From 410fcbfcfe7ceb100f309695a6a7d9e9536b8296 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 1 Feb 2023 14:41:58 +0000
Subject: [PATCH 1/3] Fix a bug in resolver's resume_dslookup() function

A recent refactoring in 7e4e125e5ea5b29c946ce4646461d06a75cd8702 had introduced a logical error which could result in calling the dns_resolver_createfetch() function with 'nameservers' pointer set to NULL, but with 'domain' not set to NULL, which is not allowed by the function. Make sure 'domain' is set only when 'nsrdataset' is valid.
---
 lib/dns/resolver.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index fc6d7f57df..32cb137f7a 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7217,6 +7217,8 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 	dns_resolver_t *res = NULL;
 	dns_rdataset_t *nsrdataset = NULL;
 	dns_rdataset_t nameservers;
+	dns_fixedname_t fixed;
+	dns_name_t *domain = NULL;
 	unsigned int n;
 	dns_fetch_t *fetch = NULL;
@@ -7291,12 +7293,16 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 		goto cleanup;
 	}
-	/* Get nameservers from fctx->nsfetch before we destroy it. */
+	/* Get nameservers from fetch before we destroy it. */
 	dns_rdataset_init(&nameservers);
 	if (dns_rdataset_isassociated(&fetch->private->nameservers)) {
 		dns_rdataset_clone(&fetch->private->nameservers, &nameservers);
 		nsrdataset = &nameservers;
+
+		/* Get domain from fetch before we destroy it. */
+		domain = dns_fixedname_initname(&fixed);
+		dns_name_copy(fetch->private->domain, domain);
 	}
 	n = dns_name_countlabels(fctx->nsname);
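Review bot: The comment added inside the `if` block, `/* Get domain from fetch before we destroy it. */`, explains the copy but not why `domain` is assigned only on this branch, which is the actual fix; a later edit that hoists the assignment out of the block would silently reintroduce the mismatch the commit message describes. Suggest stating the precondition at that spot, e.g. `/* dns_resolver_createfetch() requires domain == NULL whenever nameservers == NULL, so domain is set only together with nsrdataset. */`. Separately, if `fetch` is still live at the later dns_resolver_createfetch() call — the removed argument `fetch->private->domain` in the next hunk suggests it was — the copy into the stack `fixed` could be replaced by `domain = fetch->private->domain;`, though whether the fetch is destroyed in between is not visible in this hunk. resume_dslookup() starts and ends outside the hunk.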
@@ -7306,10 +7312,10 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 	fetchctx_ref(fctx);
 	result = dns_resolver_createfetch(
-		res, fctx->nsname, dns_rdatatype_ns,
-		fetch->private->domain, nsrdataset, NULL, NULL, 0,
-		fctx->options, 0, NULL, task, resume_dslookup, fctx,
-		&fctx->nsrrset, NULL, &fctx->nsfetch);
+		res, fctx->nsname, dns_rdatatype_ns, domain, nsrdataset,
+		NULL, NULL, 0, fctx->options, 0, NULL, task,
+		resume_dslookup, fctx, &fctx->nsrrset, NULL,
+		&fctx->nsfetch);
 	if (result != ISC_R_SUCCESS) {
 		fetchctx_unref(fctx);
 		if (result == DNS_R_DUPLICATE) {

From 2a1f93753649b70158256a41cfc8b828175d303a Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 1 Feb 2023 14:49:49 +0000
Subject: [PATCH 2/3] Add a CHANGES note for [GL #3839]

---
 CHANGES | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/CHANGES b/CHANGES
index 934ea81f96..e871fe824a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+6090.	[bug]		Fix a bug in resolver's resume_dslookup() function by
+			making sure that dns_resolver_createfetch() is called
+			with valid parameters, as required by the function.
+			[GL #3839]
+
 6089.	[bug]		Source ports configured for query-source, transfer-source, etc, were being ignored. (This feature is deprecated, but it is not yet removed,

From 4d465e9c0c9890430b69c0899433906e1918625b Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 7 Feb 2023 15:05:39 +1100
Subject: [PATCH 3/3] check that delv handles REFUSED when chasing DS records

---
 bin/tests/system/digdelv/clean.sh          | 4 +++-
 bin/tests/system/digdelv/ns2/named.conf.in | 5 +++++
 bin/tests/system/digdelv/ns2/sign.sh       | 3 +++
 bin/tests/system/digdelv/tests.sh          | 8 ++++++++
 4 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/bin/tests/system/digdelv/clean.sh b/bin/tests/system/digdelv/clean.sh
index ed9ad87a5b..77e467a499 100644
--- a/bin/tests/system/digdelv/clean.sh
+++ b/bin/tests/system/digdelv/clean.sh
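Review bot: The dns_resolver_createfetch() call now relies on `domain` and `nsrdataset` having been assigned together some twenty lines earlier, and nothing at the call site checks that coupling; the precondition the commit message describes (no `domain` without `nameservers`) is cheaper to catch here, with the local values in view, than inside the callee. Consider asserting it immediately before the call, `INSIST(nsrdataset != NULL || domain == NULL);`, so a future change to either assignment fails loudly at the point of use rather than in the resolver internals. The enclosing function continues outside the hunk.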
@@ -29,7 +29,9 @@ rm -f ./host.out.test*
 rm -f ./ns*/managed-keys.bind*
 rm -f ./ns*/named.lock
 rm -f ./ns2/dsset-example.
+rm -f ./ns2/dsset-example.tld.
 rm -f ./ns2/example.db ./ns2/K* ./ns2/keyid ./ns2/keydata
+rm -f ./ns2/example.tld.db
 rm -f ./nslookup.out.test*
-rm -f ./yamlget.out.*
 rm -f ./nsupdate.out.test*
+rm -f ./yamlget.out.*
diff --git a/bin/tests/system/digdelv/ns2/named.conf.in b/bin/tests/system/digdelv/ns2/named.conf.in
index 1391b7322c..6a6c2b9fb7 100644
--- a/bin/tests/system/digdelv/ns2/named.conf.in
+++ b/bin/tests/system/digdelv/ns2/named.conf.in
@@ -32,3 +32,8 @@ zone "example" {
 	type primary;
 	file "example.db";
 };
+
+zone "example.tld" {
+	type primary;
+	file "example.tld.db";
+};
diff --git a/bin/tests/system/digdelv/ns2/sign.sh b/bin/tests/system/digdelv/ns2/sign.sh
index c8564b2830..782b7a1a24 100644
--- a/bin/tests/system/digdelv/ns2/sign.sh
+++ b/bin/tests/system/digdelv/ns2/sign.sh
@@ -27,3 +27,6 @@ grep -Ev '^;' < "$ksk.key" | cut -f 7- -d ' ' > keydata
 keyfile_to_initial_keys "$ksk" > ../ns3/anchor.dnskey
 keyfile_to_initial_ds "$ksk" > ../ns3/anchor.ds
+
+ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.tld.)
+"$SIGNER" -Sz -f example.tld.db -o example.tld example.db.in > /dev/null 2>&1
diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh
index 3debad3da8..9e82298f35 100644
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@@ -1396,6 +1396,14 @@ if [ -x "$DELV" ] ; then
     if [ $ret -ne 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
   fi
+
+  n=$((n+1))
+  echo_i "check that delv handles REFUSED when chasing DS records ($n)"
+  delv_with_opts @10.53.0.2 +root xxx.example.tld A > delv.out.test$n 2>&1 || ret=1
+  grep ";; resolution failed: broken trust chain" delv.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
+
 else
   echo_i "$DELV is needed, so skipping these delv tests"
 fi
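Review bot: In the two lines appended to sign.sh, `ksk` is reassigned to the key generated for `example.tld.` but never read afterwards, and the reassignment clobbers the name of the `example.` key that the preceding lines exported to ns3; since the hunk ends the file nothing visible depends on the old value, but the capture implies a use that does not exist. Dropping it, `"$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone example.tld. > /dev/null`, makes clear the key is generated only for `$SIGNER -S` to find in the working directory. The `$SIGNER` line also discards both its output and its exit status, so a signing failure would surface only later as a missing `example.tld.db` when ns2 loads; checking the status there (for instance `|| exit 1`) would fail the setup at the point of the error instead.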
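Review bot: The new test block in tests.sh never resets `ret` before its checks, so a failure left behind by whichever test ran last — whose `status=$((status+ret))` in the leading context has already consumed that value — would be counted a second time here and this check would print "failed" for a reason unrelated to REFUSED handling. Add `ret=0` right after the `echo_i` line, which is presumably how the surrounding tests start (their heads are not visible in this hunk). The `if [ -x "$DELV" ]` block enclosing the addition starts outside the hunk.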