ALIAS: Ensure A and AAAA are in the NSEC bitmap 10155/head
authorPieter Lexis <pieter.lexis@powerdns.com>
Tue, 9 Mar 2021 15:46:30 +0000 (16:46 +0100)
committerPieter Lexis <pieter.lexis@powerdns.com>
Sun, 14 Mar 2021 12:21:45 +0000 (13:21 +0100)
This ensures that NODATA responses for names with an ALIAS record don't cause
resolvers that use aggressive NSEC caching (RFC 8198) to synthesize negative answers for A/AAAA.

Closes #6667

pdns/packethandler.cc
regression-tests/tests/alias-address/command
regression-tests/tests/alias-address/expected_result
regression-tests/tests/alias-address/expected_result.dnssec [new file with mode: 0644]
regression-tests/tests/alias-address/skip.narrow [new file with mode: 0644]
regression-tests/tests/alias-address/skip.nsec3 [new file with mode: 0644]
regression-tests/tests/alias-address/skip.optout [new file with mode: 0644]

index 773b90a84fdd5e075ee39ffde601d6904894e071..7fa38a6335f14ad9c5b2445af1313e779d801aab 100644 (file)
@@ -589,8 +589,17 @@ void PacketHandler::emitNSEC(std::unique_ptr<DNSPacket>& r, const DNSName& name,
       nrc.set(getRR<LUARecordContent>(rr.dr)->d_type);
     else
 #endif
-      if(rr.dr.d_type == QType::NS || rr.auth)
+    if(rr.dr.d_type == QType::ALIAS) {
+      // Set the A and AAAA in the NSEC bitmap so aggressive NSEC
+      // does not falsely deny the type for this name.
+      // This does NOT add the ALIAS to the bitmap, as that record cannot
+      // be requested.
+      nrc.set(QType::A);
+      nrc.set(QType::AAAA);
+    }
+    else if(rr.dr.d_type == QType::NS || rr.auth) {
       nrc.set(rr.dr.d_type);
+    }
   }
 
   rr.dr.d_name = name;
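Review bot: The new ALIAS branch at `nrc.set(QType::A); nrc.set(QType::AAAA);` advertises both address types unconditionally, so if the ALIAS target yields only one of them, or ALIAS expansion is disabled at runtime (neither is visible in this hunk), a NODATA answer for the missing type will be accompanied by an NSEC whose bitmap asserts that type exists, which a validating resolver may treat as inconsistent. That trade-off looks deliberate given the commit message, but the comment should state it; I would extend it with `// Both types are set even if the target lacks one: a NODATA/NSEC mismatch for that type is preferred over aggressive-NSEC caches synthesizing NODATA for both.` Unlike the `else if` branch, the ALIAS branch also does not consult `rr.auth`, so if a non-authoritative ALIAS row can reach this loop it now contributes A/AAAA to the bitmap; a one-line justification or an `&& rr.auth` guard would make the intent explicit. emitNSEC's body starts and ends outside the hunk.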
@@ -644,8 +653,18 @@ void PacketHandler::emitNSEC3(std::unique_ptr<DNSPacket>& r, const NSEC3PARAMRec
         n3rc.set(getRR<LUARecordContent>(rr.dr)->d_type);
       else
 #endif
-        if(rr.dr.d_type && (rr.dr.d_type == QType::NS || rr.auth)) // skip empty non-terminals
-        n3rc.set(rr.dr.d_type);
+      if(rr.dr.d_type == QType::ALIAS) {
+        // Set the A and AAAA in the NSEC3 bitmap so aggressive NSEC
+        // does not falsely deny the type for this name.
+        // This does NOT add the ALIAS to the bitmap, as that record cannot
+        // be requested.
+        n3rc.set(QType::A);
+        n3rc.set(QType::AAAA);
+      }
+      else if(rr.dr.d_type && (rr.dr.d_type == QType::NS || rr.auth)) {
+          // skip empty non-terminals
+          n3rc.set(rr.dr.d_type);
+      }
     }
   }
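Review bot: The comment on the NSEC3 branch still reads `// Set the A and AAAA in the NSEC3 bitmap so aggressive NSEC`, and the whole ALIAS block is a verbatim copy of the one in emitNSEC; wording it as "aggressive NSEC/NSEC3 use (RFC 8198)" and pulling the type selection into one shared helper that both bitmap builders call would keep the two from drifting apart. The `else if` body at `// skip empty non-terminals` / `n3rc.set(rr.dr.d_type);` is indented four columns deeper than the surrounding branch, unlike the matching NSEC hunk. As in emitNSEC, the ALIAS branch ignores `rr.auth` while the branch it replaces checked it, so whether a non-auth ALIAS row should contribute A/AAAA here deserves either a guard or a comment. emitNSEC3's body starts and ends outside the hunk.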
 
index 21bdacffb3f23d2f494d77ea04a48af4f32930f7..9806b0fd767432fdfe742a29f9632e8bac7b3e91 100755 (executable)
@@ -3,3 +3,6 @@ cleandig google-alias.example.com A hidettl
 cleandig google-alias.example.com AAAA hidettl
 cleandig google-alias.example.com A hidettl tcp
 cleandig google-alias.example.com AAAA hidettl tcp
+
+# Test if the NSEC bitmap is correct
+cleandig google-alias1.example.com A hidettl hidesoadetails dnssec
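Review bot: The new query `cleandig google-alias1.example.com A hidettl hidesoadetails dnssec` exercises the NXDOMAIN path for a neighbouring name, whose covering NSEC happens to be the one owned by google-alias.example.com, but the commit message motivates the change with NODATA answers at the ALIAS name itself, and that case is not queried. Adding a query for a type the ALIAS name does not hold, e.g. `cleandig google-alias.example.com TXT hidettl hidesoadetails dnssec`, would pin the bitmap on the response that aggressive caches actually consume (assuming such a query yields NODATA with that NSEC, which this hunk does not show). Note also that the diffstat adds skip.nsec3, skip.narrow and skip.optout for this test, so the emitNSEC3 change in packethandler.cc gets no regression coverage from it.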
index bc2b061a7aefcc7f21c120dc2512a8f5120ae708..a9601f9c7d15bed45c3234ffaf0b72dcb2b7181e 100644 (file)
@@ -10,3 +10,7 @@ Reply to question for qname='google-alias.example.com.', qtype=A
 0      google-alias.example.com.       IN      AAAA    [ttl]   2001:4860:4860::8888
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='google-alias.example.com.', qtype=AAAA
+1      example.com.    IN      SOA     [ttl]   ns1.example.com. ahu.example.com. [serial] 28800 7200 604800 86400
+2      .       IN      OPT     [ttl]   
+Rcode: 3 (Non-Existent domain), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='google-alias1.example.com.', qtype=A
diff --git a/regression-tests/tests/alias-address/expected_result.dnssec b/regression-tests/tests/alias-address/expected_result.dnssec
new file mode 100644 (file)
index 0000000..b5ab5e5
--- /dev/null
@@ -0,0 +1,21 @@
+0      google-alias.example.com.       IN      A       [ttl]   8.8.8.8
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='google-alias.example.com.', qtype=A
+0      google-alias.example.com.       IN      AAAA    [ttl]   2001:4860:4860::8888
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='google-alias.example.com.', qtype=AAAA
+0      google-alias.example.com.       IN      A       [ttl]   8.8.8.8
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='google-alias.example.com.', qtype=A
+0      google-alias.example.com.       IN      AAAA    [ttl]   2001:4860:4860::8888
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='google-alias.example.com.', qtype=AAAA
+1      example.com.    IN      NSEC    [ttl]   _imap._tcp.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1      example.com.    IN      RRSIG   [ttl]   NSEC 13 2 86400 [expiry] [inception] [keytag] example.com. ...
+1      example.com.    IN      RRSIG   [ttl]   SOA 13 2 100000 [expiry] [inception] [keytag] example.com. ...
+1      example.com.    IN      SOA     [ttl]   ns1.example.com. ahu.example.com. [serial] 28800 7200 604800 86400
+1      google-alias.example.com.       IN      NSEC    [ttl]   hightype.example.com. A AAAA RRSIG NSEC
+1      google-alias.example.com.       IN      RRSIG   [ttl]   NSEC 13 3 86400 [expiry] [inception] [keytag] example.com. ...
+2      .       IN      OPT     [ttl]   
+Rcode: 3 (Non-Existent domain), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='google-alias1.example.com.', qtype=A
diff --git a/regression-tests/tests/alias-address/skip.narrow b/regression-tests/tests/alias-address/skip.narrow
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/regression-tests/tests/alias-address/skip.nsec3 b/regression-tests/tests/alias-address/skip.nsec3
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/regression-tests/tests/alias-address/skip.optout b/regression-tests/tests/alias-address/skip.optout
new file mode 100644 (file)
index 0000000..e69de29