auth: correctly respect direct-dnskey when putting DNSKEY/CDS/CDNSKEY in NSEC(3)... 10514/head
authorPeter van Dijk <peter.van.dijk@powerdns.com>
Mon, 21 Jun 2021 14:54:16 +0000 (16:54 +0200)
committerPeter van Dijk <peter.van.dijk@powerdns.com>
Mon, 21 Jun 2021 14:54:16 +0000 (16:54 +0200)
pdns/packethandler.cc

index 6c568b583f4af8f95e6041a70530b58daa06ea80..84a6bd983ec109ae63f8a85679706cf2a8dbd030 100644 (file)
@@ -627,6 +627,9 @@ void PacketHandler::emitNSEC(std::unique_ptr<DNSPacket>& r, const DNSName& name,
       nrc.set(QType::A);
       nrc.set(QType::AAAA);
     }
+    else if((rr.dr.d_type == QType::DNSKEY || rr.dr.d_type == QType::CDS || rr.dr.d_type == QType::CDNSKEY) && !d_dk.isPresigned(d_sd.qname) && !::arg().mustDo("direct-dnskey")) {
+      continue;
+    }
     else if(rr.dr.d_type == QType::NS || rr.auth) {
       nrc.set(rr.dr.d_type);
     }
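Review bot: The new `else if` that skips DNSKEY/CDS/CDNSKEY rows has no comment, and the same three-part condition is repeated verbatim in the emitNSEC3 hunk below, so the two bitmap builders can drift apart on a later edit. The NSEC/NSEC3 type bitmap is signed denial-of-existence data that validators and aggressive-NSEC caches act on, so the reason for the skip belongs at the branch, e.g. `// backend DNSKEY/CDS/CDNSKEY rows are only used for presigned zones or with direct-dnskey; otherwise keep them out of the bitmap`. Moving the test into one small private helper that both functions call would keep NSEC and NSEC3 in step. The "only used" wording is inferred from the commit title and should be checked against the code that answers these types. Both function bodies start and end outside the hunks, so the code that sets the apex DNSKEY bit from the configured keys is not visible here.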
@@ -691,6 +694,9 @@ void PacketHandler::emitNSEC3(std::unique_ptr<DNSPacket>& r, const NSEC3PARAMRec
         n3rc.set(QType::A);
         n3rc.set(QType::AAAA);
       }
+      else if((rr.dr.d_type == QType::DNSKEY || rr.dr.d_type == QType::CDS || rr.dr.d_type == QType::CDNSKEY) && !d_dk.isPresigned(d_sd.qname) && !::arg().mustDo("direct-dnskey")) {
+        continue;
+      }
       else if(rr.dr.d_type && (rr.dr.d_type == QType::NS || rr.auth)) {
           // skip empty non-terminals
           n3rc.set(rr.dr.d_type);