From: Kees Monshouwer Date: Thu, 12 Mar 2015 16:38:51 +0000 (+0100) Subject: NSEC3 and related RRSIGS are not part of the dnstree X-Git-Tag: dnsdist-1.0.0-alpha1~248^2~98^2~51^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F2348%2Fhead;p=thirdparty%2Fpdns.git NSEC3 and related RRSIGS are not part of the dnstree --- diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index ef5599d414..a5ebfed096 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -1232,12 +1232,10 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse) weDone = weRedirected = weHaveUnauth = false; while(B.get(rr)) { - if (p->qtype.getCode() == QType::ANY) { - if (rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way. - continue; // TODO: this actually means addRRSig should check if the RRSig is already there. - if (!p->d_dnssecOk && (rr.qtype.getCode() == QType:: DNSKEY || rr.qtype.getCode() == QType::NSEC3PARAM)) - continue; // Don't send dnssec info to non validating resolvers. - } + if (p->qtype.getCode() == QType::ANY && !p->d_dnssecOk && (rr.qtype.getCode() == QType:: DNSKEY || rr.qtype.getCode() == QType::NSEC3PARAM)) + continue; // Don't send dnssec info to non validating resolvers. + if (rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way. + continue; // TODO: this actually means addRRSig should check if the RRSig is already there // cerr<<"Auth: "<qtype)<<", "<qtype.getCode() == QType::ANY || rr.qtype == p->qtype) && rr.auth) diff --git a/regression-tests/tests/nsec3-hash-query/command b/regression-tests/tests/nsec3-hash-query/command new file mode 100755 index 0000000000..a41f17c9d7 --- /dev/null +++ b/regression-tests/tests/nsec3-hash-query/command @@ -0,0 +1,2 @@ +#!/bin/sh +cleandig vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com A 
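Review bot: The comment on the RRSIG skip inside the `while(B.get(rr))` loop still gives the old ANY-only reason ("RRSIGS are added later any way"), although the `continue` now runs for every qtype and is presumably what stops backend RRSIG rows at an NSEC3 hash name from counting as data there. I would reword it to state that, e.g. `// RRSIGs (including those over NSEC3) are not tree data; signatures are attached later by addRRSig`, and either resolve or ticket the remaining TODO about duplicate detection in addRRSig. A query with qtype RRSIG now also hits this `continue`; how that case is answered is not visible in the hunk, so a sentence in the commit message stating the intended response would help reviewers. The stray space in `QType:: DNSKEY` is carried onto the new line and could be dropped while the line is being touched. questionOrRecurse starts and ends outside the hunk.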
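Review bot: The new `nsec3-hash-query/command` queries the hashed owner name only for type `A` without DNSSEC, so the NXDOMAIN pinned in `expected_result` covers a single path through the changed loop. The case a validating resolver depends on is the same query with DO set, where the denial-of-existence records returned for the hash name have to stay consistent; a second line such as `cleandig vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com A dnssec` (assuming the `dnssec` argument that other tests in this suite pass to cleandig) would pin that, with the matching lines added to `expected_result`. A query for type `RRSIG` or `ANY` at the same name would exercise the two reworked `continue` branches directly.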
diff --git a/regression-tests/tests/nsec3-hash-query/description b/regression-tests/tests/nsec3-hash-query/description
new file mode 100644
index 0000000000..8f9f06d25c
--- /dev/null
+++ b/regression-tests/tests/nsec3-hash-query/description
@@ -0,0 +1 @@
+NSEC3 hashes are not part of the dns tree.
diff --git a/regression-tests/tests/nsec3-hash-query/expected_result b/regression-tests/tests/nsec3-hash-query/expected_result
new file mode 100644
index 0000000000..e178b01024
--- /dev/null
+++ b/regression-tests/tests/nsec3-hash-query/expected_result
@@ -0,0 +1,3 @@
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.', qtype=A