900526
From 93aec4d3d80a0d1cdb6553f70f35a2e2cb1fbaa8 Mon Sep 17 00:00:00 2001
900526
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
900526
Date: Tue, 11 Apr 2017 16:19:51 +0200
900526
Subject: [PATCH 2/3] 4578.   [security]      Some chaining (CNAME or DNAME)
900526
 responses to upstream                         queries could trigger assertion
900526
 failures.                         (CVE-2017-3137) [RT #44734]
900526
900526
(including part of commit fea8a9d)
900526
---
900526
 bin/tests/system/dname/ans3/ans.pl    |  16 +-
900526
 bin/tests/system/dname/ns1/root.db    |   2 +-
900526
 bin/tests/system/dname/ns2/example.db |   3 +-
900526
 bin/tests/system/dname/tests.sh       |  17 +-
900526
 lib/dns/name.c                        |   2 -
900526
 lib/dns/resolver.c                    | 850 +++++++++++++---------------------
900526
 6 files changed, 349 insertions(+), 541 deletions(-)
900526
900526
diff --git a/bin/tests/system/dname/ans3/ans.pl b/bin/tests/system/dname/ans3/ans.pl
900526
index 271fc7d..af338fe 100644
900526
--- a/bin/tests/system/dname/ans3/ans.pl
900526
+++ b/bin/tests/system/dname/ans3/ans.pl
900526
@@ -1,10 +1,18 @@
900526
 #!/usr/bin/env perl
900526
 #
900526
-# Copyright (C) 2014-2016  Internet Systems Consortium, Inc. ("ISC")
900526
+# Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
900526
 #
900526
-# This Source Code Form is subject to the terms of the Mozilla Public
900526
-# License, v. 2.0. If a copy of the MPL was not distributed with this
900526
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
900526
+# Permission to use, copy, modify, and/or distribute this software for any
900526
+# purpose with or without fee is hereby granted, provided that the above
900526
+# copyright notice and this permission notice appear in all copies.
900526
+#
900526
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
900526
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
900526
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
900526
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
900526
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
900526
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
900526
+# PERFORMANCE OF THIS SOFTWARE.
900526
 
900526
 use strict;
900526
 use warnings;
900526
diff --git a/bin/tests/system/dname/ns1/root.db b/bin/tests/system/dname/ns1/root.db
900526
index 2e84ae0..3d55ace 100644
900526
--- a/bin/tests/system/dname/ns1/root.db
900526
+++ b/bin/tests/system/dname/ns1/root.db
900526
@@ -1,4 +1,4 @@
900526
-; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
900526
+; Copyright (C) 2011, 2017  Internet Systems Consortium, Inc. ("ISC")
900526
 ;
900526
 ; Permission to use, copy, modify, and/or distribute this software for any
900526
 ; purpose with or without fee is hereby granted, provided that the above
900526
diff --git a/bin/tests/system/dname/ns2/example.db b/bin/tests/system/dname/ns2/example.db
900526
index 4289134..c0193de 100644
900526
--- a/bin/tests/system/dname/ns2/example.db
900526
+++ b/bin/tests/system/dname/ns2/example.db
900526
@@ -1,4 +1,4 @@
900526
-; Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
900526
+; Copyright (C) 2011, 2017  Internet Systems Consortium, Inc. ("ISC")
900526
 ;
900526
 ; Permission to use, copy, modify, and/or distribute this software for any
900526
 ; purpose with or without fee is hereby granted, provided that the above
900526
@@ -29,6 +29,7 @@ a.short			A	10.0.0.1
900526
 short-dname		DNAME	short
900526
 a.longlonglonglonglonglonglonglonglonglonglonglonglong	A 10.0.0.2
900526
 long-dname		DNAME	longlonglonglonglonglonglonglonglonglonglonglonglong
900526
+toolong-dname		DNAME	longlonglonglonglonglonglonglonglonglonglonglonglong
900526
 cname			CNAME	a.cnamedname
900526
 cnamedname		DNAME	target
900526
 a.target		A	10.0.0.3
900526
diff --git a/bin/tests/system/dname/tests.sh b/bin/tests/system/dname/tests.sh
900526
index 6dc9e88..1487bd9 100644
900526
--- a/bin/tests/system/dname/tests.sh
900526
+++ b/bin/tests/system/dname/tests.sh
900526
@@ -1,6 +1,6 @@
900526
 #!/bin/sh
900526
 #
900526
-# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
900526
+# Copyright (C) 2011, 2012, 2017  Internet Systems Consortium, Inc. ("ISC")
900526
 #
900526
 # Permission to use, copy, modify, and/or distribute this software for any
900526
 # purpose with or without fee is hereby granted, provided that the above
900526
@@ -57,10 +57,19 @@ grep "status: YXDOMAIN" dig.out.ns2.toolong > /dev/null || ret=1
900526
 if [ $ret != 0 ]; then echo "I:failed"; fi
900526
 status=`expr $status + $ret`
900526
 
900526
-echo "I:checking (too) long dname from recursive"
900526
+echo "I:checking (too) long dname from recursive with cached DNAME"
900526
 ret=0
900526
-$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.toolong || ret=1
900526
-grep "status: YXDOMAIN" dig.out.ns4.toolong > /dev/null || ret=1
900526
+$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.long-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cachedtoolong || ret=1
900526
+grep "status: YXDOMAIN" dig.out.ns4.cachedtoolong > /dev/null || ret=1
900526
+grep '^long-dname\.example\..*DNAME.*long' dig.out.ns4.cachedtoolong > /dev/null || ret=1
900526
+if [ $ret != 0 ]; then echo "I:failed"; fi
900526
+status=`expr $status + $ret`
900526
+
900526
+echo "I:checking (too) long dname from recursive without cached DNAME"
900526
+ret=0
900526
+$DIG 01234567890123456789012345678901234567890123456789.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglonglong.longlonglonglonglonglonglonglonglonglonglonglonglonglong.toolong-dname.example @10.53.0.4 a -p 5300 > dig.out.ns4.uncachedtoolong || ret=1
900526
+grep "status: YXDOMAIN" dig.out.ns4.uncachedtoolong > /dev/null || ret=1
900526
+grep '^toolong-dname\.example\..*DNAME.*long' dig.out.ns4.uncachedtoolong > /dev/null || ret=1
900526
 if [ $ret != 0 ]; then echo "I:failed"; fi
900526
 status=`expr $status + $ret`
900526
 
900526
diff --git a/lib/dns/name.c b/lib/dns/name.c
900526
index 93173ee..d02e713 100644
900526
--- a/lib/dns/name.c
900526
+++ b/lib/dns/name.c
900526
@@ -2119,11 +2119,9 @@ dns_name_split(dns_name_t *name, unsigned int suffixlabels,
900526
 	REQUIRE(prefix != NULL || suffix != NULL);
900526
 	REQUIRE(prefix == NULL ||
900526
 		(VALID_NAME(prefix) &&
900526
-		 prefix->buffer != NULL &&
900526
 		 BINDABLE(prefix)));
900526
 	REQUIRE(suffix == NULL ||
900526
 		(VALID_NAME(suffix) &&
900526
-		 suffix->buffer != NULL &&
900526
 		 BINDABLE(suffix)));
900526
 
900526
 	splitlabel = name->labels - suffixlabels;
900526
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
900526
index c3607fa..860a792 100644
900526
--- a/lib/dns/resolver.c
900526
+++ b/lib/dns/resolver.c
900526
@@ -3817,6 +3817,7 @@ is_lame(fetchctx_t *fctx) {
900526
 	isc_result_t result;
900526
 
900526
 	if (message->rcode != dns_rcode_noerror &&
900526
+	    message->rcode != dns_rcode_yxdomain &&
900526
 	    message->rcode != dns_rcode_nxdomain)
900526
 		return (ISC_FALSE);
900526
 
900526
@@ -5386,79 +5387,6 @@ chase_additional(fetchctx_t *fctx) {
900526
 		goto again;
900526
 }
900526
 
900526
-static inline isc_result_t
900526
-cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
900526
-	isc_result_t result;
900526
-	dns_rdata_t rdata = DNS_RDATA_INIT;
900526
-	dns_rdata_cname_t cname;
900526
-
900526
-	result = dns_rdataset_first(rdataset);
900526
-	if (result != ISC_R_SUCCESS)
900526
-		return (result);
900526
-	dns_rdataset_current(rdataset, &rdata);
900526
-	result = dns_rdata_tostruct(&rdata, &cname, NULL);
900526
-	if (result != ISC_R_SUCCESS)
900526
-		return (result);
900526
-	dns_name_init(tname, NULL);
900526
-	dns_name_clone(&cname.cname, tname);
900526
-	dns_rdata_freestruct(&cname);
900526
-
900526
-	return (ISC_R_SUCCESS);
900526
-}
900526
-
900526
-/*%
900526
- * Construct the synthesised CNAME from the existing QNAME and
900526
- * the DNAME RR and store it in 'target'.
900526
- */
900526
-static inline isc_result_t
900526
-dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
900526
-	     unsigned int nlabels, dns_name_t *target)
900526
-{
900526
-	isc_result_t result;
900526
-	dns_rdata_t rdata = DNS_RDATA_INIT;
900526
-	dns_rdata_dname_t dname;
900526
-	dns_fixedname_t prefix;
900526
-
900526
-	/*
900526
-	 * Get the target name of the DNAME.
900526
-	 */
900526
-	result = dns_rdataset_first(rdataset);
900526
-	if (result != ISC_R_SUCCESS)
900526
-		return (result);
900526
-	dns_rdataset_current(rdataset, &rdata);
900526
-	result = dns_rdata_tostruct(&rdata, &dname, NULL);
900526
-	if (result != ISC_R_SUCCESS)
900526
-		return (result);
900526
-
900526
-	dns_fixedname_init(&prefix);
900526
-	dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
900526
-	result = dns_name_concatenate(dns_fixedname_name(&prefix),
900526
-				      &dname.dname, target, NULL);
900526
-	dns_rdata_freestruct(&dname);
900526
-	return (result);
900526
-}
900526
-
900526
-/*%
900526
- * Check if it was possible to construct 'qname' from 'lastcname'
900526
- * and 'rdataset'.
900526
- */
900526
-static inline isc_result_t
900526
-fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname,
900526
-	  unsigned int nlabels, const dns_name_t *qname)
900526
-{
900526
-	dns_fixedname_t fixed;
900526
-	isc_result_t result;
900526
-	dns_name_t *target;
900526
-
900526
-	dns_fixedname_init(&fixed);
900526
-	target = dns_fixedname_name(&fixed);
900526
-	result = dname_target(rdataset, lastcname, nlabels, target);
900526
-	if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target))
900526
-		return (ISC_R_NOTFOUND);
900526
-
900526
-	return (ISC_R_SUCCESS);
900526
-}
900526
-
900526
 static isc_boolean_t
900526
 is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
900526
 			 dns_rdataset_t *rdataset)
900526
@@ -5534,9 +5462,8 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
900526
 }
900526
 
900526
 static isc_boolean_t
900526
-is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
900526
-			dns_rdatatype_t type, dns_name_t *tname,
900526
-			dns_name_t *domain)
900526
+is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
900526
+			dns_rdataset_t *rdataset, isc_boolean_t *chainingp)
900526
 {
900526
 	isc_result_t result;
900526
 	dns_rbtnode_t *node = NULL;
900526
@@ -5544,8 +5471,57 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
900526
 	char tnamebuf[DNS_NAME_FORMATSIZE];
900526
 	char classbuf[64];
900526
 	char typebuf[64];
900526
+	dns_name_t *tname = NULL;
900526
+	dns_rdata_cname_t cname;
900526
+	dns_rdata_dname_t dname;
900526
+	dns_view_t *view = fctx->res->view;
900526
+	dns_rdata_t rdata = DNS_RDATA_INIT;
900526
+	unsigned int nlabels;
900526
+	dns_fixedname_t fixed;
900526
+	dns_name_t prefix;
900526
+
900526
+	REQUIRE(rdataset != NULL);
900526
+	REQUIRE(rdataset->type == dns_rdatatype_cname ||
900526
+		rdataset->type == dns_rdatatype_dname);
900526
+
900526
+	/*
900526
+	 * By default, we allow any target name.
900526
+	 * If newqname != NULL we also need to extract the newqname.
900526
+	 */
900526
+	if (chainingp == NULL && view->denyanswernames == NULL)
900526
+		return (ISC_TRUE);
900526
+
900526
+	result = dns_rdataset_first(rdataset);
900526
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
900526
+	dns_rdataset_current(rdataset, &rdata);
900526
+	switch (rdataset->type) {
900526
+	case dns_rdatatype_cname:
900526
+		result = dns_rdata_tostruct(&rdata, &cname, NULL);
900526
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
900526
+		tname = &cname.cname;
900526
+		break;
900526
+	case dns_rdatatype_dname:
900526
+		result = dns_rdata_tostruct(&rdata, &dname, NULL);
900526
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
900526
+		dns_name_init(&prefix, NULL);
900526
+		dns_fixedname_init(&fixed);
900526
+		tname = dns_fixedname_name(&fixed);
900526
+		nlabels = dns_name_countlabels(qname) -
900526
+			  dns_name_countlabels(rname);
900526
+		dns_name_split(qname, nlabels, &prefix, NULL);
900526
+		result = dns_name_concatenate(&prefix, &dname.dname, tname,
900526
+					      NULL);
900526
+		if (result == DNS_R_NAMETOOLONG)
900526
+			return (ISC_TRUE);
900526
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
900526
+		break;
900526
+	default:
900526
+		INSIST(0);
900526
+	}
900526
+
900526
+	if (chainingp != NULL)
900526
+		*chainingp = ISC_TRUE;
900526
 
900526
-	/* By default, we allow any target name. */
900526
 	if (view->denyanswernames == NULL)
900526
 		return (ISC_TRUE);
900526
 
900526
@@ -5554,8 +5530,8 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
900526
 	 * or partially, allow it.
900526
 	 */
900526
 	if (view->answernames_exclude != NULL) {
900526
-		result = dns_rbt_findnode(view->answernames_exclude, name, NULL,
900526
-					  &node, NULL, 0, NULL, NULL);
900526
+		result = dns_rbt_findnode(view->answernames_exclude, qname,
900526
+					  NULL, &node, NULL, 0, NULL, NULL);
900526
 		if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
900526
 			return (ISC_TRUE);
900526
 	}
900526
@@ -5563,7 +5539,7 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
900526
 	/*
900526
 	 * If the target name is a subdomain of the search domain, allow it.
900526
 	 */
900526
-	if (dns_name_issubdomain(tname, domain))
900526
+	if (dns_name_issubdomain(tname, &fctx->domain))
900526
 		return (ISC_TRUE);
900526
 
900526
 	/*
900526
@@ -5572,9 +5548,9 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name,
900526
 	result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node,
900526
 				  NULL, 0, NULL, NULL);
900526
 	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
900526
-		dns_name_format(name, qnamebuf, sizeof(qnamebuf));
900526
+		dns_name_format(qname, qnamebuf, sizeof(qnamebuf));
900526
 		dns_name_format(tname, tnamebuf, sizeof(tnamebuf));
900526
-		dns_rdatatype_format(type, typebuf, sizeof(typebuf));
900526
+		dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
900526
 		dns_rdataclass_format(view->rdclass, classbuf,
900526
 				      sizeof(classbuf));
900526
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
900526
@@ -6057,473 +6033,301 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
900526
 	return (ISC_R_SUCCESS);
900526
 }
900526
 
900526
+static isc_boolean_t
900526
+validinanswer(dns_rdataset_t *rdataset, fetchctx_t *fctx) {
900526
+	if (rdataset->type == dns_rdatatype_nsec3) {
900526
+		/*
900526
+		 * NSEC3 records are not allowed to
900526
+		 * appear in the answer section.
900526
+		 */
900526
+		log_formerr(fctx, "NSEC3 in answer");
900526
+		return (ISC_FALSE);
900526
+	}
900526
+	if (rdataset->type == dns_rdatatype_tkey) {
900526
+		/*
900526
+		 * TKEY is not a valid record in a
900526
+		 * response to any query we can make.
900526
+		 */
900526
+		log_formerr(fctx, "TKEY in answer");
900526
+		return (ISC_FALSE);
900526
+	}
900526
+	if (rdataset->rdclass != fctx->res->rdclass) {
900526
+		log_formerr(fctx, "Mismatched class in answer");
900526
+		return (ISC_FALSE);
900526
+	}
900526
+	return (ISC_TRUE);
900526
+}
900526
+
900526
 static isc_result_t
900526
 answer_response(fetchctx_t *fctx) {
900526
 	isc_result_t result;
900526
-	dns_message_t *message;
900526
-	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
900526
-	dns_name_t *cname = NULL, *lastcname = NULL;
900526
-	dns_rdataset_t *rdataset, *ns_rdataset;
900526
-	isc_boolean_t done, external, aa, found, want_chaining;
900526
-	isc_boolean_t have_answer, found_cname, found_dname, found_type;
900526
-	isc_boolean_t wanted_chaining;
900526
-	unsigned int aflag, chaining;
900526
+	dns_message_t *message = NULL;
900526
+	dns_name_t *name = NULL, *qname = NULL, *ns_name = NULL;
900526
+	dns_name_t *aname = NULL, *cname = NULL, *dname = NULL;
900526
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
900526
+	dns_rdataset_t *ardataset = NULL, *crdataset = NULL;
900526
+	dns_rdataset_t *drdataset = NULL, *ns_rdataset = NULL;
900526
+	isc_boolean_t done = ISC_FALSE, aa;
900526
+	unsigned int dname_labels, domain_labels;
900526
+	isc_boolean_t chaining = ISC_FALSE;
900526
 	dns_rdatatype_t type;
900526
-	dns_fixedname_t fdname, fqname;
900526
-	dns_view_t *view;
900526
+	dns_view_t *view = NULL;
900526
+	dns_trust_t trust;
900526
+
900526
+	REQUIRE(VALID_FCTX(fctx));
900526
 
900526
 	FCTXTRACE("answer_response");
900526
 
900526
 	message = fctx->rmessage;
900526
+	qname = &fctx->name;
900526
+	view = fctx->res->view;
900526
+	type = fctx->type;
900526
 
900526
 	/*
900526
-	 * Examine the answer section, marking those rdatasets which are
900526
-	 * part of the answer and should be cached.
900526
+	 * There can be multiple RRSIG and SIG records at a name so
900526
+	 * we treat these types as a subset of ANY.
900526
 	 */
900526
+	if (type == dns_rdatatype_rrsig || type == dns_rdatatype_sig) {
900526
+		type = dns_rdatatype_any;
900526
+	}
900526
 
900526
-	done = ISC_FALSE;
900526
-	found_cname = ISC_FALSE;
900526
-	found_dname = ISC_FALSE;
900526
-	found_type = ISC_FALSE;
900526
-	have_answer = ISC_FALSE;
900526
-	want_chaining = ISC_FALSE;
900526
-	chaining = 0;
900526
-	POST(want_chaining);
900526
-	if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
900526
-		aa = ISC_TRUE;
900526
-	else
900526
-		aa = ISC_FALSE;
900526
-	qname = &fctx->name;
900526
-	type = fctx->type;
900526
-	view = fctx->res->view;
900526
-	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
900526
-	while (!done && result == ISC_R_SUCCESS) {
900526
-		dns_namereln_t namereln, lastreln;
900526
-		int order, lastorder;
900526
-		unsigned int nlabels, lastnlabels;
900526
+	/*
900526
+	 * Bigger than any valid DNAME label count.
900526
+	 */
900526
+	dname_labels = dns_name_countlabels(qname);
900526
+	domain_labels = dns_name_countlabels(&fctx->domain);
900526
+
900526
+	/*
900526
+	 * Perform a single pass looking for the answer, cname or covering
900526
+	 * dname.
900526
+	 */
900526
+	for (result = dns_message_firstname(message, DNS_SECTION_ANSWER);
900526
+	     result == ISC_R_SUCCESS;
900526
+	     result = dns_message_nextname(message, DNS_SECTION_ANSWER))
900526
+	{
900526
+		int order;
900526
+		unsigned int nlabels;
900526
+		dns_namereln_t namereln;
900526
 
900526
 		name = NULL;
900526
 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
900526
-		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
900526
 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
900526
-
900526
-		if (namereln == dns_namereln_equal) {
900526
-			wanted_chaining = ISC_FALSE;
900526
+		switch (namereln) {
900526
+		case dns_namereln_equal:
900526
 			for (rdataset = ISC_LIST_HEAD(name->list);
900526
 			     rdataset != NULL;
900526
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
900526
-				found = ISC_FALSE;
900526
-				want_chaining = ISC_FALSE;
900526
-				aflag = 0;
900526
-				if (rdataset->type == dns_rdatatype_nsec3) {
900526
-					/*
900526
-					 * NSEC3 records are not allowed to
900526
-					 * appear in the answer section.
900526
-					 */
900526
-					log_formerr(fctx, "NSEC3 in answer");
900526
-					return (DNS_R_FORMERR);
900526
-				}
900526
-				if (rdataset->type == dns_rdatatype_tkey) {
900526
-					/*
900526
-					 * TKEY is not a valid record in a
900526
-					 * response to any query we can make.
900526
-					 */
900526
-					log_formerr(fctx, "TKEY in answer");
900526
-					return (DNS_R_FORMERR);
900526
-				}
900526
-				if (rdataset->rdclass != fctx->res->rdclass) {
900526
-					log_formerr(fctx, "Mismatched class "
900526
-						    "in answer");
900526
-					return (DNS_R_FORMERR);
900526
-				}
900526
-
900526
-				/*
900526
-				 * Apply filters, if given, on answers to reject
900526
-				 * a malicious attempt of rebinding.
900526
-				 */
900526
-				if ((rdataset->type == dns_rdatatype_a ||
900526
-				     rdataset->type == dns_rdatatype_aaaa) &&
900526
-				    !is_answeraddress_allowed(view, name,
900526
-							      rdataset)) {
900526
-					return (DNS_R_SERVFAIL);
900526
-				}
900526
-
900526
-				if (rdataset->type == type && !found_cname) {
900526
-					/*
900526
-					 * We've found an ordinary answer.
900526
-					 */
900526
-					found = ISC_TRUE;
900526
-					found_type = ISC_TRUE;
900526
-					done = ISC_TRUE;
900526
-					aflag = DNS_RDATASETATTR_ANSWER;
900526
-				} else if (type == dns_rdatatype_any) {
900526
-					/*
900526
-					 * We've found an answer matching
900526
-					 * an ANY query.  There may be
900526
-					 * more.
900526
-					 */
900526
-					found = ISC_TRUE;
900526
-					aflag = DNS_RDATASETATTR_ANSWER;
900526
-				} else if (rdataset->type == dns_rdatatype_rrsig
900526
-					   && rdataset->covers == type
900526
-					   && !found_cname) {
900526
-					/*
900526
-					 * We've found a signature that
900526
-					 * covers the type we're looking for.
900526
-					 */
900526
-					found = ISC_TRUE;
900526
-					found_type = ISC_TRUE;
900526
-					aflag = DNS_RDATASETATTR_ANSWERSIG;
900526
-				} else if (rdataset->type ==
900526
-					   dns_rdatatype_cname
900526
-					   && !found_type) {
900526
-					/*
900526
-					 * We're looking for something else,
900526
-					 * but we found a CNAME.
900526
-					 *
900526
-					 * Getting a CNAME response for some
900526
-					 * query types is an error, see
900526
-					 * RFC 4035, Section 2.5.
900526
-					 */
900526
-					if (type == dns_rdatatype_rrsig ||
900526
-					    type == dns_rdatatype_key ||
900526
-					    type == dns_rdatatype_nsec) {
900526
-						char buf[DNS_RDATATYPE_FORMATSIZE];
900526
-						dns_rdatatype_format(fctx->type,
900526
-							      buf, sizeof(buf));
900526
-						log_formerr(fctx,
900526
-							    "CNAME response "
900526
-							    "for %s RR", buf);
900526
-						return (DNS_R_FORMERR);
900526
-					}
900526
-					found = ISC_TRUE;
900526
-					found_cname = ISC_TRUE;
900526
-					want_chaining = ISC_TRUE;
900526
-					aflag = DNS_RDATASETATTR_ANSWER;
900526
-					result = cname_target(rdataset,
900526
-							      &tname);
900526
-					if (result != ISC_R_SUCCESS)
900526
-						return (result);
900526
-					/* Apply filters on the target name. */
900526
-					if (!is_answertarget_allowed(view,
900526
-							name,
900526
-							rdataset->type,
900526
-							&tname,
900526
-							&fctx->domain)) {
900526
-						return (DNS_R_SERVFAIL);
900526
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
900526
+			{
900526
+				if (rdataset->type == type ||
900526
+				    type == dns_rdatatype_any)
900526
+				{
900526
+					aname = name;
900526
+					if (type != dns_rdatatype_any) {
900526
+						ardataset = rdataset;
900526
 					}
900526
-					lastcname = name;
900526
-				} else if (rdataset->type == dns_rdatatype_rrsig
900526
-					   && rdataset->covers ==
900526
-					   dns_rdatatype_cname
900526
-					   && !found_type) {
900526
-					/*
900526
-					 * We're looking for something else,
900526
-					 * but we found a SIG CNAME.
900526
-					 */
900526
-					found = ISC_TRUE;
900526
-					found_cname = ISC_TRUE;
900526
-					aflag = DNS_RDATASETATTR_ANSWERSIG;
900526
+					break;
900526
 				}
900526
-
900526
-				if (found) {
900526
-					/*
900526
-					 * We've found an answer to our
900526
-					 * question.
900526
-					 */
900526
-					name->attributes |=
900526
-						DNS_NAMEATTR_CACHE;
900526
-					rdataset->attributes |=
900526
-						DNS_RDATASETATTR_CACHE;
900526
-					rdataset->trust = dns_trust_answer;
900526
-					if (chaining == 0) {
900526
-						/*
900526
-						 * This data is "the" answer
900526
-						 * to our question only if
900526
-						 * we're not chaining (i.e.
900526
-						 * if we haven't followed
900526
-						 * a CNAME or DNAME).
900526
-						 */
900526
-						INSIST(!external);
900526
-						/*
900526
-						 * Don't use found_cname here
900526
-						 * as we have just set it
900526
-						 * above.
900526
-						 */
900526
-						if (cname == NULL &&
900526
-						    !found_dname &&
900526
-						    aflag ==
900526
-						     DNS_RDATASETATTR_ANSWER)
900526
-						{
900526
-							have_answer = ISC_TRUE;
900526
-							if (found_cname &&
900526
-							    cname == NULL)
900526
-								cname = name;
900526
-							name->attributes |=
900526
-								DNS_NAMEATTR_ANSWER;
900526
-						}
900526
-						rdataset->attributes |= aflag;
900526
-						if (aa)
900526
-							rdataset->trust =
900526
-							  dns_trust_authanswer;
900526
-					} else if (external) {
900526
-						/*
900526
-						 * This data is outside of
900526
-						 * our query domain, and
900526
-						 * may not be cached.
900526
-						 */
900526
-						rdataset->attributes |=
900526
-						    DNS_RDATASETATTR_EXTERNAL;
900526
-					}
900526
-
900526
-					/*
900526
-					 * Mark any additional data related
900526
-					 * to this rdataset.
900526
-					 */
900526
-					(void)dns_rdataset_additionaldata(
900526
-							rdataset,
900526
-							check_related,
900526
-							fctx);
900526
-
900526
-					/*
900526
-					 * CNAME chaining.
900526
-					 */
900526
-					if (want_chaining) {
900526
-						wanted_chaining = ISC_TRUE;
900526
-						name->attributes |=
900526
-							DNS_NAMEATTR_CHAINING;
900526
-						rdataset->attributes |=
900526
-						    DNS_RDATASETATTR_CHAINING;
900526
-						qname = &tname;
900526
-					}
900526
+				if (rdataset->type == dns_rdatatype_cname) {
900526
+					cname = name;
900526
+					crdataset = rdataset;
900526
+					break;
900526
 				}
900526
-				/*
900526
-				 * We could add an "else" clause here and
900526
-				 * log that we're ignoring this rdataset.
900526
-				 */
900526
 			}
900526
+			break;
900526
+
900526
+		case dns_namereln_subdomain:
900526
 			/*
900526
-			 * If wanted_chaining is true, we've done
900526
-			 * some chaining as the result of processing
900526
-			 * this node, and thus we need to set
900526
-			 * chaining to true.
900526
-			 *
900526
-			 * We don't set chaining inside of the
900526
-			 * rdataset loop because doing that would
900526
-			 * cause us to ignore the signatures of
900526
-			 * CNAMEs.
900526
+			 * In-scope DNAME records must have at least
900526
+			 * as many labels as the domain being queried.
900526
+			 * They also must be less that qname's labels
900526
+			 * and any previously found dname.
900526
 			 */
900526
-			if (wanted_chaining && chaining < 2U)
900526
-				chaining++;
900526
-		} else {
900526
-			dns_rdataset_t *dnameset = NULL;
900526
-			isc_boolean_t synthcname = ISC_FALSE;
900526
-
900526
-			if (lastcname != NULL) {
900526
-				lastreln = dns_name_fullcompare(lastcname,
900526
-								name,
900526
-								&lastorder,
900526
-								&lastnlabels);
900526
-				if (lastreln == dns_namereln_subdomain &&
900526
-				    lastnlabels == dns_name_countlabels(name))
900526
-					synthcname = ISC_TRUE;
900526
+			if (nlabels >= dname_labels || nlabels < domain_labels)
900526
+			{
900526
+				continue;
900526
 			}
900526
 
900526
 			/*
900526
-			 * Look for a DNAME (or its SIG).  Anything else is
900526
-			 * ignored.
900526
+			 * We are looking for the shortest DNAME if there
900526
+			 * are multiple ones (which there shouldn't be).
900526
 			 */
900526
-			wanted_chaining = ISC_FALSE;
900526
 			for (rdataset = ISC_LIST_HEAD(name->list);
900526
 			     rdataset != NULL;
900526
 			     rdataset = ISC_LIST_NEXT(rdataset, link))
900526
 			{
900526
-				if (rdataset->rdclass != fctx->res->rdclass) {
900526
-					log_formerr(fctx, "Mismatched class "
900526
-						    "in answer");
900526
-					return (DNS_R_FORMERR);
900526
-				}
900526
-
900526
-				/*
900526
-				 * Only pass DNAME or RRSIG(DNAME).
900526
-				 */
900526
-				if (rdataset->type != dns_rdatatype_dname &&
900526
-				    (rdataset->type != dns_rdatatype_rrsig ||
900526
-				     rdataset->covers != dns_rdatatype_dname))
900526
+				if (rdataset->type != dns_rdatatype_dname) {
900526
 					continue;
900526
-
900526
-				/*
900526
-				 * If we're not chaining, then the DNAME and
900526
-				 * its signature should not be external.
900526
-				 */
900526
-				if (chaining == 0 && external) {
900526
-					char qbuf[DNS_NAME_FORMATSIZE];
900526
-					char obuf[DNS_NAME_FORMATSIZE];
900526
-
900526
-					dns_name_format(name, qbuf,
900526
-							sizeof(qbuf));
900526
-					dns_name_format(&fctx->domain, obuf,
900526
-							sizeof(obuf));
900526
-					log_formerr(fctx, "external DNAME or "
900526
-						    "RRSIG covering DNAME "
900526
-						    "in answer: %s is "
900526
-						    "not in %s", qbuf, obuf);
900526
-					return (DNS_R_FORMERR);
900526
-				}
900526
-
900526
-				/*
900526
-				 * If DNAME + synthetic CNAME then the
900526
-				 * namereln is dns_namereln_subdomain.
900526
-				 */
900526
-				if (namereln != dns_namereln_subdomain &&
900526
-				    !synthcname)
900526
-				{
900526
-					char qbuf[DNS_NAME_FORMATSIZE];
900526
-					char obuf[DNS_NAME_FORMATSIZE];
900526
-
900526
-					dns_name_format(qname, qbuf,
900526
-							sizeof(qbuf));
900526
-					dns_name_format(name, obuf,
900526
-							sizeof(obuf));
900526
-					log_formerr(fctx, "unrelated DNAME "
900526
-						    "in answer: %s is "
900526
-						    "not in %s", qbuf, obuf);
900526
-					return (DNS_R_FORMERR);
900526
 				}
900526
+				dname = name;
900526
+				drdataset = rdataset;
900526
+				dname_labels = nlabels;
900526
+				break;
900526
+			}
900526
+			break;
900526
+		default:
900526
+			break;
900526
+		}
900526
+	}
900526
 
900526
-				aflag = 0;
900526
-				if (rdataset->type == dns_rdatatype_dname) {
900526
-					want_chaining = ISC_TRUE;
900526
-					POST(want_chaining);
900526
-					aflag = DNS_RDATASETATTR_ANSWER;
900526
-					dns_fixedname_init(&fdname);
900526
-					dname = dns_fixedname_name(&fdname);
900526
-					if (synthcname) {
900526
-						result = fromdname(rdataset,
900526
-								   lastcname,
900526
-								   lastnlabels,
900526
-								   qname);
900526
-					} else {
900526
-						result = dname_target(rdataset,
900526
-								      qname,
900526
-								      nlabels,
900526
-								      dname);
900526
-					}
900526
-					if (result == ISC_R_NOSPACE) {
900526
-						/*
900526
-						 * We can't construct the
900526
-						 * DNAME target.  Do not
900526
-						 * try to continue.
900526
-						 */
900526
-						want_chaining = ISC_FALSE;
900526
-						POST(want_chaining);
900526
-					} else if (result != ISC_R_SUCCESS)
900526
-						return (result);
900526
-					else
900526
-						dnameset = rdataset;
900526
+	if (dname != NULL) {
900526
+		aname = NULL;
900526
+		ardataset = NULL;
900526
+		cname = NULL;
900526
+		crdataset = NULL;
900526
+	} else if (aname != NULL) {
900526
+		cname = NULL;
900526
+		crdataset = NULL;
900526
+	}
900526
 
900526
-					if (!synthcname &&
900526
-					    !is_answertarget_allowed(view,
900526
-						     qname, rdataset->type,
900526
-						     dname, &fctx->domain))
900526
-					{
900526
-						return (DNS_R_SERVFAIL);
900526
-					}
900526
-				} else {
900526
-					/*
900526
-					 * We've found a signature that
900526
-					 * covers the DNAME.
900526
-					 */
900526
-					aflag = DNS_RDATASETATTR_ANSWERSIG;
900526
-				}
900526
+	aa = ISC_TF((message->flags & DNS_MESSAGEFLAG_AA) != 0);
900526
+	trust = aa ? dns_trust_authanswer : dns_trust_answer;
900526
 
900526
-				/*
900526
-				 * We've found an answer to our
900526
-				 * question.
900526
-				 */
900526
-				name->attributes |= DNS_NAMEATTR_CACHE;
900526
-				rdataset->attributes |= DNS_RDATASETATTR_CACHE;
900526
-				rdataset->trust = dns_trust_answer;
900526
-				/*
900526
-				 * If we are not chaining or the first CNAME
900526
-				 * is a synthesised CNAME before the DNAME.
900526
-				 */
900526
-				if ((chaining == 0) ||
900526
-				    (chaining == 1U && synthcname))
900526
-				{
900526
-					/*
900526
-					 * This data is "the" answer to
900526
-					 * our question only if we're
900526
-					 * not chaining.
900526
-					 */
900526
-					INSIST(!external);
900526
-					if (aflag == DNS_RDATASETATTR_ANSWER) {
900526
-						have_answer = ISC_TRUE;
900526
-						found_dname = ISC_TRUE;
900526
-						if (cname != NULL &&
900526
-						    synthcname)
900526
-						{
900526
-							cname->attributes &=
900526
-							   ~DNS_NAMEATTR_ANSWER;
900526
-						}
900526
-						name->attributes |=
900526
-							DNS_NAMEATTR_ANSWER;
900526
-					}
900526
-					rdataset->attributes |= aflag;
900526
-					if (aa)
900526
-						rdataset->trust =
900526
-						  dns_trust_authanswer;
900526
-				} else if (external) {
900526
-					rdataset->attributes |=
900526
-					    DNS_RDATASETATTR_EXTERNAL;
900526
-				}
900526
+	if (aname != NULL && type == dns_rdatatype_any) {
900526
+		for (rdataset = ISC_LIST_HEAD(aname->list);
900526
+		     rdataset != NULL;
900526
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
900526
+		{
900526
+			if (!validinanswer(rdataset, fctx)) {
900526
+				return (DNS_R_FORMERR);
900526
 			}
900526
-
900526
-			/*
900526
-			 * DNAME chaining.
900526
-			 */
900526
-			if (dnameset != NULL) {
900526
-				if (!synthcname) {
900526
-					/*
900526
-					 * Copy the dname into the qname fixed
900526
-					 * name.
900526
-					 *
900526
-					 * Although we check for failure of the
900526
-					 * copy operation, in practice it
900526
-					 * should never fail since we already
900526
-					 * know that the result fits in a
900526
-					 * fixedname.
900526
-					 */
900526
-					dns_fixedname_init(&fqname);
900526
-					qname = dns_fixedname_name(&fqname);
900526
-					result = dns_name_copy(dname, qname,
900526
-							       NULL);
900526
-					if (result != ISC_R_SUCCESS)
900526
-						return (result);
900526
-				}
900526
-				wanted_chaining = ISC_TRUE;
900526
-				name->attributes |= DNS_NAMEATTR_CHAINING;
900526
-				dnameset->attributes |=
900526
-					    DNS_RDATASETATTR_CHAINING;
900526
+			if ((fctx->type == dns_rdatatype_sig ||
900526
+			     fctx->type == dns_rdatatype_rrsig) &&
900526
+			     rdataset->type != fctx->type)
900526
+			{
900526
+				continue;
900526
 			}
900526
-			/*
900526
-			 * Ensure that we can't ever get chaining == 1
900526
-			 * above if we have processed a DNAME.
900526
-			 */
900526
-			if (wanted_chaining && chaining < 2U)
900526
-				chaining += 2;
900526
+			if ((rdataset->type == dns_rdatatype_a ||
900526
+			     rdataset->type == dns_rdatatype_aaaa) &&
900526
+			    !is_answeraddress_allowed(view, aname, rdataset))
900526
+			{
900526
+				return (DNS_R_SERVFAIL);
900526
+			}
900526
+			if ((rdataset->type == dns_rdatatype_cname ||
900526
+			     rdataset->type == dns_rdatatype_dname) &&
900526
+			     !is_answertarget_allowed(fctx, qname, aname,
900526
+						      rdataset, NULL))
900526
+			{
900526
+				return (DNS_R_SERVFAIL);
900526
+			}
900526
+			aname->attributes |= DNS_NAMEATTR_CACHE;
900526
+			aname->attributes |= DNS_NAMEATTR_ANSWER;
900526
+			rdataset->attributes |= DNS_RDATASETATTR_ANSWER;
900526
+			rdataset->attributes |= DNS_RDATASETATTR_CACHE;
900526
+			rdataset->trust = trust;
900526
+			(void)dns_rdataset_additionaldata(rdataset,
900526
+							  check_related,
900526
+							  fctx);
900526
 		}
900526
-		result = dns_message_nextname(message, DNS_SECTION_ANSWER);
900526
-	}
900526
-	if (result == ISC_R_NOMORE)
900526
-		result = ISC_R_SUCCESS;
900526
-	if (result != ISC_R_SUCCESS)
900526
-		return (result);
900526
-
900526
-	/*
900526
-	 * We should have found an answer.
900526
-	 */
900526
-	if (!have_answer) {
900526
+	} else if (aname != NULL) {
900526
+		if (!validinanswer(ardataset, fctx))
900526
+			return (DNS_R_FORMERR);
900526
+		if ((ardataset->type == dns_rdatatype_a ||
900526
+		     ardataset->type == dns_rdatatype_aaaa) &&
900526
+		    !is_answeraddress_allowed(view, aname, ardataset)) {
900526
+			return (DNS_R_SERVFAIL);
900526
+		}
900526
+		if ((ardataset->type == dns_rdatatype_cname ||
900526
+		     ardataset->type == dns_rdatatype_dname) &&
900526
+		     !is_answertarget_allowed(fctx, qname, aname, ardataset,
900526
+					      NULL))
900526
+		{
900526
+			return (DNS_R_SERVFAIL);
900526
+		}
900526
+		aname->attributes |= DNS_NAMEATTR_CACHE;
900526
+		aname->attributes |= DNS_NAMEATTR_ANSWER;
900526
+		ardataset->attributes |= DNS_RDATASETATTR_ANSWER;
900526
+		ardataset->attributes |= DNS_RDATASETATTR_CACHE;
900526
+		ardataset->trust = trust;
900526
+		(void)dns_rdataset_additionaldata(ardataset, check_related,
900526
+						  fctx);
900526
+		for (sigrdataset = ISC_LIST_HEAD(aname->list);
900526
+		     sigrdataset != NULL;
900526
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
900526
+			if (!validinanswer(sigrdataset, fctx))
900526
+				return (DNS_R_FORMERR);
900526
+			if (sigrdataset->type != dns_rdatatype_rrsig ||
900526
+			    sigrdataset->covers != type)
900526
+				continue;
900526
+			sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
900526
+			sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
900526
+			sigrdataset->trust = trust;
900526
+			break;
900526
+		}
900526
+	} else if (cname != NULL) {
900526
+		if (!validinanswer(crdataset, fctx)) {
900526
+			return (DNS_R_FORMERR);
900526
+		}
900526
+		if (type == dns_rdatatype_rrsig || type == dns_rdatatype_key ||
900526
+		    type == dns_rdatatype_nsec)
900526
+		{
900526
+			char buf[DNS_RDATATYPE_FORMATSIZE];
900526
+			dns_rdatatype_format(type, buf, sizeof(buf));
900526
+			log_formerr(fctx, "CNAME response for %s RR", buf);
900526
+			return (DNS_R_FORMERR);
900526
+		}
900526
+		if (!is_answertarget_allowed(fctx, qname, cname, crdataset,
900526
+					     NULL))
900526
+		{
900526
+			return (DNS_R_SERVFAIL);
900526
+		}
900526
+		cname->attributes |= DNS_NAMEATTR_CACHE;
900526
+		cname->attributes |= DNS_NAMEATTR_ANSWER;
900526
+		cname->attributes |= DNS_NAMEATTR_CHAINING;
900526
+		crdataset->attributes |= DNS_RDATASETATTR_ANSWER;
900526
+		crdataset->attributes |= DNS_RDATASETATTR_CACHE;
900526
+		crdataset->attributes |= DNS_RDATASETATTR_CHAINING;
900526
+		crdataset->trust = trust;
900526
+		for (sigrdataset = ISC_LIST_HEAD(cname->list);
900526
+		     sigrdataset != NULL;
900526
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
900526
+		{
900526
+			if (!validinanswer(sigrdataset, fctx)) {
900526
+				return (DNS_R_FORMERR);
900526
+			}
900526
+			if (sigrdataset->type != dns_rdatatype_rrsig ||
900526
+			    sigrdataset->covers != dns_rdatatype_cname)
900526
+			{
900526
+				continue;
900526
+			}
900526
+			sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
900526
+			sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
900526
+			sigrdataset->trust = trust;
900526
+			break;
900526
+		}
900526
+		chaining = ISC_TRUE;
900526
+	} else if (dname != NULL) {
900526
+		if (!validinanswer(drdataset, fctx)) {
900526
+			return (DNS_R_FORMERR);
900526
+		}
900526
+		if (!is_answertarget_allowed(fctx, qname, dname, drdataset,
900526
+					     &chaining)) {
900526
+			return (DNS_R_SERVFAIL);
900526
+		}
900526
+		dname->attributes |= DNS_NAMEATTR_CACHE;
900526
+		dname->attributes |= DNS_NAMEATTR_ANSWER;
900526
+		dname->attributes |= DNS_NAMEATTR_CHAINING;
900526
+		drdataset->attributes |= DNS_RDATASETATTR_ANSWER;
900526
+		drdataset->attributes |= DNS_RDATASETATTR_CACHE;
900526
+		drdataset->attributes |= DNS_RDATASETATTR_CHAINING;
900526
+		drdataset->trust = trust;
900526
+		for (sigrdataset = ISC_LIST_HEAD(dname->list);
900526
+		     sigrdataset != NULL;
900526
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
900526
+		{
900526
+			if (!validinanswer(sigrdataset, fctx)) {
900526
+				return (DNS_R_FORMERR);
900526
+			}
900526
+			if (sigrdataset->type != dns_rdatatype_rrsig ||
900526
+			    sigrdataset->covers != dns_rdatatype_dname)
900526
+			{
900526
+				continue;
900526
+			}
900526
+			sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG;
900526
+			sigrdataset->attributes |= DNS_RDATASETATTR_CACHE;
900526
+			sigrdataset->trust = trust;
900526
+			break;
900526
+		}
900526
+	} else {
900526
 		log_formerr(fctx, "reply has no answer");
900526
 		return (DNS_R_FORMERR);
900526
 	}
900526
@@ -6536,14 +6340,8 @@ answer_response(fetchctx_t *fctx) {
900526
 	/*
900526
 	 * Did chaining end before we got the final answer?
900526
 	 */
900526
-	if (chaining != 0) {
900526
-		/*
900526
-		 * Yes.  This may be a negative reply, so hand off
900526
-		 * authority section processing to the noanswer code.
900526
-		 * If it isn't a noanswer response, no harm will be
900526
-		 * done.
900526
-		 */
900526
-		return (noanswer_response(fctx, qname, 0));
900526
+	if (chaining) {
900526
+		return (ISC_R_SUCCESS);
900526
 	}
900526
 
900526
 	/*
900526
@@ -6562,11 +6360,9 @@ answer_response(fetchctx_t *fctx) {
900526
 	 * We expect there to be only one owner name for all the rdatasets
900526
 	 * in this section, and we expect that it is not external.
900526
 	 */
900526
-	done = ISC_FALSE;
900526
-	ns_name = NULL;
900526
-	ns_rdataset = NULL;
900526
 	result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
900526
 	while (!done && result == ISC_R_SUCCESS) {
900526
+		isc_boolean_t external;
900526
 		name = NULL;
900526
 		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
900526
 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
900526
@@ -6585,12 +6381,13 @@ answer_response(fetchctx_t *fctx) {
900526
 						DNS_NAMEATTR_CACHE;
900526
 					rdataset->attributes |=
900526
 						DNS_RDATASETATTR_CACHE;
900526
-					if (aa && chaining == 0)
900526
+					if (aa && !chaining) {
900526
 						rdataset->trust =
900526
 						    dns_trust_authauthority;
900526
-					else
900526
+					} else {
900526
 						rdataset->trust =
900526
 						    dns_trust_additional;
900526
+					}
900526
 
900526
 					if (rdataset->type == dns_rdatatype_ns)
900526
 					{
900526
@@ -7249,6 +7046,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
900526
 	 * Is the remote server broken, or does it dislike us?
900526
 	 */
900526
 	if (message->rcode != dns_rcode_noerror &&
900526
+	    message->rcode != dns_rcode_yxdomain &&
900526
 	    message->rcode != dns_rcode_nxdomain) {
900526
 		if (((message->rcode == dns_rcode_formerr ||
900526
 		      message->rcode == dns_rcode_notimp) ||
900526
@@ -7293,13 +7091,6 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
900526
 				log_formerr(fctx, "server sent FORMERR");
900526
 				result = DNS_R_FORMERR;
900526
 			}
900526
-		} else if (message->rcode == dns_rcode_yxdomain) {
900526
-			/*
900526
-			 * DNAME mapping failed because the new name
900526
-			 * was too long.  There's no chance of success
900526
-			 * for this fetch.
900526
-			 */
900526
-			result = DNS_R_YXDOMAIN;
900526
 		} else if (message->rcode == dns_rcode_badvers) {
900526
 			unsigned int flags, mask;
900526
 			unsigned int version;
900526
@@ -7404,6 +7195,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
900526
 	 */
900526
 	if (message->counts[DNS_SECTION_ANSWER] > 0 &&
900526
 	    (message->rcode == dns_rcode_noerror ||
900526
+	     message->rcode == dns_rcode_yxdomain ||
900526
 	     message->rcode == dns_rcode_nxdomain)) {
900526
 		/*
900526
 		 * [normal case]
900526
-- 
900526
2.9.3
900526