From: Klaus Darilion Date: Fri, 12 Oct 2018 19:51:10 +0000 (+0000) Subject: reject NXDOMAIN response during SOA-check X-Git-Tag: auth-4.2.0-alpha1~33^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d247207cef14bcf97efe4ad9980eb61371448cb;p=thirdparty%2Fpdns.git reject NXDOMAIN response during SOA-check Without this patch PowerDNS even parses NXDOMAIN responses and falsely uses wrong SOA records, i.e. the SOA record of a parent zone in authority section when answering with NXDOMAIN.
---
diff --git a/pdns/resolver.cc b/pdns/resolver.cc
index d01baa690e..2d274bff7f 100644
--- a/pdns/resolver.cc
+++ b/pdns/resolver.cc
@@ -271,6 +271,9 @@ bool Resolver::tryGetSOASerial(DNSName *domain, ComboAddress* remote, uint32_t *
 if(mdp.d_qtype != QType::SOA)
 throw ResolverException("Query to '" + remote->toStringWithPort() + "' for SOA of '" + domain->toLogString() + "' returned wrong record type");
 
+ if(mdp.d_header.rcode != 0)
+ throw ResolverException("Query to '" + remote->toStringWithPort() + "' for SOA of '" + domain->toLogString() + "' returned Rcode " + RCode::to_s(mdp.d_header.rcode));
+
 *theirInception = *theirExpire = 0;
 bool gotSOA=false;
 for(const MOADNSParser::answers_t::value_type& drc : mdp.d_answers) {
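Review bot: The added rcode check rejects NXDOMAIN, but a NOERROR/NODATA reply can also carry the enclosing zone's SOA in its authority section, and the loop that follows walks `mdp.d_answers` with no section or owner-name filter visible here. The loop body lies outside this hunk, so this may already be handled there; if `d_answers` holds records from every section and no such filter exists, a parent-zone SOA could still be accepted as the serial for `*domain`. In that case the SOA match should also require the answer section and the queried owner name, e.g. `drc.first.d_place == DNSResourceRecord::ANSWER && drc.first.d_name == *domain`. As a smaller point, `if(mdp.d_header.rcode != RCode::NoError)` states the intent more clearly than the literal `0`.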