From d3e7b177b95e613fef1fe2a31584c1e914991b26 Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Thu, 4 Jul 2013 00:32:51 +0200
Subject: [PATCH] AXFR-in can handle secure and insecure NSEC3 optout delegations

---
 pdns/slavecommunicator.cc | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index 58aebbc6b6..9d9433411d 100644
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -155,6 +155,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
   bool gotOptOutFlag = false;
   unsigned int soa_serial = 0;
   vector rrs;
+  set secured;
   while(retriever.getChunk(recs)) {
     if(first) {
       L<qtype.getCode() == QType::NSEC3) {
         dnssecZone = gotPresigned = true;
-        gotOptOutFlag = NSEC3RecordContent(i->content).d_flags & 1;
+        NSEC3RecordContent ns3rc(i->content);
+        gotOptOutFlag = ns3rc.d_flags & 1;
+        if (ns3rc.d_set.count(QType::NS) && !pdns_iequals(i->qname, domain))
+          secured.insert(toLower(makeRelative(i->qname, domain)));
         continue;
       } else if (i->qtype.getCode() == QType::NSEC) {
         dnssecZone = gotPresigned = true;
@@ -210,6 +214,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
     }
   }
 
+
   BOOST_FOREACH(const DNSResourceRecord& rr, rrs) {
     if(rr.qtype.getCode() == QType::NS && !pdns_iequals(rr.qname, domain))
       nsset.insert(rr.qname);
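Review bot: The apex guard `!pdns_iequals(i->qname, domain)` in the new NSEC3 branch cannot take effect, because `i->qname` here is the NSEC3 owner name, which for a well-formed record is a hashed label under `domain` and therefore never equals it; the apex NSEC3, whose type map carries NS, ends up in `secured` as well. This appears harmless only because the later lookup accepts authoritative records through `rr.auth` before it consults `secured`, so either drop the comparison or document the intent with `// NSEC3 owners are <hash>.<zone>, so this never matches the apex; the apex hash in 'secured' is harmless (apex NS is fed via rr.auth)`. The set is also only meaningful when the `ns3pr` iterations and salt used for the later `hashQNameWithSalt` match the chain that was transferred; where `ns3pr` is filled is not visible in this hunk, so a one-line comment stating that assumption at `set secured;` would help the next reader. The `@@` header of this hunk did not survive rendering, and the enclosing `suck()` body starts outside it.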
@@ -276,8 +281,8 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
       if (dnssecZone && rr.qtype.getCode() != QType::RRSIG) {
         if (haveNSEC3) { // NSEC3
-          if(!narrow && (rr.auth || (rr.qtype.getCode() == QType::NS && !gotOptOutFlag))) {
-            ordername=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
+          ordername=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
+          if(!narrow && (rr.auth || (rr.qtype.getCode() == QType::NS && (!gotOptOutFlag || secured.count(ordername))))) {
             di.backend->feedRecord(rr, &ordername);
           } else di.backend->feedRecord(rr);
-- 
2.47.3
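Review bot: `ordername` is now hashed for every non-RRSIG record that reaches the NSEC3 branch, including in narrow mode, where the following condition short-circuits on `!narrow` and the value is never read; the old code computed the hash only for records that were actually fed with an ordername. Guarding the assignment, `if(!narrow) ordername=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));`, preserves the new behaviour because `secured.count(ordername)` is still only evaluated when `!narrow` holds. Hashing with `ns3pr.d_iterations` rounds per record during a large AXFR is not free, so this matters for narrow zones with many records. The enclosing BOOST_FOREACH loop and `suck()` continue outside the hunk.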