From: Pieter Lexis
Date: Mon, 22 Jun 2015 11:02:48 +0000 (+0200)
Subject: Check if the recursor is not auth for zone in a RR
X-Git-Tag: dnsdist-1.0.0-alpha1~248^2~77^2~5^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=46743019b2348e2023a970ff0aa4914529802d3c;p=thirdparty%2Fpdns.git

Check if the recursor is not auth for zone in a RR

This patch checks every resource record name in a packet from an authoritative server and determines if we (the recursor) are authoritative for a zone where the qname is part of. If this is the case, we don't allow the use of that record.
Closes #2600
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 65908af370..be0777e9db 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1089,7 +1089,22 @@ int SyncRes::doResolveAt(set nameservers, string auth,
 LOG("NO! - we don't accept 'ANY' data"<domainmap->empty()) {
+ string tmp_qname(i->qname);
+ auto auth_domain_iter=getBestAuthZone(&tmp_qname);
+ if(auth_domain_iter!=t_sstorage->domainmap->end()) {
+ if (auth_domain_iter->first != auth) {
+ LOG("NO! - we are authoritative for the zone "<first<qname, auth)) {
 if(lwr.d_aabit && lwr.d_rcode==RCode::NoError && i->d_place==DNSResourceRecord::ANSWER && ::arg().contains("delegation-only",auth)) {
 LOG("NO! Is from delegation-only zone"<
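Review bot: The new test `auth_domain_iter->first != auth` looks like a byte-wise string inequality, while DNS names compare case-insensitively. If the domain-map key and `auth` can differ only in letter case, records that do come from the matching local zone would be treated as foreign and skipped. Should both operands be plain strings here, a case-insensitive comparison such as `if (!pdns_iequals(auth_domain_iter->first, auth)) {` avoids that. The copy into `tmp_qname` would also benefit from a short comment, for example `// getBestAuthZone() takes a pointer, so pass a copy rather than the record's own name`. Part of this hunk's text is missing on the page and the body of doResolveAt extends beyond it, so the else-branch and the log wording could not be reviewed.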