rec: Prevent updating the status of all cached records for a name

Before that fix, it was possible to make the recursor update the
DNSSEC status of all cached records for a given name using an ANY
query.
This real issue is that we should retrieve the needed RRSIGs and
authority records for all cached records when processing an ANY
query, but this fix prevents the cache pollution which is the worst
part of the issue.

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 8ca13cd752f346cfff23b80504ed11df9fc83236..89df89bd86fa38ea0ddd5e2acd56b2737f1048f3 100644 (file)
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1303,6 +1303,11 @@ DNSName SyncRes::getBestNSNamesFromCache(const DNSName &qname, const QType& qtyp
 
 void SyncRes::updateValidationStatusInCache(const DNSName &qname, const QType& qt, bool aa, vState newState) const
 {
+  if (qt == QType::ANY || qt == QType::ADDR) {
+    // not doing that
+    return;
+  }
+
   if (newState == vState::Bogus) {
     g_recCache->updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, d_routingTag, aa, newState, s_maxbogusttl + d_now.tv_sec);
   }
@@ -1755,7 +1760,9 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w
         if (cachedState == vState::Bogus) {
           capTTL = s_maxbogusttl;
         }
-        updateValidationStatusInCache(sqname, sqt, wasCachedAuth, cachedState);
+        if (sqt != QType::ANY && sqt != QType::ADDR) {
+          updateValidationStatusInCache(sqname, sqt, wasCachedAuth, cachedState);
+        }
       }
     }