Module Name: src Committed By: christos Date: Thu Apr 13 19:11:20 UTC 2017
Modified Files: src/external/bsd/bind/dist: CHANGES README configure srcid version src/external/bsd/bind/dist/bin/named: query.c src/external/bsd/bind/dist/doc/arm: Bv9ARM.ch04.html Bv9ARM.ch06.html Bv9ARM.ch07.html Bv9ARM.ch08.html Bv9ARM.ch09.html Bv9ARM.html Bv9ARM.pdf man.arpaname.html man.ddns-confgen.html man.delv.html man.dig.html man.dnssec-checkds.html man.dnssec-coverage.html man.dnssec-dsfromkey.html man.dnssec-importkey.html man.dnssec-keyfromlabel.html man.dnssec-keygen.html man.dnssec-revoke.html man.dnssec-settime.html man.dnssec-signzone.html man.dnssec-verify.html man.genrandom.html man.host.html man.isc-hmac-fixup.html man.named-checkconf.html man.named-checkzone.html man.named-journalprint.html man.named-rrchecker.html man.named.html man.nsec3hash.html man.nsupdate.html man.rndc-confgen.html man.rndc.conf.html man.rndc.html src/external/bsd/bind/dist/lib/dns: api rdataset.c resolver.c src/external/bsd/bind/dist/lib/isc: lex.c src/external/bsd/bind/dist/lib/isc/include/isc: lex.h Log Message: merge conflicts. 
To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.26 src/external/bsd/bind/dist/CHANGES cvs rdiff -u -r1.13 -r1.14 src/external/bsd/bind/dist/README cvs rdiff -u -r1.6 -r1.7 src/external/bsd/bind/dist/configure cvs rdiff -u -r1.19 -r1.20 src/external/bsd/bind/dist/srcid cvs rdiff -u -r1.23 -r1.24 src/external/bsd/bind/dist/version cvs rdiff -u -r1.23 -r1.24 src/external/bsd/bind/dist/bin/named/query.c cvs rdiff -u -r1.13 -r1.14 \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html \ src/external/bsd/bind/dist/doc/arm/Bv9ARM.html \ src/external/bsd/bind/dist/doc/arm/man.arpaname.html \ src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html \ src/external/bsd/bind/dist/doc/arm/man.delv.html \ src/external/bsd/bind/dist/doc/arm/man.dig.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html \ src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html \ src/external/bsd/bind/dist/doc/arm/man.genrandom.html \ src/external/bsd/bind/dist/doc/arm/man.host.html \ src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html \ src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html \ src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html \ src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html \ 
src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html \ src/external/bsd/bind/dist/doc/arm/man.named.html \ src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html \ src/external/bsd/bind/dist/doc/arm/man.nsupdate.html \ src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html \ src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html \ src/external/bsd/bind/dist/doc/arm/man.rndc.html cvs rdiff -u -r1.18 -r1.19 src/external/bsd/bind/dist/doc/arm/Bv9ARM.pdf cvs rdiff -u -r1.13 -r1.14 src/external/bsd/bind/dist/lib/dns/api cvs rdiff -u -r1.9 -r1.10 src/external/bsd/bind/dist/lib/dns/rdataset.c cvs rdiff -u -r1.29 -r1.30 src/external/bsd/bind/dist/lib/dns/resolver.c cvs rdiff -u -r1.7 -r1.8 src/external/bsd/bind/dist/lib/isc/lex.c cvs rdiff -u -r1.4 -r1.5 src/external/bsd/bind/dist/lib/isc/include/isc/lex.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/bsd/bind/dist/CHANGES diff -u src/external/bsd/bind/dist/CHANGES:1.25 src/external/bsd/bind/dist/CHANGES:1.26 --- src/external/bsd/bind/dist/CHANGES:1.25 Wed Feb 8 19:23:26 2017 +++ src/external/bsd/bind/dist/CHANGES Thu Apr 13 15:11:19 2017 @@ -1,7 +1,27 @@ + --- 9.10.4-P8 released --- + +4582. [security] 'rndc ""' could trigger a assertion failure in named. + (CVE-2017-3138) [RT #44924] + +4580. [bug] 4578 introduced a regression when handling CNAME to + referral below the current domain. [RT #44850] + + --- 9.10.4-P7 released --- + +4578. [security] Some chaining (CNAME or DNAME) responses to upstream + queries could trigger assertion failures. + (CVE-2017-3137) [RT #44734] + +4575. [security] DNS64 with "break-dnssec yes;" can result in an + assertion failure. (CVE-2017-3136) [RT #44653] + +4564. [maint] Update the built in managed keys to include the + upcoming root KSK. [RT #44579] + --- 9.10.4-P6 released --- 4558. [bug] Synthesised CNAME before matching DNAME was still - being cached when it should have been. [RT #44318] + being cached when it should not have been. [RT #44318] 4557. [security] Combining dns64 and rpz can result in dereferencing a NULL pointer (read). (CVE-2017-3135) [RT#44434] Index: src/external/bsd/bind/dist/README diff -u src/external/bsd/bind/dist/README:1.13 src/external/bsd/bind/dist/README:1.14 --- src/external/bsd/bind/dist/README:1.13 Wed Feb 8 19:23:26 2017 +++ src/external/bsd/bind/dist/README Thu Apr 13 15:11:19 2017 
@@ -51,6 +51,11 @@ BIND 9 For up-to-date release notes and errata, see http://www.isc.org/software/bind9/releasenotes +BIND 9.10.4-P7 + + This version contains fixes for CVE-2017-3136 and CVE-2017-3137, + and updates the built in trusted keys for the root zone. + BIND 9.10.4-P6 This version contains a fix for CVE-2017-3135, and a bug fix Index: src/external/bsd/bind/dist/configure diff -u src/external/bsd/bind/dist/configure:1.6 src/external/bsd/bind/dist/configure:1.7 --- src/external/bsd/bind/dist/configure:1.6 Thu May 26 12:49:55 2016 +++ src/external/bsd/bind/dist/configure Thu Apr 13 15:11:19 2017 @@ -1,5 +1,5 @@ #! /bin/sh -# Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC") # Copyright (C) 1996-2003 Internet Software Consortium. # # Permission to use, copy, modify, and/or distribute this software for any Index: src/external/bsd/bind/dist/srcid diff -u src/external/bsd/bind/dist/srcid:1.19 src/external/bsd/bind/dist/srcid:1.20 --- src/external/bsd/bind/dist/srcid:1.19 Wed Feb 8 19:23:26 2017 +++ src/external/bsd/bind/dist/srcid Thu Apr 13 15:11:19 2017 @@ -1 +1 @@ -SRCID=a6837d0 +SRCID=9f5232e Index: src/external/bsd/bind/dist/version diff -u src/external/bsd/bind/dist/version:1.23 src/external/bsd/bind/dist/version:1.24 --- src/external/bsd/bind/dist/version:1.23 Wed Feb 8 19:23:26 2017 +++ src/external/bsd/bind/dist/version Thu Apr 13 15:11:19 2017 @@ -7,5 +7,5 @@ MAJORVER=9 MINORVER=10 PATCHVER=4 RELEASETYPE=-P -RELEASEVER=6 +RELEASEVER=8 EXTENSIONS= Index: src/external/bsd/bind/dist/bin/named/query.c diff -u src/external/bsd/bind/dist/bin/named/query.c:1.23 src/external/bsd/bind/dist/bin/named/query.c:1.24 --- src/external/bsd/bind/dist/bin/named/query.c:1.23 Wed Feb 8 19:23:26 2017 +++ src/external/bsd/bind/dist/bin/named/query.c Thu Apr 13 15:11:19 2017 
@@ -1,7 +1,7 @@ -/* $NetBSD: query.c,v 1.23 2017/02/09 00:23:26 christos Exp $ */ +/* $NetBSD: query.c,v 1.24 2017/04/13 19:11:19 christos Exp $ */ /* - * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -8221,6 +8221,7 @@ query_find(ns_client_t *client, dns_fetc result = query_dns64(client, &fname, rdataset, sigrdataset, dbuf, DNS_SECTION_ANSWER); + noqname = NULL; dns_rdataset_disassociate(rdataset); dns_message_puttemprdataset(client->message, &rdataset); if (result == ISC_R_NOMORE) { Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html:1.13 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html:1.14 --- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html:1.13 Wed Feb 8 19:23:26 2017 +++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch04.html Thu Apr 13 15:11:20 2017 @@ -2326,6 +2326,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2. </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html:1.13 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html:1.14 --- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html:1.13 Wed Feb 8 19:23:26 2017 +++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch06.html Thu Apr 13 15:11:20 2017 
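Review bot: In the query.c hunk at `@@ -8221,6 +8221,7 @@` in query_find(), the new `noqname = NULL;` carries no comment explaining why the pointer must be dropped here, so it reads as a stray assignment that a later cleanup could remove. It sits directly before `dns_rdataset_disassociate(rdataset)` and `dns_message_puttemprdataset(client->message, &rdataset)`, which suggests noqname may refer to the rdataset being released. If that is the case, say so on the line above, e.g. `/* rdataset is released below; drop any noqname reference to it */`. The CHANGES entry 4575 on this page (DNS64 with "break-dnssec yes;", CVE-2017-3136) is presumably the issue this line fixes, and its number could be added to the comment once confirmed. query_find() starts and ends outside the hunk, so whether other paths that release rdataset need the same reset cannot be checked from here.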
@@ -12845,6 +12845,6 @@ HOST-127.EXAMPLE. MX 0 . </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html:1.13 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html:1.14 --- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch07.html Thu Apr 13 15:11:20 2017 @@ -248,6 +248,6 @@ zone "example.com" { </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html:1.13 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html:1.14 --- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch08.html Thu Apr 13 15:11:20 2017 @@ -134,6 +134,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html:1.13 src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html:1.14 --- src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.ch09.html Thu Apr 13 15:11:20 2017 
@@ -44,10 +44,11 @@ <div class="toc"> <p><b>Table of Contents</b></p> <dl class="toc"> -<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P6</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P8</a></span></dt> <dd><dl> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt> @@ -60,7 +61,7 @@ </div> <div class="section"> <div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P6</h2></div></div></div> +<a name="id-1.10.2"></a>Release Notes for BIND Version 9.10.4-P8</h2></div></div></div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_intro"></a>Introduction</h3></div></div></div> @@ -68,6 +69,11 @@ This document summarizes changes since BIND 9.10.4: </p> <p> + BIND 9.10.4-P7 addresses the security issue described in + CVE-2017-3136, and updates the built in trusted keys for + the root zone. + </p> +<p> BIND 9.10.4-P6 addresses the security issue described in CVE-2017-3135, and fixes a regression introduced in a prior security release. 
@@ -109,9 +115,52 @@ </div> <div class="section"> <div class="titlepage"><div><div><h3 class="title"> +<a name="root_key"></a>New DNSSEC Root Key</h3></div></div></div> +<p> + ICANN is in the process of introducing a new Key Signing Key (KSK) for + the global root zone. BIND has multiple methods for managing DNSSEC + trust anchors, with somewhat different behaviors. If the root + key is configured using the <span class="command"><strong>managed-keys</strong></span> + statement, or if the pre-configured root key is enabled by using + <span class="command"><strong>dnssec-validation auto</strong></span>, then BIND can keep + keys up to date automatically. Servers configured in this way + will roll seamlessly to the new key when it is published in + the root zone. However, keys configured using the + <span class="command"><strong>trusted-keys</strong></span> statement are not automatically + maintained. If your server is performing DNSSEC validation + and is configured using <span class="command"><strong>trusted-keys</strong></span>, you are + advised to change your configuration before the root zone begins + signing with the new KSK. This is currently scheduled for + October 11, 2017. + </p> +<p> + This release includes an updated version of the + <code class="filename">bind.keys</code> file containing the new root + key. This file can also be downloaded from + <a class="link" href="https://www.isc.org/bind-keys" target="_top"> + https://www.isc.org/bind-keys + </a>. + </p> +</div> +<div class="section"> +<div class="titlepage"><div><div><h3 class="title"> <a name="relnotes_security"></a>Security Fixes</h3></div></div></div> <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "> <li class="listitem"><p> + 'rndc ""' could trigger a assertion failure in named. This flaw + is disclosed in (CVE-2017-3138). 
[RT #44924] + </p></li> +<li class="listitem"><p> + Some chaining (i.e., type CNAME or DNAME) responses to upstream + queries could trigger assertion failures. This flaw is disclosed + in CVE-2017-3137. [RT #44734] + </p></li> +<li class="listitem"><p> + <span class="command"><strong>dns64</strong></span> with <span class="command"><strong>break-dnssec yes;</strong></span> + can result in an assertion failure. This flaw is disclosed in + CVE-2017-3136. [RT #44653] + </p></li> +<li class="listitem"><p> If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read @@ -245,6 +294,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.html diff -u src/external/bsd/bind/dist/doc/arm/Bv9ARM.html:1.13 src/external/bsd/bind/dist/doc/arm/Bv9ARM.html:1.14 --- src/external/bsd/bind/dist/doc/arm/Bv9ARM.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/Bv9ARM.html Thu Apr 13 15:11:20 2017 @@ -40,7 +40,7 @@ <div> <div><h1 class="title"> <a name="id-1"></a>BIND 9 Administrator Reference Manual</h1></div> -<div><p class="releaseinfo">BIND Version 9.10.4-P6</p></div> +<div><p class="releaseinfo">BIND Version 9.10.4-P8</p></div> <div><p class="copyright">Copyright © 2004-2015 Internet Systems Consortium, Inc. ("ISC")</p></div> <div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div> </div> 
@@ -239,10 +239,11 @@ </dl></dd> <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Release Notes</a></span></dt> <dd><dl> -<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P6</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#id-1.10.2">Release Notes for BIND Version 9.10.4-P8</a></span></dt> <dd><dl> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_intro">Introduction</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_download">Download</a></span></dt> +<dt><span class="section"><a href="Bv9ARM.ch09.html#root_key">New DNSSEC Root Key</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_security">Security Fixes</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_features">New Features</a></span></dt> <dt><span class="section"><a href="Bv9ARM.ch09.html#relnotes_changes">Feature Changes</a></span></dt> @@ -385,6 +386,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.arpaname.html diff -u src/external/bsd/bind/dist/doc/arm/man.arpaname.html:1.13 src/external/bsd/bind/dist/doc/arm/man.arpaname.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.arpaname.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.arpaname.html Thu Apr 13 15:11:20 2017 
@@ -81,6 +81,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html diff -u src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html:1.13 src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.ddns-confgen.html Thu Apr 13 15:11:20 2017 @@ -185,6 +185,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.delv.html diff -u src/external/bsd/bind/dist/doc/arm/man.delv.html:1.13 src/external/bsd/bind/dist/doc/arm/man.delv.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.delv.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.delv.html Thu Apr 13 15:11:20 2017 @@ -498,6 +498,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dig.html diff -u src/external/bsd/bind/dist/doc/arm/man.dig.html:1.13 src/external/bsd/bind/dist/doc/arm/man.dig.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.dig.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dig.html Thu Apr 13 15:11:20 2017 
@@ -809,6 +809,6 @@ dig +qr www.isc.org any -x 127.0.0.1 isc </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html:1.13 src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-checkds.html Thu Apr 13 15:11:20 2017 @@ -112,6 +112,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html:1.13 src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-coverage.html Thu Apr 13 15:11:20 2017 @@ -219,6 +219,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html:1.13 src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-dsfromkey.html Thu Apr 13 15:11:20 2017 
@@ -213,6 +213,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html:1.13 src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-importkey.html Thu Apr 13 15:11:20 2017 @@ -177,6 +177,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html:1.13 src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-keyfromlabel.html Thu Apr 13 15:11:20 2017 @@ -381,6 +381,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html:1.13 src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-keygen.html Thu Apr 13 15:11:20 2017 
@@ -455,6 +455,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html:1.13 src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-revoke.html Thu Apr 13 15:11:20 2017 @@ -134,6 +134,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html:1.13 src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-settime.html Thu Apr 13 15:11:20 2017 @@ -264,6 +264,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html:1.13 src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-signzone.html Thu Apr 13 15:11:20 2017 
@@ -564,6 +564,6 @@ db.example.com.signed </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html diff -u src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html:1.13 src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.dnssec-verify.html Thu Apr 13 15:11:20 2017 @@ -164,6 +164,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.genrandom.html diff -u src/external/bsd/bind/dist/doc/arm/man.genrandom.html:1.13 src/external/bsd/bind/dist/doc/arm/man.genrandom.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.genrandom.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.genrandom.html Thu Apr 13 15:11:20 2017 @@ -102,6 +102,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.host.html diff -u src/external/bsd/bind/dist/doc/arm/man.host.html:1.13 src/external/bsd/bind/dist/doc/arm/man.host.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.host.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.host.html Thu Apr 13 15:11:20 2017 
@@ -247,6 +247,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html diff -u src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html:1.13 src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.isc-hmac-fixup.html Thu Apr 13 15:11:20 2017 @@ -112,6 +112,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html diff -u src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html:1.13 src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.named-checkconf.html Thu Apr 13 15:11:20 2017 @@ -151,6 +151,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html diff -u src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html:1.13 src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.named-checkzone.html Thu Apr 13 15:11:20 2017 
@@ -338,6 +338,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html diff -u src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html:1.13 src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.named-journalprint.html Thu Apr 13 15:11:20 2017 @@ -102,6 +102,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html diff -u src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html:1.13 src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.named-rrchecker.html Thu Apr 13 15:11:20 2017 @@ -104,6 +104,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.named.html diff -u src/external/bsd/bind/dist/doc/arm/man.named.html:1.13 src/external/bsd/bind/dist/doc/arm/man.named.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.named.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.named.html Thu Apr 13 15:11:20 2017 
@@ -369,6 +369,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html diff -u src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html:1.13 src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.nsec3hash.html Thu Apr 13 15:11:20 2017 @@ -103,6 +103,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.nsupdate.html diff -u src/external/bsd/bind/dist/doc/arm/man.nsupdate.html:1.13 src/external/bsd/bind/dist/doc/arm/man.nsupdate.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.nsupdate.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.nsupdate.html Thu Apr 13 15:11:20 2017 @@ -663,6 +663,6 @@ </tr> </table> </div> -<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p> +<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p> </body> </html> Index: src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html diff -u src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html:1.13 src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html:1.14 --- src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html:1.13 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/doc/arm/man.rndc-confgen.html Thu Apr 13 15:11:20 2017 
@@ -223,6 +223,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html
diff -u src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html:1.13 src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html:1.14
--- src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html:1.13 Wed Feb 8 19:23:27 2017
+++ src/external/bsd/bind/dist/doc/arm/man.rndc.conf.html Thu Apr 13 15:11:20 2017
@@ -246,6 +246,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/man.rndc.html
diff -u src/external/bsd/bind/dist/doc/arm/man.rndc.html:1.13 src/external/bsd/bind/dist/doc/arm/man.rndc.html:1.14
--- src/external/bsd/bind/dist/doc/arm/man.rndc.html:1.13 Wed Feb 8 19:23:27 2017
+++ src/external/bsd/bind/dist/doc/arm/man.rndc.html Thu Apr 13 15:11:20 2017
@@ -621,6 +621,6 @@
 </tr>
 </table>
 </div>
-<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P6</p>
+<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.10.4-P8</p>
 </body>
 </html>
Index: src/external/bsd/bind/dist/doc/arm/Bv9ARM.pdf
Binary files are different
Index: src/external/bsd/bind/dist/lib/dns/api
diff -u src/external/bsd/bind/dist/lib/dns/api:1.13 src/external/bsd/bind/dist/lib/dns/api:1.14
--- src/external/bsd/bind/dist/lib/dns/api:1.13 Wed Feb 8 19:23:27 2017
+++ src/external/bsd/bind/dist/lib/dns/api Thu Apr 13 15:11:20 2017
@@ -6,5 +6,5 @@ # 9.9-sub: 130-139, 150-159 # 9.10: 140-149, 160-169 LIBINTERFACE = 165 -LIBREVISION = 5 +LIBREVISION = 7 LIBAGE = 0 Index: src/external/bsd/bind/dist/lib/dns/rdataset.c diff -u src/external/bsd/bind/dist/lib/dns/rdataset.c:1.9 src/external/bsd/bind/dist/lib/dns/rdataset.c:1.10 --- src/external/bsd/bind/dist/lib/dns/rdataset.c:1.9 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/lib/dns/rdataset.c Thu Apr 13 15:11:20 2017 @@ -1,7 +1,7 @@ -/* $NetBSD: rdataset.c,v 1.9 2017/02/09 00:23:27 christos Exp $ */ +/* $NetBSD: rdataset.c,v 1.10 2017/04/13 19:11:20 christos Exp $ */ /* - * Copyright (C) 2004-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2012, 2014, 2015, 2017 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any Index: src/external/bsd/bind/dist/lib/dns/resolver.c diff -u src/external/bsd/bind/dist/lib/dns/resolver.c:1.29 src/external/bsd/bind/dist/lib/dns/resolver.c:1.30 --- src/external/bsd/bind/dist/lib/dns/resolver.c:1.29 Wed Feb 8 19:23:27 2017 +++ src/external/bsd/bind/dist/lib/dns/resolver.c Thu Apr 13 15:11:20 2017 @@ -1,7 +1,7 @@ -/* $NetBSD: resolver.c,v 1.29 2017/02/09 00:23:27 christos Exp $ */ +/* $NetBSD: resolver.c,v 1.30 2017/04/13 19:11:20 christos Exp $ */ /* - * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2017 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -4469,6 +4469,7 @@ is_lame(fetchctx_t *fctx) { isc_result_t result; if (message->rcode != dns_rcode_noerror && + message->rcode != dns_rcode_yxdomain && message->rcode != dns_rcode_nxdomain) return (ISC_FALSE); 
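Review bot: The added `message->rcode != dns_rcode_yxdomain &&` line in `is_lame()` carries no comment saying why a YXDOMAIN reply is now examined like NOERROR and NXDOMAIN, and the same three-rcode test is repeated in the `resquery_response()` hunks at `-8099` and `-8328`. The only explanation of YXDOMAIN on the page (a DNAME mapping whose new name was too long) is deleted by the `-8163` hunk. If the intent is that such replies are now parsed for their DNAME, a comment like `/* YXDOMAIN replies are processed for the DNAME they carry */` above the test, or one small predicate shared by the three sites, would keep them from drifting apart. `is_lame()` begins and ends outside this hunk.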
@@ -6081,79 +6082,6 @@ chase_additional(fetchctx_t *fctx) { goto again; } -static inline isc_result_t -cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_cname_t cname; - - result = dns_rdataset_first(rdataset); - if (result != ISC_R_SUCCESS) - return (result); - dns_rdataset_current(rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &cname, NULL); - if (result != ISC_R_SUCCESS) - return (result); - dns_name_init(tname, NULL); - dns_name_clone(&cname.cname, tname); - dns_rdata_freestruct(&cname); - - return (ISC_R_SUCCESS); -} - -/*% - * Construct the synthesised CNAME from the existing QNAME and - * the DNAME RR and store it in 'target'. - */ -static inline isc_result_t -dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, - unsigned int nlabels, dns_name_t *target) -{ - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdata_dname_t dname; - dns_fixedname_t prefix; - - /* - * Get the target name of the DNAME. - */ - result = dns_rdataset_first(rdataset); - if (result != ISC_R_SUCCESS) - return (result); - dns_rdataset_current(rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &dname, NULL); - if (result != ISC_R_SUCCESS) - return (result); - - dns_fixedname_init(&prefix); - dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); - result = dns_name_concatenate(dns_fixedname_name(&prefix), - &dname.dname, target, NULL); - dns_rdata_freestruct(&dname); - return (result); -} - -/*% - * Check if it was possible to construct 'qname' from 'lastcname' - * and 'rdataset'. 
- */ -static inline isc_result_t -fromdname(dns_rdataset_t *rdataset, dns_name_t *lastcname, - unsigned int nlabels, const dns_name_t *qname) -{ - dns_fixedname_t fixed; - isc_result_t result; - dns_name_t *target; - - dns_fixedname_init(&fixed); - target = dns_fixedname_name(&fixed); - result = dname_target(rdataset, lastcname, nlabels, target); - if (result != ISC_R_SUCCESS || !dns_name_equal(qname, target)) - return (ISC_R_NOTFOUND); - - return (ISC_R_SUCCESS); -} - static isc_boolean_t is_answeraddress_allowed(dns_view_t *view, dns_name_t *name, dns_rdataset_t *rdataset) @@ -6229,9 +6157,8 @@ is_answeraddress_allowed(dns_view_t *vie } static isc_boolean_t -is_answertarget_allowed(dns_view_t *view, dns_name_t *name, - dns_rdatatype_t type, dns_name_t *tname, - dns_name_t *domain) +is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, + dns_rdataset_t *rdataset, isc_boolean_t *chainingp) { isc_result_t result; dns_rbtnode_t *node = NULL; 
@@ -6239,8 +6166,57 @@ is_answertarget_allowed(dns_view_t *view char tnamebuf[DNS_NAME_FORMATSIZE]; char classbuf[64]; char typebuf[64]; + dns_name_t *tname = NULL; + dns_rdata_cname_t cname; + dns_rdata_dname_t dname; + dns_view_t *view = fctx->res->view; + dns_rdata_t rdata = DNS_RDATA_INIT; + unsigned int nlabels; + dns_fixedname_t fixed; + dns_name_t prefix; + + REQUIRE(rdataset != NULL); + REQUIRE(rdataset->type == dns_rdatatype_cname || + rdataset->type == dns_rdatatype_dname); + + /* + * By default, we allow any target name. + * If newqname != NULL we also need to extract the newqname. + */ + if (chainingp == NULL && view->denyanswernames == NULL) + return (ISC_TRUE); + + result = dns_rdataset_first(rdataset); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_rdataset_current(rdataset, &rdata); + switch (rdataset->type) { + case dns_rdatatype_cname: + result = dns_rdata_tostruct(&rdata, &cname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + tname = &cname.cname; + break; + case dns_rdatatype_dname: + result = dns_rdata_tostruct(&rdata, &dname, NULL); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + dns_name_init(&prefix, NULL); + dns_fixedname_init(&fixed); + tname = dns_fixedname_name(&fixed); + nlabels = dns_name_countlabels(qname) - + dns_name_countlabels(rname); + dns_name_split(qname, nlabels, &prefix, NULL); + result = dns_name_concatenate(&prefix, &dname.dname, tname, + NULL); + if (result == DNS_R_NAMETOOLONG) + return (ISC_TRUE); + RUNTIME_CHECK(result == ISC_R_SUCCESS); + break; + default: + INSIST(0); + } + + if (chainingp != NULL) + *chainingp = ISC_TRUE; - /* By default, we allow any target name. */ if (view->denyanswernames == NULL) return (ISC_TRUE); 
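Review bot: In the `dns_rdatatype_dname` case, `nlabels = dns_name_countlabels(qname) - dns_name_countlabels(rname);` is the number of labels in front of the DNAME owner, whereas the removed `dname_target()` handed `dns_name_split()` the common-label count from `dns_name_fullcompare()`, which for an ancestor is the owner's own label count. Unless the meaning of that argument changed, `nlabels = dns_name_countlabels(rname);` matches the old behaviour; note also that the subtraction yields 0 when `rname` equals `qname` (the DNAME-at-qname calls from `answer_response()`), and whether `dns_name_split()` accepts 0 is not visible here. The `RUNTIME_CHECK`s on `dns_rdataset_first()` and `dns_rdata_tostruct()` abort the process on data taken from a received response where the removed helpers returned the error, so a comment stating why they cannot fail is warranted. The comment `If newqname != NULL ...` names a parameter that does not exist and presumably means `chainingp`. The function's signature and the rest of its body lie outside this hunk.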
@@ -6249,8 +6225,8 @@ is_answertarget_allowed(dns_view_t *view * or partially, allow it. */ if (view->answernames_exclude != NULL) { - result = dns_rbt_findnode(view->answernames_exclude, name, NULL, - &node, NULL, 0, NULL, NULL); + result = dns_rbt_findnode(view->answernames_exclude, qname, + NULL, &node, NULL, 0, NULL, NULL); if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) return (ISC_TRUE); } @@ -6258,7 +6234,7 @@ is_answertarget_allowed(dns_view_t *view /* * If the target name is a subdomain of the search domain, allow it. */ - if (dns_name_issubdomain(tname, domain)) + if (dns_name_issubdomain(tname, &fctx->domain)) return (ISC_TRUE); /* @@ -6267,9 +6243,9 @@ is_answertarget_allowed(dns_view_t *view result = dns_rbt_findnode(view->denyanswernames, tname, NULL, &node, NULL, 0, NULL, NULL); if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) { - dns_name_format(name, qnamebuf, sizeof(qnamebuf)); + dns_name_format(qname, qnamebuf, sizeof(qnamebuf)); dns_name_format(tname, tnamebuf, sizeof(tnamebuf)); - dns_rdatatype_format(type, typebuf, sizeof(typebuf)); + dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf)); dns_rdataclass_format(view->rdclass, classbuf, sizeof(classbuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, 
@@ -6765,473 +6741,301 @@ noanswer_response(fetchctx_t *fctx, dns_ return (ISC_R_SUCCESS); } +static isc_boolean_t +validinanswer(dns_rdataset_t *rdataset, fetchctx_t *fctx) { + if (rdataset->type == dns_rdatatype_nsec3) { + /* + * NSEC3 records are not allowed to + * appear in the answer section. + */ + log_formerr(fctx, "NSEC3 in answer"); + return (ISC_FALSE); + } + if (rdataset->type == dns_rdatatype_tkey) { + /* + * TKEY is not a valid record in a + * response to any query we can make. + */ + log_formerr(fctx, "TKEY in answer"); + return (ISC_FALSE); + } + if (rdataset->rdclass != fctx->res->rdclass) { + log_formerr(fctx, "Mismatched class in answer"); + return (ISC_FALSE); + } + return (ISC_TRUE); +} + static isc_result_t answer_response(fetchctx_t *fctx) { isc_result_t result; - dns_message_t *message; - dns_name_t *name, *dname = NULL, *qname, tname, *ns_name; - dns_name_t *cname = NULL, *lastcname = NULL; - dns_rdataset_t *rdataset, *ns_rdataset; - isc_boolean_t done, external, aa, found, want_chaining; - isc_boolean_t have_answer, found_cname, found_dname, found_type; - isc_boolean_t wanted_chaining; - unsigned int aflag, chaining; + dns_message_t *message = NULL; + dns_name_t *name = NULL, *qname = NULL, *ns_name = NULL; + dns_name_t *aname = NULL, *cname = NULL, *dname = NULL; + dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL; + dns_rdataset_t *ardataset = NULL, *crdataset = NULL; + dns_rdataset_t *drdataset = NULL, *ns_rdataset = NULL; + isc_boolean_t done = ISC_FALSE, aa; + unsigned int dname_labels, domain_labels; + isc_boolean_t chaining = ISC_FALSE; dns_rdatatype_t type; - dns_fixedname_t fdname, fqname; - dns_view_t *view; + dns_view_t *view = NULL; + dns_trust_t trust; + + REQUIRE(VALID_FCTX(fctx)); FCTXTRACE("answer_response"); message = fctx->rmessage; + qname = &fctx->name; + view = fctx->res->view; + type = fctx->type; /* - * Examine the answer section, marking those rdatasets which are - * part of the answer and should be cached. 
+ * There can be multiple RRSIG and SIG records at a name so + * we treat these types as a subset of ANY. */ + if (type == dns_rdatatype_rrsig || type == dns_rdatatype_sig) { + type = dns_rdatatype_any; + } - done = ISC_FALSE; - found_cname = ISC_FALSE; - found_dname = ISC_FALSE; - found_type = ISC_FALSE; - have_answer = ISC_FALSE; - want_chaining = ISC_FALSE; - chaining = 0; - POST(want_chaining); - if ((message->flags & DNS_MESSAGEFLAG_AA) != 0) - aa = ISC_TRUE; - else - aa = ISC_FALSE; - qname = &fctx->name; - type = fctx->type; - view = fctx->res->view; - result = dns_message_firstname(message, DNS_SECTION_ANSWER); - while (!done && result == ISC_R_SUCCESS) { - dns_namereln_t namereln, lastreln; - int order, lastorder; - unsigned int nlabels, lastnlabels; + /* + * Bigger than any valid DNAME label count. + */ + dname_labels = dns_name_countlabels(qname); + domain_labels = dns_name_countlabels(&fctx->domain); + + /* + * Perform a single pass looking for the answer, cname or covering + * dname. + */ + for (result = dns_message_firstname(message, DNS_SECTION_ANSWER); + result == ISC_R_SUCCESS; + result = dns_message_nextname(message, DNS_SECTION_ANSWER)) + { + int order; + unsigned int nlabels; + dns_namereln_t namereln; name = NULL; dns_message_currentname(message, DNS_SECTION_ANSWER, &name); - external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); namereln = dns_name_fullcompare(qname, name, &order, &nlabels); - - if (namereln == dns_namereln_equal) { - wanted_chaining = ISC_FALSE; + switch (namereln) { + case dns_namereln_equal: for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; - rdataset = ISC_LIST_NEXT(rdataset, link)) { - found = ISC_FALSE; - want_chaining = ISC_FALSE; - aflag = 0; - if (rdataset->type == dns_rdatatype_nsec3) { - /* - * NSEC3 records are not allowed to - * appear in the answer section. 
- */ - log_formerr(fctx, "NSEC3 in answer"); - return (DNS_R_FORMERR); - } - if (rdataset->type == dns_rdatatype_tkey) { - /* - * TKEY is not a valid record in a - * response to any query we can make. - */ - log_formerr(fctx, "TKEY in answer"); - return (DNS_R_FORMERR); - } - if (rdataset->rdclass != fctx->res->rdclass) { - log_formerr(fctx, "Mismatched class " - "in answer"); - return (DNS_R_FORMERR); - } - - /* - * Apply filters, if given, on answers to reject - * a malicious attempt of rebinding. - */ - if ((rdataset->type == dns_rdatatype_a || - rdataset->type == dns_rdatatype_aaaa) && - !is_answeraddress_allowed(view, name, - rdataset)) { - return (DNS_R_SERVFAIL); - } - - if (rdataset->type == type && !found_cname) { - /* - * We've found an ordinary answer. - */ - found = ISC_TRUE; - found_type = ISC_TRUE; - done = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWER; - } else if (type == dns_rdatatype_any) { - /* - * We've found an answer matching - * an ANY query. There may be - * more. - */ - found = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWER; - } else if (rdataset->type == dns_rdatatype_rrsig - && rdataset->covers == type - && !found_cname) { - /* - * We've found a signature that - * covers the type we're looking for. - */ - found = ISC_TRUE; - found_type = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWERSIG; - } else if (rdataset->type == - dns_rdatatype_cname - && !found_type) { - /* - * We're looking for something else, - * but we found a CNAME. - * - * Getting a CNAME response for some - * query types is an error, see - * RFC 4035, Section 2.5. 
- */ - if (type == dns_rdatatype_rrsig || - type == dns_rdatatype_key || - type == dns_rdatatype_nsec) { - char buf[DNS_RDATATYPE_FORMATSIZE]; - dns_rdatatype_format(fctx->type, - buf, sizeof(buf)); - log_formerr(fctx, - "CNAME response " - "for %s RR", buf); - return (DNS_R_FORMERR); - } - found = ISC_TRUE; - found_cname = ISC_TRUE; - want_chaining = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWER; - result = cname_target(rdataset, - &tname); - if (result != ISC_R_SUCCESS) - return (result); - /* Apply filters on the target name. */ - if (!is_answertarget_allowed(view, - name, - rdataset->type, - &tname, - &fctx->domain)) { - return (DNS_R_SERVFAIL); + rdataset = ISC_LIST_NEXT(rdataset, link)) + { + if (rdataset->type == type || + type == dns_rdatatype_any) + { + aname = name; + if (type != dns_rdatatype_any) { + ardataset = rdataset; } - lastcname = name; - } else if (rdataset->type == dns_rdatatype_rrsig - && rdataset->covers == - dns_rdatatype_cname - && !found_type) { - /* - * We're looking for something else, - * but we found a SIG CNAME. - */ - found = ISC_TRUE; - found_cname = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWERSIG; + break; } - - if (found) { - /* - * We've found an answer to our - * question. - */ - name->attributes |= - DNS_NAMEATTR_CACHE; - rdataset->attributes |= - DNS_RDATASETATTR_CACHE; - rdataset->trust = dns_trust_answer; - if (chaining == 0) { - /* - * This data is "the" answer - * to our question only if - * we're not chaining (i.e. - * if we haven't followed - * a CNAME or DNAME). - */ - INSIST(!external); - /* - * Don't use found_cname here - * as we have just set it - * above. 
- */ - if (cname == NULL && - !found_dname && - aflag == - DNS_RDATASETATTR_ANSWER) - { - have_answer = ISC_TRUE; - if (found_cname && - cname == NULL) - cname = name; - name->attributes |= - DNS_NAMEATTR_ANSWER; - } - rdataset->attributes |= aflag; - if (aa) - rdataset->trust = - dns_trust_authanswer; - } else if (external) { - /* - * This data is outside of - * our query domain, and - * may not be cached. - */ - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; - } - - /* - * Mark any additional data related - * to this rdataset. - */ - (void)dns_rdataset_additionaldata( - rdataset, - check_related, - fctx); - - /* - * CNAME chaining. - */ - if (want_chaining) { - wanted_chaining = ISC_TRUE; - name->attributes |= - DNS_NAMEATTR_CHAINING; - rdataset->attributes |= - DNS_RDATASETATTR_CHAINING; - qname = &tname; - } + if (rdataset->type == dns_rdatatype_cname) { + cname = name; + crdataset = rdataset; + break; } - /* - * We could add an "else" clause here and - * log that we're ignoring this rdataset. - */ } + break; + + case dns_namereln_subdomain: /* - * If wanted_chaining is true, we've done - * some chaining as the result of processing - * this node, and thus we need to set - * chaining to true. - * - * We don't set chaining inside of the - * rdataset loop because doing that would - * cause us to ignore the signatures of - * CNAMEs. + * In-scope DNAME records must have at least + * as many labels as the domain being queried. + * They also must be less that qname's labels + * and any previously found dname. 
*/ - if (wanted_chaining && chaining < 2U) - chaining++; - } else { - dns_rdataset_t *dnameset = NULL; - isc_boolean_t synthcname = ISC_FALSE; - - if (lastcname != NULL) { - lastreln = dns_name_fullcompare(lastcname, - name, - &lastorder, - &lastnlabels); - if (lastreln == dns_namereln_subdomain && - lastnlabels == dns_name_countlabels(name)) - synthcname = ISC_TRUE; + if (nlabels >= dname_labels || nlabels < domain_labels) + { + continue; } /* - * Look for a DNAME (or its SIG). Anything else is - * ignored. + * We are looking for the shortest DNAME if there + * are multiple ones (which there shouldn't be). */ - wanted_chaining = ISC_FALSE; for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL; rdataset = ISC_LIST_NEXT(rdataset, link)) { - if (rdataset->rdclass != fctx->res->rdclass) { - log_formerr(fctx, "Mismatched class " - "in answer"); - return (DNS_R_FORMERR); - } - - /* - * Only pass DNAME or RRSIG(DNAME). - */ - if (rdataset->type != dns_rdatatype_dname && - (rdataset->type != dns_rdatatype_rrsig || - rdataset->covers != dns_rdatatype_dname)) + if (rdataset->type != dns_rdatatype_dname) { continue; - - /* - * If we're not chaining, then the DNAME and - * its signature should not be external. - */ - if (chaining == 0 && external) { - char qbuf[DNS_NAME_FORMATSIZE]; - char obuf[DNS_NAME_FORMATSIZE]; - - dns_name_format(name, qbuf, - sizeof(qbuf)); - dns_name_format(&fctx->domain, obuf, - sizeof(obuf)); - log_formerr(fctx, "external DNAME or " - "RRSIG covering DNAME " - "in answer: %s is " - "not in %s", qbuf, obuf); - return (DNS_R_FORMERR); - } - - /* - * If DNAME + synthetic CNAME then the - * namereln is dns_namereln_subdomain. 
- */ - if (namereln != dns_namereln_subdomain && - !synthcname) - { - char qbuf[DNS_NAME_FORMATSIZE]; - char obuf[DNS_NAME_FORMATSIZE]; - - dns_name_format(qname, qbuf, - sizeof(qbuf)); - dns_name_format(name, obuf, - sizeof(obuf)); - log_formerr(fctx, "unrelated DNAME " - "in answer: %s is " - "not in %s", qbuf, obuf); - return (DNS_R_FORMERR); } + dname = name; + drdataset = rdataset; + dname_labels = nlabels; + break; + } + break; + default: + break; + } + } - aflag = 0; - if (rdataset->type == dns_rdatatype_dname) { - want_chaining = ISC_TRUE; - POST(want_chaining); - aflag = DNS_RDATASETATTR_ANSWER; - dns_fixedname_init(&fdname); - dname = dns_fixedname_name(&fdname); - if (synthcname) { - result = fromdname(rdataset, - lastcname, - lastnlabels, - qname); - } else { - result = dname_target(rdataset, - qname, - nlabels, - dname); - } - if (result == ISC_R_NOSPACE) { - /* - * We can't construct the - * DNAME target. Do not - * try to continue. - */ - want_chaining = ISC_FALSE; - POST(want_chaining); - } else if (result != ISC_R_SUCCESS) - return (result); - else - dnameset = rdataset; + if (dname != NULL) { + aname = NULL; + ardataset = NULL; + cname = NULL; + crdataset = NULL; + } else if (aname != NULL) { + cname = NULL; + crdataset = NULL; + } - if (!synthcname && - !is_answertarget_allowed(view, - qname, rdataset->type, - dname, &fctx->domain)) - { - return (DNS_R_SERVFAIL); - } - } else { - /* - * We've found a signature that - * covers the DNAME. - */ - aflag = DNS_RDATASETATTR_ANSWERSIG; - } + aa = ISC_TF((message->flags & DNS_MESSAGEFLAG_AA) != 0); + trust = aa ? dns_trust_authanswer : dns_trust_answer; - /* - * We've found an answer to our - * question. - */ - name->attributes |= DNS_NAMEATTR_CACHE; - rdataset->attributes |= DNS_RDATASETATTR_CACHE; - rdataset->trust = dns_trust_answer; - /* - * If we are not chaining or the first CNAME - * is a synthesised CNAME before the DNAME. 
- */ - if ((chaining == 0) || - (chaining == 1U && synthcname)) - { - /* - * This data is "the" answer to - * our question only if we're - * not chaining. - */ - INSIST(!external); - if (aflag == DNS_RDATASETATTR_ANSWER) { - have_answer = ISC_TRUE; - found_dname = ISC_TRUE; - if (cname != NULL && - synthcname) - { - cname->attributes &= - ~DNS_NAMEATTR_ANSWER; - } - name->attributes |= - DNS_NAMEATTR_ANSWER; - } - rdataset->attributes |= aflag; - if (aa) - rdataset->trust = - dns_trust_authanswer; - } else if (external) { - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; - } + if (aname != NULL && type == dns_rdatatype_any) { + for (rdataset = ISC_LIST_HEAD(aname->list); + rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) + { + if (!validinanswer(rdataset, fctx)) { + return (DNS_R_FORMERR); } - - /* - * DNAME chaining. - */ - if (dnameset != NULL) { - if (!synthcname) { - /* - * Copy the dname into the qname fixed - * name. - * - * Although we check for failure of the - * copy operation, in practice it - * should never fail since we already - * know that the result fits in a - * fixedname. - */ - dns_fixedname_init(&fqname); - qname = dns_fixedname_name(&fqname); - result = dns_name_copy(dname, qname, - NULL); - if (result != ISC_R_SUCCESS) - return (result); - } - wanted_chaining = ISC_TRUE; - name->attributes |= DNS_NAMEATTR_CHAINING; - dnameset->attributes |= - DNS_RDATASETATTR_CHAINING; + if ((fctx->type == dns_rdatatype_sig || + fctx->type == dns_rdatatype_rrsig) && + rdataset->type != fctx->type) + { + continue; } - /* - * Ensure that we can't ever get chaining == 1 - * above if we have processed a DNAME. 
- */ - if (wanted_chaining && chaining < 2U) - chaining += 2; + if ((rdataset->type == dns_rdatatype_a || + rdataset->type == dns_rdatatype_aaaa) && + !is_answeraddress_allowed(view, aname, rdataset)) + { + return (DNS_R_SERVFAIL); + } + if ((rdataset->type == dns_rdatatype_cname || + rdataset->type == dns_rdatatype_dname) && + !is_answertarget_allowed(fctx, qname, aname, + rdataset, NULL)) + { + return (DNS_R_SERVFAIL); + } + aname->attributes |= DNS_NAMEATTR_CACHE; + aname->attributes |= DNS_NAMEATTR_ANSWER; + rdataset->attributes |= DNS_RDATASETATTR_ANSWER; + rdataset->attributes |= DNS_RDATASETATTR_CACHE; + rdataset->trust = trust; + (void)dns_rdataset_additionaldata(rdataset, + check_related, + fctx); } - result = dns_message_nextname(message, DNS_SECTION_ANSWER); - } - if (result == ISC_R_NOMORE) - result = ISC_R_SUCCESS; - if (result != ISC_R_SUCCESS) - return (result); - - /* - * We should have found an answer. - */ - if (!have_answer) { + } else if (aname != NULL) { + if (!validinanswer(ardataset, fctx)) + return (DNS_R_FORMERR); + if ((ardataset->type == dns_rdatatype_a || + ardataset->type == dns_rdatatype_aaaa) && + !is_answeraddress_allowed(view, aname, ardataset)) { + return (DNS_R_SERVFAIL); + } + if ((ardataset->type == dns_rdatatype_cname || + ardataset->type == dns_rdatatype_dname) && + !is_answertarget_allowed(fctx, qname, aname, ardataset, + NULL)) + { + return (DNS_R_SERVFAIL); + } + aname->attributes |= DNS_NAMEATTR_CACHE; + aname->attributes |= DNS_NAMEATTR_ANSWER; + ardataset->attributes |= DNS_RDATASETATTR_ANSWER; + ardataset->attributes |= DNS_RDATASETATTR_CACHE; + ardataset->trust = trust; + (void)dns_rdataset_additionaldata(ardataset, check_related, + fctx); + for (sigrdataset = ISC_LIST_HEAD(aname->list); + sigrdataset != NULL; + sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) { + if (!validinanswer(sigrdataset, fctx)) + return (DNS_R_FORMERR); + if (sigrdataset->type != dns_rdatatype_rrsig || + sigrdataset->covers != type) + continue; 
+ sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG; + sigrdataset->attributes |= DNS_RDATASETATTR_CACHE; + sigrdataset->trust = trust; + break; + } + } else if (cname != NULL) { + if (!validinanswer(crdataset, fctx)) { + return (DNS_R_FORMERR); + } + if (type == dns_rdatatype_rrsig || type == dns_rdatatype_key || + type == dns_rdatatype_nsec) + { + char buf[DNS_RDATATYPE_FORMATSIZE]; + dns_rdatatype_format(type, buf, sizeof(buf)); + log_formerr(fctx, "CNAME response for %s RR", buf); + return (DNS_R_FORMERR); + } + if (!is_answertarget_allowed(fctx, qname, cname, crdataset, + NULL)) + { + return (DNS_R_SERVFAIL); + } + cname->attributes |= DNS_NAMEATTR_CACHE; + cname->attributes |= DNS_NAMEATTR_ANSWER; + cname->attributes |= DNS_NAMEATTR_CHAINING; + crdataset->attributes |= DNS_RDATASETATTR_ANSWER; + crdataset->attributes |= DNS_RDATASETATTR_CACHE; + crdataset->attributes |= DNS_RDATASETATTR_CHAINING; + crdataset->trust = trust; + for (sigrdataset = ISC_LIST_HEAD(cname->list); + sigrdataset != NULL; + sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) + { + if (!validinanswer(sigrdataset, fctx)) { + return (DNS_R_FORMERR); + } + if (sigrdataset->type != dns_rdatatype_rrsig || + sigrdataset->covers != dns_rdatatype_cname) + { + continue; + } + sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG; + sigrdataset->attributes |= DNS_RDATASETATTR_CACHE; + sigrdataset->trust = trust; + break; + } + chaining = ISC_TRUE; + } else if (dname != NULL) { + if (!validinanswer(drdataset, fctx)) { + return (DNS_R_FORMERR); + } + if (!is_answertarget_allowed(fctx, qname, dname, drdataset, + &chaining)) { + return (DNS_R_SERVFAIL); + } + dname->attributes |= DNS_NAMEATTR_CACHE; + dname->attributes |= DNS_NAMEATTR_ANSWER; + dname->attributes |= DNS_NAMEATTR_CHAINING; + drdataset->attributes |= DNS_RDATASETATTR_ANSWER; + drdataset->attributes |= DNS_RDATASETATTR_CACHE; + drdataset->attributes |= DNS_RDATASETATTR_CHAINING; + drdataset->trust = trust; + for (sigrdataset = 
ISC_LIST_HEAD(dname->list); + sigrdataset != NULL; + sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) + { + if (!validinanswer(sigrdataset, fctx)) { + return (DNS_R_FORMERR); + } + if (sigrdataset->type != dns_rdatatype_rrsig || + sigrdataset->covers != dns_rdatatype_dname) + { + continue; + } + sigrdataset->attributes |= DNS_RDATASETATTR_ANSWERSIG; + sigrdataset->attributes |= DNS_RDATASETATTR_CACHE; + sigrdataset->trust = trust; + break; + } + } else { log_formerr(fctx, "reply has no answer"); return (DNS_R_FORMERR); } @@ -7244,14 +7048,8 @@ answer_response(fetchctx_t *fctx) { /* * Did chaining end before we got the final answer? */ - if (chaining != 0) { - /* - * Yes. This may be a negative reply, so hand off - * authority section processing to the noanswer code. - * If it isn't a noanswer response, no harm will be - * done. - */ - return (noanswer_response(fctx, qname, 0)); + if (chaining) { + return (ISC_R_SUCCESS); } /* @@ -7270,11 +7068,9 @@ answer_response(fetchctx_t *fctx) { * We expect there to be only one owner name for all the rdatasets * in this section, and we expect that it is not external. */ - done = ISC_FALSE; - ns_name = NULL; - ns_rdataset = NULL; result = dns_message_firstname(message, DNS_SECTION_AUTHORITY); while (!done && result == ISC_R_SUCCESS) { + isc_boolean_t external; name = NULL; dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name); external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); @@ -7293,12 +7089,13 @@ answer_response(fetchctx_t *fctx) { DNS_NAMEATTR_CACHE; rdataset->attributes |= DNS_RDATASETATTR_CACHE; - if (aa && chaining == 0) + if (aa && !chaining) { rdataset->trust = dns_trust_authauthority; - else + } else { rdataset->trust = dns_trust_additional; + } if (rdataset->type == dns_rdatatype_ns) { 
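Review bot: In the three signature loops of the rewritten `answer_response()` (over `aname->list`, `cname->list` and `dname->list`), `validinanswer()` runs on every rdataset up to the covering RRSIG and the loop then hits `break`, so whether an NSEC3, TKEY or wrong-class rdataset at that name yields `DNS_R_FORMERR` depends on its position in the list. If the intent is to reject any such rdataset at the answer name, the validation needs a pass that does not stop at the `break`; if only the selected RRSIG matters, the `validinanswer()` call belongs after the type/covers test. `validinanswer()` also logs through `log_formerr()` as a side effect, which a one-line header comment should state, and the comment in the `dns_namereln_subdomain` case reads `less that` where `less than` is meant. `answer_response()` continues past the end of this hunk.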
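Review bot: With `if (chaining) { return (ISC_R_SUCCESS); }` in the `-7244` hunk, the test `if (aa && !chaining)` in the `-7293` hunk can only be reached with `chaining` false, unless code between the hunks changes it; the `!chaining` term then looks dead and could be reduced to `if (aa) {`. The removed comment explained why a chained reply was handed to `noanswer_response()`, while the new early return skips the authority section for chained replies without saying why that is safe. A comment such as `/* Chaining: the target is resolved separately, so the authority section is ignored. */` is needed if that is the reasoning. Both hunks sit inside `answer_response()`, which starts and ends outside them.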
@@ -8099,6 +7896,7 @@ resquery_response(isc_task_t *task, isc_ * Is the remote server broken, or does it dislike us? */ if (message->rcode != dns_rcode_noerror && + message->rcode != dns_rcode_yxdomain && message->rcode != dns_rcode_nxdomain) { isc_buffer_t b; char code[64]; @@ -8163,13 +7961,6 @@ resquery_response(isc_task_t *task, isc_ log_formerr(fctx, "server sent FORMERR"); result = DNS_R_FORMERR; } - } else if (message->rcode == dns_rcode_yxdomain) { - /* - * DNAME mapping failed because the new name - * was too long. There's no chance of success - * for this fetch. - */ - result = DNS_R_YXDOMAIN; } else if (message->rcode == dns_rcode_badvers) { unsigned int flags, mask; unsigned int version; @@ -8328,6 +8119,7 @@ resquery_response(isc_task_t *task, isc_ */ if (message->counts[DNS_SECTION_ANSWER] > 0 && (message->rcode == dns_rcode_noerror || + message->rcode == dns_rcode_yxdomain || message->rcode == dns_rcode_nxdomain)) { /* * [normal case] Index: src/external/bsd/bind/dist/lib/isc/lex.c diff -u src/external/bsd/bind/dist/lib/isc/lex.c:1.7 src/external/bsd/bind/dist/lib/isc/lex.c:1.8 --- src/external/bsd/bind/dist/lib/isc/lex.c:1.7 Wed Dec 16 23:00:45 2015 +++ src/external/bsd/bind/dist/lib/isc/lex.c Thu Apr 13 15:11:20 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: lex.c,v 1.7 2015/12/17 04:00:45 christos Exp $ */ +/* $NetBSD: lex.c,v 1.8 2017/04/13 19:11:20 christos Exp $ */ /* * Copyright (C) 2004, 2005, 2007, 2013-2015 Internet Systems Consortium, Inc. ("ISC") 
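Review bot: The added `message->rcode == dns_rcode_yxdomain ||` alternative in the `-8328` hunk only applies when `message->counts[DNS_SECTION_ANSWER] > 0`. The `-8163` hunk removes the dedicated branch that set `result = DNS_R_YXDOMAIN`, so a YXDOMAIN reply with an empty answer section is now decided by `else` branches that are outside the visible hunk. It is worth confirming that such a reply still ends the fetch with a definite failure, and recording the expected outcome in a comment next to the condition, for example `/* YXDOMAIN without an answer section is handled below as ... */` with the actual disposition filled in. `resquery_response()` starts and ends outside these hunks.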
@@ -96,9 +96,10 @@ isc_lex_create(isc_mem_t *mctx, size_t m /* * Create a lexer. */ - REQUIRE(lexp != NULL && *lexp == NULL); - REQUIRE(max_token > 0U); + + if (max_token == 0U) + max_token = 1; lex = isc_mem_get(mctx, sizeof(*lex)); if (lex == NULL) Index: src/external/bsd/bind/dist/lib/isc/include/isc/lex.h diff -u src/external/bsd/bind/dist/lib/isc/include/isc/lex.h:1.4 src/external/bsd/bind/dist/lib/isc/include/isc/lex.h:1.5 --- src/external/bsd/bind/dist/lib/isc/include/isc/lex.h:1.4 Tue Dec 9 23:38:00 2014 +++ src/external/bsd/bind/dist/lib/isc/include/isc/lex.h Thu Apr 13 15:11:20 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: lex.h,v 1.4 2014/12/10 04:38:00 christos Exp $ */ +/* $NetBSD: lex.h,v 1.5 2017/04/13 19:11:20 christos Exp $ */ /* * Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") @@ -154,8 +154,6 @@ isc_lex_create(isc_mem_t *mctx, size_t m * Requires: *\li '*lexp' is a valid lexer. * - *\li max_token > 0. - * * Ensures: *\li On success, *lexp is attached to the newly created lexer. *
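Review bot: Replacing `REQUIRE(max_token > 0U);` with `if (max_token == 0U) max_token = 1;` in `isc_lex_create()` silently adjusts a caller-supplied value, and neither this hunk nor the `lex.h` hunk (which only drops the `max_token > 0` requirement) documents the new behaviour. A comment at the clamp, e.g. `/* A max_token of 0 is treated as 1 rather than failing a REQUIRE. */`, and a matching `\li` line in the header's description would tell callers what to expect. The function body continues outside the hunk, so how `max_token` is used afterwards cannot be checked from here.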