[v9_6] prep 9.6-ESV-R10

encountered. [RT #34668]

CHANGES

@@ -1,3 +1,30 @@
+	--- 9.6-ESV-R10 released ---
+
+3638.	[cleanup]	Add the ability to handle ENOPROTOOPT in case it is 
+			encountered. [RT #34668]
+
+	--- 9.6-ESV-R10rc2 released ---
+
+3637.	[bug]		'allow-query-on' was checking the source address
+			rather than the destination address. [RT #34590]
+
+3636.	[bug]		Automatic empty zones now behave better with
+			forward only "zones" beneath them. [RT #34583]
+
+3634.	[func]		Report build-id in rndc status. Report build-id
+			when building from a git repository. [RT #20422]
+
+3633.	[cleanup]	Refactor OPT processing in named to make it easier
+			to support new EDNS options. [RT #34414]
+
+3631.	[bug]		Remove spurious warning about missing signatures when
+			qtype is SIG. [RT #34600]
+
+3630.	[bug]		Ensure correct ID computation for MD5 keys. [RT #33033]
+
+3625.	[bug]		Don't send notify messages to machines outside of the
+			test setup.
+
 	--- 9.6-ESV-R10rc1 released ---
 
 3615.	[cleanup]	"configure" now finishes by printing a summary
@@ -38,10 +65,11 @@
 3587.	[func]		'named -g' now checks the logging configuration but
 			does not use it. [RT #33473]
 
-3586.	[buf]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
+3586.	[bug]		Handle errors in xmlDocDumpFormatMemoryEnc. [RT #33706]
 
 3584.	[security]	Caching data from an incompletely signed zone could
-			trigger an assertion failure in resolver.c [RT #33690]
+			trigger an assertion failure in resolver.c
+			(CVE-2013-3919). [RT #33690]
 
 3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]
 

EXCLUDED

@@ -1,3 +1,21 @@
+3635.	[bug]		Signatures were not being removed from a zone with
+			only KSK keys for a algorithm. [RT #24439]
+
+3632.	[bug]		Signature from newly inactive keys were not being
+			removed. [RT #32178]
+
+3627.	[bug]		RPZ changes were not effective on slaves. [RT #34450]
+
+3624.	[bug]		Look for 'json_object_new_int64' when looking for a
+			the json library. [RT #34449]
+
+3622.	[tuning]	Eliminate an unnecessary lock when incrementing
+			cache statistics. [RT #34339]
+
+3621.	[security]	Incorrect bounds checking on private type 'keydata'
+			can lead to a remotely triggerable REQUIRE failure
+			(CVE-2013-4854). [RT #34238]
+
 3619.	[bug]		Fixed a bug in RPZ with "recursive-only no;"
 			[RT #33776]
 

bin/named/client.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -1170,62 +1170,30 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
 
 static inline isc_result_t
 client_addopt(ns_client_t *client) {
-	dns_rdataset_t *rdataset;
-	dns_rdatalist_t *rdatalist;
-	dns_rdata_t *rdata;
+	char nsid[BUFSIZ], *nsidp;
 	isc_result_t result;
 	dns_view_t *view;
 	dns_resolver_t *resolver;
 	isc_uint16_t udpsize;
+	dns_ednsopt_t ednsopts[2];
+	int count = 0;
+	unsigned int flags;
 
 	REQUIRE(client->opt == NULL);	/* XXXRTH free old. */
 
-	rdatalist = NULL;
-	result = dns_message_gettemprdatalist(client->message, &rdatalist);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	rdata = NULL;
-	result = dns_message_gettemprdata(client->message, &rdata);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	rdataset = NULL;
-	result = dns_message_gettemprdataset(client->message, &rdataset);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_rdataset_init(rdataset);
-
-	rdatalist->type = dns_rdatatype_opt;
-	rdatalist->covers = 0;
-
-	/*
-	 * Set the maximum UDP buffer size.
-	 */
 	view = client->view;
 	resolver = (view != NULL) ? view->resolver : NULL;
 	if (resolver != NULL)
 		udpsize = dns_resolver_getudpsize(resolver);
 	else
 		udpsize = ns_g_udpsize;
-	rdatalist->rdclass = udpsize;
 
-	/*
-	 * Set EXTENDED-RCODE, VERSION and Z to 0.
-	 */
-	rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE);
+	flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
 
 	/* Set EDNS options if applicable */
-	if (client->attributes & NS_CLIENTATTR_WANTNSID &&
+	if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
 	    (ns_g_server->server_id != NULL ||
 	     ns_g_server->server_usehostname)) {
-		/*
-		 * Space required for NSID data:
-		 *   2 bytes for opt code
-		 * + 2 bytes for NSID length
-		 * + NSID itself
-		 */
-		char nsid[BUFSIZ], *nsidp;
-		isc_buffer_t *buffer = NULL;
-
 		if (ns_g_server->server_usehostname) {
 			isc_result_t result;
 			result = ns_os_gethostname(nsid, sizeof(nsid));
@@ -1236,35 +1204,15 @@ client_addopt(ns_client_t *client) {
 		} else
 			nsidp = ns_g_server->server_id;
 
-		rdata->length = strlen(nsidp) + 4;
-		result = isc_buffer_allocate(client->mctx, &buffer,
-					     rdata->length);
-		if (result != ISC_R_SUCCESS)
-			goto no_nsid;
-
-		isc_buffer_putuint16(buffer, DNS_OPT_NSID);
-		isc_buffer_putuint16(buffer, strlen(nsidp));
-		isc_buffer_putstr(buffer, nsidp);
-		rdata->data = buffer->base;
-		dns_message_takebuffer(client->message, &buffer);
-	} else {
-no_nsid:
-		rdata->data = NULL;
-		rdata->length = 0;
+		ednsopts[count].code = DNS_OPT_NSID;
+		ednsopts[count].length = strlen(nsidp);
+		ednsopts[count].value = (unsigned char *)nsidp;
+		count++;
 	}
-
-	rdata->rdclass = rdatalist->rdclass;
-	rdata->type = rdatalist->type;
-	rdata->flags = 0;
-
-	ISC_LIST_INIT(rdatalist->rdata);
-	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
-	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
-		      == ISC_R_SUCCESS);
-
-	client->opt = rdataset;
-
-	return (ISC_R_SUCCESS);
+ no_nsid:
+	result = dns_message_buildopt(client->message, &client->opt, 0,
+				      udpsize, flags, ednsopts, count);
+	return (result);
 }
 
 static inline isc_boolean_t
@@ -1345,6 +1293,83 @@ ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
 	return (ISC_TF(view == myview));
 }
 
+static isc_result_t
+process_opt(ns_client_t *client, dns_rdataset_t *opt) {
+	dns_rdata_t rdata;
+	isc_buffer_t optbuf;
+	isc_result_t result;
+	isc_uint16_t optcode;
+	isc_uint16_t optlen;
+
+	/*
+	 * Set the client's UDP buffer size.
+	 */
+	client->udpsize = opt->rdclass;
+
+	/*
+	 * If the requested UDP buffer size is less than 512,
+	 * ignore it and use 512.
+	 */
+	if (client->udpsize < 512)
+		client->udpsize = 512;
+
+	/*
+	 * Get the flags out of the OPT record.
+	 */
+	client->extflags = (isc_uint16_t)(opt->ttl & 0xFFFF);
+
+	/*
+	 * Do we understand this version of EDNS?
+	 *
+	 * XXXRTH need library support for this!
+	 */
+	client->ednsversion = (opt->ttl & 0x00FF0000) >> 16;
+	if (client->ednsversion > 0) {
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_badednsver);
+		result = client_addopt(client);
+		if (result == ISC_R_SUCCESS)
+			result = DNS_R_BADVERS;
+		ns_client_error(client, result);
+		goto cleanup;
+	}
+
+	/* Check for NSID request */
+	result = dns_rdataset_first(opt);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(opt, &rdata);
+		isc_buffer_init(&optbuf, rdata.data, rdata.length);
+		isc_buffer_add(&optbuf, rdata.length);
+		while (isc_buffer_remaininglength(&optbuf) >= 4) {
+			optcode = isc_buffer_getuint16(&optbuf);
+			optlen = isc_buffer_getuint16(&optbuf);
+			switch (optcode) {
+			case DNS_OPT_NSID:
+				client->attributes |= NS_CLIENTATTR_WANTNSID;
+				isc_buffer_forward(&optbuf, optlen);
+				break;
+			default:
+				isc_buffer_forward(&optbuf, optlen);
+				break;
+			}
+		}
+	}
+
+	isc_stats_increment(ns_g_server->nsstats, dns_nsstatscounter_edns0in);
+
+	/*
+	 * Create an OPT for our reply.
+	 */
+	result = client_addopt(client);
+	if (result != ISC_R_SUCCESS) {
+		ns_client_error(client, result);
+		goto cleanup;
+	}
+ cleanup:
+	return (result);
+}
+
 /*
  * Handle an incoming request event from the socket (UDP case)
  * or tcpmsg (TCP case).
@@ -1367,8 +1392,6 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	dns_messageid_t id;
 	unsigned int flags;
 	isc_boolean_t notimp;
-	dns_rdata_t rdata;
-	isc_uint16_t optcode;
 
 	REQUIRE(event != NULL);
 	client = event->ev_arg;
@@ -1568,67 +1591,9 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	 */
 	opt = dns_message_getopt(client->message);
 	if (opt != NULL) {
-		/*
-		 * Set the client's UDP buffer size.
-		 */
-		client->udpsize = opt->rdclass;
-
-		/*
-		 * If the requested UDP buffer size is less than 512,
-		 * ignore it and use 512.
-		 */
-		if (client->udpsize < 512)
-			client->udpsize = 512;
-
-		/*
-		 * Get the flags out of the OPT record.
-		 */
-		client->extflags = (isc_uint16_t)(opt->ttl & 0xFFFF);
-
-		/*
-		 * Do we understand this version of EDNS?
-		 *
-		 * XXXRTH need library support for this!
-		 */
-		client->ednsversion = (opt->ttl & 0x00FF0000) >> 16;
-		if (client->ednsversion > 0) {
-			isc_stats_increment(ns_g_server->nsstats,
-					    dns_nsstatscounter_badednsver);
-			result = client_addopt(client);
-			if (result == ISC_R_SUCCESS)
-				result = DNS_R_BADVERS;
-			ns_client_error(client, result);
+		result = process_opt(client, opt);
+		if (result != ISC_R_SUCCESS)
 			goto cleanup;
-		}
-
-		/* Check for NSID request */
-		result = dns_rdataset_first(opt);
-		if (result == ISC_R_SUCCESS) {
-			dns_rdata_init(&rdata);
-			dns_rdataset_current(opt, &rdata);
-			if (rdata.length >= 2) {
-				isc_buffer_t nsidbuf;
-				isc_buffer_init(&nsidbuf,
-						rdata.data, rdata.length);
-				isc_buffer_add(&nsidbuf, rdata.length);
-				optcode = isc_buffer_getuint16(&nsidbuf);
-				if (optcode == DNS_OPT_NSID)
-					client->attributes |=
-						NS_CLIENTATTR_WANTNSID;
-			}
-		}
-
-		isc_stats_increment(ns_g_server->nsstats,
-				    dns_nsstatscounter_edns0in);
-
-		/*
-		 * Create an OPT for our reply.
-		 */
-		result = client_addopt(client);
-		if (result != ISC_R_SUCCESS) {
-			ns_client_error(client, result);
-			goto cleanup;
-		}
 	}
 
 	if (client->message->rdclass == 0) {

bin/named/query.c

@@ -57,6 +57,7 @@
 
 #include <named/client.h>
 #include <named/globals.h>
+#include <named/interfacemgr.h>
 #include <named/log.h>
 #include <named/server.h>
 #include <named/sortlist.h>
@@ -737,8 +738,9 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
 			if (queryonacl == NULL)
 				queryonacl = client->view->queryonacl;
 
-			result = ns_client_checkaclsilent(client, NULL,
-							  queryonacl, ISC_TRUE);
+			result = ns_client_checkaclsilent(client,
+						      &client->interface->addr,
+							 queryonacl, ISC_TRUE);
 			if ((options & DNS_GETDB_NOLOG) == 0 &&
 			    result != ISC_R_SUCCESS)
 				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
@@ -4785,7 +4787,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 					goto addauth;
 				}
 
-				if (dns_db_issecure(db)) {
+				if (qtype == dns_rdatatype_rrsig &&
+				    dns_db_issecure(db)) {
 					char namebuf[DNS_NAME_FORMATSIZE];
 					dns_name_format(client->query.qname,
 							namebuf,

bin/named/server.c

@@ -68,11 +68,13 @@
 #include <dns/portlist.h>
 #include <dns/rbt.h>
 #include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/rdatastruct.h>
 #include <dns/resolver.h>
 #include <dns/rootns.h>
 #include <dns/secalg.h>
+#include <dns/soa.h>
 #include <dns/stats.h>
 #include <dns/tkey.h>
 #include <dns/tsig.h>
@@ -1055,6 +1057,278 @@ cache_reusable(dns_view_t *originview, dns_view_t *view,
 	return (ISC_TRUE);
 }
 
+#define BINDABLE(name) \
+	((name->attributes & (DNS_NAMEATTR_READONLY|DNS_NAMEATTR_DYNAMIC)) \
+	 == 0)
+
+static isc_result_t
+dns_name_fromstring(dns_name_t *target, const char *src,
+		    unsigned int options, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	isc_buffer_t buf;
+	dns_fixedname_t fn;
+	dns_name_t *name;
+
+	REQUIRE(src != NULL);
+
+	isc_buffer_constinit(&buf, src, strlen(src));
+	isc_buffer_add(&buf, strlen(src));
+	if (BINDABLE(target) && target->buffer != NULL)
+		name = target;
+	else {
+		dns_fixedname_init(&fn);
+		name = dns_fixedname_name(&fn);
+	}
+
+	result = dns_name_fromtext(name, &buf, dns_rootname, options, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	if (name != target)
+		result = dns_name_dupwithoffsets(name, mctx, target);
+	return (result);
+}
+
+static isc_result_t
+add_soa(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	dns_name_t *origin, dns_name_t *contact)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdata_soa_t soa;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	isc_buffer_t b;
+	isc_result_t result;
+	unsigned char buf[2 * DNS_NAME_MAXWIRE + 20];
+
+	dns_rdataset_init(&rdataset);
+	dns_rdatalist_init(&rdatalist);
+	isc_buffer_init(&b, buf, sizeof(buf));
+
+	soa.common.rdtype = dns_rdatatype_soa;
+	soa.common.rdclass = dns_db_class(db);
+	soa.mctx = NULL;
+	soa.serial = 0;
+	soa.refresh = 28800;
+	soa.retry = 7200;
+	soa.expire = 604800;
+	soa.minimum = 86400;
+	dns_name_init(&soa.origin, NULL);
+	dns_name_clone(origin, &soa.origin);
+	dns_name_init(&soa.contact, NULL);
+	dns_name_clone(contact, &soa.contact);
+
+	CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_soa,
+				   &soa, &b));
+
+	rdatalist.type = rdata.type;
+	rdatalist.covers = 0;
+	rdatalist.rdclass = rdata.rdclass;
+	rdatalist.ttl = 86400;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+	CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
+	CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
+ cleanup:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static isc_result_t
+add_ns(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+       dns_name_t *nsname)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdata_ns_t ns;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	isc_buffer_t b;
+	unsigned char buf[DNS_NAME_MAXWIRE];
+
+	isc_buffer_init(&b, buf, sizeof(buf));
+
+	dns_rdataset_init(&rdataset);
+	dns_rdatalist_init(&rdatalist);
+	ns.common.rdtype = dns_rdatatype_ns;
+	ns.common.rdclass = dns_db_class(db);
+	ns.mctx = NULL;
+	dns_name_init(&ns.name, NULL);
+	dns_name_clone(nsname, &ns.name);
+	CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db), dns_rdatatype_ns,
+				   &ns, &b));
+	rdatalist.type = rdata.type;
+	rdatalist.covers = 0;
+	rdatalist.rdclass = rdata.rdclass;
+	rdatalist.ttl = 86400;
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	CHECK(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+	CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
+	CHECK(dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL));
+ cleanup:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static isc_result_t
+create_empty_zone(dns_zone_t *zone, dns_name_t *name, dns_view_t *view,
+		  const cfg_obj_t *zonelist, const char **empty_dbtype,
+		  int empty_dbtypec, isc_boolean_t zonestats_on)
+{
+	char namebuf[DNS_NAME_FORMATSIZE];
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj;
+	const cfg_obj_t *zconfig;
+	const cfg_obj_t *zoptions;
+	const char *rbt_dbtype[4] = { "rbt" };
+	const char *sep = ": view ";
+	const char *str;
+	const char *viewname = view->name;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_fixedname_t cfixed;
+	dns_fixedname_t fixed;
+	dns_fixedname_t nsfixed;
+	dns_name_t *contact;
+	dns_name_t *ns;
+	dns_name_t *zname;
+	dns_zone_t *myzone = NULL;
+	int rbt_dbtypec = 1;
+	isc_result_t result;
+	dns_namereln_t namereln;
+	int order;
+	unsigned int nlabels;
+
+	dns_fixedname_init(&fixed);
+	zname = dns_fixedname_name(&fixed);
+	dns_fixedname_init(&nsfixed);
+	ns = dns_fixedname_name(&nsfixed);
+	dns_fixedname_init(&cfixed);
+	contact = dns_fixedname_name(&cfixed);
+
+	/*
+	 * Look for forward "zones" beneath this empty zone and if so
+	 * create a custom db for the empty zone.
+	 */
+	for (element = cfg_list_first(zonelist);
+	     element != NULL;
+	     element = cfg_list_next(element)) {
+
+		zconfig = cfg_listelt_value(element);
+		str = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+		CHECK(dns_name_fromstring(zname, str, 0, NULL));
+		namereln = dns_name_fullcompare(zname, name, &order, &nlabels);
+		if (namereln != dns_namereln_subdomain)
+			continue;
+
+		zoptions = cfg_tuple_get(zconfig, "options");
+
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "type", &obj);
+		INSIST(obj != NULL);
+		if (strcasecmp(cfg_obj_asstring(obj), "forward") != 0)
+			continue;
+
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "forward", &obj);
+		if (obj == NULL)
+			continue;
+		if (strcasecmp(cfg_obj_asstring(obj), "only") != 0)
+			continue;
+		if (db == NULL) {
+			CHECK(dns_db_create(view->mctx, "rbt", name,
+					    dns_dbtype_zone, view->rdclass,
+					    0, NULL, &db));
+			CHECK(dns_db_newversion(db, &version));
+			if (strcmp(empty_dbtype[2], "@") == 0)
+				dns_name_clone(name, ns);
+			else
+				CHECK(dns_name_fromstring(ns, empty_dbtype[2],
+							  0, NULL));
+			CHECK(dns_name_fromstring(contact, empty_dbtype[3],
+						  0, NULL));
+			CHECK(add_soa(db, version, name, ns, contact));
+			CHECK(add_ns(db, version, name, ns));
+		}
+		CHECK(add_ns(db, version, zname, dns_rootname));
+	}
+
+	/*
+	 * Is the existing zone the ok to use?
+	 */
+	if (zone != NULL) {
+		if (db != NULL)
+			check_dbtype(&zone, rbt_dbtypec, rbt_dbtype,
+				     view->mctx);
+		else
+			check_dbtype(&zone, empty_dbtypec, empty_dbtype,
+				     view->mctx);
+		if (zone != NULL && dns_zone_gettype(zone) != dns_zone_master)
+			zone = NULL;
+		if (zone != NULL && dns_zone_getfile(zone) != NULL)
+			zone = NULL;
+	}
+
+	if (zone == NULL) {
+		CHECK(dns_zone_create(&myzone, view->mctx));
+		zone = myzone;
+		CHECK(dns_zone_setorigin(zone, name));
+		CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
+		if (db == NULL)
+			CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
+						 empty_dbtype));
+		dns_zone_setclass(zone, view->rdclass);
+		dns_zone_settype(zone, dns_zone_master);
+		dns_zone_setstats(zone, ns_g_server->zonestats);
+	}
+
+	dns_zone_setoption(zone, ~DNS_ZONEOPT_NOCHECKNS, ISC_FALSE);
+	dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS, ISC_TRUE);
+	dns_zone_setnotifytype(zone, dns_notifytype_no);
+	dns_zone_setdialup(zone, dns_dialuptype_no);
+	if (view->queryacl)
+		dns_zone_setqueryacl(zone, view->queryacl);
+	else
+		dns_zone_clearqueryacl(zone);
+	if (view->queryonacl)
+		dns_zone_setqueryonacl(zone, view->queryonacl);
+	else
+		dns_zone_clearqueryonacl(zone);
+	dns_zone_clearupdateacl(zone);
+	dns_zone_clearxfracl(zone);
+
+	CHECK(setquerystats(zone, view->mctx, zonestats_on));
+	if (db != NULL) {
+		dns_db_closeversion(db, &version, ISC_TRUE);
+		CHECK(dns_zone_replacedb(zone, db, ISC_FALSE));
+	}
+	dns_zone_setview(zone, view);
+	CHECK(dns_view_addzone(view, zone));
+
+	if (!strcmp(viewname, "_default")) {
+		sep = "";
+		viewname = "";
+	}
+	dns_name_format(name, namebuf, sizeof(namebuf));
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+		      ISC_LOG_INFO, "automatic empty zone%s%s: %s",
+		      sep, viewname, namebuf);
+
+ cleanup:
+	if (myzone != NULL)
+		dns_zone_detach(&myzone);
+	if (version != NULL)
+		dns_db_closeversion(db, &version, ISC_FALSE);
+	if (db != NULL)
+		dns_db_detach(&db);
+	return (result);
+}
+
 /*
  * Configure 'view' according to 'vconfig', taking defaults from 'config'
  * where values are missing in 'vconfig'.
@@ -1105,7 +1379,6 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	isc_uint32_t max_clients_per_query;
 	const char *sep = ": view ";
 	const char *viewname = view->name;
-	const char *forview = " for view ";
 	isc_boolean_t rfc1918;
 	isc_boolean_t empty_zones_enable;
 	const cfg_obj_t *disablelist = NULL;
@@ -1138,8 +1411,6 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	if (!strcmp(viewname, "_default")) {
 		sep = "";
 		viewname = "";
-		forview = "";
-		POST(forview);
 	}
 
 	/*
@@ -2045,43 +2316,13 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 			if (pview != NULL) {
 				(void)dns_view_findzone(pview, name, &zone);
 				dns_view_detach(&pview);
-				if (zone != NULL)
-					check_dbtype(&zone, empty_dbtypec,
-						     empty_dbtype, mctx);
-				if (zone != NULL) {
-					dns_zone_setview(zone, view);
-					CHECK(dns_view_addzone(view, zone));
-					CHECK(setquerystats(zone, mctx,
-							    zonestats_on));
-					dns_zone_detach(&zone);
-					continue;
-				}
 			}
 
-			CHECK(dns_zone_create(&zone, mctx));
-			CHECK(dns_zone_setorigin(zone, name));
-			dns_zone_setview(zone, view);
-			CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
-			dns_zone_setclass(zone, view->rdclass);
-			dns_zone_settype(zone, dns_zone_master);
-			dns_zone_setstats(zone, ns_g_server->zonestats);
-			CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
-						 empty_dbtype));
-			if (view->queryacl != NULL)
-				dns_zone_setqueryacl(zone, view->queryacl);
-			if (view->queryonacl != NULL)
-				dns_zone_setqueryonacl(zone, view->queryonacl);
-			dns_zone_setdialup(zone, dns_dialuptype_no);
-			dns_zone_setnotifytype(zone, dns_notifytype_no);
-			dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,
-					   ISC_TRUE);
-			CHECK(setquerystats(zone, mctx, zonestats_on));
-			CHECK(dns_view_addzone(view, zone));
-			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
-				      "automatic empty zone%s%s: %s",
-				      sep, viewname,  empty);
-			dns_zone_detach(&zone);
+			CHECK(create_empty_zone(zone, name, view, zonelist,
+						empty_dbtype, empty_dbtypec,
+						zonestats_on));
+			if (zone != NULL)
+				dns_zone_detach(&zone);
 		}
 	}
 
@@ -5369,7 +5610,7 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
 
 	n = snprintf((char *)isc_buffer_used(text),
 		     isc_buffer_availablelength(text),
-		     "version: %s%s%s%s\n"
+		     "version: %s%s%s%s <id:%s>\n"
 #ifdef ISC_PLATFORM_USETHREADS
 		     "CPUs found: %u\n"
 		     "worker threads: %u\n"
@@ -5383,7 +5624,7 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
 		     "recursive clients: %d/%d/%d\n"
 		     "tcp clients: %d/%d\n"
 		     "server is up and running",
-		     ns_g_version, ob, alt, cb,
+		     ns_g_version, ob, alt, cb, ns_g_srcid,
 #ifdef ISC_PLATFORM_USETHREADS
 		     ns_g_cpus_detected, ns_g_cpus,
 #endif

bin/tests/system/acl/ns2/named5.conf

@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named1.conf,v 1.2 2008/01/10 01:10:01 marka Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify yes;
+	ixfr-from-differences yes;
+	check-integrity no;
+	allow-query-on { 10.53.0.2; };
+};
+
+include "../../common/controls.conf";
+
+key one {
+        algorithm hmac-md5;
+        secret "1234abcd8765";
+};
+
+key two {
+        algorithm hmac-md5;
+        secret "1234abcd8765";
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+zone "example" {
+	type master;
+	file "example.db";
+};
+
+zone "tsigzone" {
+	type master;
+	file "tsigzone.db";
+        allow-transfer { !key one; any; };
+};

bin/tests/system/acl/tests.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2008, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2008, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -140,5 +140,14 @@ $DIG $DIGOPTS tsigzone. \
     	@10.53.0.2 -b 10.53.0.3 axfr -y one:1234abcd8765 -p 5300 > dig.out
 grep "^;" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
 
+echo "I:testing allow-query-on ACL processing"
+cp -f ns2/named5.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
+sleep 5
+t=`expr $t + 1`
+$DIG +tcp soa example. \
+    	@10.53.0.2 -b 10.53.0.3 -p 5300 > dig.out
+grep "status: NOERROR" dig.out > /dev/null 2>&1 || { echo "I:test $t failed" ; status=1; }
+
 echo "I:exit status: $status"
 exit $status

bin/tests/system/forward/ns2/named.conf

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -54,3 +54,8 @@ zone "example4." {
 	type master;
 	file "example.db";
 };
+
+zone "1.0.10.in-addr.arpa." {
+	type master;
+	file "example.db";
+};

bin/tests/system/forward/ns4/named.conf

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -50,3 +50,9 @@ zone "example5." {
 	forward only;
 	forwarders { 10.53.0.2; };
 };
+
+zone "1.0.10.in-addr.arpa" {
+	type forward;
+	forward only;
+	forwarders { 10.53.0.2; };
+};

bin/tests/system/forward/tests.sh

@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -101,5 +101,14 @@ $PERL ../start.pl --restart --noclean . ns4 || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+echo "I:checking that forward only zone overrides empty zone"
+ret=0
+$DIG 1.0.10.in-addr.arpa TXT @10.53.0.4 -p 5300 > dig.out.f2
+grep "status: NOERROR" dig.out.f2 > /dev/null || ret=1
+$DIG 2.0.10.in-addr.arpa TXT @10.53.0.4 -p 5300 > dig.out.f2
+grep "status: NXDOMAIN" dig.out.f2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status

bin/tests/system/rrsetorder/ns1/named.conf

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -27,7 +27,7 @@ options {
 	listen-on { 10.53.0.1; };
 	listen-on-v6 { none; };
 	recursion no;
-	notify yes;
+	notify no;
 	rrset-order {
 		name "fixed.example" order fixed;
 		name "random.example" order random;
@@ -40,4 +40,6 @@ options {
 zone "." {
 	type master;
 	file "root.db";
+	notify explicit;
+	also-notify { 10.53.0.2; };
 };

configure

@@ -18672,7 +18672,7 @@ BIND9_MAKE_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
 
 BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
 
-. $srcdir/version
+. "$srcdir/version"
 BIND9_PRODUCT="PRODUCT=\"${PRODUCT}\""
 
 BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\""
@@ -18681,12 +18681,15 @@ BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASE
 
 
 BIND9_SRCID="SRCID=unset"
-if test -f $srcdir/srcid; then
-	. $srcdir/srcid
+if test -f "${srcdir}/srcid"; then
+	. "${srcdir}/srcid"
 	BIND9_SRCID="SRCID=$SRCID"
+elif test -d "${srcdir}/.git"; then
+	BIND9_SRCID="SRCID="`(cd "${srcdir}";git log -n 1 --format=%h)`
 fi
 
 
+
 if test -z "$ac_configure_args"; then
 	BIND9_CONFIGARGS="defaults"
 else
@@ -18700,22 +18703,22 @@ BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}"
 
 
 
-LIBISC_API=$srcdir/lib/isc/api
+LIBISC_API="$srcdir/lib/isc/api"
 
 
-LIBISCCC_API=$srcdir/lib/isccc/api
+LIBISCCC_API="$srcdir/lib/isccc/api"
 
 
-LIBISCCFG_API=$srcdir/lib/isccfg/api
+LIBISCCFG_API="$srcdir/lib/isccfg/api"
 
 
-LIBDNS_API=$srcdir/lib/dns/api
+LIBDNS_API="$srcdir/lib/dns/api"
 
 
-LIBBIND9_API=$srcdir/lib/bind9/api
+LIBBIND9_API="$srcdir/lib/bind9/api"
 
 
-LIBLWRES_API=$srcdir/lib/lwres/api
+LIBLWRES_API="$srcdir/lib/lwres/api"
 
 #
 # Configure any DLZ drivers.
@@ -21865,7 +21868,7 @@ fi
 		 /*) ;;
 		 *) srcdir="../../$srcdir";;
 		 esac
-		 ${SHELL} ${srcdir}${srcdir:+/unit/atf-src/}./configure MISSING=: --prefix $atfdir;
+		 ${SHELL} "${srcdir}${srcdir:+/unit/atf-src/}./configure" MISSING=: --prefix $atfdir;
 		)  ;;
     "chmod":C) chmod a+x isc-config.sh doc/doxygen/doxygen-input-filter ;;
 
@@ -21941,7 +21944,7 @@ test "$enable_fixed" = "yes" && \
     echo "    Fixed RRset order (--enable-fixed-rrset)"
 test "$atf" = "no" || echo "    Automated Testing Framework (--with-atf)"
 test "$use_gssapi" = "no" || echo "    GSS-API (--with-gssapi)"
-test "$use_pkcs11" = "no" || echo "    PKCS#11/Cryptoki support (--with-pks11)"
+test "$use_pkcs11" = "no" || echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
 
 
 # these lines are only printed if run with --enable-full-report
@@ -21977,7 +21980,7 @@ test "$enable_fixed" = "yes" || \
     echo "    Fixed RRset order (--enable-fixed-rrset)"
 test "$atf" = "no" && echo "    Automated Testing Framework (--with-atf)"
 test "$use_gssapi" = "no" && echo "    GSS-API (--with-gssapi)"
-test "$use_pkcs11" = "no" && echo "    PKCS#11/Cryptoki support (--with-pks11)"
+test "$use_pkcs11" = "no" && echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
 test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" && \
         echo "    IPv6 support (--enable-ipv6)"
 test "X$USE_OPENSSL" = "X" && \

configure.in

@@ -2791,7 +2791,7 @@ if test "$atf" = yes; then
 		 /*) ;;
 		 *) srcdir="../../$srcdir";;
 		 esac
-		 ${SHELL} ${srcdir}${srcdir:+/unit/atf-src/}./configure MISSING=: --prefix $atfdir;
+		 ${SHELL} "${srcdir}${srcdir:+/unit/atf-src/}./configure" MISSING=: --prefix $atfdir;
 		) ],
 		[atfdir=`pwd`/unit/atf])
 	AC_MSG_RESULT(building ATF from bind9/unit/atf-src)
@@ -2849,7 +2849,7 @@ BIND9_MAKE_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
 AC_SUBST_FILE(BIND9_MAKE_RULES)
 BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
 
-. $srcdir/version
+. "$srcdir/version"
 BIND9_PRODUCT="PRODUCT=\"${PRODUCT}\""
 AC_SUBST(BIND9_PRODUCT)
 BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\""
@@ -2858,10 +2858,13 @@ BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASE
 AC_SUBST(BIND9_VERSION)
 
 BIND9_SRCID="SRCID=unset"
-if test -f $srcdir/srcid; then
-	. $srcdir/srcid
+if test -f "${srcdir}/srcid"; then
+	. "${srcdir}/srcid"
 	BIND9_SRCID="SRCID=$SRCID"
+elif test -d "${srcdir}/.git"; then
+	BIND9_SRCID="SRCID="`(cd "${srcdir}";git log -n 1 --format=%h)`
 fi
+
 AC_SUBST(BIND9_SRCID)
 
 if test -z "$ac_configure_args"; then
@@ -2877,22 +2880,22 @@ BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}"
 AC_SUBST(BIND9_CONFIGARGS)
 
 AC_SUBST_FILE(LIBISC_API)
-LIBISC_API=$srcdir/lib/isc/api
+LIBISC_API="$srcdir/lib/isc/api"
 
 AC_SUBST_FILE(LIBISCCC_API)
-LIBISCCC_API=$srcdir/lib/isccc/api
+LIBISCCC_API="$srcdir/lib/isccc/api"
 
 AC_SUBST_FILE(LIBISCCFG_API)
-LIBISCCFG_API=$srcdir/lib/isccfg/api
+LIBISCCFG_API="$srcdir/lib/isccfg/api"
 
 AC_SUBST_FILE(LIBDNS_API)
-LIBDNS_API=$srcdir/lib/dns/api
+LIBDNS_API="$srcdir/lib/dns/api"
 
 AC_SUBST_FILE(LIBBIND9_API)
-LIBBIND9_API=$srcdir/lib/bind9/api
+LIBBIND9_API="$srcdir/lib/bind9/api"
 
 AC_SUBST_FILE(LIBLWRES_API)
-LIBLWRES_API=$srcdir/lib/lwres/api
+LIBLWRES_API="$srcdir/lib/lwres/api"
 
 #
 # Configure any DLZ drivers.
@@ -3196,7 +3199,7 @@ test "$enable_fixed" = "yes" && \
     echo "    Fixed RRset order (--enable-fixed-rrset)"
 test "$atf" = "no" || echo "    Automated Testing Framework (--with-atf)"
 test "$use_gssapi" = "no" || echo "    GSS-API (--with-gssapi)"
-test "$use_pkcs11" = "no" || echo "    PKCS#11/Cryptoki support (--with-pks11)"
+test "$use_pkcs11" = "no" || echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
 
 
 # these lines are only printed if run with --enable-full-report 
@@ -3232,7 +3235,7 @@ test "$enable_fixed" = "yes" || \
     echo "    Fixed RRset order (--enable-fixed-rrset)"
 test "$atf" = "no" && echo "    Automated Testing Framework (--with-atf)"
 test "$use_gssapi" = "no" && echo "    GSS-API (--with-gssapi)"
-test "$use_pkcs11" = "no" && echo "    PKCS#11/Cryptoki support (--with-pks11)"
+test "$use_pkcs11" = "no" && echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
 test "$enable_ipv6" = "no" -o "$found_ipv6" = "no" && \
         echo "    IPv6 support (--enable-ipv6)"
 test "X$USE_OPENSSL" = "X" && \

lib/dns/api

@@ -5,5 +5,5 @@
 # 9.9: 90-109
 # 9.9-sub: 130-139
 LIBINTERFACE = 113
-LIBREVISION = 3
+LIBREVISION = 4
 LIBAGE = 0

lib/dns/rdata/generic/dnskey_48.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -32,6 +32,7 @@
 
 static inline isc_result_t
 fromtext_dnskey(ARGS_FROMTEXT) {
+	isc_result_t result;
 	isc_token_t token;
 	dns_secalg_t alg;
 	dns_secproto_t proto;
@@ -67,7 +68,15 @@ fromtext_dnskey(ARGS_FROMTEXT) {
 	if ((flags & 0xc000) == 0xc000)
 		return (ISC_R_SUCCESS);
 
-	return (isc_base64_tobuffer(lexer, target, -1));
+	result = isc_base64_tobuffer(lexer, target, -1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/* Ensure there's at least enough data to compute a key ID for MD5 */
+	if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 7)
+		return (ISC_R_UNEXPECTEDEND);
+
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -134,6 +143,7 @@ totext_dnskey(ARGS_TOTEXT) {
 static inline isc_result_t
 fromwire_dnskey(ARGS_FROMWIRE) {
 	isc_region_t sr;
+	unsigned char algorithm;
 
 	REQUIRE(type == 48);
 
@@ -146,6 +156,15 @@ fromwire_dnskey(ARGS_FROMWIRE) {
 	if (sr.length < 4)
 		return (ISC_R_UNEXPECTEDEND);
 
+	/*
+	 * RSAMD5 computes key ID differently from other
+	 * algorithms: we need to ensure there's enough data
+	 * present for the computation
+	 */
+	algorithm = sr.base[3];
+	if (algorithm == DST_ALG_RSAMD5 && sr.length < 7)
+		return (ISC_R_UNEXPECTEDEND);
+
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
 }

lib/dns/rdata/generic/key_25.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -32,6 +32,7 @@
 
 static inline isc_result_t
 fromtext_key(ARGS_FROMTEXT) {
+	isc_result_t result;
 	isc_token_t token;
 	dns_secalg_t alg;
 	dns_secproto_t proto;
@@ -67,7 +68,15 @@ fromtext_key(ARGS_FROMTEXT) {
 	if ((flags & 0xc000) == 0xc000)
 		return (ISC_R_SUCCESS);
 
-	return (isc_base64_tobuffer(lexer, target, -1));
+	result = isc_base64_tobuffer(lexer, target, -1);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/* Ensure there's at least enough data to compute a key ID for MD5 */
+	if (alg == DST_ALG_RSAMD5 && isc_buffer_usedlength(target) < 7)
+		return (ISC_R_UNEXPECTEDEND);
+
+	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
@@ -134,6 +143,7 @@ totext_key(ARGS_TOTEXT) {
 static inline isc_result_t
 fromwire_key(ARGS_FROMWIRE) {
 	isc_region_t sr;
+	unsigned char algorithm;
 
 	REQUIRE(type == 25);
 
@@ -146,6 +156,15 @@ fromwire_key(ARGS_FROMWIRE) {
 	if (sr.length < 4)
 		return (ISC_R_UNEXPECTEDEND);
 
+	/*
+	 * RSAMD5 computes key ID differently from other
+	 * algorithms: we need to ensure there's enough data
+	 * present for the computation
+	 */
+	algorithm = sr.base[3];
+	if (algorithm == DST_ALG_RSAMD5 && sr.length < 3)
+		return (ISC_R_UNEXPECTEDEND);
+
 	isc_buffer_forward(source, sr.length);
 	return (mem_tobuffer(target, sr.base, sr.length));
 }

lib/dns/resolver.c

@@ -1108,6 +1108,10 @@ log_edns(fetchctx_t *fctx) {
 	if (fctx->reason == NULL)
 		return;
 
+	/*
+	 * We do not know if fctx->domain is the actual domain the record
+	 * lives in or a parent domain so we have a '?' after it.
+	 */
 	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
 		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,

lib/isc/api

@@ -5,5 +5,5 @@
 # 9.9: 90-109
 # 9.9-sub: 130-139
 LIBINTERFACE = 59
-LIBREVISION = 0
+LIBREVISION = 1
 LIBAGE = 2

lib/isc/unix/socket.c

@@ -1529,6 +1529,10 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
 		/* HPUX 11.11 can return EADDRNOTAVAIL. */
 		SOFT_OR_HARD(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
 		ALWAYS_HARD(ENOBUFS, ISC_R_NORESOURCES);
+		/* Should never get this one but it was seen. */
+#ifdef ENOPROTOOPT
+		SOFT_OR_HARD(ENOPROTOOPT, ISC_R_HOSTUNREACH);
+#endif
 		/*
 		 * HPUX returns EPROTO and EINVAL on receiving some ICMP/ICMPv6
 		 * errors.

util/copyrights

@@ -102,7 +102,7 @@
 ./bin/named/bind9.xsl				SGML	2006,2007,2008,2009,2012
 ./bin/named/bind9.xsl.h				X	2007,2008,2009,2011,2012
 ./bin/named/builtin.c				C	2001,2002,2003,2004,2005,2007,2010,2012
-./bin/named/client.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012
+./bin/named/client.c				C	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013
 ./bin/named/config.c				C	2001,2002,2003,2004,2005,2006,2007,2008,2009,2012,2013
 ./bin/named/control.c				C	2001,2002,2003,2004,2005,2006,2007,2009,2010,2012
 ./bin/named/controlconf.c			C	2001,2002,2003,2004,2005,2006,2007,2008,2011,2012,2013
@@ -457,8 +457,9 @@
 ./bin/tests/system/acl/ns2/named2.conf		CONF-C	2008
 ./bin/tests/system/acl/ns2/named3.conf		CONF-C	2008
 ./bin/tests/system/acl/ns2/named4.conf		CONF-C	2008
+./bin/tests/system/acl/ns2/named5.conf		CONF-C	2013
 ./bin/tests/system/acl/setup.sh			SH	2008,2012
-./bin/tests/system/acl/tests.sh			SH	2008,2012
+./bin/tests/system/acl/tests.sh			SH	2008,2012,2013
 ./bin/tests/system/additional/clean.sh		SH	2013
 ./bin/tests/system/additional/ns1/named.args	X	2013
 ./bin/tests/system/additional/ns1/named1.conf	CONF-C	2013
@@ -691,15 +692,15 @@
 ./bin/tests/system/forward/ns1/named.conf	CONF-C	2000,2001,2004,2007
 ./bin/tests/system/forward/ns1/root.db		ZONE	2000,2001,2004,2007
 ./bin/tests/system/forward/ns2/example.db	X	2000,2001
-./bin/tests/system/forward/ns2/named.conf	CONF-C	2000,2001,2004,2007
+./bin/tests/system/forward/ns2/named.conf	CONF-C	2000,2001,2004,2007,2013
 ./bin/tests/system/forward/ns2/root.db		ZONE	2000,2001,2004,2007
 ./bin/tests/system/forward/ns3/named.conf	CONF-C	2000,2001,2004,2007
 ./bin/tests/system/forward/ns3/root.db		ZONE	2000,2001,2004,2007
-./bin/tests/system/forward/ns4/named.conf	CONF-C	2000,2001,2004,2007
+./bin/tests/system/forward/ns4/named.conf	CONF-C	2000,2001,2004,2007,2013
 ./bin/tests/system/forward/ns4/root.db		ZONE	2000,2001,2004,2007
 ./bin/tests/system/forward/ns5/named.conf	CONF-C	2011,2012
 ./bin/tests/system/forward/ns5/root.db		ZONE	2011,2012
-./bin/tests/system/forward/tests.sh		SH	2000,2001,2004,2007,2011,2012
+./bin/tests/system/forward/tests.sh		SH	2000,2001,2004,2007,2011,2012,2013
 ./bin/tests/system/genzone.sh			SH	2001,2002,2003,2004,2007,2012,2013
 ./bin/tests/system/glue/clean.sh		SH	2000,2001,2004,2007,2012
 ./bin/tests/system/glue/fi.good			X	2000,2001
@@ -889,7 +890,7 @@
 ./bin/tests/system/rrsetorder/dig.out.random.good7	X	2006
 ./bin/tests/system/rrsetorder/dig.out.random.good8	X	2006
 ./bin/tests/system/rrsetorder/dig.out.random.good9	X	2006
-./bin/tests/system/rrsetorder/ns1/named.conf	CONF-C	2006,2007
+./bin/tests/system/rrsetorder/ns1/named.conf	CONF-C	2006,2007,2013
 ./bin/tests/system/rrsetorder/ns1/root.db	ZONE	2006,2007,2012
 ./bin/tests/system/rrsetorder/ns2/named.conf	CONF-C	2006,2007
 ./bin/tests/system/rrsetorder/ns3/named.conf	CONF-C	2006,2007
@@ -1902,7 +1903,7 @@
 ./lib/dns/rdata/generic/dlv_32769.h		C	2004,2006,2007
 ./lib/dns/rdata/generic/dname_39.c		C	1999,2000,2001,2004,2007,2012
 ./lib/dns/rdata/generic/dname_39.h		C	1999,2000,2001,2004,2005,2007
-./lib/dns/rdata/generic/dnskey_48.c		C	2003,2004,2005,2007,2012
+./lib/dns/rdata/generic/dnskey_48.c		C	2003,2004,2005,2007,2012,2013
 ./lib/dns/rdata/generic/dnskey_48.h		C	2003,2004,2005,2007
 ./lib/dns/rdata/generic/ds_43.c			C	2002,2004,2005,2007,2012
 ./lib/dns/rdata/generic/ds_43.h			C	2002,2004,2005,2007
@@ -1920,7 +1921,7 @@
 ./lib/dns/rdata/generic/ipseckey_45.h		C	2005,2007
 ./lib/dns/rdata/generic/isdn_20.c		C	1999,2000,2001,2002,2004,2005,2007,2012
 ./lib/dns/rdata/generic/isdn_20.h		C	1999,2000,2001,2004,2005,2007
-./lib/dns/rdata/generic/key_25.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2012
+./lib/dns/rdata/generic/key_25.c		C	1999,2000,2001,2002,2003,2004,2005,2007,2012,2013
 ./lib/dns/rdata/generic/key_25.h		C	1999,2000,2001,2004,2005,2007
 ./lib/dns/rdata/generic/l32_105.c		C	2013
 ./lib/dns/rdata/generic/l32_105.h		C	2013

version

@@ -9,4 +9,4 @@ MAJORVER=9
 MINORVER=6
 PATCHVER=
 RELEASETYPE=-ESV
-RELEASEVER=-R10rc1
+RELEASEVER=-R10