diff --git a/bin/tests/system/redirect/clean.sh b/bin/tests/system/redirect/clean.sh
index 27a65d2..b8bba0d 100644
--- a/bin/tests/system/redirect/clean.sh
+++ b/bin/tests/system/redirect/clean.sh
@@ -27,5 +27,10 @@ rm -f ns3/dsset-signed.
 rm -f ns3/nsec3.db*
 rm -f ns3/signed.db*
 rm -f ns4/*.db
+rm -f ns5/dsset-*
+rm -f ns5/K* ns5/sign.ns5.*
+rm -f ns5/root.db ns5/root.db.signed
+rm -f ns5/signed.db ns5/signed.db.signed
+rm -f ns6/signed.db.signed
 rm -f rndc.out
 rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/redirect/ns1/root.db b/bin/tests/system/redirect/ns1/root.db
index 532063c..7b8caea 100644
--- a/bin/tests/system/redirect/ns1/root.db
+++ b/bin/tests/system/redirect/ns1/root.db
@@ -11,7 +11,7 @@ $TTL 3600
 @ SOA a.root-servers.nil. marka.isc.org. 0 0 0 0 0
 @ NS a.root-servers.nil.
 a.root-servers.nil. A 10.53.0.1
-example NS ns1.example.
+example NS ns1.example.
 ns1.example. A 10.53.0.1
 signed NS ns1.example.
 ns1.signed. A 10.53.0.1
diff --git a/bin/tests/system/redirect/ns4/named.conf.in b/bin/tests/system/redirect/ns4/named.conf.in
index 70f0df0..bb42168 100644
--- a/bin/tests/system/redirect/ns4/named.conf.in
+++ b/bin/tests/system/redirect/ns4/named.conf.in
@@ -16,7 +16,7 @@ controls { /* empty */ };
 acl rfc1918 { 10/8; 192.168/16; 172.16/12; };
 options {
- query-source address 10.53.0.2; /* note this is not 10.53.0.3 */
+ query-source address 10.53.0.2; /* note this is not 10.53.0.4 */
 notify-source 10.53.0.4;
 transfer-source 10.53.0.4;
 port @PORT@;
@@ -28,7 +28,6 @@ options {
 dnssec-enable yes;
 dnssec-validation yes;
 nxdomain-redirect "redirect";
-
 };
 key rndc_key {
diff --git a/bin/tests/system/redirect/ns5/named.conf.in b/bin/tests/system/redirect/ns5/named.conf.in
new file mode 100644
index 0000000..e06deb0
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/named.conf.in
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ port @PORT@;
+ listen-on port @PORT@ { 10.53.0.5; };
+ pid-file "named.pid";
+ nxdomain-redirect signed;
+};
+
+zone "." {
+ type master;
+ file "root.db.signed";
+};
+
+// An unsigned zone that ns6 has a delegation for.
+zone "unsigned." {
+ type master;
+ file "unsigned.db";
+};
diff --git a/bin/tests/system/redirect/ns5/root.db.in b/bin/tests/system/redirect/ns5/root.db.in
new file mode 100644
index 0000000..90c6347
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/root.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 86400 IN SOA a.root-servers.nil. hostmaster.example.net. 2019022100 1800 900 604800 86400
+. 518400 IN NS a.root-servers.nil.
+a.root-servers.nil. 518400 IN A 10.53.0.5
+signed. 172800 IN NS ns.signed.
+ns.signed. 172800 IN A 10.53.0.6
+unsigned. 172800 IN NS ns.unsigned.
+ns.unsigned. 172800 IN A 10.53.0.5
diff --git a/bin/tests/system/redirect/ns5/sign.sh b/bin/tests/system/redirect/ns5/sign.sh
new file mode 100644
index 0000000..e26904a
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/sign.sh
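Review bot: The ns5 options block leaves `recursion` at its default while naming `signed.` as the redirect zone, and that zone is not loaded by ns5 — its root zone only delegates `signed.` to 10.53.0.6. The query_getdb hunk in this same commit shows a redirect name with no matching local zone falling through to query_getcachedb, so whether the `asdfasdfasdf.signed.` lookup is attempted via the cache/recursion path or rejected depends on that default and on `allow-recursion`, which this test does not pin. State the intended path explicitly, e.g. `recursion no;` next to `nxdomain-redirect signed;` if only the authoritative signed-root code is meant to be exercised, or `recursion yes;` with a one-line comment if recursing to ns6 is the point. The ns6 configuration added by this commit mirrors this one and would benefit from the same explicit setting.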
@@ -0,0 +1,43 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+# We sign the zone here and move the signed zone to ns6.
+# The ns5 server actually does not serve this zone but
+# the DS and NS records are in the test root zone, and
+# delegate to ns6.
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db
+
+key1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null`
+key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null`
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out 2>&1
+
+cp signed.db.signed ../ns6
+
+# Root zone.
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+key1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null`
+key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null`
+
+# cat $infile $key1.key $key2.key > $zonefile
+cat $infile dsset-signed. $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out 2>&1
diff --git a/bin/tests/system/redirect/ns5/signed.db.in b/bin/tests/system/redirect/ns5/signed.db.in
new file mode 100644
index 0000000..8884120
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/signed.db.in
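Review bot: The `-e` on `#!/bin/sh -e` is ineffective here, because the setup.sh hunk in this commit runs the script as `$SHELL sign.sh`, which ignores shebang options; since both `$KEYGEN` calls send stderr to /dev/null, a failed key generation leaves `key1`/`key2` empty and the script carries on, concatenating `.key` (a non-existent file) into the zone and producing `signed.db.signed`/`root.db.signed` that are silently wrong or missing. Add an explicit `set -e` after the header, or guard the concatenation with `[ -n "$key1" ] && [ -n "$key2" ] || exit 1`. The dead line `# cat $infile $key1.key $key2.key > $zonefile` should be removed; the live line below it, which also pulls in `dsset-signed.`, is what the comment above the first block describes. Worth a comment too: `-P` disables dnssec-signzone's post-signing verification, so nothing in setup checks that the root KSK → `dsset-signed.` → `signed.` chain is consistent — acceptable for a fixture, but the next reader should know it is deliberate.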
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.signed. hostmaster.signed. 0 0 0 0 0
+@ IN NS ns.signed.
+
+ns.signed. IN A 10.0.53.6
+domain.signed. IN A 10.0.53.1
+
+* IN A 100.100.100.1
+* IN AAAA 2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns5/unsigned.db b/bin/tests/system/redirect/ns5/unsigned.db
new file mode 100644
index 0000000..0f0604d
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/unsigned.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.unsigned. hostmaster.unsigned. 0 0 0 0 0
+@ IN NS ns.unsigned.
+
+ns.unsigned. IN A 10.53.0.6
+domain.unsigned. IN A 10.0.53.1
+
+* IN A 100.100.100.1
+* IN AAAA 2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns6/named.conf.in b/bin/tests/system/redirect/ns6/named.conf.in
new file mode 100644
index 0000000..bca355c
--- /dev/null
+++ b/bin/tests/system/redirect/ns6/named.conf.in
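Review bot: The addresses in signed.db.in look transposed: `ns.signed. IN A 10.0.53.6` and `domain.signed. IN A 10.0.53.1` use 10.0.53.x, while every other fixture in this commit — the glue `ns.signed. 172800 IN A 10.53.0.6` in ns5/root.db.in and ns6/root.db, and the `listen-on` addresses — uses the 10.53.0.x test network. The authoritative A record for `ns.signed.` therefore disagrees with the parent's glue, and `domain.signed.` points at an address nothing in the harness listens on. Unless the mismatch is deliberate, change the two lines to `ns.signed. IN A 10.53.0.6` and `domain.signed. IN A 10.53.0.1`; if it is deliberate, a `;` comment saying so would stop the next reader from "fixing" it.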
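Review bot: `ns.unsigned. IN A 10.53.0.6` contradicts the delegation: ns5/root.db.in and ns6/root.db both carry glue `ns.unsigned. 172800 IN A 10.53.0.5`, and ns5 (10.53.0.5) is the server that loads `unsigned.db` according to its named.conf.in, so the child's own NS address names the wrong server. `domain.unsigned. IN A 10.0.53.1` also uses the 10.0.53.x octet order rather than the 10.53.0.x network used throughout. If the in-zone address is meant to match the glue, change it to `ns.unsigned. IN A 10.53.0.5`; otherwise document why it differs.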
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+ port @PORT@;
+ listen-on port @PORT@ { 10.53.0.6; };
+ pid-file "named.pid";
+ nxdomain-redirect unsigned;
+};
+
+zone "." {
+ type master;
+ file "root.db";
+};
+
+// A signed zone that ns5 has a delegation for.
+zone "signed." {
+ type master;
+ file "signed.db.signed";
+};
diff --git a/bin/tests/system/redirect/ns6/root.db b/bin/tests/system/redirect/ns6/root.db
new file mode 100644
index 0000000..5e78d23
--- /dev/null
+++ b/bin/tests/system/redirect/ns6/root.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 86400 IN SOA a.root-servers.nil. hostmaster.example.net. 2019022100 1800 900 604800 86400
+. 518400 IN NS a.root-servers.nil.
+a.root-servers.nil. 518400 IN A 10.53.0.6
+signed. 172800 IN NS ns.signed.
+ns.signed. 172800 IN A 10.53.0.6
+unsigned. 172800 IN NS ns.unsigned.
+ns.unsigned. 172800 IN A 10.53.0.5
diff --git a/bin/tests/system/redirect/setup.sh b/bin/tests/system/redirect/setup.sh
index c540020..cad235b 100644
--- a/bin/tests/system/redirect/setup.sh
+++ b/bin/tests/system/redirect/setup.sh
@@ -18,6 +18,8 @@ copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
+copy_setports ns6/named.conf.in ns6/named.conf
 cp ns2/redirect.db.in ns2/redirect.db
 cp ns2/example.db.in ns2/example.db
@@ -25,3 +27,4 @@ cp ns2/example.db.in ns2/example.db
 cp ns4/example.db.in ns4/example.db
 ( cd ns3 && $SHELL sign.sh )
+( cd ns5 && $SHELL sign.sh )
diff --git a/bin/tests/system/redirect/tests.sh b/bin/tests/system/redirect/tests.sh
index 9eb6b42..810e43e 100644
--- a/bin/tests/system/redirect/tests.sh
+++ b/bin/tests/system/redirect/tests.sh
@@ -517,5 +517,21 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
+echo_i "checking tld nxdomain-redirect against signed root zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.5 asdfasdfasdf > dig.out.ns5.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns5.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+echo_i "checking tld nxdomain-redirect against unsigned root zone ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 asdfasdfasdf > dig.out.ns6.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns6.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 477a11a..e8ecd96 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -1312,7 +1312,6 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 dns_dbversion_t **versionp, bool *is_zonep)
 {
 isc_result_t result;
- isc_result_t tresult;
 unsigned int namelabels;
 unsigned int zonelabels;
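Review bot: Both new checks assert only `status: NXDOMAIN`, which catches a crash or a wrong rcode but not whether the signed-root path was actually exercised: in the redirect2 hunk of this commit the secure-zone short-circuit `if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))` only applies when the DO bit is set, and it is not visible here whether `$DIGOPTS` includes `+dnssec`. Consider a second query against 10.53.0.5 that adds `+dnssec` and also asserts `grep "RRSIG" dig.out.ns5.test$n > /dev/null || ret=1`, so the signed denial is both triggered and checked. It would also pin the intended behaviour to add `grep "100.100.100.1" dig.out.ns5.test$n > /dev/null && ret=1`, confirming that the wildcard data in the redirect target zone did not leak into the answer when NXDOMAIN is expected. The surrounding `n=`/`status=` lines are the existing harness and are unchanged by the hunk.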
@@ -1329,8 +1328,9 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 dbp, versionp);
 /* See how many labels are in the zone's name. */
- if (result == ISC_R_SUCCESS && zone != NULL)
+ if (result == ISC_R_SUCCESS && zone != NULL) {
 zonelabels = dns_name_countlabels(dns_zone_getorigin(zone));
+ }
 /*
 * If # zone labels < # name labels, try to find an even better match
@@ -1397,8 +1397,11 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 * If neither attempt above succeeded, return the cache instead
 */
 *is_zonep = true;
- } else if (result == ISC_R_NOTFOUND) {
- result = query_getcachedb(client, name, qtype, dbp, options);
+ } else {
+ if (result == ISC_R_NOTFOUND) {
+ result = query_getcachedb(client, name, qtype, dbp,
+ options);
+ }
 *is_zonep = false;
 }
 return (result);
@@ -4672,15 +4675,18 @@ redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
 dns_dbversion_t *version = NULL;
 dns_zone_t *zone = NULL;
 bool is_zone;
+ unsigned int labels;
 unsigned int options;
 CTRACE(ISC_LOG_DEBUG(3), "redirect2");
- if (client->view->redirectzone == NULL)
+ if (client->view->redirectzone == NULL) {
 return (ISC_R_NOTFOUND);
+ }
- if (dns_name_issubdomain(name, client->view->redirectzone))
+ if (dns_name_issubdomain(name, client->view->redirectzone)) {
 return (ISC_R_NOTFOUND);
+ }
 found = dns_fixedname_initname(&fixed);
 dns_rdataset_init(&trdataset);
@@ -4688,8 +4694,9 @@ redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
 dns_clientinfomethods_init(&cm, ns_client_sourceip);
 dns_clientinfo_init(&ci, client, NULL);
- if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp))
+ if (WANTDNSSEC(client) && dns_db_iszone(*dbp) && dns_db_issecure(*dbp)) {
 return (ISC_R_NOTFOUND);
+ }
 if (WANTDNSSEC(client) && dns_rdataset_isassociated(rdataset)) {
 if (rdataset->trust == dns_trust_secure)
@@ -4714,27 +4721,31 @@ redirect2(ns_client_t *client, dns_name_t *name, dns_rdataset_t *rdataset,
 }
 redirectname = dns_fixedname_initname(&fixedredirect);
- if (dns_name_countlabels(name) > 1U) {
+ labels = dns_name_countlabels(client->query.qname);
+ if (labels > 1U) {
 dns_name_t prefix;
- unsigned int labels = dns_name_countlabels(name) - 1;
 dns_name_init(&prefix, NULL);
- dns_name_getlabelsequence(name, 0, labels, &prefix);
+ dns_name_getlabelsequence(client->query.qname, 0, labels - 1,
+ &prefix);
 result = dns_name_concatenate(&prefix, client->view->redirectzone, redirectname, NULL);
 if (result != ISC_R_SUCCESS)
 return (ISC_R_NOTFOUND);
- } else
+ } else {
 dns_name_copy(redirectname, client->view->redirectzone, NULL);
+ }
 options = 0;
 result = query_getdb(client, redirectname, qtype, options, &zone, &db, &version, &is_zone);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
 return (ISC_R_NOTFOUND);
- if (zone != NULL)
+ }
+ if (zone != NULL) {
 dns_zone_detach(&zone);
+ }
 /*
 * Lookup the requested data in the redirect zone.
@@ -5392,7 +5403,6 @@ query_lookup(query_ctx_t *qctx) {
 return (ns_query_done(qctx));
 }
 }
-
 return (query_gotanswer(qctx, result));
 cleanup:
@@ -5784,7 +5794,6 @@ query_resume(query_ctx_t *qctx) {
 RESTORE(qctx->zone, qctx->client->query.redirect.zone);
 qctx->authoritative = qctx->client->query.redirect.authoritative;
- qctx->is_zone = qctx->client->query.redirect.is_zone;
 /*
 * Free resources used while recursing.
 */
@@ -5893,7 +5902,6 @@ query_resume(query_ctx_t *qctx) {
 ISC_EVENT_PTR(&qctx->event), &qctx->event);
 } else if (REDIRECT(qctx->client)) {
 result = qctx->client->query.redirect.result;
- qctx->is_zone = qctx->client->query.redirect.is_zone;
 } else {
 result = qctx->event->result;
 }
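Review bot: In the newly braced `else` branch, `dns_name_copy(redirectname, client->view->redirectzone, NULL)` appears to have its arguments reversed: if dns_name_copy's prototype is (source, dest, target) as elsewhere in lib/dns, this copies the just-initialized, empty `redirectname` into the view's `redirectzone` rather than the other way round, and nothing in the hunk checks its result. With `labels` now taken from `client->query.qname` this branch is reached only when the query name has a single label (i.e. the root itself), which is presumably why it has gone unnoticed, but it still corrupts view state on that path. Confirm against the prototype and, if so, change it to `result = dns_name_copy(client->view->redirectzone, redirectname, NULL);` followed by the same `if (result != ISC_R_SUCCESS) return (ISC_R_NOTFOUND);` used in the other branch. Minor: that existing unbraced `if (result != ISC_R_SUCCESS) return (ISC_R_NOTFOUND);` inside the `labels > 1U` branch is the one conditional in this hunk the commit did not brace. redirect2 begins before and continues after this hunk.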