From d970dbd11f0985430c040e7469332b2e040bb162 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= Date: Wed, 21 Feb 2018 15:25:05 +0100 Subject: [PATCH] - rel 3; more fixes for 3512; run test suite --- unbound-bug-3512.patch | 221 ++++++++++++++++++++++++++++++++++++++++- unbound.spec | 7 +- 2 files changed, 224 insertions(+), 4 deletions(-) diff --git a/unbound-bug-3512.patch b/unbound-bug-3512.patch index e58a4e5..eea16a0 100644 --- a/unbound-bug-3512.patch +++ b/unbound-bug-3512.patch @@ -1,5 +1,5 @@ diff --git a/iterator/iterator.c b/iterator/iterator.c -index 7f3c6573..26660059 100644 +index 7f3c6573..33fb02dd 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c @@ -1157,6 +1157,13 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, @@ -16,7 +16,7 @@ index 7f3c6573..26660059 100644 return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } -@@ -1246,6 +1253,10 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -1246,6 +1253,11 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, iq->qchase.qname_len = slen; /* This *is* a query restart, even if it is a cheap * one. */ @@ -24,10 +24,11 @@ index 7f3c6573..26660059 100644 + msg->rep->ns_numrrsets = 0; + msg->rep->ar_numrrsets = 0; + msg->rep->rrset_count = 0; ++ iq->response = msg; iq->dp = NULL; iq->refetch_glue = 0; iq->query_restart_count++; -@@ -2739,6 +2750,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -2739,6 +2751,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, if (qstate->env->cfg->qname_minimisation) iq->minimisation_state = INIT_MINIMISE_STATE; /* Clear the query state, since this is a query restart. */ 
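Review bot: The added `iq->response = msg;` in the processInitRequest restart path stores a reply whose `ns_numrrsets`, `ar_numrrsets` and `rrset_count` were set to 0 on the lines just above it, and nothing explains why an emptied message is kept. A short comment would help, for example `/* keep the emptied reply in iq->response; presumably the restart-limit exit answers from it instead of SERVFAIL - confirm */`, with the reason checked against the first hunk of the carried patch, whose body is not shown here. It is also not visible whether `msg` is a private copy or still shared with the cache, so it is worth confirming that zeroing its counts cannot affect other queries. processInitRequest starts and ends outside the hunk.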
@@ -38,3 +39,217 @@ index 7f3c6573..26660059 100644 iq->deleg_msg = NULL; iq->dp = NULL; iq->dsns_point = NULL; +diff --git a/testdata/iter_dname_insec.rpl b/testdata/iter_dname_insec.rpl +index 8f4a29c7..1ce8c2cb 100644 +--- a/testdata/iter_dname_insec.rpl ++++ b/testdata/iter_dname_insec.rpl +@@ -776,12 +776,18 @@ ENTRY_END + + ; Expected result is defined by RFC 1034 section 3.6.2: + ; CNAME chains should be followed and CNAME loops signalled as an error ++; but bug#3512: return partial contents with NOERROR. + STEP 221002 CHECK_ANSWER + ENTRY_BEGIN + MATCH all +-REPLY QR RD RA DO SERVFAIL ++REPLY QR RD RA DO NOERROR + SECTION QUESTION + cyc2.example.com. IN A ++SECTION ANSWER ++example.com. 0 IN DNAME cyc2.example.net. ++cyc2.example.com. 0 IN CNAME cyc2.cyc2.example.net. ++cyc2.example.net. 0 IN DNAME example.com. ++cyc2.cyc2.example.net. 0 IN CNAME cyc2.example.com. + ENTRY_END + + ; ns1.example.com. +diff --git a/testdata/val_cname_loop1.rpl b/testdata/val_cname_loop1.rpl +index 61fcdb70..b942cb26 100644 +--- a/testdata/val_cname_loop1.rpl ++++ b/testdata/val_cname_loop1.rpl +@@ -5,6 +5,7 @@ server: + val-override-date: "20070916134226" + target-fetch-policy: "0 0 0 0 0" + fake-sha1: yes ++ trust-anchor-signaling: no + + stub-zone: + name: "." +@@ -86,6 +87,17 @@ ns.example.com. IN A 1.2.3.4 + ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} + ENTRY_END + ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR NOERROR ++SECTION QUESTION ++ns.example.com. IN AAAA ++SECTION AUTHORITY ++ns.example.com. IN NSEC www.example.com. A RRSIG NSEC ++ns.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AE+zfHodyVCTnni/bur8IiUhTUtdac6ip/znrYYN0l1nqll1fon2+kQ= ++ENTRY_END ++ + ; response to DNSKEY priming query + ENTRY_BEGIN + MATCH opcode qtype qname +@@ -104,6 +116,18 @@ ns.example.com. 
IN A 1.2.3.4 + ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} + ENTRY_END + ++; response to DNSKEY priming query ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR NOERROR ++SECTION QUESTION ++www.example.com. IN DS ++SECTION AUTHORITY ++www.example.com. IN NSEC z.example.com. CNAME RRSIG NSEC ++www.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AJ8hqdeoKtvR094y+0KjO6LkCe1SCs6z5YhuY2YZCmzvUiYHP9wiMTw= ++ENTRY_END ++ + ; response to query of interest + ENTRY_BEGIN + MATCH opcode qtype qname +@@ -134,10 +158,12 @@ ENTRY_END + STEP 10 CHECK_ANSWER + ENTRY_BEGIN + MATCH all +-REPLY QR RD RA DO SERVFAIL ++REPLY QR RD RA DO AD NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER ++www.example.com. 3600 IN CNAME www.example.com. ++www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854} + SECTION AUTHORITY + SECTION ADDITIONAL + ENTRY_END +diff --git a/testdata/val_cname_loop2.rpl b/testdata/val_cname_loop2.rpl +index 26644bc1..d42bbd2c 100644 +--- a/testdata/val_cname_loop2.rpl ++++ b/testdata/val_cname_loop2.rpl +@@ -5,6 +5,7 @@ server: + val-override-date: "20070916134226" + target-fetch-policy: "0 0 0 0 0" + fake-sha1: yes ++ trust-anchor-signaling: no + + stub-zone: + name: "." +@@ -113,7 +114,7 @@ SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. IN CNAME foo.example.com. +-www.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854} ++www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. 
AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg= + SECTION AUTHORITY + SECTION ADDITIONAL + ENTRY_END +@@ -126,7 +127,7 @@ SECTION QUESTION + foo.example.com. IN A + SECTION ANSWER + foo.example.com. IN CNAME www.example.com. +-foo.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC7kcWPsMnGbjvzj5UNnxQzM0YvnAhUAgxIKgs1huJHvcAP2Xt3p8Adpy/c= ;{id = 2854} ++foo.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AEEIVUwbtfcn2RP41l0PDO+Sk4YdJ0HyRVsgq20fJnrDDC6eFXFGqUg= + SECTION AUTHORITY + SECTION ADDITIONAL + ENTRY_END +@@ -143,10 +144,14 @@ ENTRY_END + STEP 10 CHECK_ANSWER + ENTRY_BEGIN + MATCH all +-REPLY QR RD RA DO SERVFAIL ++REPLY QR RD RA DO AD NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER ++www.example.com. 3600 IN CNAME foo.example.com. ++www.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg= ;{id = 2854} ++foo.example.com. 3600 IN CNAME www.example.com. ++foo.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AEEIVUwbtfcn2RP41l0PDO+Sk4YdJ0HyRVsgq20fJnrDDC6eFXFGqUg= ;{id = 2854} + SECTION AUTHORITY + SECTION ADDITIONAL + ENTRY_END +diff --git a/testdata/val_cname_loop3.rpl b/testdata/val_cname_loop3.rpl +index fbd0d8ab..30e6abfb 100644 +--- a/testdata/val_cname_loop3.rpl ++++ b/testdata/val_cname_loop3.rpl +@@ -5,6 +5,7 @@ server: + val-override-date: "20070916134226" + target-fetch-policy: "0 0 0 0 0" + fake-sha1: yes ++ trust-anchor-signaling: no + + stub-zone: + name: "." +@@ -113,7 +114,7 @@ SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. IN CNAME foo.example.com. +-www.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFH0SwLHe7u56TshoVciFRHEl1KqbAhQ3zBOZMlL8bt1DqoDoM5ni8U/1UA== ;{id = 2854} ++www.example.com. 
3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AD50yy1elnzRmjGCd7FBiWEkYlhQYXaZu0g1JoJMr/ONiXVnV2yiONg= + SECTION AUTHORITY + SECTION ADDITIONAL + ENTRY_END +@@ -126,7 +127,7 @@ SECTION QUESTION + foo.example.com. IN A + SECTION ANSWER + foo.example.com. IN CNAME bar.example.com. +-foo.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFFMlXuWrNL/8aYOl9U9WYjgif8gAAhUAqsC/xOXakHP1SYxMSLANziOik94= ;{id = 2854} ++foo.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AILRq+NAK+k+qCNJAmByoTAkGNveSHT+au0u360OeUa56b8zU7gi6+I= + SECTION AUTHORITY + SECTION ADDITIONAL + ENTRY_END +@@ -139,7 +140,7 @@ SECTION QUESTION + bar.example.com. IN A + SECTION ANSWER + bar.example.com. IN CNAME www.example.com. +-bar.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFAsalUJJSV86uPlfiGS3kKDc0JB7AhQ+qmHqagY/r36Re/J3Q1OfvcA1dA== ;{id = 2854} ++bar.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AKA7eO4DAGPB8vg/OdBLk41/2txpklOJrszT8Gvp+UOVSLYtddNGz+k= + SECTION AUTHORITY + SECTION ADDITIONAL + ENTRY_END +@@ -156,10 +157,13 @@ ENTRY_END + STEP 10 CHECK_ANSWER + ENTRY_BEGIN + MATCH all +-REPLY QR RD RA SERVFAIL ++REPLY QR RD RA NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER ++www.example.com. 3600 IN CNAME foo.example.com. ++foo.example.com. 3600 IN CNAME bar.example.com. ++bar.example.com. 3600 IN CNAME www.example.com. 
+ SECTION AUTHORITY + SECTION ADDITIONAL + ENTRY_END +diff --git a/validator/validator.c b/validator/validator.c +index a924a3f8..81d67cd3 100644 +--- a/validator/validator.c ++++ b/validator/validator.c +@@ -1529,6 +1529,22 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq, + if(verbosity >= VERB_ALGO) + log_dns_msg("chased extract", &vq->qchase, + vq->chase_reply); ++ /* we skipped cnames, and now the reply is empty, is this ++ * a CNAME loop? */ ++ if(vq->rrset_skip > 0 && vq->chase_reply->rrset_count == 0) { ++ if(reply_find_rrset_section_an(vq->orig_msg->rep, ++ lookup_name, lookup_len, LDNS_RR_TYPE_CNAME, ++ vq->qchase.qclass)) { ++ if(anchor) { ++ lock_basic_unlock(&anchor->lock); ++ } ++ verbose(VERB_ALGO, "validator: encountered " ++ "CNAME loop - terminating"); ++ vq->chase_reply->security = vq->orig_msg->rep->security; ++ vq->state = VAL_FINISHED_STATE; ++ return 1; ++ } ++ } + } + + vq->key_entry = key_cache_obtain(ve->kcache, lookup_name, lookup_len, diff --git a/unbound.spec b/unbound.spec index 6f402e1..24a1d95 100644 --- a/unbound.spec +++ b/unbound.spec @@ -3,12 +3,13 @@ %bcond_without python # Python binding %bcond_with dnstap # dnstap replication support %bcond_with systemd # systemd support +%bcond_without tests # Summary: Recursive, validating DNS resolver Summary(pl.UTF-8): Rekurencyjny, weryfikujący resolver DNS Name: unbound Version: 1.6.8 -Release: 2 +Release: 3 License: BSD Group: Applications/Network Source0: http://www.unbound.net/downloads/%{name}-%{version}.tar.gz @@ -171,6 +172,10 @@ touch $RPM_BUILD_ROOT/var/lib/%{name}/root.key %py_postclean %endif +%if %{with tests} +%{__make} check +%endif + %clean rm -rf $RPM_BUILD_ROOT -- 2.44.0
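Review bot: In the validator.c part of this hunk, the new CNAME-loop exit in processInit copies `vq->orig_msg->rep->security` into `vq->chase_reply->security` and moves to `VAL_FINISHED_STATE` without saying why the original message's status can be trusted at that point. The updated val_cname_loop1 and val_cname_loop2 expectations in the same hunk require `AD NOERROR` for loop answers, so the AD bit on those replies appears to rest on this assignment. I would add a comment such as `/* the skipped CNAME rrsets were validated on earlier passes (rrset_skip > 0); reuse that status for the empty chase reply */`, after confirming that `orig_msg->rep->security` is only ever raised by completed validation. The early `return 1` releases only `anchor->lock`; processInit starts outside the hunk, so check that no other lock is held on that path.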
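Review bot: The `%{__make} check` block is added after `%py_postclean` and before `%clean`, which from the hunk context (`touch $RPM_BUILD_ROOT/var/lib/%{name}/root.key`) looks like the `%install` section, so the suite runs after files are staged rather than in a separate test stage. If the target rpm supports it, a `%check` section holding the same three lines would keep install failures and test failures apart. In the first unbound.spec hunk the new `%bcond_without tests #` has an empty trailing comment; `%bcond_without tests # test suite run (make check)` would match the other bcond lines. Because this release carries a patch that changes resolver answers for CNAME loops, a note that building with `--without tests` skips the only check of that patch would be useful.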