AXFR-in can handle secure and insecure NSEC3 optout delegations
authorKees Monshouwer <mind04@monshouwer.org>
Wed, 3 Jul 2013 22:32:51 +0000 (00:32 +0200)
committerPeter van Dijk <peter.van.dijk@netherlabs.nl>
Thu, 4 Jul 2013 18:29:08 +0000 (20:29 +0200)
pdns/slavecommunicator.cc

index 58aebbc6b6370ebec593ba67c27cd899dc26e37a..9d9433411df5b12a839d656d281475b63710a7b3 100644 (file)
@@ -155,6 +155,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
     bool gotOptOutFlag = false;
     unsigned int soa_serial = 0;
     vector<DNSResourceRecord> rrs;
+    set<string> secured;
     while(retriever.getChunk(recs)) {
       if(first) {
         L<<Logger::Error<<"AXFR started for '"<<domain<<"'"<<endl;
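Review bot: The added `set<string> secured;` says nothing about what it holds, and the name alone does not convey that it is keyed by NSEC3 owner label rather than by the delegation's own name. A one-line comment at the declaration would help, e.g. `// lowercased NSEC3 owner labels (relative to the zone) whose type bitmap lists NS, i.e. delegations that are not opted out`. The set is later looked up by hashed ordername further down suck(), outside this hunk; the function itself starts before and continues past the hunk.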
@@ -177,7 +178,10 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
           continue;
         } else if (i->qtype.getCode() == QType::NSEC3) {
           dnssecZone = gotPresigned = true;
-          gotOptOutFlag = NSEC3RecordContent(i->content).d_flags & 1;
+          NSEC3RecordContent ns3rc(i->content);
+          gotOptOutFlag = ns3rc.d_flags & 1;
+          if (ns3rc.d_set.count(QType::NS) && !pdns_iequals(i->qname, domain))
+            secured.insert(toLower(makeRelative(i->qname, domain)));
           continue;
         } else if (i->qtype.getCode() == QType::NSEC) {
           dnssecZone = gotPresigned = true;
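Review bot: The new `secured.insert(toLower(makeRelative(i->qname, domain)))` stores the NSEC3 owner relative to the zone, and the later lookup compares it against a base32hex hash computed from the NS owner name, so a match silently depends on the NSEC3 owner being exactly one label (the hash) below the apex; an NSEC3 record with any other owner shape would never match and its delegation would be treated as opted out. A short comment at the insert would make that contract explicit, e.g. `// owner label of an NSEC3 that lists NS: this delegation is not opted out`. `d_set` is presumably the type bitmap — worth confirming that `count(QType::NS)` is the right test for a delegation point. `gotOptOutFlag` is still overwritten by every NSEC3 RR, so only the last record's flag survives; presumably acceptable now that `secured` tracks non-opt-out delegations individually, but a comment saying so would save the next reader the question. The enclosing loop begins and ends outside the hunk.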
@@ -210,6 +214,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
       }
     }
 
+
     BOOST_FOREACH(const DNSResourceRecord& rr, rrs) {
       if(rr.qtype.getCode() == QType::NS && !pdns_iequals(rr.qname, domain))
         nsset.insert(rr.qname);
@@ -276,8 +281,8 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
       if (dnssecZone && rr.qtype.getCode() != QType::RRSIG) {
         if (haveNSEC3) {
           // NSEC3
-          if(!narrow && (rr.auth || (rr.qtype.getCode() == QType::NS && !gotOptOutFlag))) {
-            ordername=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
+          ordername=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
+          if(!narrow && (rr.auth || (rr.qtype.getCode() == QType::NS && (!gotOptOutFlag || secured.count(ordername))))) {
             di.backend->feedRecord(rr, &ordername);
           } else
             di.backend->feedRecord(rr);
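Review bot: Moving the `ordername=` assignment out of the `!narrow` guard means hashQNameWithSalt now runs for every non-RRSIG record even when `narrow` is set and the result is discarded; with a high NSEC3 iteration count that is noticeable CPU on a large AXFR. The hash only needs to exist when it can be fed to the backend, so keep it inside a `!narrow` branch and decide the opt-out case there. The `else` that feeds without an ordername must be kept for both the narrow case and the non-auth/opted-out case. The enclosing BOOST_FOREACH and suck() continue outside the hunk.
```cpp
          // NSEC3
          if(!narrow) {
            ordername=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
            if(rr.auth || (rr.qtype.getCode() == QType::NS && (!gotOptOutFlag || secured.count(ordername))))
              di.backend->feedRecord(rr, &ordername);
            else
              di.backend->feedRecord(rr);
          } else
            di.backend->feedRecord(rr);
          // … unchanged: NSEC branch and remainder of the loop …
```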