diff --git a/CHANGES b/CHANGES index 25ca425762..6a02539dc2 100644 --- a/CHANGES +++ b/CHANGES @@ -1,10 +1,14 @@ +3273. [bug] AAAA responses could be returned in the additional + section even when filter-aaaa-on-v4 was in use. + [RT #27292] + +3272. [func] New "rndc zonestatus" command prints information + about the specified zone. [RT #21671] + 3271. [port] darwin: mksymtbl is not always stable, loop several times before giving up. mksymtbl was using non portable perl to covert 64 bit hex strings. [RT #27653] -3271. [func] New "rndc zonestatus" command prints information - about the specified zone. [RT #21671] - --- 9.9.0rc2 released --- 3270. [bug] "rndc reload" didn't reuse existing zones correctly diff --git a/bin/named/client.c b/bin/named/client.c index 1dd0fe8a22..78281df7fb 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.284 2011/11/09 22:05:09 each Exp $ */ +/* $Id: client.c,v 1.285 2012/01/31 06:58:38 each Exp $ */ #include @@ -929,6 +929,15 @@ ns_client_send(ns_client_t *client) { render_opts = 0; else render_opts = DNS_MESSAGERENDER_OMITDNSSEC; + + preferred_glue = 0; + if (client->view != NULL) { + if (client->view->preferred_glue == dns_rdatatype_a) + preferred_glue = DNS_MESSAGERENDER_PREFER_A; + else if (client->view->preferred_glue == dns_rdatatype_aaaa) + preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA; + } + #ifdef ALLOW_FILTER_AAAA_ON_V4 /* * filter-aaaa-on-v4 yes or break-dnssec option to suppress @@ -937,17 +946,15 @@ ns_client_send(ns_client_t *client) { * that we have both AAAA and A records, * and that we either have no signatures that the client wants * or we are supposed to break DNSSEC. + * + * Override preferred glue if necessary. */ - if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0) + if ((client->attributes & NS_CLIENTATTR_FILTER_AAAA) != 0) { render_opts |= DNS_MESSAGERENDER_FILTER_AAAA; -#endif - preferred_glue = 0; - if (client->view != NULL) { - if (client->view->preferred_glue == dns_rdatatype_a) + if (preferred_glue == DNS_MESSAGERENDER_PREFER_AAAA) preferred_glue = DNS_MESSAGERENDER_PREFER_A; - else if (client->view->preferred_glue == dns_rdatatype_aaaa) - preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA; } +#endif /* * XXXRTH The following doesn't deal with TCP buffer resizing. @@ -2110,6 +2117,9 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { client->recursionquota = NULL; client->interface = NULL; client->peeraddr_valid = ISC_FALSE; +#ifdef ALLOW_FILTER_AAAA_ON_V4 + client->filter_aaaa = dns_v4_aaaa_ok; +#endif ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL, NS_EVENT_CLIENTCONTROL, client_start, client, client, NULL, NULL); diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h index 3481256da4..05ec235da5 100644 --- a/bin/named/include/named/client.h +++ b/bin/named/include/named/client.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.h,v 1.94 2011/10/11 23:46:44 tbox Exp $ */ +/* $Id: client.h,v 1.95 2012/01/31 06:58:38 each Exp $ */ #ifndef NAMED_CLIENT_H #define NAMED_CLIENT_H 1 @@ -141,6 +141,9 @@ struct ns_client { isc_netaddr_t destaddr; struct in6_pktinfo pktinfo; isc_event_t ctlevent; +#ifdef ALLOW_FILTER_AAAA_ON_V4 + dns_v4_aaaa_t filter_aaaa; +#endif /*% * Information about recent FORMERR response(s), for * FORMERR loop avoidance. This is separate for each diff --git a/bin/named/query.c b/bin/named/query.c index 9f6c86e694..3d97bc7ae3 100644 --- a/bin/named/query.c +++ b/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.381 2012/01/07 00:19:59 each Exp $ */ +/* $Id: query.c,v 1.382 2012/01/31 06:58:38 each Exp $ */ /*! \file */ @@ -1352,6 +1352,10 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } if (qtype == dns_rdatatype_a) { +#ifdef ALLOW_FILTER_AAAA_ON_V4 + isc_boolean_t have_a = ISC_FALSE; +#endif + /* * We now go looking for A and AAAA records, along with * their signatures. @@ -1390,6 +1394,9 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } if (result == ISC_R_SUCCESS) { mname = NULL; +#ifdef ALLOW_FILTER_AAAA_ON_V4 + have_a = ISC_TRUE; +#endif if (!query_isduplicate(client, fname, dns_rdatatype_a, &mname)) { if (mname != NULL) { @@ -1436,6 +1443,17 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { } if (result == ISC_R_SUCCESS) { mname = NULL; + /* + * There's an A; check whether we're filtering AAAA + */ +#ifdef ALLOW_FILTER_AAAA_ON_V4 + if (have_a && + (client->filter_aaaa == dns_v4_aaaa_break_dnssec || + (client->filter_aaaa == dns_v4_aaaa_filter && + (!WANTDNSSEC(client) || sigrdataset == NULL || + !dns_rdataset_isassociated(sigrdataset))))) + goto addname; +#endif if (!query_isduplicate(client, fname, dns_rdatatype_aaaa, &mname)) { if (mname != NULL) { @@ -6638,9 +6656,21 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) need_wildcardproof = ISC_TRUE; } +#ifdef ALLOW_FILTER_AAAA_ON_V4 + if (client->view->v4_aaaa != dns_v4_aaaa_ok && + is_v4_client(client) && + ns_client_checkaclsilent(client, NULL, + client->view->v4_aaaa_acl, + ISC_TRUE) == ISC_R_SUCCESS) + client->filter_aaaa = client->view->v4_aaaa; + else + client->filter_aaaa = dns_v4_aaaa_ok; + +#endif + if (type == dns_rdatatype_any) { #ifdef ALLOW_FILTER_AAAA_ON_V4 - isc_boolean_t have_aaaa, have_a, have_sig, filter_aaaa; + isc_boolean_t have_aaaa, have_a, have_sig; /* * The filter-aaaa-on-v4 option should @@ -6652,14 +6682,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) have_aaaa = ISC_FALSE; have_a = !authoritative; have_sig = ISC_FALSE; - if (client->view->v4_aaaa != dns_v4_aaaa_ok && - is_v4_client(client) && - ns_client_checkaclsilent(client, NULL, - client->view->v4_aaaa_acl, - ISC_TRUE) == ISC_R_SUCCESS) - filter_aaaa = ISC_TRUE; - else - filter_aaaa = ISC_FALSE; #endif /* * XXXRTH Need to handle zonecuts with special case @@ -6694,7 +6716,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * Notice the presence of A and AAAAs so * that AAAAs can be hidden from IPv4 clients. */ - if (filter_aaaa) { + if (client->filter_aaaa != dns_v4_aaaa_ok) { if (rdataset->type == dns_rdatatype_aaaa) have_aaaa = ISC_TRUE; else if (rdataset->type == dns_rdatatype_a) @@ -6751,10 +6773,12 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * Filter AAAAs if there is an A and there is no signature * or we are supposed to break DNSSEC. */ - if (filter_aaaa && have_aaaa && have_a && - (!have_sig || !WANTDNSSEC(client) || - client->view->v4_aaaa == dns_v4_aaaa_break_dnssec)) + if (client->filter_aaaa == dns_v4_aaaa_break_dnssec) client->attributes |= NS_CLIENTATTR_FILTER_AAAA; + else if (client->filter_aaaa != dns_v4_aaaa_ok && + have_aaaa && have_a && + (!have_sig || !WANTDNSSEC(client))) + client->attributes |= NS_CLIENTATTR_FILTER_AAAA; #endif if (fname != NULL) dns_message_puttempname(client->message, &fname); @@ -6815,15 +6839,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) * so fundamentally wrong, unavoidably inaccurate, and * unneeded that it is best to keep it as short as possible. */ - if (client->view->v4_aaaa != dns_v4_aaaa_ok && - is_v4_client(client) && - ns_client_checkaclsilent(client, NULL, - client->view->v4_aaaa_acl, - ISC_TRUE) == ISC_R_SUCCESS && - (!WANTDNSSEC(client) || - sigrdataset == NULL || - !dns_rdataset_isassociated(sigrdataset) || - client->view->v4_aaaa == dns_v4_aaaa_break_dnssec)) { + if (client->filter_aaaa == dns_v4_aaaa_break_dnssec || + (client->filter_aaaa == dns_v4_aaaa_filter && + (!WANTDNSSEC(client) || sigrdataset == NULL || + !dns_rdataset_isassociated(sigrdataset)))) + { if (qtype == dns_rdatatype_aaaa) { trdataset = query_newrdataset(client); result = dns_db_findrdataset(db, node, version, diff --git a/bin/tests/system/filter-aaaa/ns1/root.db b/bin/tests/system/filter-aaaa/ns1/root.db index 400f011ff7..df69781bee 100644 --- a/bin/tests/system/filter-aaaa/ns1/root.db +++ b/bin/tests/system/filter-aaaa/ns1/root.db @@ -12,12 +12,13 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: root.db,v 1.2 2010/06/22 03:58:37 marka Exp $ +; $Id: root.db,v 1.3 2012/01/31 06:58:38 each Exp $ $TTL 120 @ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 ) @ NS ns.utld ns.utld A 10.53.0.1 +ns.utld AAAA fd92:7065:b8e:ffff::1 ; signed NS ns.utld unsigned NS ns.utld diff --git a/bin/tests/system/filter-aaaa/ns1/signed.db.in b/bin/tests/system/filter-aaaa/ns1/signed.db.in index e5042b8787..a66503556a 100644 --- a/bin/tests/system/filter-aaaa/ns1/signed.db.in +++ b/bin/tests/system/filter-aaaa/ns1/signed.db.in @@ -12,12 +12,15 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: signed.db.in,v 1.2 2010/06/22 03:58:37 marka Exp $ +; $Id: signed.db.in,v 1.3 2012/01/31 06:58:38 each Exp $ $TTL 120 @ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 ) @ NS ns.utld. +@ MX 10 mx a-only NS 1.0.0.1 aaaa-only AAAA 2001:db8::2 dual A 1.0.0.3 dual AAAA 2001:db8::3 +mx A 1.0.0.3 +mx AAAA 2001:db8::3 diff --git a/bin/tests/system/filter-aaaa/ns1/unsigned.db b/bin/tests/system/filter-aaaa/ns1/unsigned.db index 350cceec23..71d1045a83 100644 --- a/bin/tests/system/filter-aaaa/ns1/unsigned.db +++ b/bin/tests/system/filter-aaaa/ns1/unsigned.db @@ -12,12 +12,15 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: unsigned.db,v 1.2 2010/06/22 03:58:37 marka Exp $ +; $Id: unsigned.db,v 1.3 2012/01/31 06:58:38 each Exp $ $TTL 120 @ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 ) @ NS ns.utld. +@ MX 10 mx a-only NS 1.0.0.4 aaaa-only AAAA 2001:db8::5 dual A 1.0.0.6 dual AAAA 2001:db8::6 +mx A 1.0.0.3 +mx AAAA 2001:db8::3 diff --git a/bin/tests/system/filter-aaaa/ns4/root.db b/bin/tests/system/filter-aaaa/ns4/root.db index f99dfeabe3..df69781bee 100644 --- a/bin/tests/system/filter-aaaa/ns4/root.db +++ b/bin/tests/system/filter-aaaa/ns4/root.db @@ -12,12 +12,13 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: root.db,v 1.2 2010/06/22 03:58:38 marka Exp $ +; $Id: root.db,v 1.3 2012/01/31 06:58:38 each Exp $ $TTL 120 @ SOA ns.utld hostmaster.ns.utld ( 1 3600 1200 604800 60 ) @ NS ns.utld ns.utld A 10.53.0.1 +ns.utld AAAA fd92:7065:b8e:ffff::1 ; signed NS ns.utld unsigned NS ns.utld diff --git a/bin/tests/system/filter-aaaa/ns4/signed.db.in b/bin/tests/system/filter-aaaa/ns4/signed.db.in index d4889c7f12..a66503556a 100644 --- a/bin/tests/system/filter-aaaa/ns4/signed.db.in +++ b/bin/tests/system/filter-aaaa/ns4/signed.db.in @@ -12,12 +12,15 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: signed.db.in,v 1.2 2010/06/22 03:58:38 marka Exp $ +; $Id: signed.db.in,v 1.3 2012/01/31 06:58:38 each Exp $ $TTL 120 @ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 ) @ NS ns.utld. +@ MX 10 mx a-only NS 1.0.0.1 aaaa-only AAAA 2001:db8::2 dual A 1.0.0.3 dual AAAA 2001:db8::3 +mx A 1.0.0.3 +mx AAAA 2001:db8::3 diff --git a/bin/tests/system/filter-aaaa/ns4/unsigned.db b/bin/tests/system/filter-aaaa/ns4/unsigned.db index a1d3b77ca1..7ff69b94ae 100644 --- a/bin/tests/system/filter-aaaa/ns4/unsigned.db +++ b/bin/tests/system/filter-aaaa/ns4/unsigned.db @@ -12,12 +12,15 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: unsigned.db,v 1.2 2010/06/22 03:58:38 marka Exp $ +; $Id: unsigned.db,v 1.3 2012/01/31 06:58:39 each Exp $ $TTL 120 @ SOA ns.utld. hostmaster.ns.utld. ( 1 3600 1200 604800 60 ) @ NS ns.utld. +@ MX 10 mx a-only NS 1.0.0.4 aaaa-only AAAA 2001:db8::5 dual A 1.0.0.6 dual AAAA 2001:db8::6 +mx A 1.0.0.3 +mx AAAA 2001:db8::3 diff --git a/bin/tests/system/filter-aaaa/tests.sh b/bin/tests/system/filter-aaaa/tests.sh index e0d710b6c2..9df28c5137 100644 --- a/bin/tests/system/filter-aaaa/tests.sh +++ b/bin/tests/system/filter-aaaa/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.2 2010/06/22 03:58:36 marka Exp $ +# $Id: tests.sh,v 1.3 2012/01/31 06:58:38 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -174,6 +174,45 @@ else echo "I: skipped." fi +n=`expr $n + 1` +echo "I:checking that AAAA is omitted from additional section, qtype=NS ($n)" +ret=0 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep AAAA dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking that AAAA is included in additional section, qtype=MX, signed ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.1 @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6 ($n)" +if $TESTSOCK6 fd92:7065:b8e:ffff::1 +then +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::1 @fd92:7065:b8e:ffff::1 > dig.out.ns1.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns1.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` +else +echo "I: skipped." +fi + + # # Authoritative tests against: # filter-aaaa-on-v4 break-dnssec; @@ -303,6 +342,45 @@ else echo "I: skipped." fi +n=`expr $n + 1` +echo "I:checking that AAAA is omitted from additional section, qtype=NS, with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep AAAA dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned, with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking that AAAA is omitted from additional section, qtype=MX, signed, with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.4 @10.53.0.4 > dig.out.ns4.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6, with break-dnssec ($n)" +if $TESTSOCK6 fd92:7065:b8e:ffff::4 +then +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::4 @fd92:7065:b8e:ffff::4 > dig.out.ns4.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns4.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` +else +echo "I: skipped." +fi + + # # Recursive tests against: # filter-aaaa-on-v4 yes; @@ -431,6 +509,45 @@ else echo "I: skipped." fi +n=`expr $n + 1` +echo "I:checking that AAAA is omitted from additional section, qtype=NS ($n)" +ret=0 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep AAAA dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking that AAAA is included in additional section, qtype=MX, signed ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.2 @10.53.0.2 > dig.out.ns2.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6 ($n)" +if $TESTSOCK6 fd92:7065:b8e:ffff::2 +then +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::2 @fd92:7065:b8e:ffff::2 > dig.out.ns2.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns2.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` +else +echo "I: skipped." +fi + + # # Recursive tests against: # filter-aaaa-on-v4 break-dnssec; @@ -559,5 +676,43 @@ else echo "I: skipped." fi +n=`expr $n + 1` +echo "I:checking that AAAA is omitted from additional section, qtype=NS, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add ns unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep AAAA dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +grep "ADDITIONAL: 2" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking that AAAA is omitted from additional section, qtype=MX, unsigned, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking that AAAA is omitted from additional section, qtype=MX, signed, recursive with break-dnssec ($n)" +ret=0 +$DIG $DIGOPTS +add +dnssec mx signed -b 10.53.0.3 @10.53.0.3 > dig.out.ns3.test$n || ret=1 +grep "^mx.signed.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 && ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + +n=`expr $n + 1` +echo "I:checking that AAAA is included in additional section, qtype=MX, unsigned, over IPV6, recursive with break-dnssec ($n)" +if $TESTSOCK6 fd92:7065:b8e:ffff::3 +then +ret=0 +$DIG $DIGOPTS +add +dnssec mx unsigned -b fd92:7065:b8e:ffff::3 @fd92:7065:b8e:ffff::3 > dig.out.ns3.test$n || ret=1 +grep "^mx.unsigned.*AAAA" dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` +else +echo "I: skipped." +fi + echo "I:exit status: $status" exit $status