From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Wed, 2 Sep 2020 12:03:44 +0000 (+0200)
Subject: When deciding if we are auth in the local auth or forwarding case,
X-Git-Tag: rec-4.5.0-alpha0~17^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68f6b16cb2709d5cc9ca53823def2781cc2f1f06;p=thirdparty%2Fpdns.git

When deciding if we are auth in the local auth or forwarding case,
for DS records we need to look at the parent of the particular name.

Seems to fix #9433
---

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index efa6343b2c..df689a6f69 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2942,6 +2942,10 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
         if (!t_sstorage.domainmap->empty()) {
           // Check if we are authoritative for a zone in this answer
           DNSName tmp_qname(rec.d_name);
+          // We may be auth for domain example.com, but the DS record needs to come from the parent (.com) nameserver
+          if (rec.d_type == QType::DS) {
+            tmp_qname.chopOff();
+          }
           auto auth_domain_iter=getBestAuthZone(&tmp_qname);
           if(auth_domain_iter!=t_sstorage.domainmap->end() &&
              auth.countLabels() <= auth_domain_iter->first.countLabels()) {