From: Pieter Lexis
Date: Tue, 16 Feb 2021 07:37:50 +0000 (+0100)
Subject: pdnsutil: Warn on CNAME targets for NS, MX and SRV
X-Git-Tag: dnsdist-1.6.0-alpha2~33^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b0ca8370dff1e3cf07bcf638de7d1eb8994f5b1f;p=thirdparty%2Fpdns.git

pdnsutil: Warn on CNAME targets for NS, MX and SRV

Fixes #10085
---
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc
index f5194473ef..6fcd28aa91 100644
--- a/pdns/pdnsutil.cc
+++ b/pdns/pdnsutil.cc
@@ -324,6 +324,7 @@ static int checkZone(DNSSECKeeper &dk, UeberBackend &B, const DNSName& zone, con
 bool hasNsAtApex = false;
 set tlsas, cnames, noncnames, glue, checkglue, addresses, svcbAliases, httpsAliases, svcbRecords, httpsRecords;
+ vector checkCNAME;
 set > checkOcclusion;
 set recordcontents;
 map ttl;
@@ -531,6 +532,10 @@ static int checkZone(DNSSECKeeper &dk, UeberBackend &B, const DNSName& zone, con
 noncnames.insert(rr.qname);
 }
+ if (rr.qtype == QType::MX || rr.qtype == QType::NS || rr.qtype == QType::SRV) {
+ checkCNAME.push_back(rr);
+ }
+
 if(rr.qtype.getCode() == QType::NSEC || rr.qtype.getCode() == QType::NSEC3) {
 cout<<"[Error] NSEC or NSEC3 found at '"< drc(DNSRecordContent::mastermake(rr.qtype.getCode(), QClass::IN, rr.content));
+ switch (rr.qtype) {
+ case QType::MX:
+ target = std::dynamic_pointer_cast(drc)->d_mxname;
+ break;
+ case QType::SRV:
+ target = std::dynamic_pointer_cast(drc)->d_target;
+ break;
+ case QType::NS:
+ target = std::dynamic_pointer_cast(drc)->getNS();
+ break;
+ default:
+ // programmer error, but let's not abort() :)
+ break;
+ }
+ if (target.isPartOf(zone) && cnames.count(target) != 0) {
+ cout<<"[Warning] '" << rr.qname << "|" << rr.qtype.getName() << " has a target (" << target << ") that is a CNAME." << endl;
+ numwarnings++;
+ }
+ }
+
 bool ok, ds_ns, done;
 for( const auto &rr : records ) {
 ok = ( rr.auth == 1 );
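Review bot: The new warning on the `cout<<"[Warning] '"` line opens a single quote before `rr.qname` but never closes it, unlike the `[Error] NSEC or NSEC3 found at '...'` message earlier in this file; change the fragment `" has a target ("` to `"' has a target ("` so the output reads `'name|MX' has a target (...)`. The `drc(DNSRecordContent::mastermake(rr.qtype.getCode(), QClass::IN, rr.content))` construction at the start of this hunk runs outside any try block visible here, so a record whose content the parser rejects would throw out of check-zone instead of being reported; if the per-record parse earlier in checkZone already `continue`s past such records before the `checkCNAME.push_back(rr)` in the previous hunk, this is fine, but that is worth confirming since the push_back itself is unconditional. A short comment on the `target.isPartOf(zone)` condition would also help readers, e.g. `// only in-zone targets can be checked against this zone's CNAME set; out-of-zone aliases are not verified (RFC 2181 s.10.3, RFC 2782)`. The head of this hunk (the loop header and the `target`/`drc` declarations) is garbled in this extraction, and checkZone begins and ends outside it.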