Responses erroneously marked "invalid response"?

Havard Eidnes he at uninett.no
Thu Oct 4 22:19:07 UTC 2012


>> So I'm sitting here scratching my head even more confused than
>> usual.  Anyone have any insights?
>
> The SOA has the wrong owner name. Bind followed a referral for
> map.media6degrees.com but the SOA wrongly says the zone apex is
> media6degrees.com.
>
> https://lists.isc.org/pipermail/bind-users/2009-December/078403.html
> http://fanf.livejournal.com/107721.html

Ah!  OK, then let me offer the following patch to reduce
confusion among those who might inadvertently start following my
tracks:

--- lib/dns/resolver.c.orig	2012-08-24 04:40:57.000000000 +0000
+++ lib/dns/resolver.c
@@ -5418,10 +5418,10 @@ noanswer_response(fetchctx_t *fctx, dns_
 {
 	isc_result_t result;
 	dns_message_t *message;
-	dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name;
+	dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name, *save_name;
 	dns_rdataset_t *rdataset, *ns_rdataset;
 	isc_boolean_t aa, negative_response;
-	dns_rdatatype_t type;
+	dns_rdatatype_t type, save_type;
 	dns_section_t section;
 
 	FCTXTRACE("noanswer_response");
@@ -5488,6 +5488,8 @@ noanswer_response(fetchctx_t *fctx, dns_
 	ns_rdataset = NULL;
 	soa_name = NULL;
 	ds_name = NULL;
+	save_name = NULL;
+	save_type = dns_rdatatype_none;
 	result = dns_message_firstname(message, section);
 	while (result == ISC_R_SUCCESS) {
 		name = NULL;
@@ -5580,6 +5582,9 @@ noanswer_response(fetchctx_t *fctx, dns_
 							dns_trust_additional;
 				}
 			}
+		} else {
+			save_name = name;
+			save_type = ISC_LIST_HEAD(name->list)->type;
 		}
 		result = dns_message_nextname(message, section);
 		if (result == ISC_R_NOMORE)
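Review bot: `ISC_LIST_HEAD(name->list)->type` in the added else branch dereferences the head of the name's rdataset list without checking that the list is non-empty, and `name` is taken from a message sent by a remote server. If the message parser guarantees that every section name carries at least one rdataset, a short comment saying so would help; otherwise guard the branch with `} else if (!ISC_LIST_EMPTY(name->list)) {`. Only the last name that reaches this branch survives the loop, so the later log line reports a single offender even when several are present; a comment such as `/* remember the last non-matching name for the FORMERR log message */` would make that explicit. The `if` this else belongs to starts outside the hunk, so its condition is inferred here rather than visible.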
@@ -5721,7 +5726,35 @@ noanswer_response(fetchctx_t *fctx, dns_
 			/*
 			 * The responder is insane.
 			 */
-			log_formerr(fctx, "invalid response");
+			if (save_name == NULL) {
+				log_formerr(fctx, "invalid response");
+				return (DNS_R_FORMERR);
+			}
+			if (!dns_name_issubdomain(save_name, &fctx->domain)) {
+				char nbuf[DNS_NAME_FORMATSIZE];
+				char dbuf[DNS_NAME_FORMATSIZE];
+				char tbuf[DNS_RDATATYPE_FORMATSIZE];
+				const char *s;
+
+				dns_rdatatype_format(save_type,
+					tbuf, sizeof(tbuf));
+				dns_name_format(save_name, nbuf,
+					sizeof(nbuf));
+				dns_name_format(&fctx->domain, dbuf,
+					sizeof(dbuf));
+
+				if (section == DNS_SECTION_ANSWER)
+					s = "answer";
+				else
+					s = "authority";
+
+				log_formerr(fctx, "Name %s (%s) in %s section"
+						" not subdomain of"
+						" known-to-be zone %s --"
+						" invalid response",
+						nbuf, tbuf, s, dbuf);
+			} else
+				log_formerr(fctx, "invalid response");
 			return (DNS_R_FORMERR);
 		}
 	}
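Review bot: The `!dns_name_issubdomain(save_name, &fctx->domain)` test looks redundant, because `save_name` is only assigned in the else branch added in the earlier hunk, which (judging by this check) is the branch taken when the name is not under `fctx->domain`. Unless `fctx->domain` changes between the loop and this point, the trailing `else log_formerr(fctx, "invalid response");` is unreachable. Collapsing the logic to `if (save_name != NULL) { … format and log … } else log_formerr(fctx, "invalid response");` followed by the single `return (DNS_R_FORMERR);` would also remove the duplicated early return. The name and type written to the log originate from the remote response, so the message relies on `dns_name_format` and `dns_rdatatype_format` producing escaped, size-bounded text; a one-line comment noting that would help future readers. The enclosing function begins outside the hunk.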

- Havard


