From: Pieter Lexis
Date: Mon, 29 Aug 2016 09:05:17 +0000 (+0200)
Subject: Make the negcache forwarded zones aware
X-Git-Tag: dnsdist-1.1.0-beta2~79^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64a8b6a1c1e1f165c8eb716f399e4da6d71156e7;p=thirdparty%2Fpdns.git

Make the negcache forwarded zones aware

Because of DNSSEC (without NTAs configured), we 'leak' the forwarded name to the cache when looking for the DNSKEY. This resulted in NXDOMAIN answers for actual NXDOMAINs, but with the root SOA record. Leading to inconsistent answers to the client.
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 2894f1701d..7ad3503ab2 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -758,9 +758,13 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector range;
 QType qtnull(0);
+ DNSName authname(qname);
+ bool wasForwardedOrAuth = (getBestAuthZone(&authname) != t_sstorage->domainmap->end());
+
 if(s_rootNXTrust && (range.first=t_sstorage->negcache.find(tie(getLastLabel(qname), qtnull))) != t_sstorage->negcache.end() &&
- range.first->d_qname.isRoot() && (uint32_t)d_now.tv_sec < range.first->d_ttd ) {
+ !(wasForwardedOrAuth && !authname.isRoot()) && // when forwarding, the root may only neg-cache if it was forwarded to.
+ range.first->d_qname.isRoot() && (uint32_t)d_now.tv_sec < range.first->d_ttd) {
 sttl=range.first->d_ttd - d_now.tv_sec;
 LOG(prefix<d_name<<"' & '"<d_qname<<"' for another "<d_qtype.getCode() == 0 || ni->d_qtype == qtype) {
+ if(!(wasForwardedOrAuth && ni->d_qname != authname) && // Only the authname nameserver can neg cache entries
+ (ni->d_qtype.getCode() == 0 || ni->d_qtype == qtype)) {
 res=0;
 if((uint32_t)d_now.tv_sec < ni->d_ttd) {
 sttl=ni->d_ttd - d_now.tv_sec;
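Review bot: In the second hunk (its `@@` header and the tail of the first hunk are lost to markup stripping in this view), the added guard `!(wasForwardedOrAuth && ni->d_qname != authname)` only honours negative-cache entries whose asserting zone is exactly the forward/auth zone, so if `d_qname` holds the SOA owner of the negative answer — as the `d_qname.isRoot()` test in the first hunk suggests — an NXDOMAIN asserted by a zone below the forwarded one (or by anything but the root when the forward zone is `.`) is never served from the negative cache and is re-forwarded on every query. If that reading is right, `!(wasForwardedOrAuth && !ni->d_qname.isPartOf(authname)) &&` keeps the fix (root-asserted entries stay rejected for forwarded names) without discarding entries asserted from inside the forwarded zone. Both new conditions would also read more easily without the negated conjunction, as `(!wasForwardedOrAuth || authname.isRoot()) &&` in the first hunk and `(!wasForwardedOrAuth || ni->d_qname == authname) &&` in the second. doCacheCheck starts before and continues after the visible lines.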