From: Remi Gacogne
Date: Fri, 5 Mar 2021 22:35:09 +0000 (+0100)
Subject: rec: DNAME redirects DNS names subordinate to its owner name
X-Git-Tag: rec-4.5.0-beta1~4^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d7eb8c9a4037dd1c8280716167a284a4d4d85735;p=thirdparty%2Fpdns.git
rec: DNAME redirects DNS names subordinate to its owner name
---
diff --git a/pdns/validate.cc b/pdns/validate.cc
index bf37dbe9fe..3e91cf5ea5 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -308,7 +308,7 @@ static bool provesNoWildCard(const DNSName& qname, const uint16_t qtype, const D
 const DNSName owner = getNSECOwnerName(v.first.first, v.second.signatures);
 LOG("Comparing owner: "<isSet(QType::DNAME)) {
+ if (qname != owner && qname.isPartOf(owner) && nsec->isSet(QType::DNAME)) {
 /* rfc6672 section 5.3.2: DNAME Bit in NSEC Type Map In any negative response, the NSEC or NSEC3 [RFC5155] record type
diff --git a/pdns/validate.hh b/pdns/validate.hh
index daafe962c5..ec11f0b27b 100644
--- a/pdns/validate.hh
+++ b/pdns/validate.hh
@@ -110,9 +110,5 @@ template bool isTypeDenied(const NSEC& nsec, const QType& type)
 return false;
 }
- if (nsec->isSet(QType::DNAME)) {
- return false;
- }
-
 return true;
 }
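Review bot: With the DNAME test dropped from isTypeDenied() in validate.hh, the `qname != owner && qname.isPartOf(owner) && nsec->isSet(QType::DNAME)` condition in provesNoWildCard() is the only place in this diff that still rejects a denial proof whose NSEC carries the DNAME bit, so any other caller that relied on isTypeDenied() for that rejection now needs its own strictly-subordinate check; those callers (the NSEC3 paths included) are not visible here and should be confirmed. The new `qname != owner` clause is not explained next to the RFC 6672 quote; I would add `/* a DNAME redirects only names below its owner, so qname == owner must not be treated as redirected */` above the `if`. A regression test covering both cases (a name equal to a DNAME owner can still be denied, a name below it cannot) would pin the validator's behaviour; none is shown in this diff. provesNoWildCard()'s body continues outside the hunk.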