From 93aec4d3d80a0d1cdb6553f70f35a2e2cb1fbaa8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 11 Apr 2017 16:19:51 +0200
Subject: [PATCH 2/3] 4578. [security] Some chaining (CNAME or DNAME)
responses to upstream queries could trigger assertion
failures. (CVE-2017-3137) [RT #44734]
(including part of commit fea8a9d)
---
bin/tests/system/dname/ans3/ans.pl | 16 +-
bin/tests/system/dname/ns1/root.db | 2 +-
bin/tests/system/dname/ns2/example.db | 3 +-
bin/tests/system/dname/tests.sh | 17 +-
lib/dns/name.c | 2 -
lib/dns/resolver.c | 850 +++++++++++++---------------------
6 files changed, 349 insertions(+), 541 deletions(-)
diff --git a/bin/tests/system/dname/ans3/ans.pl b/bin/tests/system/dname/ans3/ans.pl
|
|
|
900526 |
index 271fc7d..af338fe 100644
|
|
|
900526 |
--- a/bin/tests/system/dname/ans3/ans.pl
|
|
|
900526 |
+++ b/bin/tests/system/dname/ans3/ans.pl
|
|
|
900526 |
@@ -1,10 +1,18 @@
|
|
|
900526 |
#!/usr/bin/env perl
|
|
|
900526 |
#
|
|
|
900526 |
-# Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
|
|
|
900526 |
+# Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
|
|
|
900526 |
#
|
|
|
900526 |
-# This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
900526 |
-# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
|
900526 |
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
900526 |
+# Permission to use, copy, modify, and/or distribute this software for any
|
|
|
900526 |
+# purpose with or without fee is hereby granted, provided that the above
|
|
|
900526 |
+# copyright notice and this permission notice appear in all copies.
|
|
|
900526 |
+#
|
|
|
900526 |
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
|
|
900526 |
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
|
900526 |
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
|
|
900526 |
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
|
|
900526 |
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
|
|
900526 |
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
|
|
900526 |
+# PERFORMANCE OF THIS SOFTWARE.
|
|
|
900526 |
|
|
|
900526 |
use strict;
|
|
|
900526 |
use warnings;
|
|
|
900526 |
diff --git a/bin/tests/system/dname/ns1/root.db b/bin/tests/system/dname/ns1/root.db
|
|
|
900526 |
index 2e84ae0..3d55ace 100644
|
|
|
900526 |
--- a/bin/tests/system/dname/ns1/root.db
|
|
|
900526 |
+++ b/bin/tests/system/dname/ns1/root.db
|
|
|
900526 |
@@ -1,4 +1,4 @@
|
|
|
900526 |
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
|
|
|
900526 |
+; Copyright (C) 2011, 2017 Internet Systems Consortium, Inc. ("ISC")
|
|
|
900526 |
;
|
|
|
900526 |
; Permission to use, copy, modify, and/or distribute this software for any
|
|
|
900526 |
; purpose with or without fee is hereby granted, provided that the above
|
|
|
900526 |
diff --git a/bin/tests/system/dname/ns2/example.db b/bin/tests/system/dname/ns2/example.db
|
|
|
900526 |
index 4289134..c0193de 100644
|
|
|
900526 |
--- a/bin/tests/system/dname/ns2/example.db
|
|
|
900526 |
+++ b/bin/tests/system/dname/ns2/example.db
|
|
|
900526 |
@@ -1,4 +1,4 @@
|
|
|
900526 |
-; Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
|
|
|
900526 |
+; Copyright (C) 2011, 2017 Internet Systems Consortium, Inc. ("ISC")
|
|
|
900526 |
;
|
|
|
900526 |
; Permission to use, copy, modify, and/or distribute this software for any
|
|
|
900526 |
; purpose with or without fee is hereby granted, provided that the above
|
|
|
900526 |
@@ -29,6 +29,7 @@ a.short A 10.0.0.1
|
|
|
900526 |
short-dname DNAME short
|
|
|
900526 |
a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2
|
|
|
900526 |
long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong
|
|
|
900526 |
+toolong-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong
|
|
|
900526 |
cname CNAME a.cnamedname
|
|
|
900526 |
cnamedname DNAME target
|
|
|
900526 |
a.target A 10.0.0.3
|
|
|
900526 |
diff --git a/bin/tests/system/dname/tests.sh b/bin/tests/system/dname/tests.sh
|
|
|
900526 |
index 6dc9e88..1487bd9 100644
|
|
|
900526 |
--- a/bin/tests/system/dname/tests.sh
|
|
|
900526 |
+++ b/bin/tests/system/dname/tests.sh
|
|
|
900526 |
@@ -1,6 +1,6 @@
|
|
|
900526 |
#!/bin/sh
|
|
|
900526 |
#
|
|
|
900526 |
-# Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
|
|
|
900526 |
+# Copyright (C) 2011, 2012, 2017 Internet Systems Consortium, Inc. ("ISC")
|
|
|
900526 |
#
|
|
|
900526 |
# Permission to use, copy, modify, and/or distribute this software for any
|
|
|
900526 |
# purpose with or without fee is hereby granted, provided that the above
|
|
|
900526 |
@@ -57,10 +57,19 @@ grep "status: YXDOMAIN" dig.out.ns2.toolong > /dev/null || ret=1
|
|
|
900526 |
if [ $ret != 0 ]; then echo "I:failed"; fi
|
|
|
900526 |
status=`expr $status + $ret`
|
|
|
900526 |
|
|
|
900526 |
-echo "I:checking (too) long dname from recursive"
|
|
|
900526 |
+echo "I:checking (too) long dname from recursive with cached DNAME"
|
|
|
900526 |
ret=0
|
|
|
900526 |
-$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.toolong || ret=1
|
|
|
900526 |
-grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1
|
|
|
900526 |
+$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cachedtoolong || ret=1
|
|
|
900526 |
+grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1
|
|
|
900526 |
+grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1
|
|
|
900526 |
+if [ $ret != 0 ]; then echo "I:failed"; fi
|
|
|
900526 |
+status=`expr $status + $ret`
|
|
|
900526 |
+
|
|
|
900526 |
+echo "I:checking (too) long dname from recursive without cached DNAME"
|
|
|
900526 |
+ret=0
|
|
|
900526 |
+$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.uncachedtoolong || ret=1
|
|
|
900526 |
+grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1
|
|
|
900526 |
+grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1
|
|
|
900526 |
if [ $ret != 0 ]; then echo "I:failed"; fi
|
|
|
900526 |
status=`expr $status + $ret`
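Review bot: The two new checks depend on their order, but nothing in the script says so: the "with cached DNAME" query goes through `long-dname.example`, whose DNAME is presumably already in ns4's cache from checks that run earlier in the file, while the "without cached DNAME" query deliberately uses the separate `toolong-dname` owner that no earlier check has touched. If a later edit reorders these blocks or adds a `toolong-dname` lookup at ns4 above this point, the second case silently turns into a cached one and the regression it is meant to cover is no longer exercised. A one-line comment above the second `echo` would pin the dependency, e.g. `# must run after the cached-DNAME check; toolong-dname must not have been queried at ns4 before this point`. The added `grep '^toolong-dname\.example\..*DNAME.*long'` lines check that the DNAME itself is returned alongside YXDOMAIN and look like the right assertion for this fix, so they should stay.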
|
|
|
900526 |
|
|
|
900526 |
diff --git a/lib/dns/name.c b/lib/dns/name.c
|
|
|
900526 |
index 93173ee..d02e713 100644
|
|
|
900526 |
--- a/lib/dns/name.c
|
|
|
900526 |
+++ b/lib/dns/name.c
|
|
|
900526 |
@@ -2119,11 +2119,9 @@ dns_name_split(dns_name_t *name, unsigned int suffixlabels,
|
|
|
900526 |
REQUIRE(prefix != NULL || suffix != NULL);
|
|
|
900526 |
REQUIRE(prefix == NULL ||
|
|
|
900526 |
(VALID_NAME(prefix) &&
|
|
|
900526 |
- prefix->buffer != NULL &&
|
|
|
900526 |
BINDABLE(prefix)));
|
|
|
900526 |
REQUIRE(suffix == NULL ||
|
|
|
900526 |
(VALID_NAME(suffix) &&
|
|
|
900526 |
- suffix->buffer != NULL &&
|
|
|
900526 |
BINDABLE(suffix)));
|
|
|
900526 |
|
|
|
900526 |
splitlabel = name->labels - suffixlabels;
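Review bot: Dropping `prefix->buffer != NULL` and `suffix->buffer != NULL` from the two REQUIREs widens dns_name_split's contract — a caller may now pass a name with no dedicated buffer, as the resolver's DNAME handling elsewhere in this patch does with `dns_name_init(&prefix, NULL)` — but nothing here records that an unbuffered prefix or suffix is accepted or what storage it then refers to (presumably it is bound to `name`'s data rather than a copy; confirm against the body, which continues outside this hunk). A short comment next to the checks would make the new contract explicit, e.g. `/* prefix/suffix need not have their own buffer (see the resolver's DNAME handling). */`, and if the function's description in the public header still states that a buffer is required it should be brought in line with this change.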
|
|
|
900526 |
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
|
|
|
900526 |
index c3607fa..860a792 100644
|
|
|
900526 |
--- a/lib/dns/resolver.c
|
|
|
900526 |
+++ b/lib/dns/resolver.c
|
|
|
900526 |
@@ -3817,6 +3817,7 @@ is_lame(fetchctx_t *fctx) {
|
|
|
900526 |
isc_result_t result;
|
|
|
900526 |
|
|
|
900526 |
if (message->rcode != dns_rcode_noerror &&
|
|
|
900526 |
+ message->rcode != dns_rcode_yxdomain &&
|
|
|
900526 |
message->rcode != dns_rcode_nxdomain)
|
|
|
900526 |
return (ISC_FALSE);
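Review bot: The added `dns_rcode_yxdomain` case carries no comment saying why YXDOMAIN now falls through to the lameness checks, and the rest of is_lame (which starts outside this hunk) gives no hint either. Presumably it is there because a DNAME whose synthesised name exceeds the name length limit is answered with YXDOMAIN, which is a normal authoritative answer rather than a sign of a lame server, so it has to be examined like NOERROR and NXDOMAIN. A one-line comment above the condition would record that, e.g. `/* YXDOMAIN (DNAME expansion too long) is a legitimate answer; check it like NOERROR/NXDOMAIN. */`.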
|
|
|
900526 |
|
|
|
900526 |
@@ -5386,79 +5387,6 @@ chase_additional(fetchctx_t *fctx) {
|
|
|
900526 |
goto again;
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
-static inline isc_result_t
|
|
|
900526 |
-cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
|
|
|
900526 |
- isc_result_t result;
|
|
|
900526 |
- dns_rdata_t rdata = DNS_RDATA_INIT;
|
|
|
900526 |
- dns_rdata_cname_t cname;
|
|
|
900526 |
-
|
|
|
900526 |
- result = dns_rdataset_first(rdataset);
|
|
|
900526 |
- if (result != ISC_R_SUCCESS)
|
|
|
900526 |
- return (result);
|
|
|
900526 |
- dns_rdataset_current(rdataset, &rdata);
|
|
|
900526 |
- result = dns_rdata_tostruct(&rdata, &cname, NULL);
|
|
|
900526 |
- if (result != ISC_R_SUCCESS)
|
|
|
900526 |
- return (result);
|
|
|
900526 |
- dns_name_init(tname, NULL);
|
|
|
900526 |
- dns_name_clone(&cname.cname, tname);
|
|
|
900526 |
- dns_rdata_freestruct(&cname);
|
|
|
900526 |
-
|
|
|
900526 |
- return (ISC_R_SUCCESS);
|
|
|
900526 |
-}
|
|
|
900526 |
-
|
|
|
900526 |
-/*%
|
|
|
900526 |
- * Construct the synthesised CNAME from the existing QNAME and
|
|
|
900526 |
- * the DNAME RR and store it in 'target'.
|
|
|
900526 |
- */
|
|
|
900526 |
-static inline isc_result_t
|
|
|
900526 |
-dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
|
|
|
900526 |
- unsigned int nlabels, dns_name_t *target)
|
|
|
900526 |
-{
|
|
|
900526 |
- isc_result_t result;
|
|
|
900526 |
- dns_rdata_t rdata = DNS_RDATA_INIT;
|
|
|
900526 |
- dns_rdata_dname_t dname;
|
|
|
900526 |
- dns_fixedname_t prefix;
|
|
|
900526 |
-
|
|
|
900526 |
- /*
|
|
|
900526 |
- * Get the target name of the DNAME.
|
|
|
900526 |
- */
|
|
|
900526 |
- result = dns_rdataset_first(rdataset);
|
|
|
900526 |
- if (result != ISC_R_SUCCESS)
|
|
|
900526 |
- return (result);
|
|
|
900526 |
- dns_rdataset_current(rdataset, &rdata);
|
|
|
900526 |
- result = dns_rdata_tostruct(&rdata, &dname, NULL);
|
|
|
900526 |
- if (result != ISC_R_SUCCESS)
|
|
|
900526 |
- return (result);
|
|
|
900526 |
-
|
|
|
900526 |
- dns_fixedname_init(&prefix);
|
|
|
900526 |
- dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
|
|
|
900526 |
- result = dns_name_concatenate(dns_fixedname_name(&prefix),
|
|
|
900526 |
- &dname.dname, target, NULL);
|
|
|
900526 |
- dns_rdata_freestruct(&dname);
|
|
|
900526 |
- return (result);
|
|
|
900526 |
-}
|
|
|
900526 |
-
|
|
|
900526 |
-/*%
|
|
|
900526 |
- * Check if it was possible to construct 'qname' from 'lastcname'
|
|
|
900526 |
- * and 'rdataset'.
|
|
|
900526 |
- */
|
|
|
900526 |
-static inline isc_result_t
|
|
|
900526 |
-fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname,
|
|
|
900526 |
- unsigned int nlabels, const dns_name_t *qname)
|
|
|
900526 |
-{
|
|
|
900526 |
- dns_fixedname_t fixed;
|
|
|
900526 |
- isc_result_t result;
|
|
|
900526 |
- dns_name_t *target;
|
|
|
900526 |
-
|
|
|
900526 |
- dns_fixedname_init(&fixed);
|
|
|
900526 |
- target = dns_fixedname_name(&fixed);
|
|
|
900526 |
- result = dname_target(rdataset, lastcname, nlabels, target);
|
|
|
900526 |
- if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target))
|
|
|
900526 |
- return (ISC_R_NOTFOUND);
|
|
|
900526 |
-
|
|
|
900526 |
- return (ISC_R_SUCCESS);
|
|
|
900526 |
-}
|
|
|
900526 |
-
|
|
|
900526 |
static isc_boolean_t
|
|
|
900526 |
is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
|
|
|
900526 |
dns_rdataset_t *rdataset)
|
|
|
900526 |
@@ -5534,9 +5462,8 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
static isc_boolean_t
|
|
|
900526 |
-is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
|
|
|
900526 |
- dns_rdatatype_t type, dns_name_t *tname,
|
|
|
900526 |
- dns_name_t *domain)
|
|
|
900526 |
+is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
|
|
|
900526 |
+ dns_rdataset_t *rdataset, isc_boolean_t *chainingp)
|
|
|
900526 |
{
|
|
|
900526 |
isc_result_t result;
|
|
|
900526 |
dns_rbtnode_t *node = NULL;
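Review bot: The new signature replaces (view, name, type, tname, domain) with (fctx, qname, rname, rdataset, chainingp), yet the function still has no header comment, and `qname` versus `rname` in particular is easy to confuse: from the body, which continues outside this hunk, `rname` appears to be the owner name of `rdataset` and `qname` the name being resolved, and `chainingp` an optional out-parameter. A comment above `static isc_boolean_t` stating that `rdataset` must be the CNAME or DNAME rdataset found at `rname`, that for a DNAME `qname` is expected to be a subdomain of `rname`, that `*chainingp` (when non-NULL) is set once a target name has been derived, and that the return value is whether that target passes the view's deny-answer-names filtering would make the contract usable without reading the body.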
|
|
|
900526 |
@@ -5544,8 +5471,57 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
|
|
|
900526 |
char tnamebuf[DNS_NAME_FORMATSIZE];
|
|
|
900526 |
char classbuf[64];
|
|
|
900526 |
char typebuf[64];
|
|
|
900526 |
+ dns_name_t *tname = NULL;
|
|
|
900526 |
+ dns_rdata_cname_t cname;
|
|
|
900526 |
+ dns_rdata_dname_t dname;
|
|
|
900526 |
+ dns_view_t *view = fctx->res->view;
|
|
|
900526 |
+ dns_rdata_t rdata = DNS_RDATA_INIT;
|
|
|
900526 |
+ unsigned int nlabels;
|
|
|
900526 |
+ dns_fixedname_t fixed;
|
|
|
900526 |
+ dns_name_t prefix;
|
|
|
900526 |
+
|
|
|
900526 |
+ REQUIRE(rdataset != NULL);
|
|
|
900526 |
+ REQUIRE(rdataset->type == dns_rdatatype_cname ||
|
|
|
900526 |
+ rdataset->type == dns_rdatatype_dname);
|
|
|
900526 |
+
|
|
|
900526 |
+ /*
|
|
|
900526 |
+ * By default, we allow any target name.
|
|
|
900526 |
+ * If newqname != NULL we also need to extract the newqname.
|
|
|
900526 |
+ */
|
|
|
900526 |
+ if (chainingp == NULL && view->denyanswernames == NULL)
|
|
|
900526 |
+ return (ISC_TRUE);
|
|
|
900526 |
+
|
|
|
900526 |
+ result = dns_rdataset_first(rdataset);
|
|
|
900526 |
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
|
|
900526 |
+ dns_rdataset_current(rdataset, &rdata);
|
|
|
900526 |
+ switch (rdataset->type) {
|
|
|
900526 |
+ case dns_rdatatype_cname:
|
|
|
900526 |
+ result = dns_rdata_tostruct(&rdata, &cname, NULL);
|
|
|
900526 |
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
|
|
900526 |
+ tname = &cname.cname;
|
|
|
900526 |
+ break;
|
|
|
900526 |
+ case dns_rdatatype_dname:
|
|
|
900526 |
+ result = dns_rdata_tostruct(&rdata, &dname, NULL);
|
|
|
900526 |
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
|
|
900526 |
+ dns_name_init(&prefix, NULL);
|
|
|
900526 |
+ dns_fixedname_init(&fixed);
|
|
|
900526 |
+ tname = dns_fixedname_name(&fixed);
|
|
|
900526 |
+ nlabels = dns_name_countlabels(qname) -
|
|
|
900526 |
+ dns_name_countlabels(rname);
|
|
|
900526 |
+ dns_name_split(qname, nlabels, &prefix, NULL);
|
|
|
900526 |
+ result = dns_name_concatenate(&prefix, &dname.dname, tname,
|
|
|
900526 |
+ NULL);
|
|
|
900526 |
+ if (result == DNS_R_NAMETOOLONG)
|
|
|
900526 |
+ return (ISC_TRUE);
|
|
|
900526 |
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
|
|
900526 |
+ break;
|
|
|
900526 |
+ default:
|
|
|
900526 |
+ INSIST(0);
|
|
|
900526 |
+ }
|
|
|
900526 |
+
|
|
|
900526 |
+ if (chainingp != NULL)
|
|
|
900526 |
+ *chainingp = ISC_TRUE;
|
|
|
900526 |
|
|
|
900526 |
- /* By default, we allow any target name. */
|
|
|
900526 |
if (view->denyanswernames == NULL)
|
|
|
900526 |
return (ISC_TRUE);
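Review bot: The label count handed to dns_name_split is `dns_name_countlabels(qname) - dns_name_countlabels(rname)`, an unsigned subtraction with no check that `rname` is actually an ancestor of `qname`; if a caller ever passes a DNAME owner that is not, the count wraps and the split and concatenate operate on garbage rather than failing cleanly. The callers may guarantee the relation, but the function should at least state it next to the existing REQUIREs, e.g. `REQUIRE(rdataset->type != dns_rdatatype_dname || dns_name_issubdomain(qname, rname));`. The comment above the early return still refers to `newqname`, which no longer exists; it should read `If chainingp != NULL we also need to extract the target name.`. The early return on `DNS_R_NAMETOOLONG` leaves `*chainingp` untouched, which is plausibly intended because the response will be YXDOMAIN rather than a chain, but a one-line comment there would save the next reader the question.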
|
|
|
900526 |
|
|
|
900526 |
@@ -5554,8 +5530,8 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
|
|
|
900526 |
* or partially, allow it.
|
|
|
900526 |
*/
|
|
|
900526 |
if (view->answernames_exclude != NULL) {
|
|
|
900526 |
- result = dns_rbt_findnode(view->answernames_exclude, name, NULL,
|
|
|
900526 |
- &node, NULL, 0, NULL, NULL);
|
|
|
900526 |
+ result = dns_rbt_findnode(view->answernames_exclude, qname,
|
|
|
900526 |
+ NULL, &node, NULL, 0, NULL, NULL);
|
|
|
900526 |
if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
|
|
|
900526 |
return (ISC_TRUE);
|
|
|
900526 |
}
|
|
|
900526 |
@@ -5563,7 +5539,7 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
|
|
|
900526 |
/*
|
|
|
900526 |
* If the target name is a subdomain of the search domain, allow it.
|
|
|
900526 |
*/
|
|
|
900526 |
- if (dns_name_issubdomain(tname, domain))
|
|
|
900526 |
+ if (dns_name_issubdomain(tname, &fctx->domain))
|
|
|
900526 |
return (ISC_TRUE);
|
|
|
900526 |
|
|
|
900526 |
/*
|
|
|
900526 |
@@ -5572,9 +5548,9 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
|
|
|
900526 |
result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node,
|
|
|
900526 |
NULL, 0, NULL, NULL);
|
|
|
900526 |
if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
|
|
|
900526 |
- dns_name_format(name, qnamebuf, sizeof(qnamebuf));
|
|
|
900526 |
+ dns_name_format(qname, qnamebuf, sizeof(qnamebuf));
|
|
|
900526 |
dns_name_format(tname, tnamebuf, sizeof(tnamebuf));
|
|
|
900526 |
- dns_rdatatype_format(type, typebuf, sizeof(typebuf));
|
|
|
900526 |
+ dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
|
|
|
900526 |
dns_rdataclass_format(view->rdclass, classbuf,
|
|
|
900526 |
sizeof(classbuf));
|
|
|
900526 |
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
|
|
|
900526 |
@@ -6057,473 +6033,301 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
|
|
|
900526 |
return (ISC_R_SUCCESS);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
+static isc_boolean_t
|
|
|
900526 |
+validinanswer(dns_rdataset_t *rdataset, fetchctx_t *fctx) {
|
|
|
900526 |
+ if (rdataset->type == dns_rdatatype_nsec3) {
|
|
|
900526 |
+ /*
|
|
|
900526 |
+ * NSEC3 records are not allowed to
|
|
|
900526 |
+ * appear in the answer section.
|
|
|
900526 |
+ */
|
|
|
900526 |
+ log_formerr(fctx, "NSEC3 in answer");
|
|
|
900526 |
+ return (ISC_FALSE);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ if (rdataset->type == dns_rdatatype_tkey) {
|
|
|
900526 |
+ /*
|
|
|
900526 |
+ * TKEY is not a valid record in a
|
|
|
900526 |
+ * response to any query we can make.
|
|
|
900526 |
+ */
|
|
|
900526 |
+ log_formerr(fctx, "TKEY in answer");
|
|
|
900526 |
+ return (ISC_FALSE);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ if (rdataset->rdclass != fctx->res->rdclass) {
|
|
|
900526 |
+ log_formerr(fctx, "Mismatched class in answer");
|
|
|
900526 |
+ return (ISC_FALSE);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ return (ISC_TRUE);
|
|
|
900526 |
+}
|
|
|
900526 |
+
|
|
|
900526 |
static isc_result_t
|
|
|
900526 |
answer_response(fetchctx_t *fctx) {
|
|
|
900526 |
isc_result_t result;
|
|
|
900526 |
- dns_message_t *message;
|
|
|
900526 |
- dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
|
|
|
900526 |
- dns_name_t *cname = NULL, *lastcname = NULL;
|
|
|
900526 |
- dns_rdataset_t *rdataset, *ns_rdataset;
|
|
|
900526 |
- isc_boolean_t done, external, aa, found, want_chaining;
|
|
|
900526 |
- isc_boolean_t have_answer, found_cname, found_dname, found_type;
|
|
|
900526 |
- isc_boolean_t wanted_chaining;
|
|
|
900526 |
- unsigned int aflag, chaining;
|
|
|
900526 |
+ dns_message_t *message = NULL;
|
|
|
900526 |
+ dns_name_t *name = NULL, *qname = NULL, *ns_name = NULL;
|
|
|
900526 |
+ dns_name_t *aname = NULL, *cname = NULL, *dname = NULL;
|
|
|
900526 |
+ dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
|
|
|
900526 |
+ dns_rdataset_t *ardataset = NULL, *crdataset = NULL;
|
|
|
900526 |
+ dns_rdataset_t *drdataset = NULL, *ns_rdataset = NULL;
|
|
|
900526 |
+ isc_boolean_t done = ISC_FALSE, aa;
|
|
|
900526 |
+ unsigned int dname_labels, domain_labels;
|
|
|
900526 |
+ isc_boolean_t chaining = ISC_FALSE;
|
|
|
900526 |
dns_rdatatype_t type;
|
|
|
900526 |
- dns_fixedname_t fdname, fqname;
|
|
|
900526 |
- dns_view_t *view;
|
|
|
900526 |
+ dns_view_t *view = NULL;
|
|
|
900526 |
+ dns_trust_t trust;
|
|
|
900526 |
+
|
|
|
900526 |
+ REQUIRE(VALID_FCTX(fctx));
|
|
|
900526 |
|
|
|
900526 |
FCTXTRACE("answer_response");
|
|
|
900526 |
|
|
|
900526 |
message = fctx->rmessage;
|
|
|
900526 |
+ qname = &fctx->name;
|
|
|
900526 |
+ view = fctx->res->view;
|
|
|
900526 |
+ type = fctx->type;
|
|
|
900526 |
|
|
|
900526 |
/*
|
|
|
900526 |
- * Examine the answer section, marking those rdatasets which are
|
|
|
900526 |
- * part of the answer and should be cached.
|
|
|
900526 |
+ * There can be multiple RRSIG and SIG records at a name so
|
|
|
900526 |
+ * we treat these types as a subset of ANY.
|
|
|
900526 |
*/
|
|
|
900526 |
+ if (type == dns_rdatatype_rrsig || type == dns_rdatatype_sig) {
|
|
|
900526 |
+ type = dns_rdatatype_any;
|
|
|
900526 |
+ }
|
|
|
900526 |
|
|
|
900526 |
- done = ISC_FALSE;
|
|
|
900526 |
- found_cname = ISC_FALSE;
|
|
|
900526 |
- found_dname = ISC_FALSE;
|
|
|
900526 |
- found_type = ISC_FALSE;
|
|
|
900526 |
- have_answer = ISC_FALSE;
|
|
|
900526 |
- want_chaining = ISC_FALSE;
|
|
|
900526 |
- chaining = 0;
|
|
|
900526 |
- POST(want_chaining);
|
|
|
900526 |
- if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
|
|
|
900526 |
- aa = ISC_TRUE;
|
|
|
900526 |
- else
|
|
|
900526 |
- aa = ISC_FALSE;
|
|
|
900526 |
- qname = &fctx->name;
|
|
|
900526 |
- type = fctx->type;
|
|
|
900526 |
- view = fctx->res->view;
|
|
|
900526 |
- result = dns_message_firstname(message, DNS_SECTION_ANSWER);
|
|
|
900526 |
- while (!done && result == ISC_R_SUCCESS) {
|
|
|
900526 |
- dns_namereln_t namereln, lastreln;
|
|
|
900526 |
- int order, lastorder;
|
|
|
900526 |
- unsigned int nlabels, lastnlabels;
|
|
|
900526 |
+ /*
|
|
|
900526 |
+ * Bigger than any valid DNAME label count.
|
|
|
900526 |
+ */
|
|
|
900526 |
+ dname_labels = dns_name_countlabels(qname);
|
|
|
900526 |
+ domain_labels = dns_name_countlabels(&fctx->domain);
|
|
|
900526 |
+
|
|
|
900526 |
+ /*
|
|
|
900526 |
+ * Perform a single pass looking for the answer, cname or covering
|
|
|
900526 |
+ * dname.
|
|
|
900526 |
+ */
|
|
|
900526 |
+ for (result = dns_message_firstname(message, DNS_SECTION_ANSWER);
|
|
|
900526 |
+ result == ISC_R_SUCCESS;
|
|
|
900526 |
+ result = dns_message_nextname(message, DNS_SECTION_ANSWER))
|
|
|
900526 |
+ {
|
|
|
900526 |
+ int order;
|
|
|
900526 |
+ unsigned int nlabels;
|
|
|
900526 |
+ dns_namereln_t namereln;
|
|
|
900526 |
|
|
|
900526 |
name = NULL;
|
|
|
900526 |
dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
|
|
|
900526 |
- external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
|
|
|
900526 |
namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
|
|
|
900526 |
-
|
|
|
900526 |
- if (namereln == dns_namereln_equal) {
|
|
|
900526 |
- wanted_chaining = ISC_FALSE;
|
|
|
900526 |
+ switch (namereln) {
|
|
|
900526 |
+ case dns_namereln_equal:
|
|
|
900526 |
for (rdataset = ISC_LIST_HEAD(name->list);
|
|
|
900526 |
rdataset != NULL;
|
|
|
900526 |
- rdataset = ISC_LIST_NEXT(rdataset, link)) {
|
|
|
900526 |
- found = ISC_FALSE;
|
|
|
900526 |
- want_chaining = ISC_FALSE;
|
|
|
900526 |
- aflag = 0;
|
|
|
900526 |
- if (rdataset->type == dns_rdatatype_nsec3) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * NSEC3 records are not allowed to
|
|
|
900526 |
- * appear in the answer section.
|
|
|
900526 |
- */
|
|
|
900526 |
- log_formerr(fctx, "NSEC3 in answer");
|
|
|
900526 |
- return (DNS_R_FORMERR);
|
|
|
900526 |
- }
|
|
|
900526 |
- if (rdataset->type == dns_rdatatype_tkey) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * TKEY is not a valid record in a
|
|
|
900526 |
- * response to any query we can make.
|
|
|
900526 |
- */
|
|
|
900526 |
- log_formerr(fctx, "TKEY in answer");
|
|
|
900526 |
- return (DNS_R_FORMERR);
|
|
|
900526 |
- }
|
|
|
900526 |
- if (rdataset->rdclass != fctx->res->rdclass) {
|
|
|
900526 |
- log_formerr(fctx, "Mismatched class "
|
|
|
900526 |
- "in answer");
|
|
|
900526 |
- return (DNS_R_FORMERR);
|
|
|
900526 |
- }
|
|
|
900526 |
-
|
|
|
900526 |
- /*
|
|
|
900526 |
- * Apply filters, if given, on answers to reject
|
|
|
900526 |
- * a malicious attempt of rebinding.
|
|
|
900526 |
- */
|
|
|
900526 |
- if ((rdataset->type == dns_rdatatype_a ||
|
|
|
900526 |
- rdataset->type == dns_rdatatype_aaaa) &&
|
|
|
900526 |
- !is_answeraddress_allowed(view, name,
|
|
|
900526 |
- rdataset)) {
|
|
|
900526 |
- return (DNS_R_SERVFAIL);
|
|
|
900526 |
- }
|
|
|
900526 |
-
|
|
|
900526 |
- if (rdataset->type == type && !found_cname) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * We've found an ordinary answer.
|
|
|
900526 |
- */
|
|
|
900526 |
- found = ISC_TRUE;
|
|
|
900526 |
- found_type = ISC_TRUE;
|
|
|
900526 |
- done = ISC_TRUE;
|
|
|
900526 |
- aflag = DNS_RDATASETATTR_ANSWER;
|
|
|
900526 |
- } else if (type == dns_rdatatype_any) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * We've found an answer matching
|
|
|
900526 |
- * an ANY query. There may be
|
|
|
900526 |
- * more.
|
|
|
900526 |
- */
|
|
|
900526 |
- found = ISC_TRUE;
|
|
|
900526 |
- aflag = DNS_RDATASETATTR_ANSWER;
|
|
|
900526 |
- } else if (rdataset->type == dns_rdatatype_rrsig
|
|
|
900526 |
- && rdataset->covers == type
|
|
|
900526 |
- && !found_cname) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * We've found a signature that
|
|
|
900526 |
- * covers the type we're looking for.
|
|
|
900526 |
- */
|
|
|
900526 |
- found = ISC_TRUE;
|
|
|
900526 |
- found_type = ISC_TRUE;
|
|
|
900526 |
- aflag = DNS_RDATASETATTR_ANSWERSIG;
|
|
|
900526 |
- } else if (rdataset->type ==
|
|
|
900526 |
- dns_rdatatype_cname
|
|
|
900526 |
- && !found_type) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * We're looking for something else,
|
|
|
900526 |
- * but we found a CNAME.
|
|
|
900526 |
- *
|
|
|
900526 |
- * Getting a CNAME response for some
|
|
|
900526 |
- * query types is an error, see
|
|
|
900526 |
- * RFC 4035, Section 2.5.
|
|
|
900526 |
- */
|
|
|
900526 |
- if (type == dns_rdatatype_rrsig ||
|
|
|
900526 |
- type == dns_rdatatype_key ||
|
|
|
900526 |
- type == dns_rdatatype_nsec) {
|
|
|
900526 |
- char buf[DNS_RDATATYPE_FORMATSIZE];
|
|
|
900526 |
- dns_rdatatype_format(fctx->type,
|
|
|
900526 |
- buf, sizeof(buf));
|
|
|
900526 |
- log_formerr(fctx,
|
|
|
900526 |
- "CNAME response "
|
|
|
900526 |
- "for %s RR", buf);
|
|
|
900526 |
- return (DNS_R_FORMERR);
|
|
|
900526 |
- }
|
|
|
900526 |
- found = ISC_TRUE;
|
|
|
900526 |
- found_cname = ISC_TRUE;
|
|
|
900526 |
- want_chaining = ISC_TRUE;
|
|
|
900526 |
- aflag = DNS_RDATASETATTR_ANSWER;
|
|
|
900526 |
- result = cname_target(rdataset,
|
|
|
900526 |
- &tname);
|
|
|
900526 |
- if (result != ISC_R_SUCCESS)
|
|
|
900526 |
- return (result);
|
|
|
900526 |
- /* Apply filters on the target name. */
|
|
|
900526 |
- if (!is_answertarget_allowed(view,
|
|
|
900526 |
- name,
|
|
|
900526 |
- rdataset->type,
|
|
|
900526 |
- &tname,
|
|
|
900526 |
- &fctx->domain)) {
|
|
|
900526 |
- return (DNS_R_SERVFAIL);
|
|
|
900526 |
+ rdataset = ISC_LIST_NEXT(rdataset, link))
|
|
|
900526 |
+ {
|
|
|
900526 |
+ if (rdataset->type == type ||
|
|
|
900526 |
+ type == dns_rdatatype_any)
|
|
|
900526 |
+ {
|
|
|
900526 |
+ aname = name;
|
|
|
900526 |
+ if (type != dns_rdatatype_any) {
|
|
|
900526 |
+ ardataset = rdataset;
|
|
|
900526 |
}
|
|
|
900526 |
- lastcname = name;
|
|
|
900526 |
- } else if (rdataset->type == dns_rdatatype_rrsig
|
|
|
900526 |
- && rdataset->covers ==
|
|
|
900526 |
- dns_rdatatype_cname
|
|
|
900526 |
- && !found_type) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * We're looking for something else,
|
|
|
900526 |
- * but we found a SIG CNAME.
|
|
|
900526 |
- */
|
|
|
900526 |
- found = ISC_TRUE;
|
|
|
900526 |
- found_cname = ISC_TRUE;
|
|
|
900526 |
- aflag = DNS_RDATASETATTR_ANSWERSIG;
|
|
|
900526 |
+ break;
|
|
|
900526 |
}
|
|
|
900526 |
-
|
|
|
900526 |
- if (found) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * We've found an answer to our
|
|
|
900526 |
- * question.
|
|
|
900526 |
- */
|
|
|
900526 |
- name->attributes |=
|
|
|
900526 |
- DNS_NAMEATTR_CACHE;
|
|
|
900526 |
- rdataset->attributes |=
|
|
|
900526 |
- DNS_RDATASETATTR_CACHE;
|
|
|
900526 |
- rdataset->trust = dns_trust_answer;
|
|
|
900526 |
- if (chaining == 0) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * This data is "the" answer
|
|
|
900526 |
- * to our question only if
|
|
|
900526 |
- * we're not chaining (i.e.
|
|
|
900526 |
- * if we haven't followed
|
|
|
900526 |
- * a CNAME or DNAME).
|
|
|
900526 |
- */
|
|
|
900526 |
- INSIST(!external);
|
|
|
900526 |
- /*
|
|
|
900526 |
- * Don't use found_cname here
|
|
|
900526 |
- * as we have just set it
|
|
|
900526 |
- * above.
|
|
|
900526 |
- */
|
|
|
900526 |
- if (cname == NULL &&
|
|
|
900526 |
- !found_dname &&
|
|
|
900526 |
- aflag ==
|
|
|
900526 |
- DNS_RDATASETATTR_ANSWER)
|
|
|
900526 |
- {
|
|
|
900526 |
- have_answer = ISC_TRUE;
|
|
|
900526 |
- if (found_cname &&
|
|
|
900526 |
- cname == NULL)
|
|
|
900526 |
- cname = name;
|
|
|
900526 |
- name->attributes |=
|
|
|
900526 |
- DNS_NAMEATTR_ANSWER;
|
|
|
900526 |
- }
|
|
|
900526 |
- rdataset->attributes |= aflag;
|
|
|
900526 |
- if (aa)
|
|
|
900526 |
- rdataset->trust =
|
|
|
900526 |
- dns_trust_authanswer;
|
|
|
900526 |
- } else if (external) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * This data is outside of
|
|
|
900526 |
- * our query domain, and
|
|
|
900526 |
- * may not be cached.
|
|
|
900526 |
- */
|
|
|
900526 |
- rdataset->attributes |=
|
|
|
900526 |
- DNS_RDATASETATTR_EXTERNAL;
|
|
|
900526 |
- }
|
|
|
900526 |
-
|
|
|
900526 |
- /*
|
|
|
900526 |
- * Mark any additional data related
|
|
|
900526 |
- * to this rdataset.
|
|
|
900526 |
- */
|
|
|
900526 |
- (void)dns_rdataset_additionaldata(
|
|
|
900526 |
- rdataset,
|
|
|
900526 |
- check_related,
|
|
|
900526 |
- fctx);
|
|
|
900526 |
-
|
|
|
900526 |
- /*
|
|
|
900526 |
- * CNAME chaining.
|
|
|
900526 |
- */
|
|
|
900526 |
- if (want_chaining) {
|
|
|
900526 |
- wanted_chaining = ISC_TRUE;
|
|
|
900526 |
- name->attributes |=
|
|
|
900526 |
- DNS_NAMEATTR_CHAINING;
|
|
|
900526 |
- rdataset->attributes |=
|
|
|
900526 |
- DNS_RDATASETATTR_CHAINING;
|
|
|
900526 |
- qname = &tname;
|
|
|
900526 |
- }
|
|
|
900526 |
+ if (rdataset->type == dns_rdatatype_cname) {
|
|
|
900526 |
+ cname = name;
|
|
|
900526 |
+ crdataset = rdataset;
|
|
|
900526 |
+ break;
|
|
|
900526 |
}
|
|
|
900526 |
- /*
|
|
|
900526 |
- * We could add an "else" clause here and
|
|
|
900526 |
- * log that we're ignoring this rdataset.
|
|
|
900526 |
- */
|
|
|
900526 |
}
|
|
|
900526 |
+ break;
|
|
|
900526 |
+
|
|
|
900526 |
+ case dns_namereln_subdomain:
|
|
|
900526 |
/*
|
|
|
900526 |
- * If wanted_chaining is true, we've done
|
|
|
900526 |
- * some chaining as the result of processing
|
|
|
900526 |
- * this node, and thus we need to set
|
|
|
900526 |
- * chaining to true.
|
|
|
900526 |
- *
|
|
|
900526 |
- * We don't set chaining inside of the
|
|
|
900526 |
- * rdataset loop because doing that would
|
|
|
900526 |
- * cause us to ignore the signatures of
|
|
|
900526 |
- * CNAMEs.
|
|
|
900526 |
+ * In-scope DNAME records must have at least
|
|
|
900526 |
+ * as many labels as the domain being queried.
|
|
|
900526 |
+ * They also must be less that qname's labels
|
|
|
900526 |
+ * and any previously found dname.
|
|
|
900526 |
*/
|
|
|
900526 |
- if (wanted_chaining && chaining < 2U)
|
|
|
900526 |
- chaining++;
|
|
|
900526 |
- } else {
|
|
|
900526 |
- dns_rdataset_t *dnameset = NULL;
|
|
|
900526 |
- isc_boolean_t synthcname = ISC_FALSE;
|
|
|
900526 |
-
|
|
|
900526 |
- if (lastcname != NULL) {
|
|
|
900526 |
- lastreln = dns_name_fullcompare(lastcname,
|
|
|
900526 |
- name,
|
|
|
900526 |
- &lastorder,
|
|
|
900526 |
- &lastnlabels);
|
|
|
900526 |
- if (lastreln == dns_namereln_subdomain &&
|
|
|
900526 |
- lastnlabels == dns_name_countlabels(name))
|
|
|
900526 |
- synthcname = ISC_TRUE;
|
|
|
900526 |
+ if (nlabels >= dname_labels || nlabels < domain_labels)
|
|
|
900526 |
+ {
|
|
|
900526 |
+ continue;
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
/*
|
|
|
900526 |
- * Look for a DNAME (or its SIG). Anything else is
|
|
|
900526 |
- * ignored.
|
|
|
900526 |
+ * We are looking for the shortest DNAME if there
|
|
|
900526 |
+ * are multiple ones (which there shouldn't be).
|
|
|
900526 |
*/
|
|
|
900526 |
- wanted_chaining = ISC_FALSE;
|
|
|
900526 |
for (rdataset = ISC_LIST_HEAD(name->list);
|
|
|
900526 |
rdataset != NULL;
|
|
|
900526 |
rdataset = ISC_LIST_NEXT(rdataset, link))
|
|
|
900526 |
{
|
|
|
900526 |
- if (rdataset->rdclass != fctx->res->rdclass) {
|
|
|
900526 |
- log_formerr(fctx, "Mismatched class "
|
|
|
900526 |
- "in answer");
|
|
|
900526 |
- return (DNS_R_FORMERR);
|
|
|
900526 |
- }
|
|
|
900526 |
-
|
|
|
900526 |
- /*
|
|
|
900526 |
- * Only pass DNAME or RRSIG(DNAME).
|
|
|
900526 |
- */
|
|
|
900526 |
- if (rdataset->type != dns_rdatatype_dname &&
|
|
|
900526 |
- (rdataset->type != dns_rdatatype_rrsig ||
|
|
|
900526 |
- rdataset->covers != dns_rdatatype_dname))
|
|
|
900526 |
+ if (rdataset->type != dns_rdatatype_dname) {
|
|
|
900526 |
continue;
|
|
|
900526 |
-
|
|
|
900526 |
- /*
|
|
|
900526 |
- * If we're not chaining, then the DNAME and
|
|
|
900526 |
- * its signature should not be external.
|
|
|
900526 |
- */
|
|
|
900526 |
- if (chaining == 0 && external) {
|
|
|
900526 |
- char qbuf[DNS_NAME_FORMATSIZE];
|
|
|
900526 |
- char obuf[DNS_NAME_FORMATSIZE];
|
|
|
900526 |
-
|
|
|
900526 |
- dns_name_format(name, qbuf,
|
|
|
900526 |
- sizeof(qbuf));
|
|
|
900526 |
- dns_name_format(&fctx->domain, obuf,
|
|
|
900526 |
- sizeof(obuf));
|
|
|
900526 |
- log_formerr(fctx, "external DNAME or "
|
|
|
900526 |
- "RRSIG covering DNAME "
|
|
|
900526 |
- "in answer: %s is "
|
|
|
900526 |
- "not in %s", qbuf, obuf);
|
|
|
900526 |
- return (DNS_R_FORMERR);
|
|
|
900526 |
- }
|
|
|
900526 |
-
|
|
|
900526 |
- /*
|
|
|
900526 |
- * If DNAME + synthetic CNAME then the
|
|
|
900526 |
- * namereln is dns_namereln_subdomain.
|
|
|
900526 |
- */
|
|
|
900526 |
- if (namereln != dns_namereln_subdomain &&
|
|
|
900526 |
- !synthcname)
|
|
|
900526 |
- {
|
|
|
900526 |
- char qbuf[DNS_NAME_FORMATSIZE];
|
|
|
900526 |
- char obuf[DNS_NAME_FORMATSIZE];
|
|
|
900526 |
-
|
|
|
900526 |
- dns_name_format(qname, qbuf,
|
|
|
900526 |
- sizeof(qbuf));
|
|
|
900526 |
- dns_name_format(name, obuf,
|
|
|
900526 |
- sizeof(obuf));
|
|
|
900526 |
- log_formerr(fctx, "unrelated DNAME "
|
|
|
900526 |
- "in answer: %s is "
|
|
|
900526 |
- "not in %s", qbuf, obuf);
|
|
|
900526 |
- return (DNS_R_FORMERR);
|
|
|
900526 |
}
|
|
|
900526 |
+ dname = name;
|
|
|
900526 |
+ drdataset = rdataset;
|
|
|
900526 |
+ dname_labels = nlabels;
|
|
|
900526 |
+ break;
|
|
|
900526 |
+ }
|
|
|
900526 |
+ break;
|
|
|
900526 |
+ default:
|
|
|
900526 |
+ break;
|
|
|
900526 |
+ }
|
|
|
900526 |
+ }
|
|
|
900526 |
|
|
|
900526 |
- aflag = 0;
|
|
|
900526 |
- if (rdataset->type == dns_rdatatype_dname) {
|
|
|
900526 |
- want_chaining = ISC_TRUE;
|
|
|
900526 |
- POST(want_chaining);
|
|
|
900526 |
- aflag = DNS_RDATASETATTR_ANSWER;
|
|
|
900526 |
- dns_fixedname_init(&fdname);
|
|
|
900526 |
- dname = dns_fixedname_name(&fdname);
|
|
|
900526 |
- if (synthcname) {
|
|
|
900526 |
- result = fromdname(rdataset,
|
|
|
900526 |
- lastcname,
|
|
|
900526 |
- lastnlabels,
|
|
|
900526 |
- qname);
|
|
|
900526 |
- } else {
|
|
|
900526 |
- result = dname_target(rdataset,
|
|
|
900526 |
- qname,
|
|
|
900526 |
- nlabels,
|
|
|
900526 |
- dname);
|
|
|
900526 |
- }
|
|
|
900526 |
- if (result == ISC_R_NOSPACE) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * We can't construct the
|
|
|
900526 |
- * DNAME target. Do not
|
|
|
900526 |
- * try to continue.
|
|
|
900526 |
- */
|
|
|
900526 |
- want_chaining = ISC_FALSE;
|
|
|
900526 |
- POST(want_chaining);
|
|
|
900526 |
- } else if (result != ISC_R_SUCCESS)
|
|
|
900526 |
- return (result);
|
|
|
900526 |
- else
|
|
|
900526 |
- dnameset = rdataset;
|
|
|
900526 |
+ if (dname != NULL) {
|
|
|
900526 |
+ aname = NULL;
|
|
|
900526 |
+ ardataset = NULL;
|
|
|
900526 |
+ cname = NULL;
|
|
|
900526 |
+ crdataset = NULL;
|
|
|
900526 |
+ } else if (aname != NULL) {
|
|
|
900526 |
+ cname = NULL;
|
|
|
900526 |
+ crdataset = NULL;
|
|
|
900526 |
+ }
|
|
|
900526 |
|
|
|
900526 |
- if (!synthcname &&
|
|
|
900526 |
- !is_answertarget_allowed(view,
|
|
|
900526 |
- qname, rdataset->type,
|
|
|
900526 |
- dname, &fctx->domain))
|
|
|
900526 |
- {
|
|
|
900526 |
- return (DNS_R_SERVFAIL);
|
|
|
900526 |
- }
|
|
|
900526 |
- } else {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * We've found a signature that
|
|
|
900526 |
- * covers the DNAME.
|
|
|
900526 |
- */
|
|
|
900526 |
- aflag = DNS_RDATASETATTR_ANSWERSIG;
|
|
|
900526 |
- }
|
|
|
900526 |
+ aa = ISC_TF((message->flags & DNS_MESSAGEFLAG_AA) != 0);
|
|
|
900526 |
+ trust = aa ? dns_trust_authanswer : dns_trust_answer;
|
|
|
900526 |
|
|
|
900526 |
- /*
|
|
|
900526 |
- * We've found an answer to our
|
|
|
900526 |
- * question.
|
|
|
900526 |
- */
|
|
|
900526 |
- name->attributes |= DNS_NAMEATTR_CACHE;
|
|
|
900526 |
- rdataset->attributes |= DNS_RDATASETATTR_CACHE;
|
|
|
900526 |
- rdataset->trust = dns_trust_answer;
|
|
|
900526 |
- /*
|
|
|
900526 |
- * If we are not chaining or the first CNAME
|
|
|
900526 |
- * is a synthesised CNAME before the DNAME.
|
|
|
900526 |
- */
|
|
|
900526 |
- if ((chaining == 0) ||
|
|
|
900526 |
- (chaining == 1U && synthcname))
|
|
|
900526 |
- {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * This data is "the" answer to
|
|
|
900526 |
- * our question only if we're
|
|
|
900526 |
- * not chaining.
|
|
|
900526 |
- */
|
|
|
900526 |
- INSIST(!external);
|
|
|
900526 |
- if (aflag == DNS_RDATASETATTR_ANSWER) {
|
|
|
900526 |
- have_answer = ISC_TRUE;
|
|
|
900526 |
- found_dname = ISC_TRUE;
|
|
|
900526 |
- if (cname != NULL &&
|
|
|
900526 |
- synthcname)
|
|
|
900526 |
- {
|
|
|
900526 |
- cname->attributes &=
|
|
|
900526 |
- ~DNS_NAMEATTR_ANSWER;
|
|
|
900526 |
- }
|
|
|
900526 |
- name->attributes |=
|
|
|
900526 |
- DNS_NAMEATTR_ANSWER;
|
|
|
900526 |
- }
|
|
|
900526 |
- rdataset->attributes |= aflag;
|
|
|
900526 |
- if (aa)
|
|
|
900526 |
- rdataset->trust =
|
|
|
900526 |
- dns_trust_authanswer;
|
|
|
900526 |
- } else if (external) {
|
|
|
900526 |
- rdataset->attributes |=
|
|
|
900526 |
- DNS_RDATASETATTR_EXTERNAL;
|
|
|
900526 |
- }
|
|
|
900526 |
+ if (aname != NULL && type == dns_rdatatype_any) {
|
|
|
900526 |
+ for (rdataset = ISC_LIST_HEAD(aname->list);
|
|
|
900526 |
+ rdataset != NULL;
|
|
|
900526 |
+ rdataset = ISC_LIST_NEXT(rdataset, link))
|
|
|
900526 |
+ {
|
|
|
900526 |
+ if (!validinanswer(rdataset, fctx)) {
|
|
|
900526 |
+ return (DNS_R_FORMERR);
|
|
|
900526 |
}
|
|
|
900526 |
-
|
|
|
900526 |
- /*
|
|
|
900526 |
- * DNAME chaining.
|
|
|
900526 |
- */
|
|
|
900526 |
- if (dnameset != NULL) {
|
|
|
900526 |
- if (!synthcname) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * Copy the dname into the qname fixed
|
|
|
900526 |
- * name.
|
|
|
900526 |
- *
|
|
|
900526 |
- * Although we check for failure of the
|
|
|
900526 |
- * copy operation, in practice it
|
|
|
900526 |
- * should never fail since we already
|
|
|
900526 |
- * know that the result fits in a
|
|
|
900526 |
- * fixedname.
|
|
|
900526 |
- */
|
|
|
900526 |
- dns_fixedname_init(&fqname);
|
|
|
900526 |
- qname = dns_fixedname_name(&fqname);
|
|
|
900526 |
- result = dns_name_copy(dname, qname,
|
|
|
900526 |
- NULL);
|
|
|
900526 |
- if (result != ISC_R_SUCCESS)
|
|
|
900526 |
- return (result);
|
|
|
900526 |
- }
|
|
|
900526 |
- wanted_chaining = ISC_TRUE;
|
|
|
900526 |
- name->attributes |= DNS_NAMEATTR_CHAINING;
|
|
|
900526 |
- dnameset->attributes |=
|
|
|
900526 |
- DNS_RDATASETATTR_CHAINING;
|
|
|
900526 |
+ if ((fctx->type == dns_rdatatype_sig ||
|
|
|
900526 |
+ fctx->type == dns_rdatatype_rrsig) &&
|
|
|
900526 |
+ rdataset->type != fctx->type)
|
|
|
900526 |
+ {
|
|
|
900526 |
+ continue;
|
|
|
900526 |
}
|
|
|
900526 |
- /*
|
|
|
900526 |
- * Ensure that we can't ever get chaining == 1
|
|
|
900526 |
- * above if we have processed a DNAME.
|
|
|
900526 |
- */
|
|
|
900526 |
- if (wanted_chaining && chaining < 2U)
|
|
|
900526 |
- chaining += 2;
|
|
|
900526 |
+ if ((rdataset->type == dns_rdatatype_a ||
|
|
|
900526 |
+ rdataset->type == dns_rdatatype_aaaa) &&
|
|
|
900526 |
+ !is_answeraddress_allowed(view, aname, rdataset))
|
|
|
900526 |
+ {
|
|
|
900526 |
+ return (DNS_R_SERVFAIL);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ if ((rdataset->type == dns_rdatatype_cname ||
|
|
|
900526 |
+ rdataset->type == dns_rdatatype_dname) &&
|
|
|
900526 |
+ !is_answertarget_allowed(fctx, qname, aname,
|
|
|
900526 |
+ rdataset, NULL))
|
|
|
900526 |
+ {
|
|
|
900526 |
+ return (DNS_R_SERVFAIL);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ aname->attributes |= DNS_NAMEATTR_CACHE;
|
|
|
900526 |
+ aname->attributes |= DNS_NAMEATTR_ANSWER;
|
|
|
900526 |
+ rdataset->attributes |= DNS_RDATASETATTR_ANSWER;
|
|
|
900526 |
+ rdataset->attributes |= DNS_RDATASETATTR_CACHE;
|
|
|
900526 |
+ rdataset->trust = trust;
|
|
|
900526 |
+ (void)dns_rdataset_additionaldata(rdataset,
|
|
|
900526 |
+ check_related,
|
|
|
900526 |
+ fctx);
|
|
|
900526 |
}
|
|
|
900526 |
- result = dns_message_nextname(message, DNS_SECTION_ANSWER);
|
|
|
900526 |
- }
|
|
|
900526 |
- if (result == ISC_R_NOMORE)
|
|
|
900526 |
- result = ISC_R_SUCCESS;
|
|
|
900526 |
- if (result != ISC_R_SUCCESS)
|
|
|
900526 |
- return (result);
|
|
|
900526 |
-
|
|
|
900526 |
- /*
|
|
|
900526 |
- * We should have found an answer.
|
|
|
900526 |
- */
|
|
|
900526 |
- if (!have_answer) {
|
|
|
900526 |
+ } else if (aname != NULL) {
|
|
|
900526 |
+ if (!validinanswer(ardataset, fctx))
|
|
|
900526 |
+ return (DNS_R_FORMERR);
|
|
|
900526 |
+ if ((ardataset->type == dns_rdatatype_a ||
|
|
|
900526 |
+ ardataset->type == dns_rdatatype_aaaa) &&
|
|
|
900526 |
+ !is_answeraddress_allowed(view, aname, ardataset)) {
|
|
|
900526 |
+ return (DNS_R_SERVFAIL);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ if ((ardataset->type == dns_rdatatype_cname ||
|
|
|
900526 |
+ ardataset->type == dns_rdatatype_dname) &&
|
|
|
900526 |
+ !is_answertarget_allowed(fctx, qname, aname, ardataset,
|
|
|
900526 |
+ NULL))
|
|
|
900526 |
+ {
|
|
|
900526 |
+ return (DNS_R_SERVFAIL);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ aname->attributes |= DNS_NAMEATTR_CACHE;
|
|
|
900526 |
+ aname->attributes |= DNS_NAMEATTR_ANSWER;
|
|
|
900526 |
+ ardataset->attributes |= DNS_RDATASETATTR_ANSWER;
|
|
|
900526 |
+ ardataset->attributes |= DNS_RDATASETATTR_CACHE;
|
|
|
900526 |
+ ardataset->trust = trust;
|
|
|
900526 |
+ (void)dns_rdataset_additionaldata(ardataset, check_related,
|
|
|
900526 |
+ fctx);
|
|
|
900526 |
+ for (sigrdataset = ISC_LIST_HEAD(aname->list);
|
|
|
900526 |
+ sigrdataset != NULL;
|
|
|
900526 |
+ sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
|
|
|
900526 |
+ if (!validinanswer(sigrdataset, fctx))
|
|
|
900526 |
+ return (DNS_R_FORMERR);
|
|
|
900526 |
+ if (sigrdataset->type != dns_rdatatype_rrsig ||
|
|
|
900526 |
+ sigrdataset->covers != type)
|
|
|
900526 |
+ continue;
|
|
|
900526 |
+ sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
|
|
|
900526 |
+ sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
|
|
|
900526 |
+ sigrdataset->trust = trust;
|
|
|
900526 |
+ break;
|
|
|
900526 |
+ }
|
|
|
900526 |
+ } else if (cname != NULL) {
|
|
|
900526 |
+ if (!validinanswer(crdataset, fctx)) {
|
|
|
900526 |
+ return (DNS_R_FORMERR);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ if (type == dns_rdatatype_rrsig || type == dns_rdatatype_key ||
|
|
|
900526 |
+ type == dns_rdatatype_nsec)
|
|
|
900526 |
+ {
|
|
|
900526 |
+ char buf[DNS_RDATATYPE_FORMATSIZE];
|
|
|
900526 |
+ dns_rdatatype_format(type, buf, sizeof(buf));
|
|
|
900526 |
+ log_formerr(fctx, "CNAME response for %s RR", buf);
|
|
|
900526 |
+ return (DNS_R_FORMERR);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ if (!is_answertarget_allowed(fctx, qname, cname, crdataset,
|
|
|
900526 |
+ NULL))
|
|
|
900526 |
+ {
|
|
|
900526 |
+ return (DNS_R_SERVFAIL);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ cname->attributes |= DNS_NAMEATTR_CACHE;
|
|
|
900526 |
+ cname->attributes |= DNS_NAMEATTR_ANSWER;
|
|
|
900526 |
+ cname->attributes |= DNS_NAMEATTR_CHAINING;
|
|
|
900526 |
+ crdataset->attributes |= DNS_RDATASETATTR_ANSWER;
|
|
|
900526 |
+ crdataset->attributes |= DNS_RDATASETATTR_CACHE;
|
|
|
900526 |
+ crdataset->attributes |= DNS_RDATASETATTR_CHAINING;
|
|
|
900526 |
+ crdataset->trust = trust;
|
|
|
900526 |
+ for (sigrdataset = ISC_LIST_HEAD(cname->list);
|
|
|
900526 |
+ sigrdataset != NULL;
|
|
|
900526 |
+ sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
|
|
|
900526 |
+ {
|
|
|
900526 |
+ if (!validinanswer(sigrdataset, fctx)) {
|
|
|
900526 |
+ return (DNS_R_FORMERR);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ if (sigrdataset->type != dns_rdatatype_rrsig ||
|
|
|
900526 |
+ sigrdataset->covers != dns_rdatatype_cname)
|
|
|
900526 |
+ {
|
|
|
900526 |
+ continue;
|
|
|
900526 |
+ }
|
|
|
900526 |
+ sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
|
|
|
900526 |
+ sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
|
|
|
900526 |
+ sigrdataset->trust = trust;
|
|
|
900526 |
+ break;
|
|
|
900526 |
+ }
|
|
|
900526 |
+ chaining = ISC_TRUE;
|
|
|
900526 |
+ } else if (dname != NULL) {
|
|
|
900526 |
+ if (!validinanswer(drdataset, fctx)) {
|
|
|
900526 |
+ return (DNS_R_FORMERR);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ if (!is_answertarget_allowed(fctx, qname, dname, drdataset,
|
|
|
900526 |
+ &chaining)) {
|
|
|
900526 |
+ return (DNS_R_SERVFAIL);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ dname->attributes |= DNS_NAMEATTR_CACHE;
|
|
|
900526 |
+ dname->attributes |= DNS_NAMEATTR_ANSWER;
|
|
|
900526 |
+ dname->attributes |= DNS_NAMEATTR_CHAINING;
|
|
|
900526 |
+ drdataset->attributes |= DNS_RDATASETATTR_ANSWER;
|
|
|
900526 |
+ drdataset->attributes |= DNS_RDATASETATTR_CACHE;
|
|
|
900526 |
+ drdataset->attributes |= DNS_RDATASETATTR_CHAINING;
|
|
|
900526 |
+ drdataset->trust = trust;
|
|
|
900526 |
+ for (sigrdataset = ISC_LIST_HEAD(dname->list);
|
|
|
900526 |
+ sigrdataset != NULL;
|
|
|
900526 |
+ sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
|
|
|
900526 |
+ {
|
|
|
900526 |
+ if (!validinanswer(sigrdataset, fctx)) {
|
|
|
900526 |
+ return (DNS_R_FORMERR);
|
|
|
900526 |
+ }
|
|
|
900526 |
+ if (sigrdataset->type != dns_rdatatype_rrsig ||
|
|
|
900526 |
+ sigrdataset->covers != dns_rdatatype_dname)
|
|
|
900526 |
+ {
|
|
|
900526 |
+ continue;
|
|
|
900526 |
+ }
|
|
|
900526 |
+ sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
|
|
|
900526 |
+ sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
|
|
|
900526 |
+ sigrdataset->trust = trust;
|
|
|
900526 |
+ break;
|
|
|
900526 |
+ }
|
|
|
900526 |
+ } else {
|
|
|
900526 |
log_formerr(fctx, "reply has no answer");
|
|
|
900526 |
return (DNS_R_FORMERR);
|
|
|
900526 |
}
|
|
|
900526 |
@@ -6536,14 +6340,8 @@ answer_response(fetchctx_t *fctx) {
|
|
|
900526 |
/*
|
|
|
900526 |
* Did chaining end before we got the final answer?
|
|
|
900526 |
*/
|
|
|
900526 |
- if (chaining != 0) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * Yes. This may be a negative reply, so hand off
|
|
|
900526 |
- * authority section processing to the noanswer code.
|
|
|
900526 |
- * If it isn't a noanswer response, no harm will be
|
|
|
900526 |
- * done.
|
|
|
900526 |
- */
|
|
|
900526 |
- return (noanswer_response(fctx, qname, 0));
|
|
|
900526 |
+ if (chaining) {
|
|
|
900526 |
+ return (ISC_R_SUCCESS);
|
|
|
900526 |
}
|
|
|
900526 |
|
|
|
900526 |
/*
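Review bot: The comment "Did chaining end before we got the final answer?" above the rewritten test still describes the old hand-off to noanswer_response() and no longer explains why the new code returns ISC_R_SUCCESS here. With this change the authority section below is not examined at all while `chaining` is set, and whether skipping NS/delegation processing for a chained reply is intended cannot be confirmed from the hunk; a reader should not have to guess. Suggest replacing the comment with `/* Chaining is in progress: the CNAME/DNAME chain found so far has been marked for caching and the fetch is presumably restarted for the new qname by the caller, so nothing more is taken from this reply. */` (hedged wording to be confirmed against the caller). answer_response() continues outside this hunk.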
|
|
|
900526 |
@@ -6562,11 +6360,9 @@ answer_response(fetchctx_t *fctx) {
|
|
|
900526 |
* We expect there to be only one owner name for all the rdatasets
|
|
|
900526 |
* in this section, and we expect that it is not external.
|
|
|
900526 |
*/
|
|
|
900526 |
- done = ISC_FALSE;
|
|
|
900526 |
- ns_name = NULL;
|
|
|
900526 |
- ns_rdataset = NULL;
|
|
|
900526 |
result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
|
|
|
900526 |
while (!done && result == ISC_R_SUCCESS) {
|
|
|
900526 |
+ isc_boolean_t external;
|
|
|
900526 |
name = NULL;
|
|
|
900526 |
dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
|
|
|
900526 |
external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
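Review bot: The initialisations `done = ISC_FALSE; ns_name = NULL; ns_rdataset = NULL;` are removed here, yet `done` is still read by `while (!done && result == ISC_R_SUCCESS)` on the next line and `ns_name`/`ns_rdataset` are presumably used later in the loop; if their declarations (outside this hunk) do not carry initialisers, the loop condition reads an uninitialised automatic, which is undefined behaviour. The new block-scope `isc_boolean_t external;` inside the loop would shadow a function-scope `external` if one still exists after the answer-section rewrite, so a -Wshadow build is worth a look. A short comment on the new declaration would also help, e.g. `/* per owner name: true when it lies outside fctx->domain */`.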
|
|
|
900526 |
@@ -6585,12 +6381,13 @@ answer_response(fetchctx_t *fctx) {
|
|
|
900526 |
DNS_NAMEATTR_CACHE;
|
|
|
900526 |
rdataset->attributes |=
|
|
|
900526 |
DNS_RDATASETATTR_CACHE;
|
|
|
900526 |
- if (aa && chaining == 0)
|
|
|
900526 |
+ if (aa && !chaining) {
|
|
|
900526 |
rdataset->trust =
|
|
|
900526 |
dns_trust_authauthority;
|
|
|
900526 |
- else
|
|
|
900526 |
+ } else {
|
|
|
900526 |
rdataset->trust =
|
|
|
900526 |
dns_trust_additional;
|
|
|
900526 |
+ }
|
|
|
900526 |
|
|
|
900526 |
if (rdataset->type == dns_rdatatype_ns)
|
|
|
900526 |
{
|
|
|
900526 |
@@ -7249,6 +7046,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
|
|
|
900526 |
* Is the remote server broken, or does it dislike us?
|
|
|
900526 |
*/
|
|
|
900526 |
if (message->rcode != dns_rcode_noerror &&
|
|
|
900526 |
+ message->rcode != dns_rcode_yxdomain &&
|
|
|
900526 |
message->rcode != dns_rcode_nxdomain) {
|
|
|
900526 |
if (((message->rcode == dns_rcode_formerr ||
|
|
|
900526 |
message->rcode == dns_rcode_notimp) ||
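Review bot: With dns_rcode_yxdomain now passing the "broken server" test here and the dedicated `else if (message->rcode == dns_rcode_yxdomain)` branch removed in the hunk at -7293, a YXDOMAIN reply whose answer section is empty no longer maps to DNS_R_YXDOMAIN; it falls through the hunk at -7404 into the non-answer path, which lies outside these hunks. Per RFC 6672, YXDOMAIN means DNAME substitution produced an over-long name, a condition no other server can fix, so it is worth confirming that path does not retry the query against the remaining servers or penalise the server that answered correctly. Replies that carry the DNAME chain in the answer section are covered by the -7404 change. A one-line comment on the added condition would help the next reader: `/* YXDOMAIN (RFC 6672): DNAME target too long; the answer may still carry the chain */`.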
|
|
|
900526 |
@@ -7293,13 +7091,6 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
|
|
|
900526 |
log_formerr(fctx, "server sent FORMERR");
|
|
|
900526 |
result = DNS_R_FORMERR;
|
|
|
900526 |
}
|
|
|
900526 |
- } else if (message->rcode == dns_rcode_yxdomain) {
|
|
|
900526 |
- /*
|
|
|
900526 |
- * DNAME mapping failed because the new name
|
|
|
900526 |
- * was too long. There's no chance of success
|
|
|
900526 |
- * for this fetch.
|
|
|
900526 |
- */
|
|
|
900526 |
- result = DNS_R_YXDOMAIN;
|
|
|
900526 |
} else if (message->rcode == dns_rcode_badvers) {
|
|
|
900526 |
unsigned int flags, mask;
|
|
|
900526 |
unsigned int version;
|
|
|
900526 |
@@ -7404,6 +7195,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
|
|
|
900526 |
*/
|
|
|
900526 |
if (message->counts[DNS_SECTION_ANSWER] > 0 &&
|
|
|
900526 |
(message->rcode == dns_rcode_noerror ||
|
|
|
900526 |
+ message->rcode == dns_rcode_yxdomain ||
|
|
|
900526 |
message->rcode == dns_rcode_nxdomain)) {
|
|
|
900526 |
/*
|
|
|
900526 |
* [normal case]
|
|
|
900526 |
--
|
|
|
900526 |
2.9.3