diff --git a/external/bsd/bind/dist/CHANGES b/external/bsd/bind/dist/CHANGES index 4c4381b3010b..2003f402fef9 100644 --- a/external/bsd/bind/dist/CHANGES +++ b/external/bsd/bind/dist/CHANGES @@ -1,7 +1,27 @@ + --- 9.10.4-P8 released --- + +4582. [security] 'rndc ""' could trigger a assertion failure in named. + (CVE-2017-3138) [RT #44924] + +4580. [bug] 4578 introduced a regression when handling CNAME to + referral below the current domain. [RT #44850] + + --- 9.10.4-P7 released --- + +4578. [security] Some chaining (CNAME or DNAME) responses to upstream + queries could trigger assertion failures. + (CVE-2017-3137) [RT #44734] + +4575. [security] DNS64 with "break-dnssec yes;" can result in an + assertion failure. (CVE-2017-3136) [RT #44653] + +4564. [maint] Update the built in managed keys to include the + upcoming root KSK. [RT #44579] + --- 9.10.4-P6 released --- 4558. [bug] Synthesised CNAME before matching DNAME was still - being cached when it should have been. [RT #44318] + being cached when it should not have been. [RT #44318] 4557. [security] Combining dns64 and rpz can result in dereferencing a NULL pointer (read). (CVE-2017-3135) [RT#44434] diff --git a/external/bsd/bind/dist/README b/external/bsd/bind/dist/README index e3d5222551ea..20d7d698b2dc 100644 --- a/external/bsd/bind/dist/README +++ b/external/bsd/bind/dist/README @@ -51,6 +51,11 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes +BIND 9.10.4-P7 + + This version contains fixes for CVE-2017-3136 and CVE-2017-3137, + and updates the built in trusted keys for the root zone. + BIND 9.10.4-P6 This version contains a fix for CVE-2017-3135, and a bug fix diff --git a/external/bsd/bind/dist/bin/named/query.c b/external/bsd/bind/dist/bin/named/query.c index 538c65e1ef89..6a72fef3ecf2 100644 --- a/external/bsd/bind/dist/bin/named/query.c +++ b/external/bsd/bind/dist/bin/named/query.c 
@@ -1,7 +1,7 @@ -/* $NetBSD: query.c,v 1.23 2017/02/09 00:23:26 christos Exp $ */ +/* $NetBSD: query.c,v 1.24 2017/04/13 19:11:19 christos Exp $ */ /* - * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -8221,6 +8221,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) result = query_dns64(client, &fname, rdataset, sigrdataset, dbuf, DNS_SECTION_ANSWER); + noqname = NULL; dns_rdataset_disassociate(rdataset); dns_message_puttemprdataset(client->message, &rdataset); if (result == ISC_R_NOMORE) { diff --git a/external/bsd/bind/dist/configure b/external/bsd/bind/dist/configure index 0b120ce41aec..c3842e56104e 100644 --- a/external/bsd/bind/dist/configure +++ b/external/bsd/bind/dist/configure @@ -1,5 +1,5 @@ #! /bin/sh -# Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1996-2003 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any diff --git a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html index e048a249d5d5..20149f6b1d9f 100644 --- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html +++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html @@ -2326,6 +2326,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. -
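Review bot: The added `noqname = NULL;` after the query_dns64() call carries no comment, and the only hint that it is the DNS64/"break-dnssec yes" assertion fix is the CHANGES entry 4575 (CVE-2017-3136) elsewhere in this commit. A reader of query_find() will not see why a NOQNAME proof is discarded right here. Presumably the proof was taken for the original rdataset and does not cover the DNS64-synthesised answer, so attaching it later trips an assertion — confirm against the later noqname handling — and a comment on the added line such as `/* The NOQNAME proof belongs to the original rdataset, not to the synthesised DNS64 answer; drop it (CVE-2017-3136). */` would record that. query_find() begins and ends far outside this hunk, so whether other answer-synthesising paths need the same reset cannot be judged from here.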

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html index c944e34a6049..f86e4a783f0f 100644 --- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html +++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html @@ -12845,6 +12845,6 @@ HOST-127.EXAMPLE. MX 0 . -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html index 7bf6f518de45..68803c0d97ff 100644 --- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html +++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html @@ -248,6 +248,6 @@ zone "example.com" { -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html index 99d1e4f95104..108bdaac9299 100644 --- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html +++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html @@ -134,6 +134,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html index 0b416673683f..35c5dd9af80c 100644 --- a/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html +++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html @@ -44,10 +44,11 @@

Table of Contents

-
Release Notes for BIND Version 9.10.4-P6
+
Release Notes for BIND Version 9.10.4-P8
Introduction
Download
+
New DNSSEC Root Key
Security Fixes
New Features
Feature Changes
@@ -60,13 +61,18 @@

-Release Notes for BIND Version 9.10.4-P6

+Release Notes for BIND Version 9.10.4-P8

Introduction

This document summarizes changes since BIND 9.10.4:

+

+ BIND 9.10.4-P7 addresses the security issue described in + CVE-2017-3136, and updates the built in trusted keys for + the root zone. +

BIND 9.10.4-P6 addresses the security issue described in CVE-2017-3135, and fixes a regression introduced in a prior @@ -109,8 +115,51 @@

+New DNSSEC Root Key

+

+ ICANN is in the process of introducing a new Key Signing Key (KSK) for + the global root zone. BIND has multiple methods for managing DNSSEC + trust anchors, with somewhat different behaviors. If the root + key is configured using the managed-keys + statement, or if the pre-configured root key is enabled by using + dnssec-validation auto, then BIND can keep + keys up to date automatically. Servers configured in this way + will roll seamlessly to the new key when it is published in + the root zone. However, keys configured using the + trusted-keys statement are not automatically + maintained. If your server is performing DNSSEC validation + and is configured using trusted-keys, you are + advised to change your configuration before the root zone begins + signing with the new KSK. This is currently scheduled for + October 11, 2017. +

+

+ This release includes an updated version of the + bind.keys file containing the new root + key. This file can also be downloaded from + + https://www.isc.org/bind-keys + . +

+
+
+

Security Fixes

-

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/Bv9ARM.html b/external/bsd/bind/dist/doc/arm/Bv9ARM.html index 06e5477fa366..c7856ac9ef02 100644 --- a/external/bsd/bind/dist/doc/arm/Bv9ARM.html +++ b/external/bsd/bind/dist/doc/arm/Bv9ARM.html @@ -40,7 +40,7 @@

BIND 9 Administrator Reference Manual

-

BIND Version 9.10.4-P6

+

BIND Version 9.10.4-P8

@@ -239,10 +239,11 @@
A. Release Notes
-
Release Notes for BIND Version 9.10.4-P6
+
Release Notes for BIND Version 9.10.4-P8
Introduction
Download
+
New DNSSEC Root Key
Security Fixes
New Features
Feature Changes
@@ -385,6 +386,6 @@
-

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/Bv9ARM.pdf b/external/bsd/bind/dist/doc/arm/Bv9ARM.pdf index ddfbafb2b595..8c5613d9f8b9 100755 Binary files a/external/bsd/bind/dist/doc/arm/Bv9ARM.pdf and b/external/bsd/bind/dist/doc/arm/Bv9ARM.pdf differ diff --git a/external/bsd/bind/dist/doc/arm/man.arpaname.html b/external/bsd/bind/dist/doc/arm/man.arpaname.html index c5b493b7b718..dff70f3d9b80 100644 --- a/external/bsd/bind/dist/doc/arm/man.arpaname.html +++ b/external/bsd/bind/dist/doc/arm/man.arpaname.html @@ -81,6 +81,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html b/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html index b6aabe37f21a..cc67c2cf5021 100644 --- a/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html +++ b/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html @@ -185,6 +185,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.delv.html b/external/bsd/bind/dist/doc/arm/man.delv.html index 1dc6293981a9..7cb0fc30ddb0 100644 --- a/external/bsd/bind/dist/doc/arm/man.delv.html +++ b/external/bsd/bind/dist/doc/arm/man.delv.html @@ -498,6 +498,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.dig.html b/external/bsd/bind/dist/doc/arm/man.dig.html index 971a5b55de66..bcad1df007b9 100644 --- a/external/bsd/bind/dist/doc/arm/man.dig.html +++ b/external/bsd/bind/dist/doc/arm/man.dig.html @@ -809,6 +809,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html b/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html index b6cbbd35f82e..0945dd5bbdba 100644 --- a/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html +++ b/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html @@ -112,6 +112,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html b/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html index e89b3d5767e0..1fc71a0d0c09 100644 --- a/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html +++ b/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html @@ -219,6 +219,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html b/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html index 22cd9c27dc57..8fb7b4478f86 100644 --- a/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html +++ b/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html @@ -213,6 +213,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html b/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html index 60dfd99659ef..6d25a452841c 100644 --- a/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html +++ b/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html @@ -177,6 +177,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html b/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html index 524d477f64ba..4bc4a7f8ad0f 100644 --- a/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html +++ b/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html @@ -381,6 +381,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html b/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html index 1ddccf31dcfb..e486084e8796 100644 --- a/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html +++ b/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html @@ -455,6 +455,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html b/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html index bab1e794f111..d42232e21473 100644 --- a/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html +++ b/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html @@ -134,6 +134,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html b/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html index 5182bbc6a0e1..748653cd4260 100644 --- a/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html +++ b/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html @@ -264,6 +264,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html b/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html index 58a277332a31..24fe53a7f2b7 100644 --- a/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html +++ b/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html @@ -564,6 +564,6 @@ db.example.com.signed -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html b/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html index 5bbb5361082b..9b87ba42ee7d 100644 --- a/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html +++ b/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html @@ -164,6 +164,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.genrandom.html b/external/bsd/bind/dist/doc/arm/man.genrandom.html index 74a42a9c2881..b973b8cd1b27 100644 --- a/external/bsd/bind/dist/doc/arm/man.genrandom.html +++ b/external/bsd/bind/dist/doc/arm/man.genrandom.html @@ -102,6 +102,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.host.html b/external/bsd/bind/dist/doc/arm/man.host.html index 3912313fa95c..1c0f4f48e6d8 100644 --- a/external/bsd/bind/dist/doc/arm/man.host.html +++ b/external/bsd/bind/dist/doc/arm/man.host.html @@ -247,6 +247,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html b/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html index d5979c25f91d..acdd2b21f88e 100644 --- a/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html +++ b/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html @@ -112,6 +112,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.named-checkconf.html b/external/bsd/bind/dist/doc/arm/man.named-checkconf.html index dafefbd1e036..d0e91817b4e1 100644 --- a/external/bsd/bind/dist/doc/arm/man.named-checkconf.html +++ b/external/bsd/bind/dist/doc/arm/man.named-checkconf.html @@ -151,6 +151,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.named-checkzone.html b/external/bsd/bind/dist/doc/arm/man.named-checkzone.html index ccdbd4b96862..2c87c268dc8e 100644 --- a/external/bsd/bind/dist/doc/arm/man.named-checkzone.html +++ b/external/bsd/bind/dist/doc/arm/man.named-checkzone.html @@ -338,6 +338,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.named-journalprint.html b/external/bsd/bind/dist/doc/arm/man.named-journalprint.html index a2b1eff61f92..2ec3af6a1f89 100644 --- a/external/bsd/bind/dist/doc/arm/man.named-journalprint.html +++ b/external/bsd/bind/dist/doc/arm/man.named-journalprint.html @@ -102,6 +102,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html b/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html index bf4f86ee736c..5a6681c2f620 100644 --- a/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html +++ b/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html @@ -104,6 +104,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.named.html b/external/bsd/bind/dist/doc/arm/man.named.html index 476cc26f67d2..7a4678f35753 100644 --- a/external/bsd/bind/dist/doc/arm/man.named.html +++ b/external/bsd/bind/dist/doc/arm/man.named.html @@ -369,6 +369,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.nsec3hash.html b/external/bsd/bind/dist/doc/arm/man.nsec3hash.html index ba5f102ca59b..122690d039d6 100644 --- a/external/bsd/bind/dist/doc/arm/man.nsec3hash.html +++ b/external/bsd/bind/dist/doc/arm/man.nsec3hash.html @@ -103,6 +103,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.nsupdate.html b/external/bsd/bind/dist/doc/arm/man.nsupdate.html index 5a708ac6ba35..871729540195 100644 --- a/external/bsd/bind/dist/doc/arm/man.nsupdate.html +++ b/external/bsd/bind/dist/doc/arm/man.nsupdate.html @@ -663,6 +663,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html b/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html index 72913bcb5605..7d959389a29c 100644 --- a/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html +++ b/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html @@ -223,6 +223,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.rndc.conf.html b/external/bsd/bind/dist/doc/arm/man.rndc.conf.html index 151f2a60aab5..a42c411caac8 100644 --- a/external/bsd/bind/dist/doc/arm/man.rndc.conf.html +++ b/external/bsd/bind/dist/doc/arm/man.rndc.conf.html @@ -246,6 +246,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/doc/arm/man.rndc.html b/external/bsd/bind/dist/doc/arm/man.rndc.html index 7b3c08387a87..74c97926f7eb 100644 --- a/external/bsd/bind/dist/doc/arm/man.rndc.html +++ b/external/bsd/bind/dist/doc/arm/man.rndc.html @@ -621,6 +621,6 @@ -

BIND 9.10.4-P6

+

BIND 9.10.4-P8

diff --git a/external/bsd/bind/dist/lib/dns/api b/external/bsd/bind/dist/lib/dns/api index 2bbf23e8c44a..263a3eceec16 100644 --- a/external/bsd/bind/dist/lib/dns/api +++ b/external/bsd/bind/dist/lib/dns/api @@ -6,5 +6,5 @@ # 9.9-sub: 130-139, 150-159 # 9.10: 140-149, 160-169 LIBINTERFACE = 165 -LIBREVISION = 5 +LIBREVISION = 7 LIBAGE = 0 diff --git a/external/bsd/bind/dist/lib/dns/rdataset.c b/external/bsd/bind/dist/lib/dns/rdataset.c index cbd6035dcbd0..8157e0731ba6 100644 --- a/external/bsd/bind/dist/lib/dns/rdataset.c +++ b/external/bsd/bind/dist/lib/dns/rdataset.c @@ -1,7 +1,7 @@ -/* $NetBSD: rdataset.c,v 1.9 2017/02/09 00:23:27 christos Exp $ */ +/* $NetBSD: rdataset.c,v 1.10 2017/04/13 19:11:20 christos Exp $ */ /* - * Copyright (C) 2004-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2012, 2014, 2015, 2017 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any diff --git a/external/bsd/bind/dist/lib/dns/resolver.c b/external/bsd/bind/dist/lib/dns/resolver.c index 49fb5f99e5a7..dc95e269899e 100644 --- a/external/bsd/bind/dist/lib/dns/resolver.c +++ b/external/bsd/bind/dist/lib/dns/resolver.c @@ -1,7 +1,7 @@ -/* $NetBSD: resolver.c,v 1.29 2017/02/09 00:23:27 christos Exp $ */ +/* $NetBSD: resolver.c,v 1.30 2017/04/13 19:11:20 christos Exp $ */ /* - * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -4469,6 +4469,7 @@ is_lame(fetchctx_t *fctx) { isc_result_t result; if (message->rcode != dns_rcode_noerror && + message->rcode != dns_rcode_yxdomain && message->rcode != dns_rcode_nxdomain) return (ISC_FALSE); 
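Review bot: The new `message->rcode != dns_rcode_yxdomain &&` condition in is_lame() has no explanation of why YXDOMAIN is now treated like NOERROR/NXDOMAIN for the lameness check; most readers associate YXDOMAIN with dynamic update, not with resolution. It is presumably the RFC 6672 case where DNAME substitution produces a name longer than 255 octets, which would line up with the DNS_R_NAMETOOLONG handling added to is_answertarget_allowed() in this same commit — confirm. A comment on the added line, `/* YXDOMAIN: DNAME substitution produced an over-long name (RFC 6672); still a real answer. */`, would make the intent clear. The remainder of is_lame() lies outside this hunk.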
@@ -6081,79 +6082,6 @@ chase_additional(fetchctx_t *fctx) { goto again; } -static inline isc_result_t -cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_cname_t cname; - - result = dns_rdataset_first(rdataset); - if (result != ISC_R_SUCCESS) - return (result); - dns_rdataset_current(rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &cname, NULL); - if (result != ISC_R_SUCCESS) - return (result); - dns_name_init(tname, NULL); - dns_name_clone(&cname.cname, tname); - dns_rdata_freestruct(&cname); - - return (ISC_R_SUCCESS); -} - -/*% - * Construct the synthesised CNAME from the existing QNAME and - * the DNAME RR and store it in 'target'. - */ -static inline isc_result_t -dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, - unsigned int nlabels, dns_name_t *target) -{ - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_dname_t dname; - dns_fixedname_t prefix; - - /* - * Get the target name of the DNAME. - */ - result = dns_rdataset_first(rdataset); - if (result != ISC_R_SUCCESS) - return (result); - dns_rdataset_current(rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &dname, NULL); - if (result != ISC_R_SUCCESS) - return (result); - - dns_fixedname_init(&prefix); - dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); - result = dns_name_concatenate(dns_fixedname_name(&prefix), - &dname.dname, target, NULL); - dns_rdata_freestruct(&dname); - return (result); -} - -/*% - * Check if it was possible to construct 'qname' from 'lastcname' - * and 'rdataset'. 
- */ -static inline isc_result_t -fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname, - unsigned int nlabels, const dns_name_t *qname) -{ - dns_fixedname_t fixed; - isc_result_t result; - dns_name_t *target; - - dns_fixedname_init(&fixed); - target = dns_fixedname_name(&fixed); - result = dname_target(rdataset, lastcname, nlabels, target); - if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target)) - return (ISC_R_NOTFOUND); - - return (ISC_R_SUCCESS); -} - static isc_boolean_t is_answeraddress_allowed(dns_view_t *view, dns_name_t *name, dns_rdataset_t *rdataset) @@ -6229,9 +6157,8 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name, } static isc_boolean_t -is_answertarget_allowed(dns_view_t *view, dns_name_t *name, - dns_rdatatype_t type, dns_name_t *tname, - dns_name_t *domain) +is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, + dns_rdataset_t *rdataset, isc_boolean_t *chainingp) { isc_result_t result; dns_rbtnode_t *node = NULL; 
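Review bot: The new signature of is_answertarget_allowed() replaces `(view, name, type, tname, domain)` with `(fctx, qname, rname, rdataset, chainingp)` without any comment stating the contract of the new parameters, in particular what `rname` is (from the later hunks, the owner name of the CNAME/DNAME rdataset) and that `chainingp` is an out-parameter that is only ever set to ISC_TRUE, never cleared, so the caller must initialise it. A block comment above `static isc_boolean_t` should say that the function checks whether the target of the CNAME or DNAME in `rdataset` (owned by `rname`, answering `qname`) is permitted under the view's deny-answer-aliases configuration, that `rdataset` must be a CNAME or DNAME rdataset, and that `*chainingp` is set when a target name was extracted. The function body continues past this hunk.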
@@ -6239,8 +6166,57 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name, char tnamebuf[DNS_NAME_FORMATSIZE]; char classbuf[64]; char typebuf[64]; + dns_name_t *tname = NULL; + dns_rdata_cname_t cname; + dns_rdata_dname_t dname; + dns_view_t *view = fctx->res->view; + dns_rdata_t rdata = DNS_RDATA_INIT; + unsigned int nlabels; + dns_fixedname_t fixed; + dns_name_t prefix; + + REQUIRE(rdataset != NULL); + REQUIRE(rdataset->type == dns_rdatatype_cname || + rdataset->type == dns_rdatatype_dname); + + /* + * By default, we allow any target name. + * If newqname != NULL we also need to extract the newqname. + */ + if (chainingp == NULL && view->denyanswernames == NULL) + return (ISC_TRUE); + + result = dns_rdataset_first(rdataset); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdataset_current(rdataset, &rdata); + switch (rdataset->type) { + case dns_rdatatype_cname: + result = dns_rdata_tostruct(&rdata, &cname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + tname = &cname.cname; + break; + case dns_rdatatype_dname: + result = dns_rdata_tostruct(&rdata, &dname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_name_init(&prefix, NULL); + dns_fixedname_init(&fixed); + tname = dns_fixedname_name(&fixed); + nlabels = dns_name_countlabels(qname) - + dns_name_countlabels(rname); + dns_name_split(qname, nlabels, &prefix, NULL); + result = dns_name_concatenate(&prefix, &dname.dname, tname, + NULL); + if (result == DNS_R_NAMETOOLONG) + return (ISC_TRUE); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + break; + default: + INSIST(0); + } + + if (chainingp != NULL) + *chainingp = ISC_TRUE; - /* By default, we allow any target name. */ if (view->denyanswernames == NULL) return (ISC_TRUE); 
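Review bot: In the dns_rdatatype_dname case, `nlabels = dns_name_countlabels(qname) - dns_name_countlabels(rname);` is an unsigned subtraction with no check that `rname` is actually an ancestor of `qname`; if a response ever reaches this point with a DNAME owner that is not a proper ancestor of the query name, nlabels wraps and `dns_name_split()` fails its REQUIRE, which is an assertion failure driven by remote data — the same class of bug CVE-2017-3137 is fixing. Whether the caller in answer_response() already enforces that relationship cannot be seen here (that hunk is cut off at the end of the page), so the guard belongs in this function: `if (dns_name_fullcompare(qname, rname, &order, &nlabels) != dns_namereln_subdomain) return (ISC_TRUE);` followed by `nlabels = dns_name_countlabels(qname) - nlabels;`, with `int order;` declared next to `nlabels`. Separately, the new comment `If newqname != NULL we also need to extract the newqname.` refers to a parameter that does not exist; it should read `If chainingp != NULL we also need to extract the target name.`. The function continues past this hunk into the deny-answer-aliases checks.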
@@ -6249,8 +6225,8 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name, * or partially, allow it. */ if (view->answernames_exclude != NULL) { - result = dns_rbt_findnode(view->answernames_exclude, name, NULL, - &node, NULL, 0, NULL, NULL); + result = dns_rbt_findnode(view->answernames_exclude, qname, + NULL, &node, NULL, 0, NULL, NULL); if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) return (ISC_TRUE); } @@ -6258,7 +6234,7 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name, /* * If the target name is a subdomain of the search domain, allow it. */ - if (dns_name_issubdomain(tname, domain)) + if (dns_name_issubdomain(tname, &fctx->domain)) return (ISC_TRUE); /* @@ -6267,9 +6243,9 @@ is_answertarget_allowed(dns_view_t *view, dns_name_t *name, result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node, NULL, 0, NULL, NULL); if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { - dns_name_format(name, qnamebuf, sizeof(qnamebuf)); + dns_name_format(qname, qnamebuf, sizeof(qnamebuf)); dns_name_format(tname, tnamebuf, sizeof(tnamebuf)); - dns_rdatatype_format(type, typebuf, sizeof(typebuf)); + dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf)); dns_rdataclass_format(view->rdclass, classbuf, sizeof(classbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, 
@@ -6765,473 +6741,301 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname, return (ISC_R_SUCCESS); } +static isc_boolean_t +validinanswer(dns_rdataset_t *rdataset, fetchctx_t *fctx) { + if (rdataset->type == dns_rdatatype_nsec3) { + /* + * NSEC3 records are not allowed to + * appear in the answer section. + */ + log_formerr(fctx, "NSEC3 in answer"); + return (ISC_FALSE); + } + if (rdataset->type == dns_rdatatype_tkey) { + /* + * TKEY is not a valid record in a + * response to any query we can make. + */ + log_formerr(fctx, "TKEY in answer"); + return (ISC_FALSE); + } + if (rdataset->rdclass != fctx->res->rdclass) { + log_formerr(fctx, "Mismatched class in answer"); + return (ISC_FALSE); + } + return (ISC_TRUE); +} + static isc_result_t answer_response(fetchctx_t *fctx) { isc_result_t result; - dns_message_t *message; - dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; - dns_name_t *cname = NULL, *lastcname = NULL; - dns_rdataset_t *rdataset, *ns_rdataset; - isc_boolean_t done, external, aa, found, want_chaining; - isc_boolean_t have_answer, found_cname, found_dname, found_type; - isc_boolean_t wanted_chaining; - unsigned int aflag, chaining; + dns_message_t *message = NULL; + dns_name_t *name = NULL, *qname = NULL, *ns_name = NULL; + dns_name_t *aname = NULL, *cname = NULL, *dname = NULL; + dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; + dns_rdataset_t *ardataset = NULL, *crdataset = NULL; + dns_rdataset_t *drdataset = NULL, *ns_rdataset = NULL; + isc_boolean_t done = ISC_FALSE, aa; + unsigned int dname_labels, domain_labels; + isc_boolean_t chaining = ISC_FALSE; dns_rdatatype_t type; - dns_fixedname_t fdname, fqname; - dns_view_t *view; + dns_view_t *view = NULL; + dns_trust_t trust; + + REQUIRE(VALID_FCTX(fctx)); FCTXTRACE("answer_response"); message = fctx->rmessage; + qname = &fctx->name; + view = fctx->res->view; + type = fctx->type; /* - * Examine the answer section, marking those rdatasets which are - * part of the answer and should be 
cached. + * There can be multiple RRSIG and SIG records at a name so + * we treat these types as a subset of ANY. */ + if (type == dns_rdatatype_rrsig || type == dns_rdatatype_sig) { + type = dns_rdatatype_any; + } - done = ISC_FALSE; - found_cname = ISC_FALSE; - found_dname = ISC_FALSE; - found_type = ISC_FALSE; - have_answer = ISC_FALSE; - want_chaining = ISC_FALSE; - chaining = 0; - POST(want_chaining); - if ((message->flags & DNS_MESSAGEFLAG_AA) != 0) - aa = ISC_TRUE; - else - aa = ISC_FALSE; - qname = &fctx->name; - type = fctx->type; - view = fctx->res->view; - result = dns_message_firstname(message, DNS_SECTION_ANSWER); - while (!done && result == ISC_R_SUCCESS) { - dns_namereln_t namereln, lastreln; - int order, lastorder; - unsigned int nlabels, lastnlabels; + /* + * Bigger than any valid DNAME label count. + */ + dname_labels = dns_name_countlabels(qname); + domain_labels = dns_name_countlabels(&fctx->domain); + + /* + * Perform a single pass looking for the answer, cname or covering + * dname. + */ + for (result = dns_message_firstname(message, DNS_SECTION_ANSWER); + result == ISC_R_SUCCESS; + result = dns_message_nextname(message, DNS_SECTION_ANSWER)) + { + int order; + unsigned int nlabels; + dns_namereln_t namereln; name = NULL; dns_message_currentname(message, DNS_SECTION_ANSWER, &name); - external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); namereln = dns_name_fullcompare(qname, name, &order, &nlabels); - - if (namereln == dns_namereln_equal) { - wanted_chaining = ISC_FALSE; - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; - rdataset = ISC_LIST_NEXT(rdataset, link)) { - found = ISC_FALSE; - want_chaining = ISC_FALSE; - aflag = 0; - if (rdataset->type == dns_rdatatype_nsec3) { - /* - * NSEC3 records are not allowed to - * appear in the answer section. 
- */ - log_formerr(fctx, "NSEC3 in answer"); - return (DNS_R_FORMERR); - } - if (rdataset->type == dns_rdatatype_tkey) { - /* - * TKEY is not a valid record in a - * response to any query we can make. - */ - log_formerr(fctx, "TKEY in answer"); - return (DNS_R_FORMERR); - } - if (rdataset->rdclass != fctx->res->rdclass) { - log_formerr(fctx, "Mismatched class " - "in answer"); - return (DNS_R_FORMERR); - } - - /* - * Apply filters, if given, on answers to reject - * a malicious attempt of rebinding. - */ - if ((rdataset->type == dns_rdatatype_a || - rdataset->type == dns_rdatatype_aaaa) && - !is_answeraddress_allowed(view, name, - rdataset)) { - return (DNS_R_SERVFAIL); - } - - if (rdataset->type == type && !found_cname) { - /* - * We've found an ordinary answer. - */ - found = ISC_TRUE; - found_type = ISC_TRUE; - done = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWER; - } else if (type == dns_rdatatype_any) { - /* - * We've found an answer matching - * an ANY query. There may be - * more. - */ - found = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWER; - } else if (rdataset->type == dns_rdatatype_rrsig - && rdataset->covers == type - && !found_cname) { - /* - * We've found a signature that - * covers the type we're looking for. - */ - found = ISC_TRUE; - found_type = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWERSIG; - } else if (rdataset->type == - dns_rdatatype_cname - && !found_type) { - /* - * We're looking for something else, - * but we found a CNAME. - * - * Getting a CNAME response for some - * query types is an error, see - * RFC 4035, Section 2.5. 
- */ - if (type == dns_rdatatype_rrsig || - type == dns_rdatatype_key || - type == dns_rdatatype_nsec) { - char buf[DNS_RDATATYPE_FORMATSIZE]; - dns_rdatatype_format(fctx->type, - buf, sizeof(buf)); - log_formerr(fctx, - "CNAME response " - "for %s RR", buf); - return (DNS_R_FORMERR); - } - found = ISC_TRUE; - found_cname = ISC_TRUE; - want_chaining = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWER; - result = cname_target(rdataset, - &tname); - if (result != ISC_R_SUCCESS) - return (result); - /* Apply filters on the target name. */ - if (!is_answertarget_allowed(view, - name, - rdataset->type, - &tname, - &fctx->domain)) { - return (DNS_R_SERVFAIL); - } - lastcname = name; - } else if (rdataset->type == dns_rdatatype_rrsig - && rdataset->covers == - dns_rdatatype_cname - && !found_type) { - /* - * We're looking for something else, - * but we found a SIG CNAME. - */ - found = ISC_TRUE; - found_cname = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWERSIG; - } - - if (found) { - /* - * We've found an answer to our - * question. - */ - name->attributes |= - DNS_NAMEATTR_CACHE; - rdataset->attributes |= - DNS_RDATASETATTR_CACHE; - rdataset->trust = dns_trust_answer; - if (chaining == 0) { - /* - * This data is "the" answer - * to our question only if - * we're not chaining (i.e. - * if we haven't followed - * a CNAME or DNAME). - */ - INSIST(!external); - /* - * Don't use found_cname here - * as we have just set it - * above. - */ - if (cname == NULL && - !found_dname && - aflag == - DNS_RDATASETATTR_ANSWER) - { - have_answer = ISC_TRUE; - if (found_cname && - cname == NULL) - cname = name; - name->attributes |= - DNS_NAMEATTR_ANSWER; - } - rdataset->attributes |= aflag; - if (aa) - rdataset->trust = - dns_trust_authanswer; - } else if (external) { - /* - * This data is outside of - * our query domain, and - * may not be cached. - */ - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; - } - - /* - * Mark any additional data related - * to this rdataset. 
- */ - (void)dns_rdataset_additionaldata( - rdataset, - check_related, - fctx); - - /* - * CNAME chaining. - */ - if (want_chaining) { - wanted_chaining = ISC_TRUE; - name->attributes |= - DNS_NAMEATTR_CHAINING; - rdataset->attributes |= - DNS_RDATASETATTR_CHAINING; - qname = &tname; - } - } - /* - * We could add an "else" clause here and - * log that we're ignoring this rdataset. - */ - } - /* - * If wanted_chaining is true, we've done - * some chaining as the result of processing - * this node, and thus we need to set - * chaining to true. - * - * We don't set chaining inside of the - * rdataset loop because doing that would - * cause us to ignore the signatures of - * CNAMEs. - */ - if (wanted_chaining && chaining < 2U) - chaining++; - } else { - dns_rdataset_t *dnameset = NULL; - isc_boolean_t synthcname = ISC_FALSE; - - if (lastcname != NULL) { - lastreln = dns_name_fullcompare(lastcname, - name, - &lastorder, - &lastnlabels); - if (lastreln == dns_namereln_subdomain && - lastnlabels == dns_name_countlabels(name)) - synthcname = ISC_TRUE; - } - - /* - * Look for a DNAME (or its SIG). Anything else is - * ignored. - */ - wanted_chaining = ISC_FALSE; + switch (namereln) { + case dns_namereln_equal: for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { - if (rdataset->rdclass != fctx->res->rdclass) { - log_formerr(fctx, "Mismatched class " - "in answer"); - return (DNS_R_FORMERR); + if (rdataset->type == type || + type == dns_rdatatype_any) + { + aname = name; + if (type != dns_rdatatype_any) { + ardataset = rdataset; + } + break; } + if (rdataset->type == dns_rdatatype_cname) { + cname = name; + crdataset = rdataset; + break; + } + } + break; - /* - * Only pass DNAME or RRSIG(DNAME). 
- */ - if (rdataset->type != dns_rdatatype_dname && - (rdataset->type != dns_rdatatype_rrsig || - rdataset->covers != dns_rdatatype_dname)) + case dns_namereln_subdomain: + /* + * In-scope DNAME records must have at least + * as many labels as the domain being queried. + * They also must be less that qname's labels + * and any previously found dname. + */ + if (nlabels >= dname_labels || nlabels < domain_labels) + { + continue; + } + + /* + * We are looking for the shortest DNAME if there + * are multiple ones (which there shouldn't be). + */ + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) + { + if (rdataset->type != dns_rdatatype_dname) { continue; - - /* - * If we're not chaining, then the DNAME and - * its signature should not be external. - */ - if (chaining == 0 && external) { - char qbuf[DNS_NAME_FORMATSIZE]; - char obuf[DNS_NAME_FORMATSIZE]; - - dns_name_format(name, qbuf, - sizeof(qbuf)); - dns_name_format(&fctx->domain, obuf, - sizeof(obuf)); - log_formerr(fctx, "external DNAME or " - "RRSIG covering DNAME " - "in answer: %s is " - "not in %s", qbuf, obuf); - return (DNS_R_FORMERR); - } - - /* - * If DNAME + synthetic CNAME then the - * namereln is dns_namereln_subdomain. 
- */ - if (namereln != dns_namereln_subdomain && - !synthcname) - { - char qbuf[DNS_NAME_FORMATSIZE]; - char obuf[DNS_NAME_FORMATSIZE]; - - dns_name_format(qname, qbuf, - sizeof(qbuf)); - dns_name_format(name, obuf, - sizeof(obuf)); - log_formerr(fctx, "unrelated DNAME " - "in answer: %s is " - "not in %s", qbuf, obuf); - return (DNS_R_FORMERR); - } - - aflag = 0; - if (rdataset->type == dns_rdatatype_dname) { - want_chaining = ISC_TRUE; - POST(want_chaining); - aflag = DNS_RDATASETATTR_ANSWER; - dns_fixedname_init(&fdname); - dname = dns_fixedname_name(&fdname); - if (synthcname) { - result = fromdname(rdataset, - lastcname, - lastnlabels, - qname); - } else { - result = dname_target(rdataset, - qname, - nlabels, - dname); - } - if (result == ISC_R_NOSPACE) { - /* - * We can't construct the - * DNAME target. Do not - * try to continue. - */ - want_chaining = ISC_FALSE; - POST(want_chaining); - } else if (result != ISC_R_SUCCESS) - return (result); - else - dnameset = rdataset; - - if (!synthcname && - !is_answertarget_allowed(view, - qname, rdataset->type, - dname, &fctx->domain)) - { - return (DNS_R_SERVFAIL); - } - } else { - /* - * We've found a signature that - * covers the DNAME. - */ - aflag = DNS_RDATASETATTR_ANSWERSIG; - } - - /* - * We've found an answer to our - * question. - */ - name->attributes |= DNS_NAMEATTR_CACHE; - rdataset->attributes |= DNS_RDATASETATTR_CACHE; - rdataset->trust = dns_trust_answer; - /* - * If we are not chaining or the first CNAME - * is a synthesised CNAME before the DNAME. - */ - if ((chaining == 0) || - (chaining == 1U && synthcname)) - { - /* - * This data is "the" answer to - * our question only if we're - * not chaining. 
- */ - INSIST(!external); - if (aflag == DNS_RDATASETATTR_ANSWER) { - have_answer = ISC_TRUE; - found_dname = ISC_TRUE; - if (cname != NULL && - synthcname) - { - cname->attributes &= - ~DNS_NAMEATTR_ANSWER; - } - name->attributes |= - DNS_NAMEATTR_ANSWER; - } - rdataset->attributes |= aflag; - if (aa) - rdataset->trust = - dns_trust_authanswer; - } else if (external) { - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; } + dname = name; + drdataset = rdataset; + dname_labels = nlabels; + break; } - - /* - * DNAME chaining. - */ - if (dnameset != NULL) { - if (!synthcname) { - /* - * Copy the dname into the qname fixed - * name. - * - * Although we check for failure of the - * copy operation, in practice it - * should never fail since we already - * know that the result fits in a - * fixedname. - */ - dns_fixedname_init(&fqname); - qname = dns_fixedname_name(&fqname); - result = dns_name_copy(dname, qname, - NULL); - if (result != ISC_R_SUCCESS) - return (result); - } - wanted_chaining = ISC_TRUE; - name->attributes |= DNS_NAMEATTR_CHAINING; - dnameset->attributes |= - DNS_RDATASETATTR_CHAINING; - } - /* - * Ensure that we can't ever get chaining == 1 - * above if we have processed a DNAME. - */ - if (wanted_chaining && chaining < 2U) - chaining += 2; + break; + default: + break; } - result = dns_message_nextname(message, DNS_SECTION_ANSWER); } - if (result == ISC_R_NOMORE) - result = ISC_R_SUCCESS; - if (result != ISC_R_SUCCESS) - return (result); - /* - * We should have found an answer. - */ - if (!have_answer) { + if (dname != NULL) { + aname = NULL; + ardataset = NULL; + cname = NULL; + crdataset = NULL; + } else if (aname != NULL) { + cname = NULL; + crdataset = NULL; + } + + aa = ISC_TF((message->flags & DNS_MESSAGEFLAG_AA) != 0); + trust = aa ? 
dns_trust_authanswer : dns_trust_answer; + + if (aname != NULL && type == dns_rdatatype_any) { + for (rdataset = ISC_LIST_HEAD(aname->list); + rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) + { + if (!validinanswer(rdataset, fctx)) { + return (DNS_R_FORMERR); + } + if ((fctx->type == dns_rdatatype_sig || + fctx->type == dns_rdatatype_rrsig) && + rdataset->type != fctx->type) + { + continue; + } + if ((rdataset->type == dns_rdatatype_a || + rdataset->type == dns_rdatatype_aaaa) && + !is_answeraddress_allowed(view, aname, rdataset)) + { + return (DNS_R_SERVFAIL); + } + if ((rdataset->type == dns_rdatatype_cname || + rdataset->type == dns_rdatatype_dname) && + !is_answertarget_allowed(fctx, qname, aname, + rdataset, NULL)) + { + return (DNS_R_SERVFAIL); + } + aname->attributes |= DNS_NAMEATTR_CACHE; + aname->attributes |= DNS_NAMEATTR_ANSWER; + rdataset->attributes |= DNS_RDATASETATTR_ANSWER; + rdataset->attributes |= DNS_RDATASETATTR_CACHE; + rdataset->trust = trust; + (void)dns_rdataset_additionaldata(rdataset, + check_related, + fctx); + } + } else if (aname != NULL) { + if (!validinanswer(ardataset, fctx)) + return (DNS_R_FORMERR); + if ((ardataset->type == dns_rdatatype_a || + ardataset->type == dns_rdatatype_aaaa) && + !is_answeraddress_allowed(view, aname, ardataset)) { + return (DNS_R_SERVFAIL); + } + if ((ardataset->type == dns_rdatatype_cname || + ardataset->type == dns_rdatatype_dname) && + !is_answertarget_allowed(fctx, qname, aname, ardataset, + NULL)) + { + return (DNS_R_SERVFAIL); + } + aname->attributes |= DNS_NAMEATTR_CACHE; + aname->attributes |= DNS_NAMEATTR_ANSWER; + ardataset->attributes |= DNS_RDATASETATTR_ANSWER; + ardataset->attributes |= DNS_RDATASETATTR_CACHE; + ardataset->trust = trust; + (void)dns_rdataset_additionaldata(ardataset, check_related, + fctx); + for (sigrdataset = ISC_LIST_HEAD(aname->list); + sigrdataset != NULL; + sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { + if (!validinanswer(sigrdataset, fctx)) + return 
(DNS_R_FORMERR); + if (sigrdataset->type != dns_rdatatype_rrsig || + sigrdataset->covers != type) + continue; + sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG; + sigrdataset->attributes |= DNS_RDATASETATTR_CACHE; + sigrdataset->trust = trust; + break; + } + } else if (cname != NULL) { + if (!validinanswer(crdataset, fctx)) { + return (DNS_R_FORMERR); + } + if (type == dns_rdatatype_rrsig || type == dns_rdatatype_key || + type == dns_rdatatype_nsec) + { + char buf[DNS_RDATATYPE_FORMATSIZE]; + dns_rdatatype_format(type, buf, sizeof(buf)); + log_formerr(fctx, "CNAME response for %s RR", buf); + return (DNS_R_FORMERR); + } + if (!is_answertarget_allowed(fctx, qname, cname, crdataset, + NULL)) + { + return (DNS_R_SERVFAIL); + } + cname->attributes |= DNS_NAMEATTR_CACHE; + cname->attributes |= DNS_NAMEATTR_ANSWER; + cname->attributes |= DNS_NAMEATTR_CHAINING; + crdataset->attributes |= DNS_RDATASETATTR_ANSWER; + crdataset->attributes |= DNS_RDATASETATTR_CACHE; + crdataset->attributes |= DNS_RDATASETATTR_CHAINING; + crdataset->trust = trust; + for (sigrdataset = ISC_LIST_HEAD(cname->list); + sigrdataset != NULL; + sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) + { + if (!validinanswer(sigrdataset, fctx)) { + return (DNS_R_FORMERR); + } + if (sigrdataset->type != dns_rdatatype_rrsig || + sigrdataset->covers != dns_rdatatype_cname) + { + continue; + } + sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG; + sigrdataset->attributes |= DNS_RDATASETATTR_CACHE; + sigrdataset->trust = trust; + break; + } + chaining = ISC_TRUE; + } else if (dname != NULL) { + if (!validinanswer(drdataset, fctx)) { + return (DNS_R_FORMERR); + } + if (!is_answertarget_allowed(fctx, qname, dname, drdataset, + &chaining)) { + return (DNS_R_SERVFAIL); + } + dname->attributes |= DNS_NAMEATTR_CACHE; + dname->attributes |= DNS_NAMEATTR_ANSWER; + dname->attributes |= DNS_NAMEATTR_CHAINING; + drdataset->attributes |= DNS_RDATASETATTR_ANSWER; + drdataset->attributes |= DNS_RDATASETATTR_CACHE; + 
drdataset->attributes |= DNS_RDATASETATTR_CHAINING; + drdataset->trust = trust; + for (sigrdataset = ISC_LIST_HEAD(dname->list); + sigrdataset != NULL; + sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) + { + if (!validinanswer(sigrdataset, fctx)) { + return (DNS_R_FORMERR); + } + if (sigrdataset->type != dns_rdatatype_rrsig || + sigrdataset->covers != dns_rdatatype_dname) + { + continue; + } + sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG; + sigrdataset->attributes |= DNS_RDATASETATTR_CACHE; + sigrdataset->trust = trust; + break; + } + } else { log_formerr(fctx, "reply has no answer"); return (DNS_R_FORMERR); } @@ -7244,14 +7048,8 @@ answer_response(fetchctx_t *fctx) { /* * Did chaining end before we got the final answer? */ - if (chaining != 0) { - /* - * Yes. This may be a negative reply, so hand off - * authority section processing to the noanswer code. - * If it isn't a noanswer response, no harm will be - * done. - */ - return (noanswer_response(fctx, qname, 0)); + if (chaining) { + return (ISC_R_SUCCESS); } /* @@ -7270,11 +7068,9 @@ answer_response(fetchctx_t *fctx) { * We expect there to be only one owner name for all the rdatasets * in this section, and we expect that it is not external. */ - done = ISC_FALSE; - ns_name = NULL; - ns_rdataset = NULL; result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); while (!done && result == ISC_R_SUCCESS) { + isc_boolean_t external; name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); @@ -7293,12 +7089,13 @@ answer_response(fetchctx_t *fctx) { DNS_NAMEATTR_CACHE; rdataset->attributes |= DNS_RDATASETATTR_CACHE; - if (aa && chaining == 0) + if (aa && !chaining) { rdataset->trust = dns_trust_authauthority; - else + } else { rdataset->trust = dns_trust_additional; + } if (rdataset->type == dns_rdatatype_ns) { 
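Review bot: For RRSIG and SIG queries `type` is remapped to ANY near the top of the new answer_response(), so the `dns_namereln_equal` loop accepts the first rdataset at qname as `aname`, yet the `type == dns_rdatatype_any` marking loop then `continue`s past every rdataset whose type is not `fctx->type`; a reply carrying only non-RRSIG records at qname therefore marks nothing as an answer and goes on to the authority section instead of reaching `log_formerr(fctx, "reply has no answer")`. The same remap makes the `type == dns_rdatatype_rrsig` comparison in the `cname != NULL` branch unreachable, so the "CNAME response for RRSIG RR" FORMERR the old code raised can no longer occur; that test and the `dns_rdatatype_format` beside it should use `fctx->type`. A found-flag in the ANY loop restores the no-answer rejection; answer_response() continues past the end of this hunk.
```c
	if (aname != NULL && type == dns_rdatatype_any) {
		isc_boolean_t found = ISC_FALSE;
		for (rdataset = ISC_LIST_HEAD(aname->list);
		     rdataset != NULL;
		     rdataset = ISC_LIST_NEXT(rdataset, link))
		{
			/* … unchanged: validinanswer(), fctx->type filter, address/target checks … */
			found = ISC_TRUE;
			/* … unchanged: attribute, trust and additional-data marking … */
		}
		if (!found) {
			log_formerr(fctx, "reply has no answer");
			return (DNS_R_FORMERR);
		}
	} else if (aname != NULL) {
```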
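Review bot: The comment `Did chaining end before we got the final answer?` above the new `if (chaining)` no longer describes the code: the removed branch handed a possibly negative reply to noanswer_response(), the new one returns ISC_R_SUCCESS without examining the authority section, so a chain that ends in a negative answer inside the same reply is presumably no longer negatively cached from that reply. Replace the comment with one that states the new contract, e.g. `/* A CNAME or DNAME was marked as the answer above; the authority section is not processed for chained replies. */`.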
@@ -8099,6 +7896,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
* Is the remote server broken, or does it dislike us?
*/
if (message->rcode != dns_rcode_noerror &&
+ message->rcode != dns_rcode_yxdomain &&
message->rcode != dns_rcode_nxdomain) {
isc_buffer_t b;
char code[64];
@@ -8163,13 +7961,6 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
log_formerr(fctx, "server sent FORMERR");
result = DNS_R_FORMERR;
}
- } else if (message->rcode == dns_rcode_yxdomain) {
- /*
- * DNAME mapping failed because the new name
- * was too long. There's no chance of success
- * for this fetch.
- */
- result = DNS_R_YXDOMAIN;
} else if (message->rcode == dns_rcode_badvers) {
unsigned int flags, mask;
unsigned int version;
@@ -8328,6 +8119,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
*/
if (message->counts[DNS_SECTION_ANSWER] > 0 &&
(message->rcode == dns_rcode_noerror ||
+ message->rcode == dns_rcode_yxdomain ||
message->rcode == dns_rcode_nxdomain)) {
/*
* [normal case]
diff --git a/external/bsd/bind/dist/lib/isc/include/isc/lex.h b/external/bsd/bind/dist/lib/isc/include/isc/lex.h
index 170db054dfa4..a2d67373b044 100644
--- a/external/bsd/bind/dist/lib/isc/include/isc/lex.h
+++ b/external/bsd/bind/dist/lib/isc/include/isc/lex.h
@@ -1,4 +1,4 @@
-/* $NetBSD: lex.h,v 1.4 2014/12/10 04:38:00 christos Exp $ */
+/* $NetBSD: lex.h,v 1.5 2017/04/13 19:11:20 christos Exp $ */
/*
* Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
@@ -154,8 +154,6 @@ isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp);
* Requires:
*\li '*lexp' is a valid lexer.
*
- *\li max_token > 0.
- *
* Ensures:
*\li On success, *lexp is attached to the newly created lexer.
*
diff --git a/external/bsd/bind/dist/lib/isc/lex.c b/external/bsd/bind/dist/lib/isc/lex.c
index f90e100f9969..8c57012824ef 100644
--- a/external/bsd/bind/dist/lib/isc/lex.c
+++ b/external/bsd/bind/dist/lib/isc/lex.c
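Review bot: Adding `dns_rcode_yxdomain` to the two rcode tests while the middle hunk deletes the only explicit `result = DNS_R_YXDOMAIN` mapping leaves no comment saying why YXDOMAIN is now handled as a normal reply, and a YXDOMAIN reply with an empty answer section will presumably take the non-answer path that lies outside these hunks. Add above the first test `/* YXDOMAIN accompanies a DNAME whose synthesized name is too long (RFC 6672); process its answer section like NOERROR and let target construction report the length problem. */`, and confirm that the non-answer path treats a YXDOMAIN reply with no answer records as intended. resquery_response() extends well beyond these hunks.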
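Review bot: Dropping the `max_token > 0` requirement from the isc_lex_create() comment leaves the header silent on what a zero value now means, while the lex.c section that follows substitutes 1 for it. State the new behaviour where the requirement used to be, e.g. `*\li A 'max_token' of 0 is treated as 1.`, so callers passing 0 can see that the call is accepted rather than rejected by a precondition.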
@@ -1,4 +1,4 @@
-/* $NetBSD: lex.c,v 1.7 2015/12/17 04:00:45 christos Exp $ */
+/* $NetBSD: lex.c,v 1.8 2017/04/13 19:11:20 christos Exp $ */
/*
* Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC")
@@ -96,9 +96,10 @@ isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp) {
/*
* Create a lexer.
*/
- REQUIRE(lexp != NULL && *lexp == NULL);
- REQUIRE(max_token > 0U);
+
+ if (max_token == 0U)
+ max_token = 1;
lex = isc_mem_get(mctx, sizeof(*lex));
if (lex == NULL)
diff --git a/external/bsd/bind/dist/srcid b/external/bsd/bind/dist/srcid
index 4fa48e1dfeae..885322003134 100644
--- a/external/bsd/bind/dist/srcid
+++ b/external/bsd/bind/dist/srcid
@@ -1 +1 @@
-SRCID=a6837d0
+SRCID=9f5232e
diff --git a/external/bsd/bind/dist/version b/external/bsd/bind/dist/version
index 03dc7ed29e1b..1964d308efd2 100644
--- a/external/bsd/bind/dist/version
+++ b/external/bsd/bind/dist/version
@@ -7,5 +7,5 @@ MAJORVER=9
MINORVER=10
PATCHVER=4
RELEASETYPE=-P
-RELEASEVER=6
+RELEASEVER=8
EXTENSIONS=
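Review bot: The isc_lex_create() hunk removes `REQUIRE(lexp != NULL && *lexp == NULL);` together with `REQUIRE(max_token > 0U);` and adds only the `max_token == 0U` substitution, and the 9-to-10 line counts in the hunk header match that reading, so the `*lexp == NULL` precondition that the lex.h comment still advertises is no longer enforced; if the collapsed rendering has not simply hidden a re-added line, restore `REQUIRE(lexp != NULL && *lexp == NULL);` ahead of the new check. The substitution also deserves a one-line comment, e.g. `/* Treat a zero max_token as 1 rather than rejecting it. */`. isc_lex_create() continues past the end of this hunk.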