From: Bert Hubert
Date: Sun, 1 Jul 2012 11:44:26 +0000 (+0000)
Subject: If we receive a question with an EDNS section in auth, always answer with an EDNS...
X-Git-Tag: auth-3.2-rc1~213
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f20d53711433013f409ef6685723bdaab1958349;p=thirdparty%2Fpdns.git
If we receive a question with an EDNS section in auth, always answer with an EDNS section too. Some versions of BIND intepreted our lack of EDNS section on non-DO=1 answers as an indication we did not do DNSSEC, with ensuing pain. Spotted by the ever-vigilant Jimmy Bergman.
git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2649 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---
diff --git a/pdns/dnspacket.cc b/pdns/dnspacket.cc
index 93a2952fc8..d58df1af2f 100644
--- a/pdns/dnspacket.cc
+++ b/pdns/dnspacket.cc
@@ -92,6 +92,7 @@ DNSPacket::DNSPacket(const DNSPacket &orig)
 d_eso = orig.d_eso;
 d_haveednssubnet = orig.d_haveednssubnet;
+ d_haveednssection = orig.d_haveednssection;
 d_dnssecOk = orig.d_dnssecOk;
 d_rrs=orig.d_rrs;
@@ -281,7 +282,7 @@ void DNSPacket::wrapup()
 }
- if(!d_rrs.empty() || !opts.empty() || d_haveednssubnet) {
+ if(!d_rrs.empty() || !opts.empty() || d_haveednssubnet || d_haveednssection) {
 try {
 uint8_t maxScopeMask=0;
 for(pos=d_rrs.begin(); pos < d_rrs.end(); ++pos) {
@@ -318,7 +319,7 @@ void DNSPacket::wrapup()
 opts.push_back(make_pair(::arg().asNum("edns-subnet-option-number"), opt));
 }
- if(!opts.empty() || d_dnssecOk)
+ if(!opts.empty() || d_haveednssection || d_dnssecOk)
 pw.addOpt(2800, 0, d_dnssecOk ? EDNSOpts::DNSSECOK : 0, opts);
 if(!pw.getHeader()->tc) // protect against double commit from addSignature
@@ -376,6 +377,7 @@ DNSPacket *DNSPacket::replyPacket() const
 r->d_dnssecOk = d_dnssecOk;
 r->d_eso = d_eso;
 r->d_haveednssubnet = d_haveednssubnet;
+ r->d_haveednssection = d_haveednssection;
 if(!d_tsigkeyname.empty()) {
 r->d_tsigkeyname = d_tsigkeyname;
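Review bot: `d_haveednssection` is copied from `orig` here and later read in wrapup(), but the only place the visible diff assigns it a definite value is the parsing hunk at -477. If the default constructor does not already set it (that constructor is not part of the diff as shown), a packet built locally and never parsed would reach wrapup() with an indeterminate bool deciding whether an OPT record is emitted. Setting `d_haveednssection = false;` alongside the other EDNS flags in every constructor that does not copy from another packet would rule that out. The copy constructor's body begins and ends outside this hunk.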
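Review bot: With `d_haveednssection` added to this condition, `pw.addOpt(2800, 0, ...)` now runs for every reply to an EDNS query, so the bare `2800` is advertised on far more responses and should carry a name and a comment. The parsing hunk at -477 caps the client's announced size at a different literal, 1680, and nothing visible explains why the two limits differ; something like `static const uint16_t advertisedUdpSize = 2800;` with a one-line rationale would make both auditable. The OPT record also adds bytes to replies that previously carried none, and whether the `d_maxreplylen` truncation check counts them is not visible in this hunk, so that is worth confirming. wrapup() continues outside the hunk.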
@@ -477,9 +479,11 @@ try d_ednsping.clear(); d_havetsig = mdp.getTSIGPos(); d_haveednssubnet = false; + d_haveednssection = false; if(getEDNSOpts(mdp, &edo)) { + d_haveednssection=true; d_maxreplylen=std::min(edo.d_packetsize, (uint16_t)1680); // cerr<