upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix: usr: Fix NTA (Negative Trust Anchor) expiration issue

Browse source 
When a configured NTA for a name expired, any possibly cached
data for the name (with "insecure" DNSSEC validation result)
was not flushed from the resolver's cache. This has been fixed.

Closes #5747

Merge branch '5747-nta-expiry-cache-flush-bug-fix' into 'main'

See merge request isc-projects/bind9!11597
This commit is contained in:
Ondřej Surý 2026-03-19 00:56:31 +01:00
commit 7be7dbb7b3
2 changed files with 23 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
bin/tests/system/nta/tests_nta.py
View file

@ -147,6 +147,13 @@ def test_nta_behavior(servers):
isctest.check.noerror(res)
isctest.check.noadflag(res)
# Expiry should also trigger a cache flush, so even if a.secure.example A
# was cached when its NTA was active, cached data should not be returned.
m = isctest.query.create("a.secure.example", "A")
res = isctest.query.tcp(m, "10.53.0.4")
isctest.check.noerror(res)
isctest.check.adflag(res)
# bogus.example was set to expire in 20s, so at t=13
# it should still be NTA'd, but badds.example used the default
# lifetime of 12s, so it should revert to SERVFAIL now.

16
lib/dns/nta.c
View file

@ -361,6 +361,7 @@ delete_expired(void *arg) {
isc_result_t result;
dns_qp_t *qp = NULL;
void *pval = NULL;
dns_view_t *view = NULL;
REQUIRE(VALID_NTATABLE(ntatable));
@ -375,6 +376,17 @@ delete_expired(void *arg) {
dns_name_format(&nta->name, nb, sizeof(nb));
isc_log_write(DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_NTA,
ISC_LOG_INFO, "deleting expired NTA at %s", nb);
/*
* Delay the flushing to avoid lock-order-inversion, as
* dns_view_flushnode()->dns_adb_flushnames() locks 'adbname',
* and it can cause a problem e.g. in dns_ntatable_covered() in
* another thread called by the resolver (also involving 'fctx'
* lock), or in dns_ntatable_shutdown() (also involving 'view'
* lock).
*/
dns_view_weakattach(ntatable->view, &view);
dns_qp_deletename(qp, &nta->name, DNS_DBNAMESPACE_NORMAL, NULL,
NULL);
dns__nta_shutdown(nta);
@ -383,6 +395,10 @@ delete_expired(void *arg) {
dns_qp_compact(qp, DNS_QPGC_MAYBE);
dns_qpmulti_commit(ntatable->table, &qp);
RWUNLOCK(&ntatable->rwlock, isc_rwlocktype_write);
if (view != NULL) {
dns_view_flushnode(view, &nta->name, true);
dns_view_weakdetach(&view);
}
dns__nta_detach(&nta);
dns_ntatable_detach(&ntatable);
}