From: Doug Barton
Date: Wed, 6 Jul 2011 00:50:55 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r223815 - in stable/8/contrib/bind9: . bin/named lib/dns lib/dns/include/dns

Author: dougb
Date: Wed Jul 6 00:50:54 2011
New Revision: 223815
URL: http://svn.freebsd.org/changeset/base/223815

Log:
  Update to version 9.6-ESV-R4-P3

  ALL BIND USERS ARE ENCOURAGED TO UPGRADE IMMEDIATELY

  This update addresses the following vulnerability:

  CVE-2011-2464
  =============
  Severity: High
  Exploitable: Remotely

  Description: A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packet. This defect affects both recursive and authoritative servers. The code location of the defect makes it impossible to protect BIND using ACLs configured within named.conf or by disabling any features at compile-time or run-time.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464 https://www.isc.org/software/bind/advisories/cve-2011-2464 Modified: stable/8/contrib/bind9/CHANGES stable/8/contrib/bind9/bin/named/bind9.xsl.h stable/8/contrib/bind9/lib/dns/api stable/8/contrib/bind9/lib/dns/include/dns/masterdump.h stable/8/contrib/bind9/lib/dns/include/dns/rdataset.h stable/8/contrib/bind9/lib/dns/masterdump.c stable/8/contrib/bind9/lib/dns/message.c stable/8/contrib/bind9/lib/dns/ncache.c stable/8/contrib/bind9/lib/dns/rbtdb.c stable/8/contrib/bind9/lib/dns/rdataset.c stable/8/contrib/bind9/lib/dns/resolver.c stable/8/contrib/bind9/lib/dns/validator.c stable/8/contrib/bind9/version Directory Properties: stable/8/contrib/bind9/ (props changed) Modified: stable/8/contrib/bind9/CHANGES ============================================================================== --- stable/8/contrib/bind9/CHANGES Wed Jul 6 00:50:27 2011 (r223814) +++ stable/8/contrib/bind9/CHANGES Wed Jul 6 00:50:54 2011 (r223815) @@ -1,3 +1,16 @@ + --- 9.6-ESV-R4-P3 released --- + +3124. [bug] Use an rdataset attribute flag to indicate + negative-cache records rather than using rrtype 0; + this will prevent problems when that rrtype is + used in actual DNS packets. [RT #24777] + + --- 9.6-ESV-R4-P2 released (withdrawn) --- + +3123. [security] Change #2912 exposed a latent flaw in + dns_rdataset_totext() that could cause named to + crash with an assertion failure. [RT #24777] + --- 9.6-ESV-R4-P1 released --- 3121. [security] An authoritative name server sending a negative Modified: stable/8/contrib/bind9/bin/named/bind9.xsl.h ============================================================================== --- stable/8/contrib/bind9/bin/named/bind9.xsl.h Wed Jul 6 00:50:27 2011 (r223814) +++ stable/8/contrib/bind9/bin/named/bind9.xsl.h Wed Jul 6 00:50:54 2011 (r223815) 
@@ -1,6 +1,6 @@ /* - * Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp - * From bind9.xsl 1.19.82.2 2009/01/29 23:47:43 tbox Exp + * Generated by convertxsl.pl 1.14 2008-07-17 23:43:26 jinmei Exp + * From bind9.xsl 1.19.82.2 2009-01-29 23:47:43 tbox Exp */ static char xslmsg[] = "\n" @@ -20,7 +20,7 @@ static char xslmsg[] = " - PERFORMANCE OF THIS SOFTWARE.\n" "-->\n" "\n" - "\n" + "\n" "\n" "type == 0) { + if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) { type = rdataset->covers; } else { type = rdataset->type; } - { - unsigned int type_start; - INDENT_TO(type_column); - type_start = target->used; - if (rdataset->type == 0) - RETERR(str_totext("\\-", target)); - result = dns_rdatatype_totext(type, target); - if (result != ISC_R_SUCCESS) - return (result); - column += (target->used - type_start); - } + INDENT_TO(type_column); + type_start = target->used; + if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) + RETERR(str_totext("\\-", target)); + result = dns_rdatatype_totext(type, target); + if (result != ISC_R_SUCCESS) + return (result); + column += (target->used - type_start); /* * Rdata. */ INDENT_TO(rdata_column); - if (rdataset->type == 0) { + if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) { if (NXDOMAIN(rdataset)) RETERR(str_totext(";-$NXDOMAIN\n", target)); else @@ -814,7 +812,7 @@ dump_rdatasets_text(isc_mem_t *mctx, dns if (ctx->style.flags & DNS_STYLEFLAG_TRUST) { fprintf(f, "; %s\n", dns_trust_totext(rds->trust)); } - if (rds->type == 0 && + if (((rds->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) && (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) { /* Omit negative cache entries */ } else { 
@@ -979,7 +977,7 @@ dump_rdatasets_raw(isc_mem_t *mctx, dns_ dns_rdataset_init(&rdataset); dns_rdatasetiter_current(rdsiter, &rdataset); - if (rdataset.type == 0 && + if (((rdataset.attributes & DNS_RDATASETATTR_NEGATIVE) != 0) && (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) { /* Omit negative cache entries */ } else { Modified: stable/8/contrib/bind9/lib/dns/message.c ============================================================================== --- stable/8/contrib/bind9/lib/dns/message.c Wed Jul 6 00:50:27 2011 (r223814) +++ stable/8/contrib/bind9/lib/dns/message.c Wed Jul 6 00:50:54 2011 (r223815) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: message.c,v 1.245.50.7 2010-06-03 05:29:03 marka Exp $ */ +/* $Id: message.c,v 1.245.50.7.6.3 2011-06-21 20:13:22 each Exp $ */ /*! \file */ @@ -2469,7 +2469,7 @@ dns_message_peekheader(isc_buffer_t *sou isc_result_t dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) { - unsigned int first_section; + unsigned int clear_after; isc_result_t result; REQUIRE(DNS_MESSAGE_VALID(msg)); 
@@ -2481,15 +2481,15 @@ dns_message_reply(dns_message_t *msg, is msg->opcode != dns_opcode_notify) want_question_section = ISC_FALSE; if (msg->opcode == dns_opcode_update) - first_section = DNS_SECTION_ADDITIONAL; + clear_after = DNS_SECTION_PREREQUISITE; else if (want_question_section) { if (!msg->question_ok) return (DNS_R_FORMERR); - first_section = DNS_SECTION_ANSWER; + clear_after = DNS_SECTION_ANSWER; } else - first_section = DNS_SECTION_QUESTION; + clear_after = DNS_SECTION_QUESTION; msg->from_to_wire = DNS_MESSAGE_INTENTRENDER; - msgresetnames(msg, first_section); + msgresetnames(msg, clear_after); msgresetopt(msg); msgresetsigs(msg, ISC_TRUE); msginitprivate(msg); Modified: stable/8/contrib/bind9/lib/dns/ncache.c ============================================================================== --- stable/8/contrib/bind9/lib/dns/ncache.c Wed Jul 6 00:50:27 2011 (r223814) +++ stable/8/contrib/bind9/lib/dns/ncache.c Wed Jul 6 00:50:54 2011 (r223815) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2005, 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2005, 2007, 2008, 2010, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: ncache.c,v 1.43.48.7.6.1 2011-05-27 00:19:19 each Exp $ */ +/* $Id: ncache.c,v 1.43.48.7.6.3 2011-06-21 20:13:22 each Exp $ */ /*! \file */ @@ -294,6 +294,7 @@ dns_ncache_addoptout(dns_message_t *mess RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset) == ISC_R_SUCCESS); ncrdataset.trust = trust; + ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE; if (message->rcode == dns_rcode_nxdomain) ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN; if (optout) 
@@ -324,6 +325,7 @@ dns_ncache_towire(dns_rdataset_t *rdatas REQUIRE(rdataset != NULL); REQUIRE(rdataset->type == 0); + REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0); savedbuffer = *target; count = 0; @@ -552,6 +554,7 @@ dns_ncache_getrdataset(dns_rdataset_t *n REQUIRE(ncacherdataset != NULL); REQUIRE(ncacherdataset->type == 0); + REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0); REQUIRE(name != NULL); REQUIRE(!dns_rdataset_isassociated(rdataset)); REQUIRE(type != dns_rdatatype_rrsig); @@ -628,6 +631,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t REQUIRE(ncacherdataset != NULL); REQUIRE(ncacherdataset->type == 0); + REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0); REQUIRE(name != NULL); REQUIRE(!dns_rdataset_isassociated(rdataset)); @@ -727,6 +731,7 @@ dns_ncache_current(dns_rdataset_t *ncach REQUIRE(ncacherdataset != NULL); REQUIRE(ncacherdataset->type == 0); + REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0); REQUIRE(found != NULL); REQUIRE(!dns_rdataset_isassociated(rdataset)); Modified: stable/8/contrib/bind9/lib/dns/rbtdb.c ============================================================================== --- stable/8/contrib/bind9/lib/dns/rbtdb.c Wed Jul 6 00:50:27 2011 (r223814) +++ stable/8/contrib/bind9/lib/dns/rbtdb.c Wed Jul 6 00:50:54 2011 (r223815) @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.270.12.26 2010-12-02 05:09:58 marka Exp $ */ +/* $Id: rbtdb.c,v 1.270.12.26.4.1 2011-06-21 20:13:23 each Exp $ */ /*! \file */ @@ -278,6 +278,7 @@ typedef ISC_LIST(dns_rbtnode_t) #define RDATASET_ATTR_RESIGN 0x0020 #define RDATASET_ATTR_STATCOUNT 0x0040 #define RDATASET_ATTR_OPTOUT 0x0080 +#define RDATASET_ATTR_NEGATIVE 0x0100 typedef struct acache_cbarg { dns_rdatasetadditional_t type; 
@@ -316,6 +317,8 @@ struct acachectl { (((header)->attributes & RDATASET_ATTR_RESIGN) != 0) #define OPTOUT(header) \ (((header)->attributes & RDATASET_ATTR_OPTOUT) != 0) +#define NEGATIVE(header) \ + (((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0) #define DEFAULT_NODE_LOCK_COUNT 7 /*%< Should be prime. */ @@ -391,12 +394,15 @@ typedef ISC_LIST(rbtdb_version_t) typedef struct { /* Unlocked. */ dns_db_t common; + /* Locks the data in this struct */ #if DNS_RBTDB_USERWLOCK isc_rwlock_t lock; #else isc_mutex_t lock; #endif + /* Locks the tree structure (prevents nodes appearing/disappearing) */ isc_rwlock_t tree_lock; + /* Locks for individual tree nodes */ unsigned int node_lock_count; rbtdb_nodelock_t * node_locks; dns_rbtnode_t * origin_node; @@ -689,11 +695,13 @@ update_rrsetstats(dns_rbtdb_t *rbtdb, rd /* At the moment we count statistics only for cache DB */ INSIST(IS_CACHE(rbtdb)); - if (NXDOMAIN(header)) - statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN; - else if (RBTDB_RDATATYPE_BASE(header->type) == 0) { - statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET; - base = RBTDB_RDATATYPE_EXT(header->type); + if (NEGATIVE(header)) { + if (NXDOMAIN(header)) + statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN; + else { + statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET; + base = RBTDB_RDATATYPE_EXT(header->type); + } } else base = RBTDB_RDATATYPE_BASE(header->type); @@ -2727,6 +2735,8 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rb rdataset->covers = RBTDB_RDATATYPE_EXT(header->type); rdataset->ttl = header->rdh_ttl - now; rdataset->trust = header->trust; + if (NEGATIVE(header)) + rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE; if (NXDOMAIN(header)) rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN; if (OPTOUT(header)) @@ -4636,7 +4646,7 @@ cache_find(dns_db_t *db, dns_name_t *nam *nodep = node; } - if (RBTDB_RDATATYPE_BASE(found->type) == 0) { + if (NEGATIVE(found)) { /* * We found a negative cache entry. */ 
@@ -5305,7 +5315,7 @@ cache_findrdataset(dns_db_t *db, dns_dbn if (found == NULL) return (ISC_R_NOTFOUND); - if (RBTDB_RDATATYPE_BASE(found->type) == 0) { + if (NEGATIVE(found)) { /* * We found a negative cache entry. */ @@ -5516,7 +5526,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *r negtype = 0; if (rbtversion == NULL && !newheader_nx) { rdtype = RBTDB_RDATATYPE_BASE(newheader->type); - if (rdtype == 0) { + if (NEGATIVE(newheader)) { /* * We're adding a negative cache entry. */ @@ -6056,6 +6066,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t * } else { newheader->serial = 1; newheader->resign = 0; + if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) + newheader->attributes |= RDATASET_ATTR_NEGATIVE; if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0) newheader->attributes |= RDATASET_ATTR_NXDOMAIN; if ((rdataset->attributes & DNS_RDATASETATTR_OPTOUT) != 0) @@ -6780,7 +6792,7 @@ getsigningtime(dns_db_t *db, dns_rdatase REQUIRE(VALID_RBTDB(rbtdb)); - RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read); + RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); for (i = 0; i < rbtdb->node_lock_count; i++) { NODE_LOCK(&rbtdb->node_locks[i].lock, isc_rwlocktype_read); @@ -6816,7 +6828,7 @@ getsigningtime(dns_db_t *db, dns_rdatase result = ISC_R_SUCCESS; unlock: - RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read); + RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); return (result); } @@ -6838,7 +6850,7 @@ resigned(dns_db_t *db, dns_rdataset_t *r header = rdataset->private3; header--; - RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); + RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); NODE_LOCK(&rbtdb->node_locks[node->locknum].lock, isc_rwlocktype_write); /* @@ -6852,7 +6864,7 @@ resigned(dns_db_t *db, dns_rdataset_t *r NODE_UNLOCK(&rbtdb->node_locks[node->locknum].lock, isc_rwlocktype_write); - RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); + RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); } static dns_stats_t * 
@@ -7638,7 +7650,7 @@ rdatasetiter_next(dns_rdatasetiter_t *it type = header->type; rdtype = RBTDB_RDATATYPE_BASE(header->type); - if (rdtype == 0) { + if (NEGATIVE(header)) { covers = RBTDB_RDATATYPE_EXT(header->type); negtype = RBTDB_RDATATYPE_VALUE(covers, 0); } else Modified: stable/8/contrib/bind9/lib/dns/rdataset.c ============================================================================== --- stable/8/contrib/bind9/lib/dns/rdataset.c Wed Jul 6 00:50:27 2011 (r223814) +++ stable/8/contrib/bind9/lib/dns/rdataset.c Wed Jul 6 00:50:54 2011 (r223815) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rdataset.c,v 1.82.50.4.6.1 2011-05-27 00:19:19 each Exp $ */ +/* $Id: rdataset.c,v 1.82.50.4.6.3 2011-06-21 20:13:23 each Exp $ */ /*! \file */ @@ -345,7 +345,7 @@ towiresorted(dns_rdataset_t *rdataset, c count = 1; result = dns_rdataset_first(rdataset); INSIST(result == ISC_R_NOMORE); - } else if (rdataset->type == 0) { + } else if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) { /* * This is a negative caching rdataset. */ Modified: stable/8/contrib/bind9/lib/dns/resolver.c ============================================================================== --- stable/8/contrib/bind9/lib/dns/resolver.c Wed Jul 6 00:50:27 2011 (r223814) +++ stable/8/contrib/bind9/lib/dns/resolver.c Wed Jul 6 00:50:54 2011 (r223815) @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.384.14.30 2011-01-27 23:45:47 tbox Exp $ */ +/* $Id: resolver.c,v 1.384.14.30.4.1 2011-06-21 20:13:23 each Exp $ */ /*! \file */ 
@@ -424,6 +424,7 @@ struct dns_resolver { FCTX_ADDRINFO_TRIED) != 0) #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0) +#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) static void destroy(dns_resolver_t *res); static void empty_bucket(dns_resolver_t *res); @@ -1047,7 +1048,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_re * Negative results must be indicated in event->result. */ if (dns_rdataset_isassociated(event->rdataset) && - event->rdataset->type == dns_rdatatype_none) { + NEGATIVE(event->rdataset)) { INSIST(event->result == DNS_R_NCACHENXDOMAIN || event->result == DNS_R_NCACHENXRRSET); } @@ -4177,7 +4178,7 @@ validated(isc_task_t *task, isc_event_t if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED) goto noanswer_response; - if (ardataset != NULL && ardataset->type == 0) { + if (ardataset != NULL && NEGATIVE(ardataset)) { if (NXDOMAIN(ardataset)) eresult = DNS_R_NCACHENXDOMAIN; else @@ -4498,7 +4499,7 @@ cache_name(fetchctx_t *fctx, dns_name_t result = ISC_R_SUCCESS; if (!need_validation && ardataset != NULL && - ardataset->type == 0) { + NEGATIVE(ardataset)) { /* * The answer in the cache is * better than the answer we @@ -4628,7 +4629,7 @@ cache_name(fetchctx_t *fctx, dns_name_t if (result == DNS_R_UNCHANGED) { if (ANSWER(rdataset) && ardataset != NULL && - ardataset->type == 0) { + NEGATIVE(ardataset)) { /* * The answer in the cache is better * than the answer we found, and is @@ -4658,7 +4659,7 @@ cache_name(fetchctx_t *fctx, dns_name_t * Negative results must be indicated in event->result. */ if (dns_rdataset_isassociated(event->rdataset) && - event->rdataset->type == dns_rdatatype_none) { + NEGATIVE(event->rdataset)) { INSIST(eresult == DNS_R_NCACHENXDOMAIN || eresult == DNS_R_NCACHENXRRSET); } 
@@ -4738,7 +4739,7 @@ ncache_adderesult(dns_message_t *message * care about whether it is DNS_R_NCACHENXDOMAIN or * DNS_R_NCACHENXRRSET then extract it. */ - if (ardataset->type == 0) { + if (NEGATIVE(ardataset)) { /* * The cache data is a negative cache entry. */ Modified: stable/8/contrib/bind9/lib/dns/validator.c ============================================================================== --- stable/8/contrib/bind9/lib/dns/validator.c Wed Jul 6 00:50:27 2011 (r223814) +++ stable/8/contrib/bind9/lib/dns/validator.c Wed Jul 6 00:50:54 2011 (r223815) @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.164.12.23.4.1 2011-05-27 00:19:19 each Exp $ */ +/* $Id: validator.c,v 1.164.12.23.4.3 2011-06-21 20:13:23 each Exp $ */ #include @@ -129,6 +129,8 @@ #define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0) #define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0) +#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) + static void destroy(dns_validator_t *val); @@ -733,7 +735,7 @@ dsvalidated(isc_task_t *task, isc_event_ name = dns_fixedname_name(&val->fname); if ((val->attributes & VALATTR_INSECURITY) != 0 && val->frdataset.covers == dns_rdatatype_ds && - val->frdataset.type == 0 && + NEGATIVE(&val->frdataset) && isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) { if (val->mustbesecure) { validator_log(val, ISC_LOG_WARNING, 
@@ -3909,7 +3911,7 @@ validator_start(isc_task_t *task, isc_ev val->attributes |= VALATTR_NEEDNODATA; result = nsecvalidate(val, ISC_FALSE); } else if (val->event->rdataset != NULL && - val->event->rdataset->type == 0) + NEGATIVE(val->event->rdataset)) { /* * This is a nonexistence validation. Modified: stable/8/contrib/bind9/version ============================================================================== --- stable/8/contrib/bind9/version Wed Jul 6 00:50:27 2011 (r223814) +++ stable/8/contrib/bind9/version Wed Jul 6 00:50:54 2011 (r223815) @@ -1,4 +1,4 @@ -# $Id: version,v 1.43.12.11.2.2.2.1 2011-05-27 00:19:16 each Exp $ +# $Id: version,v 1.43.12.11.2.2.2.3 2011-06-21 20:35:59 each Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -7,4 +7,4 @@ MAJORVER=9 MINORVER=6 PATCHVER= RELEASETYPE=-ESV -RELEASEVER=-R4-P1 +RELEASEVER=-R4-P3
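Review bot: In lib/dns/message.c, dns_message_reply(), the rename of first_section to clear_after also changes the constant used for dns_opcode_update from DNS_SECTION_ADDITIONAL to DNS_SECTION_PREREQUISITE, so a behaviour change is riding on what reads as a rename, and neither CHANGES entry added by this commit (3123, 3124) mentions it. The other two branches keep their constants, which makes the update branch easy to miss. Please add a comment above that assignment stating which sections of an UPDATE request the reply is meant to retain, and document what msgresetnames() does with its second argument now that the variable name implies "clear everything after this section".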
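Review bot: In lib/dns/ncache.c, dns_ncache_towire(), dns_ncache_getrdataset(), dns_ncache_getsigrdataset() and dns_ncache_current() now REQUIRE both rdataset->type == 0 and DNS_RDATASETATTR_NEGATIVE, so a type-0 rdataset that reaches them without the flag aborts named, which is the same failure class (assertion failure) that CHANGES entry 3123 describes. The diff sets the flag in dns_ncache_addoptout() and carries it through bind_rdataset() and addrdataset() in rbtdb.c; please confirm there is no other producer of negative rdatasets left unflagged, and add a one-line comment at the first REQUIRE pair explaining that type 0 is still the stored representation while the attribute is now the authoritative test, so the double check does not look redundant to the next reader.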
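Review bot: In lib/dns/rbtdb.c, update_rrsetstats(), the NXDOMAIN(header) test moved inside the new NEGATIVE(header) block, so a header that has RDATASET_ATTR_NXDOMAIN set without RDATASET_ATTR_NEGATIVE is no longer counted as DNS_RDATASTATSTYPE_ATTR_NXDOMAIN and instead falls through to base = RBTDB_RDATATYPE_BASE(header->type). Before this change the NXDOMAIN test stood on its own. addrdataset() copies the two attributes independently, so nothing in the visible code enforces that NXDOMAIN implies NEGATIVE. If that invariant is intended, state it with an INSIST(!NXDOMAIN(header) || NEGATIVE(header)) here or where the header attributes are set; if it is not, keep the NXDOMAIN test outside the NEGATIVE block.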
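Review bot: In lib/dns/rbtdb.c, getsigningtime() and resigned() switch from RBTDB_LOCK(&rbtdb->lock, ...) to RWLOCK(&rbtdb->tree_lock, ...), a locking change that is unrelated to the negative-cache flag and is not covered by CHANGES entries 3123 or 3124. The new struct comments say lock protects "the data in this struct" and tree_lock "prevents nodes appearing/disappearing", but they do not say which of the two guards the state these functions read and modify, nor the required acquisition order relative to the per-node locks taken immediately afterwards. Please add that to the struct comments and give the change its own CHANGES line, since resigned() now takes tree_lock for write and that affects every reader of the tree.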
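Review bot: lib/dns/resolver.c and lib/dns/validator.c each add an identical private NEGATIVE(r) macro, lib/dns/rbtdb.c adds a NEGATIVE(header) that tests a different constant (RDATASET_ATTR_NEGATIVE rather than DNS_RDATASETATTR_NEGATIVE), and masterdump.c and rdataset.c spell out (rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0 by hand. Since the whole fix depends on every site using the same test instead of type == 0, put one macro for the rdataset form in the shared header beside the DNS_RDATASETATTR_NEGATIVE definition and use it everywhere, and give the rbtdb.c header-level macro a distinct name so the two flag spaces cannot be confused when code is moved between files.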