From: Kees Monshouwer Date: Thu, 3 Apr 2014 14:13:37 +0000 (+0200) Subject: AXFR in: don't accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs X-Git-Tag: rec-3.6.0-rc1~73^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=82fb538654fe176a1231bdccea79f74b62f7774a;p=pdns AXFR in: don't accept zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs --- diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc index 9ccbdbc55..dd36a504f 100644 --- a/pdns/slavecommunicator.cc +++ b/pdns/slavecommunicator.cc @@ -156,6 +156,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote) vector rrs; set secured; bool first=true; + bool firstNSEC3=true; while(retriever.getChunk(recs)) { if(first) { L<qtype.getCode() == QType::NSEC3) { - dnssecZone = gotPresigned = true; NSEC3RecordContent ns3rc(i->content); + if (firstNSEC3) { + dnssecZone = gotPresigned = true; + firstNSEC3 = false; + } else if (gotOptOutFlag != (ns3rc.d_flags & 1)) + throw PDNSException("Zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs are not supported."); gotOptOutFlag = ns3rc.d_flags & 1; if (ns3rc.d_set.count(QType::NS) && !pdns_iequals(i->qname, domain)) secured.insert(toLower(makeRelative(i->qname, domain)));
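Review bot: In the NSEC3 branch the Opt-Out bit is extracted twice with a bare `& 1` and compared against `gotOptOutFlag`, whose declaration is outside the hunk; computing it once keeps the check and the assignment from drifting apart: `const bool optOut = ns3rc.d_flags & 1;`, then `} else if (gotOptOutFlag != optOut)` and `gotOptOutFlag = optOut;`. Braces around the `throw` would also make it obvious that the following `gotOptOutFlag = ...` assignment is not part of the `else if`. The exception text does not name the zone, so unless the handler (not visible here) adds `domain`, an operator cannot tell which inbound transfer was rejected. Only the Opt-Out flag is compared across records; whether hash algorithm, iterations and salt are checked for consistency elsewhere in `suck()` cannot be seen from this hunk, and the function body starts and ends outside it.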