upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-08 23:32:05 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

[master] add no-case-compress

Browse source 
3731.	[func]		Added a "no-case-compress" ACL, which causes
			named to use case-insensitive compression
			(disabling change #3645) for specified
			clients. (This is useful when dealing
			with broken client implementations that
			use case-sensitive name comparisons,
			rejecting responses that fail to match the
			capitalization of the query that was sent.)
			[RT #35300]
This commit is contained in:
Evan Hunt 2014-02-06 19:37:26 -08:00
parent dd19c1a352
commit 166341d554
9 changed files with 151 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
CHANGES
View file

@ -1,3 +1,13 @@
3731. [func] Added a "no-case-compress" ACL, which causes
named to use case-insensitive compression
(disabling change #3645) for specified
clients. (This is useful when dealing
with broken client implementations that
use case-sensitive name comparisons,
rejecting responses that fail to match the
capitalization of the query that was sent.)
[RT #35300]
3730. [cleanup] Added "never" as a synonym for "none" when
configuring key event dates in the dnssec tools.
[RT #35277]

16
bin/named/client.c
View file

@ -233,6 +233,8 @@ static void client_request(isc_task_t *task, isc_event_t *event);
static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
static isc_result_t get_client(ns_clientmgr_t *manager, ns_interface_t *ifp,
dns_dispatch_t *disp, isc_boolean_t tcp);
static inline isc_boolean_t
allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl);
void
ns_client_recursing(ns_client_t *client) {
@ -994,7 +996,19 @@ client_send(ns_client_t *client) {
result = dns_compress_init(&cctx, -1, client->mctx);
if (result != ISC_R_SUCCESS)
goto done;
dns_compress_setsensitive(&cctx, ISC_TRUE);
if (client->peeraddr_valid && client->view != NULL) {
isc_netaddr_t netaddr;
dns_name_t *name = NULL;
isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
if (client->message->tsigkey != NULL)
name = &client->message->tsigkey->name;
if (client->view->nocasecompress == NULL ||
!allowed(&netaddr, name, client->view->nocasecompress))
{
dns_compress_setsensitive(&cctx, ISC_TRUE);
}
}
cleanup_cctx = ISC_TRUE;
result = dns_message_renderbegin(client->message, &cctx, &buffer);

8
bin/named/server.c
View file

@ -3306,6 +3306,14 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
CHECK(dns_acl_none(mctx, &view->cacheacl));
}
/*
* Ignore case when compressing responses to the specified
* clients. This causes case not always to be presrerved,
* and is needed by some broken clients.
*/
CHECK(configure_view_acl(vconfig, config, "no-case-compress", NULL,
actx, ns_g_mctx, &view->nocasecompress));
/*
* Filter setting on addresses in the answer section.
*/

38
bin/tests/system/case/ns2/named.conf Normal file
View file

@ -0,0 +1,38 @@
/*
* Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
notify yes;
ixfr-from-differences yes;
check-integrity no;
no-case-compress { 10.53.0.2; };
};
zone "example" {
type slave;
file "example.bk";
masters { 10.53.0.1; };
};

25
bin/tests/system/case/tests.sh
View file

@ -23,11 +23,28 @@ status=0
n=0
n=`expr $n + 1`
echo "I:testing case sensitive responses ($n)"
echo "I:testing case preserving responses - no acl ($n)"
ret=0
$DIG $DIGOPTS mx example. @10.53.0.1 -p 5300 > dig.n1.test$n
grep "0.mail.eXaMpLe" dig.n1.test$n > /dev/null || ret=1
grep "mAiL.example" dig.n1.test$n > /dev/null || ret=1
$DIG $DIGOPTS mx example. @10.53.0.1 -p 5300 > dig.ns1.test$n
grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1
test $ret -eq 0 || echo "I:failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo "I:testing no-case-compress acl '{ 10.53.0.2; }' ($n)"
ret=0
# check that we preserve zone case for non-matching query (10.53.0.1)
$DIG $DIGOPTS mx example. -b 10.53.0.1 @10.53.0.1 -p 5300 > dig.ns1.test$n
grep "0.mail.eXaMpLe" dig.ns1.test$n > /dev/null || ret=1
grep "mAiL.example" dig.ns1.test$n > /dev/null || ret=1
# check that we don't preserve zone case for match (10.53.0.2)
$DIG $DIGOPTS mx example. -b 10.53.0.2 @10.53.0.2 -p 5300 > dig.ns2.test$n
grep "0.mail.example" dig.ns2.test$n > /dev/null || ret=1
grep "mail.example" dig.ns2.test$n > /dev/null || ret=1
test $ret -eq 0 || echo "I:failed"
status=`expr $status + $ret`

54
doc/arm/Bv9ARM-book.xml
View file

@ -4813,6 +4813,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
<optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
<optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
<optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
<optional> no-case-compress { <replaceable>address_match_list</replaceable> }; </optional>
<optional> use-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
<optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
<optional> use-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
@ -7181,6 +7182,59 @@ options {
</listitem>
</varlistentry>
<varlistentry>
<term><command>no-case-compress</command></term> <listitem>
<para>
Specifies a list of addresses which require responses
to use case-insensitive compression. This ACL can be
used when <command>named</command> needs to work with
clients that do not comply with the requirement in RFC
1034 to use case-insensitive name comparisons when
checking for matching domain names.
</para>
<para>
If left undefined, the ACL defaults to
<command>none</command>: case-insensitive compression
will be used for all clients. If the ACL is defined and
matches a client, then case will be ignored when
compressing domain names in DNS responses sent to that
client.
</para>
<para>
This can result in slightly smaller responses: if
a response contains the names "example.com" and
"example.COM", case-insensitive compression would treat
the second one as a duplicate. It also ensures
that the case of the query name exactly matches the
case of the owner names of returned records, rather
than matching the case of the records entered in
the zone file. This allows responses to exactly
match the query, which is required by some clients
due to incorrect use of case-sensitive comparisions.
</para>
<para>
Case-insensitive compression is <emphasis>always</emphasis>
used in AXFR and IXFR responses, regardless of whether
the client matches this ACL.
</para>
<para>
There are circusmstances in which <command>named</command>
will not preserve the case of owner names of records:
if a zone file defines records of different types with
the same name, but the capitalization of the name is
different (e.g., "www.example.com/A" and
"WWW.EXAMPLE.COM/AAAA"), then all resposnes for that
name will use the <emphasis>first</emphasis> version
of the name that was used in the zone file. This
limitation may be addressed in a future release. However,
domain names specified in the rdata of resource records
(i.e., records of type NS, MX, CNAME, etc) will always
have their case preserved unless the client matches this
ACL.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>resolver-query-timeout</command></term>
<listitem>

1
lib/dns/include/dns/view.h
View file

@ -141,6 +141,7 @@ struct dns_view {
dns_acl_t * updateacl;
dns_acl_t * upfwdacl;
dns_acl_t * denyansweracl;
dns_acl_t * nocasecompress;
dns_rbt_t * answeracl_exclude;
dns_rbt_t * denyanswernames;
dns_rbt_t * answernames_exclude;

3
lib/dns/view.c
View file

@ -182,6 +182,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->updateacl = NULL;
view->upfwdacl = NULL;
view->denyansweracl = NULL;
view->nocasecompress = NULL;
view->answeracl_exclude = NULL;
view->denyanswernames = NULL;
view->answernames_exclude = NULL;
@ -357,6 +358,8 @@ destroy(dns_view_t *view) {
dns_db_detach(&view->cachedb);
if (view->cache != NULL)
dns_cache_detach(&view->cache);
if (view->nocasecompress != NULL)
dns_acl_detach(&view->nocasecompress);
if (view->matchclients != NULL)
dns_acl_detach(&view->matchclients);
if (view->matchdestinations != NULL)

1
lib/isccfg/namedconf.c
View file

@ -1522,6 +1522,7 @@ view_clauses[] = {
{ "minimal-responses", &cfg_type_boolean, 0 },
{ "prefetch", &cfg_type_prefetch, 0 },
{ "preferred-glue", &cfg_type_astring, 0 },
{ "no-case-compress", &cfg_type_bracketed_aml, 0 },
{ "provide-ixfr", &cfg_type_boolean, 0 },
/*
* Note that the query-source option syntax is different