[v9_11] remove unnecessary INSIST and prep 9.11.1rc2

4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]

(cherry picked from commit a1365a0042)

CHANGES

@@ -1,4 +1,8 @@
-	--- 9.11.1 released ---
+	--- 9.11.1rc2 released ---
+
+4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
+			queries could trigger assertion failures.
+			(CVE-2017-3137) [RT #44734]
 
 4575.	[security]	DNS64 with "break-dnssec yes;" can result in an
 			assertion failure. (CVE-2017-3136) [RT #44653]

README

@@ -55,7 +55,8 @@ BIND 9.11.1
 	
 	BIND 9.11.1 is a maintenance release and addresses the security
 	flaws disclosed in CVE-2016-6170, CVE-2016-8864, CVE-2016-9131,
-	CVE-2016-9147, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136.
+	CVE-2016-9147, CVE-2016-9778, CVE-2017-3135, CVE-2017-3136, and
+	CVE-2017-3137.
 
 BIND 9.11.0
 

doc/arm/notes.xml

@@ -93,11 +93,18 @@
 
   <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
     <itemizedlist>
+      <listitem>
+	<para>
+	  Some chaining (i.e., type CNAME or DNAME) responses to upstream
+	  queries could trigger assertion failures. This flaw is disclosed
+	  in CVE-2017-3137. [RT #44734]
+	</para>
+      </listitem>
       <listitem>
 	<para>
 	  <command>dns64</command> with <command>break-dnssec yes;</command>
 	  can result in an assertion failure. This flaw is disclosed in
-	  CVE-2017-3136.[RT #44653]
+	  CVE-2017-3136. [RT #44653]
 	</para>
       </listitem>
       <listitem>

lib/dns/api

@@ -7,5 +7,5 @@
 # 9.10: 140-149, 170-179
 # 9.11: 160-169
 LIBINTERFACE = 168
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 0

lib/dns/resolver.c

@@ -7005,15 +7005,15 @@ answer_response(fetchctx_t *fctx) {
 					rdataset->attributes |=
 						DNS_RDATASETATTR_CACHE;
 					rdataset->trust = dns_trust_answer;
-					if (chaining == 0) {
+					if (external) {
 						/*
-						 * This data is "the" answer
-						 * to our question only if
-						 * we're not chaining (i.e.
-						 * if we haven't followed
-						 * a CNAME or DNAME).
+						 * This data is outside of
+						 * our query domain, and
+						 * may not be cached.
 						 */
-						INSIST(!external);
+						rdataset->attributes |=
+						    DNS_RDATASETATTR_EXTERNAL;
+					} else if (chaining == 0) {
 						/*
 						 * Don't use found_cname here
 						 * as we have just set it
@@ -7035,14 +7035,6 @@ answer_response(fetchctx_t *fctx) {
 						if (aa)
 							rdataset->trust =
 							  dns_trust_authanswer;
-					} else if (external) {
-						/*
-						 * This data is outside of
-						 * our query domain, and
-						 * may not be cached.
-						 */
-						rdataset->attributes |=
-						    DNS_RDATASETATTR_EXTERNAL;
 					}
 
 					/*
@@ -7217,15 +7209,12 @@ answer_response(fetchctx_t *fctx) {
 				 * If we are not chaining or the first CNAME
 				 * is a synthesised CNAME before the DNAME.
 				 */
-				if ((chaining == 0) ||
-				    (chaining == 1U && synthcname))
+				if (external) {
+					rdataset->attributes |=
+					    DNS_RDATASETATTR_EXTERNAL;
+				} else if ((chaining == 0) ||
+					   (chaining == 1U && synthcname))
 				{
-					/*
-					 * This data is "the" answer to
-					 * our question only if we're
-					 * not chaining.
-					 */
-					INSIST(!external);
 					if (aflag == DNS_RDATASETATTR_ANSWER) {
 						have_answer = ISC_TRUE;
 						found_dname = ISC_TRUE;
@@ -7242,9 +7231,6 @@ answer_response(fetchctx_t *fctx) {
 					if (aa)
 						rdataset->trust =
 						  dns_trust_authanswer;
-				} else if (external) {
-					rdataset->attributes |=
-					    DNS_RDATASETATTR_EXTERNAL;
 				}
 			}
 

version

@@ -6,6 +6,6 @@ DESCRIPTION=
 MAJORVER=9
 MINORVER=11
 PATCHVER=1
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=rc
+RELEASEVER=2
 EXTENSIONS=