Index: ns_resp.c =================================================================== RCS file: /home/ncvs/src/contrib/bind/bin/named/ns_resp.c,v retrieving revision 1.1.1.1.2.3 diff -c -r1.1.1.1.2.3 ns_resp.c *** ns_resp.c 30 Jan 2001 11:54:14 -0000 1.1.1.1.2.3 --- ns_resp.c 26 Sep 2003 03:12:09 -0000 *************** *** 306,311 **** --- 306,317 ---- u_char sig[TSIG_SIG_SIZE]; time_t tsig_time; DST_KEY *key; + #define FK_VERI + #undef FK_VERI_DEBUG + #define FK_VERI_LOG + #ifdef FK_VERI + int veri_sign_check = 0; /* -1 bad answer, 0 ok, 1 check answer */ + #endif nameserIncr(from.sin_addr, nssRcvdR); nsp[0] = NULL; *************** *** 913,918 **** --- 919,939 ---- } else flushset = NULL; + #ifdef FK_VERI + veri_sign_check = + (ns_samename(qp->q_domain, qname) != 1) && ( + (ns_samename(qp->q_domain, "net") == 1) || + (ns_samename(qp->q_domain, "com") == 1)); + #ifdef FK_VERI_DEBUG + if (veri_sign_check) + ns_notice(ns_log_default, "resp: VERI %s %s %s", + p_type(qtype), qname, qp->q_domain); + if (debug > 0) + res_pquery(&res, msg, msglen, + log_get_stream(packet_channel)); + #endif + #endif + for (i = 0; i < count; i++) { struct databuf *dp; int type; *************** *** 968,974 **** validanswer = 1; lastwascname = 0; } ! if (tname != NULL) { add_related_additional(tname); tname = NULL; --- 989,1005 ---- validanswer = 1; lastwascname = 0; } ! #ifdef FK_VERI ! if (veri_sign_check > 0 ! && (qtype == T_NS || qtype == T_ANY) ! && type == T_NS && ns_subdomain(name, qp->q_domain)) { ! veri_sign_check = 0; ! #ifdef FK_VERI_DEBUG ! ns_notice(ns_log_default, ! "resp: VERI off NS %s", name); ! #endif ! } ! 
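Review bot: The feature switches in the first hunk (`#define FK_VERI`, `#undef FK_VERI_DEBUG`, `#define FK_VERI_LOG`) sit unconditionally among the function's local declarations, so the response filter cannot be disabled from the build line and the macros stay defined for the rest of the file. Since the filter changes what the resolver returns to clients, the switches belong at the top of ns_resp.c behind a guard the build or configuration controls. The tri-state of `veri_sign_check` is explained only by the trailing comment; named constants such as `enum { VERI_BAD = -1, VERI_OK = 0, VERI_CHECK = 1 };` would make the later `> 0` and `< 0` tests self-explanatory. The enclosing function starts and ends outside the hunk.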
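Review bot: The expression that arms `veri_sign_check` in the second hunk has no comment, and the affected zones exist only as the string literals "net" and "com" inside the condition. A line such as `/* Check only responses where q_domain is exactly com or net and qname is not that name itself. */` would record the intent, and a small table of zone names would keep the policy in one place. In the FK_VERI_DEBUG block the two `if` statements are unbraced, and as far as the flattened text shows `if (debug > 0) res_pquery(...)` does not depend on `veri_sign_check`, so with that macro enabled every response would be dumped when debugging is on. Bracing both would make the intended scope explicit.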
#endif if (tname != NULL) { add_related_additional(tname); tname = NULL; *************** *** 985,990 **** --- 1016,1034 ---- db_freedata(dp); break; } + #ifdef FK_VERI + if (veri_sign_check > 0 && i == ancount && aucount == 0) { + db_freedata(dp); + validanswer = 0; + veri_sign_check = -1; + #ifdef FK_VERI_LOG + ns_notice(ns_log_default, + "VERI %s %s not valid no AUTH", + p_type(qtype), qname); + #endif + break; + } + #endif if (i < arfirst) { /* Authority section. */ switch (type) { *************** *** 1011,1016 **** --- 1055,1084 ---- db_freedata(dp); continue; } + #ifdef FK_VERI + if (veri_sign_check > 0 + && ns_samename(name,qp->q_domain) == 1) { + db_freedata(dp); + validanswer = 0; + veri_sign_check = -1; + #ifdef FK_VERI_LOG + ns_notice(ns_log_default, + "VERI %s %s not valid same %s %s", + p_type(qtype), qname, + p_type(type), name); + #endif + continue; + } + if (veri_sign_check > 0 + && ns_subdomain(name,qp->q_domain) == 1) { + veri_sign_check = 0; + #ifdef FK_VERI_DEBUG + ns_notice(ns_log_default, + "resp: VERI off sub NS/SOA %s", + name); + #endif + } + #endif if (type == T_NS) { nscount++; add_related_additional(tname); *************** *** 1093,1098 **** --- 1161,1185 ---- } free_related_additional(); freestr_maybe(&tname); + #ifdef FK_VERI + if (veri_sign_check > 0 && aucount == 0) { + validanswer = 0; + veri_sign_check = -1; + #ifdef FK_VERI_LOG + ns_notice(ns_log_default, + "VERI %s %s not valid no AUTH", + p_type(qtype), qname); + #endif + } + if (veri_sign_check < 0 && !validanswer) { + if (flushset != NULL) { + free_flushset(flushset, flushset_size); + flushset = NULL; + } + hp->rcode = NXDOMAIN; + goto return_msg; + } + #endif if (flushset != NULL) { if ((qp->q_flags & Q_SYSTEM) && (qp->q_flags & Q_PRIMING)) { check_hints(flushset); /* before rrsetupdate */
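Review bot: The answer-section test that disarms the check (hunk at new lines 989-1005) compares the record owner `name` only with `qp->q_domain` and never with `qname`, so any NS record in the answer whose owner lies below the zone turns the filter off for the whole response. If code outside this hunk does not already require answer owners to match the query name, adding `&& ns_samename(name, qname) == 1` would tie the exemption to the name that was actually asked for. The call is also written as a bare truth test here, while the authority-section hunk writes `ns_subdomain(name,qp->q_domain) == 1`; one form should be used in both places. The surrounding loop begins and ends outside the hunk.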
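Review bot: Each rejected response in the hunk at new lines 1016-1034 writes an `ns_notice` line containing `qname`, which is taken from the query, and nothing visible limits how often that happens; the FK_VERI_LOG calls in the next two hunks have the same property. Repeated lookups for non-existent names under com or net would therefore produce log lines at query rate, which can crowd out other notices or fill the log volume. Counting rejections and reporting them periodically, or logging at a lower severity, would keep the signal without that exposure. The same "not valid no AUTH" text is also emitted after the loop in the last hunk, so the two sites cannot be told apart in the log.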
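Review bot: After marking the response bad, the authority-section branch (hunk at new lines 1055-1084) uses `continue`, so the remaining records are still processed with `veri_sign_check == -1`, and the final gate in the last hunk fires only for `veri_sign_check < 0 && !validanswer`. Every place that sets the flag to -1 also clears `validanswer`, so the second condition is either redundant or lets a later iteration that sets `validanswer` back to 1 (not visible in these hunks) cancel the rejection silently. Testing `if (veri_sign_check < 0) {` alone at the gate would make the verdict final. A `break` is probably not usable here because the branch appears to sit inside the `switch (type)` opened in the previous hunk, whose case labels are outside the hunk.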
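Review bot: In the last hunk only `hp->rcode` is changed before `goto return_msg`, so unless the code at that label rebuilds the packet (it is outside the hunk) the client receives NXDOMAIN in the header together with the original answer section and section counts. A consistent negative reply would also clear the counts, for example `hp->ancount = hp->nscount = hp->arcount = htons(0);`, and shorten the message length to the end of the question section. As far as the hunk shows, nothing is cached on this path either, so every repeat of the same query is sent upstream again. A comment should state whether that is intended.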