- Fix expired zones to give SERVFAIL, also when parent zone loaded.

git-svn-id: file:///svn/nsd/trunk@4189 a26ef69c-88ff-0310-839f-98b793d9c207

Author: wcawijngaards

axfr.c

@@ -51,11 +51,12 @@ query_axfr(struct nsd *nsd, struct query *query)
 				      &closest_encloser);
 
 		qdomain = closest_encloser;
-		query->axfr_zone = domain_find_zone(closest_encloser);
+		query->axfr_zone = domain_find_zone(nsd->db, closest_encloser);
 
 		if (!exact
 		    || query->axfr_zone == NULL
-		    || query->axfr_zone->apex != qdomain)
+		    || query->axfr_zone->apex != qdomain
+		    || query->axfr_zone->soa_rrset == NULL)
 		{
 			/* No SOA no transfer */
 			RCODE_SET(query->packet, RCODE_NOTAUTH);

difffile.c

@@ -1185,7 +1185,7 @@ check_for_bad_serial(namedb_type* db, const char* zone_str, uint32_t old_serial)
 	zone_type* zone = 0;
 	domain = domain_table_find(db->domains, zone_name);
 	if(domain)
-		zone = domain_find_zone(domain);
+		zone = domain_find_zone(db, domain);
 	if(zone && zone->apex == domain && zone->soa_rrset && old_serial)
 	{
 		uint32_t memserial;

doc/ChangeLog

@@ -1,3 +1,6 @@
+30 January 2014: Wouter
+	- Fix expired zones to give SERVFAIL, also when parent zone loaded.
+
 27 January 2014: Wouter
 	- tag 4.0.1.
 	- trunk is 4.0.2 in development.

namedb.c

@@ -508,14 +508,17 @@ domain_find_any_rrset(domain_type* domain, zone_type* zone)
 }
 
 zone_type *
-domain_find_zone(domain_type* domain)
+domain_find_zone(namedb_type* db, domain_type* domain)
 {
 	rrset_type* rrset;
 	while (domain) {
-		for (rrset = domain->rrsets; rrset; rrset = rrset->next) {
-			if (rrset_rrtype(rrset) == TYPE_SOA) {
-				return rrset->zone;
+		if(domain->is_apex) {
+			for (rrset = domain->rrsets; rrset; rrset = rrset->next) {
+				if (rrset_rrtype(rrset) == TYPE_SOA) {
+					return rrset->zone;
+				}
 			}
+			return namedb_find_zone(db, domain_dname(domain));
 		}
 		domain = domain->parent;
 	}

namedb.h

@@ -32,6 +32,7 @@ typedef struct rr rr_type;
 typedef struct domain_table domain_table_type;
 typedef struct domain domain_type;
 typedef struct zone zone_type;
+typedef struct namedb namedb_type;
 
 struct domain_table
 {
@@ -236,7 +237,7 @@ void domain_add_rrset(domain_type* domain, rrset_type* rrset);
 rrset_type* domain_find_rrset(domain_type* domain, zone_type* zone, uint16_t type);
 rrset_type* domain_find_any_rrset(domain_type* domain, zone_type* zone);
 
-zone_type* domain_find_zone(domain_type* domain);
+zone_type* domain_find_zone(namedb_type* db, domain_type* domain);
 zone_type* domain_find_parent_zone(zone_type* zone);
 
 domain_type* domain_find_ns_rrsets(domain_type* domain, zone_type* zone, rrset_type **ns);
@@ -281,7 +282,6 @@ static inline const char* domain_to_string(domain_type* domain)
  */
 uint16_t rr_rrsig_type_covered(rr_type* rr);
 
-typedef struct namedb namedb_type;
 struct namedb
 {
 	region_type*       region;

query.c

@@ -1137,12 +1137,19 @@ answer_lookup_zone(struct nsd *nsd, struct query *q, answer_type *answer,
 	size_t domain_number, int exact, domain_type *closest_match,
 	domain_type *closest_encloser, const dname_type *qname)
 {
-	q->zone = domain_find_zone(closest_encloser);
+	q->zone = domain_find_zone(nsd->db, closest_encloser);
 	if (!q->zone) {
+		/* no zone for this */
 		if(q->cname_count == 0)
 			RCODE_SET(q->packet, RCODE_REFUSE);
 		return;
 	}
+	if(!q->zone->apex || !q->zone->soa_rrset) {
+		/* zone is configured but not loaded */
+		if(q->cname_count == 0)
+			RCODE_SET(q->packet, RCODE_SERVFAIL);
+		return;
+	}
 
 	/*
 	 * See RFC 4035 (DNSSEC protocol) section 3.1.4.1 Responding