From: Remi Gacogne
Date: Wed, 27 Sep 2017 14:14:49 +0000 (+0200)
Subject: rec: Do not allow direct queries for RRSIG or NSEC3
X-Git-Tag: rec-4.1.0-rc1~16^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F5738%2Fhead;p=thirdparty%2Fpdns.git
rec: Do not allow direct queries for RRSIG or NSEC3
---
diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 36f5d34c40..92d82045eb 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -2151,13 +2151,13 @@ BOOST_AUTO_TEST_CASE(test_qclass_none) {
 BOOST_CHECK_EQUAL(queriesCount, 0);
 }
-BOOST_AUTO_TEST_CASE(test_xfr) {
+BOOST_AUTO_TEST_CASE(test_special_types) {
 std::unique_ptr sr;
 initSR(sr);
 primeHints();
- /* {A,I}XFR should be rejected right away */
+ /* {A,I}XFR, RRSIG and NSEC3 should be rejected right away */
 size_t queriesCount = 0;
 sr->setAsyncCallback([&queriesCount](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional& srcmask, boost::optional context, std::shared_ptr outgoingLogger, LWResult* res) {
@@ -2178,6 +2178,16 @@ BOOST_AUTO_TEST_CASE(test_xfr) {
 BOOST_CHECK_EQUAL(res, -1);
 BOOST_CHECK_EQUAL(ret.size(), 0);
 BOOST_CHECK_EQUAL(queriesCount, 0);
+
+ res = sr->beginResolve(target, QType(QType::RRSIG), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, -1);
+ BOOST_CHECK_EQUAL(ret.size(), 0);
+ BOOST_CHECK_EQUAL(queriesCount, 0);
+
+ res = sr->beginResolve(target, QType(QType::NSEC3), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, -1);
+ BOOST_CHECK_EQUAL(ret.size(), 0);
+ BOOST_CHECK_EQUAL(queriesCount, 0);
 }
 BOOST_AUTO_TEST_CASE(test_special_names) {
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 665c150eca..43652604ed 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -125,7 +125,7 @@ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qcl
 return 0;
 }
- if( (qtype.getCode() == QType::AXFR) || (qtype.getCode() == QType::IXFR))
+ if( (qtype.getCode() == QType::AXFR) || (qtype.getCode() == QType::IXFR) || (qtype.getCode() == QType::RRSIG) || (qtype.getCode() == QType::NSEC3))
 return -1;
 if(qclass==QClass::ANY)
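Review bot: The widened condition in `SyncRes::beginResolve` refuses RRSIG and NSEC3 with the same bare `return -1;` as the zone-transfer types, and nothing at the check records why these types are refused or that the refusal must happen before any outgoing query. A one-line comment above the `if` would capture that, for example `/* types that must not be queried directly: refuse before any outgoing query is sent */`. The four repeated `qtype.getCode()` calls also make the line hard to scan; hoisting `const auto code = qtype.getCode();` and using a `switch` over the four types would read better and keep future additions to one line each. How the caller turns -1 into a response code is not visible here and is worth confirming for the new types; the function body starts and ends outside the hunk.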