From: Christian Hofstaedtler
Date: Fri, 15 Jul 2016 14:08:21 +0000 (+0200)
Subject: API: prevent sending nameservers list and zone-level NS in rrsets
X-Git-Tag: dnsdist-1.1.0-beta2~3^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=33e6c3e9505ac7c0e9b36850868aca1a1a91dd79;p=pdns

API: prevent sending nameservers list and zone-level NS in rrsets
---
diff --git a/pdns/ws-auth.cc b/pdns/ws-auth.cc
index 52c73d72c..c94a6c4bf 100644
--- a/pdns/ws-auth.cc
+++ b/pdns/ws-auth.cc
@@ -1026,6 +1026,7 @@ static void apiServerZones(HttpRequest* req, HttpResponse* resp) {
 
 // if records/comments are given, load and check them
 bool have_soa = false;
+ bool have_zone_ns = false;
 vector new_records;
 vector new_comments;
 vector new_ptrs;
@@ -1062,6 +1063,9 @@ static void apiServerZones(HttpRequest* req, HttpResponse* resp) {
 // fixup dots after serializeSOAData/increaseSOARecord
 rr.content = makeBackendRecordContent(rr.qtype, rr.content);
 }
+ if (rr.qtype.getCode() == QType::NS && rr.qname==zonename) {
+ have_zone_ns = true;
+ }
 }
 
 // synthesize RRs as needed
@@ -1102,6 +1106,9 @@ static void apiServerZones(HttpRequest* req, HttpResponse* resp) {
 }
 autorr.qtype = "NS";
 new_records.push_back(autorr);
+ if (have_zone_ns) {
+ throw ApiException("Nameservers list MUST NOT be mixed with zone-level NS in rrsets");
+ }
 }
 
 // no going back after this
diff --git a/regression-tests.api/test_Zones.py b/regression-tests.api/test_Zones.py
index 5ef562195..cb3db73c3 100644
--- a/regression-tests.api/test_Zones.py
+++ b/regression-tests.api/test_Zones.py
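Review bot: The apex test `rr.qname==zonename` in the second hunk (@@ -1062) is what decides whether the mixed-input rejection can fire, and the types of both operands are declared outside the hunk. If either side is a plain string rather than a normalised DNS name type at this point, an rrset name that differs from the zone name only in letter case would presumably leave `have_zone_ns` false, and the duplicate apex NS set would be accepted. A short comment above the `if`, such as `// apex NS only; this comparison must be case-insensitive`, would record the requirement for the next maintainer. The record loop that encloses these lines starts before the hunk.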
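Review bot: In the third hunk (@@ -1102) the `have_zone_ns` rejection runs only after `new_records.push_back(autorr)`, so a nameserver entry is validated and queued before the conflict is reported. The check appears to sit inside the per-nameserver block, whose start is outside the hunk. Nothing is committed, because the throw still comes before the `// no going back after this` point. However, a request that mixes both forms and also carries a malformed nameserver would get that validation error instead of the conflict message. Moving `if (have_zone_ns) { throw ApiException("Nameservers list MUST NOT be mixed with zone-level NS in rrsets"); }` ahead of the first statement that handles a nameserver entry would make the rejection independent of per-entry validation.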
@@ -261,6 +261,55 @@ class AuthZones(ApiTestCase, AuthZonesHelperMixin):
 self.assertEquals(r.status_code, 422)
 self.assertIn('contains unsupported characters', r.json()['error'])
 
+ def test_create_zone_mixed_nameservers_ns_rrset_zonelevel(self):
+ name = unique_zone_name()
+ rrset = {
+ "name": name,
+ "type": "NS",
+ "ttl": 3600,
+ "records": [{
+ "content": "ns2.example.com.",
+ "disabled": False,
+ }],
+ }
+ payload = {
+ 'name': name,
+ 'kind': 'Native',
+ 'nameservers': ['ns1.example.com.'],
+ 'rrsets': [rrset],
+ }
+ print payload
+ r = self.session.post(
+ self.url("/api/v1/servers/localhost/zones"),
+ data=json.dumps(payload),
+ headers={'content-type': 'application/json'})
+ self.assertEquals(r.status_code, 422)
+ self.assertIn('Nameservers list MUST NOT be mixed with zone-level NS in rrsets', r.json()['error'])
+
+ def test_create_zone_mixed_nameservers_ns_rrset_below_zonelevel(self):
+ name = unique_zone_name()
+ rrset = {
+ "name": 'subzone.'+name,
+ "type": "NS",
+ "ttl": 3600,
+ "records": [{
+ "content": "ns2.example.com.",
+ "disabled": False,
+ }],
+ }
+ payload = {
+ 'name': name,
+ 'kind': 'Native',
+ 'nameservers': ['ns1.example.com.'],
+ 'rrsets': [rrset],
+ }
+ print payload
+ r = self.session.post(
+ self.url("/api/v1/servers/localhost/zones"),
+ data=json.dumps(payload),
+ headers={'content-type': 'application/json'})
+ self.assert_success_json(r)
+
 def test_create_zone_with_symbols(self):
 name, payload, data = self.create_zone(name='foo/bar.'+unique_zone_name())
 name = payload['name']
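Review bot: Both new tests still contain a `print payload` debugging statement ahead of the POST; it adds noise to every test run and should be dropped from each. The second test would also benefit from a one-line comment above its `rrset`, for example `# NS below the apex is a delegation and may be combined with 'nameservers'`, so the reason it expects success is clear without reading the server code. Neither test sends the apex name in a different letter case from the zone name, so the name comparison on the server side is only covered for an exact match.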