From 3f59d6c25118bd156535ed969435d29b972452b1 Mon Sep 17 00:00:00 2001 From: Mukund Sivaraman Date: Wed, 2 May 2018 12:18:44 +0530 Subject: [PATCH 1/5] Don't validate non-pending glue when adding to the additional section (cherry picked from commit 31bd3147d118106faa62fe90ec39f36c64239e5d) --- bin/named/query.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/bin/named/query.c b/bin/named/query.c index 6b3d7980656..ae1ae76d40e 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -1625,8 +1625,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { have_a = ISC_TRUE; #endif if (additionaltype == dns_rdatasetadditional_fromcache && - (DNS_TRUST_PENDING(rdataset->trust) || - DNS_TRUST_GLUE(rdataset->trust)) && + DNS_TRUST_PENDING(rdataset->trust) && !validate(client, db, fname, rdataset, sigrdataset)) { dns_rdataset_disassociate(rdataset); @@ -1696,8 +1695,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { goto addname; #endif if (additionaltype == dns_rdatasetadditional_fromcache && - (DNS_TRUST_PENDING(rdataset->trust) || - DNS_TRUST_GLUE(rdataset->trust)) && + DNS_TRUST_PENDING(rdataset->trust) && !validate(client, db, fname, rdataset, sigrdataset)) { dns_rdataset_disassociate(rdataset); -- GitLab From 3d62545657aea368bcabf64bb351dddae4e02453 Mon Sep 17 00:00:00 2001 From: Mukund Sivaraman Date: Wed, 2 May 2018 13:07:14 +0530 Subject: [PATCH 2/5] Add system test (cherry picked from commit 303391ea415cd3c09c285a1e11c988e11c540974) --- bin/tests/system/dnssec/tests.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 8c00a91d23b..7431351e4bf 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
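Review bot: Dropping the DNS_TRUST_GLUE test from the condition in both hunks (the A branch at 1625 and the AAAA branch at 1696 of query_addadditional) means cached glue no longer reaches validate() at all, rather than merely surviving a failed validation; if validate() upgrades the rdataset's trust on success, as the later "attempt to validate glue" commit in this series implies, glue that does carry verifiable signatures now stays at glue trust when it is added. The narrower fix is to keep offering pending and glue data to validate() and only disassociate when the trust is pending, i.e. keep the existing fromcache and pending-or-glue test and replace the drop condition with `if (!validate(client, db, fname, rdataset, sigrdataset) && DNS_TRUST_PENDING(rdataset->trust)) {` — which is what PATCH 5/5 ends up doing. The same applies to the two query_addadditional2 hunks in PATCH 4/5. The enclosing `if (result == ISC_R_SUCCESS)` body starts and ends outside both hunks.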
@@ -73,6 +73,18 @@ stripns () { awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' $1 } +# Check that for a query against a validating resolver where the +# authoritative zone is unsigned (insecure delegation), glue is returned +# in the additional section +echo_i "checking that additional glue is returned for unsigned delegation ($n)" +ret=0 +$DIG +tcp +dnssec -p ${PORT} a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null || ret=1 +grep "ns\.insecure\.example\..*A.10\.53\.0\.3" dig.out.ns4.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + # Check the example. domain echo_i "checking that zone transfer worked ($n)" -- GitLab From a5c94e1d443137a9c7890e7d73d6f7f1d9070bc9 Mon Sep 17 00:00:00 2001 From: Mukund Sivaraman Date: Wed, 2 May 2018 13:17:36 +0530 Subject: [PATCH 3/5] Add CHANGES entry (cherry picked from commit dfd73d7e169b601049912ee9c29620971a526d50) --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index 869d7c5a5b8..6fedd0067ca 100644 --- a/CHANGES +++ b/CHANGES @@ -11,6 +11,9 @@ 4949. [bug] lib/isc/print.c failed to handle floating point output correctly. [GL #261] +4946. [bug] Additional glue was not being returned by resolver + for unsigned zones since change 4596. [GL #209] + 4939. [test] Add basic unit tests for update_sigs(). [GL #135] 4935. [func] Add support for LibreSSL >= 2.7.0 (some OpenSSL 1.1.0 -- GitLab From 22ff9c9199c73775533725aa1f118e099625014b Mon Sep 17 00:00:00 2001 From: Mukund Sivaraman Date: Wed, 16 May 2018 13:03:00 +0530 Subject: [PATCH 4/5] Fix acache case too --- bin/named/query.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/bin/named/query.c b/bin/named/query.c index ae1ae76d40e..44caf79ff5a 100644 --- a/bin/named/query.c +++ b/bin/named/query.c 
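Review bot: The new check exercises only the A-glue path of query_addadditional; the AAAA branch changed in the same commit and the acache path in query_addadditional2 (PATCH 4/5) get no assertion, so a regression in either would pass this test. The exact header match `grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2"` is also brittle: the ADDITIONAL count presumably includes the OPT record that +dnssec adds, so a change in what dig counts there fails the test for reasons unrelated to glue, while the following grep on `ns\.insecure\.example\..*A.10\.53\.0\.3` is the line that actually carries the intent. If the test zone provides an AAAA glue address for the insecure delegation, a second grep on it would cover the other branch; otherwise a short comment stating that only A glue is checked would save the next reader from assuming full coverage.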
@@ -2162,9 +2162,9 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { */ if (result == ISC_R_SUCCESS && additionaltype == dns_rdatasetadditional_fromcache && - (DNS_TRUST_PENDING(rdataset->trust) || - DNS_TRUST_GLUE(rdataset->trust)) && - !validate(client, db, fname, rdataset, sigrdataset)) { + DNS_TRUST_PENDING(rdataset->trust) && + !validate(client, db, fname, rdataset, sigrdataset)) + { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); @@ -2204,9 +2204,9 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { */ if (result == ISC_R_SUCCESS && additionaltype == dns_rdatasetadditional_fromcache && - (DNS_TRUST_PENDING(rdataset->trust) || - DNS_TRUST_GLUE(rdataset->trust)) && - !validate(client, db, fname, rdataset, sigrdataset)) { + DNS_TRUST_PENDING(rdataset->trust) && + !validate(client, db, fname, rdataset, sigrdataset)) + { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); -- GitLab From 32681598cd57f7ad4af8c3036cd2431e819ff6ee Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 17 May 2018 17:12:15 -0700 Subject: [PATCH 5/5] attempt to validate glue, but don't drop it if it can't be validated --- bin/named/query.c | 48 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 38 insertions(+), 10 deletions(-) diff --git a/bin/named/query.c b/bin/named/query.c index 44caf79ff5a..7fc535056db 100644 --- a/bin/named/query.c +++ b/bin/named/query.c 
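Review bot: Moving `{` onto its own line after the multi-line condition in both hunks is a formatting change unrelated to the fix, and it leaves query_addadditional2 styled differently from the identical conditions PATCH 1/5 just changed in query_addadditional, which keep `!validate(client, db, fname, rdataset, sigrdataset)) {` on one line. Either apply the same brace placement in both functions in one pass or keep the reformat out of a behavioural patch so the diff shows only the condition change and the two functions stay easy to compare side by side. Both hunks sit inside larger bodies whose start and end are outside the hunk.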
@@ -1620,14 +1620,21 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { + isc_boolean_t invalid = ISC_FALSE; mname = NULL; #ifdef ALLOW_FILTER_AAAA have_a = ISC_TRUE; #endif - if (additionaltype == dns_rdatasetadditional_fromcache && - DNS_TRUST_PENDING(rdataset->trust) && + if (additionaltype == + dns_rdatasetadditional_fromcache && + (DNS_TRUST_PENDING(rdataset->trust) || + DNS_TRUST_GLUE(rdataset->trust)) && !validate(client, db, fname, rdataset, sigrdataset)) { + invalid = ISC_TRUE; + } + + if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) @@ -1682,6 +1689,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { + isc_boolean_t invalid = ISC_FALSE; mname = NULL; /* * There's an A; check whether we're filtering AAAA @@ -1694,10 +1702,16 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { !dns_rdataset_isassociated(sigrdataset))))) goto addname; #endif - if (additionaltype == dns_rdatasetadditional_fromcache && - DNS_TRUST_PENDING(rdataset->trust) && + if (additionaltype == + dns_rdatasetadditional_fromcache && + (DNS_TRUST_PENDING(rdataset->trust) || + DNS_TRUST_GLUE(rdataset->trust)) && !validate(client, db, fname, rdataset, sigrdataset)) { + invalid = ISC_TRUE; + } + + if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { dns_rdataset_disassociate(rdataset); if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) @@ -1859,6 +1873,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { dns_rdatasetadditional_t additionaltype; dns_clientinfomethods_t cm; dns_clientinfo_t ci; + isc_boolean_t invalid; /* * If we don't have an additional cache call query_addadditional. 
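Review bot: The new `if (invalid && DNS_TRUST_PENDING(rdataset->trust))` in the two query_addadditional hunks (1620 and 1694) has no comment explaining why glue that fails validate() is deliberately kept, unlike the matching query_addadditional2 hunks in this same commit, which gain a "Try to promote pending/glue from the cache to secure … unless it's glue" comment; that three-line comment belongs above both checks here as well. More broadly, this commit now patches the same pending/glue decision in four places (two here, two in query_addadditional2), and the series itself shows the cost of that duplication: PATCH 1/5 changed two copies and PATCH 4/5 had to repeat it for the other two. Pulling the decision into one static helper, sketched below, leaves a single place to reason about what unvalidated data may enter the additional section and removes the `invalid` flags; the helper only decides keep-or-drop, the disassociate calls stay at each call site, and query_addadditional2 keeps its leading `result == ISC_R_SUCCESS &&`. Whether validate() changes rdataset->trust on success is inferred from the surrounding comments rather than visible in this diff, so the helper re-reads the trust after the call exactly as the patched code does. The `if (result == ISC_R_SUCCESS)` bodies enclosing the first and third hunks start and end outside them.

```c
/*
 * Decide whether an rdataset pulled from the cache may be added to the
 * additional section.  Pending or glue data is first offered to
 * validate(); pending data that cannot be validated is refused, glue is
 * kept because the response may need it to reach the child's
 * nameservers (it keeps its existing, non-secure trust level).
 */
static isc_boolean_t
additional_usable(ns_client_t *client, dns_db_t *db, dns_name_t *fname,
		  dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
		  dns_rdatasetadditional_t additionaltype)
{
	if (additionaltype != dns_rdatasetadditional_fromcache)
		return (ISC_TRUE);
	if (!DNS_TRUST_PENDING(rdataset->trust) &&
	    !DNS_TRUST_GLUE(rdataset->trust))
		return (ISC_TRUE);
	if (validate(client, db, fname, rdataset, sigrdataset))
		return (ISC_TRUE);
	/* Validation failed: drop pending data, keep glue. */
	return (DNS_TRUST_PENDING(rdataset->trust) ? ISC_FALSE : ISC_TRUE);
}

/* … at each of the four call sites, replacing the two if statements … */
		if (!additional_usable(client, db, fname, rdataset,
				       sigrdataset, additionaltype)) {
			dns_rdataset_disassociate(rdataset);
			/* … unchanged: sigrdataset cleanup … */
```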
@@ -2156,15 +2171,22 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { */ result = dns_db_findrdataset(db, node, version, dns_rdatatype_a, 0, client->now, rdataset, sigrdataset); + /* - * If we can't promote glue/pending from the cache to secure - * then drop it. + * Try to promote pending/glue from the cache to secure. + * If unable to do so, drop it from the response unless + * it's glue, in which case it may still be needed. */ + invalid = ISC_FALSE; if (result == ISC_R_SUCCESS && additionaltype == dns_rdatasetadditional_fromcache && - DNS_TRUST_PENDING(rdataset->trust) && + (DNS_TRUST_PENDING(rdataset->trust) || + DNS_TRUST_GLUE(rdataset->trust)) && !validate(client, db, fname, rdataset, sigrdataset)) { + invalid = ISC_TRUE; + } + if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); @@ -2199,14 +2221,20 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { result = dns_db_findrdataset(db, node, version, dns_rdatatype_aaaa, 0, client->now, rdataset, sigrdataset); /* - * If we can't promote glue/pending from the cache to secure - * then drop it. + * Try to promote pending/glue from the cache to secure. + * If unable to do so, drop it from the response unless + * it's glue, in which case it may still be needed. */ + invalid = ISC_FALSE; if (result == ISC_R_SUCCESS && additionaltype == dns_rdatasetadditional_fromcache && - DNS_TRUST_PENDING(rdataset->trust) && + (DNS_TRUST_PENDING(rdataset->trust) || + DNS_TRUST_GLUE(rdataset->trust)) && !validate(client, db, fname, rdataset, sigrdataset)) { + invalid = ISC_TRUE; + } + if (invalid && DNS_TRUST_PENDING(rdataset->trust)) { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); -- GitLab
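Review bot: `invalid` is here a function-scope `isc_boolean_t` (declared uninitialised in the earlier hunk at 1859) that both hunks reset with `invalid = ISC_FALSE;` before use, whereas the same commit's query_addadditional hunks declare it block-local and initialised, `isc_boolean_t invalid = ISC_FALSE;`, at the top of the `if (result == ISC_R_SUCCESS)` body. The block-local form is the safer of the two, since a future call site cannot read a stale value, and it makes the two functions read alike; if the surrounding blocks permit it, the declaration could move to the top of the blocks holding the new checks. The new comment is good as far as it goes, but "it may still be needed" leaves the trust boundary implicit: adding a line such as `* Glue that fails validation keeps its non-secure trust level and must not be treated as validated.` would stop a later reader assuming additional-section data has been checked. Both hunks are inside bodies that start and end outside the hunk.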