From e6d4f36b935567256ddcb01a9539bc784a3b814e Mon Sep 17 00:00:00 2001
From: Peter van Dijk
Date: Sun, 28 May 2023 23:05:35 +0200
Subject: [PATCH] auth: do not answer with broken TYPE0 data when expanding an ENT wildcard
---
 pdns/packethandler.cc | 2 +-
 regression-tests/tests/ent-asterisk/command | 1 +
 regression-tests/tests/ent-asterisk/expected_result | 4 ++++
 .../tests/ent-asterisk/expected_result.dnssec | 9 +++++++++
 .../tests/ent-asterisk/expected_result.narrow | 11 +++++++++++
 .../tests/ent-asterisk/expected_result.nsec3 | 11 +++++++++++
 6 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 5d603648c5..d83b8393d1 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -436,7 +436,7 @@ bool PacketHandler::getBestWildcard(DNSPacket& p, const DNSName &target, DNSName
 } else
 #endif
- if(rr.dr.d_type == p.qtype.getCode() || rr.dr.d_type == QType::CNAME || (p.qtype.getCode() == QType::ANY && rr.dr.d_type != QType::RRSIG)) {
+ if(rr.dr.d_type != QType::ENT && (rr.dr.d_type == p.qtype.getCode() || rr.dr.d_type == QType::CNAME || (p.qtype.getCode() == QType::ANY && rr.dr.d_type != QType::RRSIG))) {
 ret->push_back(rr);
 }
diff --git a/regression-tests/tests/ent-asterisk/command b/regression-tests/tests/ent-asterisk/command
index bce5a5ec68..b183ea74b6 100755
--- a/regression-tests/tests/ent-asterisk/command
+++ b/regression-tests/tests/ent-asterisk/command
@@ -1,3 +1,4 @@
 #!/bin/sh
 cleandig sub.host.sub.example.com a dnssec
+cleandig sub.host.sub.example.com any dnssec tcp
diff --git a/regression-tests/tests/ent-asterisk/expected_result b/regression-tests/tests/ent-asterisk/expected_result
index c07355b8cd..51e64a592f 100644
--- a/regression-tests/tests/ent-asterisk/expected_result
+++ b/regression-tests/tests/ent-asterisk/expected_result
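Review bot: The added `rr.dr.d_type != QType::ENT` clause on the `+` line is undocumented, and the combined condition is now a three-clause expression in which a reader has to work out why ENT is special. Assuming this sits inside the record loop that `rr` suggests, prefer an early skip with a why-comment ahead of the `#ifdef`/`else` chain, `if (rr.dr.d_type == QType::ENT) { continue; } // ENT rows (TYPE0) only mark empty non-terminals in the backend; they are not real RRs and must never reach the wire`, which also leaves the original condition untouched. Note the guard rejects ENT regardless of qtype, so a direct query for TYPE0 no longer matches such a row either — that is the right outcome, since a TYPE0 RR in a response is malformed and clients may reject or mis-parse the whole message, but it is worth stating in the commit message. If the same `p.qtype.getCode() == QType::ANY && rr.dr.d_type != QType::RRSIG` filter appears in the non-wildcard answer path, that path presumably needs the same guard; it is not visible from this hunk. getBestWildcard's body starts and ends outside the hunk.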
@@ -2,3 +2,7 @@
 2 . 32768 IN OPT
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='sub.host.sub.example.com.', qtype=A
+1 example.com. 86400 IN SOA ns1.example.com. ahu.example.com. 2847484148 28800 7200 604800 86400
+2 . 32768 IN OPT
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='sub.host.sub.example.com.', qtype=ANY
diff --git a/regression-tests/tests/ent-asterisk/expected_result.dnssec b/regression-tests/tests/ent-asterisk/expected_result.dnssec
index 6be3db6d85..3c5498c78e 100644
--- a/regression-tests/tests/ent-asterisk/expected_result.dnssec
+++ b/regression-tests/tests/ent-asterisk/expected_result.dnssec
@@ -7,3 +7,12 @@
 2 . 32768 IN OPT
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='sub.host.sub.example.com.', qtype=A
+1 example.com. 86400 IN RRSIG SOA 13 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. 86400 IN SOA ns1.example.com. ahu.example.com. 2847484148 28800 7200 604800 86400
+1 host.*.sub.example.com. 86400 IN NSEC bar.svcb.example.com. A RRSIG NSEC
+1 host.*.sub.example.com. 86400 IN RRSIG NSEC 13 5 86400 [expiry] [inception] [keytag] example.com. ...
+1 start4.example.com. 86400 IN NSEC host.*.sub.example.com. A RRSIG NSEC
+1 start4.example.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . 32768 IN OPT
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='sub.host.sub.example.com.', qtype=ANY
diff --git a/regression-tests/tests/ent-asterisk/expected_result.narrow b/regression-tests/tests/ent-asterisk/expected_result.narrow
index d0f8c68d65..fa87e0b259 100644
--- a/regression-tests/tests/ent-asterisk/expected_result.narrow
+++ b/regression-tests/tests/ent-asterisk/expected_result.narrow
@@ -9,3 +9,14 @@
 2 . 32768 IN OPT
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='sub.host.sub.example.com.', qtype=A
+1 5ui8h56r4776maicvhpdegs6chr19i99.example.com. 86400 IN NSEC3 1 [flags] 1 abcd 5UI8H56R4776MAICVHPDEGS6CHR19I9A
+1 5ui8h56r4776maicvhpdegs6chr19i99.example.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 example.com. 86400 IN RRSIG SOA 13 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. 86400 IN SOA ns1.example.com. ahu.example.com. 2847484148 28800 7200 604800 86400
+1 hhrsadparthvtuou67trentjstdodla0.example.com. 86400 IN NSEC3 1 [flags] 1 abcd HHRSADPARTHVTUOU67TRENTJSTDODLA1
+1 hhrsadparthvtuou67trentjstdodla0.example.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 pbl3rtqv3mt7eb29gqp0a17o0h42nj76.example.com. 86400 IN NSEC3 1 [flags] 1 abcd PBL3RTQV3MT7EB29GQP0A17O0H42NJ78
+1 pbl3rtqv3mt7eb29gqp0a17o0h42nj76.example.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . 32768 IN OPT
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='sub.host.sub.example.com.', qtype=ANY
diff --git a/regression-tests/tests/ent-asterisk/expected_result.nsec3 b/regression-tests/tests/ent-asterisk/expected_result.nsec3
index 04967be403..1279454097 100644
--- a/regression-tests/tests/ent-asterisk/expected_result.nsec3
+++ b/regression-tests/tests/ent-asterisk/expected_result.nsec3
@@ -9,3 +9,14 @@
 2 . 32768 IN OPT
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='sub.host.sub.example.com.', qtype=A
+1 5ui8h56r4776maicvhpdegs6chr19i99.example.com. 86400 IN NSEC3 1 [flags] 1 abcd 5UMB87SUFNRRMLILGL48A5GUUHG7RI58
+1 5ui8h56r4776maicvhpdegs6chr19i99.example.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 example.com. 86400 IN RRSIG SOA 13 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. 86400 IN SOA ns1.example.com. ahu.example.com. 2847484148 28800 7200 604800 86400
+1 hhrsadparthvtuou67trentjstdodla0.example.com. 86400 IN NSEC3 1 [flags] 1 abcd HHTKKD5HB125SGANBTKMQK84LULH60LH
+1 hhrsadparthvtuou67trentjstdodla0.example.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 pbkjnd53pnsru5jmaqnk3k936pv2pq5j.example.com. 86400 IN NSEC3 1 [flags] 1 abcd PBL4SE96F8T4H4Q24UQMRQ4KS96AHPV3 A RRSIG
+1 pbkjnd53pnsru5jmaqnk3k936pv2pq5j.example.com. 86400 IN RRSIG NSEC3 13 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . 32768 IN OPT
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='sub.host.sub.example.com.', qtype=ANY
-- 
2.47.2