2931. [bug] Temporarily and partially disable change 2864

because it would cause inifinite attempts of RRSIG
			queries.  This is an urgent care fix; we'll
			revisit the issue and complete the fix later.
			[RT #21710]

CHANGES

@@ -1,3 +1,9 @@
+2931.	[bug]		Temporarily and partially disable change 2864
+			because it would cause inifinite attempts of RRSIG
+			queries.  This is an urgent care fix; we'll
+			revisit the issue and complete the fix later.
+			[RT #21710]
+
 	--- 9.7.2b1 released ---
 
 2930.	[experimental]	New "rndc addzone" and "rndc delzone" commads

bin/named/query.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.335.8.7 2010/06/26 23:46:27 tbox Exp $ */
+/* $Id: query.c,v 1.335.8.8 2010/07/15 01:26:10 jinmei Exp $ */
 
 /*! \file */
 
@@ -4782,7 +4782,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		if (fname != NULL)
 			dns_message_puttempname(client->message, &fname);
 
-		if (n == 0) {
+		if (n == 0 && is_zone) {
 			/*
 			 * We didn't match any rdatasets.
 			 */
@@ -4796,6 +4796,18 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				 * glue.  Ugh.
 				 */
 				if (!is_zone) {
+					/*
+					 * Note: this is dead code because
+					 * is_zone is always true due to the
+					 * condition above.  But naive
+					 * recursion would cause infinite
+					 * attempts of recursion because
+					 * the answer to (RR)SIG queries
+					 * won't be cached.  Until we figure
+					 * out what we should do and implement
+					 * it we intentionally keep this code
+					 * dead.
+					 */
 					authoritative = ISC_FALSE;
 					dns_rdatasetiter_destroy(&rdsiter);
 					if (RECURSIONOK(client)) {

bin/tests/system/dnssec/ns3/secure.example.db.in

@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: secure.example.db.in,v 1.13.268.2 2010/06/26 23:46:27 tbox Exp $
+; $Id: secure.example.db.in,v 1.13.268.3 2010/07/15 01:26:10 jinmei Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
@@ -41,3 +41,6 @@ ns.insecure		A	10.53.0.2
 
 nosoa 			NS	ns.nosoa
 ns.nosoa		A	10.53.0.7
+
+normalthenrrsig		A	10.0.0.28
+rrsigonly		A	10.0.0.29

bin/tests/system/dnssec/tests.sh

@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.55.32.10 2010/06/28 01:37:20 marka Exp $
+# $Id: tests.sh,v 1.55.32.11 2010/07/15 01:26:10 jinmei Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -981,5 +981,28 @@ else
     echo "I:The DNSSEC update test requires the Net::DNS library." >&2
 fi
 
+# Check direct query for RRSIG.  If we first ask for normal (non RRSIG)
+# record, the corresponding RRSIG should be cached and subsequent query
+# for RRSIG will be returned with the cached record.
+echo "I:checking RRSIG query from cache ($n)"
+ret=0
+$DIG $DIGOPTS normalthenrrsig.secure.example. @10.53.0.4 a > /dev/null || ret=1
+ans=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.4 rrsig` || ret=1
+expect=`$DIG $DIGOPTS +short normalthenrrsig.secure.example. @10.53.0.3 rrsig | grep '^A' ` || ret=1
+test "$ans" = "$expect" || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# Check direct query for RRSIG: If it's not cached with other records,
+# it should result in an empty response.
+echo "I:checking RRSIG query not in cache ($n)"
+ret=0
+ans=`$DIG $DIGOPTS +short rrsigonly.secure.example. @10.53.0.4 rrsig` || ret=1
+test -z "$ans" || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status