dnsdist had problems with large AXFR as it checked first record of second envelope...
authorbert hubert <bert.hubert@netherlabs.nl>
Sun, 14 Jan 2018 19:17:48 +0000 (20:17 +0100)
committerbert hubert <bert.hubert@netherlabs.nl>
Sun, 14 Jan 2018 19:19:24 +0000 (20:19 +0100)
With this commit, the check against spoofing is only performed against the first message, and not against subsequent ones.
Thanks to Janne for help debugging this issue.

pdns/dnsdist-tcp.cc

index 74d03b06c6d7f32969581ada8a7b8175ff503456..f23b4c15845a4b177e62a09ee53b6eb15bd5785d 100644 (file)
@@ -484,7 +484,7 @@ void* tcpClientThread(int pipefd)
           sendSizeAndMsgWithTimeout(dsock, dq.len, query, ds->tcpSendTimeout, &ds->remote, &ds->sourceAddr, ds->sourceItf, 0, socketFlags);
         }
         catch(const runtime_error& e) {
-          vinfolog("Downstream connection to %s died on us, getting a new one!", ds->getName());
+          vinfolog("Downstream connection to %s died on us (%s), getting a new one!", ds->getName(), e.what());
           close(dsock);
           dsock=-1;
           sockets.erase(ds->remote);
@@ -502,7 +502,7 @@ void* tcpClientThread(int pipefd)
         if (isXFR) {
           dq.skipCache = true;
         }
-
+        bool firstPacket=true;
       getpacket:;
 
         if(!getNonBlockingMsgLen(dsock, &rlen, ds->tcpRecvTimeout)) {
@@ -544,10 +544,10 @@ void* tcpClientThread(int pipefd)
           break;
         }
 
-        if (!responseContentMatches(response, responseLen, qname, qtype, qclass, ds->remote)) {
+        if (firstPacket && !responseContentMatches(response, responseLen, qname, qtype, qclass, ds->remote)) {
           break;
         }
-
+        firstPacket=false;
         if (!fixUpResponse(&response, &responseLen, &responseSize, qname, origFlags, ednsAdded, ecsAdded, rewrittenResponse, addRoom)) {
           break;
         }
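Review bot: After the first message, every later envelope of the transfer reaches `fixUpResponse` with no content check at all, because the `firstPacket &&` guard skips `responseContentMatches` entirely rather than relaxing it. If that function is also where basic sanity checks live (its body is outside the hunk, so this is an assumption), later messages lose those too; a lighter check for subsequent envelopes, such as a minimum header length and a message ID that matches the query, would keep some protection against injected data. The flag is also not tied to `isXFR`, so the declaration `bool firstPacket=true;` in the previous hunk deserves a comment, e.g. `// later AXFR envelopes may omit the question section, so only the first message is matched against qname/qtype/qclass`. The loop around `getpacket:` starts and ends outside these hunks, so whether non-XFR responses can pass through it a second time cannot be confirmed from here.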