Report information

The Basics
Id: 46440
Status: open
Priority: Low/Low
Queue:

People
Owner: Nobody in particular
Cc:
AdminCc:

BugTracker
Version Fixed: (no value)
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P2 Normal
Severity: S2 Normal
CVSS Score: (no value)
CVE ID: (no value)
Component: (no value)
Area: test

Dates
Created: Mon, 30 Oct 2017 20:28:45 -0400
Updated: Mon, 30 Oct 2017 21:53:32 -0400
Closed: Not set




Subject: CD set incorrectly
Francis pointed out in RT #34313 and #32406 that the code for setting the CD bit in resolver.c doesn't match the comment, or the intention. Currently it always sets CD=1 on queries to forwarders. By default, it should start with CD=0 and retry with CD=1 if it gets a SERVFAIL. We should probably add another fetch option to make it *always* use CD=1, and continue to use NOCDFLAG when we want it only to use CD=0 and then give up. Possibly these options should be configurable in a "server" statement.
From: marka@isc.org
Date: Mon, 30 Oct 2017 14:28:45 -1000
Subject: check that named can validate through a forwarder which has a bad trust anchor
To: bind9-public@isc.org
Named should be able to validate through a forwarder that has a bad trust anchor. This is a scenario likely to happen when the old TA for the root zone is removed. The forwarder should be returning SERVFAIL to CD=0 queries. We should retry with CD=1 queries.
This (more or less) duplicates 35384. I've merged that one into this.
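
The CD retry behaviour requested in this ticket, as an added example that is not part of the ticket and is not code from resolver.c. The forwarder model is constructed, and the policy names are hypothetical (only NOCDFLAG is named in the ticket).

```c
#include <stdbool.h>
#include <stdio.h>

/* Policy names are hypothetical; the ticket only names NOCDFLAG. */
enum cd_policy {
    CD_RETRY_ON_SERVFAIL, /* requested default: CD=0 first, CD=1 after SERVFAIL */
    CD_ALWAYS,            /* proposed option; what the ticket says happens today */
    CD_NEVER              /* NOCDFLAG: CD=0 only, then give up */
};

enum rcode { RCODE_NOERROR = 0, RCODE_SERVFAIL = 2 };

/* Constructed forwarder model: with a bad trust anchor its own validation
 * fails, so it answers SERVFAIL unless the query sets CD=1. */
struct forwarder { bool bad_trust_anchor; };

static enum rcode forwarder_query(const struct forwarder *f, bool cd) {
    return (f->bad_trust_anchor && !cd) ? RCODE_SERVFAIL : RCODE_NOERROR;
}

struct fetch_result {
    enum rcode rcode; /* final response code seen by the resolver */
    int queries;      /* queries sent to the forwarder */
    bool last_cd;     /* CD bit on the last query sent */
};

struct fetch_result fetch_via_forwarder(const struct forwarder *f,
                                        enum cd_policy policy) {
    struct fetch_result r;
    r.last_cd = (policy == CD_ALWAYS);
    r.rcode = forwarder_query(f, r.last_cd);
    r.queries = 1;
    /* Retry once with CD=1 only if CD=0 failed and the policy allows it. */
    if (r.rcode == RCODE_SERVFAIL && !r.last_cd &&
        policy == CD_RETRY_ON_SERVFAIL) {
        r.last_cd = true;
        r.rcode = forwarder_query(f, r.last_cd);
        r.queries++;
    }
    return r;
}

int main(void) {
    struct forwarder bad = { true }; /* constructed: stale root trust anchor */
    for (int p = CD_RETRY_ON_SERVFAIL; p <= CD_NEVER; p++) {
        struct fetch_result r = fetch_via_forwarder(&bad, (enum cd_policy)p);
        printf("policy=%d rcode=%d queries=%d cd=%d\n",
               p, r.rcode, r.queries, r.last_cd);
    }
    return 0;
}
```

An answer obtained with CD=1 has not been validated by the forwarder, so it is only trustworthy after the resolver validates it against its own trust anchors.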