auth: check for signaling zone preconditions

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 5940ec682e6c1d7e7994af70b220a43ebd81b740..518b10e523b4b8dcc2f5d0e4ddc8db172b19fe07 100644 (file)
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1343,6 +1343,17 @@ void PacketHandler::completeANYRecords(DNSPacket& p, std::unique_ptr<DNSPacket>&
 bool PacketHandler::tryAuthSignal(DNSPacket& p, std::unique_ptr<DNSPacket>& r, DNSName &target) {
   DLOG(g_log<<Logger::Warning<<"Let's try authenticated DNSSEC bootstrapping (RFC 9615) ..."<<endl);
 
+  // Check that we're doing online signing in narrow mode (as we don't know next owner names)
+  if(!d_dk.isSecuredZone(d_sd.zonename) || d_dk.isPresigned(d_sd.zonename)) {
+    g_log << Logger::Warning << "Signaling zone '" << d_sd.zonename << "' must be secured (but not presigned!); synthesis disabled (" << target << "/" << p.qtype << " from " << p.getRemoteString() << ")" << endl;
+    return false;
+  }
+  bool narrow{false};
+  if (!d_dk.getNSEC3PARAM(d_sd.zonename, nullptr, &narrow) || !narrow) {
+    g_log << Logger::Warning << "Signaling zone '" << d_sd.zonename << "' must use NSEC3 narrow; synthesis disabled (" << target << "/" << p.qtype << ")" << " from " << p.getRemoteString() << ")" << endl;
+    return false;
+  }
+
   // Check for prefix mismatch
   if(target.getRawLabel(0) != "_dsboot") {
     makeNOError(p, r, target, DNSName(), 0); // could be ENT