From: Remi Gacogne Date: Tue, 5 Sep 2017 10:23:12 +0000 (+0200) Subject: rec: Go Bogus if the name exists but retrieving the DS results in NXD X-Git-Tag: rec-4.1.0-rc1~48^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3ca6d908ea3fd3ab5254f3c64f93a00fe081a5fc;p=thirdparty%2Fpdns.git rec: Go Bogus if the name exists but retrieving the DS results in NXD
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index a4c0fdb63f..f6a959e939 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1350,7 +1350,7 @@ static size_t countSupportedDS(const dsmap_t& dsmap)
 return count;
 }
-vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsigned int depth)
+vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsigned int depth, bool bogusOnNXD)
 {
 vState result = getTA(zone, ds);
@@ -1376,7 +1376,7 @@ vState SyncRes::getDSRecords(const DNSName& zone, dsmap_t& ds, bool taOnly, unsi
 d_skipCNAMECheck = oldSkipCNAME;
 d_requireAuthData = oldRequireAuthData;
- if (rcode == RCode::NoError || rcode == RCode::NXDomain) {
+ if (rcode == RCode::NoError || (rcode == RCode::NXDomain && !bogusOnNXD)) {
 if (state == Secure) {
 for (const auto& record : dsrecords) {
 if (record.d_type == QType::DS) {
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index afc52bf8d1..980650f6d3 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
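Review bot: The new `bogusOnNXD` parameter on the getDSRecords definition carries no explanation, and the matching declaration in the syncres.hh hunk (@@ -753) has none either, so a reader has to locate the rcode condition further down to learn what the flag changes. A one-line comment above the definition would cover both sides, for example `// bogusOnNXD: when set, an NXDomain answer to the DS query is no longer accepted like NoError, because the caller already knows the zone exists and NXDomain is then inconsistent`. The body of getDSRecords continues beyond this hunk.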
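Review bot: With the header defaulting `bogusOnNXD` to `true` (syncres.hh hunk @@ -753), the new condition rejects NXDomain for every existing caller, yet the function itself never checks the "name exists" premise from the commit title; that knowledge lives only with the caller, and no call site is updated in this diff. If any caller asks for the DS of a name that may legitimately not exist, it now leaves the NoError/NXDomain branch and presumably ends in Bogus (that path is outside the hunk), turning a previously resolvable lookup into a validation failure. Failing closed is the safer side against a forged NXDomain downgrade, but the default could be `false` with `true` passed explicitly where the caller has established existence, or at least the condition commented: `// NXDomain for the DS of a name the caller knows exists is inconsistent; only accept it when the caller opted in`. The rest of getDSRecords, including what is returned when this condition is false, lies outside the hunk.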
@@ -753,7 +753,7 @@ private:
 void updateValidationState(vState& state, const vState stateUpdate);
 vState validateRecordsWithSigs(unsigned int depth, const DNSName& qname, const QType& qtype, const DNSName& name, const std::vector& records, const std::vector >& signatures);
 vState validateDNSKeys(const DNSName& zone, const std::vector& dnskeys, const std::vector >& signatures, unsigned int depth);
- vState getDSRecords(const DNSName& zone, dsmap_t& ds, bool onlyTA, unsigned int depth);
+ vState getDSRecords(const DNSName& zone, dsmap_t& ds, bool onlyTA, unsigned int depth, bool bogusOnNXD=true);
 vState getDNSKeys(const DNSName& signer, skeyset_t& keys, unsigned int depth);
 void getDenialValidationState(NegCache::NegCacheEntry& ne, vState& state, const dState expectedState, bool allowOptOut);
 vState getTA(const DNSName& zone, dsmap_t& ds);