From 6455527830d09216c763dd26d17cfe8683348511 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 3 Apr 2024 17:37:14 +1100
Subject: [PATCH 1/3] Clear DNS_FETCHOPT_TRYSTALE_ONTIMEOUT
When calling dns_resolver_createfetch in resolver.c with a callback of resume_dslookup, clear DNS_FETCHOPT_TRYSTALE_ONTIMEOUT from options as DNS_EVENT_TRYSTALE is not an expected event type and triggers a REQUIRE.
---
 lib/dns/resolver.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 3d4d194c31..751534d73f 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7394,7 +7394,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 dns_rdataset_t nameservers;
 dns_fixedname_t fixed;
 dns_name_t *domain = NULL;
- unsigned int n;
+ unsigned int n, options;
 REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
@@ -7521,11 +7521,11 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 /* Starting a new fetch, so restore the extra reference */
 fctx_addref(fctx);
+ options = fctx->options & ~DNS_FETCHOPT_TRYSTALE_ONTIMEOUT;
 result = dns_resolver_createfetch(
 res, fctx->nsname, dns_rdatatype_ns, domain, nsrdataset,
- NULL, NULL, 0, fctx->options, 0, NULL, task,
- resume_dslookup, fctx, &fctx->nsrrset, NULL,
- &fctx->nsfetch);
+ NULL, NULL, 0, options, 0, NULL, task, resume_dslookup,
+ fctx, &fctx->nsrrset, NULL, &fctx->nsfetch);
 if (result != ISC_R_SUCCESS) {
 if (result == DNS_R_DUPLICATE) {
 result = DNS_R_SERVFAIL;
@@ -9875,7 +9875,7 @@ rctx_chaseds(respctx_t *rctx, dns_message_t *message,
 dns_adbaddrinfo_t *addrinfo, isc_result_t result) {
 fetchctx_t *fctx = rctx->fctx;
 isc_task_t *task = NULL;
- unsigned int n;
+ unsigned int n, options;
 add_bad(fctx, message, addrinfo, result, rctx->broken_type);
 fctx_cancelqueries(fctx, true, false);
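Review bot: The reason for masking out DNS_FETCHOPT_TRYSTALE_ONTIMEOUT lives only in the commit message, so the new `options = fctx->options & ~DNS_FETCHOPT_TRYSTALE_ONTIMEOUT;` line in the 7521 hunk (and its twin in the 9888 hunk of rctx_chaseds) deserves a comment such as `/* resume_dslookup() REQUIREs DNS_EVENT_FETCHDONE; a try-stale sub-fetch would deliver DNS_EVENT_TRYSTALE and trip that assertion. */`. The REQUIRE visible in the 7394 hunk is the assertion that fails, and an assertion failure in the resolver path takes named down, so a regression test exercising a DS lookup with the try-stale-on-timeout behaviour enabled would be worth pairing with this change, though I cannot see from the patch whether one already exists. Because the same expression now appears at two call sites, a small static helper (or at least a note in the resume_dslookup header comment) would keep them from drifting, and any other dns_resolver_createfetch call that forwards fctx->options to a callback not prepared for DNS_EVENT_TRYSTALE would have the same defect and is worth a grep. Both resume_dslookup and rctx_chaseds begin and end outside these hunks.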
@@ -9888,9 +9888,10 @@ rctx_chaseds(respctx_t *rctx, dns_message_t *message,
 fctx_addref(fctx);
 task = fctx->res->buckets[fctx->bucketnum].task;
+ options = fctx->options & ~DNS_FETCHOPT_TRYSTALE_ONTIMEOUT;
 result = dns_resolver_createfetch(
 fctx->res, fctx->nsname, dns_rdatatype_ns, NULL, NULL, NULL,
- NULL, 0, fctx->options, 0, NULL, task, resume_dslookup, fctx,
+ NULL, 0, options, 0, NULL, task, resume_dslookup, fctx,
 &fctx->nsrrset, NULL, &fctx->nsfetch);
 if (result != ISC_R_SUCCESS) {
 if (result == DNS_R_DUPLICATE) {
From dbc06313a6c3034ba6679fd798ffe37004efe436 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 3 Apr 2024 17:43:57 +1100
Subject: [PATCH 2/3] Add CHANGES not for [GL #4661]
---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGES b/CHANGES
index 19cbb8046c..bb4ea1c5d8 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6397. [bug] Clear DNS_FETCHOPT_TRYSTALE_ONTIMEOUT when looking for
+ parent NS records needed to get the DS result.
+ [GL #4661]
+
 6395. [bug] Handle ISC_R_HOSTDOWN and ISC_R_NETDOWN in resolver.c.
 [GL #4736]
From 6c740fa78b096aebf7975b515bcbf667a8e9dec3 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 3 Apr 2024 17:49:00 +1100
Subject: [PATCH 3/3] Add release note for [GL #4661]
---
 doc/notes/notes-current.rst | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index f0101b9833..667bd2ab11 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -15,7 +15,9 @@ Notes for BIND 9.18.28
 Security Fixes
 ~~~~~~~~~~~~~~
-- None.
+- Named could trigger an assertion failure when looking up the NS
+ records of parent zones as part of looking up DS records. This
+ has been fixed. :gl:`#4661`
 New Features
 ~~~~~~~~~~~~