From: Remi Gacogne
Date: Tue, 22 Sep 2020 14:48:11 +0000 (+0200)
Subject: rec: Prevent updating the status of all cached records for a name
X-Git-Tag: auth-4.4.0-alpha2~39^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae33c53e68a32189e0a2fd3df24821d3edce4503;p=thirdparty%2Fpdns.git

rec: Prevent updating the status of all cached records for a name

Before that fix, it was possible to make the recursor update the DNSSEC status of all cached records for a given name using an ANY query. This real issue is that we should retrieve the needed RRSIGs and authority records for all cached records when processing an ANY query, but this fix prevents the cache pollution which is the worst part of the issue.
---

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 8ca13cd752..89df89bd86 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1303,6 +1303,11 @@ DNSName SyncRes::getBestNSNamesFromCache(const DNSName &qname, const QType& qtyp
 
 void SyncRes::updateValidationStatusInCache(const DNSName &qname, const QType& qt, bool aa, vState newState) const
 {
+ if (qt == QType::ANY || qt == QType::ADDR) {
+ // not doing that
+ return;
+ }
+
 if (newState == vState::Bogus) {
 g_recCache->updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, d_routingTag, aa, newState, s_maxbogusttl + d_now.tv_sec);
 }
@@ -1755,7 +1760,9 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w
 if (cachedState == vState::Bogus) {
 capTTL = s_maxbogusttl;
 }
- updateValidationStatusInCache(sqname, sqt, wasCachedAuth, cachedState);
+ if (sqt != QType::ANY && sqt != QType::ADDR) {
+ updateValidationStatusInCache(sqname, sqt, wasCachedAuth, cachedState);
+ }
 }
 }
 
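Review bot: The comment `// not doing that` on the new early return in updateValidationStatusInCache does not say why ANY and ADDR are skipped, and that reason is the security property the guard exists to protect. I would replace it with `// ANY (and presumably ADDR) match more than one cached record type: a state validated for one lookup must not be written to every record set cached for the name`. Because the return is silent, a caller cannot tell that nothing was stored; if that is intended, the function's header comment should say so. The function body continues past the end of the hunk.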
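Review bot: The new `if (sqt != QType::ANY && sqt != QType::ADDR)` in doCacheCheck repeats the test this same commit puts at the top of updateValidationStatusInCache, so the rule now lives in two places that can drift apart if another multi-type query type is later added to only one of them. Either drop the caller-side check and rely on the callee, or keep it and mark it as deliberate, for example `// also enforced in updateValidationStatusInCache(); repeated here so the skip is visible at the call site`. The `capTTL = s_maxbogusttl` cap just above the guard still runs for ANY, which looks intended since only the cache write is being suppressed, but a short comment would confirm it. The enclosing function starts and ends outside the hunk.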