/** Determines if we are authoritative for a zone, and at what level */
bool PacketHandler::getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId)
{
+ bool found=false;
string subdomain(target);
do {
if( B.getSOA( subdomain, *sd, p ) ) {
- if(p->qtype.getCode() == QType::DS && pdns_iequals(subdomain, target))
- continue; // A DS question is never answered from the apex, go one zone upwards
-
sd->qname = subdomain;
if(zoneId)
*zoneId = sd->domain_id;
- return true;
+
+ if(p->qtype.getCode() == QType::DS && pdns_iequals(subdomain, target)) {
+ // Found authoritative zone but look for parent zone with 'DS' record.
+ found=true;
+ } else
+ return true;
}
}
while( chopOff( subdomain ) ); // 'www.powerdns.org' -> 'powerdns.org' -> 'org' -> ''
- return false;
+ return found;
}
vector<DNSResourceRecord> PacketHandler::getBestReferralNS(DNSPacket *p, SOAData& sd, const string &target)
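Review bot: On the DS-at-apex fallback path, `return found;` at the end of getAuth hands the caller whatever `*sd` holds after the loop has gone on to call `B.getSOA( subdomain, *sd, p )` for every parent label. That is only correct if getSOA leaves `*sd` untouched when it returns false, which is not visible in this hunk. `sd->qname` and `*zoneId` are assigned before the parent lookups and are not rewritten on a miss, but the other SOAData fields feed the SOA shown in the expected negative answers, so a partially overwritten record would produce a wrong denial for a signed zone. If getSOA can write on failure, look up into a local and commit only on success, e.g. `SOAData tmp; if( B.getSOA( subdomain, tmp, p ) ) { *sd = tmp; sd->qname = subdomain; ...`. Otherwise record the assumption next to `found=true;` with a comment such as `// relies on getSOA() not modifying *sd when it returns false`.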
--- /dev/null
+#!/bin/sh
+cleandig example.com DS dnssec
+
--- /dev/null
+This test tries to resolve a non-existent DS at apex
--- /dev/null
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=DS
--- /dev/null
+1 example.com. IN NSEC 86400 double.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=DS
--- /dev/null
+1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=DS
--- /dev/null
+1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=DS