3391. [bug] DNSKEY that encountered a CNAME failed. [RT #31262]
This commit is contained in:
parent
e4e82b398c
commit
6e8dc44545
7 changed files with 83 additions and 3 deletions
2
CHANGES
2
CHANGES
|
|
@ -1,3 +1,5 @@
|
|||
3391. [bug] DNSKEY that encountered a CNAME failed. [RT #31262]
|
||||
|
||||
3390. [bug] Silence clang compiler warnings. [RT #30417]
|
||||
|
||||
3389. [bug] Always return NOERROR (not 0) in TSIG. [RT #31275]
|
||||
|
|
|
|||
|
|
@ -34,6 +34,7 @@ rm -f ns3/optout-unknown.example.db ns3/optout.example.db
|
|||
rm -f ns3/expired.example.db ns3/update-nsec3.example.db
|
||||
rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk
|
||||
rm -f */named.memstats
|
||||
rm -f */named.run
|
||||
rm -f ns3/nsec3.nsec3.example.db
|
||||
rm -f ns3/nsec3.optout.example.db
|
||||
rm -f ns3/optout.nsec3.example.db
|
||||
|
|
|
|||
|
|
@ -44,3 +44,7 @@ ns.nosoa A 10.53.0.7
|
|||
|
||||
normalthenrrsig A 10.0.0.28
|
||||
rrsigonly A 10.0.0.29
|
||||
|
||||
cnameandkey CNAME @
|
||||
cnamenokey CNAME @
|
||||
dnameandkey DNAME @
|
||||
|
|
|
|||
|
|
@ -26,9 +26,11 @@ zone=secure.example.
|
|||
infile=secure.example.db.in
|
||||
zonefile=secure.example.db
|
||||
|
||||
cnameandkey=`$KEYGEN -T KEY -r $RANDFILE -a RSASHA1 -b 768 -n host cnameandkey.$zone`
|
||||
dnameandkey=`$KEYGEN -T KEY -r $RANDFILE -a RSASHA1 -b 768 -n host dnameandkey.$zone`
|
||||
keyname=`$KEYGEN -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
|
||||
|
||||
cat $infile $keyname.key >$zonefile
|
||||
cat $infile $cnameandkey.key $dnameandkey.key $keyname.key >$zonefile
|
||||
|
||||
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null
|
||||
|
||||
|
|
|
|||
|
|
@ -1149,5 +1149,71 @@ n=`expr $n + 1`
|
|||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:testing DNSKEY lookup via CNAME ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
|
||||
@10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
|
||||
@10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:testing KEY lookup at CNAME (present) ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
|
||||
@10.53.0.3 key > dig.out.ns3.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth cnameandkey.secure.example. \
|
||||
@10.53.0.4 key > dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:testing KEY lookup at CNAME (not present) ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS +noauth cnamenokey.secure.example. \
|
||||
@10.53.0.3 key > dig.out.ns3.test$n || ret=1
|
||||
$DIG $DIGOPTS +noauth cnamenokey.secure.example. \
|
||||
@10.53.0.4 key > dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "CNAME" dig.out.ns4.test$n > /dev/null && ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:testing DNSKEY lookup via DNAME ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS a.dnameandkey.secure.example. \
|
||||
@10.53.0.3 dnskey > dig.out.ns3.test$n || ret=1
|
||||
$DIG $DIGOPTS a.dnameandkey.secure.example. \
|
||||
@10.53.0.4 dnskey > dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "CNAME" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:testing KEY lookup via DNAME ($n)"
|
||||
ret=0
|
||||
$DIG $DIGOPTS b.dnameandkey.secure.example. \
|
||||
@10.53.0.3 key > dig.out.ns3.test$n || ret=1
|
||||
$DIG $DIGOPTS b.dnameandkey.secure.example. \
|
||||
@10.53.0.4 key > dig.out.ns4.test$n || ret=1
|
||||
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
|
||||
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
grep "DNAME" dig.out.ns4.test$n > /dev/null || ret=1
|
||||
n=`expr $n + 1`
|
||||
if [ $ret != 0 ]; then echo "I:failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
echo "I:exit status: $status"
|
||||
exit $status
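Review bot: The positive cases (DNSKEY via CNAME, KEY at CNAME (present), and the two DNAME cases) never assert that the requested RRset is actually in the answer: a NOERROR/NODATA reply with the AD bit set would satisfy `grep "flags:.*ad.*QUERY"`, the CNAME/DNAME greps and digcomp as long as ns3 and ns4 agree, so a regression that silently dropped the DNSKEY/KEY data from the answer would not be caught. I would add a presence check to each, e.g. `grep "IN.DNSKEY" dig.out.ns4.test$n > /dev/null || ret=1` for the DNSKEY cases and `grep "IN.KEY" dig.out.ns4.test$n > /dev/null || ret=1` for the KEY (present) case. If NODATA is the intended outcome of the (not present) case, pin it explicitly with `grep "ANSWER: 0," dig.out.ns4.test$n > /dev/null || ret=1` rather than relying only on the absence of a CNAME line.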
|
||||
|
|
|
|||
|
|
@ -5655,10 +5655,11 @@ answer_response(fetchctx_t *fctx) {
|
|||
* but we found a CNAME.
|
||||
*
|
||||
* Getting a CNAME response for some
|
||||
* query types is an error.
|
||||
* query types is an error, see
|
||||
* RFC 4035, Section 2.5.
|
||||
*/
|
||||
if (type == dns_rdatatype_rrsig ||
|
||||
type == dns_rdatatype_dnskey ||
|
||||
type == dns_rdatatype_key ||
|
||||
type == dns_rdatatype_nsec)
|
||||
return (DNS_R_FORMERR);
|
||||
found = ISC_TRUE;
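Review bot: The new comment cites RFC 4035, Section 2.5 for why a CNAME answer to these qtypes is a FORMERR, but does not say what that section establishes, and the rendered diff has lost its +/- markers, so a reader cannot tell from the page which of the `dnskey`/`key` lines is being added; the CHANGES entry suggests DNSKEY is leaving the list and KEY entering it. I would make the rationale explicit: `RFC 4035, Section 2.5 allows only RRSIG, NSEC and KEY (for SIG(0) dynamic update) to coexist with a CNAME, so a CNAME in answer to one of those types means the server did not answer the question asked; a DNSKEY query is followed through a CNAME like any other type.` Since DNS_R_FORMERR here is what rejects such a response, this type list presumably has to stay in step with whatever other code decides which types may sit beside a CNAME, and the comment is the place to say so. answer_response() starts and continues outside this hunk.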
|
||||
|
|
|
|||
|
|
@ -1837,6 +1837,10 @@ isselfsigned(dns_validator_t *val) {
|
|||
rdataset = val->event->rdataset;
|
||||
sigrdataset = val->event->sigrdataset;
|
||||
|
||||
if (rdataset->type == dns_rdatatype_cname ||
|
||||
rdataset->type == dns_rdatatype_dname)
|
||||
return (ISC_FALSE);
|
||||
|
||||
INSIST(rdataset->type == dns_rdatatype_dnskey);
|
||||
|
||||
for (result = dns_rdataset_first(rdataset);
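Review bot: The new CNAME/DNAME early return in isselfsigned() has no comment explaining why an rdataset of those types can reach a function that otherwise INSISTs on DNSKEY, which is exactly what the next maintainer will wonder when they see the guard. Presumably a DNSKEY query can now be answered with a CNAME (or via a DNAME), so the rdataset handed to the validator is the CNAME/DNAME rather than a key set; I would say so above the check: `/* A DNSKEY query may be answered with a CNAME or DNAME; such an rdataset is not a self-signed key set, so return before the DNSKEY INSIST. */`. Note also that `sigrdataset` is assigned before the guard and unused on the early-return path, which is harmless but reads more naturally below it. isselfsigned() begins and continues outside this hunk.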
|
||||
|
|
|
|||