLUE &&
validate(client, db, fname, rdataset, sigrdataset))
result = ISC_R_SUCCESS;
if (!WANTDNSSEC(client)) if (!WANTDNSSEC(client))
query_putrdataset(client, &sigrdataset); query_putrdataset(client, &sigrdataset);
if (result == ISC_R_SUCCESS) if (result == ISC_R_SUCCESS)
goto found; goto found;
if (dns_rdataset_isassociated(rdataset)) if (dns_rdataset_isassociated(rdataset))
dns_rdataset_disassociate(rdataset); dns_rdataset_disassociate(rdataset);
if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
...@@ -1746,6 +1745,8 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) { ...@@ -1746,6 +1745,8 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
goto cleanup; goto cleanup;
dns_db_attach(client->query.gluedb, &db); dns_db_attach(client->query.gluedb, &db);
additionaltype = dns_rdatasetadditional_fromglue;
result = dns_db_findext(db, name, version, type, result = dns_db_findext(db, name, version, type,
client->query.dboptions | DNS_DBFIND_GLUEOK, client->query.dboptions | DNS_DBFIND_GLUEOK,
client->now, &node, fname, &cm, &ci, client->now, &node, fname, &cm, &ci,
...@@ -1838,7 +1839,17 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) { ...@@ -1838,7 +1839,17 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
#ifdef ALLOW_FILTER_AAAA #ifdef ALLOW_FILTER_AAAA
have_a = ISC_TRUE; have_a = ISC_TRUE;
#endif #endif
if (!query_isduplicate(client, fname, if (additionaltype == dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) &&
!validate(client, db, fname, rdataset, sigrdataset))
{
dns_rdataset_disassociate(rdataset);
if (sigrdataset != NULL &&
dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
result = ISC_R_NOTFOUND;
} else if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) { dns_rdatatype_a, &mname)) {
if (mname != fname) { if (mname != fname) {
if (mname != NULL) { if (mname != NULL) {
...@@ -1897,7 +1908,17 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) { ...@@ -1897,7 +1908,17 @@ query_addadditional(void *arg, const dns_name_t *name, dns_rdatatype_t qtype) {
!dns_rdataset_isassociated(sigrdataset))))) !dns_rdataset_isassociated(sigrdataset)))))
goto addname; goto addname;
#endif #endif
if (!query_isduplicate(client, fname, if (additionaltype == dns_rdatasetadditional_fromcache &&
(DNS_TRUST_PENDING(rdataset->trust) ||
DNS_TRUST_GLUE(rdataset->trust)) &&
!validate(client, db, fname, rdataset, sigrdataset))
{
dns_rdataset_disassociate(rdataset);
if (sigrdataset != NULL &&
dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
result = ISC_R_NOTFOUND;
} else if (!query_isduplicate(client, fname,
dns_rdatatype_aaaa, &mname)) { dns_rdatatype_aaaa, &mname)) {
if (mname != fname) { if (mname != fname) {
if (mname != NULL) { if (mname != NULL) {
......
bin/tests/system/dnssec/ns4/named4.conf
View file @ b0dbcba2
/* /*
* Copyright (C) 2013, 2016 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2012, 2013, 2016 Internet Systems Consortium, Inc. ("ISC")
* *
* This Source Code Form is subject to the terms of the Mozilla Public * This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this * License, v. 2.0. If a copy of the MPL was not distributed with this
...@@ -18,6 +18,12 @@ options { ...@@ -18,6 +18,12 @@ options {
pid-file "named.pid"; pid-file "named.pid";
listen-on { 10.53.0.4; }; listen-on { 10.53.0.4; };
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion yes;
acache-enable no;
dnssec-enable yes;
dnssec-validation auto;
bindkeys-file "managed.conf";
dnssec-accept-expired yes;
}; };
key rndc_key { key rndc_key {
...@@ -29,47 +35,7 @@ controls { ...@@ -29,47 +35,7 @@ controls {
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; }; inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
}; };
key auth { zone "." {
secret "1234abcd8765"; type hint;
algorithm hmac-sha256; file "../../common/root.hint";
};
include "trusted.conf";
view rec {
match-recursive-only yes;
recursion yes;
acache-enable yes;
dnssec-validation yes;
dnssec-accept-expired yes;
zone "." {
type hint;
file "../../common/root.hint";
};
zone secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
zone insecure.secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
};
view auth {
recursion no;
allow-recursion { none; };
zone secure.example {
type slave;
masters { 10.53.0.3; };
};
zone insecure.secure.example {
type slave;
masters { 10.53.0.2; };
};
}; };
bin/tests/system/dnssec/ns4/named5.conf 0 → 100644
View file @ b0dbcba2
/*
* Copyright (C) 2013, 2016 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
// NS4
controls { /* empty */ };
options {
query-source address 10.53.0.4;
notify-source 10.53.0.4;
transfer-source 10.53.0.4;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
};
key auth {
secret "1234abcd8765";
algorithm hmac-sha256;
};
include "trusted.conf";
view rec {
match-recursive-only yes;
recursion yes;
acache-enable yes;
dnssec-validation yes;
dnssec-accept-expired yes;
zone "." {
type hint;
file "../../common/root.hint";
};
zone secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
zone insecure.secure.example {
type static-stub;
server-addresses { 10.53.0.4; };
};
};
view auth {
recursion no;
allow-recursion { none; };
zone secure.example {
type slave;
masters { 10.53.0.3; };
};
zone insecure.secure.example {
type slave;
masters { 10.53.0.2; };
};
};
bin/tests/system/dnssec/tests.sh
View file @ b0dbcba2
...@@ -2697,6 +2697,10 @@ n=`expr $n + 1` ...@@ -2697,6 +2697,10 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
cp ns4/named4.conf ns4/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
sleep 3
echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)" echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
ret=0 ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
...@@ -2714,6 +2718,27 @@ n=`expr $n + 1` ...@@ -2714,6 +2718,27 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
cp ns4/named4.conf ns4/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
sleep 3
echo "I:testing TTL is capped at RRSIG expiry time for records in the additional section with acache off; ($n)"
ret=0
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 flush
$DIG +noall +additional +dnssec +cd -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
$DIG +noall +additional +dnssec -p 5300 expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
for ttl in ${ttls:-300}; do
[ $ttl -eq 300 ] || ret=1
done
for ttl in ${ttls2:-0}; do
[ $ttl -le 120 -a $ttl -gt 60 ] || ret=1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:testing DNSKEY lookup via CNAME ($n)" echo "I:testing DNSKEY lookup via CNAME ($n)"
ret=0 ret=0
$DIG $DIGOPTS +noauth cnameandkey.secure.example. \ $DIG $DIGOPTS +noauth cnameandkey.secure.example. \
...@@ -2875,7 +2900,7 @@ n=`expr $n + 1` ...@@ -2875,7 +2900,7 @@ n=`expr $n + 1`
if test "$before" = "$after" ; then echo "I:failed"; ret=1; fi if test "$before" = "$after" ; then echo "I:failed"; ret=1; fi
status=`expr $status + $ret` status=`expr $status + $ret`
cp ns4/named4.conf ns4/named.conf cp ns4/named5.conf ns4/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /' $RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 reconfig 2>&1 | sed 's/^/I:ns4 /'
sleep 3 sleep 3
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment