From 9745e98876535f1a32258150f953e1e5dbf67696 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 30 Dec 2009 08:19:52 +0000 Subject: [PATCH 01/22] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index f84f388263..3d8c80b775 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.95 2009/12/30 07:17:54 tbox Exp $ +# $Id: SRCID,v 1.96 2009/12/30 08:19:52 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2009/12/30 07:17:54 $ )" +SRCID="( $Date: 2009/12/30 08:19:52 $ )" From 6473a5d888a90aba1b557ab5102a42154e40837b Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 30 Dec 2009 23:30:48 +0000 Subject: [PATCH 02/22] newcopyrights --- util/copyrights | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index c14d7f89e4..e1b59f9878 100644 --- a/util/copyrights +++ b/util/copyrights @@ -818,6 +818,7 @@ ./bin/tests/system/pending/ns1/named.conf CONF-C 2009 ./bin/tests/system/pending/ns1/root.db.in ZONE 2009 ./bin/tests/system/pending/ns1/sign.sh SH 2009 +./bin/tests/system/pending/ns2/example.com.db.in ZONE 2009 ./bin/tests/system/pending/ns2/example.db.in ZONE 2009 ./bin/tests/system/pending/ns2/named.conf CONF-C 2009 ./bin/tests/system/pending/ns2/sign.sh SH 2009 @@ -1887,7 +1888,7 @@ ./lib/dns/include/dns/masterdump.h C 1999,2000,2001,2002,2004,2005,2006,2007,2008 ./lib/dns/include/dns/message.h C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/include/dns/name.h C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2009 -./lib/dns/include/dns/ncache.h C 1999,2000,2001,2002,2004,2005,2006,2007,2008 +./lib/dns/include/dns/ncache.h C 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009 ./lib/dns/include/dns/nsec.h C 1999,2000,2001,2003,2004,2005,2006,2007,2008 ./lib/dns/include/dns/nsec3.h C 2008,2009 ./lib/dns/include/dns/opcode.h C 2002,2004,2005,2006,2007 From 400615c2942dd77f1a4070669c4de455957655c5 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 30 Dec 2009 23:49:14 +0000 Subject: [PATCH 03/22] update copyright notice --- lib/dns/include/dns/ncache.h | 4 ++-- lib/dns/zone.c | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h index 4ab32c8c8d..8f5f8f21a5 100644 --- a/lib/dns/include/dns/ncache.h +++ b/lib/dns/include/dns/ncache.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2002 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ncache.h,v 1.26 2009/12/30 06:46:58 each Exp $ */ +/* $Id: ncache.h,v 1.27 2009/12/30 23:49:14 tbox Exp $ */ #ifndef DNS_NCACHE_H #define DNS_NCACHE_H 1 diff --git a/lib/dns/zone.c b/lib/dns/zone.c index c87e468e26..644a8419a7 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.548 2009/12/30 03:38:57 each Exp $ */ +/* $Id: zone.c,v 1.549 2009/12/30 23:49:12 tbox Exp $ */ /*! \file */ @@ -13774,7 +13774,7 @@ zone_rekey(dns_zone_t *zone) { dns_db_closeversion(db, &ver, commit); if (commit) { - LOCK_ZONE(zone); + LOCK_ZONE(zone); DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOTIFYRESIGN); for (key = ISC_LIST_HEAD(rmkeys); @@ -13795,7 +13795,7 @@ zone_rekey(dns_zone_t *zone) { key->first_sign = ISC_FALSE; } } - UNLOCK_ZONE(zone); + UNLOCK_ZONE(zone); } isc_time_settoepoch(&zone->refreshkeytime); From 7549cd6daa83addf71896323151b3ccaf9f386c3 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 31 Dec 2009 00:20:02 +0000 Subject: [PATCH 04/22] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 3d8c80b775..f9efe6d813 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.96 2009/12/30 08:19:52 tbox Exp $ +# $Id: SRCID,v 1.97 2009/12/31 00:20:02 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2009/12/30 08:19:52 $ )" +SRCID="( $Date: 2009/12/31 00:20:02 $ )" From 845bb3195a4f50d438ec0fcd5d79593010314319 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Mon, 4 Jan 2010 22:30:14 +0000 Subject: [PATCH 05/22] 2829. [bug] Fixed potential node inconsistency in rbtdb.c. [RT #20808] --- CHANGES | 3 +++ lib/dns/rbtdb.c | 13 ++++++++----- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 6306d3604a..30fac84d5b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2829. [bug] Fixed potential node inconsistency in rbtdb.c. + [RT #20808] + 2828. [security] Cached CNAME or DNAME RR could be returned to clients without DNSSEC validation. [RT #20737] diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index d50ef92f67..cec7aa5e05 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.296 2009/12/30 08:02:23 jinmei Exp $ */ +/* $Id: rbtdb.c,v 1.297 2010/01/04 22:30:14 each Exp $ */ /*! \file */ @@ -2377,7 +2377,8 @@ add_wildcard_magic(dns_rbtdb_t *rbtdb, dns_name_t *name) { result = dns_rbt_addnode(rbtdb->tree, &foundname, &node); if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) return (result); - node->nsec = DNS_RBT_NSEC_NORMAL; + if (result == ISC_R_SUCCESS) + node->nsec = DNS_RBT_NSEC_NORMAL; node->find_callback = 1; node->wild = 1; return (ISC_R_SUCCESS); @@ -2405,7 +2406,8 @@ add_empty_wildcards(dns_rbtdb_t *rbtdb, dns_name_t *name) { &node); if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS) return (result); - node->nsec = DNS_RBT_NSEC_NORMAL; + if (result == ISC_R_SUCCESS) + node->nsec = DNS_RBT_NSEC_NORMAL; } i++; } @@ -5762,6 +5764,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, free_rdataset(rbtdb, rbtdb->common.mctx, newheader); newheader = (rdatasetheader_t *)merged; + init_rdataset(rbtdb, newheader); if (loading && RESIGN(newheader) && RESIGN(header) && header->resign < newheader->resign) @@ -6512,7 +6515,7 @@ loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep, * just now getting an NSEC record. */ if ((*nodep)->nsec == DNS_RBT_NSEC_HAS_NSEC) - return noderesult; + return (noderesult); } else if (noderesult != ISC_R_SUCCESS) { return (noderesult); } @@ -6932,7 +6935,7 @@ setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) { } else if (resign < oldresign) isc_heap_increased(rbtdb->heaps[header->node->locknum], header->heap_index); - else + else if (resign > oldresign) isc_heap_decreased(rbtdb->heaps[header->node->locknum], header->heap_index); } else if (resign && header->heap_index == 0) { From d3a6cd7c7e13707d0c26e1af0e026dd6c22c5e99 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Mon, 4 Jan 2010 22:47:58 +0000 Subject: [PATCH 06/22] 2830. [bug] Changing the OPTOUT setting could take multiple passes. [RT #20813] --- CHANGES | 3 +++ lib/dns/nsec3.c | 33 ++++++++++++++++----------------- 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/CHANGES b/CHANGES index 30fac84d5b..0986721973 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2830. [bug] Changing the OPTOUT setting could take multiple + passes. [RT #20813] + 2829. [bug] Fixed potential node inconsistency in rbtdb.c. [RT #20808] diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c index 3ae4f2daaa..05395ba293 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsec3.c,v 1.13 2009/12/01 05:28:40 marka Exp $ */ +/* $Id: nsec3.c,v 1.14 2010/01/04 22:47:58 each Exp $ */ #include @@ -557,7 +557,7 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version, dns_rdataset_t rdataset; int pass; isc_boolean_t exists; - isc_boolean_t remove_unsecure = ISC_FALSE; + isc_boolean_t maybe_remove_unsecure = ISC_FALSE; isc_uint8_t flags; isc_buffer_t buffer; isc_result_t result; @@ -638,8 +638,12 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version, */ if (!unsecure) goto addnsec3; - else - remove_unsecure = ISC_TRUE; + else if (CREATE(nsec3param->flags) && OPTOUT(flags)) { + result = dns_nsec3_delnsec3(db, version, name, + nsec3param, diff); + goto failure; + } else + maybe_remove_unsecure = ISC_TRUE; } else { dns_rdataset_disassociate(&rdataset); if (result != ISC_R_NOMORE) @@ -675,26 +679,19 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version, if (result != ISC_R_SUCCESS) goto failure; - if (remove_unsecure) { + if (maybe_remove_unsecure) { dns_rdataset_disassociate(&rdataset); /* - * We have found the previous NSEC3 record and can now - * see if the existing NSEC3 record needs to be - * updated or deleted. + * If we have OPTOUT set in the previous NSEC3 record + * we actually need to delete the NSEC3 record. + * Otherwise we just need to replace the NSEC3 record. */ - if (!OPTOUT(nsec3.flags)) { - /* - * Just update the NSEC3 record. - */ - goto addnsec3; - } else { - /* - * This is actually a deletion not a add. - */ + if (OPTOUT(nsec3.flags)) { result = dns_nsec3_delnsec3(db, version, name, nsec3param, diff); goto failure; } + goto addnsec3; } else { /* * Is this is a unsecure delegation we are adding? @@ -1273,6 +1270,8 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name, */ nsec3.next = nexthash; nsec3.next_length = next_length; + if (CREATE(nsec3param->flags)) + nsec3.flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT; isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf)); CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass, dns_rdatatype_nsec3, &nsec3, From 9ee9011747e805ce0fa9566edbf0a0afd9d1c0f4 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Mon, 4 Jan 2010 23:17:18 +0000 Subject: [PATCH 07/22] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index f9efe6d813..13664ae372 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.97 2009/12/31 00:20:02 tbox Exp $ +# $Id: SRCID,v 1.98 2010/01/04 23:17:18 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2009/12/31 00:20:02 $ )" +SRCID="( $Date: 2010/01/04 23:17:18 $ )" From 205c10066a0acfeac52d1a135671f41d207b8557 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Mon, 4 Jan 2010 23:30:43 +0000 Subject: [PATCH 08/22] newcopyrights --- util/copyrights | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/util/copyrights b/util/copyrights index e1b59f9878..003ba84db3 100644 --- a/util/copyrights +++ b/util/copyrights @@ -1,6 +1,6 @@ ./.cvsignore X 1998,1999,2000,2001,2004 -./CHANGES X 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 -./COPYRIGHT TXT 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./CHANGES X 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 +./COPYRIGHT TXT 1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./FAQ X 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./FAQ.xml SGML 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./Makefile.in MAKE 1998,1999,2000,2001,2002,2004,2005,2006,2007,2008,2009 @@ -1759,7 +1759,7 @@ ./doc/misc/sdb TXT.BRIEF 2000,2001,2004 ./doc/misc/sort-options.pl PERL 2007 ./doc/private/CHANGES X 2000,2001 -./doc/private/SRCID X 2009 +./doc/private/SRCID X 2009,2010 ./doc/private/branches X 2002,2003,2004,2005,2006,2007,2008,2009 ./doc/private/bugfix-by-assertion X 2001 ./doc/private/delete-list X 2005,2006,2007,2008,2009 @@ -1952,7 +1952,7 @@ ./lib/dns/name.c C 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/ncache.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008 ./lib/dns/nsec.c C 1999,2000,2001,2003,2004,2005,2007,2008,2009 -./lib/dns/nsec3.c C 2006,2008,2009 +./lib/dns/nsec3.c C 2006,2008,2009,2010 ./lib/dns/openssl_link.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./lib/dns/openssldh_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009 ./lib/dns/openssldsa_link.c C.NAI 1999,2000,2001,2002,2004,2005,2006,2007,2008,2009 @@ -1962,7 +1962,7 @@ ./lib/dns/portlist.c C 2003,2004,2005,2006,2007 ./lib/dns/private.c C 2009 ./lib/dns/rbt.c C 1999,2000,2001,2002,2003,2004,2005,2007,2008,2009 -./lib/dns/rbtdb.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./lib/dns/rbtdb.c C 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./lib/dns/rbtdb.h C 1999,2000,2001,2004,2005,2007 ./lib/dns/rbtdb64.c C 1999,2000,2001,2004,2005,2007 ./lib/dns/rbtdb64.h C 1999,2000,2001,2004,2005,2007 From 842920c7db2db1de1a0f9571f77aee5ea92ae5bb Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Mon, 4 Jan 2010 23:48:51 +0000 Subject: [PATCH 09/22] update copyright notice --- COPYRIGHT | 4 ++-- lib/dns/nsec3.c | 4 ++-- lib/dns/rbtdb.c | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/COPYRIGHT b/COPYRIGHT index 452f97d7b0..855b960290 100644 --- a/COPYRIGHT +++ b/COPYRIGHT @@ -1,4 +1,4 @@ -Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") Copyright (C) 1996-2003 Internet Software Consortium. Permission to use, copy, modify, and/or distribute this software for any @@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -$Id: COPYRIGHT,v 1.15 2009/01/05 23:47:53 tbox Exp $ +$Id: COPYRIGHT,v 1.16 2010/01/04 23:48:51 tbox Exp $ Portions Copyright (C) 1996-2001 Nominum, Inc. diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c index 05395ba293..c291c7ea66 100644 --- a/lib/dns/nsec3.c +++ b/lib/dns/nsec3.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006, 2008, 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2006, 2008-2010 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: nsec3.c,v 1.14 2010/01/04 22:47:58 each Exp $ */ +/* $Id: nsec3.c,v 1.15 2010/01/04 23:48:51 tbox Exp $ */ #include diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c index cec7aa5e05..cf491d3183 100644 --- a/lib/dns/rbtdb.c +++ b/lib/dns/rbtdb.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.297 2010/01/04 22:30:14 each Exp $ */ +/* $Id: rbtdb.c,v 1.298 2010/01/04 23:48:51 tbox Exp $ */ /*! \file */ From fa0736a34119b60d90fb16dfb9929739fdd42790 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 5 Jan 2010 00:19:28 +0000 Subject: [PATCH 10/22] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 13664ae372..668a150426 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.98 2010/01/04 23:17:18 tbox Exp $ +# $Id: SRCID,v 1.99 2010/01/05 00:19:28 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/01/04 23:17:18 $ )" +SRCID="( $Date: 2010/01/05 00:19:28 $ )" From 564d6871323ee7fb04014584e311ea1bc5898242 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Tue, 5 Jan 2010 15:31:58 +0000 Subject: [PATCH 11/22] missing newline in dnssec-signzone usage --- bin/dnssec/dnssec-signzone.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 1d327a10fe..6ed529b96f 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.258 2009/12/04 22:06:37 tbox Exp $ */ +/* $Id: dnssec-signzone.c,v 1.259 2010/01/05 15:31:58 each Exp $ */ /*! \file */ @@ -3256,7 +3256,7 @@ usage(void) { fprintf(stderr, "use pseudorandom data (faster but less secure)\n"); fprintf(stderr, "\t-P:\t"); fprintf(stderr, "disable post-sign verification\n"); - fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs"); + fprintf(stderr, "\t-T TTL:\tTTL for newly added DNSKEYs\n"); fprintf(stderr, "\t-t:\t"); fprintf(stderr, "print statistics\n"); fprintf(stderr, "\t-u:\t"); From f9205dd2efa763e14d9b8a99270f5af04195df7d Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 5 Jan 2010 16:17:10 +0000 Subject: [PATCH 12/22] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 668a150426..cf8eeeec0b 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.99 2010/01/05 00:19:28 tbox Exp $ +# $Id: SRCID,v 1.100 2010/01/05 16:17:10 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/01/05 00:19:28 $ )" +SRCID="( $Date: 2010/01/05 16:17:10 $ )" From 0261624e843edaab7e276c43fe3d39c7029716a7 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 5 Jan 2010 23:18:43 +0000 Subject: [PATCH 13/22] auto update --- doc/private/branches | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/private/branches b/doc/private/branches index 62f167c29a..8bf665e248 100644 --- a/doc/private/branches +++ b/doc/private/branches @@ -299,6 +299,7 @@ rt20759 new marka // 2009-12-22 22:09 +0000 rt20760 new each // 2009-12-19 03:42 +0000 rt20784 new fdupont // 2009-12-29 15:30 +0000 rt20801 new fdupont // 2009-12-29 15:34 +0000 +rt20831 new sar // 2010-01-05 20:15 +0000 shane_dbbackend open skan open explorer skan-metazones1 private explorer From 0977f3f39ef6728516be7976452b9122c8f5607a Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 5 Jan 2010 23:30:42 +0000 Subject: [PATCH 14/22] newcopyrights --- util/copyrights | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/util/copyrights b/util/copyrights index 003ba84db3..70bbb71aa4 100644 --- a/util/copyrights +++ b/util/copyrights @@ -110,7 +110,7 @@ ./bin/dnssec/dnssec-settime.docbook SGML 2009 ./bin/dnssec/dnssec-settime.html HTML 2009 ./bin/dnssec/dnssec-signzone.8 MAN DOCBOOK -./bin/dnssec/dnssec-signzone.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./bin/dnssec/dnssec-signzone.c C.NAI 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./bin/dnssec/dnssec-signzone.docbook SGML 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 ./bin/dnssec/dnssec-signzone.html HTML DOCBOOK ./bin/dnssec/dnssectool.c C 2000,2001,2003,2004,2005,2007,2009 @@ -1760,7 +1760,7 @@ ./doc/misc/sort-options.pl PERL 2007 ./doc/private/CHANGES X 2000,2001 ./doc/private/SRCID X 2009,2010 -./doc/private/branches X 2002,2003,2004,2005,2006,2007,2008,2009 +./doc/private/branches X 2002,2003,2004,2005,2006,2007,2008,2009,2010 ./doc/private/bugfix-by-assertion X 2001 ./doc/private/delete-list X 2005,2006,2007,2008,2009 ./doc/private/options TXT.BRIEF 2000,2001,2004 @@ -2759,7 +2759,7 @@ ./util/check-instincludes.sh SH 2000,2001,2004,2007 ./util/check-pullups.pl PERL 2001,2002,2003,2004,2007 ./util/check-sources.pl PERL 2000,2001,2004,2007 -./util/copyrights X 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009 +./util/copyrights X 1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 ./util/kit.sh SH 2000,2001,2002,2003,2004,2007,2008,2009 ./util/mandoc2docbook.pl PERL 2001,2004,2007 ./util/mdnbuildtest.sh SH 2000,2001,2004,2007 From 3ee13712120f9bfbd7e752978acbeeecd6c920f2 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Tue, 5 Jan 2010 23:48:37 +0000 Subject: [PATCH 15/22] update copyright notice --- bin/dnssec/dnssec-signzone.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 6ed529b96f..7e325a67db 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.259 2010/01/05 15:31:58 each Exp $ */ +/* $Id: dnssec-signzone.c,v 1.260 2010/01/05 23:48:37 tbox Exp $ */ /*! \file */ From f977f347f04c2fbddb56d8cce568dca0d0454be3 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 6 Jan 2010 00:19:50 +0000 Subject: [PATCH 16/22] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index cf8eeeec0b..1376a7ca5f 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.100 2010/01/05 16:17:10 tbox Exp $ +# $Id: SRCID,v 1.101 2010/01/06 00:19:50 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/01/05 16:17:10 $ )" +SRCID="( $Date: 2010/01/06 00:19:50 $ )" From b1fbf2a4db3b65b9c624ed627d4b4a8cafc5246a Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Wed, 6 Jan 2010 00:53:45 +0000 Subject: [PATCH 17/22] fix spacing --- bin/dnssec/dnssec-settime.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index ace041b026..24cc2f6541 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-settime.c,v 1.21 2009/12/18 23:49:02 tbox Exp $ */ +/* $Id: dnssec-settime.c,v 1.22 2010/01/06 00:53:45 each Exp $ */ /*! \file */ @@ -58,10 +58,10 @@ usage(void) { fprintf(stderr, "Version: %s\n", VERSION); fprintf(stderr, "General options:\n"); #ifdef USE_PKCS11 - fprintf(stderr, " -E engine: specify OpenSSL engine " + fprintf(stderr, " -E engine: specify OpenSSL engine " "(default \"pkcs11\")\n"); #else - fprintf(stderr, " -E engine: specify OpenSSL engine\n"); + fprintf(stderr, " -E engine: specify OpenSSL engine\n"); #endif fprintf(stderr, " -f: force update of old-style " "keys\n"); From 76e65f91518c6986ec09e3356080ccfa1b4cc825 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 6 Jan 2010 01:16:55 +0000 Subject: [PATCH 18/22] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 1376a7ca5f..008b12349e 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.101 2010/01/06 00:19:50 tbox Exp $ +# $Id: SRCID,v 1.102 2010/01/06 01:16:55 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/01/06 00:19:50 $ )" +SRCID="( $Date: 2010/01/06 01:16:55 $ )" From b29e5c56eb74a6de1a84c29879afc90ffc6b1436 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 6 Jan 2010 23:30:45 +0000 Subject: [PATCH 19/22] newcopyrights --- util/copyrights | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/util/copyrights b/util/copyrights index 70bbb71aa4..38f3dd6c56 100644 --- a/util/copyrights +++ b/util/copyrights @@ -106,7 +106,7 @@ ./bin/dnssec/dnssec-revoke.docbook SGML 2009 ./bin/dnssec/dnssec-revoke.html HTML 2009 ./bin/dnssec/dnssec-settime.8 MAN 2009 -./bin/dnssec/dnssec-settime.c C 2009 +./bin/dnssec/dnssec-settime.c C 2009,2010 ./bin/dnssec/dnssec-settime.docbook SGML 2009 ./bin/dnssec/dnssec-settime.html HTML 2009 ./bin/dnssec/dnssec-signzone.8 MAN DOCBOOK From 247f299fb05235185bfacb19262b8799cbb3e0e0 Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Wed, 6 Jan 2010 23:48:47 +0000 Subject: [PATCH 20/22] update copyright notice --- bin/dnssec/dnssec-settime.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index 24cc2f6541..003642d406 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-settime.c,v 1.22 2010/01/06 00:53:45 each Exp $ */ +/* $Id: dnssec-settime.c,v 1.23 2010/01/06 23:48:47 tbox Exp $ */ /*! \file */ From 4715754ba988e7e50ef53256a42d320df745553f Mon Sep 17 00:00:00 2001 From: Automatic Updater Date: Thu, 7 Jan 2010 00:19:43 +0000 Subject: [PATCH 21/22] update --- doc/private/SRCID | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/private/SRCID b/doc/private/SRCID index 008b12349e..a75b5ac99f 100644 --- a/doc/private/SRCID +++ b/doc/private/SRCID @@ -1,6 +1,6 @@ -# $Id: SRCID,v 1.102 2010/01/06 01:16:55 tbox Exp $ +# $Id: SRCID,v 1.103 2010/01/07 00:19:43 tbox Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. # -SRCID="( $Date: 2010/01/06 01:16:55 $ )" +SRCID="( $Date: 2010/01/07 00:19:43 $ )" From 597642c0baaf66172ca44104ed5a18957a969748 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 7 Jan 2010 16:48:23 +0000 Subject: [PATCH 22/22] 2831. [security] Do not attempt to validate or cache out-of-bailiwick data returned with a secure answer; it must be re-fetched from its original source and validated in that context. [RT #20819] --- CHANGES | 5 +++ bin/tests/system/pending/ns1/root.db.in | 3 +- bin/tests/system/pending/ns1/sign.sh | 4 +-- bin/tests/system/pending/ns2/example.db.in | 5 ++- bin/tests/system/pending/ns2/forgery.db | 13 ++++++++ bin/tests/system/pending/ns2/named.conf | 8 ++++- bin/tests/system/pending/ns2/sign.sh | 4 +-- bin/tests/system/pending/tests.sh | 23 +++++++++++++- lib/dns/resolver.c | 36 ++++++++-------------- 9 files changed, 70 insertions(+), 31 deletions(-) create mode 100644 bin/tests/system/pending/ns2/forgery.db diff --git a/CHANGES b/CHANGES index 0986721973..db9a6d23dc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +2831. [security] Do not attempt to validate or cache + out-of-bailiwick data returned with a secure + answer; it must be re-fetched from its original + source and validated in that context. [RT #20819] + 2830. [bug] Changing the OPTOUT setting could take multiple passes. [RT #20813] diff --git a/bin/tests/system/pending/ns1/root.db.in b/bin/tests/system/pending/ns1/root.db.in index 41d868142d..7dc3bdb736 100644 --- a/bin/tests/system/pending/ns1/root.db.in +++ b/bin/tests/system/pending/ns1/root.db.in @@ -12,7 +12,7 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: root.db.in,v 1.4 2009/12/30 08:02:22 jinmei Exp $ +; $Id: root.db.in,v 1.5 2010/01/07 16:48:23 each Exp $ $TTL 30 . IN SOA marka.isc.org. a.root.servers.nil. ( @@ -31,3 +31,4 @@ example.com. NS ns2.example.com. ns2.example.com. A 10.53.0.2 hostile. NS ns3.hostile. ns3.hostile. A 10.53.0.3 +nice.good. A 10.10.10.10 diff --git a/bin/tests/system/pending/ns1/sign.sh b/bin/tests/system/pending/ns1/sign.sh index 6a76323e09..5188fe6b69 100644 --- a/bin/tests/system/pending/ns1/sign.sh +++ b/bin/tests/system/pending/ns1/sign.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.3 2009/12/30 08:02:22 jinmei Exp $ +# $Id: sign.sh,v 1.4 2010/01/07 16:48:23 each Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -34,7 +34,7 @@ keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone` keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -f KSK -n zone $zone` cat $infile $keyname1.key $keyname2.key > $zonefile -$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null +$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 # Configure the resolving server with a trusted key. diff --git a/bin/tests/system/pending/ns2/example.db.in b/bin/tests/system/pending/ns2/example.db.in index ca0d596b21..c5ee977676 100644 --- a/bin/tests/system/pending/ns2/example.db.in +++ b/bin/tests/system/pending/ns2/example.db.in @@ -12,9 +12,10 @@ ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR ; PERFORMANCE OF THIS SOFTWARE. -; $Id: example.db.in,v 1.2 2009/11/17 23:55:18 marka Exp $ +; $Id: example.db.in,v 1.3 2010/01/07 16:48:23 each Exp $ $TTL 30 +$ORIGIN example. @ IN SOA mname1. . ( 2009110300 ; serial 20 ; refresh (20 seconds) @@ -26,3 +27,5 @@ $TTL 30 MX 10 mail ns2 A 10.53.0.2 mail A 10.0.0.2 +bad CNAME nice.good. +worse A 6.6.6.6 diff --git a/bin/tests/system/pending/ns2/forgery.db b/bin/tests/system/pending/ns2/forgery.db new file mode 100644 index 0000000000..e320ab1121 --- /dev/null +++ b/bin/tests/system/pending/ns2/forgery.db @@ -0,0 +1,13 @@ +$TTL 30 +$ORIGIN good. +@ IN SOA mname1. . ( + 2009110300 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + NS ns2 +ns2 A 10.53.0.2 + +nice.good. CNAME worse.example. diff --git a/bin/tests/system/pending/ns2/named.conf b/bin/tests/system/pending/ns2/named.conf index 7cc1ffbc63..811bc8d39f 100644 --- a/bin/tests/system/pending/ns2/named.conf +++ b/bin/tests/system/pending/ns2/named.conf @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: named.conf,v 1.4 2009/12/30 08:02:22 jinmei Exp $ */ +/* $Id: named.conf,v 1.5 2010/01/07 16:48:23 each Exp $ */ // NS2 @@ -51,3 +51,9 @@ zone "example.com" { file "example.com.db.signed"; allow-update { 10.53.0.0/8; }; }; + +zone "good" { + type master; + file "forgery.db"; + allow-query { any; }; +}; diff --git a/bin/tests/system/pending/ns2/sign.sh b/bin/tests/system/pending/ns2/sign.sh index 626927aa06..b5390f5dd6 100644 --- a/bin/tests/system/pending/ns2/sign.sh +++ b/bin/tests/system/pending/ns2/sign.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: sign.sh,v 1.4 2009/12/30 08:02:22 jinmei Exp $ +# $Id: sign.sh,v 1.5 2010/01/07 16:48:23 each Exp $ SYSTEMTESTTOP=../.. . $SYSTEMTESTTOP/conf.sh @@ -31,5 +31,5 @@ for domain in example example.com; do cat $infile $keyname1.key $keyname2.key >$zonefile - $SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null + $SIGNER -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1 done diff --git a/bin/tests/system/pending/tests.sh b/bin/tests/system/pending/tests.sh index c27b072a01..464bf6d864 100644 --- a/bin/tests/system/pending/tests.sh +++ b/bin/tests/system/pending/tests.sh @@ -14,7 +14,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: tests.sh,v 1.4 2009/12/30 08:02:22 jinmei Exp $ +# $Id: tests.sh,v 1.5 2010/01/07 16:48:23 each Exp $ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh @@ -158,5 +158,26 @@ test "$ans" = "$expect" || ret=1 test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'" status=`expr $status + $ret` +# +# Try to fool the resolver with an out-of-bailiwick CNAME +# +echo I:Trying to Prime out-of-bailiwick pending answer with CD +ret=0 +expect="10.10.10.10" +ans=`$DIG $DIGOPTS_CD @10.53.0.4 bad.example. A` || ret=1 +ans=`echo $ans | awk '{print $NF}'` +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'" +status=`expr $status + $ret` + +echo I:Confirming the out-of-bailiwick answer is not cached or reused with CD +ret=0 +expect="10.10.10.10" +ans=`$DIG $DIGOPTS_CD @10.53.0.4 nice.good. A` || ret=1 +ans=`echo $ans | awk '{print $NF}'` +test "$ans" = "$expect" || ret=1 +test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'" +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 4381d03913..6dc5791622 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.413 2009/11/18 23:48:07 tbox Exp $ */ +/* $Id: resolver.c,v 1.414 2010/01/07 16:48:23 each Exp $ */ /*! \file */ @@ -4359,11 +4359,19 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, rdataset->ttl = res->view->maxcachettl; /* - * If this rrset is in a secure domain, do DNSSEC validation - * for it, unless it is glue. + * If this RRset is in a secure domain, is in bailiwick, + * and is not glue, attempt DNSSEC validation. (We do not + * attempt to validate glue or out-of-bailiwick data--even + * though there might be some performance benefit to doing + * so--because it makes it simpler and safer to ensure that + * records from a secure domain are only cached if validated + * within the context of a query to the domain that owns + * them.) */ - if (secure_domain && rdataset->trust != dns_trust_glue) { + if (secure_domain && rdataset->trust != dns_trust_glue && + !EXTERNAL(rdataset)) { dns_trust_t trust; + /* * RRSIGs are validated as part of validating the * type they cover. @@ -4400,22 +4408,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, } /* - * Reject out of bailiwick additional records - * without RRSIGs as they can't possibly validate - * as "secure" and as we will never never want to - * store these as "answers" after validation. - */ - if (rdataset->trust == dns_trust_additional && - sigrdataset == NULL && EXTERNAL(rdataset)) - continue; - - /* - * XXXMPA: If we store as "answer" after validating - * then we need to do bailiwick processing and - * also need to track whether RRsets are in or - * out of bailiwick. This will require a another - * pending trust level. - * * Cache this rdataset/sigrdataset pair as * pending data. Track whether it was additional * or not. @@ -5784,9 +5776,7 @@ answer_response(fetchctx_t *fctx) { /* * This data is outside of * our query domain, and - * may only be cached if it - * comes from a secure zone - * and validates. + * may not be cached. */ rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;