| author | Doug Barton <dougb@FreeBSD.org> | 2011-08-02 07:40:29 +0000 |
|---|---|---|
| committer | Doug Barton <dougb@FreeBSD.org> | 2011-08-02 07:40:29 +0000 |
| commit | 92ca6d96a96522bb1e8e222f02352a8b98d9203b (patch) | |
| tree | bcab1b6e0db4d240584439eef7fd10b076cded30 /bin | |
| parent | d2b93373b258059aa9768088e51b34573accbb40 (diff) | |
Diffstat (limited to 'bin')
| -rw-r--r-- | bin/dnssec/dnssec-signzone.c | 24 | ||||
| -rw-r--r-- | bin/named/client.c | 6 | ||||
| -rw-r--r-- | bin/named/logconf.c | 59 | ||||
| -rw-r--r-- | bin/named/update.c | 6 | ||||
| -rw-r--r-- | bin/named/zoneconf.c | 30 |
5 files changed, 70 insertions, 55 deletions
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 3ce7a4fbebc4..f2473ae443f2 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * Portions Copyright (C) 1995-2000 by Network Associates, Inc. * @@ -16,7 +16,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.177.18.29 2009-07-21 06:44:32 tbox Exp $ */ +/* $Id: dnssec-signzone.c,v 1.177.18.31 2011-02-27 23:45:14 tbox Exp $ */ /*! \file */ 
@@ -435,32 +435,32 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, if (!expired) keep = ISC_TRUE; } else if (issigningkey(key)) { - if (!expired && setverifies(name, set, key, &sigrdata)) - { + if (!expired && rrsig.originalttl == set->ttl && + setverifies(name, set, key, &sigrdata)) { vbprintf(2, "\trrsig by %s retained\n", sigstr); keep = ISC_TRUE; wassignedby[key->position] = ISC_TRUE; nowsignedby[key->position] = ISC_TRUE; } else { vbprintf(2, "\trrsig by %s dropped - %s\n", - sigstr, - expired ? "expired" : - "failed to verify"); + sigstr, expired ? "expired" : + rrsig.originalttl != set->ttl ? + "ttl change" : "failed to verify"); wassignedby[key->position] = ISC_TRUE; resign = ISC_TRUE; } } else if (iszonekey(key)) { - if (!expired && setverifies(name, set, key, &sigrdata)) - { + if (!expired && rrsig.originalttl == set->ttl && + setverifies(name, set, key, &sigrdata)) { vbprintf(2, "\trrsig by %s retained\n", sigstr); keep = ISC_TRUE; wassignedby[key->position] = ISC_TRUE; nowsignedby[key->position] = ISC_TRUE; } else { vbprintf(2, "\trrsig by %s dropped - %s\n", - sigstr, - expired ? "expired" : - "failed to verify"); + sigstr, expired ? "expired" : + rrsig.originalttl != set->ttl ? + "ttl change" : "failed to verify"); wassignedby[key->position] = ISC_TRUE; } } else if (!expired) { diff --git a/bin/named/client.c b/bin/named/client.c index 1f163fb50a0d..b58a660933e7 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.219.18.33 2009-01-19 23:46:14 tbox Exp $ */ +/* $Id: client.c,v 1.219.18.35 2011-05-06 23:45:18 tbox Exp $ */ #include <config.h> 
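Review bot: The new three-way reason expression `expired ? "expired" : rrsig.originalttl != set->ttl ? "ttl change" : "failed to verify"` is an unparenthesised nested conditional, repeated verbatim in both the issigningkey() and iszonekey() branches of signset, alongside the same three-clause retain condition. Computing the reason once before the key-type chain, for example `const char *why = expired ? "expired" : (rrsig.originalttl != set->ttl) ? "ttl change" : "failed to verify";`, would keep the two branches from drifting apart. A one-line comment on the TTL test would also help, stating that a signature whose original TTL no longer matches the set is dropped even though it may still verify; that reading is inferred from the check being placed ahead of setverifies(). signset begins and ends outside the hunk.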
@@ -619,6 +619,7 @@ ns_client_endrequest(ns_client_t *client) { dns_message_puttemprdataset(client->message, &client->opt); } + client->signer = NULL; client->udpsize = 512; client->extflags = 0; client->ednsversion = -1; @@ -1934,6 +1935,7 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) { client->next = NULL; client->shutdown = NULL; client->shutdown_arg = NULL; + client->signer = NULL; dns_name_init(&client->signername, NULL); client->mortal = ISC_FALSE; client->tcpquota = NULL; diff --git a/bin/named/logconf.c b/bin/named/logconf.c index 453a98b4456c..a554eab57e64 100644 --- a/bin/named/logconf.c +++ b/bin/named/logconf.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2001 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,12 +15,13 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: logconf.c,v 1.35.18.5 2006-03-02 00:37:21 marka Exp $ */ +/* $Id: logconf.c,v 1.35.18.8 2011-03-06 01:46:22 marka Exp $ */ /*! \file */ #include <config.h> +#include <isc/file.h> #include <isc/offset.h> #include <isc/result.h> #include <isc/stdio.h> @@ -130,7 +131,7 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) { } type = ISC_LOG_TONULL; - + if (fileobj != NULL) { const cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file"); const cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size"); 
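Review bot: The added `client->signer = NULL;` in ns_client_endrequest carries no comment, and it sits among plain default resets (`udpsize`, `extflags`, `ednsversion`) where it reads as cosmetic. If, as the field name suggests, `signer` records who signed the request, a value surviving into the next request handled by the same client object would be an authorization concern, so a comment such as `/* Drop the previous request's signer so it cannot carry over. */` is worth adding. The same applies to the initialisation added in client_create in the following hunk. Whether `client->signername` is also reset at end of request is not visible here and should be confirmed; both functions continue outside their hunks.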
@@ -140,7 +141,7 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) { isc_offset_t size = 0; type = ISC_LOG_TOFILE; - + if (versionsobj != NULL && cfg_obj_isuint32(versionsobj)) versions = cfg_obj_asuint32(versionsobj); if (versionsobj != NULL && cfg_obj_isstring(versionsobj) && @@ -219,26 +220,38 @@ channel_fromconf(const cfg_obj_t *channel, isc_logconfig_t *lctx) { if (result == ISC_R_SUCCESS && type == ISC_LOG_TOFILE) { FILE *fp; - - /* - * Test that the file can be opened, since isc_log_open() - * can't effectively report failures when called in - * isc_log_doit(). - */ - result = isc_stdio_open(dest.file.name, "a", &fp); - if (result != ISC_R_SUCCESS) - isc_log_write(ns_g_lctx, CFG_LOGCATEGORY_CONFIG, - NS_LOGMODULE_SERVER, ISC_LOG_ERROR, - "logging channel '%s' file '%s': %s", - channelname, dest.file.name, - isc_result_totext(result)); - else - (void)isc_stdio_close(fp); /* - * Allow named to continue by returning success. - */ - result = ISC_R_SUCCESS; + * Test to make sure that file is a plain file. + * Fix defect #22771 + */ + result = isc_file_isplainfile(dest.file.name); + if (result == ISC_R_SUCCESS || + result == ISC_R_FILENOTFOUND) { + /* + * Test that the file can be opened, since + * isc_log_open() can't effectively report + * failures when called in + * isc_log_doit(). + */ + result = isc_stdio_open(dest.file.name, "a", &fp); + if (result != ISC_R_SUCCESS) { + syslog(LOG_ERR, + "isc_stdio_open '%s' failed: %s", + dest.file.name, + isc_result_totext(result)); + fprintf(stderr, + "isc_stdio_open '%s' failed: %s", + dest.file.name, + isc_result_totext(result)); + } else + (void)isc_stdio_close(fp); + } else { + syslog(LOG_ERR, "isc_file_isplainfile '%s' failed: %s", + dest.file.name, isc_result_totext(result)); + fprintf(stderr, "isc_file_isplainfile '%s' failed: %s", + dest.file.name, isc_result_totext(result)); + } } return (result); diff --git a/bin/named/update.c b/bin/named/update.c index da735dd70a2b..e2c78da2c94b 100644 
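Review bot: The new `fprintf(stderr, ...)` calls in channel_fromconf end their format strings without a newline, so each message runs into whatever is written to stderr next; `"isc_stdio_open '%s' failed: %s\n"` and `"isc_file_isplainfile '%s' failed: %s\n"` would fix that. The new messages also drop the `channelname` that the removed `isc_log_write()` call reported, which makes the offending channel harder to find in a large logging block. The plain-file test and the trial open are separate steps on the same path, so the check is advisory for the later real open, and the comment should say so rather than imply a guarantee. No `<syslog.h>` include is visible in this file's include hunk; confirm it is already pulled in. channel_fromconf begins outside the hunk.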
--- a/bin/named/update.c +++ b/bin/named/update.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2009, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: update.c,v 1.109.18.33 2009-07-28 15:57:26 marka Exp $ */ +/* $Id: update.c,v 1.109.18.35 2011-03-12 04:56:41 tbox Exp $ */ #include <config.h> @@ -1549,7 +1549,7 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db, { isc_result_t result; dns_dbiterator_t *dbit = NULL; - isc_boolean_t has_nsec; + isc_boolean_t has_nsec = ISC_FALSE; unsigned int wraps = 0; CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit)); diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index be872bed7de0..7ed556fbe292 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1,8 +1,8 @@ /* - * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004-2006, 2011 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 1999-2003 Internet Software Consortium. * - * Permission to use, copy, modify, and distribute this software for any + * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. * @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.c,v 1.110.18.23 2006-05-16 03:39:57 marka Exp $ */ +/* $Id: zoneconf.c,v 1.110.18.25 2011-03-12 04:56:41 tbox Exp $ */ /*% */ 
@@ -60,7 +60,7 @@ static isc_result_t configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, const cfg_obj_t *config, const char *aclname, - cfg_aclconfctx_t *actx, dns_zone_t *zone, + cfg_aclconfctx_t *actx, dns_zone_t *zone, void (*setzacl)(dns_zone_t *, dns_acl_t *), void (*clearzacl)(dns_zone_t *)) { @@ -264,11 +264,11 @@ strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp, unsigned int n) { isc_result_t result; - + /* Discard leading whitespace. */ while (*s == ' ' || *s == '\t') s++; - + if (*s == '\0') { /* We have reached the end of the string. */ *argcp = n; @@ -582,10 +582,10 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, INSIST(result == ISC_R_SUCCESS); if (cfg_obj_isboolean(obj)) ixfrdiff = cfg_obj_asboolean(obj); - else if (strcasecmp(cfg_obj_asstring(obj), "master") && + else if (!strcasecmp(cfg_obj_asstring(obj), "master") && ztype == dns_zone_master) ixfrdiff = ISC_TRUE; - else if (strcasecmp(cfg_obj_asstring(obj), "slave") && + else if (!strcasecmp(cfg_obj_asstring(obj), "slave") && ztype == dns_zone_slave) ixfrdiff = ISC_TRUE; else @@ -614,7 +614,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, obj = NULL; result = ns_config_get(maps, "check-sibling", &obj); INSIST(result == ISC_R_SUCCESS); - dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING, + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING, cfg_obj_asboolean(obj)); obj = NULL; @@ -633,7 +633,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, "allow-update", ac, zone, dns_zone_setupdateacl, dns_zone_clearupdateacl)); - + updateacl = dns_zone_getupdateacl(zone); if (updateacl != NULL && dns_acl_isinsecure(updateacl)) isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY, 
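Review bot: The corrected tests in ns_zone_configure are written as `!strcasecmp(...)`, which differs by one character from the inverted comparison this hunk fixes and is easy to misread as "not master". Spelling the match out, `else if (strcasecmp(cfg_obj_asstring(obj), "master") == 0 &&` and the same for `"slave"`, makes the intent explicit and a future regression easier to spot in review. A short comment above the chain saying that `ixfrdiff` is enabled only when the configured role string matches `ztype` would document the behaviour the old code got wrong. ns_zone_configure starts and ends outside the hunk.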
@@ -641,7 +641,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, "zone '%s' allows updates by IP " "address, which is insecure", zname); - + RETERR(configure_zone_ssutable(zoptions, zone)); obj = NULL; @@ -689,7 +689,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, obj = NULL; result = ns_config_get(maps, "check-integrity", &obj); INSIST(obj != NULL); - dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY, + dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY, cfg_obj_asboolean(obj)); obj = NULL; @@ -725,7 +725,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, obj = NULL; result = ns_config_get(maps, "update-check-ksk", &obj); INSIST(result == ISC_R_SUCCESS); - dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, + dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, cfg_obj_asboolean(obj)); } @@ -739,7 +739,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, "allow-update", ac, zone, dns_zone_setupdateacl, dns_zone_clearupdateacl)); - + updateacl = dns_zone_getupdateacl(zone); if (updateacl != NULL && dns_acl_isinsecure(updateacl)) isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY, @@ -747,7 +747,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, "zone '%s' allows updates by IP " "address, which is insecure", zname); - + RETERR(configure_zone_ssutable(zoptions, zone)); obj = NULL; |
