Handle CNAME at secure zone apex to secure zone
authorPieter Lexis <pieter.lexis@powerdns.com>
Tue, 25 Oct 2016 15:25:19 +0000 (17:25 +0200)
committerPieter Lexis <pieter.lexis@powerdns.com>
Tue, 25 Oct 2016 18:47:16 +0000 (20:47 +0200)
Closes #4466

pdns/syncres.cc
pdns/syncres.hh
pdns/validate-recursor.cc

index 3b20a1693b05c586bad345991d029bb436076fcb..4a18ae7475425b1ab55833738f3a86ae517e6b2c 100644 (file)
@@ -443,7 +443,7 @@ int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecor
       }
     }
 
-    if(qtype != QType::DS && doCNAMECacheCheck(qname,qtype,ret,depth,res)) // will reroute us if needed
+    if(!d_skipCNAMECheck && doCNAMECacheCheck(qname,qtype,ret,depth,res)) // will reroute us if needed
       return res;
 
     if(doCacheCheck(qname,qtype,ret,depth,res)) // we done
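Review bot: The rewritten guard drops the unconditional `qtype != QType::DS` exclusion, so a DS query on any SyncRes that never calls `setSkipCNAMECheck(true)` now goes through doCNAMECacheCheck and can be rerouted by a cached CNAME for that name. In this commit only the validator's resolver in validate-recursor.cc sets the flag, so client-facing DS lookups appear to lose the protection they had before. If that is not intended, keep both conditions: `if(!d_skipCNAMECheck && qtype != QType::DS && doCNAMECacheCheck(qname,qtype,ret,depth,res))`. doResolve starts and ends outside this hunk, so any other DS handling further down is not visible here.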
index 8820d359680ff424f60e1e31738893beec57d7a1..1763052b3efa198b54cb93da3897741e68a5a2f9 100644 (file)
@@ -339,6 +339,11 @@ public:
     return d_wasOutOfBand;
   }
 
+  void setSkipCNAMECheck(bool skip = false)
+  {
+    d_skipCNAMECheck = skip;
+  }
+
   int asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res);
 
   static void doEDNSDumpAndClose(int fd);
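Review bot: The default argument on `setSkipCNAMECheck(bool skip = false)` makes a bare `setSkipCNAMECheck()` turn the skip off, which reads as the opposite of what the name suggests. I would drop the default, `void setSkipCNAMECheck(bool skip)`, so every call site states its intent. The setter also has no comment, although the flag changes how DNSSEC chain lookups treat cached CNAMEs; something like `// When set, doResolve() does not consult the CNAME cache; used by the validator for DS/DNSKEY/NS lookups` belongs above it. The member added in the next hunk, `d_skipCNAMECheck`, appears to sit in the same public section as `d_wantsRPZ`, so callers can write it directly and bypass the setter.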
@@ -371,6 +376,7 @@ public:
   bool d_wasVariable{false};
   bool d_wasOutOfBand{false};
   bool d_wantsRPZ{true};
+  bool d_skipCNAMECheck{false};
   
   typedef multi_index_container <
     NegCacheEntry,
index 9da1c7847e7b5986b2d8a6bb3ba95353148ea597..e6b6406442827cc33971c4bc76bc22b888842875 100644 (file)
@@ -19,6 +19,8 @@ public:
     sr.setId(MT->getTid());
     vector<DNSRecord> ret;
     sr.d_doDNSSEC=true;
+    if (qtype == QType::DS || qtype == QType::DNSKEY || qtype == QType::NS)
+      sr.setSkipCNAMECheck(true);
     sr.beginResolve(qname, QType(qtype), 1, ret);
     d_queries += sr.d_outqueries;
     return ret;
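Review bot: The condition `qtype == QType::DS || qtype == QType::DNSKEY || qtype == QType::NS` has no comment saying why these three types bypass the CNAME cache, and NS in particular is not explained by the commit title. A short comment such as `// trust-chain lookups must fetch the zone's own DS/DNSKEY/NS, not follow a cached apex CNAME (#4466)` would keep a later reader from widening or narrowing the list by accident. The changed-file list shows no test file, so a regression case for a CNAME at a signed zone apex pointing into another signed zone would be a useful addition. The enclosing method starts above this hunk.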