From 7ce0f7fb9e070e1e2562257c59a18e18c77e719e Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 13 Jan 2023 14:13:59 +0100 Subject: [PATCH 1/3] Add checkds test case with resolver parental-agent Add a test case for a server that uses a resolver as an parental-agent. We need two root servers, ns1 and ns10, one that delegates to the 'checkds' tld with the DS published (ns2), and one that delegates to the 'checkds' tld with the DS removed (ns5). Both root zones are being setup in the 'ns1/setup.sh' script. We also need two resolvers, ns3 and ns8, that use different root hints (one uses ns1 address as a hint, the other uses ns10). Then add the checks to test_checkds.py is similar to the existing tests. Update 'types' because for zones that have the DS withdrawn (or to be withdrawn), the CDS and CDNSKEY records should not be published and thus should not be in the NSEC bitmap. (cherry picked from commit 0b9a9f99553bd332709163fd982bb2fad2ac803f) --- bin/tests/system/checkds/clean.sh | 1 + bin/tests/system/checkds/ns1/named.conf.in | 32 ++++++++++++++ bin/tests/system/checkds/ns1/root.db.in | 24 +++++++++++ bin/tests/system/checkds/ns1/setup.sh | 46 +++++++++++++++++++++ bin/tests/system/checkds/ns10/named.conf.in | 32 ++++++++++++++ bin/tests/system/checkds/ns10/root.db.in | 24 +++++++++++ bin/tests/system/checkds/ns2/setup.sh | 4 +- bin/tests/system/checkds/ns2/template.db.in | 3 +- bin/tests/system/checkds/ns3/named.conf.in | 41 ++++++++++++++++++ bin/tests/system/checkds/ns5/template.db.in | 2 + bin/tests/system/checkds/ns8/named.conf.in | 41 ++++++++++++++++++ bin/tests/system/checkds/ns8/root.hint | 14 +++++++ bin/tests/system/checkds/ns9/named.conf.in | 23 +++++++++++ bin/tests/system/checkds/ns9/setup.sh | 4 +- bin/tests/system/checkds/setup.sh | 8 ++++ bin/tests/system/checkds/tests_checkds.py | 20 ++++++++- 16 files changed, 314 insertions(+), 5 deletions(-) create mode 100644 bin/tests/system/checkds/ns1/named.conf.in create mode 100644 bin/tests/system/checkds/ns1/root.db.in create mode 100644 bin/tests/system/checkds/ns1/setup.sh create mode 100644 bin/tests/system/checkds/ns10/named.conf.in create mode 100644 bin/tests/system/checkds/ns10/root.db.in create mode 100644 bin/tests/system/checkds/ns3/named.conf.in create mode 100644 bin/tests/system/checkds/ns8/named.conf.in create mode 100644 bin/tests/system/checkds/ns8/root.hint diff --git a/bin/tests/system/checkds/clean.sh b/bin/tests/system/checkds/clean.sh index 74bf4217cb..c73067f46f 100644 --- a/bin/tests/system/checkds/clean.sh +++ b/bin/tests/system/checkds/clean.sh @@ -21,6 +21,7 @@ rm -f ns*/dsset-* rm -f ns*/*.db ns*/*.jnl ns*/*.jbk ns*/*.db.signed ns*/*.db.infile rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.* rm -f ns*/managed-keys.bind* +rm -f ns*/trusted.conf rm -f ns*/*.mkeys rm -f ns*/zones rm -f *.checkds.out diff --git a/bin/tests/system/checkds/ns1/named.conf.in b/bin/tests/system/checkds/ns1/named.conf.in new file mode 100644 index 0000000000..5b1c9fe7ca --- /dev/null +++ b/bin/tests/system/checkds/ns1/named.conf.in @@ -0,0 +1,32 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation no; +}; + +zone "." { + type primary; + file "root.db.signed"; +}; diff --git a/bin/tests/system/checkds/ns1/root.db.in b/bin/tests/system/checkds/ns1/root.db.in new file mode 100644 index 0000000000..b2b9924150 --- /dev/null +++ b/bin/tests/system/checkds/ns1/root.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +checkds. NS ns2.checkds. +ns2.checkds. A 10.53.0.2 diff --git a/bin/tests/system/checkds/ns1/setup.sh b/bin/tests/system/checkds/ns1/setup.sh new file mode 100644 index 0000000000..537fb42a6f --- /dev/null +++ b/bin/tests/system/checkds/ns1/setup.sh @@ -0,0 +1,46 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +set -e + +zone=. +infile=root.db.in +zonefile=root.db + +echo_i "ns1/setup.sh" + +cp "../ns2/dsset-checkds." . + +ksk=$("$KEYGEN" -q -fk -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") +cp "$ksk.key" "../ns10/" +cp "$zsk.key" "../ns10/" +cp "$ksk.private" "../ns10/" +cp "$zsk.private" "../ns10/" + +cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" +"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 + +( + cd ../ns10 + cat "$infile" "$ksk.key" "$zsk.key" > "$zonefile" + "$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 +) + +# Configure the resolving server with a static key. +keyfile_to_static_ds "$ksk" > trusted.conf +cp trusted.conf ../ns3/trusted.conf +cp trusted.conf ../ns8/trusted.conf diff --git a/bin/tests/system/checkds/ns10/named.conf.in b/bin/tests/system/checkds/ns10/named.conf.in new file mode 100644 index 0000000000..e7e5f0ca4b --- /dev/null +++ b/bin/tests/system/checkds/ns10/named.conf.in @@ -0,0 +1,32 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS10 + +options { + query-source address 10.53.0.10; + notify-source 10.53.0.10; + transfer-source 10.53.0.10; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.10; }; + listen-on-v6 { none; }; + recursion no; + notify yes; + dnssec-validation no; +}; + +zone "." { + type primary; + file "root.db.signed"; +}; diff --git a/bin/tests/system/checkds/ns10/root.db.in b/bin/tests/system/checkds/ns10/root.db.in new file mode 100644 index 0000000000..988d7d1ec5 --- /dev/null +++ b/bin/tests/system/checkds/ns10/root.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.10 + +checkds. NS ns5.checkds. +ns5.checkds. A 10.53.0.5 diff --git a/bin/tests/system/checkds/ns2/setup.sh b/bin/tests/system/checkds/ns2/setup.sh index bdec45e59a..37019480c1 100644 --- a/bin/tests/system/checkds/ns2/setup.sh +++ b/bin/tests/system/checkds/ns2/setup.sh @@ -18,8 +18,10 @@ echo_i "ns2/setup.sh" for subdomain in dspublished reference missing-dspublished bad-dspublished \ multiple-dspublished incomplete-dspublished bad2-dspublished \ + resolver-dspublished \ dswithdrawn missing-dswithdrawn bad-dswithdrawn \ - multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn + multiple-dswithdrawn incomplete-dswithdrawn bad2-dswithdrawn \ + resolver-dswithdrawn do cp "../ns9/dsset-$subdomain.checkds." . done diff --git a/bin/tests/system/checkds/ns2/template.db.in b/bin/tests/system/checkds/ns2/template.db.in index ede62efec4..13d814f871 100644 --- a/bin/tests/system/checkds/ns2/template.db.in +++ b/bin/tests/system/checkds/ns2/template.db.in @@ -28,6 +28,7 @@ bad-dspublished NS ns9.bad-dspublished multiple-dspublished NS ns9.multiple-dspublished incomplete-dspublished NS ns9.incomplete-dspublished bad2-dspublished NS ns9.bad2-dspublished +resolver-dspublished NS ns9.resolver-dspublished dswithdrawn NS ns9.dswithdrawn missing-dswithdrawn NS ns9.missing-dswithdrawn @@ -35,4 +36,4 @@ bad-dswithdrawn NS ns9.bad-dswithdrawn multiple-dswithdrawn NS ns9.multiple-dswithdrawn incomplete-dswithdrawn NS ns9.incomplete-dswithdrawn bad2-dswithdrawn NS ns9.bad2-dswithdrawn - +resolver-dswithdrawn NS ns9.resolver-dswithdrawn diff --git a/bin/tests/system/checkds/ns3/named.conf.in b/bin/tests/system/checkds/ns3/named.conf.in new file mode 100644 index 0000000000..54bfc99898 --- /dev/null +++ b/bin/tests/system/checkds/ns3/named.conf.in @@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +options { + query-source address 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + session-keyfile "session.key"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "../../common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/checkds/ns5/template.db.in b/bin/tests/system/checkds/ns5/template.db.in index ac3eb8e6b1..54e4881a6f 100644 --- a/bin/tests/system/checkds/ns5/template.db.in +++ b/bin/tests/system/checkds/ns5/template.db.in @@ -28,6 +28,7 @@ bad-dspublished NS ns9.bad-dspublished multiple-dspublished NS ns9.multiple-dspublished incomplete-dspublished NS ns9.incomplete-dspublished bad2-dspublished NS ns9.bad2-dspublished +resolver-dspublished NS ns9.resolver-dspublished dswithdrawn NS ns9.dswithdrawn missing-dswithdrawn NS ns9.missing-dswithdrawn @@ -35,4 +36,5 @@ bad-dswithdrawn NS ns9.bad-dswithdrawn multiple-dswithdrawn NS ns9.multiple-dswithdrawn incomplete-dswithdrawn NS ns9.incomplete-dswithdrawn bad2-dswithdrawn NS ns9.bad2-dswithdrawn +resolver-dswithdrawn NS ns9.resolver-dswithdrawn diff --git a/bin/tests/system/checkds/ns8/named.conf.in b/bin/tests/system/checkds/ns8/named.conf.in new file mode 100644 index 0000000000..5fc52aaf6a --- /dev/null +++ b/bin/tests/system/checkds/ns8/named.conf.in @@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS8 + +options { + query-source address 10.53.0.8; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.8; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation yes; + session-keyfile "session.key"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.8 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "." { + type hint; + file "root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/checkds/ns8/root.hint b/bin/tests/system/checkds/ns8/root.hint new file mode 100644 index 0000000000..3d543735d1 --- /dev/null +++ b/bin/tests/system/checkds/ns8/root.hint @@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 999999 +. IN NS a.root-servers.nil. +a.root-servers.nil. IN A 10.53.0.10 diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in index 73e5d80bb6..d4f56a318d 100644 --- a/bin/tests/system/checkds/ns9/named.conf.in +++ b/bin/tests/system/checkds/ns9/named.conf.in @@ -145,6 +145,19 @@ zone "bad2-dspublished.checkds" { }; }; +/* + * Zone with resolver parental agent configured, due for DS checking. + */ +zone "resolver-dspublished.checkds" { + type primary; + file "resolver-dspublished.checkds.db"; + inline-signing yes; + dnssec-policy "default"; + parental-agents { + 10.53.0.3 port @PORT@; + }; +}; + // TODO: Other test cases: // - Test with bogus response // - check with TSIG @@ -216,3 +229,13 @@ zone "bad2-dswithdrawn.checkds" { 10.53.0.6 port @PORT@; // bad }; }; + +zone "resolver-dswithdrawn.checkds" { + type primary; + file "resolver-dswithdrawn.checkds.db"; + inline-signing yes; + dnssec-policy "default"; + parental-agents { + 10.53.0.8 port @PORT@; + }; +}; diff --git a/bin/tests/system/checkds/ns9/setup.sh b/bin/tests/system/checkds/ns9/setup.sh index 0990fa3c6b..e4d1586612 100644 --- a/bin/tests/system/checkds/ns9/setup.sh +++ b/bin/tests/system/checkds/ns9/setup.sh @@ -34,7 +34,7 @@ Y="now-1y" # DS Publication. for zn in dspublished reference missing-dspublished bad-dspublished \ - multiple-dspublished incomplete-dspublished bad2-dspublished + multiple-dspublished incomplete-dspublished bad2-dspublished resolver-dspublished do setup "${zn}.checkds" cp template.db.in "$zonefile" @@ -49,7 +49,7 @@ done # DS Withdrawal. for zn in dswithdrawn missing-dswithdrawn bad-dswithdrawn multiple-dswithdrawn \ - incomplete-dswithdrawn bad2-dswithdrawn + incomplete-dswithdrawn bad2-dswithdrawn resolver-dswithdrawn do setup "${zn}.checkds" cp template.db.in "$zonefile" diff --git a/bin/tests/system/checkds/setup.sh b/bin/tests/system/checkds/setup.sh index 93c73b6b76..828b2e6ace 100644 --- a/bin/tests/system/checkds/setup.sh +++ b/bin/tests/system/checkds/setup.sh @@ -18,12 +18,16 @@ set -e $SHELL clean.sh +copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf copy_setports ns7/named.conf.in ns7/named.conf +copy_setports ns8/named.conf.in ns8/named.conf copy_setports ns9/named.conf.in ns9/named.conf +copy_setports ns10/named.conf.in ns10/named.conf # Setup zones ( @@ -38,3 +42,7 @@ copy_setports ns9/named.conf.in ns9/named.conf cd ns2 $SHELL setup.sh ) +( + cd ns1 + $SHELL setup.sh +) diff --git a/bin/tests/system/checkds/tests_checkds.py b/bin/tests/system/checkds/tests_checkds.py index f3146c25fe..fbd0c74bdc 100755 --- a/bin/tests/system/checkds/tests_checkds.py +++ b/bin/tests/system/checkds/tests_checkds.py @@ -36,7 +36,7 @@ def has_signed_apex_nsec(zone, response): ttl = 300 nextname = "a." - types = "NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY" + types = "NS SOA RRSIG NSEC DNSKEY" match = "{0} {1} IN NSEC {2}{0} {3}".format(zone, ttl, nextname, types) sig = "{0} {1} IN RRSIG NSEC 13 2 300".format(zone, ttl) @@ -346,6 +346,15 @@ def test_checkds_dspublished(named_port): ) keystate_check(parent, "bad2-dspublished.checkds.", "!DSPublish") + # Check with resolver parental-agent. + zone_check(server, "resolver-dspublished.checkds.") + wait_for_log( + "ns9/named.run", + "zone resolver-dspublished.checkds/IN (signed): checkds: " + "DS response from 10.53.0.3", + ) + keystate_check(parent, "resolver-dspublished.checkds.", "DSPublish") + # TBD: DS published in all parents, but one has bogus signature. # TBD: Check with TSIG @@ -444,4 +453,13 @@ def test_checkds_dswithdrawn(named_port): ) keystate_check(parent, "bad2-dswithdrawn.checkds.", "!DSRemoved") + # Check with resolver parental-agent. + zone_check(server, "resolver-dswithdrawn.checkds.") + wait_for_log( + "ns9/named.run", + "zone resolver-dswithdrawn.checkds/IN (signed): checkds: " + "empty DS response from 10.53.0.8", + ) + keystate_check(parent, "resolver-dswithdrawn.checkds.", "DSRemoved") + # TBD: DS withdrawn from all parents, but one has bogus signature. From 89089817d37340f107b253e63ebee66b531a9664 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 13 Jan 2023 14:20:53 +0100 Subject: [PATCH 2/3] Set RD bit on checkds requests It is allowed to point parental-agents to a resolver. Therefore, the RD bit should be set on requests. Upon receiving a DS response, ensure that the message has either the AA or the RA bit set. (cherry picked from commit e34722ed43442f4c856d0f29a48886e741cc5699) --- lib/dns/zone.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 994195359f..4b32d0b6c0 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -20826,6 +20826,7 @@ checkds_done(isc_task_t *task, isc_event_t *event) { /* Validate response. */ CHECK(validate_ds(zone, message)); + /* Check RCODE. */ if (message->rcode != dns_rcode_noerror) { dns_zone_log(zone, ISC_LOG_NOTICE, "checkds: bad DS response from %s: %.*s", addrbuf, @@ -20833,6 +20834,17 @@ checkds_done(isc_task_t *task, isc_event_t *event) { goto failure; } + /* Make sure that either AA or RA bit is set. */ + if ((message->flags & DNS_MESSAGEFLAG_AA) == 0 && + (message->flags & DNS_MESSAGEFLAG_RA) == 0) + { + dns_zone_log(zone, ISC_LOG_NOTICE, + "checkds: bad DS response from %s: expected AA or " + "RA bit set", + addrbuf); + goto failure; + } + /* Lookup DS RRset. */ result = dns_message_firstname(message, DNS_SECTION_ANSWER); while (result == ISC_R_SUCCESS) { @@ -21055,6 +21067,7 @@ checkds_createmessage(dns_zone_t *zone, dns_message_t **messagep) { message->opcode = dns_opcode_query; message->rdclass = zone->rdclass; + message->flags |= DNS_MESSAGEFLAG_RD; result = dns_message_gettempname(message, &tempname); if (result != ISC_R_SUCCESS) { From 8ab8918c646d117238a8f7f9a1845c1753f2f0a6 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 13 Jan 2023 14:50:27 +0100 Subject: [PATCH 3/3] Add CHANGES and release note for GL #3783 News worthy. (cherry picked from commit dbbacd910f9d8e31c7a22a7bb44e8d5c4be6bfaa) --- CHANGES | 2 ++ doc/notes/notes-current.rst | 3 +++ 2 files changed, 5 insertions(+) diff --git a/CHANGES b/CHANGES index 56f7a1c79d..debb9c1b91 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,8 @@ 6074. [func] Refactor the isc_nm_xfr_allowed() function to return isc_result_t instead of boolean. [GL #3808] +6073. [bug] Set RD=1 on DS requests to parental-agents. [GL #3783] + 6072. [bug] Avoid the OpenSSL lock contention when initializing Message Digest Contexts by using explicit algorithm fetching, initializing static contexts for every diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index c4fc060d68..c3e58a7acd 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -42,6 +42,9 @@ Bug Fixes - Improve the speed of the message digest algorithms (MD5, SHA-1, SHA-2) and NSEC3 hashing. :gl:`#3795` +- Setting :any:`parental-agents` to a resolver did not work because the RD bit + was not set on DS requests. This has been fixed. :gl:`#3783` + Known Issues ~~~~~~~~~~~~