Handle CNAME at secure zone apex to secure zone
authorPieter Lexis <pieter.lexis@powerdns.com>
Tue, 25 Oct 2016 15:25:19 +0000 (17:25 +0200)
committerPieter Lexis <pieter.lexis@powerdns.com>
Fri, 28 Oct 2016 14:34:52 +0000 (16:34 +0200)
Closes #4466

pdns/syncres.cc
pdns/syncres.hh
pdns/validate-recursor.cc

index a3455f057119ccfecdbfdc8acd2c4c473f08e8cc..0cc1ca247df0a66064d905281d072854d38d3348 100644 (file)
@@ -443,7 +443,7 @@ int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector<DNSRecor
       }
     }
 
-    if(qtype != QType::DS && doCNAMECacheCheck(qname,qtype,ret,depth,res)) // will reroute us if needed
+    if(!d_skipCNAMECheck && doCNAMECacheCheck(qname,qtype,ret,depth,res)) // will reroute us if needed
       return res;
 
     if(doCacheCheck(qname,qtype,ret,depth,res)) // we done
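Review bot: Dropping `qtype != QType::DS` from this condition means a DS lookup on any SyncRes whose flag was never set now goes through doCNAMECacheCheck and can be rerouted by a cached CNAME; in this commit only the validator path in validate-recursor.cc sets the flag. If that is not intended, keep both tests: `if(!d_skipCNAMECheck && qtype != QType::DS && doCNAMECacheCheck(qname,qtype,ret,depth,res))`. The flag is also a per-object member, so it presumably applies to every nested doResolve call made during the same resolve rather than only to the top-level query; a comment saying so would help. doResolve's body starts and ends outside the hunk.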
index 8820d359680ff424f60e1e31738893beec57d7a1..1763052b3efa198b54cb93da3897741e68a5a2f9 100644 (file)
@@ -339,6 +339,11 @@ public:
     return d_wasOutOfBand;
   }
 
+  void setSkipCNAMECheck(bool skip = false)
+  {
+    d_skipCNAMECheck = skip;
+  }
+
   int asyncresolveWrapper(const ComboAddress& ip, bool ednsMANDATORY, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, struct timeval* now, boost::optional<Netmask>& srcmask, LWResult* res);
 
   static void doEDNSDumpAndClose(int fd);
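Review bot: The default argument on `setSkipCNAMECheck(bool skip = false)` makes a bare `setSkipCNAMECheck()` turn the skip off, which reads as the opposite of the method name. Either drop the default or declare it as `void setSkipCNAMECheck(bool skip = true)`; the only caller in this commit passes `true` explicitly. A one-line comment such as `// when set, doResolve() does not consult the CNAME cache (used by the DNSSEC validator)` would document the effect. The enclosing class starts and ends outside the hunk.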
@@ -371,6 +376,7 @@ public:
   bool d_wasVariable{false};
   bool d_wasOutOfBand{false};
   bool d_wantsRPZ{true};
+  bool d_skipCNAMECheck{false};
   
   typedef multi_index_container <
     NegCacheEntry,
index 5819cfe7a91b16aa25795b721312d0b11d1ae386..12a9984d6d38691a279d862d94e1460125d248cc 100644 (file)
@@ -19,6 +19,8 @@ public:
 
     vector<DNSRecord> ret;
     sr.d_doDNSSEC=true;
+    if (qtype == QType::DS || qtype == QType::DNSKEY || qtype == QType::NS)
+      sr.setSkipCNAMECheck(true);
     sr.beginResolve(qname, QType(qtype), 1, ret);
     d_queries += sr.d_outqueries;
     return ret;
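Review bot: The type list on the added `if` carries no comment explaining why DS, DNSKEY and NS bypass the CNAME cache check, so the next reader cannot tell whether the list is complete. Going by the commit title, a comment like `// DS, DNSKEY and NS are fetched for validation at a zone apex or cut; a cached CNAME at the apex must not reroute them` above the condition would record the reason. `sr` is declared outside the hunk; if it is ever reused for other lookups the flag stays set, since nothing here clears it.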