granicus.if.org Git - pdns/commit
rec: Store additional records as non-auth, even on AA=1 answers
author Remi Gacogne <remi.gacogne@powerdns.com>
Mon, 27 Nov 2017 10:21:21 +0000 (11:21 +0100)
committer Remi Gacogne <remi.gacogne@powerdns.com>
Mon, 27 Nov 2017 10:21:21 +0000 (11:21 +0100)
commit 405a26bd69cdc8e64e5ef11ba5e0a1bb0a04a459
tree 0374aebd95b1e9d6f9163848517e5ef459578ebc
parent 43fd645d76a7c557fcc0a39a2e5f4f1f4c59ccc8
rec: Store additional records as non-auth, even on AA=1 answers

We used to store additional records in AA=1 answers as auth. In addition
to being wrong, it also broke DNSSEC validation if the record was stored
as Indeterminate because while we take care of not validating additional
records when processing an answer, we have no way of knowing in which
section a record was originally located when we retrieve it from the cache.
When an answer becomes too big to fit in the requester UDP payload,
RFC 4035 allows the sender to keep records in the additional section
while omitting the corresponding RRSIGs, without setting the TC bit.
pdns/recursordist/test-syncres_cc.cc
pdns/syncres.cc
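
The caching decision described in the commit message, as an added example in a simplified model; this is not code from the commit or from PowerDNS. All type and function names are hypothetical, the response is constructed, and the model assumes that a non-auth cache entry is not used as an answer and that a validation attempt without RRSIGs ends as Bogus.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified model with hypothetical types; not PowerDNS's own classes.
enum class Section { Answer, Authority, Additional };
enum class Outcome { ServedSecure, ServedBogus, Reresolve };

struct RRset { std::string name; Section section; bool hasRRSIG; };
// The cache entry has no section field: the auth flag is all that remains.
struct CacheEntry { std::string name; bool auth; bool hasRRSIG; bool validated; };

// Constructed AA=1 response: the sender kept the additional A record but
// dropped its RRSIG to fit the UDP payload, without setting TC.
std::vector<RRset> sampleResponse() {
  return {{"www.example.com.", Section::Answer, true},
          {"ns1.example.com.", Section::Additional, false}};
}

std::vector<CacheEntry> storeResponse(bool aa, const std::vector<RRset>& rrsets, bool additionalAsAuth) {
  std::vector<CacheEntry> out;
  for (const auto& rr : rrsets) {
    bool additional = rr.section == Section::Additional;
    // additionalAsAuth=true is the old behaviour, false the one the commit describes.
    bool auth = aa && (!additional || additionalAsAuth);
    // Additional records are not validated while the answer is processed.
    out.push_back({rr.name, auth, rr.hasRRSIG, !additional && rr.hasRRSIG});
  }
  return out;
}

// Later cache hit for a name in a signed zone. Assumption of this model: a
// non-auth entry is not used as an answer and the name is resolved again.
Outcome answerFromCache(const CacheEntry& e) {
  if (!e.auth) return Outcome::Reresolve;
  if (e.validated) return Outcome::ServedSecure;
  // Still Indeterminate: validate now, with only what was cached.
  return e.hasRRSIG ? Outcome::ServedSecure : Outcome::ServedBogus;
}

int main() {
  for (bool oldBehaviour : {true, false}) {
    auto entries = storeResponse(true, sampleResponse(), oldBehaviour);
    std::cout << (oldBehaviour ? "additional as auth: " : "additional as non-auth: ")
              << static_cast<int>(answerFromCache(entries[1])) << "\n";
  }
}
```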