Merge branch 'fix-synth-from-dnssec-dname-handling' into 'master'

Don't synthesize NXDOMAIN from NSEC for records under a DNAME. Closes #386 See merge request isc-projects/bind9!481
2026-05-28 04:34:54 -04:00 · 2018-07-10 03:28:26 -04:00 · 2018-07-10 03:28:26 -04:00 · f02e3c4bab
commit f02e3c4bab
parent cd0e7df6fc 8ef23f9fb0
11 changed files with 61 additions and 1 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+4988.	[bug]		Don't synthesize NXDOMAIN from NSEC for records under
+			a DNAME.
+
 	--- 9.13.2 released ---

 4987.	[cleanup]	dns_rdataslab_tordataset() and its related
--- a/bin/tests/system/synthfromdnssec/clean.sh
+++ b/bin/tests/system/synthfromdnssec/clean.sh
@ -16,6 +16,8 @@ rm -f ns1/K*+*+*.private
 rm -f ns1/dsset-*
 rm -f ns1/example.db
 rm -f ns1/example.db.signed
+rm -f ns1/dnamed.db
+rm -f ns1/dnamed.db.signed
 rm -f ns1/root.db
 rm -f ns1/root.db.signed
 rm -f ns1/trusted.conf
--- a/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in
+++ b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in
@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	ns1 hostmaster 1 3600 1200 604800 3600
+@		NS	ns1
+ns1		A	10.53.0.1
+a		A	10.53.0.1
--- a/bin/tests/system/synthfromdnssec/ns1/example.db.in
+++ b/bin/tests/system/synthfromdnssec/ns1/example.db.in
@ -14,3 +14,4 @@ ns1		A	10.53.0.1
 nodata		TXT	nodata
 *.wild-a	A	1.2.3.4
 *.wild-cname 	CNAME	ns1
+dnamed		DNAME	dnamed.
--- a/bin/tests/system/synthfromdnssec/ns1/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
@ -35,4 +35,9 @@ zone "example" {
 	file "example.db.signed";
 };

+zone "dnamed" {
+	type master;
+	file "dnamed.db.signed";
+};
+
 include "trusted.conf";
--- a/bin/tests/system/synthfromdnssec/ns1/root.db.in
+++ b/bin/tests/system/synthfromdnssec/ns1/root.db.in
@ -13,3 +13,5 @@ $TTL 3600
 ns1		A	10.53.0.1
 example		NS	ns1.example
 ns1.example	A	10.53.0.1
+dnamed		NS	ns1.dnamed
+ns1.dnamed	A	10.53.0.1
--- a/bin/tests/system/synthfromdnssec/ns1/sign.sh
+++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh
@ -21,6 +21,15 @@ cat $infile $keyname.key > $zonefile

 $SIGNER -P -o $zone $zonefile > /dev/null

+zone=dnamed
+infile=dnamed.db.in
+zonefile=dnamed.db
+
+keyname=`$KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone`
+cat $infile $keyname.key > $zonefile
+
+$SIGNER -P -o $zone $zonefile > /dev/null
+
 zone=.
 infile=root.db.in
 zonefile=root.db
--- a/bin/tests/system/synthfromdnssec/tests.sh
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@ -182,5 +182,15 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`

+
+echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)"
+ret=0
+$DIG $DIGOPTS dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1
+$DIG $DIGOPTS a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1
+grep "status: NOERROR," dig.out.ns5-1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/lib/dns/include/dns/nsec.h
+++ b/lib/dns/include/dns/nsec.h
@ -101,6 +101,9 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 * or we can determine whether there is data or not at the name.
 * If the name does not exist return the wildcard name.
 *
+ * Return DNS_R_DNAME when the NSEC indicates that name is covered by
+ * a DNAME.  'wild' is not set in this case.
+ *
 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
 */

--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@ -379,13 +379,23 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
 	{
 		/*
 		 * This NSEC record is from somewhere higher in
-		 * the DNS, and at the parent of a delegation.
+		 * the DNS, and at the parent of a delegation or
+		 * at a DNAME.
 		 * It can not be legitimately used here.
 		 */
 		(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
 		return (ISC_R_IGNORE);
 	}

+	if (relation == dns_namereln_subdomain &&
+	    dns_nsec_typepresent(&rdata, dns_rdatatype_dname))
+	{
+		(*logit)(arg, ISC_LOG_DEBUG(3),
+			 "nsec proves covered by dname");
+		*exists = ISC_FALSE;
+		return (DNS_R_DNAME);
+	}
+
 	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
 	if (result != ISC_R_SUCCESS)
 		return (result);
--- a/util/copyrights
+++ b/util/copyrights
@ -2188,6 +2188,7 @@
 ./bin/tests/system/stub/setup.sh		SH	2018
 ./bin/tests/system/stub/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013,2016,2018
 ./bin/tests/system/synthfromdnssec/clean.sh	SH	2017,2018
+./bin/tests/system/synthfromdnssec/ns1/dnamed.db.in	ZONE	2018
 ./bin/tests/system/synthfromdnssec/ns1/example.db.in	ZONE	2017,2018
 ./bin/tests/system/synthfromdnssec/ns1/named.conf.in	CONF-C	2017,2018
 ./bin/tests/system/synthfromdnssec/ns1/root.db.in	ZONE	2017,2018