Merge branch '964-use-referral-ds-record-when-validating' into 'master'
Resolve "Use referral DS record when validating" Closes #964 See merge request isc-projects/bind9!1755
This commit is contained in:
commit
451113b4a9
4 changed files with 57 additions and 17 deletions
5
CHANGES
5
CHANGES
|
|
@ -1,3 +1,8 @@
|
|||
5275. [bug] Mark DS records included in referral messages
|
||||
with trust level "pending" so that they can be
|
||||
validated and cached immediately, with no need to
|
||||
re-query. [GL #964]
|
||||
|
||||
5274. [bug] Address potential use after free race when shutting
|
||||
down rpz. [GL #1175]
|
||||
|
||||
|
|
|
|||
|
|
@ -184,6 +184,15 @@ n=$((n+1))
|
|||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
echo_i "checking that 'example/DS' from the referral was used in previous validation ($n)"
|
||||
ret=0
|
||||
grep "query 'example/DS/IN' approved" ns1/named.run > /dev/null && ret=1
|
||||
grep "fetch: example/DS" ns4/named.run > /dev/null && ret=1
|
||||
grep "validating example/DS: starting" ns4/named.run > /dev/null || ret=1
|
||||
n=$((n+1))
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
if [ -x ${DELV} ] ; then
|
||||
ret=0
|
||||
echo_i "checking positive validation NSEC using dns_client ($n)"
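Review bot: The two negative checks `grep "query 'example/DS/IN' approved" ns1/named.run > /dev/null && ret=1` and `grep "fetch: example/DS" ns4/named.run > /dev/null && ret=1` pass vacuously when the log file is missing or unreadable, because grep then exits non-zero for a reason unrelated to the assertion; only the third grep fails closed. A guard such as `test -f ns1/named.run && test -f ns4/named.run || ret=1` before the greps keeps the check honest, and `grep -q` would replace the `> /dev/null` redirections. The check on ns1 also presumes ns1 logs queries at a level that emits the "approved" message; if that comes from the server configuration rather than this script, a one-line comment naming that dependency would help the next reader. The surrounding test block continues outside the hunk.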
|
||||
|
|
|
|||
|
|
@ -288,6 +288,13 @@
|
|||
all output on standard output except for the name of the signed zone.
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
DS records included in DNS referral messages can now be validated
|
||||
and cached immediately, reducing the number of queries needed for
|
||||
a DNSSEC validation. [GL #964]
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
|
|
|
|||
|
|
@ -8697,12 +8697,14 @@ rctx_answer_none(respctx_t *rctx) {
|
|||
rctx->negative = true;
|
||||
}
|
||||
|
||||
/*
|
||||
* Process DNSSEC records in the authority section.
|
||||
*/
|
||||
result = rctx_authority_dnssec(rctx);
|
||||
if (result == ISC_R_COMPLETE) {
|
||||
return (rctx->result);
|
||||
if (!rctx->ns_in_answer && !rctx->glue_in_answer) {
|
||||
/*
|
||||
* Process DNSSEC records in the authority section.
|
||||
*/
|
||||
result = rctx_authority_dnssec(rctx);
|
||||
if (result == ISC_R_COMPLETE) {
|
||||
return (rctx->result);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
@ -8955,18 +8957,12 @@ static isc_result_t
|
|||
rctx_authority_dnssec(respctx_t *rctx) {
|
||||
isc_result_t result;
|
||||
fetchctx_t *fctx = rctx->fctx;
|
||||
dns_section_t section;
|
||||
dns_rdataset_t *rdataset = NULL;
|
||||
bool finished = false;
|
||||
|
||||
if (rctx->ns_in_answer) {
|
||||
INSIST(fctx->type == dns_rdatatype_ns);
|
||||
section = DNS_SECTION_ANSWER;
|
||||
} else {
|
||||
section = DNS_SECTION_AUTHORITY;
|
||||
}
|
||||
REQUIRE(!rctx->ns_in_answer && !rctx->glue_in_answer);
|
||||
|
||||
result = dns_message_firstname(fctx->rmessage, section);
|
||||
result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
|
@ -8974,8 +8970,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
|
|||
while (!finished) {
|
||||
dns_name_t *name = NULL;
|
||||
|
||||
dns_message_currentname(fctx->rmessage, section, &name);
|
||||
result = dns_message_nextname(fctx->rmessage, section);
|
||||
dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
|
||||
&name);
|
||||
result = dns_message_nextname(fctx->rmessage,
|
||||
DNS_SECTION_AUTHORITY);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
finished = true;
|
||||
}
|
||||
|
|
@ -8991,7 +8989,10 @@ rctx_authority_dnssec(respctx_t *rctx) {
|
|||
rdataset != NULL;
|
||||
rdataset = ISC_LIST_NEXT(rdataset, link))
|
||||
{
|
||||
bool checknta = true;
|
||||
bool secure_domain = false;
|
||||
dns_rdatatype_t type = rdataset->type;
|
||||
|
||||
if (type == dns_rdatatype_rrsig) {
|
||||
type = rdataset->covers;
|
||||
}
|
||||
|
|
@ -9051,7 +9052,25 @@ rctx_authority_dnssec(respctx_t *rctx) {
|
|||
|
||||
name->attributes |= DNS_NAMEATTR_CACHE;
|
||||
rdataset->attributes |= DNS_RDATASETATTR_CACHE;
|
||||
if (rctx->aa) {
|
||||
|
||||
if ((fctx->options & DNS_FETCHOPT_NONTA) != 0) {
|
||||
checknta = false;
|
||||
}
|
||||
if (fctx->res->view->enablevalidation) {
|
||||
result = issecuredomain(fctx->res->view,
|
||||
name,
|
||||
dns_rdatatype_ds,
|
||||
fctx->now,
|
||||
checknta, NULL,
|
||||
&secure_domain);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
return (result);
|
||||
}
|
||||
}
|
||||
if (secure_domain) {
|
||||
rdataset->trust =
|
||||
dns_trust_pending_answer;
|
||||
} else if (rctx->aa) {
|
||||
rdataset->trust =
|
||||
dns_trust_authauthority;
|
||||
} else if (ISFORWARDER(fctx->addrinfo)) {
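Review bot: A failure from `issecuredomain()` at `return (result);` aborts `rctx_authority_dnssec()` part way through the authority-section walk, yet its only visible caller in `rctx_answer_none()` (first hunk of this file, `if (result == ISC_R_COMPLETE)`) reacts to ISC_R_COMPLETE alone, so any other error is dropped silently and the remaining DS/RRSIG rdatasets of this and later names are left without the CACHE attribute and trust level while response processing carries on. Either the caller should handle a non-success, non-complete result explicitly, or this branch should fall back to the unsecured path (`secure_domain = false;` and continue) with a comment stating that choice; which is right depends on how the rest of the function, outside this hunk, treats similar errors. The lookup is also made once per rdataset rather than once per name, so a DS and its covering RRSIG trigger two identical calls; hoisting `secure_domain` to the per-name scope of the outer loop would avoid that. The enclosing for loop and the function itself start outside this hunk.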
|
||||
|
|
|
|||