From 669004579aa873e34c6acbc61e6d84b6bc57d37b Mon Sep 17 00:00:00 2001 From: Peter van Dijk Date: Wed, 23 Jun 2021 13:00:22 +0200 Subject: [PATCH] auth SVCB additional processing: do not chase chains outside of zone fixes #10521 --- modules/tinydnsbackend/data | 1 + modules/tinydnsbackend/data.cdb | Bin 1355579 -> 1355665 bytes pdns/packethandler.cc | 5 +++++ .../tinydns-data-check/expected_result | 4 ++-- regression-tests/tests/svcb-aliasmode/command | 3 ++- .../tests/svcb-aliasmode/expected_result | 4 ++++ .../svcb-aliasmode/expected_result.dnssec | 5 +++++ regression-tests/zones/example.com | 5 ++++- 8 files changed, 23 insertions(+), 4 deletions(-) diff --git a/modules/tinydnsbackend/data b/modules/tinydnsbackend/data index 2944749db1..f8adb95c3d 100644 --- a/modules/tinydnsbackend/data +++ b/modules/tinydnsbackend/data @@ -20108,6 +20108,7 @@ :bar.svcb.example.com:28:\040\001\015\270\000\000\000\000\000\000\000\000\000\003\000\004:120 :bar.svcb.example.com:64:\000\001\000\000\001\000\003\002h2:120 :bar.svcb.example.com:64:\000\003\000\000\001\000\003\002h3\000\003\000\002\005\334:120 +:baz.svcb.example.com:64:\000\000\004foo1\004svcb\007example\003net\000:120 :dsdelegation.example.com:43:m\341\010\001\312\361\352\256\315\253\347afpx\217\220\042EK\365\375\237\332:120 :escapedtext.example.com:16:\005begin\022the\040\042middle\042\040p\134art\007the\040end:120 :foo.svcb.example.com:64:\000\000\004foo1\004svcb\007example\003com\000:120 
diff --git a/modules/tinydnsbackend/data.cdb b/modules/tinydnsbackend/data.cdb index 022974b84f416bda36d2a55e64c11dce133286f1..5460277209efc0e6299c0e6564158ef252e271ba 100644 GIT binary patch delta 4991 zc-m!G2~-qE8m{Vr8D<#huI?5QyoQKZvdADoG_G;n7%+;$tcgchaWvu?6puudWEjOD zc)+02ULfPG@ggdPASz1Gcq9@9RE&zNXkwxnv#S`5Y<1P_GjEso>V5P5e;xn#Rdsb! zal`7oX|+3!@L&-Dz*))ARmFqPRsJ;(G6|M^!-I5{U*JK8inSiB^W?AcU?)NM4IXSI zi0<%Uqss5|pjgFUJn`Rnu#cdlg~c6z&~bK9#R*_F3D|T3SWnPw6u??_pdiqRYTK}U zYLEc(3Bpb+-t-#l=jtwi6Do#zFj4?#)$#oV@U1$pMF1z&@i788qZS;;;---*+KG~} z0#)o7CxDgezzG6aK(H!Vph~NzG44zes1vEP8Ml1G#+ete!l7NDPFONofu?MRaHT*M z!&L%x!nD>CFC=lh`eU;I3e?KBGliBf1+ZLIvY#om9b#xY!knn8Wc?COvV~2j1yHSy zyTBZB)NzyLU3ZxiB@bBM;TC{h?cjduQT&`KDrsft(jXd7)gkbSx{xmd zIV$H7&D$iFH@8KgNX@rLOqq#scPQhvJsFntLR3gqGWQ@vop8k< zkf%;K4ACud#4kEBwLyc~dWUti{m2y7{=)JJk69i*W#ixrj}t%y z$5f}ZB30-zigfRhBvPgBK#@A+?kG|xP$GN(mD1s|0FK2Q0 zapn-L5y?GaSNDWjQT4sZp7(mDsP-CDSark0Z!>Ia7Qs?=uOBc+QXjE?w%J3HwjL6D{=+2d1nMo( zg_`X$;F-k|gScd6ER|Y6tf;iC&qOREa*% zXr4qB!8C~~MxROGXSJ|QiJtz1r4n^2VL9t($zyTTYF3zgEi1UBP-0uNnF(|5V1-)t zFm5W5>`YN93%JWAx~ILiHLCMoc9|wD2AN%%f(#C+6}OSuTd$qW-f|ses<^}?Q_J0np0W7+Icc{%DF(MXU0SXse6l-$W)0|H~J|V_jm!H ziWQDRxDaQ&CyX$_6nt@{5Tk`#ao~qSAB{d@H4jXQZ}JP3(c^?iTeXzT ziN%7^2y^kQJwzDiwHmMcN;szDKo%ZTE+l)y+4#h9VN)>2?Zmc5VWk%Sj(=?uvVveE zp8rC4>dy^crlk6!0L#d&JQ#d^*xK*g=)vI1+EtHR{J>ycUC}NzPOydS(cs6r$JK{@ zDUbV-#W#D06Mqwk3N)N$1GcqC z4-veH?TUhz@=!nqzAU@Z$@ zl(~*zTG2PlKUA6|AxLZeWyp&DPZX0Z1lg^%IpJeZYk@Vwv8Z#N4p>DY?rsk~_}@Qk z4a_nolKj2qQ`f`5|L23Q=;y|I0qckPS;j^PtnI;f@&XQ6cMs~>^DjQH`X%k0zHbi6 z1Iz5M5;fg`)$O{I0{_(E(%*aC8lZW_>uzU#ltznv*E(e7(DOh1Y0-*++%;W%U-7uD zy`q00V)m_fl!cLEAB}9?SmymI@7OzFXS7lhEQBb_h9JG)pUH^#qC3N`F+MSfJd0zMC(LTWX z&tBVoDip_iNDAG)%$V56>(vy2LrSJ?BBiy=ne|gNDQ(QOlQVWHtS1DDoNP2T(QugJSWYyIZ4#XZNICsU&GsFM1KQYB`%x)qZy|du+bdCsm zmeTxH9raQ%#-dJIYu+#37t0kGE%fxa7CecYd7aE(I(hL6PH~AsP&e!J3)LAz$VA5E zbD0rjqQ(hZ2P%K6?dJTYbNh4n>`=5V4qn5v)}dA{dbFPh6Ca+4?{a|Q7$u_^W$9-Z z6WW-rS)&Lp)UC$>7o+lKg3oTP`{517t(zIH^x!Ex-i2oR8XCwooqV}6E=a*w_n>2b 
zhMFBbnCiNCK41@am7}hjpo3(+X(wJz+CAJCOglF;>aNNOwk^R;mFNRKwBzX0XoN<; zco`37WE-y5D|u&83>=NGoJEs0uo4ga7A5(>WL#X2M)`7mv)KFN_1kEM7uWR*_4*3I z70u{q7dRcy_Z4$Ba0&L|#ctkkBo3FwBpv(?=LL%~f#edr(p%(pTvr#n^rW{$V+X@x zQgZesbIjZOSoH6s#Y7){B5XRv2Lnj!qMG25wR|dtZIHSe&7S|Hfys#Vj41f#aQGD-RQJyh|M674*heJXrg% zH=g6cau2?Lkd3~yP5g+5#W?z~__ijZVLcBvl(Y;qZeSQ+L@>Q*Mo65F@*I_qbN?Di zo^+KD+JtwNi79$GM+rPB_TtL(m}Lu3ijjy5D8eO|M1LI@wh~ue6PqD)>I@vFagL`MB(yG)e;%EPN-u?G5MQ_{-7=4*BQvpzdh% zk-vJdK{-$_wKY6n%P3lpYwO9PFh`knRmwt6ClBhUd8fykA*lEJ$AlA#&o${0cWMdy zs_5M)$y|pOO6pZf!ikNNMgw0e<8Mf9(c9z;s$q)H&U@P#CgY_yr2WA?Cy}Feec;Ba zpPuys*Y{0&y-4K*H*I2g#e=9A+kTf;>ftW@t47ut;2*ffPu}m%9a_QMI48;NHQYOE z@Q(qq){7H8Uwy9y%d!^!Ly0!Yt>~=+9^APeKIrp6A8_Zu>CduoY>3QjV4*TPRPF}P z;*3!Fo=&Vh$b;q;2K#dl_C18t{vy|Kh6gKoaBsxFD~{wSP1ndL=k##-yqHo#f*UTz zxIB2dM6vXeiF~vCw;=MxRy%_npoMjT;&Asj{RbGTw88)Y delta 5207 zc-n1O30M?I+OF<~8HOI|b49=lNL%hZq_17RlC7I27!Qw^@Mlk3`+(aRaM8XIt zmu5yCMKFlRL_{MNIEwKIvJNX61)^iTqL^e8abUHA7gTIg|BQn(|X$4YqCkOEz6 z2|CvEn6aaX$4a=Ys(&l;o0K1=Jg_L0l@o@Zy*yZ_FxgKS1|1^kswPUL9wT||NwTo3 zjt8fe=NgCto^N?@M3MYE!qjk`#AELeC6e4EZfNI$NlCDGsEj>?QPMMlv5bKIp;`g_ zLs`gI06B`y2{;}kk+{3N0E(4(kU*IACANJ4v2%wIOd2L&BB2oiRwQ(cV8Q`*ynvb6 zCka@I*hm4l!Wm7_@D}mA-ysv&=aBs9coKKa7cg_j`vPX_N+#$@5kR%#U#0q23s?bn zmH>__^RF`rSPEMaVU%kTaF3I=2>3Ll77Ik`F9h(h@<2I>+xH51_d6@dbB==o*rC{v z6qtKdz`eGgAWGQk1n{L&kdxT%^F#r+sY(5DMF0iL!q*AYpxY#o{fRJ4y-(tvb`rNg zBG1`9suDm1wTe<25i^X|i@5g=QN&DbJw&XKt+$AkaP%i}Q)nnjV8cbsDD+j4^mdGh z6$pKepkbnjd!IW+#7aa*kvzk65|4gc1m#MhGYQ&bMSL3Ee-jD8_e4;s5KJO|`!eh| z0s9IOOXpZ6VyUA|1YK)HETwI&h?U4)FJk6~A`vU$u!xv>tc@%XTOxu6#a~X8uzxAy z^X@(l%5bNlD-x3c~5F4j8d-~A98+-^$31U(vw+zYIPZ^CE+*~`0L?Bm2h^X6#6lz&)j~ObPFPk6FS>d2&gfJD>QS8%SZcO{C!1 zZ4znC4noYZixld%6WduSnFymQ;;9TMIXp5G);rzr1bl5xPTlkq*^;AC(}srXMaW@HGE@u`UI zC1b|1!7`TIHh{!aLx}AdDuXO#o^TnTdv=se_JTpi3b-c7pm%2j6N*Pwkc+WV~W!zgwri>Z7b7b6FLm?r^ zT4kcpHj<}fzmW0fNLtgWHFs($G-xy!G`!I8Mni*!67xYrhlVd2EE;+=x}o6*JGESo zG&n1hn>mIOV8t=6k1yku!&yshVmPGgxzl>84Ax!Zj#G5oCTMQv2KJ&a6j}E__Jca 
z=al$iJ8Cbo4=kMY>rEdr&0>llM^md{Im5STgqeppAZ#dW8CFFw*P7?c`%|p7+?Rhw zjfLebf1F}!E7Te?y75=_^!crDULZe`rn*B*PkxYw3Wv4*_%j^+^IB*g!6*CB|IULQ zWBFu;%7F>v`BA)~+IMI9$BK=xO2uEySd}QKi{g(`?5hRH{qRZB zm1J*a;SkvQCg0PS9c<%3pQy=YaSJrW9rYJp)==>O6Z&c)gyAf``9Er0LoX@cKc%R!bkrg4>Vq3EtGpQ1dmvJ%~QK3+{69 zc^c{v9C?d32U4HI+9!O6U%;~*4oo?2XvkWp2VH+tv`xi+)^n`jAF`l~!{$NMvnju5 ze>q*nVq0q`{x}u&RzJPahpK^Ldf|*da2%R-YOc9onu5jo=k5mTvE5z(xd6e!(4H-D zS5M)AKy8MWFoE--{tC-S3SL53+dI#;R(k_ukEjEQ+bLj7oBQ{I4;f%A&(+6`@&d+p zEjco;0mg_uk!g!@Cjv$qdxA!J6%CAgCk+`g)CU+Vwq#U?Y5$LpQRJuJ3DE&##=h~p zM|b(Hjc*G5tOYe3+J(_VU;NA8IBV>1Is~ovf#Zj1{%ES$BD3B_DeDBAjO#}JID9-> z{P3bRPv}3)KQC(M{0!vZZAnj~QIQvNhR;2N?7;7IDN~W%bj!SOrS~85cPCXWN90b` zguc~5ga7|$Y??UZ5IX6`f@ux+HXvRr*4`;_qmOQ5@BBfhlTlR*=4D@c+ErC;#Ao$p z?enuN>b`5pPR;ZFjq@v~R-x4&FJJcaXhd~o@jutadOe?)^sm#aqrmh2fpH-||AUHf zbkG01KRX&2ha6fh%P%NkY38lwwiirXN163;THL!n#_HjpW^QJF4}ysw9*jd(Mdd{| zd=IRZQ-uKQUYj`BWE_$4Y2SiBsBU>Qed$%CvTJ_X1nciSjXxDFEeb+gXnNVO(ciy- zzw1Qex@^S1KQ}q$Ta-C)xby{F_Ru&Do)eRW=UOyQJqXOq7o?NmAQ5riVv;PMu{==|xAIA#{ zOIg3Peg^ZrKeFWI4{wH}1q<$bpGU6-&}5!P)Mo@sKpNMb25 z&neh>WApbf6I;K7;8Ybqfrm?lrL1ouy7Ce(9h-j10*CDrYPOknCC6HAsx?f$rF_2$9n=H%inyb+JLz_hMf|RcBuekL=vnb=A%m z<9u`vkUQt|kKP_<^?O%5P9H0Vjqi%%edr%@A(tpt(3Bn4E)g5`6b18EidtW$PqzA^ zIXf&TwKUe zb75YU_&PJ9a0>@)2OdwTQ_;5=VOsH$e$%zso~+pM?f;JW9$@=PF??1nChMr7*5s4o zFearyRqnz`F+yO^Z$tm_?>SQYovc$=yCmMz&_Aw+{w}eVLfoES6=N9s+ubnchWJ#+ zoQI?=>*Alqqf{^)=oZgV)M)tNo)|-iyU+(g`JTG8@#O@U??%|8ptX0SAGTlFNBkBQ zO)$Al+@+<`VfPO4`b%_u73>I<-k_Pm+tf1u-bwoArI{-S zyFN?8r3i+di@qPK_Vso*9ai1%Mo4iC^%krhB`wlYJK@0BC96N(o(Yf7lKY$5tyIaN0{w$LKo_SH2aQO@>A8?X_kmr5-hDbrgXNc`7{*RDzXgNF1$d-m#tt&2Z8>jkb>ycarKu@TPMPOwNt=XMBx zmGX4Vg1oLqddc^66ofPUthXUEBG{SQYbNakxAy5PgL{ik9cG>_W6> z+TOdKz5GAEN=*}C=`8s)%_MYf&5XHn98Hab*W%pX`GTKoE z(6UgrcBh|gwGK;_9|gRzl>;3?wQnDGbpsu7#|EY-Ho_fne3~5TOT7=XvgCY;ev}XW Wx5yS6eVtWol^c1=4Ab|?68*nJrV`2k diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index c1d70bd5a8..5cf2acf42f 100644 --- a/pdns/packethandler.cc 
+++ b/pdns/packethandler.cc @@ -460,6 +460,11 @@ DNSName PacketHandler::doAdditionalServiceProcessing(const DNSName &firstTarget, while (!done && ctr > 0) { DNSZoneRecord rr; done = true; + + if(!ret.isPartOf(d_sd.qname)) { + continue; + } + B.lookup(QType(qtype), ret, d_sd.domain_id); while (B.get(rr)) { rr.dr.d_place = DNSResourceRecord::ADDITIONAL; diff --git a/regression-tests.nobackend/tinydns-data-check/expected_result b/regression-tests.nobackend/tinydns-data-check/expected_result index 2fb50a0f9c..22cb2e036f 100644 --- a/regression-tests.nobackend/tinydns-data-check/expected_result +++ b/regression-tests.nobackend/tinydns-data-check/expected_result @@ -1,4 +1,4 @@ -034a2b6c643ef42a58d19aaed62c6b27 ../regression-tests/zones/example.com +229dad9ea0464a429685d3dda8a8e9ef ../regression-tests/zones/example.com fe49d2784b1bcc3b91ddd5619f0b6cc1 ../regression-tests/zones/test.com f0df67fa656d33fd85098cbe43893395 ../regression-tests/zones/test.dyndns dee3e8b568549d9450134b555ca73990 ../regression-tests/zones/sub.test.dyndns @@ -15,4 +15,4 @@ a98864b315f16bcf49ce577426063c42 ../regression-tests/zones/cdnskey-cds-test.com 9aeed2c26d0c3ba3baf22dfa9568c451 ../regression-tests/zones/2.0.192.in-addr.arpa 99c73e8b5db5781fec1ac3fa6a2662a9 ../regression-tests/zones/cryptokeys.org 1f9e19be0cff67330f3a0a5347654f91 ../regression-tests/zones/hiddencryptokeys.org -8d42198e3c989c38edb715407bc9c4ae ../modules/tinydnsbackend/data.cdb +31595b9c5e078fa22dd1716a34ca1323 ../modules/tinydnsbackend/data.cdb diff --git a/regression-tests/tests/svcb-aliasmode/command b/regression-tests/tests/svcb-aliasmode/command index a1fd95a7b5..4026472b51 100755 --- a/regression-tests/tests/svcb-aliasmode/command +++ b/regression-tests/tests/svcb-aliasmode/command @@ -1,2 +1,3 @@ #!/bin/sh -cleandig foo.svcb.example.com SVCB dnssec \ No newline at end of file +cleandig foo.svcb.example.com SVCB dnssec +cleandig baz.svcb.example.com SVCB dnssec \ No newline at end of file 
diff --git a/regression-tests/tests/svcb-aliasmode/expected_result b/regression-tests/tests/svcb-aliasmode/expected_result index dc76059243..145d33364c 100644 --- a/regression-tests/tests/svcb-aliasmode/expected_result +++ b/regression-tests/tests/svcb-aliasmode/expected_result @@ -4,3 +4,7 @@ 2 foo1.svcb.example.com. IN SVCB 120 1 . alpn=h2,h3 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 Reply to question for qname='foo.svcb.example.com.', qtype=SVCB +0 baz.svcb.example.com. IN SVCB 120 0 foo1.svcb.example.net. +2 . IN OPT 32768 +Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='baz.svcb.example.com.', qtype=SVCB diff --git a/regression-tests/tests/svcb-aliasmode/expected_result.dnssec b/regression-tests/tests/svcb-aliasmode/expected_result.dnssec index 83d814f887..64f1189e0c 100644 --- a/regression-tests/tests/svcb-aliasmode/expected_result.dnssec +++ b/regression-tests/tests/svcb-aliasmode/expected_result.dnssec @@ -7,3 +7,8 @@ 2 foo1.svcb.example.com. IN SVCB 120 1 . alpn=h2,h3 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 Reply to question for qname='foo.svcb.example.com.', qtype=SVCB +0 baz.svcb.example.com. IN RRSIG 120 SVCB 13 4 120 [expiry] [inception] [keytag] example.com. ... +0 baz.svcb.example.com. IN SVCB 120 0 foo1.svcb.example.net. +2 . IN OPT 32768 +Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 +Reply to question for qname='baz.svcb.example.com.', qtype=SVCB diff --git a/regression-tests/zones/example.com b/regression-tests/zones/example.com index c1e82902fb..f2decf231d 100644 --- a/regression-tests/zones/example.com +++ b/regression-tests/zones/example.com 
@@ -20215,8 +20215,11 @@ foo1.svcb IN SVCB 1 . alpn=h2,h3 foo.svcb IN A 192.0.2.1 ; Should not show up in additional foo1.svcb IN A 192.0.2.2 ; Should show up in additional + bar.svcb IN SVCB 1 . alpn=h2 bar.svcb IN SVCB 3 . alpn=h3 port=1500 bar.svcb IN AAAA 2001:db8::3:1 bar.svcb IN AAAA 2001:db8::3:4 -bar.svcb IN A 192.0.2.1 \ No newline at end of file +bar.svcb IN A 192.0.2.1 + +baz.svcb IN SVCB 0 foo1.svcb.example.net. ; AliasMode - should not trigger additional processing, the target is in another zone -- 2.47.2
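Review bot: In the pdns/packethandler.cc hunk (@@ -460,6 +460,11 @@), the new `continue` ends the loop only because `done = true` is assigned just above it. If that assignment is later moved below the check, an out-of-zone target would keep re-entering the loop, and the visible lines do not show `ctr` being decremented before this point. A `break` states the intent directly and does not depend on statement order. A short comment saying that targets outside `d_sd.qname` are not chased because they are outside the zone being served would help the next reader, and `if(` should be `if (` to match the `while (` on the context line. The hunk also does not show what the caller does with the out-of-zone name left in `ret`, so please confirm it is not used for a further additional lookup.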
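Review bot: In the regression-tests/tests/svcb-aliasmode/command hunk, the added line `cleandig baz.svcb.example.com SVCB dnssec` is again followed by "\ No newline at end of file", so the file still ends without a trailing newline and the next test appended here will have to rewrite this line as well. Since the hunk already touches the last line, end the file with a newline.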
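Review bot: In the regression-tests/zones/example.com hunk, the only new record is `baz.svcb IN SVCB 0 foo1.svcb.example.net.`, which covers an out-of-zone target on the first pass through the loop but not a chain that starts in zone and leaves it on a later step, which is the case the subject line describes. Consider adding a record that aliases to an in-zone name whose own AliasMode target is in another zone, with a matching query in svcb-aliasmode/command, so the `isPartOf` check is exercised on a later iteration too. The new last line is also marked "\ No newline at end of file"; a trailing newline would keep future additions from touching it.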