Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
bind
bind-CVE-2021-25220.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File bind-CVE-2021-25220.patch of Package bind
Index: bind-9.9.9-P1/bin/named/include/named/query.h =================================================================== --- bind-9.9.9-P1.orig/bin/named/include/named/query.h +++ bind-9.9.9-P1/bin/named/include/named/query.h @@ -66,6 +66,19 @@ struct ns_query { unsigned int dns64_aaaaoklen; unsigned int dns64_options; unsigned int dns64_ttl; + struct { + dns_db_t * db; + dns_zone_t * zone; + dns_dbnode_t * node; + dns_rdatatype_t qtype; + dns_name_t * fname; + dns_fixedname_t fixed; + isc_result_t result; + dns_rdataset_t * rdataset; + dns_rdataset_t * sigrdataset; + isc_boolean_t authoritative; + isc_boolean_t is_zone; + } redirect; }; #define NS_QUERYATTR_RECURSIONOK 0x0001 Index: bind-9.9.9-P1/bin/named/query.c =================================================================== --- bind-9.9.9-P1.orig/bin/named/query.c +++ bind-9.9.9-P1/bin/named/query.c @@ -661,6 +661,17 @@ ns_query_init(ns_client_t *client) { client->query.dns64_sigaaaa = NULL; client->query.dns64_aaaaok = NULL; client->query.dns64_aaaaoklen = 0; + client->query.redirect.db = NULL; + client->query.redirect.node = NULL; + client->query.redirect.zone = NULL; + client->query.redirect.qtype = dns_rdatatype_none; + client->query.redirect.result = ISC_R_SUCCESS; + client->query.redirect.rdataset = NULL; + client->query.redirect.sigrdataset = NULL; + client->query.redirect.authoritative = isc_boolean_false; + client->query.redirect.is_zone = isc_boolean_false; + client->query.redirect.fname = + dns_fixedname_initname(&client->query.redirect.fixed); query_reset(client, ISC_FALSE); result = query_newdbversion(client, 3); if (result != ISC_R_SUCCESS) { @@ -2676,8 +2687,7 @@ query_addsoa(ns_client_t *client, dns_db dns_fixedname_t foundname; dns_name_t *fname; - dns_fixedname_init(&foundname); - fname = dns_fixedname_name(&foundname); + fname = dns_fixedname_initname(&foundname); result = dns_db_findext(db, name, version, dns_rdatatype_soa, client->query.dboptions, 0, &node, @@ -2761,8 +2771,7 @@ query_addns(ns_client_t *client, dns_db_ name = NULL; rdataset = NULL; node = NULL; - dns_fixedname_init(&foundname); - fname = dns_fixedname_name(&foundname); + fname = dns_fixedname_initname(&foundname); dns_clientinfomethods_init(&cm, ns_client_sourceip); dns_clientinfo_init(&ci, client); @@ -3492,8 +3501,7 @@ query_addwildcardproof(ns_client_t *clie * wild *.example */ options = client->query.dboptions | DNS_DBFIND_NOWILD; - dns_fixedname_init(&wfixed); - wname = dns_fixedname_name(&wfixed); + wname = dns_fixedname_initname(&wfixed); again: have_wname = ISC_FALSE; /* @@ -3518,8 +3526,7 @@ query_addwildcardproof(ns_client_t *clie /* * No NSEC proof available, return NSEC3 proofs instead. */ - dns_fixedname_init(&cfixed); - cname = dns_fixedname_name(&cfixed); + cname = dns_fixedname_initname(&cfixed); /* * Find the closest encloser. */ @@ -4097,8 +4104,7 @@ rpz_rrset_find(ns_client_t *client, dns_ } node = NULL; - dns_fixedname_init(&fixed); - found = dns_fixedname_name(&fixed); + found = dns_fixedname_initname(&fixed); result = dns_db_findext(*dbp, name, version, type, DNS_DBFIND_GLUEOK, client->now, &node, found, &cm, &ci, *rdatasetp, NULL); @@ -4335,8 +4341,7 @@ rpz_find(ns_client_t *client, dns_rdatat return (DNS_R_NXDOMAIN); } - dns_fixedname_init(&fixed); - found = dns_fixedname_name(&fixed); + found = dns_fixedname_initname(&fixed); result = dns_db_findext(*dbp, qnamef, *versionp, dns_rdatatype_any, 0, client->now, nodep, found, &cm, &ci, *rdatasetp, NULL); @@ -4491,15 +4496,13 @@ rpz_rewrite_name(ns_client_t *client, dn /* * Construct the policy's owner name. */ - dns_fixedname_init(&prefixf); - prefix = dns_fixedname_name(&prefixf); + prefix = dns_fixedname_initname(&prefixf); dns_name_split(qname, 1, prefix, NULL); if (rpz_type == DNS_RPZ_TYPE_NSDNAME) suffix = &rpz->nsdname; else suffix = &rpz->origin; - dns_fixedname_init(&rpz_qnamef); - rpz_qname = dns_fixedname_name(&rpz_qnamef); + rpz_qname = dns_fixedname_initname(&rpz_qnamef); for (;;) { result = dns_name_concatenate(prefix, suffix, rpz_qname, NULL); @@ -4674,12 +4677,9 @@ rpz_rewrite(ns_client_t *client, dns_rda st->m.ttl = ~0; memset(&st->r, 0, sizeof(st->r)); memset(&st->q, 0, sizeof(st->q)); - dns_fixedname_init(&st->_qnamef); - dns_fixedname_init(&st->_r_namef); - dns_fixedname_init(&st->_fnamef); - st->qname = dns_fixedname_name(&st->_qnamef); - st->r_name = dns_fixedname_name(&st->_r_namef); - st->fname = dns_fixedname_name(&st->_fnamef); + st->qname = dns_fixedname_initname(&st->_qnamef); + st->r_name = dns_fixedname_initname(&st->_r_namef); + st->fname = dns_fixedname_initname(&st->_fnamef); client->query.rpz_st = st; } @@ -4957,8 +4957,7 @@ rpz_ck_dnssec(ns_client_t *client, isc_r */ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) == 0) return (ISC_TRUE); - dns_fixedname_init(&fixed); - found = dns_fixedname_name(&fixed); + found = dns_fixedname_initname(&fixed); dns_rdataset_init(&trdataset); for (result = dns_rdataset_first(rdataset); result == ISC_R_SUCCESS; @@ -5544,8 +5543,7 @@ redirect(ns_client_t *client, dns_name_t if (client->view->redirect == NULL) return (ISC_R_NOTFOUND); - dns_fixedname_init(&fixed); - found = dns_fixedname_name(&fixed); + found = dns_fixedname_initname(&fixed); dns_rdataset_init(&trdataset); dns_clientinfomethods_init(&cm, ns_client_sourceip); @@ -6709,8 +6707,7 @@ query_find(ns_client_t *client, dns_fetc dns_name_t *found; dns_name_t *qname; - dns_fixedname_init(&fixed); - found = dns_fixedname_name(&fixed); + found = dns_fixedname_initname(&fixed); qname = client->query.qname; query_findclosestnsec3(qname, db, version, @@ -7153,8 +7150,7 @@ query_find(ns_client_t *client, dns_fetc * Construct the new qname consisting of * <found name prefix>.<dname target> */ - dns_fixedname_init(&fixed); - prefix = dns_fixedname_name(&fixed); + prefix = dns_fixedname_initname(&fixed); dns_name_split(client->query.qname, nlabels, prefix, NULL); INSIST(fname == NULL); dbuf = query_getnamebuf(client); Index: bind-9.9.9-P1/bin/named/tkeyconf.c =================================================================== --- bind-9.9.9-P1.orig/bin/named/tkeyconf.c +++ bind-9.9.9-P1/bin/named/tkeyconf.c @@ -75,8 +75,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *o n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid")); isc_buffer_constinit(&b, s, strlen(s)); isc_buffer_add(&b, strlen(s)); - dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); + name = dns_fixedname_initname(&fname); RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL)); type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_KEY; RETERR(dst_key_fromfile(name, (dns_keytag_t) n, DNS_KEYALG_DH, @@ -89,8 +88,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *o s = cfg_obj_asstring(obj); isc_buffer_constinit(&b, s, strlen(s)); isc_buffer_add(&b, strlen(s)); - dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); + name = dns_fixedname_initname(&fname); RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL)); tctx->domain = isc_mem_get(mctx, sizeof(dns_name_t)); if (tctx->domain == NULL) { @@ -108,8 +106,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *o isc_buffer_constinit(&b, s, strlen(s)); isc_buffer_add(&b, strlen(s)); - dns_fixedname_init(&fname); - name = dns_fixedname_name(&fname); + name = dns_fixedname_initname(&fname); RETERR(dns_name_fromtext(name, &b, dns_rootname, 0, NULL)); RETERR(dst_gssapi_acquirecred(name, ISC_FALSE, &tctx->gsscred)); } Index: bind-9.9.9-P1/lib/dns/forward.c =================================================================== --- bind-9.9.9-P1.orig/lib/dns/forward.c +++ bind-9.9.9-P1/lib/dns/forward.c @@ -81,12 +81,62 @@ dns_fwdtable_create(isc_mem_t *mctx, dns } isc_result_t +dns_fwdtable_addfwd(dns_fwdtable_t *fwdtable, dns_name_t *name, + dns_forwarderlist_t *fwdrs, dns_fwdpolicy_t fwdpolicy) +{ + isc_result_t result; + dns_forwarders_t *forwarders; + dns_forwarder_t *fwd, *nfwd; + + REQUIRE(VALID_FWDTABLE(fwdtable)); + + forwarders = isc_mem_get(fwdtable->mctx, sizeof(dns_forwarders_t)); + if (forwarders == NULL) + return (ISC_R_NOMEMORY); + + ISC_LIST_INIT(forwarders->fwdrs); + for (fwd = ISC_LIST_HEAD(*fwdrs); + fwd != NULL; + fwd = ISC_LIST_NEXT(fwd, link)) + { + nfwd = isc_mem_get(fwdtable->mctx, sizeof(dns_forwarder_t)); + if (nfwd == NULL) { + result = ISC_R_NOMEMORY; + goto cleanup; + } + *nfwd = *fwd; + ISC_LINK_INIT(nfwd, link); + ISC_LIST_APPEND(forwarders->fwdrs, nfwd, link); + } + forwarders->fwdpolicy = fwdpolicy; + + RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write); + result = dns_rbt_addname(fwdtable->table, name, forwarders); + RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write); + + if (result != ISC_R_SUCCESS) + goto cleanup; + + return (ISC_R_SUCCESS); + + cleanup: + while (!ISC_LIST_EMPTY(forwarders->fwdrs)) { + fwd = ISC_LIST_HEAD(forwarders->fwdrs); + ISC_LIST_UNLINK(forwarders->fwdrs, fwd, link); + isc_mem_put(fwdtable->mctx, fwd, sizeof(isc_sockaddr_t)); + } + isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t)); + return (result); +} + +isc_result_t dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name, isc_sockaddrlist_t *addrs, dns_fwdpolicy_t fwdpolicy) { isc_result_t result; dns_forwarders_t *forwarders; - isc_sockaddr_t *sa, *nsa; + dns_forwarder_t *fwd; + isc_sockaddr_t *sa; REQUIRE(VALID_FWDTABLE(fwdtable)); @@ -94,19 +144,20 @@ dns_fwdtable_add(dns_fwdtable_t *fwdtabl if (forwarders == NULL) return (ISC_R_NOMEMORY); - ISC_LIST_INIT(forwarders->addrs); + ISC_LIST_INIT(forwarders->fwdrs); for (sa = ISC_LIST_HEAD(*addrs); sa != NULL; sa = ISC_LIST_NEXT(sa, link)) { - nsa = isc_mem_get(fwdtable->mctx, sizeof(isc_sockaddr_t)); - if (nsa == NULL) { + fwd = isc_mem_get(fwdtable->mctx, sizeof(dns_forwarder_t)); + if (fwd == NULL) { result = ISC_R_NOMEMORY; goto cleanup; } - *nsa = *sa; - ISC_LINK_INIT(nsa, link); - ISC_LIST_APPEND(forwarders->addrs, nsa, link); + fwd->addr = *sa; + fwd->dscp = -1; + ISC_LINK_INIT(fwd, link); + ISC_LIST_APPEND(forwarders->fwdrs, fwd, link); } forwarders->fwdpolicy = fwdpolicy; @@ -120,10 +171,10 @@ dns_fwdtable_add(dns_fwdtable_t *fwdtabl return (ISC_R_SUCCESS); cleanup: - while (!ISC_LIST_EMPTY(forwarders->addrs)) { - sa = ISC_LIST_HEAD(forwarders->addrs); - ISC_LIST_UNLINK(forwarders->addrs, sa, link); - isc_mem_put(fwdtable->mctx, sa, sizeof(isc_sockaddr_t)); + while (!ISC_LIST_EMPTY(forwarders->fwdrs)) { + fwd = ISC_LIST_HEAD(forwarders->fwdrs); + ISC_LIST_UNLINK(forwarders->fwdrs, fwd, link); + isc_mem_put(fwdtable->mctx, fwd, sizeof(dns_forwarder_t)); } isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t)); return (result); @@ -199,14 +250,14 @@ static void auto_detach(void *data, void *arg) { dns_forwarders_t *forwarders = data; dns_fwdtable_t *fwdtable = arg; - isc_sockaddr_t *sa; + dns_forwarder_t *fwd; UNUSED(arg); - while (!ISC_LIST_EMPTY(forwarders->addrs)) { - sa = ISC_LIST_HEAD(forwarders->addrs); - ISC_LIST_UNLINK(forwarders->addrs, sa, link); - isc_mem_put(fwdtable->mctx, sa, sizeof(isc_sockaddr_t)); + while (!ISC_LIST_EMPTY(forwarders->fwdrs)) { + fwd = ISC_LIST_HEAD(forwarders->fwdrs); + ISC_LIST_UNLINK(forwarders->fwdrs, fwd, link); + isc_mem_put(fwdtable->mctx, fwd, sizeof(dns_forwarder_t)); } isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t)); } Index: bind-9.9.9-P1/lib/dns/include/dns/fixedname.h =================================================================== --- bind-9.9.9-P1.orig/lib/dns/include/dns/fixedname.h +++ bind-9.9.9-P1/lib/dns/include/dns/fixedname.h @@ -83,4 +83,10 @@ struct dns_fixedname { #define dns_fixedname_name(fn) (&((fn)->name)) +static inline dns_name_t * +dns_fixedname_initname(dns_fixedname_t *fixed) { + dns_fixedname_init(fixed); + return (dns_fixedname_name(fixed)); +} + #endif /* DNS_FIXEDNAME_H */ Index: bind-9.9.9-P1/lib/dns/include/dns/forward.h =================================================================== --- bind-9.9.9-P1.orig/lib/dns/include/dns/forward.h +++ bind-9.9.9-P1/lib/dns/include/dns/forward.h @@ -28,8 +28,16 @@ ISC_LANG_BEGINDECLS +struct dns_forwarder { + isc_sockaddr_t addr; + isc_dscp_t dscp; + ISC_LINK(dns_forwarder_t) link; +}; + +typedef ISC_LIST(struct dns_forwarder) dns_forwarderlist_t; + struct dns_forwarders { - isc_sockaddrlist_t addrs; + dns_forwarderlist_t fwdrs; dns_fwdpolicy_t fwdpolicy; }; @@ -48,17 +56,23 @@ dns_fwdtable_create(isc_mem_t *mctx, dns */ isc_result_t +dns_fwdtable_addfwd(dns_fwdtable_t *fwdtable, dns_name_t *name, + dns_forwarderlist_t *fwdrs, dns_fwdpolicy_t policy); + +isc_result_t dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name, isc_sockaddrlist_t *addrs, dns_fwdpolicy_t policy); /*%< * Adds an entry to the forwarding table. The entry associates * a domain with a list of forwarders and a forwarding policy. The - * addrs list is copied if not empty, so the caller should free its copy. + * addrs/fwdrs list is copied if not empty, so the caller should free + * its copy. * * Requires: * \li fwdtable is a valid forwarding table. * \li name is a valid name - * \li addrs is a valid list of sockaddrs, which may be empty. + * \li addrs/fwdrs is a valid list of isc_sockaddr/dns_forwarder + * structures, which may be empty. * * Returns: * \li #ISC_R_SUCCESS Index: bind-9.9.9-P1/lib/dns/include/dns/types.h =================================================================== --- bind-9.9.9-P1.orig/lib/dns/include/dns/types.h +++ bind-9.9.9-P1/lib/dns/include/dns/types.h @@ -77,6 +77,7 @@ typedef struct dns_ednsopt dns_ednsopt typedef struct dns_fetch dns_fetch_t; typedef struct dns_fixedname dns_fixedname_t; typedef struct dns_forwarders dns_forwarders_t; +typedef struct dns_forwarder dns_forwarder_t; typedef struct dns_fwdtable dns_fwdtable_t; typedef struct dns_iptable dns_iptable_t; typedef isc_uint32_t dns_iterations_t; Index: bind-9.9.9-P1/lib/dns/resolver.c =================================================================== --- bind-9.9.9-P1.orig/lib/dns/resolver.c +++ bind-9.9.9-P1/lib/dns/resolver.c @@ -61,6 +61,7 @@ #include <dns/stats.h> #include <dns/tsig.h> #include <dns/validator.h> +#include <dns/zone.h> #ifdef WANT_QUERYTRACE #define RTRACE(m) isc_log_write(dns_lctx, \ @@ -282,7 +283,7 @@ struct fetchctx { dns_adbfind_t * altfind; dns_adbaddrinfolist_t forwaddrs; dns_adbaddrinfolist_t altaddrs; - isc_sockaddrlist_t forwarders; + dns_forwarderlist_t forwarders; dns_fwdpolicy_t fwdpolicy; isc_sockaddrlist_t bad; isc_sockaddrlist_t edns; @@ -295,6 +296,8 @@ struct fetchctx { isc_boolean_t ns_ttl_ok; isc_uint32_t ns_ttl; isc_counter_t * qc; + dns_fixedname_t fwdfname; + dns_name_t *fwdname; /*% * The number of events we're waiting for. @@ -2887,7 +2890,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_ dns_resolver_t *res; isc_stdtime_t now; unsigned int stdoptions = 0; - isc_sockaddr_t *sa; + dns_forwarder_t *fwd; dns_adbaddrinfo_t *ai; isc_boolean_t all_bad; dns_rdata_ns_t ns; @@ -2931,8 +2934,8 @@ fctx_getaddresses(fetchctx_t *fctx, isc_ * selective forwarders specified in the view; otherwise use the * resolver's forwarders (if any). */ - sa = ISC_LIST_HEAD(fctx->forwarders); - if (sa == NULL) { + fwd = ISC_LIST_HEAD(fctx->forwarders); + if (fwd == NULL) { dns_forwarders_t *forwarders = NULL; dns_name_t *name = &fctx->name; dns_name_t suffix; @@ -2952,13 +2955,13 @@ fctx_getaddresses(fetchctx_t *fctx, isc_ name = &suffix; } - dns_fixedname_init(&fixed); - domain = dns_fixedname_name(&fixed); + domain = dns_fixedname_initname(&fixed); result = dns_fwdtable_find2(res->view->fwdtable, name, domain, &forwarders); if (result == ISC_R_SUCCESS) { - sa = ISC_LIST_HEAD(forwarders->addrs); + fwd = ISC_LIST_HEAD(forwarders->fwdrs); fctx->fwdpolicy = forwarders->fwdpolicy; + dns_name_copy(domain, fctx->fwdname, NULL); if (fctx->fwdpolicy == dns_fwdpolicy_only && isstrictsubdomain(domain, &fctx->domain)) { #ifdef ENABLE_FETCHLIMIT @@ -2981,17 +2984,16 @@ fctx_getaddresses(fetchctx_t *fctx, isc_ } } - while (sa != NULL) { - if ((isc_sockaddr_pf(sa) == AF_INET && + while (fwd != NULL) { + if ((isc_sockaddr_pf(&fwd->addr) == AF_INET && fctx->res->dispatches4 == NULL) || - (isc_sockaddr_pf(sa) == AF_INET6 && + (isc_sockaddr_pf(&fwd->addr) == AF_INET6 && fctx->res->dispatches6 == NULL)) { - sa = ISC_LIST_NEXT(sa, link); + fwd = ISC_LIST_NEXT(fwd, link); continue; } ai = NULL; - result = dns_adb_findaddrinfo(fctx->adb, - sa, &ai, 0); /* XXXMLG */ + result = dns_adb_findaddrinfo(fctx->adb, &fwd->addr, &ai, 0); if (result == ISC_R_SUCCESS) { dns_adbaddrinfo_t *cur; ai->flags |= FCTX_ADDRINFO_FORWARDER; @@ -3004,7 +3006,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_ else ISC_LIST_APPEND(fctx->forwaddrs, ai, publink); } - sa = ISC_LIST_NEXT(sa, link); + fwd = ISC_LIST_NEXT(fwd, link); } /* @@ -4012,6 +4014,9 @@ fctx_create(dns_resolver_t *res, dns_nam fctx->restarts = 0; fctx->querysent = 0; fctx->referrals = 0; + + fctx->fwdname = dns_fixedname_initname(&fctx->fwdfname); + TIME_NOW(&fctx->start); fctx->timeouts = 0; fctx->lamecount = 0; @@ -5715,6 +5720,107 @@ mark_related(dns_name_t *name, dns_rdata rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL; } +/* + * Returns true if 'name' is external to the namespace for which + * the server being queried can answer, either because it's not a + * subdomain or because it's below a forward declaration or a + * locally served zone. + */ +static inline isc_boolean_t +name_external(dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) { + isc_result_t result; + dns_forwarders_t *forwarders = NULL; + dns_fixedname_t fixed, zfixed; + dns_name_t *fname = dns_fixedname_initname(&fixed); + dns_name_t *zfname = dns_fixedname_initname(&zfixed); + dns_name_t *apex = NULL; + dns_name_t suffix; + dns_zone_t *zone = NULL; + unsigned int labels; + dns_namereln_t rel; + + apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain; + + /* + * The name is outside the queried namespace. + */ + rel = dns_name_fullcompare(name, apex, &(int){ 0 }, + &(unsigned int){ 0U }); + if (rel != dns_namereln_subdomain && rel != dns_namereln_equal) { + return (ISC_TRUE); + } + + /* + * If the record lives in the parent zone, adjust the name so we + * look for the correct zone or forward clause. + */ + labels = dns_name_countlabels(name); + if (dns_rdatatype_atparent(type) && labels > 1U) { + dns_name_init(&suffix, NULL); + dns_name_getlabelsequence(name, 1, labels - 1, &suffix); + name = &suffix; + } else if (rel == dns_namereln_equal) { + /* If 'name' is 'apex', no further checking is needed. */ + return (ISC_FALSE); + } + + /* + * If there is a locally served zone between 'apex' and 'name' + * then don't cache. + */ + LOCK(&fctx->res->view->lock); + if (fctx->res->view->zonetable != NULL) { + unsigned int options = DNS_ZTFIND_NOEXACT; + result = dns_zt_find(fctx->res->view->zonetable, name, options, + zfname, &zone); + if (zone != NULL) { + dns_zone_detach(&zone); + } + if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { + if (dns_name_fullcompare(zfname, apex, &(int){ 0 }, + &(unsigned int){ 0U }) == + dns_namereln_subdomain) + { + UNLOCK(&fctx->res->view->lock); + return (ISC_TRUE); + } + } + } + UNLOCK(&fctx->res->view->lock); + + /* + * Look for a forward declaration below 'name'. + */ + result = dns_fwdtable_find2(fctx->res->view->fwdtable, name, fname, + &forwarders); + + if (ISFORWARDER(fctx->addrinfo)) { + /* + * See if the forwarder declaration is better. + */ + if (result == ISC_R_SUCCESS) { + return (!dns_name_equal(fname, fctx->fwdname)); + } + + /* + * If the lookup failed, the configuration must have + * changed: play it safe and don't cache. + */ + return (ISC_TRUE); + } else if (result == ISC_R_SUCCESS && + forwarders->fwdpolicy == dns_fwdpolicy_only && + !ISC_LIST_EMPTY(forwarders->fwdrs)) + { + /* + * If 'name' is covered by a 'forward only' clause then we + * can't cache this repsonse. + */ + return (ISC_TRUE); + } + + return (ISC_FALSE); +} + static isc_result_t check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type, dns_section_t section) @@ -5743,7 +5849,7 @@ check_section(void *arg, dns_name_t *add result = dns_message_findname(fctx->rmessage, section, addname, dns_rdatatype_any, 0, &name, NULL); if (result == ISC_R_SUCCESS) { - external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); + external = ISC_TF(name_external(name, type, fctx)); if (type == dns_rdatatype_a) { for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; @@ -6602,6 +6708,13 @@ answer_response(fetchctx_t *fctx) { case dns_namereln_subdomain: /* + * Don't accept DNAME from parent namespace. + */ + if (name_external(name, dns_rdatatype_dname, fctx)) { + continue; + } + + /* * In-scope DNAME records must have at least * as many labels as the domain being queried. * They also must be less that qname's labels @@ -6829,11 +6942,9 @@ answer_response(fetchctx_t *fctx) { */ result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); while (!done && result == ISC_R_SUCCESS) { - isc_boolean_t external; name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); - external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); - if (!external) { + if (ISC_TF(!name_external(name, dns_rdatatype_ns, fctx))) { /* * We expect to find NS or SIG NS rdatasets, and * nothing else. Index: bind-9.9.9-P1/lib/isc/include/isc/types.h =================================================================== --- bind-9.9.9-P1.orig/lib/isc/include/isc/types.h +++ bind-9.9.9-P1/lib/isc/include/isc/types.h @@ -51,6 +51,7 @@ typedef ISC_LIST(isc_buffer_t) isc_buff typedef struct isc_constregion isc_constregion_t; /*%< Const region */ typedef struct isc_consttextregion isc_consttextregion_t; /*%< Const Text Region */ typedef struct isc_counter isc_counter_t; /*%< Counter */ +typedef int16_t isc_dscp_t; /*%< Diffserv code point */ typedef struct isc_entropy isc_entropy_t; /*%< Entropy */ typedef struct isc_entropysource isc_entropysource_t; /*%< Entropy Source */ typedef struct isc_event isc_event_t; /*%< Event */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor