From: Remi Gacogne Date: Sun, 1 Aug 2021 21:58:42 +0000 (+0200) Subject: rec: Detect a loop when the denial of the DS comes from the child zone X-Git-Tag: dnsdist-1.7.0-alpha1~58^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3e96dca178cf355324ab34a08b3578e4fc44a31;p=thirdparty%2Fpdns.git rec: Detect a loop when the denial of the DS comes from the child zone
---
diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 86ee77ae5b..d0b0d7d558 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -2840,6 +2840,13 @@ vState SyncRes::validateRecordsWithSigs(unsigned int depth, const DNSName& qname
 state = vState::BogusSelfSignedDS; dsFailed = true; }
+ else if (qtype == QType::DS && signer == qname && !signer.isRoot() && (type == QType::SOA || type == QType::NSEC || type == QType::NSEC3)) {
+ /* if we are trying to validate the DS or more likely NSEC(3)s proving that it does not exist, we have a problem. In that case let's go Bogus (we will check later if we missed a cut)
+ */
+ state = vState::BogusSelfSignedDS;
+ dsFailed = true;
+ }
 else if (qtype == QType::DNSKEY && signer == qname) {
 /* that actually does happen when a server returns NS records in authority along with the DNSKEY, leading us to trying to validate the RRSIGs for