From: Kees Monshouwer
Date: Wed, 13 Dec 2023 21:45:06 +0000 (+0100)
Subject: auth: wildcard CNAME trump other records
X-Git-Tag: auth-4.9.0-alpha1~32^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7d8f14178a650a9e3b81ab5d469c89dc95e32926;p=thirdparty%2Fpdns.git

auth: wildcard CNAME trump other records
---

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 30c9580668..5c4a97e34a 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -384,6 +384,7 @@ bool PacketHandler::getBestWildcard(DNSPacket& p, const DNSName &target, DNSName
 DNSZoneRecord rr;
 DNSName subdomain(target);
 bool haveSomething=false;
+ bool haveCNAME = false;
 
 #ifdef HAVE_LUA_RECORDS
 bool doLua=g_doLuaRecord;
@@ -402,6 +403,9 @@ bool PacketHandler::getBestWildcard(DNSPacket& p, const DNSName &target, DNSName
 B.lookup(QType(QType::ANY), g_wildcarddnsname+subdomain, d_sd.domain_id, &p);
 }
 while(B.get(rr)) {
+ if (haveCNAME) {
+ continue;
+ }
 #ifdef HAVE_LUA_RECORDS
 if (rr.dr.d_type == QType::LUA && !d_dk.isPresigned(d_sd.qname)) {
 if(!doLua) {
@@ -424,6 +428,11 @@ bool PacketHandler::getBestWildcard(DNSPacket& p, const DNSName &target, DNSName
 rr.dr.d_type = rec->d_type; // might be CNAME
 rr.dr.setContent(r);
 rr.scopeMask = p.getRealRemote().getBits(); // this makes sure answer is a specific as your question
+ if (rr.dr.d_type == QType::CNAME) {
+ haveCNAME = true;
+ *ret = {rr};
+ break;
+ }
 ret->push_back(rr);
 }
 }
@@ -437,6 +446,10 @@ bool PacketHandler::getBestWildcard(DNSPacket& p, const DNSName &target, DNSName
 else
 #endif
 if(rr.dr.d_type != QType::ENT && (rr.dr.d_type == p.qtype.getCode() || rr.dr.d_type == QType::CNAME || (p.qtype.getCode() == QType::ANY && rr.dr.d_type != QType::RRSIG))) {
+ if (rr.dr.d_type == QType::CNAME) {
+ haveCNAME = true;
+ ret->clear();
+ }
 ret->push_back(rr);
 }
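Review bot: The `if (haveCNAME) { continue; }` guard at the top of `while(B.get(rr))` in the second hunk, together with `*ret = {rr}` in the third and `ret->clear()` in the fourth, drops every other record the backend returned for the matched wildcard without any diagnostic, so an operator whose zone data carries a wildcard CNAME next to other types sees the answer change with nothing in the log to explain it; a debug-level log line at the first discarded record, naming the owner name and the dropped type, would make the data problem findable. The guard also carries no comment on why the loop keeps calling `B.get(rr)` instead of breaking out; I would add `// RFC 1034 3.6.2: a CNAME may not coexist with other data at the same owner; keep consuming the backend's remaining records but ignore them`. The third and fourth hunks express the same "replace the accumulated answers with the CNAME" step in two different forms (`*ret = {rr}; break;` versus `ret->clear(); ret->push_back(rr);`), and picking one form for both would make the intent easier to follow. The body of the while loop continues past the last hunk, so whatever it does after the type checks, which the new `continue` now skips for the dropped records, is not visible here and should be confirmed.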