bind - Upgraded vendor branch to 9.5.2-P1
authorJan Lentfer <Jan.Lentfer@web.de>
Fri, 27 Nov 2009 09:06:46 +0000 (10:06 +0100)
committerJan Lentfer <Jan.Lentfer@web.de>
Fri, 27 Nov 2009 09:06:46 +0000 (10:06 +0100)
contrib/bind-9.5.2/CHANGES
contrib/bind-9.5.2/bin/named/query.c
contrib/bind-9.5.2/lib/dns/api
contrib/bind-9.5.2/lib/dns/include/dns/types.h
contrib/bind-9.5.2/lib/dns/masterdump.c
contrib/bind-9.5.2/lib/dns/rbtdb.c
contrib/bind-9.5.2/lib/dns/resolver.c
contrib/bind-9.5.2/lib/dns/validator.c
contrib/bind-9.5.2/version

index ffe9985..43e1648 100644 (file)
@@ -1,3 +1,8 @@
+       --- 9.5.2-P1 released ---
+
+2772.  [security]      When validating, track whether pending data was from
+                       the additional section or not and only return it if
+                       validates as secure. [RT #20438]
 
        --- 9.5.2 released ---
 
index 08dc9c3..9565eb6 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.298.48.15 2009/09/16 22:28:52 marka Exp $ */
+/* $Id: query.c,v 1.298.48.15.2.1 2009/11/18 23:41:17 marka Exp $ */
 
 /*! \file */
 
 #define DNS_GETDB_NOLOG 0x02U
 #define DNS_GETDB_PARTIAL 0x04U
 
+#define PENDINGOK(x)   (((x) & DNS_DBFIND_PENDINGOK) != 0)
+
 typedef struct client_additionalctx {
        ns_client_t *client;
        dns_rdataset_t *rdataset;
@@ -1744,8 +1746,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
         */
        if (result == ISC_R_SUCCESS &&
            additionaltype == dns_rdatasetadditional_fromcache &&
-           (rdataset->trust == dns_trust_pending ||
-            rdataset->trust == dns_trust_glue) &&
+           (DNS_TRUST_PENDING(rdataset->trust) ||
+            DNS_TRUST_GLUE(rdataset->trust)) &&
            !validate(client, db, fname, rdataset, sigrdataset)) {
                dns_rdataset_disassociate(rdataset);
                if (dns_rdataset_isassociated(sigrdataset))
@@ -1784,8 +1786,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
         */
        if (result == ISC_R_SUCCESS &&
            additionaltype == dns_rdatasetadditional_fromcache &&
-           (rdataset->trust == dns_trust_pending ||
-            rdataset->trust == dns_trust_glue) &&
+           (DNS_TRUST_PENDING(rdataset->trust) ||
+            DNS_TRUST_GLUE(rdataset->trust)) &&
            !validate(client, db, fname, rdataset, sigrdataset)) {
                dns_rdataset_disassociate(rdataset);
                if (dns_rdataset_isassociated(sigrdataset))
@@ -2570,14 +2572,14 @@ query_addbestns(ns_client_t *client) {
        /*
         * Attempt to validate RRsets that are pending or that are glue.
         */
-       if ((rdataset->trust == dns_trust_pending ||
-            (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending))
+       if ((DNS_TRUST_PENDING(rdataset->trust) ||
+            (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust)))
            && !validate(client, db, fname, rdataset, sigrdataset) &&
-           (client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0)
+           !PENDINGOK(client->query.dboptions))
                goto cleanup;
 
-       if ((rdataset->trust == dns_trust_glue ||
-            (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)) &&
+       if ((DNS_TRUST_GLUE(rdataset->trust) ||
+            (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) &&
            !validate(client, db, fname, rdataset, sigrdataset) &&
            SECURE(client) && WANTDNSSEC(client))
                goto cleanup;
@@ -3387,6 +3389,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
        dns_rdataset_t *noqname;
        isc_boolean_t resuming;
        int line = -1;
+       dns_rdataset_t tmprdataset;
+       unsigned int dboptions;
 
        CTRACE("query_find");
 
@@ -3603,9 +3607,49 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
        /*
         * Now look for an answer in the database.
         */
+       dboptions = client->query.dboptions;
+       if (sigrdataset == NULL && client->view->enablednssec) {
+               /*
+                * If the client doesn't want DNSSEC we still want to
+                * look for any data pending validation to save a remote
+                * lookup if possible.
+                */
+               dns_rdataset_init(&tmprdataset);
+               sigrdataset = &tmprdataset;
+               dboptions |= DNS_DBFIND_PENDINGOK;
+       }
+ refind:
        result = dns_db_find(db, client->query.qname, version, type,
-                            client->query.dboptions, client->now,
-                            &node, fname, rdataset, sigrdataset);
+                            dboptions, client->now, &node, fname,
+                            rdataset, sigrdataset);
+       /*
+        * If we have found pending data try to validate it.
+        * If the data does not validate as secure and we can't
+        * use the unvalidated data requery the database with
+        * pending disabled to prevent infinite looping.
+        */
+       if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust))
+               goto validation_done;
+       if (validate(client, db, fname, rdataset, sigrdataset))
+               goto validation_done;
+       if (rdataset->trust != dns_trust_pending_answer ||
+           !PENDINGOK(client->query.dboptions)) {
+               dns_rdataset_disassociate(rdataset);
+               if (sigrdataset != NULL &&
+                   dns_rdataset_isassociated(sigrdataset))
+                       dns_rdataset_disassociate(sigrdataset);
+               if (sigrdataset == &tmprdataset)
+                       sigrdataset = NULL;
+               dns_db_detachnode(db, &node);
+               dboptions &= ~DNS_DBFIND_PENDINGOK;
+               goto refind;
+       }
+ validation_done:
+       if (sigrdataset == &tmprdataset) {
+               if (dns_rdataset_isassociated(sigrdataset))
+                       dns_rdataset_disassociate(sigrdataset);
+               sigrdataset = NULL;
+       }
 
  resume:
        CTRACE("query_find: resume");
index 9cc4a9c..1099c30 100644 (file)
@@ -1,3 +1,3 @@
-LIBINTERFACE = 46
-LIBREVISION = 1
-LIBAGE = 1
+LIBINTERFACE = 47
+LIBREVISION = 0
+LIBAGE = 0
index 2ad332f..4d873e4 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.126.62.6 2009/01/29 22:41:45 jinmei Exp $ */
+/* $Id: types.h,v 1.126.62.6.2.1 2009/11/18 23:41:18 marka Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
@@ -253,40 +253,52 @@ enum {
        dns_trust_none = 0,
 #define dns_trust_none                 ((dns_trust_t)dns_trust_none)
 
-       /*% Subject to DNSSEC validation but has not yet been validated */
-       dns_trust_pending = 1,
-#define dns_trust_pending              ((dns_trust_t)dns_trust_pending)
+       /*%
+        * Subject to DNSSEC validation but has not yet been validated
+        * dns_trust_pending_additional (from the additional section).
+        */
+       dns_trust_pending_additional = 1,
+#define dns_trust_pending_additional \
+                ((dns_trust_t)dns_trust_pending_additional)
+
+       dns_trust_pending_answer = 2,
+#define dns_trust_pending_answer       ((dns_trust_t)dns_trust_pending_answer)
 
        /*% Received in the additional section of a response. */
-       dns_trust_additional = 2,
+       dns_trust_additional = 3,
 #define dns_trust_additional           ((dns_trust_t)dns_trust_additional)
 
        /* Received in a referral response. */
-       dns_trust_glue = 3,
+       dns_trust_glue = 4,
 #define dns_trust_glue                 ((dns_trust_t)dns_trust_glue)
 
        /* Answer from a non-authoritative server */
-       dns_trust_answer = 4,
+       dns_trust_answer = 5,
 #define dns_trust_answer               ((dns_trust_t)dns_trust_answer)
 
        /*  Received in the authority section as part of an
            authoritative response */
-       dns_trust_authauthority = 5,
+       dns_trust_authauthority = 6,
 #define dns_trust_authauthority                ((dns_trust_t)dns_trust_authauthority)
 
        /* Answer from an authoritative server */
-       dns_trust_authanswer = 6,
+       dns_trust_authanswer = 7,
 #define dns_trust_authanswer           ((dns_trust_t)dns_trust_authanswer)
 
        /* Successfully DNSSEC validated */
-       dns_trust_secure = 7,
+       dns_trust_secure = 8,
 #define dns_trust_secure               ((dns_trust_t)dns_trust_secure)
 
        /* This server is authoritative */
-       dns_trust_ultimate = 8
+       dns_trust_ultimate = 9
 #define dns_trust_ultimate             ((dns_trust_t)dns_trust_ultimate)
 };
 
+#define DNS_TRUST_PENDING(x)           ((x) == dns_trust_pending_answer || \
+                                        (x) == dns_trust_pending_additional)
+#define DNS_TRUST_GLUE(x)              ((x) == dns_trust_glue)
+
+
 /*%
  * Name checking severities.
  */
index 8cf7c4f..312a307 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.89.128.5 2009/01/19 23:47:02 tbox Exp $ */
+/* $Id: masterdump.c,v 1.89.128.5.2.1 2009/11/18 23:41:18 marka Exp $ */
 
 /*! \file */
 
@@ -774,7 +774,8 @@ dump_order_compare(const void *a, const void *b) {
 
 static const char *trustnames[] = {
        "none",
-       "pending",
+       "pending-additional",
+       "pending-answer",
        "additional",
        "glue",
        "answer",
index ad931bd..2932886 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.248.12.18 2009/05/06 23:34:47 jinmei Exp $ */
+/* $Id: rbtdb.c,v 1.248.12.18.2.1 2009/11/18 23:41:18 marka Exp $ */
 
 /*! \file */
 
@@ -3565,7 +3565,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
        }
 
        if (dname_header != NULL &&
-           (dname_header->trust != dns_trust_pending ||
+           (!DNS_TRUST_PENDING(dname_header->trust) ||
             (search->options & DNS_DBFIND_PENDINGOK) != 0)) {
                /*
                 * We increment the reference count on node to ensure that
@@ -4108,7 +4108,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
        if (found == NULL ||
            (found->trust == dns_trust_glue &&
             ((options & DNS_DBFIND_GLUEOK) == 0)) ||
-           (found->trust == dns_trust_pending &&
+           (DNS_TRUST_PENDING(found->trust) &&
             ((options & DNS_DBFIND_PENDINGOK) == 0))) {
                /*
                 * If there is an NS rdataset at this node, then this is the
index 1441f61..22142f0 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.355.12.44 2009/08/13 04:54:21 marka Exp $ */
+/* $Id: resolver.c,v 1.355.12.44.2.1 2009/11/18 23:41:18 marka Exp $ */
 
 /*! \file */
 
@@ -4243,6 +4243,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                 * for it, unless it is glue.
                 */
                if (secure_domain && rdataset->trust != dns_trust_glue) {
+                       dns_trust_t trust;
                        /*
                         * RRSIGs are validated as part of validating the
                         * type they cover.
@@ -4279,12 +4280,34 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                        }
 
                        /*
+                        * Reject out of bailiwick additional records
+                        * without RRSIGs as they can't possibly validate
+                        * as "secure" and as we will never never want to
+                        * store these as "answers" after validation.
+                        */
+                       if (rdataset->trust == dns_trust_additional &&
+                           sigrdataset == NULL && EXTERNAL(rdataset))
+                               continue;
+                               
+                       /*
+                         * XXXMPA: If we store as "answer" after validating
+                         * then we need to do bailiwick processing and
+                         * also need to track whether RRsets are in or
+                         * out of bailiwick.  This will require a another 
+                         * pending trust level.
+                         *
                         * Cache this rdataset/sigrdataset pair as
-                        * pending data.
+                        * pending data.  Track whether it was additional
+                        * or not.
                         */
-                       rdataset->trust = dns_trust_pending;
+                       if (rdataset->trust == dns_trust_additional)
+                               trust = dns_trust_pending_additional;
+                       else
+                               trust = dns_trust_pending_answer;
+
+                       rdataset->trust = trust;
                        if (sigrdataset != NULL)
-                               sigrdataset->trust = dns_trust_pending;
+                               sigrdataset->trust = trust;
                        if (!need_validation || !ANSWER(rdataset)) {
                                addedrdataset = ardataset;
                                result = dns_db_addrdataset(fctx->cache, node,
@@ -4632,7 +4655,7 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
                        for (trdataset = ISC_LIST_HEAD(tname->list);
                             trdataset != NULL;
                             trdataset = ISC_LIST_NEXT(trdataset, link))
-                               trdataset->trust = dns_trust_pending;
+                               trdataset->trust = dns_trust_pending_answer;
                        result = dns_message_nextname(fctx->rmessage,
                                                      DNS_SECTION_AUTHORITY);
                }
index 4ea5a03..a0b66be 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.155.52.14 2009/03/17 23:46:41 tbox Exp $ */
+/* $Id: validator.c,v 1.155.52.14.2.1 2009/11/18 23:41:18 marka Exp $ */
 
 #include <config.h>
 
@@ -1189,7 +1189,7 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
                 * We have an rrset for the given keyname.
                 */
                val->keyset = &val->frdataset;
-               if (val->frdataset.trust == dns_trust_pending &&
+               if (DNS_TRUST_PENDING(val->frdataset.trust) &&
                    dns_rdataset_isassociated(&val->fsigrdataset))
                {
                        /*
@@ -1204,7 +1204,7 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
                        if (result != ISC_R_SUCCESS)
                                return (result);
                        return (DNS_R_WAIT);
-               } else if (val->frdataset.trust == dns_trust_pending) {
+               } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
                        /*
                         * Having a pending key with no signature means that
                         * something is broken.
@@ -1825,7 +1825,7 @@ validatezonekey(dns_validator_t *val) {
                         * We have DS records.
                         */
                        val->dsset = &val->frdataset;
-                       if (val->frdataset.trust == dns_trust_pending &&
+                       if (DNS_TRUST_PENDING(val->frdataset.trust) &&
                            dns_rdataset_isassociated(&val->fsigrdataset))
                        {
                                result = create_validator(val,
@@ -1838,7 +1838,7 @@ validatezonekey(dns_validator_t *val) {
                                if (result != ISC_R_SUCCESS)
                                        return (result);
                                return (DNS_R_WAIT);
-                       } else if (val->frdataset.trust == dns_trust_pending) {
+                       } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
                                /*
                                 * There should never be an unsigned DS.
                                 */
@@ -2692,7 +2692,7 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
                         * There is no DS.  If this is a delegation,
                         * we maybe done.
                         */
-                       if (val->frdataset.trust == dns_trust_pending) {
+                       if (DNS_TRUST_PENDING(val->frdataset.trust)) {
                                result = create_fetch(val, tname,
                                                      dns_rdatatype_ds,
                                                      dsfetched2,
index a54a9d8..d926008 100644 (file)
@@ -1,4 +1,4 @@
-# $Id: version,v 1.39.18.13 2009/09/21 01:51:10 marka Exp $
+# $Id: version,v 1.39.18.13.2.1 2009/11/18 23:41:17 marka Exp $
 # 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -6,5 +6,5 @@
 MAJORVER=9
 MINORVER=5
 PATCHVER=2
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=-P
+RELEASEVER=1