From: bert hubert Date: Sun, 14 Jan 2018 19:17:48 +0000 (+0100) Subject: dnsdist had problems with large AXFR as it checked first record of second envelope... X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F6316%2Fhead;p=thirdparty%2Fpdns.git dnsdist had problems with large AXFR as it checked first record of second envelope against the original qname. With this commit, the check against spoofing is only performed against the first message, and not against subsequent ones. Thanks to Janne for help debugging this issue. (cherry picked from commit 5af7506d106b85773d0b157e025fe5ac31d983b6)
---
diff --git a/pdns/dnsdist-tcp.cc b/pdns/dnsdist-tcp.cc
index 6deae5f1a4..89a69163e2 100644
--- a/pdns/dnsdist-tcp.cc
+++ b/pdns/dnsdist-tcp.cc
@@ -496,7 +496,7 @@ void* tcpClientThread(int pipefd)
 sendSizeAndMsgWithTimeout(dsock, dq.len, query, ds->tcpSendTimeout, &ds->remote, &ds->sourceAddr, ds->sourceItf, 0, socketFlags);
 }
 catch(const runtime_error& e) {
- vinfolog("Downstream connection to %s died on us, getting a new one!", ds->getName());
+ vinfolog("Downstream connection to %s died on us (%s), getting a new one!", ds->getName(), e.what());
 close(dsock);
 dsock=-1;
 sockets.erase(ds->remote);
@@ -514,7 +514,7 @@ void* tcpClientThread(int pipefd)
 if (isXFR) {
 dq.skipCache = true;
 }
-
+ bool firstPacket=true;
 getpacket:;
 if(!getNonBlockingMsgLen(dsock, &rlen, ds->tcpRecvTimeout)) {
@@ -556,10 +556,10 @@ void* tcpClientThread(int pipefd)
 break;
 }
- if (!responseContentMatches(response, responseLen, qname, qtype, qclass, ds->remote)) {
+ if (firstPacket && !responseContentMatches(response, responseLen, qname, qtype, qclass, ds->remote)) {
 break;
 }
-
+ firstPacket=false;
 if (!fixUpResponse(&response, &responseLen, &responseSize, qname, origFlags, ednsAdded, ecsAdded, rewrittenResponse, addRoom)) {
 break;
 }
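Review bot: `firstPacket` is declared directly above the `getpacket:` label with no comment, yet the spoofing check added further down depends on that exact placement, because a jump to the label must not re-run the initializer. A comment such as `// true until the first response message of this query has been checked; declared above getpacket so re-entry does not reset it` would stop a later refactor from moving the declaration below the label and changing when the check runs. The jump back to the label is outside the hunk, so this reading is inferred from the label and the commit message.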
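Review bot: Every message after the first now reaches `fixUpResponse` with no content check at all, and the skip is keyed on `firstPacket` alone rather than on the zone-transfer case the commit message describes. Tying it to the flag already in scope, `if ((firstPacket || !isXFR) && !responseContentMatches(response, responseLen, qname, qtype, qclass, ds->remote)) {`, would keep the anti-spoofing check in force for any non-transfer path that re-enters at `getpacket`. If `responseContentMatches` also does basic sanity checks on the message (not visible here), later envelopes bypass those too, so a reduced check for them is worth considering. The enclosing function starts and ends outside the hunk.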