include <dns/rdataclass.h>

type, class and responding nameserver.

CHANGES

@@ -1,3 +1,25 @@
+
+	--- 9.1.3-P3 released ---
+
+1512.	[bug]		Extend the delegation-only logging to return query
+			type, class and responding nameserver.
+
+1511.	[bug]		delegation-only was generating false positives
+			on negative answers from subzones.
+
+	--- 9.1.3-P2 released ---
+
+1509.	[bug]		Hint zones should accept delegation-only.  Forward
+			zone should not accept delegation-only.
+
+1508.	[bug]		Don't apply delegation-only checks to answers from
+			forwarders.
+
+1507.	[bug]		Handle BIND 8 style returns to NS queries to parents
+			when making delegation-only checks.
+
+1506.	[bug]		Wrong return type for dns_view_isdelegationonly().
+
 	--- 9.1.3-P1 released ---
 
 1504.	[func]		New zone type "delegation-only".

README

@@ -45,6 +45,14 @@ BIND 9
 
 
 
+BIND 9.1.3-P3
+
+	Fix a false positive with delegation-only.
+
+BIND 9.1.3-P2
+
+	Fix problems identified with delegation-only.
+
 BIND 9.1.3-P1
 
 	A new zone type delegation-only is now supported.

bin/named/server.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.276.2.3.6.1 2003/09/17 07:19:47 tale Exp $ */
+/* $Id: server.c,v 1.276.2.3.6.2 2003/09/19 07:06:43 marka Exp $ */
 
 #include <config.h>
 
@@ -1151,6 +1151,15 @@ configure_zone(dns_c_ctx_t *cctx, dns_c_zone_t *czone, dns_c_view_t *cview,
 			goto cleanup;
 		}
 		result = configure_hints(view, czone->u.hzone.file);
+		/*
+		 * Hint zones may also refer to delegation only points.
+		 */
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+		only = ISC_FALSE;
+		if (dns_c_zone_getdelegationonly(czone, &only) ==
+		    ISC_R_SUCCESS && only)
+			result = dns_view_adddelegationonly(view, origin);
 		goto cleanup;
 	}
 
@@ -1241,11 +1250,10 @@ configure_zone(dns_c_ctx_t *cctx, dns_c_zone_t *czone, dns_c_view_t *cview,
 	}
 
 	/*
-	 * Stub and forward zones may also refer to delegation only points.
+	 * Stub zones may also refer to delegation only points.
 	 */
 	only = ISC_FALSE;
-	if ((czone->ztype == dns_c_zone_stub ||
-	     czone->ztype == dns_c_zone_forward) &&
+	if (czone->ztype == dns_c_zone_stub &&
 	    dns_c_zone_getdelegationonly(czone, &only) == ISC_R_SUCCESS) {
 		if (only)
 			CHECK(dns_view_adddelegationonly(view, origin));

doc/arm/Bv9ARM-book.xml

@@ -2,7 +2,7 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
                "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.72.2.22.6.1 2003/09/17 08:17:30 marka Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.72.2.22.6.2 2003/09/19 07:06:44 marka Exp $ -->
 
 <book>
 
@@ -2450,8 +2450,7 @@ those servers during resolution.
 <entry colname = "1"><para><command>delegation-only</command></para></entry>
 <entry colname = "2"><para>Delegation only.  Logs queries that have have
 been forced to NXDOMAIN as the result of a delegation-only zone or
-a <command>delegation-only</command> in a stub or forward
-zone declartation.
+a <command>delegation-only</command> in a hint or stub zone declartation.
 </para></entry>
 </row>
 </tbody>
@@ -3922,7 +3921,9 @@ Classes other than IN have no built-in defaults hints.</para></entry>
 status of infrastructure zones (e.g. COM, NET, ORG).  Any answer that
 is received without a explicit or implict delegation in the authority
 section will be treated as NXDOMAIN.  This does not apply to the zone
-apex.  This SHOULD NOT be applied to leaf zones.</para></entry>
+apex.  This SHOULD NOT be applied to leaf zones.</para>
+<para><varname>delegation-only</varname> has no effect on answers received
+from forwarders.</para></entry>
 </row>
 </tbody>
 </tgroup></informaltable></sect3>
@@ -4039,7 +4040,7 @@ with the distribution but none are linked in by default.</para>
 <row rowsep = "0">
 <entry colname = "1">
 <para><command>delegation-only</command></para></entry>
-<entry colname = "2"><para>The flag only applies to forward and stub zones.  If set
+<entry colname = "2"><para>The flag only applies to hint and stub zones.  If set
 to <userinput>yes</userinput> then the zone will also be treated as if it
 is also a delegation-only type zone.
 </para>

lib/dns/config/confparser.y.dirty

@@ -33,7 +33,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: confparser.y.dirty,v 1.44.2.8.10.1 2003/09/17 07:19:49 tale Exp $ */
+/* $Id: confparser.y.dirty,v 1.44.2.8.10.2 2003/09/19 06:55:44 marka Exp $ */
 
 #include <config.h>
 
@@ -1889,7 +1889,7 @@ ordering_name: /* nothing */
 			$$ = $2;
 		}
 	}
-
+	;
 
 rrset_ordering_element: ordering_class ordering_type ordering_name
 	L_ORDER L_STRING
@@ -1919,7 +1919,7 @@ rrset_ordering_element: ordering_class ordering_type ordering_name
 		isc_mem_free(memctx, $5);
 		isc_mem_free(memctx, $3);
 	}
-
+	;
 
 transfer_format: L_ONE_ANSWER
 	{
@@ -2189,6 +2189,7 @@ yea_or_nay: L_YES
 			$$ = isc_boolean_true;
 		}
 	}
+	;
 
 notify_setting: yea_or_nay
 	{
@@ -4959,6 +4960,7 @@ class_name: any_string
 		isc_mem_free(memctx, $1);
 		$$ = cl;
 	}
+	;
 
 wild_class_name: any_string
 	{
@@ -4982,6 +4984,7 @@ wild_class_name: any_string
 		isc_mem_free(memctx, $1);
 		$$ = cl;
 	}
+	;
 
 optional_class: /* Empty */
 	{

lib/dns/config/confzone.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: confzone.c,v 1.72.2.5.10.1 2003/09/17 07:19:50 tale Exp $ */
+/* $Id: confzone.c,v 1.72.2.5.10.2 2003/09/19 07:06:48 marka Exp $ */
 
 #include <config.h>
 
@@ -1089,14 +1089,14 @@ dns_c_zone_setdelegationonly(dns_c_zone_t *zone, isc_boolean_t only) {
 		bit = TZ_DELEGATION_ONLY_BIT;
 		break;
 
-	case dns_c_zone_forward:
+	case dns_c_zone_hint:
 		bits = &zone->u.fzone.setflags;
 		bit = FZ_DELEGATION_ONLY_BIT;
 		break;
 
 	case dns_c_zone_master:
 	case dns_c_zone_slave:
-	case dns_c_zone_hint:
+	case dns_c_zone_forward:
 	case dns_c_zone_delegationonly:
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,
@@ -1137,14 +1137,14 @@ dns_c_zone_getdelegationonly(dns_c_zone_t *zone, isc_boolean_t *retval) {
 		bit = TZ_DELEGATION_ONLY_BIT;
 		break;
 
-	case dns_c_zone_forward:
+	case dns_c_zone_hint:
 		bits = &zone->u.fzone.setflags;
 		bit = FZ_DELEGATION_ONLY_BIT;
 		break;
 
 	case dns_c_zone_master:
 	case dns_c_zone_slave:
-	case dns_c_zone_hint:
+	case dns_c_zone_forward:
 	case dns_c_zone_delegationonly:
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_CONFIG,
 			      DNS_LOGMODULE_CONFIG, ISC_LOG_CRITICAL,

lib/dns/resolver.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.187.2.10.6.1 2003/09/17 07:19:48 tale Exp $ */
+/* $Id: resolver.c,v 1.187.2.10.6.6 2003/09/22 00:35:12 marka Exp $ */
 
 #include <config.h>
 
@@ -35,6 +35,7 @@
 #include <dns/ncache.h>
 #include <dns/peer.h>
 #include <dns/rdata.h>
+#include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/rdatastruct.h>
@@ -295,9 +296,9 @@ static isc_result_t ncache_adderesult(dns_message_t *message,
 				      isc_result_t *eresultp);
 
 static isc_boolean_t
-fix_mustbedelegationornxdomain(dns_message_t *message, dns_name_t *domain) {
-
+fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
 	dns_name_t *name;
+	dns_name_t *domain = &fctx->domain;
 	dns_rdataset_t *rdataset;
 	dns_rdatatype_t type;
 	isc_result_t result;
@@ -306,6 +307,33 @@ fix_mustbedelegationornxdomain(dns_message_t *message, dns_name_t *domain) {
 	if (message->rcode == dns_rcode_nxdomain)
 		return (ISC_FALSE);
 
+	/*
+	 * Look for BIND 8 style delegations.
+	 * Also look for answers to ANY queries where the duplicate NS RRset
+	 * may have been stripped from the authority section.
+	 */
+	if (message->counts[DNS_SECTION_ANSWER] != 0 &&
+	    (fctx->type == dns_rdatatype_ns ||
+	     fctx->type == dns_rdatatype_any)) {
+		result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+		while (result == ISC_R_SUCCESS) {
+			name = NULL;
+			dns_message_currentname(message, DNS_SECTION_ANSWER,
+						&name);
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				type = rdataset->type;
+				if (type != dns_rdatatype_ns)
+					continue;
+				if (dns_name_issubdomain(name, domain))
+					return (ISC_FALSE);
+			}
+			result = dns_message_nextname(message,
+						      DNS_SECTION_ANSWER);
+		}
+	}
+
 	/* Look for referral. */
 	if (message->counts[DNS_SECTION_AUTHORITY] == 0)
 		goto munge;
@@ -313,8 +341,7 @@ fix_mustbedelegationornxdomain(dns_message_t *message, dns_name_t *domain) {
 	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
 	while (result == ISC_R_SUCCESS) {
 		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY,
-					&name);
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
 		for (rdataset = ISC_LIST_HEAD(name->list);
 		     rdataset != NULL;
 		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
@@ -322,7 +349,8 @@ fix_mustbedelegationornxdomain(dns_message_t *message, dns_name_t *domain) {
 			if (type == dns_rdatatype_soa &&
 			    dns_name_equal(name, domain))
 				keep_auth = ISC_TRUE;
-			if (type != dns_rdatatype_ns)
+			if (type != dns_rdatatype_ns &&
+			    type != dns_rdatatype_soa)
 				continue;
 			if (dns_name_equal(name, domain))
 				goto munge;
@@ -4277,19 +4305,29 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Enforce delegations only zones like NET and COM.
 	 */
-	if (dns_view_isdelegationonly(fctx->res->view, &fctx->domain) &&
+	if (!ISFORWARDER(query->addrinfo) &&
+	    dns_view_isdelegationonly(fctx->res->view, &fctx->domain) &&
 	    !dns_name_equal(&fctx->domain, &fctx->name) &&
-	    fix_mustbedelegationornxdomain(message, &fctx->domain)) {
+	    fix_mustbedelegationornxdomain(message, fctx)) {
 		char namebuf[DNS_NAME_FORMATSIZE];
 		char domainbuf[DNS_NAME_FORMATSIZE];
+		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+		char classbuf[64];
+		char typebuf[64];
 
 		dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
 		dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+		dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
+		dns_rdataclass_format(fctx->res->rdclass, classbuf,
+				      sizeof(classbuf));
+		isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
+				    sizeof(addrbuf));
 
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
 			     DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
-			     "enforced delegation-only for '%s' (%s)",
-			     domainbuf, namebuf);
+			     "enforced delegation-only for '%s' (%s/%s/%s) "
+			     "from %s",
+			     domainbuf, namebuf, typebuf, classbuf, addrbuf);
 	}
 
 	/*

lib/dns/view.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.89.2.1.10.1 2003/09/17 07:19:49 tale Exp $ */
+/* $Id: view.c,v 1.89.2.1.10.2 2003/09/18 00:58:03 marka Exp $ */
 
 #include <config.h>
 
@@ -1180,7 +1180,7 @@ dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name) {
 	return (result);
 }
 
-isc_result_t
+isc_boolean_t
 dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name) {
 	dns_name_t *new;
 	isc_uint32_t hash;

version

@@ -1,4 +1,4 @@
-# $Id: version,v 1.18.4.19.6.1 2003/09/17 08:19:55 marka Exp $
+# $Id: version,v 1.18.4.19.6.3 2003/09/22 00:15:00 marka Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=1
 PATCHVER=3
 RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=3