upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-10 20:50:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Don't allow DNSSEC records in the raw zone

Browse source 
There was an exception for dnssec-policy that allowed DNSSEC in the
unsigned version of the zone. This however causes a crash if the
zone switches from dynamic to inline-signing in the case of NSEC3,
because we are now trying to add an NSEC3 record to a non-NSEC3 node.
This is because BIND expects none of the records in the unsigned
version of the zone to be NSEC3.

Remove the exception for dnssec-policy when copying non DNSSEC
records, but do allow for DNSKEY as this may be a published DNSKEY
from a different provider.

(cherry picked from commit 332b98ae49)
This commit is contained in:
Matthijs Mekking 2022-10-10 14:14:43 +02:00
parent bb1c40e0a3
commit 3609dce81d
1 changed files with 6 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
lib/dns/zone.c
View file

@ -17246,9 +17246,8 @@ restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
}
static isc_result_t
copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
dns_db_t *rawdb, dns_dbiterator_t *dbiterator,
unsigned int *oldserial) {
copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb,
dns_dbiterator_t *dbiterator, unsigned int *oldserial) {
dns_dbnode_t *rawnode = NULL, *node = NULL;
dns_fixedname_t fixed;
dns_name_t *name = dns_fixedname_initname(&fixed);
@ -17285,14 +17284,8 @@ copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
rdataset.type == dns_rdatatype_dnskey ||
rdataset.type == dns_rdatatype_nsec3param)
{
/*
* Allow DNSSEC records with dnssec-policy.
* WMM: Perhaps add config option for it.
*/
if (dns_zone_getkasp(zone) == NULL) {
dns_rdataset_disassociate(&rdataset);
continue;
}
dns_rdataset_disassociate(&rdataset);
continue;
}
if (rdataset.type == dns_rdatatype_soa && oldserial != NULL) {
result = checkandaddsoa(db, node, version, &rdataset,
@ -17395,8 +17388,8 @@ receive_secure_db(isc_task_t *task, isc_event_t *event) {
for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS;
result = dns_dbiterator_next(dbiterator))
{
result = copy_non_dnssec_records(zone, db, version, rawdb,
dbiterator, oldserialp);
result = copy_non_dnssec_records(db, version, rawdb, dbiterator,
oldserialp);
if (result != ISC_R_SUCCESS) {
goto failure;
}