From: Remi Gacogne
Date: Tue, 2 Feb 2021 15:05:05 +0000 (+0100)
Subject: rec: Fix invalid DS denial for a NXDomain name
X-Git-Tag: dnsdist-1.6.0-alpha2~12^2~16
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fdc58f0cb7cb13012b17069e3193e6402dc959e5;p=thirdparty%2Fpdns.git
rec: Fix invalid DS denial for a NXDomain name
---
diff --git a/pdns/recursordist/test-aggressive_nsec_cc.cc b/pdns/recursordist/test-aggressive_nsec_cc.cc
index 31531a41db..0503e73d62 100644
--- a/pdns/recursordist/test-aggressive_nsec_cc.cc
+++ b/pdns/recursordist/test-aggressive_nsec_cc.cc
@@ -406,7 +406,20 @@ BOOST_AUTO_TEST_CASE(test_aggressive_nsec3_nxdomain)
 if (type == QType::DS || type == QType::DNSKEY) {
 if (domain != DNSName("powerdns.com.") && domain.isPartOf(DNSName("powerdns.com."))) {
 /* no cut, NSEC3 */
- return genericDSAndDNSKEYHandler(res, domain, domain, type, keys, false, boost::none, true);
+ setLWResult(res, RCode::NXDomain, true, false, true);
+ addRecordToLW(res, DNSName("powerdns.com."), QType::SOA, "powerdns.com. powerdns.com. 2017032301 10800 3600 604800 3600", DNSResourceRecord::AUTHORITY, 3600);
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+ /* no record for this name */
+ /* first the closest encloser */
+ addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), DNSName("powerdns.com."), "whatever", {QType::A, QType::TXT, QType::RRSIG}, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+ /* then the next closer */
+ addNSEC3UnhashedRecordToLW(DNSName("a.powerdns.com."), DNSName("powerdns.com."), "v", {QType::RRSIG}, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300);
+ /* no wildcard */
+ addNSEC3NarrowRecordToLW(DNSName("*.powerdns.com."), DNSName("powerdns.com."), {QType::AAAA, QType::RRSIG}, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300);
+ return LWResult::Result::Success;
 }
 else if (domain == DNSName("com.")) {
 /* no cut */
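Review bot: The NSEC3 denial added in the DS/DNSKEY branch is built for one name only (next closer `a.powerdns.com.`), while the enclosing condition matches every name below `powerdns.com.`. If this test case ever asks for a name that is not at or below `a.powerdns.com.`, the mock would presumably hand back a proof that does not cover it, which is the same kind of mismatch this commit corrects. A comment above `setLWResult` such as `/* NXDomain proof below is only valid for names at or under a.powerdns.com. */` would record that assumption. The existing `/* no cut, NSEC3 */` comment could also say that the name does not exist. Separately, the last `addRRSIG` call passes `DNSName("powerdns.com")` without the trailing dot, unlike the three calls before it; `DNSName("powerdns.com.")` would keep the signer name consistent, although the two spellings are likely equivalent. The test case body starts and ends outside the hunk.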