Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package pdns-recursor for openSUSE:Factory 
checked in at 2021-07-05 22:22:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pdns-recursor (Old)
 and      /work/SRC/openSUSE:Factory/.pdns-recursor.new.2625 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pdns-recursor"

Mon Jul  5 22:22:59 2021 rev:46 rq:904048 version:4.5.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/pdns-recursor/pdns-recursor.changes      
2021-06-25 15:02:18.208222243 +0200
+++ /work/SRC/openSUSE:Factory/.pdns-recursor.new.2625/pdns-recursor.changes    
2021-07-05 22:23:31.917465667 +0200
@@ -1,0 +2,7 @@
+Mon Jul  5 07:27:02 UTC 2021 - Wolfgang Rosenauer <[email protected]>
+
+- update to 4.5.4:
+  * Make sure that we pass the SOA along the NSEC(3) proof for
+    DS queries.
+
+-------------------------------------------------------------------

Old:
----
  pdns-recursor-4.5.2.tar.bz2
  pdns-recursor-4.5.2.tar.bz2.sig

New:
----
  pdns-recursor-4.5.4.tar.bz2
  pdns-recursor-4.5.4.tar.bz2.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pdns-recursor.spec ++++++
--- /var/tmp/diff_new_pack.ro8heY/_old  2021-07-05 22:23:32.469461395 +0200
+++ /var/tmp/diff_new_pack.ro8heY/_new  2021-07-05 22:23:32.473461364 +0200
@@ -31,7 +31,7 @@
 %endif
 
 Name:           pdns-recursor
-Version:        4.5.2
+Version:        4.5.4
 Release:        0
 BuildRequires:  autoconf
 BuildRequires:  automake

++++++ pdns-recursor-4.5.2.tar.bz2 -> pdns-recursor-4.5.4.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-4.5.2/configure 
new/pdns-recursor-4.5.4/configure
--- old/pdns-recursor-4.5.2/configure   2021-06-08 09:10:08.000000000 +0200
+++ new/pdns-recursor-4.5.4/configure   2021-06-30 13:46:50.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for pdns-recursor 4.5.2.
+# Generated by GNU Autoconf 2.69 for pdns-recursor 4.5.4.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
 # Identity of this package.
 PACKAGE_NAME='pdns-recursor'
 PACKAGE_TARNAME='pdns-recursor'
-PACKAGE_VERSION='4.5.2'
-PACKAGE_STRING='pdns-recursor 4.5.2'
+PACKAGE_VERSION='4.5.4'
+PACKAGE_STRING='pdns-recursor 4.5.4'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -1530,7 +1530,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures pdns-recursor 4.5.2 to adapt to many kinds of systems.
+\`configure' configures pdns-recursor 4.5.4 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1601,7 +1601,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of pdns-recursor 4.5.2:";;
+     short | recursive ) echo "Configuration of pdns-recursor 4.5.4:";;
    esac
   cat <<\_ACEOF
 
@@ -1780,7 +1780,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-pdns-recursor configure 4.5.2
+pdns-recursor configure 4.5.4
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2497,7 +2497,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by pdns-recursor $as_me 4.5.2, which was
+It was created by pdns-recursor $as_me 4.5.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3365,7 +3365,7 @@
 
 # Define the identity of the package.
  PACKAGE='pdns-recursor'
- VERSION='4.5.2'
+ VERSION='4.5.4'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -27384,7 +27384,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by pdns-recursor $as_me 4.5.2, which was
+This file was extended by pdns-recursor $as_me 4.5.4, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -27450,7 +27450,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-pdns-recursor config.status 4.5.2
+pdns-recursor config.status 4.5.4
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-4.5.2/configure.ac 
new/pdns-recursor-4.5.4/configure.ac
--- old/pdns-recursor-4.5.2/configure.ac        2021-06-08 09:09:57.000000000 
+0200
+++ new/pdns-recursor-4.5.4/configure.ac        2021-06-30 13:46:38.000000000 
+0200
@@ -1,6 +1,6 @@
 AC_PREREQ([2.69])
 
-AC_INIT([pdns-recursor], [4.5.2])
+AC_INIT([pdns-recursor], [4.5.4])
 AC_CONFIG_AUX_DIR([build-aux])
 AM_INIT_AUTOMAKE([foreign dist-bzip2 no-dist-gzip tar-ustar -Wno-portability 
subdir-objects parallel-tests 1.11])
 AM_SILENT_RULES([yes])
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-4.5.2/effective_tld_names.dat 
new/pdns-recursor-4.5.4/effective_tld_names.dat
--- old/pdns-recursor-4.5.2/effective_tld_names.dat     2021-06-08 
09:11:28.000000000 +0200
+++ new/pdns-recursor-4.5.4/effective_tld_names.dat     2021-06-30 
13:48:34.000000000 +0200
@@ -734,7 +734,6 @@
 // cl : https://www.nic.cl
 // Confirmed by .CL registry <[email protected]>
 cl
-aprendemas.cl
 co.cl
 gob.cl
 gov.cl
@@ -7126,7 +7125,7 @@
 
 // newGTLDs
 
-// List of new gTLDs imported from 
https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 
2021-05-11T15:13:51Z
+// List of new gTLDs imported from 
https://www.icann.org/resources/registries/gtlds/v2/gtlds.json on 
2021-06-26T15:13:33Z
 // This list is auto-generated, don't edit it manually.
 // aaa : 2015-02-26 American Automobile Association, Inc.
 aaa
@@ -7545,7 +7544,7 @@
 // broadway : 2014-12-22 Celebrate Broadway, Inc.
 broadway
 
-// broker : 2014-12-11 Dotbroker Registry Limited
+// broker : 2014-12-11 Dog Beach, LLC
 broker
 
 // brother : 2015-01-29 Brother Industries, Ltd.
@@ -8226,7 +8225,7 @@
 // ford : 2014-11-13 Ford Motor Company
 ford
 
-// forex : 2014-12-11 Dotforex Registry Limited
+// forex : 2014-12-11 Dog Beach, LLC
 forex
 
 // forsale : 2014-05-22 Dog Beach, LLC
@@ -8964,7 +8963,7 @@
 // marketing : 2013-11-07 Binky Moon, LLC
 marketing
 
-// markets : 2014-12-11 Dotmarkets Registry Limited
+// markets : 2014-12-11 Dog Beach, LLC
 markets
 
 // marriott : 2014-10-09 Marriott Worldwide Corporation
@@ -10041,7 +10040,7 @@
 // trade : 2014-01-23 Elite Registry Limited
 trade
 
-// trading : 2014-12-11 Dottrading Registry Limited
+// trading : 2014-12-11 Dog Beach, LLC
 trading
 
 // training : 2013-11-07 Binky Moon, LLC
@@ -10902,6 +10901,10 @@
 bplaced.net
 square7.net
 
+// Brendly : https://brendly.rs
+// Submitted by Dusan Radovanovic <[email protected]>
+shop.brendly.rs
+
 // BrowserSafetyMark
 // Submitted by Dave Tharp <[email protected]>
 browsersafetymark.io
@@ -11203,6 +11206,10 @@
 // Submitted by Richard Li <[email protected]>
 edgestack.me
 
+// DDNS5 : https://ddns5.com
+// Submitted by Cameron Elliott <[email protected]>
+ddns5.com
+
 // Debian : https://www.debian.org/
 // Submitted by Peter Palfrader / Debian Sysadmin Team 
<[email protected]>
 debian.net
@@ -12544,6 +12551,11 @@
 mcpre.ru
 vps.mcdir.ru
 
+// Mediatech : https://mediatech.by
+// Submitted by Evgeniy Kozhuhovskiy <[email protected]>
+mediatech.by
+mediatech.dev
+
 // Medicom Health : https://medicomhealth.com
 // Submitted by Michael Olson <[email protected]>
 hra.health
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-4.5.2/pdns_recursor.1 
new/pdns-recursor-4.5.4/pdns_recursor.1
--- old/pdns-recursor-4.5.2/pdns_recursor.1     2021-06-08 09:11:28.000000000 
+0200
+++ new/pdns-recursor-4.5.4/pdns_recursor.1     2021-06-30 13:48:34.000000000 
+0200
@@ -27,7 +27,7 @@
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "PDNS_RECURSOR" "1" "Jun 08, 2021" "" "PowerDNS Recursor"
+.TH "PDNS_RECURSOR" "1" "Jun 30, 2021" "" "PowerDNS Recursor"
 .SH NAME
 pdns_recursor \- The PowerDNS Recursor binary
 .SH SYNOPSIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-4.5.2/pubsuffix.cc 
new/pdns-recursor-4.5.4/pubsuffix.cc
--- old/pdns-recursor-4.5.2/pubsuffix.cc        2021-06-08 09:11:28.000000000 
+0200
+++ new/pdns-recursor-4.5.4/pubsuffix.cc        2021-06-30 13:48:34.000000000 
+0200
@@ -534,7 +534,6 @@
 "presse.ci",
 "md.ci",
 "gouv.ci",
-"aprendemas.cl",
 "co.cl",
 "gob.cl",
 "gov.cl",
@@ -5659,6 +5658,7 @@
 "square7.de",
 "bplaced.net",
 "square7.net",
+"shop.brendly.rs",
 "browsersafetymark.io",
 "uk0.bigv.io",
 "dh.bytemark.co.uk",
@@ -5791,6 +5791,7 @@
 "dyndns.dappnode.io",
 "builtwithdark.com",
 "edgestack.me",
+"ddns5.com",
 "debian.net",
 "deno.dev",
 "deno-staging.dev",
@@ -6703,6 +6704,8 @@
 "mcdir.ru",
 "mcpre.ru",
 "vps.mcdir.ru",
+"mediatech.by",
+"mediatech.dev",
 "hra.health",
 "miniserver.com",
 "memset.net",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-4.5.2/rec_control.1 
new/pdns-recursor-4.5.4/rec_control.1
--- old/pdns-recursor-4.5.2/rec_control.1       2021-06-08 09:11:28.000000000 
+0200
+++ new/pdns-recursor-4.5.4/rec_control.1       2021-06-30 13:48:34.000000000 
+0200
@@ -27,7 +27,7 @@
 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
 ..
-.TH "REC_CONTROL" "1" "Jun 08, 2021" "" "PowerDNS Recursor"
+.TH "REC_CONTROL" "1" "Jun 30, 2021" "" "PowerDNS Recursor"
 .SH NAME
 rec_control \- Command line tool to control a running Recursor
 .SH SYNOPSIS
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-4.5.2/syncres.cc 
new/pdns-recursor-4.5.4/syncres.cc
--- old/pdns-recursor-4.5.2/syncres.cc  2021-06-08 09:09:15.000000000 +0200
+++ new/pdns-recursor-4.5.4/syncres.cc  2021-06-30 09:14:21.000000000 +0200
@@ -145,6 +145,13 @@
   else if(qclass!=QClass::IN)
     return -1;
 
+  if (qtype == QType::DS) {
+    d_externalDSQuery = qname;
+  }
+  else {
+    d_externalDSQuery.clear();
+  }
+
   set<GetBestNSAnswer> beenthere;
   int res=doResolve(qname, qtype, ret, depth, beenthere, state);
   d_queryValidationState = state;
@@ -1618,6 +1625,11 @@
   }
 }
 
+static bool negativeCacheEntryHasSOA(const NegCache::NegCacheEntry& ne)
+{
+  return !ne.authoritySOA.records.empty();
+}
+
 static void reapRecordsForValidation(std::map<QType, CacheEntry>& entries, 
const vector<DNSRecord>& records)
 {
   for (const auto& rec : records) {
@@ -1728,15 +1740,23 @@
     if (qtype != QType::DS || ne.d_qtype.getCode() || ne.d_auth != qname ||
         g_negCache->get(qname, qtype, d_now, ne, true))
     {
-      res = RCode::NXDomain;
-      sttl = ne.d_ttd - d_now.tv_sec;
-      giveNegative = true;
-      cachedState = ne.d_validationState;
-      if (ne.d_qtype.getCode()) {
-        LOG(prefix<<qname<<": "<<qtype.getName()<<" is negatively cached via 
'"<<ne.d_auth<<"' for another "<<sttl<<" seconds"<<endl);
-        res = RCode::NoError;
-      } else {
-        LOG(prefix<<qname<<": Entire name '"<<qname<<"' is negatively cached 
via '"<<ne.d_auth<<"' for another "<<sttl<<" seconds"<<endl);
+      /* Careful! If the client is asking for a DS that does not exist, we 
need to provide the SOA along with the NSEC(3) proof
+         and we might not have it if we picked up the proof from a delegation, 
in which case we need to keep on to do the actual DS
+         query. */
+      if (qtype == QType::DS && ne.d_qtype.getCode() && 
!d_externalDSQuery.empty() && qname == d_externalDSQuery && 
!negativeCacheEntryHasSOA(ne)) {
+        giveNegative = false;
+      }
+      else {
+        res = RCode::NXDomain;
+        sttl = ne.d_ttd - d_now.tv_sec;
+        giveNegative = true;
+        cachedState = ne.d_validationState;
+        if (ne.d_qtype.getCode()) {
+          LOG(prefix<<qname<<": "<<qtype.getName()<<" is negatively cached via 
'"<<ne.d_auth<<"' for another "<<sttl<<" seconds"<<endl);
+          res = RCode::NoError;
+        } else {
+          LOG(prefix<<qname<<": Entire name '"<<qname<<"' is negatively cached 
via '"<<ne.d_auth<<"' for another "<<sttl<<" seconds"<<endl);
+        }
       }
     }
   } else if (s_hardenNXD != HardenNXD::No && !qname.isRoot() && 
!wasForwardedOrAuthZone) {
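Review bot: The new bypass branch at `giveNegative = false;` is silent, while the `else` branch logs why a negative answer is served, so a trace gives no hint of why a cached denial was skipped for a client DS query. A line such as `LOG(prefix<<qname<<": negative cache entry for DS has no SOA, doing the actual DS query"<<endl);` before the assignment would make that visible. The entry without an SOA is left in the cache here; presumably the follow-up DS query replaces it, but nothing in this hunk shows that, so it is worth confirming that repeated client DS queries do not skip the cache each time. The enclosing function starts and ends outside the hunk.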
@@ -3648,7 +3668,10 @@
               g_negCache->add(ne);
             }
 
-            if (qtype == QType::DS && qname == newauth) {
+            /* Careful! If the client is asking for a DS that does not exist, 
we need to provide the SOA along with the NSEC(3) proof
+               and we might not have it if we picked up the proof from a 
delegation, in which case we need to keep on to do the actual DS
+               query. */
+            if (qtype == QType::DS && qname == newauth && 
(d_externalDSQuery.empty() || qname != d_externalDSQuery)) {
               /* we are actually done! */
               negindic = true;
               negIndicHasSignatures = !ne.authoritySOA.signatures.empty() || 
!ne.DNSSECRecords.signatures.empty();
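Review bot: The `d_externalDSQuery.empty() ||` half of the new condition looks redundant: if `qname` is never empty at this point (not visible in the hunk), `qname != d_externalDSQuery` is already true for an empty member and would do on its own. The comment above it is a verbatim copy of the one in the negative-cache hunk, although this site tests the opposite case; something like `/* only stop here for internal DS lookups; the client's own DS query has to go on to the real DS query to get the SOA */` would describe what this condition does. The same client-DS-query predicate is now spelled out at both sites, and a small private helper would keep the two in step. The enclosing function continues outside the hunk.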
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-4.5.2/syncres.hh 
new/pdns-recursor-4.5.4/syncres.hh
--- old/pdns-recursor-4.5.2/syncres.hh  2021-06-08 09:09:15.000000000 +0200
+++ new/pdns-recursor-4.5.4/syncres.hh  2021-06-30 09:14:21.000000000 +0200
@@ -905,6 +905,9 @@
   boost::optional<const boost::uuids::uuid&> d_initialRequestId;
   asyncresolve_t d_asyncResolve{nullptr};
   struct timeval d_now;
+  /* if the client is asking for a DS that does not exist, we need to provide 
the SOA along with the NSEC(3) proof
+     and we might not have it if we picked up the proof from a delegation */
+  DNSName d_externalDSQuery;
   string d_prefix;
   vState d_queryValidationState{vState::Indeterminate};
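Review bot: The comment on `d_externalDSQuery` gives the reason for the field but not what it holds. From the `beginResolve` hunk in syncres.cc it is set to the query name when the incoming query type is DS and cleared otherwise, so I would say that first, e.g. `/* name of the DS query passed to beginResolve(), empty when that query is not for DS */`, and keep the existing rationale after it.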
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pdns-recursor-4.5.2/test-syncres_cc7.cc 
new/pdns-recursor-4.5.4/test-syncres_cc7.cc
--- old/pdns-recursor-4.5.2/test-syncres_cc7.cc 2021-06-08 09:09:15.000000000 
+0200
+++ new/pdns-recursor-4.5.4/test-syncres_cc7.cc 2021-06-23 15:43:01.000000000 
+0200
@@ -244,6 +244,23 @@
   BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Insecure);
   BOOST_REQUIRE_EQUAL(ret.size(), 1U);
   BOOST_CHECK_EQUAL(queriesCount, 5U);
+
+  /* Request the DS for powerdns.com, which does not exist. We should get
+     the denial proof AND the SOA */
+  ret.clear();
+  res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);
+  BOOST_CHECK_EQUAL(res, RCode::NoError);
+  BOOST_CHECK_EQUAL(sr->getValidationState(), vState::Secure);
+  BOOST_REQUIRE_EQUAL(ret.size(), 4U);
+  bool soaFound = false;
+  for (const auto& record : ret) {
+    if (record.d_type == QType::SOA) {
+      soaFound = true;
+      break;
+    }
+  }
+  BOOST_CHECK_EQUAL(soaFound, true);
+  BOOST_CHECK_EQUAL(queriesCount, 6U);
 }
 
 BOOST_AUTO_TEST_CASE(test_dnssec_secure_to_insecure_cname)
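Review bot: The added assertions exercise the first client DS query only; nothing checks that a repeat of the same query, which should then be answerable from the cache, still carries the SOA. Repeating `ret.clear(); res = sr->beginResolve(target, QType(QType::DS), QClass::IN, ret);` and asserting that the SOA is present with `queriesCount` unchanged would pin that (the expected count is presumably still 6, to be confirmed by running it). The `soaFound` loop could also be written as a `std::any_of` over `ret`. The test case begins outside the hunk.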
