From: Kees Monshouwer Date: Mon, 19 Nov 2012 10:27:04 +0000 (+0100) Subject: Don't add dnssec info, to any query results, for non validating resolvers. X-Git-Tag: auth-3.3-rc1~56^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=df554502f32671bb64bec267de48ec84da319dc6;p=thirdparty%2Fpdns.git Don't add dnssec info, to any query results, for non validating resolvers. --- diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index 1fabbf49ab..79eb8128fb 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -1035,8 +1035,7 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const st void PacketHandler::completeANYRecords(DNSPacket *p, DNSPacket*r, SOAData& sd, const string &target) { if(!p->d_dnssecOk) - ; // cerr<<"Need to add all the RRSIGs too for '"<qtype.getCode() == QType::ANY && rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way. - continue; //TODO: this actually means addRRSig should check if the RRSig is already there. + if (p->qtype.getCode() == QType::ANY) { + if (rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way. + continue; // TODO: this actually means addRRSig should check if the RRSig is already there. + if (!p->d_dnssecOk && (rr.qtype.getCode() == QType:: DNSKEY || rr.qtype.getCode() == QType::NSEC3PARAM)) + continue; // Don't send dnssec info to non validating resolvers. + } if(rr.qtype.getCode() == QType::DS) rr.auth = 1; diff --git a/regression-tests/any-query/expected_result.dnssec b/regression-tests/any-query/expected_result.dnssec deleted file mode 100644 index 0294db1935..0000000000 --- a/regression-tests/any-query/expected_result.dnssec +++ /dev/null 
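Review bot: The comment on the new `!p->d_dnssecOk` branch says "non validating resolvers", but the flag name suggests it tracks the EDNS DO bit, which only signals that the client accepts DNSSEC records, not that it validates; I would word it as `continue; // DO bit not set: leave DNSKEY and NSEC3PARAM out of the ANY answer`. The filter sits inside the `p->qtype.getCode() == QType::ANY` test, so direct DNSKEY or NSEC3PARAM queries look unaffected at this point, and the comment could say so. The commit also deletes the dnssec, narrow and nsec3 expected results for any-query, and nothing visible adds a case with DO set, so the path where these records must still be returned appears untested. `QType:: DNSKEY` carries a stray space. The hunk header for this part and some of the preceding hunk's text are missing from this page, and the loop these `continue` statements belong to lies outside what is shown.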
@@ -1,16 +0,0 @@
-0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 257 3 8 ...
-0 example.com. IN MX 120 10 smtp-servers.example.com.
-0 example.com. IN MX 120 15 smtp-servers.test.com.
-0 example.com. IN NS 120 ns1.example.com.
-0 example.com. IN NS 120 ns2.example.com.
-0 example.com. IN SOA 100000 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-2 . IN OPT 0
-2 ns1.example.com. IN A 120 192.168.1.1
-2 ns2.example.com. IN A 120 192.168.1.2
-2 smtp-servers.example.com. IN A 120 192.168.0.2
-2 smtp-servers.example.com. IN A 120 192.168.0.3
-2 smtp-servers.example.com. IN A 120 192.168.0.4
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
-Reply to question for qname='example.com.', qtype=ANY
diff --git a/regression-tests/any-query/expected_result.narrow b/regression-tests/any-query/expected_result.narrow
deleted file mode 100644
index 2abf1093f0..0000000000
--- a/regression-tests/any-query/expected_result.narrow
+++ /dev/null
@@ -1,17 +0,0 @@
-0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 257 3 8 ...
-0 example.com. IN MX 120 10 smtp-servers.example.com.
-0 example.com. IN MX 120 15 smtp-servers.test.com.
-0 example.com. IN NS 120 ns1.example.com.
-0 example.com. IN NS 120 ns2.example.com.
-0 example.com. IN NSEC3PARAM 86400 1 0 1 abcd
-0 example.com. IN SOA 100000 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-2 . IN OPT 0
-2 ns1.example.com. IN A 120 192.168.1.1
-2 ns2.example.com. IN A 120 192.168.1.2
-2 smtp-servers.example.com. IN A 120 192.168.0.2
-2 smtp-servers.example.com. IN A 120 192.168.0.3
-2 smtp-servers.example.com. IN A 120 192.168.0.4
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
-Reply to question for qname='example.com.', qtype=ANY
diff --git a/regression-tests/any-query/expected_result.nsec3 b/regression-tests/any-query/expected_result.nsec3
deleted file mode 100644
index 2abf1093f0..0000000000
--- a/regression-tests/any-query/expected_result.nsec3
+++ /dev/null
@@ -1,17 +0,0 @@
-0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 257 3 8 ...
-0 example.com. IN MX 120 10 smtp-servers.example.com.
-0 example.com. IN MX 120 15 smtp-servers.test.com.
-0 example.com. IN NS 120 ns1.example.com.
-0 example.com. IN NS 120 ns2.example.com.
-0 example.com. IN NSEC3PARAM 86400 1 0 1 abcd
-0 example.com. IN SOA 100000 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-2 . IN OPT 0
-2 ns1.example.com. IN A 120 192.168.1.1
-2 ns2.example.com. IN A 120 192.168.1.2
-2 smtp-servers.example.com. IN A 120 192.168.0.2
-2 smtp-servers.example.com. IN A 120 192.168.0.3
-2 smtp-servers.example.com. IN A 120 192.168.0.4
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
-Reply to question for qname='example.com.', qtype=ANY