packages/bind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
bind/backport-0052-Handle-DNS_R_NCACHENXRRSET-in-fetch_callback_-dnskey.patch
jiangheng ad37c37958 backport some patches from community 
(cherry picked from commit a9fd9ece9b9436b6103d084920c6897ef1adbae6)
2022-09-03 21:36:21 +08:00

56 lines
2.0 KiB
Diff
Raw Blame History

From 4a4605fbefd74ae8417f4601950e313ea2977eba Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 28 Oct 2020 11:58:38 +1100
Subject: [PATCH] Handle DNS_R_NCACHENXRRSET in
fetch_callback_{dnskey,validator}()
DNS_R_NCACHENXRRSET can be return when zones are in transition state
from being unsigned to signed and signed to unsigned. The validation
should be resumed and should result in a insecure answer.
(cherry picked from commit 718e597def1daaae7edf9b151f6b24e0acc5c87a)
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/4a4605fbefd74ae8417f4601950e313ea2977eba
---
lib/dns/validator.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 1605261a48..9d966f7bb1 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -418,17 +418,24 @@ fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
val->fetch = NULL;
if (CANCELED(val)) {
validator_done(val, ISC_R_CANCELED);
- } else if (eresult == ISC_R_SUCCESS) {
- validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %s",
+ } else if (eresult == ISC_R_SUCCESS || eresult == DNS_R_NCACHENXRRSET) {
+ /*
+ * We have an answer to our DNSKEY query. Either the DNSKEY
+ * RRset or a NODATA response.
+ */
+ validator_log(val, ISC_LOG_DEBUG(3), "%s with trust %s",
+ eresult == ISC_R_SUCCESS ? "keyset"
+ : "NCACHENXRRSET",
dns_trust_totext(rdataset->trust));
/*
- * Only extract the dst key if the keyset is secure.
+ * Only extract the dst key if the keyset exists and is secure.
*/
- if (rdataset->trust >= dns_trust_secure) {
+ if (eresult == ISC_R_SUCCESS &&
+ rdataset->trust >= dns_trust_secure) {
result = get_dst_key(val, val->siginfo, rdataset);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
val->keyset = &val->frdataset;
+ }
}
result = validate(val, true);
if (result == DNS_R_NOVALIDSIG &&
--
2.23.0
Reference in New Issue View Git Blame Copy Permalink