rec: Refuse queries for rfc6895 section 3.1 meta types

(cherry picked from commit ab1b5574d15a62e67a133828fc98502de830842c)
(cherry picked from commit 834b326fb0ebda4622360a0e0c40888e6dceb946)

diff --git a/pdns/syncres.cc b/pdns/syncres.cc
index 55ce1a71145f83cd5a46434fc3909fdcceccb605..434b29fd479417788b2b884456b823be0785b09d 100644 (file)
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@ -124,6 +124,8 @@ SyncRes::SyncRes(const struct timeval& now) :  d_outqueries(0), d_tcpoutqueries(
 /** everything begins here - this is the entry point just after receiving a packet */
 int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qclass, vector<DNSRecord>&ret)
 {
+  /* rfc6895 section 3.1 + RRSIG and NSEC3 */
+  static const std::set<uint16_t> metaTypes = { QType::AXFR, QType::IXFR, QType::RRSIG, QType::NSEC3, QType::OPT, QType::TSIG, QType::TKEY, QType::MAILA, QType::MAILB };
   s_queries++;
   d_wasVariable=false;
   d_wasOutOfBand=false;
@@ -172,6 +174,10 @@ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qcl
     return 0;
   }
 
+  if (metaTypes.count(qtype.getCode())) {
+    return -1;
+  }
+
   if(qclass==QClass::ANY)
     qclass=QClass::IN;
   else if(qclass!=QClass::IN)