From: Pieter Lexis
Date: Tue, 9 Mar 2021 15:46:30 +0000 (+0100)
Subject: ALIAS: Ensure A and AAAA are in the NSEC bitmap
X-Git-Tag: rec-4.5.0-beta1~23^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa216e980dee708efc42349fee7dcadb0edcc0dd;p=thirdparty%2Fpdns.git
ALIAS: Ensure A and AAAA are in the NSEC bitmap This ensures that NODATA responses from names with an ALIAS record don't blank out A/AAAA on resolvers using aggressive NSEC caching. Closes #6667
---
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 773b90a84f..7fa38a6335 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -589,8 +589,17 @@ void PacketHandler::emitNSEC(std::unique_ptr& r, const DNSName& name,
 nrc.set(getRR(rr.dr)->d_type);
 else
 #endif
- if(rr.dr.d_type == QType::NS || rr.auth)
+ if(rr.dr.d_type == QType::ALIAS) {
+ // Set the A and AAAA in the NSEC bitmap so aggressive NSEC
+ // does not falsely deny the type for this name.
+ // This does NOT add the ALIAS to the bitmap, as that record cannot
+ // be requested.
+ nrc.set(QType::A);
+ nrc.set(QType::AAAA);
+ }
+ else if(rr.dr.d_type == QType::NS || rr.auth) {
 nrc.set(rr.dr.d_type);
+ }
 }
 rr.dr.d_name = name;
@@ -644,8 +653,18 @@ void PacketHandler::emitNSEC3(std::unique_ptr& r, const NSEC3PARAMRec
 n3rc.set(getRR(rr.dr)->d_type);
 else
 #endif
- if(rr.dr.d_type && (rr.dr.d_type == QType::NS || rr.auth)) // skip empty non-terminals
- n3rc.set(rr.dr.d_type);
+ if(rr.dr.d_type == QType::ALIAS) {
+ // Set the A and AAAA in the NSEC3 bitmap so aggressive NSEC
+ // does not falsely deny the type for this name.
+ // This does NOT add the ALIAS to the bitmap, as that record cannot
+ // be requested.
+ n3rc.set(QType::A);
+ n3rc.set(QType::AAAA);
+ }
+ else if(rr.dr.d_type && (rr.dr.d_type == QType::NS || rr.auth)) {
+ // skip empty non-terminals
+ n3rc.set(rr.dr.d_type);
+ }
 }
 }
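Review bot: The new ALIAS branch in emitNSEC sets A and AAAA without the `rr.auth` test that the displaced condition (now the `else if`) still requires, so a non-authoritative ALIAS record, if the backend can ever deliver one, would put A/AAAA into the bitmap of a name this server does not answer for; if that case is impossible, `if(rr.dr.d_type == QType::ALIAS && rr.auth) {` would at least record the invariant. The comment block could also state that both types are asserted even when the ALIAS target resolves to only one of them, since a NODATA answer for the missing type would then travel with an NSEC whose bitmap does not prove it — whether that is reachable depends on how ALIAS answers are signed, which is outside this hunk. The same five-line block is repeated verbatim in the emitNSEC3 hunk of this file with only `nrc`/`n3rc` and the word NSEC3 differing, so a small shared helper taking the bitmap would keep the two from drifting. emitNSEC's body begins and ends outside the hunk.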
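Review bot: The new NSEC3 ALIAS branch in emitNSEC3 is not exercised by the regression test this commit adds: skip.narrow, skip.nsec3 and skip.optout are added as empty marker files, so alias-address appears to run only in plain NSEC mode and only the emitNSEC change is pinned by expected_result.dnssec. An NSEC3 variant of the expected output would cover the `n3rc.set(QType::A); n3rc.set(QType::AAAA);` lines, which otherwise rely on review alone. The `// skip empty non-terminals` comment has moved from the condition into the `else if` body; keeping it on the line above `else if(rr.dr.d_type && ...)` leaves it next to the `rr.dr.d_type &&` check it explains. emitNSEC3's body begins and ends outside the hunk.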
diff --git a/regression-tests/tests/alias-address/command b/regression-tests/tests/alias-address/command
index 21bdacffb3..9806b0fd76 100755
--- a/regression-tests/tests/alias-address/command
+++ b/regression-tests/tests/alias-address/command
@@ -3,3 +3,6 @@ cleandig google-alias.example.com A hidettl
 cleandig google-alias.example.com AAAA hidettl
 cleandig google-alias.example.com A hidettl tcp
 cleandig google-alias.example.com AAAA hidettl tcp
+
+# Test if the NSEC bitmap is correct
+cleandig google-alias1.example.com A hidettl hidesoadetails dnssec
diff --git a/regression-tests/tests/alias-address/expected_result b/regression-tests/tests/alias-address/expected_result
index bc2b061a7a..a9601f9c7d 100644
--- a/regression-tests/tests/alias-address/expected_result
+++ b/regression-tests/tests/alias-address/expected_result
@@ -10,3 +10,7 @@ Reply to question for qname='google-alias.example.com.', qtype=A
 0 google-alias.example.com. IN AAAA [ttl] 2001:4860:4860::8888
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='google-alias.example.com.', qtype=AAAA
+1 example.com. IN SOA [ttl] ns1.example.com. ahu.example.com. [serial] 28800 7200 604800 86400
+2 . IN OPT [ttl]
+Rcode: 3 (Non-Existent domain), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='google-alias1.example.com.', qtype=A
diff --git a/regression-tests/tests/alias-address/expected_result.dnssec b/regression-tests/tests/alias-address/expected_result.dnssec
new file mode 100644
index 0000000000..b5ab5e53d6
--- /dev/null
+++ b/regression-tests/tests/alias-address/expected_result.dnssec
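Review bot: The added query exercises the bitmap only indirectly: `cleandig google-alias1.example.com A hidettl hidesoadetails dnssec` produces an NXDOMAIN whose covering NSEC is owned by google-alias.example.com (visible in expected_result.dnssec), while the commit message describes NODATA responses from the ALIAS name itself. A direct probe for a type the name does not hold, such as `cleandig google-alias.example.com TXT hidettl hidesoadetails dnssec` (if TXT is indeed absent there), would return the owner's NSEC in a NODATA answer and pin exactly the case the change is for. The new `# Test if the NSEC bitmap is correct` comment could also name the expectation, e.g. `# Expect A and AAAA in the NSEC bitmap of google-alias.example.com`.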
@@ -0,0 +1,21 @@
+0 google-alias.example.com. IN A [ttl] 8.8.8.8
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='google-alias.example.com.', qtype=A
+0 google-alias.example.com. IN AAAA [ttl] 2001:4860:4860::8888
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='google-alias.example.com.', qtype=AAAA
+0 google-alias.example.com. IN A [ttl] 8.8.8.8
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='google-alias.example.com.', qtype=A
+0 google-alias.example.com. IN AAAA [ttl] 2001:4860:4860::8888
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='google-alias.example.com.', qtype=AAAA
+1 example.com. IN NSEC [ttl] _imap._tcp.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN RRSIG [ttl] NSEC 13 2 86400 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN RRSIG [ttl] SOA 13 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA [ttl] ns1.example.com. ahu.example.com. [serial] 28800 7200 604800 86400
+1 google-alias.example.com. IN NSEC [ttl] hightype.example.com. A AAAA RRSIG NSEC
+1 google-alias.example.com. IN RRSIG [ttl] NSEC 13 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT [ttl]
+Rcode: 3 (Non-Existent domain), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='google-alias1.example.com.', qtype=A
diff --git a/regression-tests/tests/alias-address/skip.narrow b/regression-tests/tests/alias-address/skip.narrow
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/regression-tests/tests/alias-address/skip.nsec3 b/regression-tests/tests/alias-address/skip.nsec3
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/regression-tests/tests/alias-address/skip.optout b/regression-tests/tests/alias-address/skip.optout
new file mode 100644
index 0000000000..e69de29bb2