1187. [bug] named was incorrectly returning DNSSEC records

in negative responses when the DO bit was not set.

CHANGES

@@ -1,3 +1,6 @@
+1187.	[bug]		named was incorrectly returning DNSSEC records
+			in negative responses when the DO bit was not set.
+
 1181.	[func]		Add the "key-directory" configuration statement,
 			which allows the server to look for online signing
 			keys in alternate directories.

lib/dns/include/dns/masterdump.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.h,v 1.22.12.1 2003/08/01 23:19:13 marka Exp $ */
+/* $Id: masterdump.h,v 1.22.12.2 2003/08/13 01:56:03 marka Exp $ */
 
 #ifndef DNS_MASTERDUMP_H
 #define DNS_MASTERDUMP_H 1
@@ -217,22 +217,6 @@ dns_master_questiontotext(dns_name_t *owner_name,
 			  dns_rdataset_t *rdataset,
 			  const dns_master_style_t *style,
 			  isc_buffer_t *target);
-/*
- * Print a text representation of 'rdataset', a pseudo-rdataset
- * representing a questino.
- *
- * Requires:
- *	'rdataset' is a valid question rdataset.
- *
- *	'rdataset' is not empty.
- */
-
-isc_result_t
-dns_rdataset_towire(dns_rdataset_t *rdataset,
-		    dns_name_t *owner_name,
-		    dns_compress_t *cctx,
-		    isc_buffer_t *target,
-		    unsigned int *countp);
 
 isc_result_t
 dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,

lib/dns/include/dns/message.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.100.2.3.8.1 2003/08/11 05:58:18 marka Exp $ */
+/* $Id: message.h,v 1.100.2.3.8.2 2003/08/13 01:56:03 marka Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -161,6 +161,7 @@ typedef int dns_messagetextflag_t;
  */
 #define DNS_MESSAGERENDER_ORDERED	0x0001	/* don't change order */
 #define DNS_MESSAGERENDER_PARTIAL	0x0002	/* allow a partial rdataset */
+#define DNS_MESSAGERENDER_OMITDNSSEC	0x0004	/* omit DNSSEC records */
 
 typedef struct dns_msgblock dns_msgblock_t;
 

lib/dns/include/dns/ncache.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.h,v 1.12 2001/01/09 21:53:07 bwelling Exp $ */
+/* $Id: ncache.h,v 1.12.12.1 2003/08/13 01:56:03 marka Exp $ */
 
 #ifndef DNS_NCACHE_H
 #define DNS_NCACHE_H 1
@@ -85,11 +85,13 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 
 isc_result_t
 dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
-		  isc_buffer_t *target, unsigned int *countp);
+		  isc_buffer_t *target, isc_boolean_t omit_dnssec,
+		  unsigned int *countp);
 /*
  * Convert the negative caching rdataset 'rdataset' to wire format,
  * compressing names as specified in 'cctx', and storing the result in
- * 'target'.
+ * 'target'.  If 'omit_dnssec' is set, DNSSEC records will not
+ * be added to 'target'.
  *
  * Notes:
  *	The number of RRs added to target will be added to *countp.

lib/dns/include/dns/rdataset.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.41.2.5 2003/07/22 04:03:45 marka Exp $ */
+/* $Id: rdataset.h,v 1.41.2.5.2.1 2003/08/13 01:56:03 marka Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -131,6 +131,12 @@ struct dns_rdataset {
 #define DNS_RDATASETATTR_CHASE		0x1000		/* Used by resolver. */
 #define DNS_RDATASETATTR_NXDOMAIN	0x2000
 
+/*
+ * _OMITDNSSEC:
+ * 	Omit DNSSEC records when rendering ncache records.
+ */
+#define DNS_RDATASETTOWIRE_OMITDNSSEC	0x0001
+
 void
 dns_rdataset_init(dns_rdataset_t *rdataset);
 /*
@@ -306,6 +312,7 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 		    dns_name_t *owner_name,
 		    dns_compress_t *cctx,
 		    isc_buffer_t *target,
+		    unsigned int options,
 		    unsigned int *countp);
 /*
  * Convert 'rdataset' to wire format, compressing names as specified
@@ -346,6 +353,7 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 			  isc_buffer_t *target,
 			  dns_rdatasetorderfunc_t order,
 			  void *order_arg,
+			  unsigned int options,
 			  unsigned int *countp);
 /*
  * Like dns_rdataset_towire(), but sorting the rdatasets according to
@@ -364,6 +372,7 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
 			   isc_buffer_t *target,
 			   dns_rdatasetorderfunc_t order,
 			   void *order_arg,
+			  unsigned int options,
 			   unsigned int *countp,
 			   void **state);
 /*

lib/dns/message.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.194.2.10.2.2 2003/08/11 05:58:18 marka Exp $ */
+/* $Id: message.c,v 1.194.2.10.2.3 2003/08/13 01:56:01 marka Exp $ */
 
 /***
  *** Imports
@@ -1739,6 +1739,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 	isc_buffer_t st; /* for rollbacks */
 	int pass;
 	isc_boolean_t partial = ISC_FALSE;
+	unsigned int rd_options;
 
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(msg->buffer != NULL);
@@ -1752,6 +1753,11 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 	else
 		pass = 1;
 
+	if ((options & DNS_MESSAGERENDER_OMITDNSSEC) == 0)
+		rd_options = 0;
+	else
+		rd_options = DNS_RDATASETTOWIRE_OMITDNSSEC;
+
 	/*
 	 * Shrink the space in the buffer by the reserved amount.
 	 */
@@ -1797,6 +1803,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 							  msg->buffer,
 							  msg->order,
 							  msg->order_arg,
+							  rd_options,
 							  &count,
 							  NULL);
 				else
@@ -1807,6 +1814,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 							  msg->buffer,
 							  msg->order,
 							  msg->order_arg,
+							  rd_options,
 							  &count);
 
 				total += count;
@@ -1933,7 +1941,8 @@ dns_message_renderend(dns_message_t *msg) {
 		 */
 		count = 0;
 		result = dns_rdataset_towire(msg->opt, dns_rootname,
-					     msg->cctx, msg->buffer, &count);
+					     msg->cctx, msg->buffer, 0,
+					     &count);
 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
 		if (result != ISC_R_SUCCESS)
 			return (result);
@@ -1974,7 +1983,8 @@ dns_message_renderend(dns_message_t *msg) {
 			return (result);
 		count = 0;
 		result = dns_rdataset_towire(msg->tsig, msg->tsigname,
-					     msg->cctx, msg->buffer, &count);
+					     msg->cctx, msg->buffer, 0,
+					     &count);
 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
 		if (result != ISC_R_SUCCESS)
 			return (result);
@@ -1996,7 +2006,8 @@ dns_message_renderend(dns_message_t *msg) {
 		 * be set in a message being rendered.
 		 */
 		result = dns_rdataset_towire(msg->sig0, dns_rootname,
-					     msg->cctx, msg->buffer, &count);
+					     msg->cctx, msg->buffer, 0,
+					     &count);
 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
 		if (result != ISC_R_SUCCESS)
 			return (result);

lib/dns/ncache.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.24.2.4.2.1 2003/08/11 05:28:16 marka Exp $ */
+/* $Id: ncache.c,v 1.24.2.4.2.2 2003/08/13 01:56:02 marka Exp $ */
 
 #include <config.h>
 
@@ -256,7 +256,8 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 
 isc_result_t
 dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
-		  isc_buffer_t *target, unsigned int *countp)
+		  isc_buffer_t *target, isc_boolean_t omit_dnssec,
+		  unsigned int *countp)
 {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_result_t result;
@@ -314,6 +315,9 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 			INSIST(remaining.length >= rdata.length);
 			isc_buffer_forward(&source, rdata.length);
 
+			if (omit_dnssec && dns_rdatatype_isdnssec(type))
+				continue;
+
 			/*
 			 * Write the name.
 			 */

lib/dns/rdataset.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.58.2.2 2003/07/22 04:03:43 marka Exp $ */
+/* $Id: rdataset.c,v 1.58.2.2.2.1 2003/08/13 01:56:02 marka Exp $ */
 
 #include <config.h>
 
@@ -273,8 +273,8 @@ static isc_result_t
 towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
 	     dns_compress_t *cctx, isc_buffer_t *target,
 	     dns_rdatasetorderfunc_t order, void *order_arg,
-	     isc_boolean_t partial, unsigned int *countp,
-	     void **state)
+	     isc_boolean_t partial, unsigned int options,
+	     unsigned int *countp, void **state)
 {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_region_t r;
@@ -308,7 +308,10 @@ towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
 		/*
 		 * This is a negative caching rdataset.
 		 */
-		return (dns_ncache_towire(rdataset, cctx, target, countp));
+		isc_boolean_t omit_dnssec;
+		omit_dnssec = ISC_TF(DNS_RDATASETTOWIRE_OMITDNSSEC != 0);
+		return (dns_ncache_towire(rdataset, cctx, target, omit_dnssec,
+					  countp));
 	} else {
 		count = (rdataset->methods->count)(rdataset);
 		result = dns_rdataset_first(rdataset);
@@ -469,10 +472,12 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 			  isc_buffer_t *target,
 			  dns_rdatasetorderfunc_t order,
 			  void *order_arg,
+			  unsigned int options,
 			  unsigned int *countp)
 {
 	return (towiresorted(rdataset, owner_name, cctx, target,
-			     order, order_arg, ISC_FALSE, countp, NULL));
+			     order, order_arg, ISC_FALSE, options,
+			     countp, NULL));
 }
 
 isc_result_t
@@ -482,12 +487,14 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
 			   isc_buffer_t *target,
 			   dns_rdatasetorderfunc_t order,
 			   void *order_arg,
+			   unsigned int options,
 			   unsigned int *countp,
 			   void **state)
 {
 	REQUIRE(state == NULL);	/* XXX remove when implemented */
 	return (towiresorted(rdataset, owner_name, cctx, target,
-			     order, order_arg, ISC_TRUE, countp, state));
+			     order, order_arg, ISC_TRUE, options,
+			     countp, state));
 }
 
 isc_result_t
@@ -495,10 +502,11 @@ dns_rdataset_towire(dns_rdataset_t *rdataset,
 		    dns_name_t *owner_name,
 		    dns_compress_t *cctx,
 		    isc_buffer_t *target,
+		    unsigned int options,
 		    unsigned int *countp)
 {
 	return (towiresorted(rdataset, owner_name, cctx, target,
-			     NULL, NULL, ISC_FALSE, countp, NULL));
+			     NULL, NULL, ISC_FALSE, options, countp, NULL));
 }
 
 isc_result_t