reject NXDOMAIN response during SOA-check
authorKlaus Darilion <klaus.darilion@nic.at>
Fri, 12 Oct 2018 19:51:10 +0000 (19:51 +0000)
committerKlaus Darilion <klaus.darilion@nic.at>
Fri, 12 Oct 2018 19:51:10 +0000 (19:51 +0000)
Without this patch PowerDNS even parses NXDOMAIN responses and wrongly uses
the SOA records found in them, i.e. the SOA record of a parent zone that the
remote puts in the authority section when answering with NXDOMAIN.

pdns/resolver.cc

index d01baa690e28656904e7f845e5d41771a3019b03..2d274bff7fe8544b7dd58a548bc33bf09a71c3a3 100644 (file)
@@ -271,6 +271,9 @@ bool Resolver::tryGetSOASerial(DNSName *domain, ComboAddress* remote, uint32_t *
   if(mdp.d_qtype != QType::SOA)
     throw ResolverException("Query to '" + remote->toStringWithPort() + "' for SOA of '" + domain->toLogString() + "' returned wrong record type");
 
+  if(mdp.d_header.rcode != 0)
+    throw ResolverException("Query to '" + remote->toStringWithPort() + "' for SOA of '" + domain->toLogString() + "' returned Rcode " + RCode::to_s(mdp.d_header.rcode));
+
   *theirInception = *theirExpire = 0;
   bool gotSOA=false;
   for(const MOADNSParser::answers_t::value_type& drc :  mdp.d_answers) {
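Review bot: The added rcode check rejects only error responses, but a NOERROR response with an empty answer section (NODATA or a referral) can carry a parent zone's SOA in the authority section just like the NXDOMAIN case described in the commit message. The loop over `mdp.d_answers` begins on the last line of the hunk and its body is not visible, so whether it filters by section and owner name cannot be confirmed here; if it does not, the SOA match should also require `drc.first.d_place == DNSResourceRecord::ANSWER && drc.first.d_name == *domain`. As a style point, `if(mdp.d_header.rcode != RCode::NoError)` states the intent better than comparing against the literal `0`. tryGetSOASerial starts before the hunk and continues past it.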