bool hasNsAtApex = false;
- set<DNSName> cnames, noncnames, glue, checkglue;
+ set<DNSName> tlsas, cnames, noncnames, glue, checkglue;
set<string> records;
map<string, unsigned int> ttl;
numrecords++;
+ if(rr.qtype.getCode() == QType::TLSA)
+ tlsas.insert(rr.qname);
if(rr.qtype.getCode() == QType::SOA) {
vector<string>parts;
stringtok(parts, rr.content);
}
}
+ for(const auto &i: tlsas) {
+ DNSName name = DNSName(i);
+ name.trimToLabels(name.getRawLabels().size()-2);
+ if (cnames.find(name) == cnames.end() && noncnames.find(name) == noncnames.end()) {
+ // No specific record for the name in the TLSA record exists, this
+ // is already worth emitting a warning. Let's see if a wildcard exist.
+ cout<<"[Warning] ";
+ DNSName wcname(name);
+ wcname.chopOff();
+ wcname.prependRawLabel("*");
+ if (cnames.find(wcname) != cnames.end() || noncnames.find(wcname) != noncnames.end()) {
+ cout<<"A wildcard record exist for '"<<wcname.toString()<<"' and a TLSA record for '"<<i.toString()<<"'.";
+ } else {
+ cout<<"No record for '"<<name.toString()<<"' exists, but a TLSA record for '"<<i.toString()<<"' does.";
+ }
+ numwarnings++;
+ cout<<" A query for '"<<name.toString()<<"' will yield an empty response. This is most likely a mistake, please create records for '"<<name.toString()<<"'."<<endl;
+ }
+ }
+
if(!hasNsAtApex) {
cout<<"[Error] No NS record at zone apex in zone '"<<zone.toString()<<"'"<<endl;
numerrors++;
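Review bot: The trim on the line `name.trimToLabels(name.getRawLabels().size()-2);` assumes every TLSA owner name is of the form `_port._proto.host`; `size()-2` is unsigned arithmetic, so a TLSA record published at a name with fewer than two labels wraps around, and one with exactly two labels is trimmed to the apex, after which the loop reports "No record for '<apex>' exists" for a name that was never the host. Checking the shape of the owner name before trimming avoids the underflow and gives the operator a diagnostic that names the actual problem (a TLSA record that cannot be mapped back to a host); the shape test below assumes `getRawLabels()` returns labels leftmost-first, which the existing `size()-2` already relies on. As a point of style, `DNSName name = DNSName(i);` can simply be `DNSName name(i);` since `i` is already a DNSName. The enclosing function starts and ends outside the hunk.
```cpp
for(const auto &i: tlsas) {
  const auto labels = i.getRawLabels();
  // A TLSA owner is expected to be _port._proto.<host>; anything else cannot be mapped back to a host name.
  if (labels.size() < 3 || labels[0].empty() || labels[0][0] != '_' || labels[1].empty() || labels[1][0] != '_') {
    cout<<"[Warning] TLSA record for '"<<i.toString()<<"' is not of the form _port._proto.name, cannot check for a matching record."<<endl;
    numwarnings++;
    continue;
  }
  DNSName name(i);
  name.trimToLabels(labels.size()-2);
  // … unchanged: lookup of name, wildcard check and warning output …
}
```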