rec: Refuse DS records received from child zones
authorRemi Gacogne <remi.gacogne@powerdns.com>
Tue, 2 Jun 2020 15:19:42 +0000 (17:19 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Tue, 7 Jul 2020 09:02:34 +0000 (11:02 +0200)
pdns/syncres.cc

index 352229058d3c4aac1b6bc7aaff4375353510fb73..de96b98eb664536665972a1ef5e9cf2f5571f7db 100644 (file)
@@ -2661,10 +2661,13 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
     }
 
     if(rec.d_name.isPartOf(auth)) {
-      if(rec.d_type == QType::RRSIG) {
+      if (rec.d_type == QType::RRSIG) {
         LOG("RRSIG - separate"<<endl);
       }
-      else if(lwr.d_aabit && lwr.d_rcode==RCode::NoError && rec.d_place==DNSResourceRecord::ANSWER && ((rec.d_type != QType::DNSKEY && rec.d_type != QType::DS) || rec.d_name != auth) && s_delegationOnly.count(auth)) {
+      else if (rec.d_type == QType::DS && rec.d_name == auth) {
+        LOG("NO - DS provided by child zone"<<endl);
+      }
+      else if (lwr.d_aabit && lwr.d_rcode==RCode::NoError && rec.d_place==DNSResourceRecord::ANSWER && ((rec.d_type != QType::DNSKEY && rec.d_type != QType::DS) || rec.d_name != auth) && s_delegationOnly.count(auth)) {
         LOG("NO! Is from delegation-only zone"<<endl);
         s_nodelegated++;
         return RCode::NXDomain;
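Review bot: With the new `rec.d_type == QType::DS && rec.d_name == auth` branch placed first, the `rec.d_type != QType::DS` term in the delegation-only condition can no longer be reached by an apex DS. That condition now reduces to `(rec.d_type != QType::DNSKEY || rec.d_name != auth)`, and keeping the old form suggests an apex DS can still arrive there. The new branch would also benefit from a short why-comment, since the log string does not explain the refusal, for example `// DS belongs to the parent side of the zone cut; a DS for the apex of auth came from the child, so do not accept it` (wording to be confirmed by the author). The branch only logs, so whether the record is actually kept out of the cache depends on the rest of the if/else chain. That chain, like the rest of updateCacheFromRecords, starts before and continues after this hunk.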