Merge branch '3439-stop-resolving-invalid-names-in-resume_dslookup' into 'main'

Stop resolving invalid names in resume_dslookup() Closes #3439 See merge request isc-projects/bind9!6563
2026-03-12 05:32:42 -04:00 · 2022-07-13 08:59:30 +00:00 · 2022-07-13 08:59:30 +00:00 · 5415ecbd7c
commit 5415ecbd7c
parent 75027bc6ce cfa398ad37
3 changed files with 34 additions and 9 deletions
--- a/7
+++ b/7
@ -1,3 +1,10 @@
+5925.	[bug]		With a forwarder configured for all queries, resolution
+			failures encountered during DS chasing could trigger
+			assertion failures due to a logic bug in
+			resume_dslookup() that caused it to call
+			dns_resolver_createfetch() with an invalid name.
+			[GL #3439]
+
 5924.	[func]		When it's necessary to use AXFR to respond to an
 			IXFR request, a message explaining the reason
 			is now logged at level info. [GL #2683]
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -40,6 +40,12 @@ Feature Changes
 Bug Fixes
 ~~~~~~~~~

+- When running as a validating resolver forwarding all queries to
+  another resolver, :iscman:`named` could crash with an assertion
+  failure. These crashes occurred when the configured forwarder sent a
+  broken DS response and :iscman:`named` failed its attempts to find a
+  proper one instead. This has been fixed. :gl:`#3439`
+
 - A DNS compression would be applied on the root zone name if it is repeatedly
  used in the same RRSet. :gl:`#3423`

--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -7343,22 +7343,34 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 		}

 		/*
-		 * Get domain and nameservers from fctx->nsfetch
-		 * before we destroy it.
+		 * Get domain from fctx->nsfetch before we destroy it.
+		 */
+		domain = dns_fixedname_initname(&fixed);
+		dns_name_copy(fctx->nsfetch->private->domain, domain);
+
+		/*
+		 * If the chain of resume_dslookup() invocations managed to
+		 * chop off enough labels from the original DS owner name to
+		 * reach the top of the namespace, no further progress can be
+		 * made.  Interrupt the DS chasing process, returning SERVFAIL.
+		 */
+		if (dns_name_equal(fctx->nsname, domain)) {
+			dns_resolver_destroyfetch(&fctx->nsfetch);
+			fctx_done_detach(&fctx, DNS_R_SERVFAIL);
+			return;
+		}
+
+		/*
+		 * Get nameservers from fctx->nsfetch before we destroy it.
 		 */
 		dns_rdataset_init(&nameservers);
 		if (dns_rdataset_isassociated(
 			    &fctx->nsfetch->private->nameservers)) {
-			domain = dns_fixedname_initname(&fixed);
-			dns_name_copy(fctx->nsfetch->private->domain, domain);
-			if (dns_name_equal(fctx->nsname, domain)) {
-				dns_resolver_destroyfetch(&fctx->nsfetch);
-				fctx_done_detach(&fctx, DNS_R_SERVFAIL);
-				return;
-			}
 			dns_rdataset_clone(&fctx->nsfetch->private->nameservers,
 					   &nameservers);
 			nsrdataset = &nameservers;
+		} else {
+			domain = NULL;
 		}

 		dns_resolver_destroyfetch(&fctx->nsfetch);