auth: ignore NSEC3PARAM in an unsigned zone

author Kees Monshouwer <mind04@monshouwer.org>

Sat, 3 Jun 2017 14:25:02 +0000 (16:25 +0200)

committer mind04 <mind04@monshouwer.org>

Sun, 4 Jun 2017 12:36:29 +0000 (14:36 +0200)
author Kees Monshouwer <mind04@monshouwer.org>
Sat, 3 Jun 2017 14:25:02 +0000 (16:25 +0200)
committer mind04 <mind04@monshouwer.org>
Sun, 4 Jun 2017 12:36:29 +0000 (14:36 +0200)
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc

index 4bff18f2cb1f716c09b8b24f5fb6093cf44a920f..9d29a29cdc2e3a5211f02eac8217550797ed3936 100644 (file)
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1308,7 +1308,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
          if(addCDS(p,r, sd))
            goto sendit;
        }
-      else if(p->qtype.getCode() == QType::NSEC3PARAM)
+      else if(p->qtype.getCode() == QType::NSEC3PARAM && d_dk.isSecuredZone(sd.qname))
        {
          if(addNSEC3PARAM(p,r, sd))
            goto sendit;
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc

index c4c047147dbdb201c66b1a548860414a1c4a1ddf..837aa86cd74d66507c4d1f17f2dbe7752b65434f 100644 (file)
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -597,7 +597,7 @@ int TCPNameserver::doAXFR(const DNSName &target, shared_ptr<DNSPacket> q, int ou
    NSEC3PARAMRecordContent ns3pr;
    bool narrow;
    bool NSEC3Zone=false;
-  if(dk.getNSEC3PARAM(target, &ns3pr, &narrow)) {
+  if(securedZone && dk.getNSEC3PARAM(target, &ns3pr, &narrow)) {
      NSEC3Zone=true;
      if(narrow) {
        L<<Logger::Error<<"Not doing AXFR of an NSEC3 narrow zone '"<<target<<"' for "<<q->getRemote()<<endl;
author	Kees Monshouwer <mind04@monshouwer.org>
	Sat, 3 Jun 2017 14:25:02 +0000 (16:25 +0200)
committer	mind04 <mind04@monshouwer.org>
	Sun, 4 Jun 2017 12:36:29 +0000 (14:36 +0200)
pdns/packethandler.cc		patch \| blob \| history
pdns/tcpreceiver.cc		patch \| blob \| history