From: Peter van Dijk <peter.van.dijk@netherlabs.nl>
Date: Fri, 23 Nov 2012 19:45:27 +0000 (+0000)
Subject: fix direct-dnskey outgoing AXFR operation; enforce correct TTL in direct DNSKEY query... 
X-Git-Tag: auth-3.2-rc2~80
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6dae726d3d1d43b636b6a62c685428db57e98d86;p=pdns

fix direct-dnskey outgoing AXFR operation; enforce correct TTL in direct DNSKEY query with direct-dnskey

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2921 d19b8d6e-7fed-0310-83ef-9ca221ded41b
---

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index d2c8c29bb..e86bbb21f 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -225,6 +225,7 @@ bool PacketHandler::addDNSKEY(DNSPacket *p, DNSPacket *r, const SOAData& sd)
   if(::arg().mustDo("direct-dnskey")) {
     B.lookup(QType(QType::DNSKEY), p->qdomain, p, sd.domain_id);
     while(B.get(rr)) {
+      rr.ttl=sd.default_ttl;
       r->addRecord(rr);
       haveOne=true;
     }
diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index d0cbbb221..68f50fcbf 100644
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -607,6 +607,14 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
     csp.submit(rr);
   }
   
+  if(::arg().mustDo("direct-dnskey")) {
+    sd.db->lookup(QType(QType::DNSKEY), target, NULL, sd.domain_id);
+    while(sd.db->get(rr)) {
+      rr.ttl = sd.default_ttl;
+      csp.submit(rr);
+    }
+  }
+
   if(NSEC3Zone) { // now stuff in the NSEC3PARAM
     rr.qtype = QType(QType::NSEC3PARAM);
     ns3pr.d_flags = 0;
@@ -636,6 +644,12 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
   while(sd.db->get(rr)) {
     if (rr.qtype.getCode() == QType::RRSIG)
       continue;
+
+    // only skip the DNSKEY if direct-dnskey is enabled, to avoid changing behaviour
+    // when it is not enabled.
+    if(::arg().mustDo("direct-dnskey") && rr.qtype.getCode() == QType::DNSKEY)
+      continue;
+
     records++;
     if(securedZone && (rr.auth || (!NSEC3Zone && rr.qtype.getCode() == QType::NS) || rr.qtype.getCode() == QType::DS)) { // this is probably NSEC specific, NSEC3 is different
       if (NSEC3Zone || rr.qtype.getCode()) {