rec: Refuse DS records received from child zones

author Remi Gacogne <remi.gacogne@powerdns.com>

Tue, 2 Jun 2020 15:19:42 +0000 (17:19 +0200)

committer Otto Moerbeek <otto.moerbeek@open-xchange.com>

Mon, 13 Jul 2020 13:53:49 +0000 (15:53 +0200)
author Remi Gacogne <remi.gacogne@powerdns.com>
Tue, 2 Jun 2020 15:19:42 +0000 (17:19 +0200)
committer Otto Moerbeek <otto.moerbeek@open-xchange.com>
Mon, 13 Jul 2020 13:53:49 +0000 (15:53 +0200)
diff --git a/pdns/syncres.cc b/pdns/syncres.cc

index cd86a67f9fdc14f6a398acb7bdeeb17d0a327f34..5942b81989fa98c8d9c47f42d7b2208f38bc4d72 100644 (file)
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2653,10 +2653,13 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
      }
  
      if(rec.d_name.isPartOf(auth)) {
-      if(rec.d_type == QType::RRSIG) {
+      if (rec.d_type == QType::RRSIG) {
          LOG("RRSIG - separate"<<endl);
        }
-      else if(lwr.d_aabit && lwr.d_rcode==RCode::NoError && rec.d_place==DNSResourceRecord::ANSWER && ((rec.d_type != QType::DNSKEY && rec.d_type != QType::DS) || rec.d_name != auth) && s_delegationOnly.count(auth)) {
+      else if (rec.d_type == QType::DS && rec.d_name == auth) {
+        LOG("NO - DS provided by child zone"<<endl);
+      }
+      else if (lwr.d_aabit && lwr.d_rcode==RCode::NoError && rec.d_place==DNSResourceRecord::ANSWER && ((rec.d_type != QType::DNSKEY && rec.d_type != QType::DS) || rec.d_name != auth) && s_delegationOnly.count(auth)) {
          LOG("NO! Is from delegation-only zone"<<endl);
          s_nodelegated++;
          return RCode::NXDomain;
author	Remi Gacogne <remi.gacogne@powerdns.com>
	Tue, 2 Jun 2020 15:19:42 +0000 (17:19 +0200)
committer	Otto Moerbeek <otto.moerbeek@open-xchange.com>
	Mon, 13 Jul 2020 13:53:49 +0000 (15:53 +0200)