auth SVCB additional processing: do not chase chains outside of zone

author Peter van Dijk <peter.van.dijk@powerdns.com>

Wed, 23 Jun 2021 11:00:22 +0000 (13:00 +0200)

committer Peter van Dijk <peter.van.dijk@powerdns.com>

Thu, 24 Jun 2021 10:07:51 +0000 (12:07 +0200)
author Peter van Dijk <peter.van.dijk@powerdns.com>
Wed, 23 Jun 2021 11:00:22 +0000 (13:00 +0200)
committer Peter van Dijk <peter.van.dijk@powerdns.com>
Thu, 24 Jun 2021 10:07:51 +0000 (12:07 +0200)
diff --git a/modules/tinydnsbackend/data b/modules/tinydnsbackend/data

index 2944749db1bcc56032791bbd66764bd05c392004..f8adb95c3d3b6ed08ee236b9a791cea39d69ec6a 100644 (file)
--- a/modules/tinydnsbackend/data
+++ b/modules/tinydnsbackend/data
@@ -20108,6 +20108,7 @@
  :bar.svcb.example.com:28:\040\001\015\270\000\000\000\000\000\000\000\000\000\003\000\004:120
  :bar.svcb.example.com:64:\000\001\000\000\001\000\003\002h2:120
  :bar.svcb.example.com:64:\000\003\000\000\001\000\003\002h3\000\003\000\002\005\334:120
+:baz.svcb.example.com:64:\000\000\004foo1\004svcb\007example\003net\000:120
  :dsdelegation.example.com:43:m\341\010\001\312\361\352\256\315\253\347afpx\217\220\042EK\365\375\237\332:120
  :escapedtext.example.com:16:\005begin\022the\040\042middle\042\040p\134art\007the\040end:120
  :foo.svcb.example.com:64:\000\000\004foo1\004svcb\007example\003com\000:120
diff --git a/modules/tinydnsbackend/data.cdb b/modules/tinydnsbackend/data.cdb

index 022974b84f416bda36d2a55e64c11dce133286f1..5460277209efc0e6299c0e6564158ef252e271ba 100644 (file)

Binary files a/modules/tinydnsbackend/data.cdb and b/modules/tinydnsbackend/data.cdb differ
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc

index c1d70bd5a8952f02537ecbc9431d030b551d5b9f..5cf2acf42f4cd2f3b9507e5c8b273352ec2e7048 100644 (file)
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -460,6 +460,11 @@ DNSName PacketHandler::doAdditionalServiceProcessing(const DNSName &firstTarget,
    while (!done && ctr > 0) {
      DNSZoneRecord rr;
      done = true;
+
+    if(!ret.isPartOf(d_sd.qname)) {
+      continue;
+    }
+
      B.lookup(QType(qtype), ret, d_sd.domain_id);
      while (B.get(rr)) {
        rr.dr.d_place = DNSResourceRecord::ADDITIONAL;
diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result

index 2fb50a0f9cd13860e6d48c6474701dd300151c2b..22cb2e036f74e2ed32a296bd30bad10f785d1238 100644 (file)
--- a/regression-tests.nobackend/tinydns-data-check/expected_result
+++ b/regression-tests.nobackend/tinydns-data-check/expected_result
@@ -1,4 +1,4 @@
-034a2b6c643ef42a58d19aaed62c6b27  ../regression-tests/zones/example.com
+229dad9ea0464a429685d3dda8a8e9ef  ../regression-tests/zones/example.com
  fe49d2784b1bcc3b91ddd5619f0b6cc1  ../regression-tests/zones/test.com
  f0df67fa656d33fd85098cbe43893395  ../regression-tests/zones/test.dyndns
  dee3e8b568549d9450134b555ca73990  ../regression-tests/zones/sub.test.dyndns
@@ -15,4 +15,4 @@ a98864b315f16bcf49ce577426063c42  ../regression-tests/zones/cdnskey-cds-test.com
  9aeed2c26d0c3ba3baf22dfa9568c451  ../regression-tests/zones/2.0.192.in-addr.arpa
  99c73e8b5db5781fec1ac3fa6a2662a9  ../regression-tests/zones/cryptokeys.org
  1f9e19be0cff67330f3a0a5347654f91  ../regression-tests/zones/hiddencryptokeys.org
-8d42198e3c989c38edb715407bc9c4ae  ../modules/tinydnsbackend/data.cdb
+31595b9c5e078fa22dd1716a34ca1323  ../modules/tinydnsbackend/data.cdb
diff --git a/regression-tests/tests/svcb-aliasmode/command b/regression-tests/tests/svcb-aliasmode/command

index a1fd95a7b52a1af366f0ad2e9776820a2d069f5a..4026472b513227b204295242d4ce0a7fd2a5a221 100755 (executable)
--- a/regression-tests/tests/svcb-aliasmode/command
+++ b/regression-tests/tests/svcb-aliasmode/command
@@ -1,2 +1,3 @@
  #!/bin/sh
-cleandig foo.svcb.example.com SVCB dnssec
-\ No newline at end of file
+cleandig foo.svcb.example.com SVCB dnssec
+cleandig baz.svcb.example.com SVCB dnssec
+\ No newline at end of file
diff --git a/regression-tests/tests/svcb-aliasmode/expected_result b/regression-tests/tests/svcb-aliasmode/expected_result

index dc76059243c5af67249a0c907f6a059401034f72..145d33364c1a178a615ebfcc25a5e0d7dcc2e49a 100644 (file)
--- a/regression-tests/tests/svcb-aliasmode/expected_result
+++ b/regression-tests/tests/svcb-aliasmode/expected_result
@@ -4,3 +4,7 @@
  2      foo1.svcb.example.com.  IN      SVCB    120     1 . alpn=h2,h3
  Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
  Reply to question for qname='foo.svcb.example.com.', qtype=SVCB
+0      baz.svcb.example.com.   IN      SVCB    120     0 foo1.svcb.example.net.
+2      .       IN      OPT     32768   
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='baz.svcb.example.com.', qtype=SVCB
diff --git a/regression-tests/tests/svcb-aliasmode/expected_result.dnssec b/regression-tests/tests/svcb-aliasmode/expected_result.dnssec

index 83d814f88790a53cf621e12b3bd4f80efc0900d9..64f1189e0ce4bd698ae4ee9a18491ef015dcc3de 100644 (file)
--- a/regression-tests/tests/svcb-aliasmode/expected_result.dnssec
+++ b/regression-tests/tests/svcb-aliasmode/expected_result.dnssec
@@ -7,3 +7,8 @@
  2      foo1.svcb.example.com.  IN      SVCB    120     1 . alpn=h2,h3
  Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
  Reply to question for qname='foo.svcb.example.com.', qtype=SVCB
+0      baz.svcb.example.com.   IN      RRSIG   120     SVCB 13 4 120 [expiry] [inception] [keytag] example.com. ...
+0      baz.svcb.example.com.   IN      SVCB    120     0 foo1.svcb.example.net.
+2      .       IN      OPT     32768   
+Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='baz.svcb.example.com.', qtype=SVCB
diff --git a/regression-tests/zones/example.com b/regression-tests/zones/example.com

index c1e82902fb54db78d13eaefc99fdd7942ff6be54..f2decf231d74584a4d497056a1610858d82adfac 100644 (file)
--- a/regression-tests/zones/example.com
+++ b/regression-tests/zones/example.com
@@ -20215,8 +20215,11 @@ foo1.svcb IN SVCB 1 . alpn=h2,h3
  foo.svcb IN A 192.0.2.1 ; Should not show up in additional
  foo1.svcb IN A 192.0.2.2 ; Should show up in additional
  
+
  bar.svcb IN SVCB 1 . alpn=h2
  bar.svcb IN SVCB 3 . alpn=h3 port=1500
  bar.svcb IN AAAA 2001:db8::3:1
  bar.svcb IN AAAA 2001:db8::3:4
-bar.svcb IN A 192.0.2.1
-\ No newline at end of file
+bar.svcb IN A 192.0.2.1
+
+baz.svcb IN SVCB 0 foo1.svcb.example.net. ; AliasMode - should not trigger additional processing, the target is in another zone
author	Peter van Dijk <peter.van.dijk@powerdns.com>
	Wed, 23 Jun 2021 11:00:22 +0000 (13:00 +0200)
committer	Peter van Dijk <peter.van.dijk@powerdns.com>
	Thu, 24 Jun 2021 10:07:51 +0000 (12:07 +0200)
modules/tinydnsbackend/data		patch \| blob \| blame \| history
modules/tinydnsbackend/data.cdb		patch \| blob \| blame \| history
pdns/packethandler.cc		patch \| blob \| blame \| history
regression-tests.nobackend/tinydns-data-check/expected_result		patch \| blob \| blame \| history
regression-tests/tests/svcb-aliasmode/command		patch \| blob \| blame \| history
regression-tests/tests/svcb-aliasmode/expected_result		patch \| blob \| blame \| history
regression-tests/tests/svcb-aliasmode/expected_result.dnssec		patch \| blob \| blame \| history
regression-tests/zones/example.com		patch \| blob \| blame \| history