Index: ns_resp.c
===================================================================
RCS file: /home/ncvs/src/contrib/bind/bin/named/ns_resp.c,v
retrieving revision 1.1.1.2.2.10
diff -c -r1.1.1.2.2.10 ns_resp.c
*** ns_resp.c 25 Aug 2003 21:07:49 -0000 1.1.1.2.2.10
--- ns_resp.c 26 Sep 2003 03:02:00 -0000
***************
*** 298,303 ****
--- 298,309 ----
DST_KEY *key;
int expect_cname;
int pass = 0;
+ #define FK_VERI
+ #undef FK_VERI_DEBUG
+ #define FK_VERI_LOG
+ #ifdef FK_VERI
+ int veri_sign_check = 0; /* -1 bad answer, 0 ok, 1 check answer */
+ #endif
nameserIncr(from.sin_addr, nssRcvdR);
nsp[0] = NULL;
***************
*** 923,928 ****
--- 929,949 ----
} else flushset = NULL;
+ #ifdef FK_VERI
+ veri_sign_check =
+ (ns_samename(qp->q_domain, qname) != 1) && (
+ (ns_samename(qp->q_domain, "net") == 1) ||
+ (ns_samename(qp->q_domain, "com") == 1));
+ #ifdef FK_VERI_DEBUG
+ if (veri_sign_check)
+ ns_notice(ns_log_default, "resp: VERI %s %s %s",
+ p_type(qtype), qname, qp->q_domain);
+ if (debug > 0)
+ res_pquery(&res, msg, msglen,
+ log_get_stream(packet_channel));
+ #endif
+ #endif
+
expect_cname = 1;
for (i = 0; i < count; i++) {
struct databuf *dp;
***************
*** 994,1000 ****
validanswer = 1;
lastwascname = 0;
}
!
if (tname != NULL) {
add_related_additional(tname);
tname = NULL;
--- 1015,1031 ----
validanswer = 1;
lastwascname = 0;
}
! #ifdef FK_VERI
! if (veri_sign_check > 0
! && (qtype == T_NS || qtype == T_ANY)
! && type == T_NS && ns_subdomain(name, qp->q_domain)) {
! veri_sign_check = 0;
! #ifdef FK_VERI_DEBUG
! ns_notice(ns_log_default,
! "resp: VERI off NS %s", name);
! #endif
! }
! 
#endif
if (tname != NULL) {
add_related_additional(tname);
tname = NULL;
***************
*** 1016,1021 ****
--- 1047,1065 ----
validanswer = 0;
break;
}
+ #ifdef FK_VERI
+ if (veri_sign_check > 0 && i == ancount && aucount == 0) {
+ db_detach(&dp);
+ validanswer = 0;
+ veri_sign_check = -1;
+ #ifdef FK_VERI_LOG
+ ns_notice(ns_log_default,
+ "VERI %s %s not valid no AUTH",
+ p_type(qtype), qname);
+ #endif
+ break;
+ }
+ #endif
if (i < arfirst) {
/* Authority section. */
switch (type) {
***************
*** 1044,1049 ****
--- 1088,1117 ----
validanswer = 0;
continue;
}
+ #ifdef FK_VERI
+ if (veri_sign_check > 0
+ && ns_samename(name,qp->q_domain) == 1) {
+ db_detach(&dp);
+ validanswer = 0;
+ veri_sign_check = -1;
+ #ifdef FK_VERI_LOG
+ ns_notice(ns_log_default,
+ "VERI %s %s not valid same %s %s",
+ p_type(qtype), qname,
+ p_type(type), name);
+ #endif
+ continue;
+ }
+ if (veri_sign_check > 0
+ && ns_subdomain(name,qp->q_domain) == 1) {
+ veri_sign_check = 0;
+ #ifdef FK_VERI_DEBUG
+ ns_notice(ns_log_default,
+ "resp: VERI off sub NS/SOA %s",
+ name);
+ #endif
+ }
+ #endif
if (type == T_NS) {
nscount++;
add_related_additional(tname);
***************
*** 1147,1152 ****
--- 1215,1239 ----
}
free_related_additional();
freestr_maybe(&tname);
+ #ifdef FK_VERI
+ if (veri_sign_check > 0 && aucount == 0) {
+ validanswer = 0;
+ veri_sign_check = -1;
+ #ifdef FK_VERI_LOG
+ ns_notice(ns_log_default,
+ "VERI %s %s not valid no AUTH",
+ p_type(qtype), qname);
+ #endif
+ }
+ if (veri_sign_check < 0 && !validanswer) {
+ if (flushset != NULL) {
+ free_flushset(flushset, flushset_size);
+ flushset = NULL;
+ }
+ hp->rcode = NXDOMAIN;
+ goto return_msg;
+ }
+ #endif
if (flushset != NULL) {
if ((qp->q_flags & Q_SYSTEM) && (qp->q_flags & Q_PRIMING)) {
check_hints(flushset); /* before rrsetupdate */
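Review bot: The block at new lines 1015-1031 that resets `veri_sign_check` for NS/ANY queries has no comment saying why an NS record in the answer ends the check, and it tests `ns_subdomain(name, qp->q_domain)` as a bare truth value while the authority-section hunk further down compares the same call with `== 1`. I would add `/* NS RRset owned below the queried zone: treat as a real delegation and stop checking */` above the `if` (the intent is inferred from the debug message, so the author should confirm the wording) and use one comparison style in both places. The enclosing loop body starts and ends outside the hunk.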
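Review bot: The test `i == ancount && aucount == 0` at new lines 1047-1065 treats a missing authority section as proof of a bad answer, so any reply from a com or net server that legitimately omits authority records is discarded and, through the last hunk, turned into NXDOMAIN for the client. The same `aucount == 0` test after the loop in the last hunk also fires when `ancount` is 0, which looks unintended; `if (veri_sign_check > 0 && ancount > 0 && aucount == 0) {` would limit it to replies that actually carry an answer. Whether `dp` is always attached at this point cannot be seen from the hunk, so the added `db_detach(&dp)` should be checked against the code above it.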
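Review bot: With `FK_VERI_LOG` defined unconditionally in the first hunk, every reply rejected at new lines 1088-1117 writes an `ns_notice` line containing `qname`, which the querying client chooses, so a run of lookups for nonexistent com/net names becomes a run of notice-level log entries. The same applies to the `ns_notice` calls in the hunk above and in the last hunk. I would send these through the debug path, e.g. `ns_debug(ns_log_default, 1, "VERI %s %s not valid same %s %s", p_type(qtype), qname, p_type(type), name);`, or rate-limit them. The surrounding `switch` starts and ends outside the hunk.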
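Review bot: Only `hp->rcode` is rewritten before `goto return_msg` at new lines 1215-1239, so unless the code at that label strips them, the message passed on to the client still carries the rejected answer records next to an NXDOMAIN rcode. A client or downstream cache that reads the answer section without checking the rcode would then still see the data this patch is meant to suppress. I would add `/* msg still holds the rejected RRs; return_msg must not forward them */` above the assignment and either confirm that at the label or reset the section counts and trim `msglen` to the end of the question here. The label and the rest of the function are outside the hunk.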