add <dns/rdataclass.h>

type, class and responding nameserver.

CHANGES

@@ -1,3 +1,25 @@
+
+	--- 9.2.2-P3 released ---
+
+1512.	[bug]		Extend the delegation-only logging to return query
+			type, class and responding nameserver.
+
+1511.	[bug]		delegation-only was generating false positives
+			on negative answers from subzones.
+
+	--- 9.2.2-P2 released ---
+
+1509.	[bug]		Hint zones should accept delegation-only.  Forward
+			zone should not accept delegation-only.
+
+1508.	[bug]		Don't apply delegation-only checks to answers from
+			forwarders.
+
+1507.	[bug]		Handle BIND 8 style returns to NS queries to parents
+			when making delegation-only checks.
+
+1506.	[bug]		Wrong return type for dns_view_isdelegationonly().
+
 	--- 9.2.2-P1 released ---
 
 1504.	[func]		New zone type "delegation-only".

README

@@ -43,6 +43,13 @@ BIND 9
 		Stichting NLnet - NLnet Foundation
 		Nominum, Inc.
 
+BIND 9.2.2-P3
+
+	Fix a false positive with delegation-only.
+
+BIND 9.2.2-P2
+
+	Fix problems identified with delegation-only.
 
 BIND 9.2.2-P1
 

bin/named/server.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.339.2.8.4.3.2.1 2003/09/17 05:40:36 explorer Exp $ */
+/* $Id: server.c,v 1.339.2.8.4.3.2.2 2003/09/19 06:29:58 marka Exp $ */
 
 #include <config.h>
 
@@ -1250,6 +1250,7 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
 	cfg_obj_t *forwardtype = NULL;
 	cfg_obj_t *only = NULL;
 	isc_result_t result;
+	isc_result_t tresult;
 	isc_buffer_t buffer;
 	dns_fixedname_t fixorigin;
 	dns_name_t *origin;
@@ -1315,14 +1316,25 @@ configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
 		}
 		if (dns_name_equal(origin, dns_rootname)) {
 			char *hintsfile = cfg_obj_asstring(fileobj);
+
 			result = configure_hints(view, hintsfile);
-			if (result != ISC_R_SUCCESS)
+			if (result != ISC_R_SUCCESS) {
 				isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 					      NS_LOGMODULE_SERVER,
 					      ISC_LOG_ERROR,
 					      "could not configure root hints "
 					      "from '%s': %s", hintsfile,
 					      isc_result_totext(result));
+				goto cleanup;
+			}
+			/*
+			 * Hint zones may also refer to delegation only points.
+			 */
+			only = NULL;
+			tresult = cfg_map_get(zoptions, "delegation-only",
+					      &only);
+			if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
+				CHECK(dns_view_adddelegationonly(view, origin));
 		} else {
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,

doc/arm/Bv9ARM-book.xml

@@ -2,7 +2,7 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
                "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.22.4.1.2.1 2003/09/17 05:40:37 explorer Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.22.4.1.2.2 2003/09/19 06:29:59 marka Exp $ -->
 
 <book>
 <title>BIND 9 Administrator Reference Manual</title>
@@ -2710,8 +2710,7 @@ those servers during resolution.
 <entry colname = "1"><para><command>delegation-only</command></para></entry>
 <entry colname = "2"><para>Delegation only.  Logs queries that have have
 been forced to NXDOMAIN as the result of a delegation-only zone or
-a <command>delegation-only</command> in a stub or forward
-zone declartation.
+a <command>delegation-only</command> in a hint or stub zone declartation.
 </para></entry>
 </row>
 </tbody>
@@ -4225,7 +4224,7 @@ view "external" {
 <sect2 id="zone_statement_grammar"><title><command>zone</command>
 Statement Grammar</title>
       <programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> <optional>{ 
-    type ( master | slave | hint | stub | forward /| delegation-only ) ;
+    type ( master | slave | hint | stub | forward | delegation-only ) ;
     <optional> allow-notify { <replaceable>address_match_list</replaceable> } ; </optional>
     <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> } ; </optional>
@@ -4364,7 +4363,9 @@ Classes other than IN have no built-in defaults hints.</para></entry>
 status of infrastructure zones (e.g. COM, NET, ORG).  Any answer that
 is received without a explicit or implict delegation in the authority
 section will be treated as NXDOMAIN.  This does not apply to the zone
-apex.  This SHOULD NOT be applied to leaf zones.</para></entry>
+apex.  This SHOULD NOT be applied to leaf zones.</para>
+<para><varname>delegation-only</varname> has no effect on answers received
+from forwarders.</para></entry>
 </row>
 </tbody>
 </tgroup></informaltable></sect3>
@@ -4472,7 +4473,7 @@ with the distribution but none are linked in by default.</para>
 </listitem></varlistentry>
 
 <varlistentry><term><command>delegation-only</command></term>
-<listitem><para>The flag only applies to forward and stub zones.  If set
+<listitem><para>The flag only applies to hint and stub zones.  If set
 to <userinput>yes</userinput> then the zone will also be treated as if it
 is also a delegation-only type zone.
 </para>

lib/dns/resolver.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.218.2.12.4.4.2.2 2003/09/17 05:56:16 explorer Exp $ */
+/* $Id: resolver.c,v 1.218.2.12.4.4.2.6 2003/09/22 00:31:32 marka Exp $ */
 
 #include <config.h>
 
@@ -35,6 +35,7 @@
 #include <dns/ncache.h>
 #include <dns/peer.h>
 #include <dns/rdata.h>
+#include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/rdatastruct.h>
@@ -292,9 +293,9 @@ static isc_result_t ncache_adderesult(dns_message_t *message,
 				      isc_result_t *eresultp);
 
 static isc_boolean_t
-fix_mustbedelegationornxdomain(dns_message_t *message, dns_name_t *domain) {
-
+fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
 	dns_name_t *name;
+	dns_name_t *domain = &fctx->domain;
 	dns_rdataset_t *rdataset;
 	dns_rdatatype_t type;
 	isc_result_t result;
@@ -303,6 +304,33 @@ fix_mustbedelegationornxdomain(dns_message_t *message, dns_name_t *domain) {
 	if (message->rcode == dns_rcode_nxdomain)
 		return (ISC_FALSE);
 
+	/*
+	 * Look for BIND 8 style delegations.
+	 * Also look for answers to ANY queries where the duplicate NS RRset
+	 * may have been stripped from the authority section.
+	 */
+	if (message->counts[DNS_SECTION_ANSWER] != 0 &&
+	    (fctx->type == dns_rdatatype_ns ||
+	     fctx->type == dns_rdatatype_any)) {
+		result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+		while (result == ISC_R_SUCCESS) {
+			name = NULL;
+			dns_message_currentname(message, DNS_SECTION_ANSWER,
+						&name);
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				type = rdataset->type;
+				if (type != dns_rdatatype_ns)
+					continue;
+				if (dns_name_issubdomain(name, domain))
+					return (ISC_FALSE);
+			}
+			result = dns_message_nextname(message,
+						      DNS_SECTION_ANSWER);
+		}
+	}
+
 	/* Look for referral. */
 	if (message->counts[DNS_SECTION_AUTHORITY] == 0)
 		goto munge;
@@ -310,8 +338,7 @@ fix_mustbedelegationornxdomain(dns_message_t *message, dns_name_t *domain) {
 	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
 	while (result == ISC_R_SUCCESS) {
 		name = NULL;
-		dns_message_currentname(message, DNS_SECTION_AUTHORITY,
-					&name);
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
 		for (rdataset = ISC_LIST_HEAD(name->list);
 		     rdataset != NULL;
 		     rdataset = ISC_LIST_NEXT(rdataset, link)) {
@@ -319,7 +346,8 @@ fix_mustbedelegationornxdomain(dns_message_t *message, dns_name_t *domain) {
 			if (type == dns_rdatatype_soa &&
 			    dns_name_equal(name, domain))
 				keep_auth = ISC_TRUE;
-			if (type != dns_rdatatype_ns)
+			if (type != dns_rdatatype_ns &&
+			    type != dns_rdatatype_soa)
 				continue;
 			if (dns_name_equal(name, domain))
 				goto munge;
@@ -4425,19 +4453,29 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	/*
 	 * Enforce delegations only zones like NET and COM.
 	 */
-	if (dns_view_isdelegationonly(fctx->res->view, &fctx->domain) &&
+	if (!ISFORWARDER(query->addrinfo) &&
+	    dns_view_isdelegationonly(fctx->res->view, &fctx->domain) &&
 	    !dns_name_equal(&fctx->domain, &fctx->name) &&
-	    fix_mustbedelegationornxdomain(message, &fctx->domain)) {
+	    fix_mustbedelegationornxdomain(message, fctx)) {
 		char namebuf[DNS_NAME_FORMATSIZE];
 		char domainbuf[DNS_NAME_FORMATSIZE];
+		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+		char classbuf[64];
+		char typebuf[64];
 
 		dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
 		dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+		dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
+		dns_rdataclass_format(fctx->res->rdclass, classbuf,
+				      sizeof(classbuf));
+		isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
+				    sizeof(addrbuf));
 
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
 			     DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
-			     "enforced delegation-only for '%s' (%s)",
-			     domainbuf, namebuf);
+			     "enforced delegation-only for '%s' (%s/%s/%s) "
+			     "from %s",
+			     domainbuf, namebuf, typebuf, classbuf, addrbuf);
 	}
 
 	/*

lib/dns/view.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.103.2.2.6.1 2003/09/17 05:40:40 explorer Exp $ */
+/* $Id: view.c,v 1.103.2.2.6.2 2003/09/18 01:00:04 marka Exp $ */
 
 #include <config.h>
 
@@ -1191,7 +1191,7 @@ dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name) {
 	return (result);
 }
 
-isc_result_t
+isc_boolean_t
 dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name) {
 	dns_name_t *new;
 	isc_uint32_t hash;

lib/isccfg/check.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.14.2.16.6.1 2003/09/17 05:40:40 explorer Exp $ */
+/* $Id: check.c,v 1.14.2.16.6.2 2003/09/19 06:30:01 marka Exp $ */
 
 #include <config.h>
 
@@ -131,7 +131,7 @@ check_zoneconf(cfg_obj_t *zconfig, isc_symtab_t *symtab, isc_log_t *logctx,
 	{ "notify", MASTERZONE | SLAVEZONE },
 	{ "also-notify", MASTERZONE | SLAVEZONE },
 	{ "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
-	{ "delegation-only", STUBZONE | FORWARDZONE},
+	{ "delegation-only", HINTZONE | STUBZONE },
 	{ "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE},
 	{ "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE},
 	{ "maintain-ixfr-base", MASTERZONE | SLAVEZONE },

version

@@ -1,4 +1,4 @@
-# $Id: version,v 1.26.2.15.4.1.2.1 2003/09/17 06:54:01 marka Exp $
+# $Id: version,v 1.26.2.15.4.1.2.3 2003/09/22 00:22:17 marka Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=2
 PATCHVER=2
 RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=3