ensure we try to validate glue records so RRSIG TTLs will be capped

(cherry picked from commit dfd73d7e16)

CHANGES

@@ -1,3 +1,6 @@
+4966.	[bug]		If glue records are signed, attempt to validate them.
+			[GL #209]
+
 4965.	[func]		Add support for marking options as deprecated.
 			[GL #322]
 
@@ -25,6 +28,9 @@
 4949.	[bug]		lib/isc/print.c failed to handle floating point
 			output correctly. [GL #261]
 
+4946.	[bug]		Additional glue was not being returned by resolver
+			for unsigned zones since change 4596. [GL #209]
+
 4939.	[test]		Add basic unit tests for update_sigs(). [GL #135]
 
 4933.	[bug]		Not creating signing keys for an inline signed zone

bin/named/bind9.xsl.h

@@ -5,7 +5,7 @@
 static char xslmsg[] =
 	"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
 	"<!--\n"
-	" - Copyright (C) 2006-2009, 2012-2015 Internet Systems Consortium, Inc. (\"ISC\")\n"
+	" - Copyright (C) Internet Systems Consortium, Inc. (\"ISC\")\n"
 	" -\n"
 	" - Permission to use, copy, modify, and/or distribute this software for any\n"
 	" - purpose with or without fee is hereby granted, provided that the above\n"

bin/named/query.c

@@ -1578,20 +1578,26 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 				dns_rdataset_disassociate(sigrdataset);
 		}
 		if (result == ISC_R_SUCCESS) {
+			isc_boolean_t invalid = ISC_FALSE;
 			mname = NULL;
 #ifdef ALLOW_FILTER_AAAA
 			have_a = ISC_TRUE;
 #endif
-			if (additionaltype == dns_rdatasetadditional_fromcache &&
+			if (additionaltype ==
+			    dns_rdatasetadditional_fromcache &&
 			    (DNS_TRUST_PENDING(rdataset->trust) ||
-			     DNS_TRUST_GLUE(rdataset->trust)) &&
-			    !validate(client, db, fname, rdataset, sigrdataset))
+			     DNS_TRUST_GLUE(rdataset->trust)))
 			{
+				/* validate() may change rdataset->trust */
+				invalid = ISC_TF(!validate(client, db, fname,
+							   rdataset,
+							   sigrdataset));
+			}
+			if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
 				dns_rdataset_disassociate(rdataset);
 				if (sigrdataset != NULL &&
 				    dns_rdataset_isassociated(sigrdataset))
 					dns_rdataset_disassociate(sigrdataset);
-				/* treat as if not found */
 			} else if (!query_isduplicate(client, fname,
 					       dns_rdatatype_a, &mname))
 			{
@@ -1641,6 +1647,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 				dns_rdataset_disassociate(sigrdataset);
 		}
 		if (result == ISC_R_SUCCESS) {
+			isc_boolean_t invalid = ISC_FALSE;
 			mname = NULL;
 			/*
 			 * There's an A; check whether we're filtering AAAA
@@ -1653,16 +1660,21 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 			      !dns_rdataset_isassociated(sigrdataset)))))
 				goto addname;
 #endif
-			if (additionaltype == dns_rdatasetadditional_fromcache &&
+			if (additionaltype ==
+			    dns_rdatasetadditional_fromcache &&
 			    (DNS_TRUST_PENDING(rdataset->trust) ||
-			     DNS_TRUST_GLUE(rdataset->trust)) &&
-			    !validate(client, db, fname, rdataset, sigrdataset))
+			     DNS_TRUST_GLUE(rdataset->trust)))
 			{
+				/* validate() may change rdataset->trust */
+				invalid = ISC_TF(!validate(client, db, fname,
+							   rdataset,
+							   sigrdataset));
+			}
+			if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
 				dns_rdataset_disassociate(rdataset);
 				if (sigrdataset != NULL &&
 				    dns_rdataset_isassociated(sigrdataset))
 					dns_rdataset_disassociate(sigrdataset);
-				/* treat as if not found */
 			} else if (!query_isduplicate(client, fname,
 					       dns_rdatatype_aaaa, &mname))
 			{
@@ -1819,6 +1831,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	dns_rdatasetadditional_t additionaltype;
 	dns_clientinfomethods_t cm;
 	dns_clientinfo_t ci;
+	isc_boolean_t invalid;
 
 	/*
 	 * If we don't have an additional cache call query_addadditional.
@@ -2120,11 +2133,16 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	 * If we can't promote glue/pending from the cache to secure
 	 * then drop it.
 	 */
+	invalid = ISC_FALSE;
 	if (result == ISC_R_SUCCESS &&
 	    additionaltype == dns_rdatasetadditional_fromcache &&
 	    (DNS_TRUST_PENDING(rdataset->trust) ||
-	     DNS_TRUST_GLUE(rdataset->trust)) &&
-	    !validate(client, db, fname, rdataset, sigrdataset)) {
+	     DNS_TRUST_GLUE(rdataset->trust)))
+	{
+		invalid = ISC_TF(!validate(client, db, fname,
+					   rdataset, sigrdataset));
+	}
+	if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
 		dns_rdataset_disassociate(rdataset);
 		if (dns_rdataset_isassociated(sigrdataset))
 			dns_rdataset_disassociate(sigrdataset);
@@ -2162,11 +2180,16 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	 * If we can't promote glue/pending from the cache to secure
 	 * then drop it.
 	 */
+	invalid = ISC_FALSE;
 	if (result == ISC_R_SUCCESS &&
 	    additionaltype == dns_rdatasetadditional_fromcache &&
 	    (DNS_TRUST_PENDING(rdataset->trust) ||
-	     DNS_TRUST_GLUE(rdataset->trust)) &&
-	    !validate(client, db, fname, rdataset, sigrdataset)) {
+	     DNS_TRUST_GLUE(rdataset->trust)))
+	{
+		invalid = ISC_TF(!validate(client, db, fname,
+					   rdataset, sigrdataset));
+	}
+	if (invalid && DNS_TRUST_PENDING(rdataset->trust)) {
 		dns_rdataset_disassociate(rdataset);
 		if (dns_rdataset_isassociated(sigrdataset))
 			dns_rdataset_disassociate(sigrdataset);

bin/tests/system/dnssec/tests.sh

@@ -23,6 +23,7 @@ n=1
 rm -f dig.out.*
 
 DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p ${PORT}"
+ADDITIONALOPTS="+noall +additional +dnssec -p ${PORT}"
 ANSWEROPTS="+noall +answer +dnssec -p ${PORT}"
 DELVOPTS="-a ns1/trusted.conf -p ${PORT}"
 RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
@@ -78,6 +79,18 @@ stripns () {
     awk '($4 == "NS") || ($4 == "RRSIG" && $5 == "NS") { next} { print }' $1
 }
 
+# Check that for a query against a validating resolver where the
+# authoritative zone is unsigned (insecure delegation), glue is returned
+# in the additional section
+echo_i "checking that additional glue is returned for unsigned delegation ($n)"
+ret=0
+$DIG +tcp +dnssec -p ${PORT} a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+grep "ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ns\.insecure\.example\..*A.10\.53\.0\.3" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 # Check the example. domain
 
 echo_i "checking that zone transfer worked ($n)"
@@ -2328,12 +2341,30 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
-echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section ($n)"
+echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (NS) ($n)"
 ret=0
 $RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
 sleep 1
-$DIG $ANSWEROPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
-$DIG $ANSWEROPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
+$DIG $ADDITIONALOPTS +cd expiring.example ns @10.53.0.4 > dig.out.ns4.1.$n
+$DIG $ADDITIONALOPTS expiring.example ns @10.53.0.4 > dig.out.ns4.2.$n
+ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
+ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
+for ttl in ${ttls:-300}; do
+    [ ${ttl:-0} -eq 300 ] || ret=1
+done
+for ttl in ${ttls2:-0}; do
+    [ ${ttl:-0} -le 60 ] || ret=1
+done
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section (MX) ($n)"
+ret=0
+$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+sleep 1
+$DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
+$DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
 ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
 ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
 for ttl in ${ttls:-300}; do
@@ -2390,8 +2421,8 @@ sleep 3
 echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with dnssec-accept-expired yes; ($n)"
 ret=0
 $RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
-$DIG $ANSWEROPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
-$DIG $ANSWEROPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
+$DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
+$DIG $ADDITIONALOPTS  expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
 ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
 ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
 for ttl in ${ttls:-300}; do
@@ -2406,9 +2437,9 @@ status=`expr $status + $ret`
 
 echo_i "testing TTL is capped at RRSIG expiry time for records in the additional section with acache off; ($n)"
 ret=0
-$RNDCCMD 10.53.0.4 flush
-$DIG $DIGOPTS +noall +additional +dnssec +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
-$DIG $DIGOPTS +noall +additional +dnssec expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
+$RNDCCMD 10.53.0.4 flush 2>&1 | sed 's/^/ns4 /' | cat_i
+$DIG $ADDITIONALOPTS +cd expiring.example mx @10.53.0.4 > dig.out.ns4.1.$n
+$DIG $ADDITIONALOPTS expiring.example mx @10.53.0.4 > dig.out.ns4.2.$n
 ttls=`awk '$1 != ";;" {print $2}' dig.out.ns4.1.$n`
 ttls2=`awk '$1 != ";;" {print $2}' dig.out.ns4.2.$n`
 for ttl in ${ttls:-300}; do