From: Remi Gacogne
Date: Tue, 23 Aug 2016 09:06:51 +0000 (+0200)
Subject: rec: Fix delegation-only
X-Git-Tag: rec-4.0.2~8^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ea28e46c7c9db7d1db0a2cd13eb04f33cb6a2d6;p=thirdparty%2Fpdns.git
rec: Fix delegation-only
* use a unordered_set instead of a `SuffixMatchNode`
* allow RRSIG and DNSKEY from delegation-only servers
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 529cd7dce7..50f3e970c0 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -2468,13 +2468,13 @@ void parseEDNSSubnetWhitelist(const std::string& wlist)
 }
 }
-SuffixMatchNode g_delegationOnly;
+std::unordered_set g_delegationOnly;
 static void setupDelegationOnly()
 {
 vector parts;
 stringtok(parts, ::arg()["delegation-only"], ", \t");
 for(const auto& p : parts) {
- g_delegationOnly.add(DNSName(p));
+ g_delegationOnly.insert(DNSName(p));
 }
 }
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index aa6e64c8ab..d9d1ceacfb 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1197,14 +1197,14 @@ int SyncRes::doResolveAt(NsSet &nameservers, DNSName auth, bool flawedNSSet, con
 }
 if(rec.d_name.isPartOf(auth)) {
- if(lwr.d_aabit && lwr.d_rcode==RCode::NoError && rec.d_place==DNSResourceRecord::ANSWER && g_delegationOnly.check(auth)) {
+ if(rec.d_type == QType::RRSIG) {
+ LOG("RRSIG - separate"<domainmap->empty()) {
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index 182666a185..4eebc719ad 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
@@ -7,6 +7,7 @@
 #include "qtype.hh"
 #include
 #include
+#include
 #include
 #include
 #include
@@ -662,7 +663,7 @@ string doTraceRegex(vector::const_iterator begin, vector::const_
 void parseACLs();
 extern RecursorStats g_stats;
 extern unsigned int g_numThreads;
-extern SuffixMatchNode g_delegationOnly;
+extern std::unordered_set g_delegationOnly;
 extern uint16_t g_outgoingEDNSBufsize;
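Review bot: Replacing `SuffixMatchNode` with a hash set at `g_delegationOnly` presumably turns the `delegation-only` entries from suffix matches into exact keys, and neither the declaration nor `setupDelegationOnly()` says so. A line such as `// exact zone names from the delegation-only setting; matched against the auth zone itself, never as a suffix` above the declaration would record that contract for operators and for the `extern` in syncres.hh. The call that replaces `g_delegationOnly.check(auth)` in syncres.cc is cut off in this rendering, so it is worth confirming there that the lookup key is `auth` and that only the record types named in the commit message are exempted. `setupDelegationOnly()` inserts into the global without any locking, which is fine only if it runs before the resolver threads start; that is not visible in the hunk.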