Check if the recursor is not auth for zone in a RR
authorPieter Lexis <pieter.lexis@powerdns.com>
Mon, 22 Jun 2015 11:02:48 +0000 (13:02 +0200)
committerPieter Lexis <pieter.lexis@powerdns.com>
Wed, 24 Jun 2015 08:12:11 +0000 (10:12 +0200)
This patch checks every resource record name in a packet from an
authoritative server and determines whether we (the recursor) are
authoritative for a zone that the qname is part of. If this is the case,
we don't allow the use of that record.

Closes #2600

pdns/syncres.cc

index 65908af370eb05376fe10ef352f8baab944bcd6f..be0777e9db42befb175e09c017f57315b107b0eb 100644 (file)
@@ -1089,7 +1089,22 @@ int SyncRes::doResolveAt(set<string, CIStringCompare> nameservers, string auth,
           LOG("NO! - we don't accept 'ANY' data"<<endl);
           continue;
         }
-          
+
+        // Check if we are authoritative for a zone in this answer
+        if (!t_sstorage->domainmap->empty()) {
+          string tmp_qname(i->qname);
+          auto auth_domain_iter=getBestAuthZone(&tmp_qname);
+          if(auth_domain_iter!=t_sstorage->domainmap->end()) {
+            if (auth_domain_iter->first != auth) {
+              LOG("NO! - we are authoritative for the zone "<<auth_domain_iter->first<<endl);
+              continue;
+            } else {
+              // ugly...
+              LOG("YES! - This answer was retrieved from the local auth store"<<endl);
+            }
+          }
+        }
+
         if(dottedEndsOn(i->qname, auth)) {
           if(lwr.d_aabit && lwr.d_rcode==RCode::NoError && i->d_place==DNSResourceRecord::ANSWER && ::arg().contains("delegation-only",auth)) {
             LOG("NO! Is from delegation-only zone"<<endl);
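Review bot: The rejection test `auth_domain_iter->first != auth` also fires when `auth` is a zone delegated below a locally configured zone, since getBestAuthZone presumably returns the enclosing local zone for any name under it, so records from the child's servers would be dropped with "NO! - we are authoritative". If that path is reachable (the callers are outside this hunk), limit the rejection to local zones that are not an ancestor of `auth`, e.g. `if (auth_domain_iter->first != auth && !dottedEndsOn(auth, auth_domain_iter->first)) {`, and confirm that the following `dottedEndsOn(i->qname, auth)` test still bounds what the child may supply. The comparison is also a plain `std::string` `!=`, so a case difference between `auth` and the map key would reject answers that did come from the local store; a case-insensitive compare would match the `CIStringCompare` convention visible in the signature. The `// ugly...` comment should state what is meant, for instance `// best local zone equals auth: the answer came from our own auth store, so keep it`, and `tmp_qname` deserves a note on why the copy is needed. doResolveAt starts and ends outside the hunk.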