Don't validate internal or out-of-band names
authorPieter Lexis <pieter.lexis@powerdns.com>
Tue, 12 Jul 2016 11:42:55 +0000 (13:42 +0200)
committerPieter Lexis <pieter.lexis@powerdns.com>
Thu, 14 Jul 2016 15:41:35 +0000 (17:41 +0200)
Closes #4149
Closes #4156
Closes #4157

pdns/pdns_recursor.cc
pdns/syncres.cc
pdns/syncres.hh

index af9d057baeeb915921cb7c8241422026373e4355..f054a54d1e016cf98b211836c5b86b2d9287eccd 100644 (file)
@@ -709,6 +709,7 @@ void startDoResolve(void *p)
 
     bool tracedQuery=false; // we could consider letting Lua know about this too
     bool variableAnswer = false;
+    bool shouldNotValidate = false;
 
     int res;
     DNSFilterEngine::Policy dfepol;
@@ -787,10 +788,10 @@ void startDoResolve(void *p)
       break;
     }
 
-
     if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, dc->d_local, dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_tcp, ret, dc->d_ednsOpts.empty() ? 0 : &dc->d_ednsOpts, dc->d_tag, &appliedPolicy, &dc->d_policyTags, res, &variableAnswer)) {
       try {
         res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret);
+        shouldNotValidate = sr.wasOutOfBand();
       }
       catch(ImmediateServFailException &e) {
         if(g_logCommonErrors)
@@ -888,7 +889,7 @@ void startDoResolve(void *p)
       pw.getHeader()->rcode=res;
 
       // Does the validation mode or query demand validation?
-      if(g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog || ((dc->d_mdp.d_header.ad || DNSSECOK) && g_dnssecmode==DNSSECMode::Process)) {
+      if(!shouldNotValidate && (g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog || ((dc->d_mdp.d_header.ad || DNSSECOK) && g_dnssecmode==DNSSECMode::Process))) {
         try {
           if(sr.doLog()) {
             L<<Logger::Warning<<"Starting validation of answer to "<<dc->d_mdp.d_qname<<" for "<<dc->d_remote.toStringWithPort()<<endl;
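Review bot: The validation skip introduced on the `if(!shouldNotValidate && ...)` line is silent: when `shouldNotValidate` is true the answer leaves without AD and without any trace line saying why, which makes DNSSEC troubleshooting under `sr.doLog()` harder than it needs to be. An `else if(shouldNotValidate && sr.doLog())` branch logging `L<<Logger::Warning<<"Not validating answer to "<<dc->d_mdp.d_qname<<": served from out-of-band data"<<endl;` would make the decision visible in the same trace that announces "Starting validation". Note that `shouldNotValidate` is only updated on the `beginResolve` path; an answer produced by the Lua `preresolve` hook keeps the default `false` and still goes through validation, which is probably intended but deserves a one-line comment next to the declaration. `startDoResolve` starts and ends outside this hunk.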
index 224945b6d3c411dba654ed439b10944ff71a7a7d..8c44f8102454e5ce7212b7b2b7a1e09192ef43b1 100644 (file)
@@ -125,6 +125,7 @@ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qcl
 {
   s_queries++;
   d_wasVariable=false;
+  d_wasOutOfBand=false;
 
   if( (qtype.getCode() == QType::AXFR))
     return -1;
@@ -146,6 +147,7 @@ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qcl
     else
       dr.d_content=shared_ptr<DNSRecordContent>(DNSRecordContent::mastermake(QType::A, 1, "127.0.0.1"));
     ret.push_back(dr);
+    d_wasOutOfBand=true;
     return 0;
   }
 
@@ -165,6 +167,7 @@ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qcl
       dr.d_content=shared_ptr<DNSRecordContent>(DNSRecordContent::mastermake(QType::TXT, 3, "\""+s_serverID+"\""));
 
     ret.push_back(dr);
+    d_wasOutOfBand=true;
     return 0;
   }
 
@@ -420,7 +423,7 @@ int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecor
         const vector<ComboAddress>& servers = iter->second.d_servers;
         if(servers.empty()) {
           ret.clear();
-          doOOBResolve(qname, qtype, ret, depth, res);
+          d_wasOutOfBand = doOOBResolve(qname, qtype, ret, depth, res);
           return res;
         }
         else {
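Review bot: `d_wasOutOfBand` is a single per-`SyncRes` flag that is reset only in `beginResolve`, yet this assignment (and the matching one in the `doResolveAt` hunk below) runs for every nested `doResolve` call made while answering one query, which as far as the recursor's structure suggests includes CNAME targets and nameserver address lookups. If any intermediate lookup is served out-of-band, the flag stays true and the final answer, even one fetched from the network, skips validation in `startDoResolve`, i.e. the check fails open rather than closed. A conservative fix is to make the flag describe only the answer handed back to the caller of `beginResolve`, for example by setting it only when the out-of-band result is the one returned at the outermost `depth`, or by clearing it before each sub-lookup and carrying it forward only along the CNAME chain the answer is built from. Separately, if `doOOBResolve` can return false on this path, the assignment clears the flag and the locally generated negative answer is then validated; worth confirming that is intended. `doResolve` starts and ends outside the hunk.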
@@ -982,7 +985,7 @@ int SyncRes::doResolveAt(NsSet &nameservers, DNSName auth, bool flawedNSSet, con
       LWResult lwr;
       if(tns->empty() && nameservers[*tns].first.empty() ) {
         LOG(prefix<<qname<<": Domain is out-of-band"<<endl);
-        doOOBResolve(qname, qtype, lwr.d_records, depth, lwr.d_rcode);
+        d_wasOutOfBand = doOOBResolve(qname, qtype, lwr.d_records, depth, lwr.d_rcode);
         lwr.d_tcbit=false;
         lwr.d_aabit=true;
       }
index 3287bb7acf881fb2c09698b62cb6228bc5292294..182666a1859ef59b941d17f5e450a5754cf02b07 100644 (file)
@@ -312,6 +312,11 @@ public:
     return d_wasVariable;
   }
 
+  bool wasOutOfBand() const
+  {
+    return d_wasOutOfBand;
+  }
+
   int asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res);
 
   static void doEDNSDumpAndClose(int fd);
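Review bot: `wasOutOfBand()` is added without documentation, and because the underlying flag is reset in `beginResolve` and set from several places during resolution, callers need to know its scope before relying on it to bypass validation. A comment on the accessor such as `// True if the answer of the most recent beginResolve() was served from local out-of-band data (zones configured with no servers, or the built-in internal names) rather than fetched from the network; such answers are not DNSSEC-validated. Only meaningful after beginResolve() returns.` would capture the contract. The same scope note belongs next to the `d_wasOutOfBand{false}` member in the following hunk. The enclosing class continues outside this hunk.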
@@ -340,6 +345,7 @@ public:
   bool d_doDNSSEC;
   
   bool d_wasVariable{false};
+  bool d_wasOutOfBand{false};
   
   typedef multi_index_container <
     NegCacheEntry,