return result;
}
-bool SyncRes::doOOBResolve(const AuthDomain& domain, const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, int& res) const
+bool SyncRes::doOOBResolve(const AuthDomain& domain, const DNSName &qname, const QType &qtype, vector<DNSRecord>&ret, int& res)
{
+ d_authzonequeries++;
+
res = domain.getRecords(qname, qtype.getCode(), ret);
return true;
}
if(t_RC->get(d_now.tv_sec, qname, QType(QType::CNAME), d_requireAuthData, &cset, d_incomingECSFound ? d_incomingECSNetwork : d_requestor, d_doDNSSEC ? &signatures : nullptr, d_doDNSSEC ? &authorityRecs : nullptr, &d_wasVariable, &state, &wasAuth) > 0) {
for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) {
+ if (j->d_class != QClass::IN) {
+ continue;
+ }
+
if(j->d_ttl>(unsigned int) d_now.tv_sec) {
if (!wasAuthZone && shouldValidate() && wasAuth && state == Indeterminate && d_requireAuthData) {
}
for(auto j=cset.cbegin() ; j != cset.cend() ; ++j) {
+
LOG(j->d_content->getZoneRepresentation());
+
+ if (j->d_class != QClass::IN) {
+ continue;
+ }
+
if(j->d_ttl>(unsigned int) d_now.tv_sec) {
DNSRecord dr=*j;
ttl = (dr.d_ttl-=d_now.tv_sec);
return Bogus;
}
-RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof)
+RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount)
{
tcache_t tcache;
const unsigned int labelCount = qname.countLabels();
bool isCNAMEAnswer = false;
for(const auto& rec : lwr.d_records) {
+ if (rec.d_class != QClass::IN) {
+ continue;
+ }
+
if(!isCNAMEAnswer && rec.d_place == DNSResourceRecord::ANSWER && rec.d_type == QType::CNAME && (!(qtype==QType(QType::CNAME))) && rec.d_name == qname) {
isCNAMEAnswer = true;
}
if (rec.d_name == qname && rrsig->d_labels < labelCount) {
LOG(prefix<<qname<<": RRSIG indicates the name was synthetized from a wildcard, we need a wildcard proof"<<endl);
needWildcardProof = true;
+ wildcardLabelsCount = rrsig->d_labels;
}
// cerr<<"Got an RRSIG for "<<DNSRecordContent::NumberToType(rrsig->d_type)<<" with name '"<<rec.d_name<<"'"<<endl;
}
LOG(prefix<<qname<<": accept answer '"<<rec.d_name<<"|"<<DNSRecordContent::NumberToType(rec.d_type)<<"|"<<rec.d_content->getZoneRepresentation()<<"' from '"<<auth<<"' nameservers? ttl="<<rec.d_ttl<<", place="<<(int)rec.d_place<<" ");
if(rec.d_type == QType::ANY) {
- LOG("NO! - we don't accept 'ANY' data"<<endl);
+ LOG("NO! - we don't accept 'ANY'-typed data"<<endl);
+ continue;
+ }
+
+ if(rec.d_class != QClass::IN) {
+ LOG("NO! - we don't accept records for any other class than 'IN'"<<endl);
continue;
}
set the TC bit solely because these RRSIG RRs didn't fit."
*/
bool isAA = lwr.d_aabit && i->first.place != DNSResourceRecord::ADDITIONAL;
- if (isAA && isCNAMEAnswer && (i->first.place != DNSResourceRecord::ANSWER || i->first.type != QType::CNAME)) {
+ if (isAA && isCNAMEAnswer && (i->first.place != DNSResourceRecord::ANSWER || i->first.type != QType::CNAME || i->first.name != qname)) {
/*
rfc2181 states:
Note that the answer section of an authoritative answer normally
}
}
else {
+ recordState = Indeterminate;
+
/* in a non authoritative answer, we only care about the DS record (or lack of) */
if ((i->first.type == QType::DS || i->first.type == QType::NSEC || i->first.type == QType::NSEC3) && i->first.place == DNSResourceRecord::AUTHORITY) {
LOG(d_prefix<<"Validating DS record for "<<i->first.name<<endl);
}
}
- if (initialState == Secure && state != recordState) {
+ if (initialState == Secure && state != recordState && isAA) {
updateValidationState(state, recordState);
}
}
return getDenial(csp, ne.d_name, ne.d_qtype.getCode(), referralToUnsigned, expectedState == NXQTYPE);
}
-bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, bool needWildcardProof)
+bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount)
{
bool done = false;
harvestNXRecords(lwr.d_records, ne, d_now.tv_sec, &lowestTTL);
cspmap_t csp = harvestCSPFromNE(ne);
- dState res = getDenial(csp, qname, ne.d_qtype.getCode(), false, false, false);
+ dState res = getDenial(csp, qname, ne.d_qtype.getCode(), false, false, false, wildcardLabelsCount);
if (res != NXDOMAIN) {
vState st = Bogus;
if (res == INSECURE) {
}
bool needWildcardProof = false;
- *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof);
+ unsigned int wildcardLabelsCount;
+ *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, wildcardLabelsCount);
if (*rcode != RCode::NoError) {
return true;
}
DNSName newauth;
DNSName newtarget;
- bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof);
+ bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, wildcardLabelsCount);
if(done){
LOG(prefix<<qname<<": status=got results, this level of recursion done"<<endl);