From: Remi Gacogne
Date: Wed, 28 Nov 2018 16:21:24 +0000 (+0100)
Subject: rec: Fix DNSSEC validation with forward-zone-recurse
X-Git-Tag: rec-4.2.0-alpha1~40^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba40d3d78b3f6542072e0851cd977c64082c566d;p=thirdparty%2Fpdns.git
rec: Fix DNSSEC validation with forward-zone-recurse
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 9cc9a13fab..7950d54bc7 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1137,9 +1137,7 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w
 giveNegative = true;
 cachedState = ne->d_validationState;
 }
- else if (t_sstorage.negcache.get(qname, qtype, d_now, &ne) &&
- !(wasForwardedOrAuthZone && ne->d_auth != authname)) { // Only the authname nameserver can neg cache entries
-
+ else if (t_sstorage.negcache.get(qname, qtype, d_now, &ne)) {
 /* If we are looking for a DS, discard NXD if auth == qname and ask for a specific denial instead */
 if (qtype != QType::DS || ne->d_qtype.getCode() || ne->d_auth != qname ||
@@ -1971,8 +1969,9 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname
 return Bogus;
 }
-RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional ednsmask, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount)
+RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional ednsmask, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery)
 {
+ bool wasForwardRecurse = wasForwarded && rdQuery;
 tcache_t tcache;
 string prefix;
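Review bot: Dropping the `!(wasForwardedOrAuthZone && ne->d_auth != authname)` guard on the negcache lookup means a cached NXDOMAIN/NODATA for qname/qtype is now served no matter which authority recorded it, and neither the commit message nor the new code says why the `d_auth` match is safe to give up for forwarded and auth-zone lookups. The motivation is presumably that a recursing forwarder answers with the SOA of the real zone rather than the forward-zone name, so the entry never matched `authname`; if so, that reasoning should replace the comment that was removed, e.g. `// not restricted to ne->d_auth == authname: forward-zone-recurse answers carry the real zone's SOA`. It is worth confirming that a negative entry recorded through one resolution path cannot now be served for a forward-zone that has a different view of the same name, and whether `wasForwardedOrAuthZone` still has any use in this function. doCacheCheck begins and continues outside the hunk.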
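Review bot: The new `rdQuery` parameter and the derived `wasForwardRecurse` flag carry no documentation, and nothing at this definition says what the combination encodes or how it changes validation. A one-line comment on the new local would save the next reader a trip through the call sites: `// answer came from a forwarder we queried with RD set (forward-zone-recurse); its records are validated as if the answer were authoritative`. The same should appear on the declaration in syncres.hh. The rest of updateCacheFromRecords lies outside the hunk.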
@@ -2143,7 +2142,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 if (shouldValidate() && recordState == Secure) {
 vState initialState = recordState;
- if (isAA) {
+ if (isAA || wasForwardRecurse) {
 if (i->first.place != DNSResourceRecord::ADDITIONAL) {
 /* the additional entries can be insecure,
 like glue:
@@ -2173,7 +2172,7 @@ RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr
 }
 }
- if (initialState == Secure && state != recordState && isAA) {
+ if (initialState == Secure && state != recordState && (isAA || wasForwardRecurse)) {
 updateValidationState(state, recordState);
 }
 }
@@ -2566,7 +2565,7 @@ bool SyncRes::processAnswer(unsigned int depth, LWResult& lwr, const DNSName& qn
 bool needWildcardProof = false;
 unsigned int wildcardLabelsCount;
- *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, wildcardLabelsCount);
+ *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, wildcardLabelsCount, sendRDQuery);
 if (*rcode != RCode::NoError) {
 return true;
 }
diff --git a/pdns/syncres.hh b/pdns/syncres.hh
index cb2a448591..aff5df1196 100644
--- a/pdns/syncres.hh
+++ b/pdns/syncres.hh
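Review bot: The condition `isAA || wasForwardRecurse` is now spelled out twice in updateCacheFromRecords, here and in the `state != recordState && (...)` check of the 2172 hunk, which is the kind of pair that drifts apart on the next edit; compute it once where `wasForwardRecurse` is set, `const bool validateAsAuth = isAA || wasForwardRecurse;`, with a comment on why a non-AA answer from a recursing forwarder is validated like an authoritative one, and use that name in both places. Naming it also makes the trust boundary explicit: a forwarder's answer has no AA bit but can still carry RRSIGs, and before this change such records skipped the validation block entirely while `recordState` was already `Secure` — presumably the bug being fixed, though the code after the block is outside the hunk. The function begins and ends outside the hunk.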
@@ -770,7 +770,7 @@ private:
 bool throttledOrBlocked(const std::string& prefix, const ComboAddress& remoteIP, const DNSName& qname, const QType& qtype, bool pierceDontQuery);
 vector retrieveAddressesForNS(const std::string& prefix, const DNSName& qname, vector::const_iterator& tns, const unsigned int depth, set& beenthere, const vector& rnameservers, NsSet& nameservers, bool& sendRDQuery, bool& pierceDontQuery, bool& flawedNSSet, bool cacheOnly);
- RCode::rcodes_ updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount);
+ RCode::rcodes_ updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery);
 bool processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector& ret, set& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount);
 bool doSpecialNamesResolve(const DNSName &qname, const QType &qtype, const uint16_t qclass, vector &ret);