Commit e1981945 authored by Evan Hunt's avatar Evan Hunt

Merge branch '1561-ncache-validation-crash' into 'master'

fix a bug when validating negative cache entries

Closes #1561

See merge request !2899
parents 4c1adf96 8b9a3314
Pipeline #30898 canceled with stages
in 23 minutes and 12 seconds
5347. [bug] Fixed a bug that could cause an intermittent crash
in validator.c when validating a negative cache
entry. [GL #1561]
5346. [bug] Make hazard pointer array allocations dynamic, fixing a
bug that caused named to crash on machines with more
than 40 cores. [GL #1493]
......
......@@ -1073,6 +1073,23 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking insecurity proof works using negative cache ($n)"
ret=0
rndccmd 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
dig_with_opts +cd @10.53.0.4 insecure.example. ds > dig.out.ns4.test$n.1 || ret=1
for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
do
dig_with_opts @10.53.0.4 nonexistent.insecure.example. > dig.out.ns4.test$n.2 || ret=1
if grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null; then
break
fi
sleep 1
done
grep "status: NXDOMAIN" dig.out.ns4.test$n.2 >/dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking positive validation RSASHA256 NSEC ($n)"
ret=0
dig_with_opts +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
......
......@@ -99,6 +99,7 @@
#define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0)
#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
#define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
static void
destroy(dns_validator_t *val);
......@@ -3085,16 +3086,14 @@ validator_start(isc_task_t *task, isc_event_t *event) {
"parent indicates it should be secure");
}
} else if ((val->event->rdataset == NULL &&
val->event->sigrdataset == NULL) ||
(val->event->rdataset != NULL &&
NEGATIVE(val->event->rdataset)))
val->event->sigrdataset == NULL))
{
/*
* This is a nonexistence validation.
* This is a validation of a negative response.
*/
validator_log(val, ISC_LOG_DEBUG(3),
"attempting negative response validation");
"attempting negative response validation "
"from message");
if (val->event->message->rcode == dns_rcode_nxdomain) {
val->attributes |= VALATTR_NEEDNOQNAME;
......@@ -3102,6 +3101,25 @@ validator_start(isc_task_t *task, isc_event_t *event) {
} else {
val->attributes |= VALATTR_NEEDNODATA;
}
result = validate_nx(val, false);
} else if ((val->event->rdataset != NULL &&
NEGATIVE(val->event->rdataset)))
{
/*
* This is a delayed validation of a negative cache entry.
*/
validator_log(val, ISC_LOG_DEBUG(3),
"attempting negative response validation "
"from cache");
if (NXDOMAIN(val->event->rdataset)) {
val->attributes |= VALATTR_NEEDNOQNAME;
val->attributes |= VALATTR_NEEDNOWILDCARD;
} else {
val->attributes |= VALATTR_NEEDNODATA;
}
result = validate_nx(val, false);
} else {
INSIST(0);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment