From: Otto Moerbeek
Date: Fri, 5 Jul 2024 07:48:19 +0000 (+0200)
Subject: Disallow irrelevant SOA records in ANSWER section and adapt test_bogus_does_not_repla...
X-Git-Tag: rec-5.2.0-alpha1~181^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a8ea586d53a52d449f8c5c973943e9ba90dd4b38;p=thirdparty%2Fpdns.git
Disallow irrelevant SOA records in ANSWER section and adapt test_bogus_does_not_replace_secure_in_the_cache test to not use them
---
diff --git a/pdns/recursordist/syncres.cc b/pdns/recursordist/syncres.cc
index 1bc9047bcd..3343d84646 100644
--- a/pdns/recursordist/syncres.cc
+++ b/pdns/recursordist/syncres.cc
@@ -4270,8 +4270,7 @@ void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DN
 }
 // Disallow answer records not anwering the QType requested. ANY, CNAME, DNAME, RRSIG complicate matters here
- // Question: is the SOA check OK? See RFC2181 section 7.1
- if (rec->d_place == DNSResourceRecord::ANSWER && (qtype != QType::ANY && rec->d_type != qtype.getCode() && !isRedirection(rec->d_type) && rec->d_type != QType::SOA && rec->d_type != QType::RRSIG)) {
+ if (rec->d_place == DNSResourceRecord::ANSWER && (qtype != QType::ANY && rec->d_type != qtype.getCode() && !isRedirection(rec->d_type) && rec->d_type != QType::RRSIG)) {
 LOG(prefix << qname << ": Removing irrelevant record '" << rec->toString() << "' in the ANSWER section received from " << auth << endl);
 rec = lwr.d_records.erase(rec);
 continue;
diff --git a/pdns/recursordist/test-syncres_cc9.cc b/pdns/recursordist/test-syncres_cc9.cc
index eae64d6d1b..88525c34d2 100644
--- a/pdns/recursordist/test-syncres_cc9.cc
+++ b/pdns/recursordist/test-syncres_cc9.cc
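Review bot: The tightened condition in `SyncRes::sanitizeRecords` (pdns/recursordist/syncres.cc) is left without a rationale, because the removed `// Question: is the SOA check OK?` line was the only place the SOA exemption was discussed. I would extend the surviving comment above the `if` with something like `// SOA is accepted in ANSWER only when it is the queried type (or for ANY); an unsolicited SOA sent by the auth is dropped like any other irrelevant record`, and fix `anwering` to `answering` while that line is being touched. RRSIG remains exempt in the new condition with no check of the type it covers; whether signatures for unrelated types are filtered elsewhere is not visible in this hunk and is worth confirming. The function body starts and ends outside the hunk.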
@@ -992,13 +992,13 @@ BOOST_AUTO_TEST_CASE(test_bogus_does_not_replace_secure_in_the_cache)
 if (domain == DNSName("powerdns.com.") && type == QType::A) {
 addRecordToLW(res, domain, QType::A, "192.0.2.1");
 addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
- addRecordToLW(res, domain, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400");
+ addRecordToLW(res, domain, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY);
 addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
 }
 else if (domain == DNSName("powerdns.com.") && type == QType::AAAA) {
 addRecordToLW(res, domain, QType::AAAA, "2001:db8::1");
 addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
- addRecordToLW(res, domain, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400");
+ addRecordToLW(res, domain, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY);
 /* no RRSIG this time! */
 }
@@ -1011,7 +1011,7 @@ BOOST_AUTO_TEST_CASE(test_bogus_does_not_replace_secure_in_the_cache)
 vector ret;
 int res = sr->beginResolve(DNSName("powerdns.com."), QType(QType::A), QClass::IN, ret);
 BOOST_CHECK_EQUAL(res, RCode::NoError);
- BOOST_REQUIRE_EQUAL(ret.size(), 3U);
+ BOOST_CHECK_EQUAL(ret.size(), 2U);
 const ComboAddress who;
 vector cached;
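Review bot: With both SOA fixtures in the first hunk of test-syncres_cc9.cc moved to `DNSResourceRecord::AUTHORITY`, nothing visible in this patch still feeds an SOA in the ANSWER section for an A or AAAA query, so the stricter filter in `sanitizeRecords` has no regression coverage here. A separate test case that keeps the old fixture line `addRecordToLW(res, domain, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400");` and asserts that no SOA appears in `ret` (and, if the harness exposes it, in the record cache) would pin the new behaviour. The enclosing callback and test case start and end outside the hunk.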
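Review bot: In the second hunk of test-syncres_cc9.cc the size assertion is downgraded from `BOOST_REQUIRE_EQUAL` to `BOOST_CHECK_EQUAL`, so a wrong `ret.size()` no longer stops the test case. The lines after this hunk are not visible; if they index into `ret`, a size mismatch would turn into an out-of-range read instead of a clean failure. Unless the downgrade is deliberate, keep the hard stop with the new count: `BOOST_REQUIRE_EQUAL(ret.size(), 2U);`. The test case continues outside the hunk.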