From 38e8022ace865803bdd609c9763cd7d7ba2818dc Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 5 May 2004 01:32:58 +0000 Subject: [PATCH] 1625. [bug] named failed to load/transfer RFC2535 signed zones which contained CNAMES. [RT# 11237] --- CHANGES | 3 +- bin/named/update.c | 10 +- bin/tests/system/dnssec/ns2/example.db.in | 6 +- bin/tests/system/dnssec/ns2/named.conf | 8 +- .../system/dnssec/ns2/rfc2335.example.db | 103 ++++++++++++++++++ bin/tests/system/dnssec/ns3/named.conf | 8 +- bin/tests/system/dnssec/tests.sh | 23 +++- lib/dns/master.c | 5 +- lib/dns/message.c | 17 ++- lib/dns/rbtdb.c | 7 +- 10 files changed, 168 insertions(+), 22 deletions(-) create mode 100644 bin/tests/system/dnssec/ns2/rfc2335.example.db diff --git a/CHANGES b/CHANGES index 21c2ac5780..f52be02cbe 100644 --- a/CHANGES +++ b/CHANGES @@ -3,7 +3,8 @@ 1626. [bug] --enable-getifaddrs was broken. [RT#11259] -1625. [placeholder] rt11237 +1625. [bug] named failed to load/transfer RFC2535 signed zones + which contained CNAMES. [RT# 11237] 1624. [bug] zonemgr_putio() call should be locked. [RT# 11163] diff --git a/bin/named/update.c b/bin/named/update.c index 9268fcd52e..86838e4158 100644 --- a/bin/named/update.c +++ b/bin/named/update.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.110 2004/04/15 01:58:23 marka Exp $ */ +/* $Id: update.c,v 1.111 2004/05/05 01:32:56 marka Exp $ */ #include @@ -850,7 +850,8 @@ temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db, this name and type */ *typep = type = t->rdata.type; - if (type == dns_rdatatype_rrsig) + if (type == dns_rdatatype_rrsig || + type == dns_rdatatype_sig) covers = dns_rdata_covers(&t->rdata); else covers = 0; 
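Review bot: The two-type test `type == dns_rdatatype_rrsig || type == dns_rdatatype_sig` added to temp_check() here is now spelled out by hand in four places in this commit — here, in load() in lib/dns/master.c, in getsection() in lib/dns/message.c and (on `rdtype`) in cname_and_other_data() in lib/dns/rbtdb.c — so any future change to which types carry a covered type has to be found and repeated in each. A single shared predicate, for instance a new macro `#define DNS_RDATATYPE_ISSIG(t) ((t) == dns_rdatatype_rrsig || (t) == dns_rdatatype_sig)` next to the rdatatype definitions, would keep the load, transfer and update paths in agreement. The body of temp_check() continues outside the hunk.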
@@ -2467,8 +2468,9 @@ update_action(isc_task_t *task, isc_event_t *event) { ctx.ignore_add = ISC_FALSE; dns_diff_init(mctx, &ctx.del_diff); dns_diff_init(mctx, &ctx.add_diff); - CHECK(foreach_rr(db, ver, name, rdata.type, covers, - add_rr_prepare_action, &ctx)); + CHECK(foreach_rr(db, ver, name, rdata.type, + covers, add_rr_prepare_action, + &ctx)); if (ctx.ignore_add) { dns_diff_clear(&ctx.del_diff); diff --git a/bin/tests/system/dnssec/ns2/example.db.in b/bin/tests/system/dnssec/ns2/example.db.in index c9f00c55ec..761738f1c6 100644 --- a/bin/tests/system/dnssec/ns2/example.db.in +++ b/bin/tests/system/dnssec/ns2/example.db.in @@ -13,7 +13,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: example.db.in,v 1.14 2004/04/15 23:40:22 marka Exp $ +; $Id: example.db.in,v 1.15 2004/05/05 01:32:57 marka Exp $ $TTL 300 ; 5 minutes @ IN SOA mname1. . ( @@ -70,6 +70,10 @@ dynamic A 10.53.0.3 mustbesecure NS ns.mustbesecure ns.mustbesecure A 10.53.0.3 +; A rfc2535 signed zone w/ CNAME +rfc2535 NS ns.rfc2535 +ns.rfc2535 A 10.53.0.3 + z A 10.0.0.26 keyless NS ns.keyless diff --git a/bin/tests/system/dnssec/ns2/named.conf b/bin/tests/system/dnssec/ns2/named.conf index ce2501f7f9..66f33bf692 100644 --- a/bin/tests/system/dnssec/ns2/named.conf +++ b/bin/tests/system/dnssec/ns2/named.conf @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.23 2004/03/10 02:19:53 marka Exp $ */ +/* $Id: named.conf,v 1.24 2004/05/05 01:32:57 marka Exp $ */ // NS2 @@ -62,4 +62,10 @@ zone "insecure.secure.example" { allow-update { any; }; }; +zone "rfc2335.example" { + type master; + file "rfc2335.example.db"; +}; + + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns2/rfc2335.example.db b/bin/tests/system/dnssec/ns2/rfc2335.example.db new file mode 100644 index 0000000000..b8b477ea84 --- /dev/null +++ b/bin/tests/system/dnssec/ns2/rfc2335.example.db 
@@ -0,0 +1,103 @@ +; File written on Fri Apr 30 12:19:15 2004 +; dnssec_signzone version 9.2.4rc3 +rfc2335.example. 300 IN SOA mname1. . ( + 2000042407 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + 300 SIG SOA 1 2 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + nGPJKIzF7X/hMJbZURRz59UeEi/6HRxCn9Er + GqSnpw0Ea9Yx5Axu6sLKnF7jXlkZ6NHMCIpJ + +Lv+FDHXTs/dQg== ) + 300 NS ns.rfc2335.example. + 300 SIG NS 1 2 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + Q234AL9dJYMvxdWG33lpww6AJ3GplKp+ace7 + MUaj0oqDdkx4DtJF2XaP2xcqq7kTOObdQ8ES + vVxNThqOx7LFzg== ) + 300 KEY 256 3 1 ( + AQPZhzXIabI8y5ihWUw7F0WxN2MabnYWkOcV + Fn11NgaGSdjBSYPRMMwMCasD5N2KYPRUP83W + y8mj+ofcoW1FurcZ + ) ; key id = 47799 + 300 NXT a.rfc2335.example. NS SOA SIG KEY NXT + 300 SIG NXT 1 2 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + Y587mqNy6pBEfbsU6+weM2XRSqLwLwRT9Sl7 + oNuOK9kV3TR4R2M54m2S0MgJCXbRAwU+fF8Q + UbZkSTVe2N8Nyg== ) +a.rfc2335.example. 300 IN A 10.0.0.1 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + FnfWrcw5ire8ut25504zti5l///BdDMUAkJZ + UCLFiTW4lBGMcq1pqz64zltDZXCgJ3xUeQ2i + nRt19/ZxO6Z1KA== ) + 300 NXT b.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + R6SpC3ndMVg4u/eZaaUsXSuMHV/hZXeaM/Op + bJLAe3KxMiOHfb6XgLy7wflAiC1xt6A9bWpy + kTc5T5gfic33kA== ) +b.rfc2335.example. 300 IN A 10.0.0.2 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + zjRsYXMGyhDI6ipDtu8YXC9XPN+3hGamzzxL + 8uPE/LPo+x19MNdbzEgWzlajAf1/mkSGr2jN + BDMVBA5NMKpwAA== ) + 300 NXT d.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + aV87iZCYsC5Tqop827Zzb18TNqopGt0QynkR + gIF/lIHqZasNFRfaS1/nTnXdDKD8JS5IqxKb + oTJr5zswDAtCEw== ) +d.rfc2335.example. 300 IN A 10.0.0.4 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. 
+ NsKyvhUYZxTbOTBX4YwxTxevI5iGBpULKwmt + +D4l00ME4XRygOVmiqVDTT9dF1EgjDxOdfMT + hSjtCh5M1b2f6g== ) + 300 NXT ns.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + OGqlvSDZIZdHYigh4UAFzXfPze7vcQfgj7sN + +cAeoh4BL1gpa00DqANCxowNCYluDk3ZCDwt + UHZEJa8ZjNvv4g== ) +ns.rfc2335.example. 300 IN A 10.53.0.3 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + T6ZGeUWflLTku8jO23x/TeAPeUl8t0I18FCh + qHUZaHomLQasQ2jlZQn6cLpFd2uFJkBNxZ0G + I39aG7G1bObXdA== ) + 300 NXT x.rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + l46mrf3/Ii5iRm3AiDjYeMg4ZXBgitHxXA2y + e/NhKpkxRRpCs7UQ94wT/RiSCjjK49E5FBe6 + 5bRxtWq0GI7zlg== ) +x.rfc2335.example. 300 IN CNAME a.rfc2335.example. + 300 SIG CNAME 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + L3IOluq+kboBd2gR2Mu54uJKCUzfmyHRiWKl + kfx+vuFr0I8mEHQRmJtouxNDrBzmzGp5vybK + SdabLWw0n6uQEA== ) + 300 NXT z.rfc2335.example. CNAME SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + CBKoJSkZzdpwiON7JS4yPFY5VVeBjfT19x/O + vx+5UK1JZUNKhTXWWgW1er+JlLzNf4Ot40+l + z9HUTyaeS0eWyw== ) +z.rfc2335.example. 300 IN A 10.0.0.26 + 300 SIG A 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + ccqjVHnehvVwlNNd4+7n/GzGlRjj+ul0gCT3 + X3950LTccxHsOFyjNNm8v/Ho/aurSYdqXEjY + jwmjC6elwkzB7A== ) + 300 NXT rfc2335.example. A SIG NXT + 300 SIG NXT 1 3 300 20040530021915 ( + 20040430021915 47799 rfc2335.example. + W42WoFyd9erysv8HjKo+CpHIH1x6+pAKwCDO + /hHnkEpQI3brewxl7cWOPYeA92Ns80Ody/ui + m2E28A5gnmWqPw== ) diff --git a/bin/tests/system/dnssec/ns3/named.conf b/bin/tests/system/dnssec/ns3/named.conf index a4c454a0b9..71e88928e8 100644 --- a/bin/tests/system/dnssec/ns3/named.conf +++ b/bin/tests/system/dnssec/ns3/named.conf 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.26 2004/04/15 23:40:22 marka Exp $ */ +/* $Id: named.conf,v 1.27 2004/05/05 01:32:57 marka Exp $ */ // NS3 @@ -79,4 +79,10 @@ zone "mustbesecure.example" { file "mustbesecure.example.db"; }; +zone "rfc2335.example" { + type slave; + masters { 10.53.0.2; }; + file "rfc2335.example.bk"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 24a1f7ac61..2b251ce97b 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -15,7 +15,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.44 2004/03/10 02:19:53 marka Exp $ +# $Id: tests.sh,v 1.45 2004/05/05 01:32:56 marka Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -446,6 +446,27 @@ ret=0 $DIG $DIGOPTS private.secure.example. SOA @10.53.0.6 \ > dig.out.ns6.test$n || ret=1 grep "flags:.*ad.*QUERY" dig.out.ns6.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that we can load a rfc2535 signed zone ($n)" +ret=0 +$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.2 \ + > dig.out.ns2.test$n || ret=1 +grep "status: NOERROR" dig.out.ns2.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +echo "I:checking that we can transfer a rfc2535 signed zone ($n)" +ret=0 +$DIG $DIGOPTS rfc2535.example. SOA @10.53.0.3 \ + > dig.out.ns3.test$n || ret=1 +grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` # Run a minimal update test if possible. This is really just # a regression test for RT #2399; more tests should be added. diff --git a/lib/dns/master.c b/lib/dns/master.c index f38432c820..615a95a494 100644 --- a/lib/dns/master.c 
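Review bot: The two new checks in tests.sh query `rfc2535.example.`, but the zone this commit configures is `rfc2335.example` (ns2/named.conf, ns3/named.conf and the SOA owner in ns2/rfc2335.example.db), so neither dig ever reaches the RFC 2535 zone whose load and transfer the checks are meant to verify. The same commit adds the delegation `rfc2535 NS ns.rfc2535` to ns2/example.db.in, so the query at 10.53.0.2 is most likely answered with a NOERROR referral and `grep "status: NOERROR"` passes whether or not the signed zone loaded; the 10.53.0.3 check is in the same position. Since the SIG records in rfc2335.example.db were generated over the rfc2335.example. owner names, renaming the zone would mean re-signing it; the smaller fix is to change the two dig lines to `$DIG $DIGOPTS rfc2335.example. SOA @10.53.0.2 \` (and the ns3 counterpart) and the delegation in example.db.in to rfc2335. The greps should also require an authoritative SOA answer (for example `flags:.*aa` together with the SOA in the answer section) rather than only the status, so a referral cannot satisfy them.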
+++ b/lib/dns/master.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: master.c,v 1.148 2004/03/05 05:09:21 marka Exp $ */ +/* $Id: master.c,v 1.149 2004/05/05 01:32:58 marka Exp $ */ #include @@ -1645,7 +1645,8 @@ load(dns_loadctx_t *lctx) { } - if (type == dns_rdatatype_rrsig) + if (type == dns_rdatatype_rrsig || + type == dns_rdatatype_sig) covers = dns_rdata_covers(&rdata[rdcount]); else covers = 0; diff --git a/lib/dns/message.c b/lib/dns/message.c index 81304265d6..e13c544f98 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: message.c,v 1.222 2004/03/10 00:47:40 marka Exp $ */ +/* $Id: message.c,v 1.223 2004/05/05 01:32:58 marka Exp $ */ /*** *** Imports @@ -1288,18 +1288,16 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, if (result != ISC_R_SUCCESS) goto cleanup; rdata->rdclass = rdclass; + issigzero = ISC_FALSE; if (rdtype == dns_rdatatype_rrsig && rdata->flags == 0) { covers = dns_rdata_covers(rdata); if (covers == 0) DO_FORMERR; - } else - covers = 0; - - issigzero = ISC_FALSE; - if (rdtype == dns_rdatatype_sig /* SIG(0) */ && - rdata->flags == 0) { - if (dns_rdata_covers(rdata) == 0) { + } else if (rdtype == dns_rdatatype_sig /* SIG(0) */ && + rdata->flags == 0) { + covers = dns_rdata_covers(rdata); + if (covers == 0) { if (sectionid != DNS_SECTION_ADDITIONAL || count != msg->counts[sectionid] - 1) DO_FORMERR; @@ -1308,7 +1306,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, skip_type_search = ISC_TRUE; issigzero = ISC_TRUE; } - } + } else + covers = 0; /* * If we are doing a dynamic update or this is a meta-type, diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index 87771ce344..d0693fd6bd 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c 
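Review bot: The `/* SIG(0) */` marker on the new `} else if (rdtype == dns_rdatatype_sig /* SIG(0) */ && rdata->flags == 0) {` line in getsection() is now misleading: after this change the branch is entered for every SIG record with flags == 0 and assigns `covers`, and only the inner `if (covers == 0)` identifies a SIG(0). Move the marker onto the inner test, `if (covers == 0) { /* SIG(0): covers no type; must be the last RR of the additional section */`, so the comment matches the section/count test that follows it. getsection() begins and ends outside these hunks.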
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.196 2004/03/05 05:09:22 marka Exp $ */ +/* $Id: rbtdb.c,v 1.197 2004/05/05 01:32:58 marka Exp $ */ /* * Principal Author: Bob Halley @@ -3669,10 +3669,13 @@ cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) { * or RRSIG CNAME. */ rdtype = RBTDB_RDATATYPE_BASE(header->type); - if (rdtype == dns_rdatatype_rrsig) + if (rdtype == dns_rdatatype_rrsig || + rdtype == dns_rdatatype_sig) rdtype = RBTDB_RDATATYPE_EXT(header->type); if (rdtype != dns_rdatatype_nsec && rdtype != dns_rdatatype_dnskey && + rdtype != dns_rdatatype_nxt && + rdtype != dns_rdatatype_key && rdtype != dns_rdatatype_cname) { /* * We've found a type that isn't
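Review bot: The comment ending in `* or RRSIG CNAME.` immediately above the changed lines in cname_and_other_data() no longer describes the check: with the SIG case mapped through RBTDB_RDATATYPE_EXT and the two new `rdtype != dns_rdatatype_nxt &&` / `rdtype != dns_rdatatype_key &&` terms, the code now also tolerates SIG CNAME, NXT, KEY and their SIGs at a CNAME node. Extend it to say so, e.g. `* or RRSIG/SIG CNAME; in RFC 2535 zones NXT and KEY (and their SIGs) may also coexist with a CNAME.`, so a reader does not take the stale text as the intended rule. The start of that comment and the rest of cname_and_other_data() lie outside the hunk.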