diff options
| author | dougb <dougb@FreeBSD.org> | 2011-02-06 22:46:07 +0000 |
|---|---|---|
| committer | dougb <dougb@FreeBSD.org> | 2011-02-06 22:46:07 +0000 |
| commit | 31eda3d2ca1e9ed626d5939e944ccfbf3544cc85 (patch) | |
| tree | 29f19579e118cac909f58ae061a7319418f2e0ed /contrib/bind9/lib/dns/validator.c | |
| parent | 3364c35469daaa167b9e79a0d6e1983ed75c616e (diff) | |
| parent | 8287cb3f73a2d36684fdf69f4009f28e17dd3800 (diff) | |
| download | FreeBSD-src-31eda3d2ca1e9ed626d5939e944ccfbf3544cc85.zip FreeBSD-src-31eda3d2ca1e9ed626d5939e944ccfbf3544cc85.tar.gz | |
Update to BIND 9.6.3, the latest from ISC on the 9.6 branch.
All 9.6 users with DNSSEC validation enabled should upgrade to this
version, or the latest version in the 9.7 branch, prior to 2011-03-31
in order to avoid validation failures for names in .COM as described
here:
https://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record
In addition the fixes for this and other bugs, there are also the
following:
* Various fixes to kerberos support, including GSS-TSIG
* Various fixes to avoid leaking memory, and to problems that could
prevent a clean shutdown of named
Diffstat (limited to 'contrib/bind9/lib/dns/validator.c')
| -rw-r--r-- | contrib/bind9/lib/dns/validator.c | 74 |
1 files changed, 45 insertions, 29 deletions
diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c index fc6f454..054c5a6 100644 --- a/contrib/bind9/lib/dns/validator.c +++ b/contrib/bind9/lib/dns/validator.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.164.12.11.10.7 2010/11/16 01:48:32 marka Exp $ */ +/* $Id: validator.c,v 1.164.12.23 2010-11-16 02:23:44 marka Exp $ */ #include <config.h> @@ -2135,7 +2135,7 @@ dlv_validatezonekey(dns_validator_t *val) { &sigrdata); result = dns_rdata_tostruct(&sigrdata, &sig, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); - if (dlv.key_tag != sig.keyid && + if (dlv.key_tag != sig.keyid || dlv.algorithm != sig.algorithm) continue; dstkey = NULL; @@ -2218,6 +2218,17 @@ validatezonekey(dns_validator_t *val) { return (dlv_validatezonekey(val)); if (val->dsset == NULL) { + + /* + * We have a dlv sep. Skip looking up the SEP from + * {trusted,managed}-keys. If the dlv sep is for the + * root then it will have been handled above so we don't + * need to check whether val->event->name is "." prior to + * looking up the DS. + */ + if (val->havedlvsep) + goto find_ds; + /* * First, see if this key was signed by a trusted key. */ @@ -2250,13 +2261,13 @@ validatezonekey(dns_validator_t *val) { val->event->name, found) != ISC_R_SUCCESS) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, - "must be secure failure, " - "not beneath secure root"); + "must be secure failure, " + "not beneath secure root"); return (DNS_R_MUSTBESECURE); } else validator_log(val, ISC_LOG_DEBUG(3), - "not beneath secure root"); - if (val->view->dlv == NULL || DLVTRIED(val)) { + "not beneath secure root"); + if (val->view->dlv == NULL) { markanswer(val, "validatezonekey (1)"); return (ISC_R_SUCCESS); } @@ -2292,17 +2303,6 @@ validatezonekey(dns_validator_t *val) { } } - /* - * If this is the root name and there was no trusted key, - * give up, since there's no DS at the root. - */ - if (dns_name_equal(event->name, dns_rootname)) { - if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) - return (DNS_R_NOVALIDSIG); - else - return (DNS_R_NOVALIDDS); - } - if (atsep) { /* * We have not found a key to verify this DNSKEY @@ -2323,6 +2323,22 @@ validatezonekey(dns_validator_t *val) { } /* + * If this is the root name and there was no trusted key, + * give up, since there's no DS at the root. + */ + if (dns_name_equal(event->name, dns_rootname)) { + if ((val->attributes & VALATTR_TRIEDVERIFY) != 0) { + validator_log(val, ISC_LOG_DEBUG(3), + "root key failed to validate"); + return (DNS_R_NOVALIDSIG); + } else { + validator_log(val, ISC_LOG_DEBUG(3), + "no trusted root key"); + return (DNS_R_NOVALIDDS); + } + } + find_ds: + /* * Otherwise, try to find the DS record. */ result = view_find(val, val->event->name, dns_rdatatype_ds); @@ -4038,19 +4054,19 @@ dns_validator_cancel(dns_validator_t *validator) { validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel"); - if (validator->event != NULL) { - if (validator->fetch != NULL) - dns_resolver_cancelfetch(validator->fetch); - - if (validator->subvalidator != NULL) - dns_validator_cancel(validator->subvalidator); - if ((validator->options & DNS_VALIDATOR_DEFER) != 0) { - isc_task_t *task = validator->event->ev_sender; - validator->options &= ~DNS_VALIDATOR_DEFER; - isc_event_free((isc_event_t **)&validator->event); - isc_task_detach(&task); - } + if ((validator->attributes & VALATTR_CANCELED) == 0) { validator->attributes |= VALATTR_CANCELED; + if (validator->event != NULL) { + if (validator->fetch != NULL) + dns_resolver_cancelfetch(validator->fetch); + + if (validator->subvalidator != NULL) + dns_validator_cancel(validator->subvalidator); + if ((validator->options & DNS_VALIDATOR_DEFER) != 0) { + validator->options &= ~DNS_VALIDATOR_DEFER; + validator_done(validator, ISC_R_CANCELED); + } + } } UNLOCK(&validator->lock); } |
