Author: simon
Date: Wed Jan 6 21:45:30 2010
New Revision: 201679
URL: http://svn.freebsd.org/changeset/base/201679
Log:
Fix BIND named(8) cache poisoning with DNSSEC validation.
[SA-10:01]
Fix ntpd mode 7 denial of service. [SA-10:02]
Fix ZFS ZIL playback with insecure permissions. [SA-10:03]
Various FreeBSD 8.0-RELEASE improvements. [EN-10:01]
Security: FreeBSD-SA-10:01.bind
Security: FreeBSD-SA-10:02.ntpd
Security: FreeBSD-SA-10:03.zfs
Errata: FreeBSD-EN-10:01.freebsd
Approved by: so (simon)
Modified:
releng/6.3/UPDATING
releng/6.3/contrib/bind9/bin/named/query.c
releng/6.3/contrib/bind9/lib/dns/include/dns/types.h
releng/6.3/contrib/bind9/lib/dns/masterdump.c
releng/6.3/contrib/bind9/lib/dns/rbtdb.c
releng/6.3/contrib/bind9/lib/dns/resolver.c
releng/6.3/contrib/bind9/lib/dns/validator.c
releng/6.3/contrib/ntp/ntpd/ntp_request.c
releng/6.3/sys/conf/newvers.sh
releng/6.4/UPDATING
releng/6.4/contrib/bind9/bin/named/query.c
releng/6.4/contrib/bind9/lib/dns/include/dns/types.h
releng/6.4/contrib/bind9/lib/dns/masterdump.c
releng/6.4/contrib/bind9/lib/dns/rbtdb.c
releng/6.4/contrib/bind9/lib/dns/resolver.c
releng/6.4/contrib/bind9/lib/dns/validator.c
releng/6.4/contrib/ntp/ntpd/ntp_request.c
releng/6.4/sys/conf/newvers.sh
releng/7.1/UPDATING
releng/7.1/contrib/bind9/bin/named/query.c
releng/7.1/contrib/bind9/lib/dns/include/dns/types.h
releng/7.1/contrib/bind9/lib/dns/masterdump.c
releng/7.1/contrib/bind9/lib/dns/rbtdb.c
releng/7.1/contrib/bind9/lib/dns/resolver.c
releng/7.1/contrib/bind9/lib/dns/validator.c
releng/7.1/contrib/ntp/ntpd/ntp_request.c
releng/7.1/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c
releng/7.1/sys/conf/newvers.sh
releng/7.2/UPDATING
releng/7.2/contrib/bind9/bin/named/query.c
releng/7.2/contrib/bind9/lib/dns/include/dns/types.h
releng/7.2/contrib/bind9/lib/dns/masterdump.c
releng/7.2/contrib/bind9/lib/dns/rbtdb.c
releng/7.2/contrib/bind9/lib/dns/resolver.c
releng/7.2/contrib/bind9/lib/dns/validator.c
releng/7.2/contrib/ntp/ntpd/ntp_request.c
releng/7.2/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c
releng/7.2/sys/conf/newvers.sh
releng/8.0/UPDATING
releng/8.0/contrib/bind9/bin/named/query.c
releng/8.0/contrib/bind9/lib/dns/include/dns/types.h
releng/8.0/contrib/bind9/lib/dns/masterdump.c
releng/8.0/contrib/bind9/lib/dns/rbtdb.c
releng/8.0/contrib/bind9/lib/dns/resolver.c
releng/8.0/contrib/bind9/lib/dns/validator.c
releng/8.0/contrib/ntp/ntpd/ntp_request.c
releng/8.0/sys/cddl/compat/opensolaris/sys/vnode.h
releng/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c
releng/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c
releng/8.0/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c
releng/8.0/sys/cddl/contrib/opensolaris/uts/common/sys/vnode.h
releng/8.0/sys/conf/newvers.sh
releng/8.0/sys/kern/vfs_lookup.c
releng/8.0/sys/netinet/ip_mroute.c
releng/8.0/sys/netinet/raw_ip.c
releng/8.0/sys/netinet/sctp_input.c
releng/8.0/sys/netinet6/raw_ip6.c
releng/8.0/sys/rpc/clnt_vc.c
Changes in other areas also in this revision:
Modified:
stable/6/contrib/bind9/bin/named/query.c
stable/6/contrib/bind9/lib/dns/include/dns/types.h
stable/6/contrib/bind9/lib/dns/masterdump.c
stable/6/contrib/bind9/lib/dns/rbtdb.c
stable/6/contrib/bind9/lib/dns/resolver.c
stable/6/contrib/bind9/lib/dns/validator.c
stable/6/contrib/ntp/ntpd/ntp_request.c
stable/7/contrib/ntp/ntpd/ntp_request.c
stable/7/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c
stable/8/contrib/ntp/ntpd/ntp_request.c
Modified: releng/6.3/UPDATING
==============================================================================
--- releng/6.3/UPDATING Wed Jan 6 21:36:33 2010 (r201678)
+++ releng/6.3/UPDATING Wed Jan 6 21:45:30 2010 (r201679)
@@ -8,6 +8,12 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20100106: p15 FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd
+ Fix BIND named(8) cache poisoning with DNSSEC validation.
+ [SA-10:01]
+
+ Fix ntpd mode 7 denial of service. [SA-10:02]
+
20091203: p14 FreeBSD-SA-09:15.ssl, FreeBSD-SA-09:17.freebsd-update
Disable SSL renegotiation in order to protect against a serious
protocol flaw. [09:15]
Modified: releng/6.3/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/6.3/contrib/bind9/bin/named/query.c Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/6.3/contrib/bind9/bin/named/query.c Wed Jan 6 21:45:30 2010
(r201679)
@@ -92,6 +92,8 @@
#define DNS_GETDB_NOLOG 0x02U
#define DNS_GETDB_PARTIAL 0x04U
+#define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0)
+
static void
query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t
qtype);
@@ -1698,14 +1700,14 @@ query_addbestns(ns_client_t *client) {
zsigrdataset = NULL;
}
- if ((client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0 &&
- (rdataset->trust == dns_trust_pending ||
- (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending)))
+ if ((DNS_TRUST_PENDING(rdataset->trust) ||
+ (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust))) &&
+ !PENDINGOK(client->query.dboptions))
goto cleanup;
- if (WANTDNSSEC(client) && SECURE(client) &&
- (rdataset->trust == dns_trust_glue ||
- (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)))
+ if ((DNS_TRUST_GLUE(rdataset->trust) ||
+ (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) &&
+ SECURE(client) && WANTDNSSEC(client))
goto cleanup;
query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
@@ -2364,6 +2366,8 @@ query_find(ns_client_t *client, dns_fetc
unsigned int options;
isc_boolean_t empty_wild;
dns_rdataset_t *noqname;
+ dns_rdataset_t tmprdataset;
+ unsigned int dboptions;
CTRACE("query_find");
@@ -2563,9 +2567,47 @@ query_find(ns_client_t *client, dns_fetc
/*
* Now look for an answer in the database.
*/
+ dboptions = client->query.dboptions;
+ if (sigrdataset == NULL && client->view->enablednssec) {
+ /*
+ * If the client doesn't want DNSSEC we still want to
+ * look for any data pending validation to save a remote
+ * lookup if possible.
+ */
+ dns_rdataset_init(&tmprdataset);
+ sigrdataset = &tmprdataset;
+ dboptions |= DNS_DBFIND_PENDINGOK;
+ }
+ refind:
result = dns_db_find(db, client->query.qname, version, type,
- client->query.dboptions, client->now,
- &node, fname, rdataset, sigrdataset);
+ dboptions, client->now, &node, fname,
+ rdataset, sigrdataset);
+ /*
+ * If we have found pending data try to validate it.
+ * If the data does not validate as secure and we can't
+ * use the unvalidated data requery the database with
+ * pending disabled to prevent infinite looping.
+ */
+ if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust))
+ goto validation_done;
+ if (rdataset->trust != dns_trust_pending_answer ||
+ !PENDINGOK(client->query.dboptions)) {
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ if (sigrdataset == &tmprdataset)
+ sigrdataset = NULL;
+ dns_db_detachnode(db, &node);
+ dboptions &= ~DNS_DBFIND_PENDINGOK;
+ goto refind;
+ }
+ validation_done:
+ if (sigrdataset == &tmprdataset) {
+ if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ sigrdataset = NULL;
+ }
resume:
CTRACE("query_find: resume");
Modified: releng/6.3/contrib/bind9/lib/dns/include/dns/types.h
==============================================================================
--- releng/6.3/contrib/bind9/lib/dns/include/dns/types.h Wed Jan 6
21:36:33 2010 (r201678)
+++ releng/6.3/contrib/bind9/lib/dns/include/dns/types.h Wed Jan 6
21:45:30 2010 (r201679)
@@ -226,40 +226,51 @@ enum {
dns_trust_none = 0,
#define dns_trust_none ((dns_trust_t)dns_trust_none)
- /* Subject to DNSSEC validation but has not yet been validated */
- dns_trust_pending = 1,
-#define dns_trust_pending ((dns_trust_t)dns_trust_pending)
+ /*%
+ * Subject to DNSSEC validation but has not yet been validated
+ * dns_trust_pending_additional (from the additional section).
+ */
+ dns_trust_pending_additional = 1,
+#define dns_trust_pending_additional \
+ ((dns_trust_t)dns_trust_pending_additional)
- /* Received in the additional section of a response. */
- dns_trust_additional = 2,
+ dns_trust_pending_answer = 2,
+#define dns_trust_pending_answer ((dns_trust_t)dns_trust_pending_answer)
+
+ /*% Received in the additional section of a response. */
+ dns_trust_additional = 3,
#define dns_trust_additional ((dns_trust_t)dns_trust_additional)
- /* Received in a referral response. */
- dns_trust_glue = 3,
+ /* Received in a referral response. */
+ dns_trust_glue = 4,
#define dns_trust_glue ((dns_trust_t)dns_trust_glue)
- /* Answser from a non-authoritative server */
- dns_trust_answer = 4,
+ /* Answer from a non-authoritative server */
+ dns_trust_answer = 5,
#define dns_trust_answer ((dns_trust_t)dns_trust_answer)
/* Received in the authority section as part of an
authoritative response */
- dns_trust_authauthority = 5,
+ dns_trust_authauthority = 6,
#define dns_trust_authauthority
((dns_trust_t)dns_trust_authauthority)
- /* Answser from an authoritative server */
- dns_trust_authanswer = 6,
+ /* Answer from an authoritative server */
+ dns_trust_authanswer = 7,
#define dns_trust_authanswer ((dns_trust_t)dns_trust_authanswer)
- /* Successfully DNSSEC validated */
- dns_trust_secure = 7,
+ /* Successfully DNSSEC validated */
+ dns_trust_secure = 8,
#define dns_trust_secure ((dns_trust_t)dns_trust_secure)
/* This server is authoritative */
- dns_trust_ultimate = 8
+ dns_trust_ultimate = 9
#define dns_trust_ultimate ((dns_trust_t)dns_trust_ultimate)
};
+#define DNS_TRUST_PENDING(x) ((x) == dns_trust_pending_answer || \
+ (x) == dns_trust_pending_additional)
+#define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue)
+
/*
* Name checking severites.
*/
Modified: releng/6.3/contrib/bind9/lib/dns/masterdump.c
==============================================================================
--- releng/6.3/contrib/bind9/lib/dns/masterdump.c Wed Jan 6 21:36:33
2010 (r201678)
+++ releng/6.3/contrib/bind9/lib/dns/masterdump.c Wed Jan 6 21:45:30
2010 (r201679)
@@ -763,7 +763,8 @@ dump_order_compare(const void *a, const
static const char *trustnames[] = {
"none",
- "pending",
+ "pending-additional",
+ "pending-answer",
"additional",
"glue",
"answer",
Modified: releng/6.3/contrib/bind9/lib/dns/rbtdb.c
==============================================================================
--- releng/6.3/contrib/bind9/lib/dns/rbtdb.c Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/6.3/contrib/bind9/lib/dns/rbtdb.c Wed Jan 6 21:45:30 2010
(r201679)
@@ -2652,7 +2652,7 @@ cache_zonecut_callback(dns_rbtnode_t *no
}
if (dname_header != NULL &&
- (dname_header->trust != dns_trust_pending ||
+ (!DNS_TRUST_PENDING(dname_header->trust) ||
(search->options & DNS_DBFIND_PENDINGOK) != 0)) {
/*
* We increment the reference count on node to ensure that
@@ -3113,7 +3113,7 @@ cache_find(dns_db_t *db, dns_name_t *nam
if (found == NULL ||
(found->trust == dns_trust_glue &&
((options & DNS_DBFIND_GLUEOK) == 0)) ||
- (found->trust == dns_trust_pending &&
+ (DNS_TRUST_PENDING(found->trust) &&
((options & DNS_DBFIND_PENDINGOK) == 0))) {
/*
* If there is an NS rdataset at this node, then this is the
Modified: releng/6.3/contrib/bind9/lib/dns/resolver.c
==============================================================================
--- releng/6.3/contrib/bind9/lib/dns/resolver.c Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/6.3/contrib/bind9/lib/dns/resolver.c Wed Jan 6 21:45:30 2010
(r201679)
@@ -3603,6 +3603,7 @@ cache_name(fetchctx_t *fctx, dns_name_t
* for it, unless it is glue.
*/
if (secure_domain && rdataset->trust != dns_trust_glue) {
+ dns_trust_t trust;
/*
* RRSIGs are validated as part of validating the
* type they cover.
@@ -3639,12 +3640,34 @@ cache_name(fetchctx_t *fctx, dns_name_t
}
/*
+ * Reject out of bailiwick additional records
+ * without RRSIGs as they can't possibly validate
+ * as "secure" and as we will never never want to
+ * store these as "answers" after validation.
+ */
+ if (rdataset->trust == dns_trust_additional &&
+ sigrdataset == NULL && EXTERNAL(rdataset))
+ continue;
+
+ /*
+ * XXXMPA: If we store as "answer" after validating
+ * then we need to do bailiwick processing and
+ * also need to track whether RRsets are in or
+ * out of bailiwick. This will require a another
+ * pending trust level.
+ *
* Cache this rdataset/sigrdataset pair as
- * pending data.
+ * pending data. Track whether it was additional
+ * or not.
*/
- rdataset->trust = dns_trust_pending;
+ if (rdataset->trust == dns_trust_additional)
+ trust = dns_trust_pending_additional;
+ else
+ trust = dns_trust_pending_answer;
+
+ rdataset->trust = trust;
if (sigrdataset != NULL)
- sigrdataset->trust = dns_trust_pending;
+ sigrdataset->trust = trust;
if (!need_validation)
addedrdataset = ardataset;
else
@@ -3964,7 +3987,7 @@ ncache_message(fetchctx_t *fctx, dns_adb
for (trdataset = ISC_LIST_HEAD(tname->list);
trdataset != NULL;
trdataset = ISC_LIST_NEXT(trdataset, link))
- trdataset->trust = dns_trust_pending;
+ trdataset->trust = dns_trust_pending_answer;
result = dns_message_nextname(fctx->rmessage,
DNS_SECTION_AUTHORITY);
}
Modified: releng/6.3/contrib/bind9/lib/dns/validator.c
==============================================================================
--- releng/6.3/contrib/bind9/lib/dns/validator.c Wed Jan 6 21:36:33
2010 (r201678)
+++ releng/6.3/contrib/bind9/lib/dns/validator.c Wed Jan 6 21:45:30
2010 (r201679)
@@ -235,7 +235,7 @@ auth_nonpending(dns_message_t *message)
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link))
{
- if (rdataset->trust == dns_trust_pending)
+ if (DNS_TRUST_PENDING(rdataset->trust))
rdataset->trust = dns_trust_authauthority;
}
}
@@ -1146,7 +1146,7 @@ get_key(dns_validator_t *val, dns_rdata_
* We have an rrset for the given keyname.
*/
val->keyset = &val->frdataset;
- if (val->frdataset.trust == dns_trust_pending &&
+ if (DNS_TRUST_PENDING(val->frdataset.trust) &&
dns_rdataset_isassociated(&val->fsigrdataset))
{
/*
@@ -1161,7 +1161,7 @@ get_key(dns_validator_t *val, dns_rdata_
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
- } else if (val->frdataset.trust == dns_trust_pending) {
+ } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
/*
* Having a pending key with no signature means that
* something is broken.
@@ -1723,7 +1723,7 @@ validatezonekey(dns_validator_t *val) {
* We have DS records.
*/
val->dsset = &val->frdataset;
- if (val->frdataset.trust == dns_trust_pending &&
+ if (DNS_TRUST_PENDING(val->frdataset.trust) &&
dns_rdataset_isassociated(&val->fsigrdataset))
{
result = create_validator(val,
@@ -1736,7 +1736,7 @@ validatezonekey(dns_validator_t *val) {
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
- } else if (val->frdataset.trust == dns_trust_pending) {
+ } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
/*
* There should never be an unsigned DS.
*/
Modified: releng/6.3/contrib/ntp/ntpd/ntp_request.c
==============================================================================
--- releng/6.3/contrib/ntp/ntpd/ntp_request.c Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/6.3/contrib/ntp/ntpd/ntp_request.c Wed Jan 6 21:45:30 2010
(r201679)
@@ -404,6 +404,7 @@ process_private(
int mod_okay
)
{
+ static u_long quiet_until;
struct req_pkt *inpkt;
struct req_pkt_tail *tailinpkt;
struct sockaddr_storage *srcadr;
@@ -439,8 +440,14 @@ process_private(
|| (++ec, INFO_MBZ(inpkt->mbz_itemsize) != 0)
|| (++ec, rbufp->recv_length < REQ_LEN_HDR)
) {
- msyslog(LOG_ERR, "process_private: INFO_ERR_FMT: test %d
failed, pkt from %s", ec, stoa(srcadr));
- req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+ NLOG(NLOG_SYSEVENT)
+ if (current_time >= quiet_until) {
+ msyslog(LOG_ERR,
+ "process_private: drop test %d"
+ " failed, pkt from %s",
+ ec, stoa(srcadr));
+ quiet_until = current_time + 60;
+ }
return;
}
Modified: releng/6.3/sys/conf/newvers.sh
==============================================================================
--- releng/6.3/sys/conf/newvers.sh Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/6.3/sys/conf/newvers.sh Wed Jan 6 21:45:30 2010
(r201679)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="6.3"
-BRANCH="RELEASE-p14"
+BRANCH="RELEASE-p15"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/6.4/UPDATING
==============================================================================
--- releng/6.4/UPDATING Wed Jan 6 21:36:33 2010 (r201678)
+++ releng/6.4/UPDATING Wed Jan 6 21:45:30 2010 (r201679)
@@ -8,6 +8,12 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20100106: p9 FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd
+ Fix BIND named(8) cache poisoning with DNSSEC validation.
+ [SA-10:01]
+
+ Fix ntpd mode 7 denial of service. [SA-10:02]
+
20091203: p8 FreeBSD-SA-09:15.ssl, FreeBSD-SA-09:17.freebsd-update
Disable SSL renegotiation in order to protect against a serious
protocol flaw. [09:15]
Modified: releng/6.4/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/6.4/contrib/bind9/bin/named/query.c Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/6.4/contrib/bind9/bin/named/query.c Wed Jan 6 21:45:30 2010
(r201679)
@@ -92,6 +92,8 @@
#define DNS_GETDB_NOLOG 0x02U
#define DNS_GETDB_PARTIAL 0x04U
+#define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0)
+
static void
query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t
qtype);
@@ -1698,14 +1700,14 @@ query_addbestns(ns_client_t *client) {
zsigrdataset = NULL;
}
- if ((client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0 &&
- (rdataset->trust == dns_trust_pending ||
- (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending)))
+ if ((DNS_TRUST_PENDING(rdataset->trust) ||
+ (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust))) &&
+ !PENDINGOK(client->query.dboptions))
goto cleanup;
- if (WANTDNSSEC(client) && SECURE(client) &&
- (rdataset->trust == dns_trust_glue ||
- (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)))
+ if ((DNS_TRUST_GLUE(rdataset->trust) ||
+ (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) &&
+ SECURE(client) && WANTDNSSEC(client))
goto cleanup;
query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
@@ -2367,6 +2369,8 @@ query_find(ns_client_t *client, dns_fetc
unsigned int options;
isc_boolean_t empty_wild;
dns_rdataset_t *noqname;
+ dns_rdataset_t tmprdataset;
+ unsigned int dboptions;
CTRACE("query_find");
@@ -2566,9 +2570,47 @@ query_find(ns_client_t *client, dns_fetc
/*
* Now look for an answer in the database.
*/
+ dboptions = client->query.dboptions;
+ if (sigrdataset == NULL && client->view->enablednssec) {
+ /*
+ * If the client doesn't want DNSSEC we still want to
+ * look for any data pending validation to save a remote
+ * lookup if possible.
+ */
+ dns_rdataset_init(&tmprdataset);
+ sigrdataset = &tmprdataset;
+ dboptions |= DNS_DBFIND_PENDINGOK;
+ }
+ refind:
result = dns_db_find(db, client->query.qname, version, type,
- client->query.dboptions, client->now,
- &node, fname, rdataset, sigrdataset);
+ dboptions, client->now, &node, fname,
+ rdataset, sigrdataset);
+ /*
+ * If we have found pending data try to validate it.
+ * If the data does not validate as secure and we can't
+ * use the unvalidated data requery the database with
+ * pending disabled to prevent infinite looping.
+ */
+ if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust))
+ goto validation_done;
+ if (rdataset->trust != dns_trust_pending_answer ||
+ !PENDINGOK(client->query.dboptions)) {
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ if (sigrdataset == &tmprdataset)
+ sigrdataset = NULL;
+ dns_db_detachnode(db, &node);
+ dboptions &= ~DNS_DBFIND_PENDINGOK;
+ goto refind;
+ }
+ validation_done:
+ if (sigrdataset == &tmprdataset) {
+ if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ sigrdataset = NULL;
+ }
resume:
CTRACE("query_find: resume");
Modified: releng/6.4/contrib/bind9/lib/dns/include/dns/types.h
==============================================================================
--- releng/6.4/contrib/bind9/lib/dns/include/dns/types.h Wed Jan 6
21:36:33 2010 (r201678)
+++ releng/6.4/contrib/bind9/lib/dns/include/dns/types.h Wed Jan 6
21:45:30 2010 (r201679)
@@ -226,40 +226,51 @@ enum {
dns_trust_none = 0,
#define dns_trust_none ((dns_trust_t)dns_trust_none)
- /* Subject to DNSSEC validation but has not yet been validated */
- dns_trust_pending = 1,
-#define dns_trust_pending ((dns_trust_t)dns_trust_pending)
+ /*%
+ * Subject to DNSSEC validation but has not yet been validated
+ * dns_trust_pending_additional (from the additional section).
+ */
+ dns_trust_pending_additional = 1,
+#define dns_trust_pending_additional \
+ ((dns_trust_t)dns_trust_pending_additional)
- /* Received in the additional section of a response. */
- dns_trust_additional = 2,
+ dns_trust_pending_answer = 2,
+#define dns_trust_pending_answer ((dns_trust_t)dns_trust_pending_answer)
+
+ /*% Received in the additional section of a response. */
+ dns_trust_additional = 3,
#define dns_trust_additional ((dns_trust_t)dns_trust_additional)
- /* Received in a referral response. */
- dns_trust_glue = 3,
+ /* Received in a referral response. */
+ dns_trust_glue = 4,
#define dns_trust_glue ((dns_trust_t)dns_trust_glue)
- /* Answser from a non-authoritative server */
- dns_trust_answer = 4,
+ /* Answer from a non-authoritative server */
+ dns_trust_answer = 5,
#define dns_trust_answer ((dns_trust_t)dns_trust_answer)
/* Received in the authority section as part of an
authoritative response */
- dns_trust_authauthority = 5,
+ dns_trust_authauthority = 6,
#define dns_trust_authauthority
((dns_trust_t)dns_trust_authauthority)
- /* Answser from an authoritative server */
- dns_trust_authanswer = 6,
+ /* Answer from an authoritative server */
+ dns_trust_authanswer = 7,
#define dns_trust_authanswer ((dns_trust_t)dns_trust_authanswer)
- /* Successfully DNSSEC validated */
- dns_trust_secure = 7,
+ /* Successfully DNSSEC validated */
+ dns_trust_secure = 8,
#define dns_trust_secure ((dns_trust_t)dns_trust_secure)
/* This server is authoritative */
- dns_trust_ultimate = 8
+ dns_trust_ultimate = 9
#define dns_trust_ultimate ((dns_trust_t)dns_trust_ultimate)
};
+#define DNS_TRUST_PENDING(x) ((x) == dns_trust_pending_answer || \
+ (x) == dns_trust_pending_additional)
+#define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue)
+
/*
* Name checking severites.
*/
Modified: releng/6.4/contrib/bind9/lib/dns/masterdump.c
==============================================================================
--- releng/6.4/contrib/bind9/lib/dns/masterdump.c Wed Jan 6 21:36:33
2010 (r201678)
+++ releng/6.4/contrib/bind9/lib/dns/masterdump.c Wed Jan 6 21:45:30
2010 (r201679)
@@ -763,7 +763,8 @@ dump_order_compare(const void *a, const
static const char *trustnames[] = {
"none",
- "pending",
+ "pending-additional",
+ "pending-answer",
"additional",
"glue",
"answer",
Modified: releng/6.4/contrib/bind9/lib/dns/rbtdb.c
==============================================================================
--- releng/6.4/contrib/bind9/lib/dns/rbtdb.c Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/6.4/contrib/bind9/lib/dns/rbtdb.c Wed Jan 6 21:45:30 2010
(r201679)
@@ -2667,7 +2667,7 @@ cache_zonecut_callback(dns_rbtnode_t *no
}
if (dname_header != NULL &&
- (dname_header->trust != dns_trust_pending ||
+ (!DNS_TRUST_PENDING(dname_header->trust) ||
(search->options & DNS_DBFIND_PENDINGOK) != 0)) {
/*
* We increment the reference count on node to ensure that
@@ -3129,7 +3129,7 @@ cache_find(dns_db_t *db, dns_name_t *nam
if (found == NULL ||
(found->trust == dns_trust_glue &&
((options & DNS_DBFIND_GLUEOK) == 0)) ||
- (found->trust == dns_trust_pending &&
+ (DNS_TRUST_PENDING(found->trust) &&
((options & DNS_DBFIND_PENDINGOK) == 0))) {
/*
* If there is an NS rdataset at this node, then this is the
Modified: releng/6.4/contrib/bind9/lib/dns/resolver.c
==============================================================================
--- releng/6.4/contrib/bind9/lib/dns/resolver.c Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/6.4/contrib/bind9/lib/dns/resolver.c Wed Jan 6 21:45:30 2010
(r201679)
@@ -3657,6 +3657,7 @@ cache_name(fetchctx_t *fctx, dns_name_t
* for it, unless it is glue.
*/
if (secure_domain && rdataset->trust != dns_trust_glue) {
+ dns_trust_t trust;
/*
* RRSIGs are validated as part of validating the
* type they cover.
@@ -3693,12 +3694,34 @@ cache_name(fetchctx_t *fctx, dns_name_t
}
/*
+ * Reject out of bailiwick additional records
+ * without RRSIGs as they can't possibly validate
+ * as "secure" and as we will never never want to
+ * store these as "answers" after validation.
+ */
+ if (rdataset->trust == dns_trust_additional &&
+ sigrdataset == NULL && EXTERNAL(rdataset))
+ continue;
+
+ /*
+ * XXXMPA: If we store as "answer" after validating
+ * then we need to do bailiwick processing and
+ * also need to track whether RRsets are in or
+ * out of bailiwick. This will require a another
+ * pending trust level.
+ *
* Cache this rdataset/sigrdataset pair as
- * pending data.
+ * pending data. Track whether it was additional
+ * or not.
*/
- rdataset->trust = dns_trust_pending;
+ if (rdataset->trust == dns_trust_additional)
+ trust = dns_trust_pending_additional;
+ else
+ trust = dns_trust_pending_answer;
+
+ rdataset->trust = trust;
if (sigrdataset != NULL)
- sigrdataset->trust = dns_trust_pending;
+ sigrdataset->trust = trust;
if (!need_validation)
addedrdataset = ardataset;
else
@@ -4044,7 +4067,7 @@ ncache_message(fetchctx_t *fctx, dns_adb
for (trdataset = ISC_LIST_HEAD(tname->list);
trdataset != NULL;
trdataset = ISC_LIST_NEXT(trdataset, link))
- trdataset->trust = dns_trust_pending;
+ trdataset->trust = dns_trust_pending_answer;
result = dns_message_nextname(fctx->rmessage,
DNS_SECTION_AUTHORITY);
}
Modified: releng/6.4/contrib/bind9/lib/dns/validator.c
==============================================================================
--- releng/6.4/contrib/bind9/lib/dns/validator.c Wed Jan 6 21:36:33
2010 (r201678)
+++ releng/6.4/contrib/bind9/lib/dns/validator.c Wed Jan 6 21:45:30
2010 (r201679)
@@ -238,7 +238,7 @@ auth_nonpending(dns_message_t *message)
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link))
{
- if (rdataset->trust == dns_trust_pending)
+ if (DNS_TRUST_PENDING(rdataset->trust))
rdataset->trust = dns_trust_authauthority;
}
}
@@ -1175,7 +1175,7 @@ get_key(dns_validator_t *val, dns_rdata_
* We have an rrset for the given keyname.
*/
val->keyset = &val->frdataset;
- if (val->frdataset.trust == dns_trust_pending &&
+ if (DNS_TRUST_PENDING(val->frdataset.trust) &&
dns_rdataset_isassociated(&val->fsigrdataset))
{
/*
@@ -1190,7 +1190,7 @@ get_key(dns_validator_t *val, dns_rdata_
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
- } else if (val->frdataset.trust == dns_trust_pending) {
+ } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
/*
* Having a pending key with no signature means that
* something is broken.
@@ -1758,7 +1758,7 @@ validatezonekey(dns_validator_t *val) {
* We have DS records.
*/
val->dsset = &val->frdataset;
- if (val->frdataset.trust == dns_trust_pending &&
+ if (DNS_TRUST_PENDING(val->frdataset.trust) &&
dns_rdataset_isassociated(&val->fsigrdataset))
{
result = create_validator(val,
@@ -1771,7 +1771,7 @@ validatezonekey(dns_validator_t *val) {
if (result != ISC_R_SUCCESS)
return (result);
return (DNS_R_WAIT);
- } else if (val->frdataset.trust == dns_trust_pending) {
+ } else if (DNS_TRUST_PENDING(val->frdataset.trust)) {
/*
* There should never be an unsigned DS.
*/
@@ -2564,7 +2564,7 @@ proveunsecure(dns_validator_t *val, isc_
* There is no DS. If this is a delegation,
* we maybe done.
*/
- if (val->frdataset.trust == dns_trust_pending) {
+ if (DNS_TRUST_PENDING(val->frdataset.trust)) {
result = create_fetch(val, tname,
dns_rdatatype_ds,
dsfetched2,
Modified: releng/6.4/contrib/ntp/ntpd/ntp_request.c
==============================================================================
--- releng/6.4/contrib/ntp/ntpd/ntp_request.c Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/6.4/contrib/ntp/ntpd/ntp_request.c Wed Jan 6 21:45:30 2010
(r201679)
@@ -409,6 +409,7 @@ process_private(
int mod_okay
)
{
+ static u_long quiet_until;
struct req_pkt *inpkt;
struct req_pkt_tail *tailinpkt;
struct sockaddr_storage *srcadr;
@@ -444,8 +445,14 @@ process_private(
|| (++ec, INFO_MBZ(inpkt->mbz_itemsize) != 0)
|| (++ec, rbufp->recv_length < REQ_LEN_HDR)
) {
- msyslog(LOG_ERR, "process_private: INFO_ERR_FMT: test %d
failed, pkt from %s", ec, stoa(srcadr));
- req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+ NLOG(NLOG_SYSEVENT)
+ if (current_time >= quiet_until) {
+ msyslog(LOG_ERR,
+ "process_private: drop test %d"
+ " failed, pkt from %s",
+ ec, stoa(srcadr));
+ quiet_until = current_time + 60;
+ }
return;
}
Modified: releng/6.4/sys/conf/newvers.sh
==============================================================================
--- releng/6.4/sys/conf/newvers.sh Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/6.4/sys/conf/newvers.sh Wed Jan 6 21:45:30 2010
(r201679)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="6.4"
-BRANCH="RELEASE-p8"
+BRANCH="RELEASE-p9"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/7.1/UPDATING
==============================================================================
--- releng/7.1/UPDATING Wed Jan 6 21:36:33 2010 (r201678)
+++ releng/7.1/UPDATING Wed Jan 6 21:45:30 2010 (r201679)
@@ -8,6 +8,15 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20100106: p10 FreeBSD-SA-10:01.bind, FreeBSD-SA-10:02.ntpd,
+ FreeBSD-SA-10:03.zfs
+ Fix BIND named(8) cache poisoning with DNSSEC validation.
+ [SA-10:01]
+
+ Fix ntpd mode 7 denial of service. [SA-10:02]
+
+ Fix ZFS ZIL playback with insecure permissions. [SA-10:03]
+
20091203: p9 FreeBSD-SA-09:15.ssl, FreeBSD-SA-09:16.rtld,
FreeBSD-SA-09:17.freebsd-update
Disable SSL renegotiation in order to protect against a serious
Modified: releng/7.1/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/7.1/contrib/bind9/bin/named/query.c Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/7.1/contrib/bind9/bin/named/query.c Wed Jan 6 21:45:30 2010
(r201679)
@@ -109,6 +109,8 @@
#define DNS_GETDB_NOLOG 0x02U
#define DNS_GETDB_PARTIAL 0x04U
+#define PENDINGOK(x) (((x) & DNS_DBFIND_PENDINGOK) != 0)
+
typedef struct client_additionalctx {
ns_client_t *client;
dns_rdataset_t *rdataset;
@@ -1721,8 +1723,8 @@ query_addadditional2(void *arg, dns_name
*/
if (result == ISC_R_SUCCESS &&
additionaltype == dns_rdatasetadditional_fromcache &&
- (rdataset->trust == dns_trust_pending ||
- rdataset->trust == dns_trust_glue) &&
+ (DNS_TRUST_PENDING(rdataset->trust) ||
+ DNS_TRUST_GLUE(rdataset->trust)) &&
!validate(client, db, fname, rdataset, sigrdataset)) {
dns_rdataset_disassociate(rdataset);
if (dns_rdataset_isassociated(sigrdataset))
@@ -1761,8 +1763,8 @@ query_addadditional2(void *arg, dns_name
*/
if (result == ISC_R_SUCCESS &&
additionaltype == dns_rdatasetadditional_fromcache &&
- (rdataset->trust == dns_trust_pending ||
- rdataset->trust == dns_trust_glue) &&
+ (DNS_TRUST_PENDING(rdataset->trust) ||
+ DNS_TRUST_GLUE(rdataset->trust)) &&
!validate(client, db, fname, rdataset, sigrdataset)) {
dns_rdataset_disassociate(rdataset);
if (dns_rdataset_isassociated(sigrdataset))
@@ -2547,14 +2549,14 @@ query_addbestns(ns_client_t *client) {
/*
* Attempt to validate RRsets that are pending or that are glue.
*/
- if ((rdataset->trust == dns_trust_pending ||
- (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending))
+ if ((DNS_TRUST_PENDING(rdataset->trust) ||
+ (sigrdataset != NULL && DNS_TRUST_PENDING(sigrdataset->trust)))
&& !validate(client, db, fname, rdataset, sigrdataset) &&
- (client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0)
+ !PENDINGOK(client->query.dboptions))
goto cleanup;
- if ((rdataset->trust == dns_trust_glue ||
- (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)) &&
+ if ((DNS_TRUST_GLUE(rdataset->trust) ||
+ (sigrdataset != NULL && DNS_TRUST_GLUE(sigrdataset->trust))) &&
!validate(client, db, fname, rdataset, sigrdataset) &&
SECURE(client) && WANTDNSSEC(client))
goto cleanup;
@@ -3335,6 +3337,8 @@ query_find(ns_client_t *client, dns_fetc
unsigned int options;
isc_boolean_t empty_wild;
dns_rdataset_t *noqname;
+ dns_rdataset_t tmprdataset;
+ unsigned int dboptions;
CTRACE("query_find");
@@ -3544,9 +3548,49 @@ query_find(ns_client_t *client, dns_fetc
/*
* Now look for an answer in the database.
*/
+ dboptions = client->query.dboptions;
+ if (sigrdataset == NULL && client->view->enablednssec) {
+ /*
+ * If the client doesn't want DNSSEC we still want to
+ * look for any data pending validation to save a remote
+ * lookup if possible.
+ */
+ dns_rdataset_init(&tmprdataset);
+ sigrdataset = &tmprdataset;
+ dboptions |= DNS_DBFIND_PENDINGOK;
+ }
+ refind:
result = dns_db_find(db, client->query.qname, version, type,
- client->query.dboptions, client->now,
- &node, fname, rdataset, sigrdataset);
+ dboptions, client->now, &node, fname,
+ rdataset, sigrdataset);
+ /*
+ * If we have found pending data try to validate it.
+ * If the data does not validate as secure and we can't
+ * use the unvalidated data requery the database with
+ * pending disabled to prevent infinite looping.
+ */
+ if (result != ISC_R_SUCCESS || !DNS_TRUST_PENDING(rdataset->trust))
+ goto validation_done;
+ if (validate(client, db, fname, rdataset, sigrdataset))
+ goto validation_done;
+ if (rdataset->trust != dns_trust_pending_answer ||
+ !PENDINGOK(client->query.dboptions)) {
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ if (sigrdataset == &tmprdataset)
+ sigrdataset = NULL;
+ dns_db_detachnode(db, &node);
+ dboptions &= ~DNS_DBFIND_PENDINGOK;
+ goto refind;
+ }
+ validation_done:
+ if (sigrdataset == &tmprdataset) {
+ if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ sigrdataset = NULL;
+ }
resume:
CTRACE("query_find: resume");
Modified: releng/7.1/contrib/bind9/lib/dns/include/dns/types.h
==============================================================================
--- releng/7.1/contrib/bind9/lib/dns/include/dns/types.h Wed Jan 6
21:36:33 2010 (r201678)
+++ releng/7.1/contrib/bind9/lib/dns/include/dns/types.h Wed Jan 6
21:45:30 2010 (r201679)
@@ -241,40 +241,52 @@ enum {
dns_trust_none = 0,
#define dns_trust_none ((dns_trust_t)dns_trust_none)
- /*% Subject to DNSSEC validation but has not yet been validated */
- dns_trust_pending = 1,
-#define dns_trust_pending ((dns_trust_t)dns_trust_pending)
-
+ /*%
+ * Subject to DNSSEC validation but has not yet been validated
+ * dns_trust_pending_additional (from the additional section).
+ */
+ dns_trust_pending_additional = 1,
+#define dns_trust_pending_additional \
+ ((dns_trust_t)dns_trust_pending_additional)
+
+ dns_trust_pending_answer = 2,
+#define dns_trust_pending_answer ((dns_trust_t)dns_trust_pending_answer)
+
/*% Received in the additional section of a response. */
- dns_trust_additional = 2,
+ dns_trust_additional = 3,
#define dns_trust_additional ((dns_trust_t)dns_trust_additional)
-
- /* Received in a referral response. */
- dns_trust_glue = 3,
+
+ /* Received in a referral response. */
+ dns_trust_glue = 4,
#define dns_trust_glue ((dns_trust_t)dns_trust_glue)
-
- /* Answser from a non-authoritative server */
- dns_trust_answer = 4,
+
+ /* Answer from a non-authoritative server */
+ dns_trust_answer = 5,
#define dns_trust_answer ((dns_trust_t)dns_trust_answer)
-
+
/* Received in the authority section as part of an
authoritative response */
- dns_trust_authauthority = 5,
+ dns_trust_authauthority = 6,
#define dns_trust_authauthority
((dns_trust_t)dns_trust_authauthority)
- /* Answser from an authoritative server */
- dns_trust_authanswer = 6,
+ /* Answer from an authoritative server */
+ dns_trust_authanswer = 7,
#define dns_trust_authanswer ((dns_trust_t)dns_trust_authanswer)
-
- /* Successfully DNSSEC validated */
- dns_trust_secure = 7,
+
+ /* Successfully DNSSEC validated */
+ dns_trust_secure = 8,
#define dns_trust_secure ((dns_trust_t)dns_trust_secure)
/* This server is authoritative */
- dns_trust_ultimate = 8
+ dns_trust_ultimate = 9
#define dns_trust_ultimate ((dns_trust_t)dns_trust_ultimate)
};
+#define DNS_TRUST_PENDING(x) ((x) == dns_trust_pending_answer || \
+ (x) == dns_trust_pending_additional)
+#define DNS_TRUST_GLUE(x) ((x) == dns_trust_glue)
+
+
/*%
* Name checking severites.
*/
Modified: releng/7.1/contrib/bind9/lib/dns/masterdump.c
==============================================================================
--- releng/7.1/contrib/bind9/lib/dns/masterdump.c Wed Jan 6 21:36:33
2010 (r201678)
+++ releng/7.1/contrib/bind9/lib/dns/masterdump.c Wed Jan 6 21:45:30
2010 (r201679)
@@ -774,7 +774,8 @@ dump_order_compare(const void *a, const
static const char *trustnames[] = {
"none",
- "pending",
+ "pending-additional",
+ "pending-answer",
"additional",
"glue",
"answer",
Modified: releng/7.1/contrib/bind9/lib/dns/rbtdb.c
==============================================================================
--- releng/7.1/contrib/bind9/lib/dns/rbtdb.c Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/7.1/contrib/bind9/lib/dns/rbtdb.c Wed Jan 6 21:45:30 2010
(r201679)
@@ -3070,7 +3070,7 @@ cache_zonecut_callback(dns_rbtnode_t *no
}
if (dname_header != NULL &&
- (dname_header->trust != dns_trust_pending ||
+ (!DNS_TRUST_PENDING(dname_header->trust) ||
(search->options & DNS_DBFIND_PENDINGOK) != 0)) {
/*
* We increment the reference count on node to ensure that
@@ -3584,7 +3584,7 @@ cache_find(dns_db_t *db, dns_name_t *nam
if (found == NULL ||
(found->trust == dns_trust_glue &&
((options & DNS_DBFIND_GLUEOK) == 0)) ||
- (found->trust == dns_trust_pending &&
+ (DNS_TRUST_PENDING(found->trust) &&
((options & DNS_DBFIND_PENDINGOK) == 0))) {
/*
* If there is an NS rdataset at this node, then this is the
Modified: releng/7.1/contrib/bind9/lib/dns/resolver.c
==============================================================================
--- releng/7.1/contrib/bind9/lib/dns/resolver.c Wed Jan 6 21:36:33 2010
(r201678)
+++ releng/7.1/contrib/bind9/lib/dns/resolver.c Wed Jan 6 21:45:30 2010
(r201679)
@@ -3847,6 +3847,7 @@ cache_name(fetchctx_t *fctx, dns_name_t
* for it, unless it is glue.
*/
if (secure_domain && rdataset->trust != dns_trust_glue) {
+ dns_trust_t trust;
/*
* RRSIGs are validated as part of validating the
* type they cover.
@@ -3883,12 +3884,34 @@ cache_name(fetchctx_t *fctx, dns_name_t
}
/*
+ * Reject out of bailiwick additional records
+ * without RRSIGs as they can't possibly validate
+ * as "secure" and as we will never never want to
+ * store these as "answers" after validation.
+ */
+ if (rdataset->trust == dns_trust_additional &&
+ sigrdataset == NULL && EXTERNAL(rdataset))
+ continue;
+
+ /*
+ * XXXMPA: If we store as "answer" after validating
+ * then we need to do bailiwick processing and
+ * also need to track whether RRsets are in or
+ * out of bailiwick. This will require a another
+ * pending trust level.
+ *
* Cache this rdataset/sigrdataset pair as
- * pending data.
+ * pending data. Track whether it was additional
+ * or not.
*/
- rdataset->trust = dns_trust_pending;
+ if (rdataset->trust == dns_trust_additional)
+ trust = dns_trust_pending_additional;
+ else
+ trust = dns_trust_pending_answer;
+
+ rdataset->trust = trust;
if (sigrdataset != NULL)
- sigrdataset->trust = dns_trust_pending;
+ sigrdataset->trust = trust;
if (!need_validation)
addedrdataset = ardataset;
else
@@ -4236,7 +4259,7 @@ ncache_message(fetchctx_t *fctx, dns_adb
for (trdataset = ISC_LIST_HEAD(tname->list);
trdataset != NULL;
trdataset = ISC_LIST_NEXT(trdataset, link))
- trdataset->trust = dns_trust_pending;
+ trdataset->trust = dns_trust_pending_answer;
result = dns_message_nextname(fctx->rmessage,
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
