|
1 This patch was derived from a source code patch provided by ISC to |
|
2 resolve ISC ticket RT #43779. [9.6-ESV-R11-S10] |
|
3 |
|
4 --- old/./CHANGES Thu Jan 12 00:28:22 2017 |
|
5 +++ new/./CHANGES Thu Jan 12 00:28:22 2017 |
|
6 @@ -1,5 +1,9 @@ |
|
7 --- 9.6-ESV-R11-S10 released --- |
|
8 |
|
9 +4530. [bug] Change 4489 broke the handling of CNAME -> DNAME |
|
10 + in responses resulting in SERVFAIL being returned. |
|
11 + [RT #43779] |
|
12 + |
|
13 4517. [security] Named could mishandle authority sections that were |
|
14 missing RRSIGs triggering an assertion failure. |
|
15 (CVE-2016-9444) [RT #43632] |
|
16 --- old/bin/tests/system/dname/ns2/example.db Thu Jan 12 00:28:22 2017 |
|
17 +++ new/bin/tests/system/dname/ns2/example.db Thu Jan 12 00:28:22 2017 |
|
18 @@ -29,4 +29,6 @@ |
|
19 short-dname DNAME short |
|
20 a.longlonglonglonglonglonglonglonglonglonglonglonglong A 10.0.0.2 |
|
21 long-dname DNAME longlonglonglonglonglonglonglonglonglonglonglonglong |
|
22 -; |
|
23 +cname CNAME a.cnamedname |
|
24 +cnamedname DNAME target |
|
25 +a.target A 10.0.0.3 |
|
26 --- old/bin/tests/system/dname/tests.sh Thu Jan 12 00:28:22 2017 |
|
27 +++ new/bin/tests/system/dname/tests.sh Thu Jan 12 00:28:22 2017 |
|
28 @@ -63,6 +63,24 @@ |
|
29 if [ $ret != 0 ]; then echo "I:failed"; fi |
|
30 status=`expr $status + $ret` |
|
31 |
|
32 +echo "I:checking cname to dname from authoritative" |
|
33 +ret=0 |
|
34 +$DIG cname.example @10.53.0.2 a -p 5300 > dig.out.ns2.cname |
|
35 +grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1 |
|
36 +if [ $ret != 0 ]; then echo "I:failed"; fi |
|
37 +status=`expr $status + $ret` |
|
38 + |
|
39 +echo "I:checking cname to dname from recursive" |
|
40 +ret=0 |
|
41 +$DIG cname.example @10.53.0.4 a -p 5300 > dig.out.ns4.cname |
|
42 +grep "status: NOERROR" dig.out.ns4.cname > /dev/null || ret=1 |
|
43 +grep '^cname.example.' dig.out.ns4.cname > /dev/null || ret=1 |
|
44 +grep '^cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1 |
|
45 +grep '^a.cnamedname.example.' dig.out.ns4.cname > /dev/null || ret=1 |
|
46 +grep '^a.target.example.' dig.out.ns4.cname > /dev/null || ret=1 |
|
47 +if [ $ret != 0 ]; then echo "I:failed"; fi |
|
48 +status=`expr $status + $ret` |
|
49 + |
|
50 echo "I:exit status: $status" |
|
51 |
|
52 exit $status |
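Review bot: The authoritative check added at `echo "I:checking cname to dname from authoritative"` only greps for `status: NOERROR`, while the recursive check below it also verifies each record of the CNAME/DNAME chain; if ns2 is expected to return the full synthesized chain, the same four `grep '^…example.'` lines should be run against `dig.out.ns2.cname` so that a regression returning NOERROR with an incomplete answer is still caught. Both new checks otherwise follow the existing `ret`/`status` accounting of the surrounding tests, which is consistent with the file.
```shell
$DIG cname.example @10.53.0.2 a -p 5300 > dig.out.ns2.cname
grep "status: NOERROR" dig.out.ns2.cname > /dev/null || ret=1
grep '^cname.example.' dig.out.ns2.cname > /dev/null || ret=1
grep '^cnamedname.example.' dig.out.ns2.cname > /dev/null || ret=1
grep '^a.cnamedname.example.' dig.out.ns2.cname > /dev/null || ret=1
grep '^a.target.example.' dig.out.ns2.cname > /dev/null || ret=1
# … unchanged: failure report and status accumulation …
```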
|
53 --- old/lib/dns/resolver.c Thu Jan 12 00:28:23 2017 |
|
54 +++ new/lib/dns/resolver.c Thu Jan 12 00:28:23 2017 |
|
55 @@ -5776,7 +5776,7 @@ |
|
56 answer_response(fetchctx_t *fctx) { |
|
57 isc_result_t result; |
|
58 dns_message_t *message; |
|
59 - dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name; |
|
60 + dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; |
|
61 dns_name_t *cname = NULL; |
|
62 dns_rdataset_t *rdataset, *ns_rdataset; |
|
63 isc_boolean_t done, external, chaining, aa, found, want_chaining; |
|
64 @@ -5784,7 +5784,7 @@ |
|
65 isc_boolean_t wanted_chaining; |
|
66 unsigned int aflag; |
|
67 dns_rdatatype_t type; |
|
68 - dns_fixedname_t fdname, fqname, fqdname; |
|
69 + dns_fixedname_t fdname, fqname; |
|
70 |
|
71 FCTXTRACE("answer_response"); |
|
72 |
|
73 @@ -5807,12 +5807,11 @@ |
|
74 aa = ISC_TRUE; |
|
75 else |
|
76 aa = ISC_FALSE; |
|
77 - dqname = qname = &fctx->name; |
|
78 + qname = &fctx->name; |
|
79 type = fctx->type; |
|
80 - dns_fixedname_init(&fqdname); |
|
81 result = dns_message_firstname(message, DNS_SECTION_ANSWER); |
|
82 while (!done && result == ISC_R_SUCCESS) { |
|
83 - dns_namereln_t namereln, dnamereln; |
|
84 + dns_namereln_t namereln; |
|
85 |
|
86 int order; |
|
87 unsigned int nlabels; |
|
88 @@ -5821,8 +5820,6 @@ |
|
89 dns_message_currentname(message, DNS_SECTION_ANSWER, &name); |
|
90 external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); |
|
91 namereln = dns_name_fullcompare(qname, name, &order, &nlabels); |
|
92 - dnamereln = dns_name_fullcompare(dqname, name, &order, |
|
93 - &nlabels); |
|
94 if (namereln == dns_namereln_equal) { |
|
95 wanted_chaining = ISC_FALSE; |
|
96 for (rdataset = ISC_LIST_HEAD(name->list); |
|
97 @@ -6074,11 +6071,24 @@ |
|
98 return (DNS_R_FORMERR); |
|
99 } |
|
100 |
|
101 - if (dnamereln != dns_namereln_subdomain) { |
|
102 + /* |
|
103 + * If DNAME + synthetic CNAME then the |
|
104 + * namereln is dns_namereln_subdomain. |
|
105 + * |
|
106 + * If synthetic CNAME + DNAME then the |
|
107 + * namereln is dns_namereln_commonancestor |
|
108 + * and the number of label must match the |
|
109 + * DNAME. This order is not RFC compliant. |
|
110 + */ |
|
111 + |
|
112 + if (namereln != dns_namereln_subdomain && |
|
113 + (namereln != dns_namereln_commonancestor || |
|
114 + nlabels != dns_name_countlabels(name))) |
|
115 + { |
|
116 char qbuf[DNS_NAME_FORMATSIZE]; |
|
117 char obuf[DNS_NAME_FORMATSIZE]; |
|
118 |
|
119 - dns_name_format(dqname, qbuf, |
|
120 + dns_name_format(qname, qbuf, |
|
121 sizeof(qbuf)); |
|
122 dns_name_format(name, obuf, |
|
123 sizeof(obuf)); |
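Review bot: The new condition `namereln != dns_namereln_subdomain && (namereln != dns_namereln_commonancestor || nlabels != dns_name_countlabels(name))` is the resolver's check that a DNAME in the answer actually covers the name being resolved, and the comment above it should state that purpose rather than only describing the two orderings; as written it also has a typo (`number of label` should read `number of labels`). Because `qname` no longer has a separate `dqname` shadow, and the hunk does not show how `qname` is advanced after a synthetic CNAME is consumed, it cannot be confirmed here that `nlabels` from the earlier `dns_name_fullcompare(qname, name, &order, &nlabels)` still refers to the DNAME owner in the commonancestor branch; a comment naming the invariant, e.g. `/* nlabels is from the qname/name comparison above; equal to the DNAME owner's label count means the DNAME owner is an ancestor of the name reached after the CNAME. */`, would make that reviewable. The same `nlabels` is later handed to `dname_target(rdataset, qname, nlabels, &fdname)` in the following hunk, so a wrong value there could affect the synthesized target rather than just produce a FORMERR. answer_response begins and ends outside this hunk.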
|
124 @@ -6097,7 +6107,7 @@ |
|
125 want_chaining = ISC_TRUE; |
|
126 POST(want_chaining); |
|
127 aflag = DNS_RDATASETATTR_ANSWER; |
|
128 - result = dname_target(rdataset, dqname, |
|
129 + result = dname_target(rdataset, qname, |
|
130 nlabels, &fdname); |
|
131 if (result == ISC_R_NOSPACE) { |
|
132 /* |
|
133 @@ -6113,8 +6123,6 @@ |
|
134 dnameset = rdataset; |
|
135 |
|
136 dname = dns_fixedname_name(&fdname); |
|
137 - dqname = dns_fixedname_name(&fqdname); |
|
138 - dns_name_copy(dname, dqname, NULL); |
|
139 } else { |
|
140 /* |
|
141 * We've found a signature that |
|
142 @@ -6261,7 +6269,8 @@ |
|
143 rdataset->trust = |
|
144 dns_trust_additional; |
|
145 |
|
146 - if (rdataset->type == dns_rdatatype_ns) { |
|
147 + if (rdataset->type == dns_rdatatype_ns) |
|
148 + { |
|
149 ns_name = name; |
|
150 ns_rdataset = rdataset; |
|
151 } |