1187. [bug] named was incorrectly returning DNSSEC records

in negative responses when the DO bit was not set.

CHANGES

@@ -1,3 +1,6 @@
+1187.	[bug]		named was incorrectly returning DNSSEC records
+			in negative responses when the DO bit was not set.
+
 1186.	[bug]		isc_hex_tobuffer(,,length = 0) failed to unget the
 			EOL token when reading to end of line.
 

lib/dns/include/dns/masterdump.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.h,v 1.25 2001/11/19 03:08:14 mayer Exp $ */
+/* $Id: masterdump.h,v 1.26 2002/01/22 09:07:25 bwelling Exp $ */
 
 #ifndef DNS_MASTERDUMP_H
 #define DNS_MASTERDUMP_H 1
@@ -217,22 +217,6 @@ dns_master_questiontotext(dns_name_t *owner_name,
 			  dns_rdataset_t *rdataset,
 			  const dns_master_style_t *style,
 			  isc_buffer_t *target);
-/*
- * Print a text representation of 'rdataset', a pseudo-rdataset
- * representing a questino.
- *
- * Requires:
- *	'rdataset' is a valid question rdataset.
- *
- *	'rdataset' is not empty.
- */
-
-isc_result_t
-dns_rdataset_towire(dns_rdataset_t *rdataset,
-		    dns_name_t *owner_name,
-		    dns_compress_t *cctx,
-		    isc_buffer_t *target,
-		    unsigned int *countp);
 
 isc_result_t
 dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,

lib/dns/include/dns/message.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.105 2001/12/08 02:14:46 bwelling Exp $ */
+/* $Id: message.h,v 1.106 2002/01/22 09:07:26 bwelling Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -159,6 +159,7 @@ typedef int dns_messagetextflag_t;
  */
 #define DNS_MESSAGERENDER_ORDERED	0x0001	/* don't change order */
 #define DNS_MESSAGERENDER_PARTIAL	0x0002	/* allow a partial rdataset */
+#define DNS_MESSAGERENDER_OMITDNSSEC	0x0004	/* omit DNSSEC records */
 
 typedef struct dns_msgblock dns_msgblock_t;
 

lib/dns/include/dns/ncache.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.h,v 1.12 2001/01/09 21:53:07 bwelling Exp $ */
+/* $Id: ncache.h,v 1.13 2002/01/22 09:07:27 bwelling Exp $ */
 
 #ifndef DNS_NCACHE_H
 #define DNS_NCACHE_H 1
@@ -85,11 +85,13 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 
 isc_result_t
 dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
-		  isc_buffer_t *target, unsigned int *countp);
+		  isc_buffer_t *target, isc_boolean_t omit_dnssec,
+		  unsigned int *countp);
 /*
  * Convert the negative caching rdataset 'rdataset' to wire format,
  * compressing names as specified in 'cctx', and storing the result in
- * 'target'.
+ * 'target'.  If 'omit_dnssec' is set, DNSSEC records will not
+ * be added to 'target'.
  *
  * Notes:
  *	The number of RRs added to target will be added to *countp.

lib/dns/include/dns/rdataset.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.42 2002/01/17 00:16:30 marka Exp $ */
+/* $Id: rdataset.h,v 1.43 2002/01/22 09:07:28 bwelling Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -130,6 +130,12 @@ struct dns_rdataset {
 #define DNS_RDATASETATTR_RANDOMIZE	0x0800
 #define DNS_RDATASETATTR_CHASE		0x1000		/* Used by resolver. */
 
+/*
+ * _OMITDNSSEC:
+ * 	Omit DNSSEC records when rendering ncache records.
+ */
+#define DNS_RDATASETTOWIRE_OMITDNSSEC	0x0001
+
 void
 dns_rdataset_init(dns_rdataset_t *rdataset);
 /*
@@ -305,6 +311,7 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 		    dns_name_t *owner_name,
 		    dns_compress_t *cctx,
 		    isc_buffer_t *target,
+		    unsigned int options,
 		    unsigned int *countp);
 /*
  * Convert 'rdataset' to wire format, compressing names as specified
@@ -345,6 +352,7 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 			  isc_buffer_t *target,
 			  dns_rdatasetorderfunc_t order,
 			  void *order_arg,
+			  unsigned int options,
 			  unsigned int *countp);
 /*
  * Like dns_rdataset_towire(), but sorting the rdatasets according to
@@ -363,6 +371,7 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
 			   isc_buffer_t *target,
 			   dns_rdatasetorderfunc_t order,
 			   void *order_arg,
+			  unsigned int options,
 			   unsigned int *countp,
 			   void **state);
 /*

lib/dns/message.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.203 2002/01/21 09:47:09 bwelling Exp $ */
+/* $Id: message.c,v 1.204 2002/01/22 09:07:21 bwelling Exp $ */
 
 /***
  *** Imports
@@ -1721,6 +1721,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 	isc_buffer_t st; /* for rollbacks */
 	int pass;
 	isc_boolean_t partial = ISC_FALSE;
+	unsigned int rd_options;
 
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(msg->buffer != NULL);
@@ -1734,6 +1735,11 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 	else
 		pass = 1;
 
+	if ((options & DNS_MESSAGERENDER_OMITDNSSEC) == 0)
+		rd_options = 0;
+	else
+		rd_options = DNS_RDATASETTOWIRE_OMITDNSSEC;
+
 	/*
 	 * Shrink the space in the buffer by the reserved amount.
 	 */
@@ -1779,6 +1785,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 							  msg->buffer,
 							  msg->order,
 							  msg->order_arg,
+							  rd_options,
 							  &count,
 							  NULL);
 				else
@@ -1789,6 +1796,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 							  msg->buffer,
 							  msg->order,
 							  msg->order_arg,
+							  rd_options,
 							  &count);
 
 				total += count;
@@ -1915,7 +1923,8 @@ dns_message_renderend(dns_message_t *msg) {
 		 */
 		count = 0;
 		result = dns_rdataset_towire(msg->opt, dns_rootname,
-					     msg->cctx, msg->buffer, &count);
+					     msg->cctx, msg->buffer, 0,
+					     &count);
 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
 		if (result != ISC_R_SUCCESS)
 			return (result);
@@ -1956,7 +1965,8 @@ dns_message_renderend(dns_message_t *msg) {
 			return (result);
 		count = 0;
 		result = dns_rdataset_towire(msg->tsig, msg->tsigname,
-					     msg->cctx, msg->buffer, &count);
+					     msg->cctx, msg->buffer, 0,
+					     &count);
 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
 		if (result != ISC_R_SUCCESS)
 			return (result);
@@ -1978,7 +1988,8 @@ dns_message_renderend(dns_message_t *msg) {
 		 * be set in a message being rendered.
 		 */
 		result = dns_rdataset_towire(msg->sig0, dns_rootname,
-					     msg->cctx, msg->buffer, &count);
+					     msg->cctx, msg->buffer, 0,
+					     &count);
 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
 		if (result != ISC_R_SUCCESS)
 			return (result);

lib/dns/ncache.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.26 2002/01/21 16:26:06 bwelling Exp $ */
+/* $Id: ncache.c,v 1.27 2002/01/22 09:07:22 bwelling Exp $ */
 
 #include <config.h>
 
@@ -254,7 +254,8 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 
 isc_result_t
 dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
-		  isc_buffer_t *target, unsigned int *countp)
+		  isc_buffer_t *target, isc_boolean_t omit_dnssec,
+		  unsigned int *countp)
 {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_result_t result;
@@ -312,6 +313,9 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 			INSIST(remaining.length >= rdata.length);
 			isc_buffer_forward(&source, rdata.length);
 
+			if (omit_dnssec && dns_rdatatype_isdnssec(type))
+				continue;
+
 			/*
 			 * Write the name.
 			 */

lib/dns/rdataset.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.58 2001/06/05 09:23:14 marka Exp $ */
+/* $Id: rdataset.c,v 1.59 2002/01/22 09:07:23 bwelling Exp $ */
 
 #include <config.h>
 
@@ -273,8 +273,8 @@ static isc_result_t
 towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
 	     dns_compress_t *cctx, isc_buffer_t *target,
 	     dns_rdatasetorderfunc_t order, void *order_arg,
-	     isc_boolean_t partial, unsigned int *countp,
-	     void **state)
+	     isc_boolean_t partial, unsigned int options,
+	     unsigned int *countp, void **state)
 {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_region_t r;
@@ -308,7 +308,10 @@ towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
 		/*
 		 * This is a negative caching rdataset.
 		 */
-		return (dns_ncache_towire(rdataset, cctx, target, countp));
+		isc_boolean_t omit_dnssec;
+		omit_dnssec = ISC_TF(DNS_RDATASETTOWIRE_OMITDNSSEC != 0);
+		return (dns_ncache_towire(rdataset, cctx, target, omit_dnssec,
+					  countp));
 	} else {
 		count = (rdataset->methods->count)(rdataset);
 		result = dns_rdataset_first(rdataset);
@@ -469,10 +472,12 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 			  isc_buffer_t *target,
 			  dns_rdatasetorderfunc_t order,
 			  void *order_arg,
+			  unsigned int options,
 			  unsigned int *countp)
 {
 	return (towiresorted(rdataset, owner_name, cctx, target,
-			     order, order_arg, ISC_FALSE, countp, NULL));
+			     order, order_arg, ISC_FALSE, options,
+			     countp, NULL));
 }
 
 isc_result_t
@@ -482,12 +487,14 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
 			   isc_buffer_t *target,
 			   dns_rdatasetorderfunc_t order,
 			   void *order_arg,
+			   unsigned int options,
 			   unsigned int *countp,
 			   void **state)
 {
 	REQUIRE(state == NULL);	/* XXX remove when implemented */
 	return (towiresorted(rdataset, owner_name, cctx, target,
-			     order, order_arg, ISC_TRUE, countp, state));
+			     order, order_arg, ISC_TRUE, options,
+			     countp, state));
 }
 
 isc_result_t
@@ -495,10 +502,11 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 		    dns_name_t *owner_name,
 		    dns_compress_t *cctx,
 		    isc_buffer_t *target,
+		    unsigned int options,
 		    unsigned int *countp)
 {
 	return (towiresorted(rdataset, owner_name, cctx, target,
-			     NULL, NULL, ISC_FALSE, countp, NULL));
+			     NULL, NULL, ISC_FALSE, options, countp, NULL));
 }
 
 isc_result_t