From 7f60bb39df472dd241ee818758d4f1fbe631285d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= Date: Thu, 5 Jul 2018 12:58:49 +0200 Subject: [PATCH 1/2] Don't synthesize NXDOMAIN from NSEC for records under a DNAME --- CHANGES | 3 +++ bin/tests/system/synthfromdnssec/clean.sh | 2 ++ bin/tests/system/synthfromdnssec/ns1/dnamed.db.in | 14 ++++++++++++++ bin/tests/system/synthfromdnssec/ns1/example.db.in | 1 + bin/tests/system/synthfromdnssec/ns1/named.conf.in | 5 +++++ bin/tests/system/synthfromdnssec/ns1/root.db.in | 2 ++ bin/tests/system/synthfromdnssec/ns1/sign.sh | 9 +++++++++ bin/tests/system/synthfromdnssec/tests.sh | 10 ++++++++++ lib/dns/nsec.c | 6 ++++-- util/copyrights | 1 + 10 files changed, 51 insertions(+), 2 deletions(-) create mode 100644 bin/tests/system/synthfromdnssec/ns1/dnamed.db.in diff --git a/CHANGES b/CHANGES index 09b101ea5e..f528315d10 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4988. [bug] Don't synthesize NXDOMAIN from NSEC for records under + a DNAME. + --- 9.13.2 released --- 4987. [cleanup] dns_rdataslab_tordataset() and its related diff --git a/bin/tests/system/synthfromdnssec/clean.sh b/bin/tests/system/synthfromdnssec/clean.sh index 1e6e164c12..705820ab18 100644 --- a/bin/tests/system/synthfromdnssec/clean.sh +++ b/bin/tests/system/synthfromdnssec/clean.sh @@ -16,6 +16,8 @@ rm -f ns1/K*+*+*.private rm -f ns1/dsset-* rm -f ns1/example.db rm -f ns1/example.db.signed +rm -f ns1/dnamed.db +rm -f ns1/dnamed.db.signed rm -f ns1/root.db rm -f ns1/root.db.signed rm -f ns1/trusted.conf diff --git a/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in new file mode 100644 index 0000000000..659403a17b --- /dev/null +++ b/bin/tests/system/synthfromdnssec/ns1/dnamed.db.in 
@@ -0,0 +1,14 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 3600 +@ SOA ns1 hostmaster 1 3600 1200 604800 3600 +@ NS ns1 +ns1 A 10.53.0.1 +a A 10.53.0.1 diff --git a/bin/tests/system/synthfromdnssec/ns1/example.db.in b/bin/tests/system/synthfromdnssec/ns1/example.db.in index 87069cb82a..5300256590 100644 --- a/bin/tests/system/synthfromdnssec/ns1/example.db.in +++ b/bin/tests/system/synthfromdnssec/ns1/example.db.in @@ -14,3 +14,4 @@ ns1 A 10.53.0.1 nodata TXT nodata *.wild-a A 1.2.3.4 *.wild-cname CNAME ns1 +dnamed DNAME dnamed. diff --git a/bin/tests/system/synthfromdnssec/ns1/named.conf.in b/bin/tests/system/synthfromdnssec/ns1/named.conf.in index 6b7c575f1e..650cc30f08 100644 --- a/bin/tests/system/synthfromdnssec/ns1/named.conf.in +++ b/bin/tests/system/synthfromdnssec/ns1/named.conf.in @@ -35,4 +35,9 @@ zone "example" { file "example.db.signed"; }; +zone "dnamed" { + type master; + file "dnamed.db.signed"; +}; + include "trusted.conf"; diff --git a/bin/tests/system/synthfromdnssec/ns1/root.db.in b/bin/tests/system/synthfromdnssec/ns1/root.db.in index 8c05adf6a8..f396106fdb 100644 --- a/bin/tests/system/synthfromdnssec/ns1/root.db.in +++ b/bin/tests/system/synthfromdnssec/ns1/root.db.in @@ -13,3 +13,5 @@ $TTL 3600 ns1 A 10.53.0.1 example NS ns1.example ns1.example A 10.53.0.1 +dnamed NS ns1.dnamed +ns1.dnamed A 10.53.0.1 diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh index b82ed7b5bb..7444b740e6 100644 --- a/bin/tests/system/synthfromdnssec/ns1/sign.sh +++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh 
@@ -21,6 +21,15 @@ cat $infile $keyname.key > $zonefile $SIGNER -P -o $zone $zonefile > /dev/null +zone=dnamed +infile=dnamed.db.in +zonefile=dnamed.db + +keyname=`$KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone` +cat $infile $keyname.key > $zonefile + +$SIGNER -P -o $zone $zonefile > /dev/null + zone=. infile=root.db.in zonefile=root.db diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh index dc9e34f5e9..4294cc13b3 100644 --- a/bin/tests/system/synthfromdnssec/tests.sh +++ b/bin/tests/system/synthfromdnssec/tests.sh @@ -182,5 +182,15 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` + +echo_i "check DNAME handling (synth-from-dnssec yes;) ($n)" +ret=0 +$DIG $DIGOPTS dnamed.example. ns @10.53.0.5 > dig.out.ns5.test$n || ret=1 +$DIG $DIGOPTS a.dnamed.example. a @10.53.0.5 > dig.out.ns5-1.test$n || ret=1 +grep "status: NOERROR," dig.out.ns5-1.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c index bbf23f3a1a..991391b7a6 100644 --- a/lib/dns/nsec.c +++ b/lib/dns/nsec.c @@ -374,12 +374,14 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name, } if (relation == dns_namereln_subdomain && - dns_nsec_typepresent(&rdata, dns_rdatatype_ns) && + (dns_nsec_typepresent(&rdata, dns_rdatatype_dname) || + dns_nsec_typepresent(&rdata, dns_rdatatype_ns)) && !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) { /* * This NSEC record is from somewhere higher in - * the DNS, and at the parent of a delegation. + * the DNS, and at the parent of a delegation or + * at a DNAME. * It can not be legitimately used here. */ (*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec"); diff --git a/util/copyrights b/util/copyrights index 990fc8cb53..acb60baa46 100644 --- a/util/copyrights +++ b/util/copyrights 
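Review bot: The new `grep "status: NOERROR," dig.out.ns5-1.test$n` line asserts only the rcode, so a NOERROR response that lacks the DNAME chain (or a NODATA answer) would still pass, while the point of the case is that a.dnamed.example. resolves through the DNAME instead of being denied from the cached NSEC. Also assert the resolved answer, e.g. `grep "a\.dnamed\..*10\.53\.0\.1" dig.out.ns5-1.test$n > /dev/null || ret=1` — the target `a A 10.53.0.1` is in ns1/dnamed.db.in and example.db.in maps dnamed.example to dnamed. (assuming DIGOPTS keeps the answer section). The first dig for `dnamed.example. ns` appears to be there only to get the NSEC at the DNAME owner into ns5's cache before the second query, and its output is never inspected; a comment such as `# prime the cache with the NSEC at the DNAME owner before querying below it` would keep a later reader from treating it as an assertion.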
@@ -2188,6 +2188,7 @@ ./bin/tests/system/stub/setup.sh SH 2018 ./bin/tests/system/stub/tests.sh SH 2000,2001,2004,2007,2011,2012,2013,2016,2018 ./bin/tests/system/synthfromdnssec/clean.sh SH 2017,2018 +./bin/tests/system/synthfromdnssec/ns1/dnamed.db.in ZONE 2018 ./bin/tests/system/synthfromdnssec/ns1/example.db.in ZONE 2017,2018 ./bin/tests/system/synthfromdnssec/ns1/named.conf.in CONF-C 2017,2018 ./bin/tests/system/synthfromdnssec/ns1/root.db.in ZONE 2017,2018 From 8ef23f9fb07a57d2f76e35e992f9c9d152fbf2b3 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 6 Jul 2018 15:07:59 +1000 Subject: [PATCH 2/2] the presence of a DNAME record proves that the name does not exist in the zone but as we don't want to use that for NXDOMAIN return DNS_R_DNAME from dns_nsec_noexistnodata --- lib/dns/include/dns/nsec.h | 3 +++ lib/dns/nsec.c | 12 ++++++++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/lib/dns/include/dns/nsec.h b/lib/dns/include/dns/nsec.h index da1d5d695a..623dfb70a8 100644 --- a/lib/dns/include/dns/nsec.h +++ b/lib/dns/include/dns/nsec.h @@ -101,6 +101,9 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name, * or we can determine whether there is data or not at the name. * If the name does not exist return the wildcard name. * + * Return DNS_R_DNAME when the NSEC indicates that name is covered by + * a DNAME. 'wild' is not set in this case. + * * Return ISC_R_IGNORE when the NSEC is not the appropriate one. */ diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c index 991391b7a6..ad081d89fc 100644 --- a/lib/dns/nsec.c +++ b/lib/dns/nsec.c @@ -374,8 +374,7 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name, } if (relation == dns_namereln_subdomain && - (dns_nsec_typepresent(&rdata, dns_rdatatype_dname) || - dns_nsec_typepresent(&rdata, dns_rdatatype_ns)) && + dns_nsec_typepresent(&rdata, dns_rdatatype_ns) && !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) { /* 
@@ -388,6 +387,15 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name, return (ISC_R_IGNORE); } + if (relation == dns_namereln_subdomain && + dns_nsec_typepresent(&rdata, dns_rdatatype_dname)) + { + (*logit)(arg, ISC_LOG_DEBUG(3), + "nsec proves covered by dname"); + *exists = ISC_FALSE; + return (DNS_R_DNAME); + } + result = dns_rdata_tostruct(&rdata, &nsec, NULL); if (result != ISC_R_SUCCESS) return (result);
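Review bot: The new DNS_R_DNAME branch writes `*exists = ISC_FALSE` but leaves `*data` and `wild` untouched and carries no comment, whereas the sibling "parent nsec" branch just above explains why its NSEC is rejected, and the nsec.h text added in this patch mentions only `wild`. Add a comment above the `if` saying that the NSEC owner has a DNAME and `name` is a proper subdomain of it, so `name` cannot exist in this zone in its own right but is reached through the DNAME, that DNS_R_DNAME is returned instead of ISC_R_SUCCESS precisely so callers do not turn this proof into a synthesized NXDOMAIN for a name that resolves via the DNAME, and that only `*exists` is written on this path. The `dns_namereln_subdomain` test deliberately excludes the DNAME owner itself, whose NSEC still denies types at that name normally; stating that in the comment would stop someone relaxing the check to the equal relation later. How callers distinguish DNS_R_DNAME from ISC_R_IGNORE is decided outside this hunk, and the enclosing function continues past it.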