From: Otto
Date: Tue, 16 Mar 2021 12:22:42 +0000 (+0100)
Subject: Clarify comments
X-Git-Tag: rec-4.5.0-beta1~20^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=afef9a759ef9f934e8d6f5134193a4a980a2a860;p=thirdparty%2Fpdns.git

Clarify comments
---

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 996717f733..2b43c6a5c5 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2970,18 +2970,21 @@ void SyncRes::sanitizeRecords(const std::string& prefix, LWResult& lwr, const DN
 }
 if (rec->d_place == DNSResourceRecord::AUTHORITY && rec->d_type == QType::NS && (isNXDomain || isNXQType)) {
- /* we don't want to pick up NS records in AUTHORITY and their ADDITIONAL sections of NXDomain answers
- because they are somewhat easy to insert into a large, fragmented UDP response
- for an off-path attacker by injecting spoofed UDP fragments.
- */
+ /*
+ * We don't want to pick up NS records in AUTHORITY and their ADDITIONAL sections of NXDomain answers
+ * because they are somewhat easy to insert into a large, fragmented UDP response
+ * for an off-path attacker by injecting spoofed UDP fragments. So do not add these to allowedAdditionals.
+ */
 LOG(prefix<<"Removing NS record '"<d_name<<"|"<d_type)<<"|"<d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section of a "<<(isNXDomain ? "NXD" : "NXQTYPE")<<" response received from "<d_place == DNSResourceRecord::AUTHORITY && rec->d_type == QType::NS && !d_updatingRootNS && rec->d_name == g_rootdnsname) {
- /* we don't want to pick up NS records in AUTHORITY and their ADDITIONALs sections of random queries
- */
+ /*
+ * We don't want to pick up root NS records in AUTHORITY and their associated ADDITIONAL sections of random queries.
+ * So don't add them to allowedAdditionals.
+ */
 LOG(prefix<<"Removing NS record '"<d_name<<"|"<d_type)<<"|"<d_content->getZoneRepresentation()<<"' in the "<<(int)rec->d_place<<" section of a response received from "<