diff --git a/CHANGES b/CHANGES
index f0ec8c64db..d604295432 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+ 651. [func] The AD bit in responses now has the meaning
+ specified in .
+
 650. [bug] SIG(0) records were being generated and verified incorrectly. [RT #606]
diff --git a/bin/named/query.c b/bin/named/query.c
index 237c0ebaee..7c02004376 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: query.c,v 1.164 2001/01/03 00:05:08 bwelling Exp $ */
+/* $Id: query.c,v 1.165 2001/01/04 00:24:23 bwelling Exp $ */
 #include
@@ -3415,11 +3415,8 @@ ns_query_start(ns_client_t *client) {
 message->flags |= DNS_MESSAGEFLAG_AA;
 /*
- * Set AD. We need only clear it if we add "pending" data to
- * a response.
- *
- * XXX Note: the way AD is set will be changing in the near
- * future.
+ * Set AD. We must clear it if we add non-validated data to a
+ * response.
 */
 if (WANTDNSSEC(client))
 message->flags |= DNS_MESSAGEFLAG_AD;
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 07028c45af..c8268436eb 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -15,7 +15,7 @@
 # NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 # WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# $Id: tests.sh,v 1.27 2000/11/22 01:26:24 gson Exp $
+# $Id: tests.sh,v 1.28 2001/01/04 00:24:24 bwelling Exp $
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
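Review bot: In ns_query_start (bin/named/query.c, hunk at -3415) the rewritten comment says AD "must" be cleared when non-validated data is added, but it does not say where that clearing happens, while the unchanged code below it still sets `DNS_MESSAGEFLAG_AD` up front whenever `WANTDNSSEC(client)` is true. The bit is therefore set optimistically and stays set unless a later step removes it, so a reader of this function needs to know which step that is. I would name the enforcement point in the comment, for example `* Set AD optimistically; dns_message_rendersection() clears it when it renders an rdataset whose trust is not dns_trust_secure into the answer or authority section.` The function body continues outside the hunk.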
@@ -65,7 +65,9 @@ ret=0
 $DIG $DIGOPTS a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
 $DIG $DIGOPTS a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@@ -112,7 +114,9 @@ $DIG $DIGOPTS a.insecure.secure.example. @10.53.0.2 a \
 $DIG $DIGOPTS a.insecure.secure.example. @10.53.0.4 a \
 > dig.out.ns4.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
@@ -126,7 +130,9 @@ $DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
 $DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
 || ret=1
 $PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
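Review bot: The negative check `grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1` matches the letters "ad" anywhere between "flags:" and "QUERY", so now that a match means failure, the result depends on no other token on that line ever containing "ad". Matching the flag as a whole word would be tighter, for example `grep "flags:[^;]* ad[ ;]" dig.out.ns4.test$n > /dev/null && ret=1`, assuming dig prints the flags space-separated and ends the list with a semicolon. The same pattern is used in the hunks at -112, -126, -191 and -205. None of the visible hunks asserts that AD is still present for a validated answer; if that is not covered elsewhere in tests.sh, a server that cleared AD unconditionally would pass every check added here.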
@@ -191,8 +197,9 @@ $DIG $DIGOPTS +noauth a.insecure.example. soa @10.53.0.4 \
 $DIG $DIGOPTS +noauth +cdflag a.insecure.example. soa @10.53.0.5 \
 > dig.out.ns5.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - these are looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
@@ -205,8 +212,9 @@ $DIG $DIGOPTS q.insecure.example. soa @10.53.0.4 \
 $DIG $DIGOPTS +cdflag q.insecure.example. soa @10.53.0.5 \
 > dig.out.ns5.test$n || ret=1
 $PERL ../digcomp.pl dig.out.ns4.test$n dig.out.ns5.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
-# Note - this is looking for failure, hence the &&
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - these are looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns5.test$n > /dev/null && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 562ef89aea..a8556c89ad 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: message.c,v 1.165 2001/01/03 20:42:08 bwelling Exp $ */
+/* $Id: message.c,v 1.166 2001/01/04 00:24:26 bwelling Exp $ */
 /***
 *** Imports
@@ -1771,10 +1771,10 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 }
 /*
- * If we have rendered pending data, ensure
- * that the AD bit is not set.
+ * If we have rendered non-validated data,
+ * ensure that the AD bit is not set.
 */
- if (rdataset->trust == dns_trust_pending &&
+ if (rdataset->trust != dns_trust_secure &&
 (sectionid == DNS_SECTION_ANSWER ||
 sectionid == DNS_SECTION_AUTHORITY))
 msg->flags &= ~DNS_MESSAGEFLAG_AD;
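Review bot: The new test `rdataset->trust != dns_trust_secure` clears AD only when a non-secure rdataset is actually rendered into the answer or authority section, so a message in which neither section renders any rdataset keeps whatever AD value the caller set. With ns_query_start setting the bit up front for DNSSEC-aware clients, that would presumably include empty and error responses. It is worth confirming that those paths clear `DNS_MESSAGEFLAG_AD` elsewhere, or else setting AD only after at least one secure rdataset and no non-secure one has been rendered. The comment could also record the section rule the condition encodes, e.g. `* Only the answer and authority sections are considered; additional-section data does not clear AD.` dns_message_rendersection starts and ends outside the hunk.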