From ae33c53e68a32189e0a2fd3df24821d3edce4503 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Tue, 22 Sep 2020 16:48:11 +0200
Subject: [PATCH] rec: Prevent updating the status of all cached records for a name

Before that fix, it was possible to make the recursor update the DNSSEC status of all cached records for a given name using an ANY query. This real issue is that we should retrieve the needed RRSIGs and authority records for all cached records when processing an ANY query, but this fix prevents the cache pollution which is the worst part of the issue.
---
 pdns/syncres.cc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 8ca13cd752..89df89bd86 100644
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -1303,6 +1303,11 @@ DNSName SyncRes::getBestNSNamesFromCache(const DNSName &qname, const QType& qtyp

 void SyncRes::updateValidationStatusInCache(const DNSName &qname, const QType& qt, bool aa, vState newState) const
 {
+ if (qt == QType::ANY || qt == QType::ADDR) {
+ // not doing that
+ return;
+ }
+
 if (newState == vState::Bogus) {
 g_recCache->updateValidationStatus(d_now.tv_sec, qname, qt, d_cacheRemote, d_routingTag, aa, newState, s_maxbogusttl + d_now.tv_sec);
 }
@@ -1755,7 +1760,9 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const DNSName& authname, bool w
 if (cachedState == vState::Bogus) {
 capTTL = s_maxbogusttl;
 }
- updateValidationStatusInCache(sqname, sqt, wasCachedAuth, cachedState);
+ if (sqt != QType::ANY && sqt != QType::ADDR) {
+ updateValidationStatusInCache(sqname, sqt, wasCachedAuth, cachedState);
+ }
 }
 }

-- 
2.47.2
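Review bot: The comment `// not doing that` on the new early return in updateValidationStatusInCache gives no reason for refusing ANY and ADDR, although this guard is what keeps one query's validation result from being written to every cached record for the name. A comment such as `// ANY/ADDR is not a single RRset: applying newState here would overwrite the DNSSEC state of all cached records for qname` would keep the reason next to the check. The diffstat shows only pdns/syncres.cc changed, so a regression test is missing: one that sends an ANY query and asserts the cached state of the per-type records is untouched. The function's body continues past the end of the hunk, so any later branch is not visible here.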
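Review bot: The `sqt != QType::ANY && sqt != QType::ADDR` test added around the call in doCacheCheck repeats the guard this same patch puts at the top of updateValidationStatusInCache, so the two conditions can drift apart on a later edit. Since the callee already returns early for those types, the call site could stay as `updateValidationStatusInCache(sqname, sqt, wasCachedAuth, cachedState);`, or both places could share one small predicate. The commit message says the state computed for an ANY hit may still rest on incomplete RRSIGs and authority records, so a `// TODO: fetch RRSIGs/authority records for all cached types on ANY` at this spot would record what remains open. doCacheCheck starts and ends outside the hunk, so the enclosing conditions are not visible here.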