From 1cb5b5d141f386b611bdba7c0f4e041d14057b31 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Tue, 2 Jul 2013 01:17:23 +0200
Subject: [PATCH] fix getAuth for DS queries at apex
---
 pdns/packethandler.cc | 13 ++++++++-----
 regression-tests/ds-at-apex-noerror/command | 3 +++
 regression-tests/ds-at-apex-noerror/description | 1 +
 regression-tests/ds-at-apex-noerror/expected_result | 4 ++++
 .../ds-at-apex-noerror/expected_result.dnssec | 7 +++++++
 .../ds-at-apex-noerror/expected_result.narrow | 7 +++++++
 .../ds-at-apex-noerror/expected_result.nsec3 | 7 +++++++
 7 files changed, 37 insertions(+), 5 deletions(-)
 create mode 100755 regression-tests/ds-at-apex-noerror/command
 create mode 100644 regression-tests/ds-at-apex-noerror/description
 create mode 100644 regression-tests/ds-at-apex-noerror/expected_result
 create mode 100644 regression-tests/ds-at-apex-noerror/expected_result.dnssec
 create mode 100644 regression-tests/ds-at-apex-noerror/expected_result.narrow
 create mode 100644 regression-tests/ds-at-apex-noerror/expected_result.nsec3
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index f9eaa2dc01..ad2a54f8dc 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -286,20 +286,23 @@ int PacketHandler::doVersionRequest(DNSPacket *p, DNSPacket *r, string &target)
 /** Determines if we are authoritative for a zone, and at what level */
 bool PacketHandler::getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId)
 {
+ bool found=false;
 string subdomain(target);
 do {
 if( B.getSOA( subdomain, *sd, p ) ) {
- if(p->qtype.getCode() == QType::DS && pdns_iequals(subdomain, target))
- continue; // A DS question is never answered from the apex, go one zone upwards
-
 sd->qname = subdomain;
 if(zoneId)
 *zoneId = sd->domain_id;
- return true;
+
+ if(p->qtype.getCode() == QType::DS && pdns_iequals(subdomain, target)) {
+ // Found authoritative zone but look for parent zone with 'DS' record.
+ found=true;
+ } else
+ return true;
 }
 }
 while( chopOff( subdomain ) ); // 'www.powerdns.org' -> 'powerdns.org' -> 'org' -> ''
- return false;
+ return found;
 }
 
 vector PacketHandler::getBestReferralNS(DNSPacket *p, SOAData& sd, const string &target)
diff --git a/regression-tests/ds-at-apex-noerror/command b/regression-tests/ds-at-apex-noerror/command
new file mode 100755
index 0000000000..18cf89cf6d
--- /dev/null
+++ b/regression-tests/ds-at-apex-noerror/command
@@ -0,0 +1,3 @@
+#!/bin/sh
+cleandig example.com DS dnssec
+
diff --git a/regression-tests/ds-at-apex-noerror/description b/regression-tests/ds-at-apex-noerror/description
new file mode 100644
index 0000000000..5cc9ca5f74
--- /dev/null
+++ b/regression-tests/ds-at-apex-noerror/description
@@ -0,0 +1 @@
+This test tries to resolve a non-existent DS at apex
diff --git a/regression-tests/ds-at-apex-noerror/expected_result b/regression-tests/ds-at-apex-noerror/expected_result
new file mode 100644
index 0000000000..c27e7fe502
--- /dev/null
+++ b/regression-tests/ds-at-apex-noerror/expected_result
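Review bot: The apex fallback in getAuth depends on `B.getSOA` leaving `*sd` untouched when it returns false, and nothing visible in this hunk establishes that. After `found=true;` the loop keeps calling `B.getSOA( subdomain, *sd, p )` for every parent name, so a backend that writes part of `*sd` before failing would leave the caller with the apex `sd->qname` and `*zoneId` but other SOA fields from a failed parent lookup, which presumably then feed the authoritative NODATA answer and its signatures. Declaring `SOAData apex;` next to `found`, setting `apex=*sd;` beside `found=true;`, and adding `if(found) *sd=apex;` before `return found;` would make the result independent of backend behaviour. If the contract is guaranteed elsewhere, a comment on `found` such as `// relies on getSOA() not modifying *sd when it returns false` would record it.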
@@ -0,0 +1,4 @@
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=DS
diff --git a/regression-tests/ds-at-apex-noerror/expected_result.dnssec b/regression-tests/ds-at-apex-noerror/expected_result.dnssec
new file mode 100644
index 0000000000..70b2b3639b
--- /dev/null
+++ b/regression-tests/ds-at-apex-noerror/expected_result.dnssec
@@ -0,0 +1,7 @@
+1 example.com. IN NSEC 86400 double.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=DS
diff --git a/regression-tests/ds-at-apex-noerror/expected_result.narrow b/regression-tests/ds-at-apex-noerror/expected_result.narrow
new file mode 100644
index 0000000000..08641e2b4e
--- /dev/null
+++ b/regression-tests/ds-at-apex-noerror/expected_result.narrow
@@ -0,0 +1,7 @@
+1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=DS
diff --git a/regression-tests/ds-at-apex-noerror/expected_result.nsec3 b/regression-tests/ds-at-apex-noerror/expected_result.nsec3
new file mode 100644
index 0000000000..f3c8d50f25
--- /dev/null
+++ b/regression-tests/ds-at-apex-noerror/expected_result.nsec3
@@ -0,0 +1,7 @@
+1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=DS
--
2.47.2