From 29b1ebf435aa685e447d2b28b1ea8eb79ecc70ae Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 29 May 2008 05:30:30 +0000 Subject: [PATCH] 2376. [bug] Change #2144 was not complete. --- CHANGES | 84 ++++++++++++++++++++++++---------------------- lib/dns/resolver.c | 4 +-- 2 files changed, 45 insertions(+), 43 deletions(-) diff --git a/CHANGES b/CHANGES index c72107d21a..4f3ad4de11 100644 --- a/CHANGES +++ b/CHANGES @@ -1,7 +1,9 @@ -2375. [security] Fully randomize UDP query ports to improve +2376. [bug] Change #2144 was not complete. + +2375. [security] Fully randomize UDP query ports to improve forgery resilience. [RT #17949] -2372. [bug] fixed incorrect TAG_HMACSHA256_BITS value [RT #18047] +2372. [bug] fixed incorrect TAG_HMACSHA256_BITS value [RT #18047] 2369. [bug] libbind: Array bounds overrun on read in bitncmp(). [RT #18054] @@ -51,12 +53,12 @@ 2337. [bug] BUILD_LDFLAGS was not being correctly set. [RT #17614] -2335. [port] sunos: libbind and *printf() support for long long. +2335. [port] sunos: libbind and *printf() support for long long. [RT #17513] 2334. [bug] Bad REQUIRES in fromstruct_in_naptr(), off by one bug in fromstruct_txt(). [RT #17609] - + 2333. [bug] Fix off by one error in isc_time_nowplusinterval(). [RT #17608] @@ -90,7 +92,7 @@ 2322. [port] MacOS: work around the limitation of setrlimit() for RLIMIT_NOFILE. [RT #17526] -2319. [bug] Silence Coverity warnings in +2319. [bug] Silence Coverity warnings in lib/dns/rdata/in_1/apl_42.c. [RT #17469] 2318. [port] sunos fixes for libbind. [RT #17514] @@ -104,9 +106,9 @@ 2312. [cleanup] Silence Coverity warning in lib/isc/unix/socket.c. [RT #17458] -2311. [func] Update ACL regression test. [RT #17462] +2311. [func] Update ACL regression test. [RT #17462] -2310. [bug] dig, host, nslookup: flush stdout before emitting +2310. [bug] dig, host, nslookup: flush stdout before emitting debug/fatal messages. [RT #17501] 2308. [cleanup] Silence Coverity warning in bin/named/controlconf.c. @@ -130,7 +132,7 @@ 2301. [bug] Remove resource leak and fix error messages in bin/tests/system/lwresd/lwtest.c. [RT #17474] -2300. [bug] Fixed failure to close open file in +2300. [bug] Fixed failure to close open file in bin/tests/names/t_names.c. [RT #17473] 2299. [bug] Remove unnecessary NULL check in @@ -153,7 +155,7 @@ 2292. [bug] Log if the working directory is not writable. [RT #17312] -2291. [bug] PR_SET_DUMPABLE may be set too late. Also report +2291. [bug] PR_SET_DUMPABLE may be set too late. Also report failure to set PR_SET_DUMPABLE. [RT #17312] 2290. [bug] Let AD in the query signal that the client wants AD @@ -172,7 +174,7 @@ memory context rather than the clients memory context. [RT #17377] -2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available, +2279. [bug] Use setsockopt(SO_NOSIGPIPE), when available, to protect applications from receiving spurious SIGPIPE signals when using the resolver. @@ -248,10 +250,10 @@ reality. Note there is behaviour change for BIND 9.5. [RT #17113] -2249. [bug] Only set Authentic Data bit if client requested - DNSSEC, per RFC 3655 [RT #17175] +2249. [bug] Only set Authentic Data bit if client requested + DNSSEC, per RFC 3655 [RT #17175] -2248. [cleanup] Fix several errors reported by Coverity. [RT #17160] +2248. [cleanup] Fix several errors reported by Coverity. [RT #17160] 2245. [bug] Validating lack of DS records at trust anchors wasn't working. [RT #17151] @@ -266,8 +268,8 @@ 2235. [bug] was not being installed. [RT #17135] -2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134] - +2234. [port] Correct some compiler warnings on SCO OSr5 [RT #17134] + 2232. [bug] dns_adb_findaddrinfo() could fail and return ISC_R_SUCCESS. [RT #17137] @@ -282,7 +284,7 @@ 2227. [cleanup] Tidied up the FAQ. [RT #17121] 2225. [bug] More support for systems with no IPv4 addresses. - [RT #17111] + [RT #17111] 2224. [bug] Defer journal compaction if a xfrin is in progress. [RT #17119] @@ -296,7 +298,7 @@ 2220. [bug] win32: Address a race condition in final shutdown of the Windows socket code. [RT #17028] - + 2219. [bug] Apply zone consistency checks to additions, not removals, when updating. [RT #17049] @@ -304,7 +306,7 @@ [RT #16976] 2216. [cleanup] Fix a number of errors reported by Coverity. - [RT #17094] + [RT #17094] 2215. [bug] Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094] @@ -347,13 +349,13 @@ localhost;) is used. [RT #16987] - + 2205. [bug] libbind: change #2119 broke thread support. [RT #16982] 2203. [security] Query id generation was cryptographically weak. [RT # 16915] -2202. [security] The default acls for allow-query-cache and +2202. [security] The default acls for allow-query-cache and allow-recursion were not being applied. [RT #16960] 2200. [bug] The search for cached NSEC records was stopping to @@ -446,7 +448,7 @@ a server address as a name to be looked up, causing unexpected output. [RT #16743] -2164. [bug] The code to determine how named-checkzone / +2164. [bug] The code to determine how named-checkzone / named-compilezone was called failed under windows. [RT #16764] @@ -629,14 +631,14 @@ 2095. [port] libbind: alway prototype inet_cidr_ntop_ipv6() and net_cidr_ntop_ipv6(). [RT #16388] - + 2094. [contrib] Update named-bootconf. [RT# 16404] 2093. [bug] named-checkzone -s was broken. 2092. [bug] win32: dig, host, nslookup. Use registry config if resolv.conf does not exist or no nameservers - listed. [RT #15877] + listed. [RT #15877] 2091. [port] dighost.c: race condition on cleanup. [RT #16417] @@ -1044,7 +1046,7 @@ 1964. [func] Separate out MX and SRV to CNAME checks. [RT #15723] -1963. [port] Tru64 4.0E doesn't support send() and recv(). +1963. [port] Tru64 4.0E doesn't support send() and recv(). [RT #15586] 1962. [bug] Named failed to clear old update-policy when it @@ -1087,7 +1089,7 @@ 1951. [security] Drop queries from particular well known ports. Don't return FORMERR to queries from particular well known ports. [RT #15636] - + 1950. [port] Solaris 2.5.1 and earlier cannot bind() then connect() a TCP socket. This prevents the source address being set for TCP connections. [RT #15628] @@ -1109,7 +1111,7 @@ 1945. [cleanup] dnssec-keygen: RSA (RSAMD5) is no longer recommended. To generate a RSAMD5 key you must explicitly request RSAMD5. [RT #13780] - + 1944. [cleanup] isc_hash_create() does not need a read/write lock. [RT #15522] @@ -1231,7 +1233,7 @@ [RT #15034] 1905. [bug] Strings returned from cfg_obj_asstring() should be - treated as read-only. The prototype for + treated as read-only. The prototype for cfg_obj_asstring() has been updated to reflect this. [RT #15256] @@ -1361,10 +1363,10 @@ 1863. [bug] rrset-order "fixed" error messages not complete. 1862. [func] Add additional zone data constancy checks. - named-checkzone has extended checking of NS, MX and + named-checkzone has extended checking of NS, MX and SRV record and the hosts they reference. named has extended post zone load checks. - New zone options: check-mx and integrity-check. + New zone options: check-mx and integrity-check. [RT #4940] 1861. [bug] dig could trigger a INSIST on certain malformed @@ -1407,9 +1409,9 @@ 1848. [bug] Improve SMF integration. [RT #13238] 1847. [bug] isc_ondestroy_init() is called too late in - dns_rbtdb_create()/dns_rbtdb64_create(). + dns_rbtdb_create()/dns_rbtdb64_create(). [RT #13661] - + 1846. [contrib] query-loc-0.3.0 from Stephane Bortzmeyer . @@ -1695,7 +1697,7 @@ [RT #12866] 1748. [func] dig now returns the byte count for axfr/ixfr. - + 1747. [bug] BIND 8 compatibility: named/named-checkconf failed to parse "host-statistics-max" in named.conf. @@ -1713,7 +1715,7 @@ requested number of worker threads then destruction of the manager would trigger an INSIST() failure. [RT #12790] - + 1742. [bug] Deleting all records at a node then adding a previously existing record, in a single UPDATE transaction, failed to leave / regenerate the @@ -1724,7 +1726,7 @@ 1740. [bug] Replace rbt's hash algorithm as it performed badly with certain zones. [RT #12729] - + NOTE: a hash context now needs to be established via isc_hash_create() if the application was not already doing this. @@ -1739,7 +1741,7 @@ 1736. [bug] dst_key_fromnamedfile() could fail to read a public key. [RT #12687] - + 1735. [bug] 'dig +sigtrace' could die with a REQUIRE failure. [RE #12688] @@ -1916,7 +1918,7 @@ 1675. [bug] named would sometimes add extra NSEC records to the authority section. - + 1674. [port] linux: increase buffer size used to scan /proc/net/if_inet6. @@ -1988,7 +1990,7 @@ 1648. [func] Update dnssec-lookaside named.conf syntax to support multiple dnssec-lookaside namespaces (not yet - implemented). + implemented). 1647. [bug] It was possible trigger a INSIST when chasing a DS record that required walking back over a empty node. @@ -2018,7 +2020,7 @@ 1638. [bug] "ixfr-from-differences" could generate a REQUIRE failure if the journal open failed. [RT #11347] - + 1637. [bug] Node reference leak on error in addnoqname(). 1636. [bug] The dump done callback could get ISC_R_SUCCESS even if @@ -2112,21 +2114,21 @@ 1607. [bug] dig, host and nslookup were still using random() to generate query ids. [RT# 11013] -1606. [bug] DLV insecurity proof was failing. +1606. [bug] DLV insecurity proof was failing. 1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. 1604. [bug] A xfrout_ctx_create() failure would result in xfrout_ctx_destroy() being called with a partially initialized structure. - + 1603. [bug] nsupdate: set interactive based on isatty(). [RT# 10929] 1602. [bug] Logging to a file failed unless a size was specified. [RT# 10925] -1601. [bug] Silence spurious warning 'both "recursion no;" and +1601. [bug] Silence spurious warning 'both "recursion no;" and "allow-recursion" active' warning from view "_bind". [RT# 10920] diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 5357845729..c85cf2a00c 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.284.18.72 2008/05/22 21:16:05 each Exp $ */ +/* $Id: resolver.c,v 1.284.18.73 2008/05/29 05:30:30 marka Exp $ */ /*! \file */ @@ -1928,7 +1928,7 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason) { return; if (reason == DNS_R_UNEXPECTEDRCODE && - fctx->rmessage->opcode == dns_rcode_servfail && + fctx->rmessage->rcode == dns_rcode_servfail && ISFORWARDER(addrinfo)) return;