rec: Detect a loop when the denial of the DS comes from the child zone

author Remi Gacogne <remi.gacogne@powerdns.com>

Sun, 1 Aug 2021 21:58:42 +0000 (23:58 +0200)

committer Remi Gacogne <remi.gacogne@powerdns.com>

Sun, 1 Aug 2021 21:58:42 +0000 (23:58 +0200)
author Remi Gacogne <remi.gacogne@powerdns.com>
Sun, 1 Aug 2021 21:58:42 +0000 (23:58 +0200)
committer Remi Gacogne <remi.gacogne@powerdns.com>
Sun, 1 Aug 2021 21:58:42 +0000 (23:58 +0200)
diff --git a/pdns/syncres.cc b/pdns/syncres.cc

index 86ee77ae5b12808e20a376f68de7af8858532ae2..d0b0d7d55847c7eeb68bb2211f4df30898baf722 100644 (file)
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2840,6 +2840,13 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname
          state = vState::BogusSelfSignedDS;
          dsFailed = true;
        }
+      else if (qtype == QType::DS && signer == qname && !signer.isRoot() && (type == QType::SOA || type == QType::NSEC || type == QType::NSEC3)) {
+        /* if we are trying to validate the DS or more likely NSEC(3)s proving that it does not exist, we have a problem.
+           In that case let's go Bogus (we will check later if we missed a cut)
+        */
+        state = vState::BogusSelfSignedDS;
+        dsFailed = true;
+      }
        else if (qtype == QType::DNSKEY && signer == qname) {
          /* that actually does happen when a server returns NS records in authority
             along with the DNSKEY, leading us to trying to validate the RRSIGs for
author	Remi Gacogne <remi.gacogne@powerdns.com>
	Sun, 1 Aug 2021 21:58:42 +0000 (23:58 +0200)
committer	Remi Gacogne <remi.gacogne@powerdns.com>
	Sun, 1 Aug 2021 21:58:42 +0000 (23:58 +0200)