2925. [bug] Named failed to accept uncachable negative responses

from insecure zones. [RT# 21555]

CHANGES

@@ -1,3 +1,6 @@
+2925.	[bug]		Named failed to accept uncachable negative responses
+			from insecure zones. [RT# 21555]
+
 2924.	[func]		'rndc  secroots'  dump a combined summary of the
 			current managed keys combined with trusted keys.
 			[RT #20904]

bin/named/include/named/globals.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.86 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: globals.h,v 1.87 2010/06/25 23:50:13 marka Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
@@ -149,6 +149,7 @@ EXTERN int			ns_g_listen		INIT(3);
 EXTERN isc_time_t		ns_g_boottime;
 EXTERN isc_boolean_t		ns_g_memstatistics	INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_clienttest		INIT(ISC_FALSE);
+EXTERN isc_boolean_t		ns_g_nosoa		INIT(ISC_FALSE);
 
 #undef EXTERN
 #undef INIT

bin/named/main.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.c,v 1.175 2009/10/05 17:30:49 fdupont Exp $ */
+/* $Id: main.c,v 1.176 2010/06/25 23:50:13 marka Exp $ */
 
 /*! \file */
 
@@ -507,6 +507,8 @@ parse_command_line(int argc, char *argv[]) {
 			 */
 			if (!strcmp(isc_commandline_argument, "clienttest"))
 				ns_g_clienttest = ISC_TRUE;
+			else if (!strcmp(isc_commandline_argument, "nosoa"))
+				ns_g_nosoa = ISC_TRUE;
 			else if (!strcmp(isc_commandline_argument, "maxudp512"))
 				maxudp = 512;
 			else if (!strcmp(isc_commandline_argument, "maxudp1460"))

bin/named/query.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.340 2010/06/22 23:46:52 tbox Exp $ */
+/* $Id: query.c,v 1.341 2010/06/25 23:50:13 marka Exp $ */
 
 /*! \file */
 
@@ -56,6 +56,7 @@
 #include <dns/zt.h>
 
 #include <named/client.h>
+#include <named/globals.h>
 #include <named/log.h>
 #include <named/server.h>
 #include <named/sortlist.h>
@@ -2038,7 +2039,7 @@ query_addrrset(ns_client_t *client, dns_name_t **namep,
 
 static inline isc_result_t
 query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
-	     isc_boolean_t zero_ttl)
+	     isc_boolean_t zero_ttl, isc_boolean_t isassociated)
 {
 	dns_name_t *name;
 	dns_dbnode_t *node;
@@ -2055,6 +2056,12 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
 	rdataset = NULL;
 	node = NULL;
 
+	/*
+	 * Don't add the SOA record for test which set "-T nosoa".
+	 */
+	if (ns_g_nosoa && (!WANTDNSSEC(client) || !isassociated))
+		return (ISC_R_SUCCESS);
+
 	/*
 	 * Get resources and make 'name' be the database origin.
 	 */
@@ -4344,7 +4351,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		/*
 		 * Add SOA.
 		 */
-		result = query_addsoa(client, db, version, ISC_FALSE);
+		result = query_addsoa(client, db, version, ISC_FALSE,
+				      dns_rdataset_isassociated(rdataset));
 		if (result != ISC_R_SUCCESS) {
 			QUERY_ERROR(result);
 			goto cleanup;
@@ -4392,9 +4400,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		    zone != NULL &&
 #endif
 		    dns_zone_getzeronosoattl(zone))
-			result = query_addsoa(client, db, version, ISC_TRUE);
+			result = query_addsoa(client, db, version, ISC_TRUE,
+				          dns_rdataset_isassociated(rdataset));
 		else
-			result = query_addsoa(client, db, version, ISC_FALSE);
+			result = query_addsoa(client, db, version, ISC_FALSE,
+					  dns_rdataset_isassociated(rdataset));
 		if (result != ISC_R_SUCCESS) {
 			QUERY_ERROR(result);
 			goto cleanup;
@@ -4811,7 +4821,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				 * Add SOA.
 				 */
 				result = query_addsoa(client, db, version,
-						      ISC_FALSE);
+						      ISC_FALSE, ISC_FALSE);
 				if (result == ISC_R_SUCCESS)
 					result = ISC_R_NOMORE;
 			} else {

bin/tests/system/dnssec/ns3/secure.example.db.in

@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: secure.example.db.in,v 1.13 2008/09/25 04:02:38 tbox Exp $
+; $Id: secure.example.db.in,v 1.14 2010/06/25 23:50:13 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
@@ -39,3 +39,5 @@ ns.private		A	10.53.0.2
 insecure		NS	ns.insecure
 ns.insecure		A	10.53.0.2
 
+nosoa 			NS	ns.nosoa
+ns.nosoa		A	10.53.0.7

bin/tests/system/dnssec/ns7/named.conf

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.3 2008/09/25 04:02:38 tbox Exp $ */
+/* $Id: named.conf,v 1.4 2010/06/25 23:50:13 marka Exp $ */
 
 // NS3
 
@@ -32,6 +32,7 @@ options {
 	notify yes;
 	dnssec-enable yes;
 	dnssec-validation yes;
+	minimal-responses yes;
 };
 
 zone "." {
@@ -69,4 +70,9 @@ zone "multiple.example" {
 	file "multiple.example.bk";
 };
 
+zone "nosoa.secure.example" {
+	type master;
+	file "nosoa.secure.example.db";
+};
+
 include "trusted.conf";

bin/tests/system/dnssec/ns7/named.nosoa

@@ -0,0 +1 @@
+Add -T nosoa.

bin/tests/system/dnssec/ns7/nosoa.secure.example.db

@@ -0,0 +1,27 @@
+; Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nosoa.secure.example.db,v 1.2 2010/06/25 23:50:13 marka Exp $
+
+$TTL 300        ; 5 minutes
+@                       IN SOA  mname1. . (
+                                2010062400 ; serial
+                                20         ; refresh (20 seconds)
+                                20         ; retry (20 seconds)
+                                1814400    ; expire (3 weeks)
+                                3600       ; minimum (1 hour)
+                                )
+@                       IN NS   ns
+ns			IN A	10.53.0.7
+a			IN A	1.2.3.4

bin/tests/system/dnssec/tests.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.63 2010/06/25 07:28:46 marka Exp $
+# $Id: tests.sh,v 1.64 2010/06/25 23:50:13 marka Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -871,6 +871,28 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking a non-cachable NODATA works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nosoa.secure.example. txt @10.53.0.7 \
+	> dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nosoa.secure.example. txt @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking a non-cachable NXDOMAIN works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.7 \
+	> dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth b.nosoa.secure.example. txt @10.53.0.4 \
+	> dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 #
 # private.secure.example is served by the same server as its
 # grand parent and there is not a secure delegation from secure.example

bin/tests/system/start.pl

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: start.pl,v 1.13 2008/01/02 23:47:01 tbox Exp $
+# $Id: start.pl,v 1.14 2010/06/25 23:50:13 marka Exp $
 
 # Framework for starting test servers.
 # Based on the type of server specified, check for port availability, remove
@@ -131,6 +131,8 @@ sub start_server {
 		} else {
 			$command .= "-m record,size,mctx ";
 			$command .= "-T clienttest ";
+			$command .= "-T nosoa " 
+				if (-e "$testdir/$server/named.nosoa");
 			$command .= "-c named.conf -d 99 -g";
 		}
 		$command .= " >named.run 2>&1 &";

lib/dns/validator.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.194 2010/05/26 06:27:59 marka Exp $ */
+/* $Id: validator.c,v 1.195 2010/06/25 23:50:13 marka Exp $ */
 
 #include <config.h>
 
@@ -2904,11 +2904,9 @@ validate_authority(dns_validator_t *val, isc_boolean_t resume) {
 	dns_message_t *message = val->event->message;
 	isc_result_t result;
 
-	if (!resume) {
+	if (!resume)
 		result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	} else
+	else
 		result = ISC_R_SUCCESS;
 
 	for (;
@@ -2992,11 +2990,9 @@ validate_ncache(dns_validator_t *val, isc_boolean_t resume) {
 	dns_name_t *name;
 	isc_result_t result;
 
-	if (!resume) {
+	if (!resume)
 		result = dns_rdataset_first(val->event->rdataset);
-		if (result != ISC_R_SUCCESS)
-			return (result);
-	} else
+	else
 		result = dns_rdataset_next(val->event->rdataset);
 
 	for (;