From: Bert Hubert Date: Thu, 6 Jan 2011 13:23:43 +0000 (+0000) Subject: disable AXFR for NSEC3 zones for now - we can do it for non-narrow mode, but we can... X-Git-Tag: auth-3.0~433 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=83fcecffc5ca325e2684da8615280e41631b225a;p=pdns disable AXFR for NSEC3 zones for now - we can do it for non-narrow mode, but we can't right now, so best deny it. Previously we would serve NSEC records in an AXFR of an NSEC3 zone (sorry). Spotted by Marco Davids. git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@1814 d19b8d6e-7fed-0310-83ef-9ca221ded41b --- diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc index 6d4bf5258..e93ba7085 100644 --- a/pdns/tcpreceiver.cc +++ b/pdns/tcpreceiver.cc @@ -380,7 +380,14 @@ bool TCPNameserver::canDoAXFR(shared_ptr q) int TCPNameserver::doAXFR(const string &target, shared_ptr q, int outsock) { shared_ptr outpacket; - if(!canDoAXFR(q)) { + DNSSECKeeper dk; + bool noAXFRBecauseOfNSEC3=false; + if(dk.getNSEC3PARAM(target)) { + L<getRemote()<(q->replyPacket()); @@ -389,6 +396,9 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out sendPacket(outpacket,outsock); return 0; } + + + L<getRemote()<(q->replyPacket()); @@ -462,7 +472,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out nsecrepo_t nsecrepo; // this is where the DNSKEYs go - DNSSECKeeper dk; + DNSSECKeeper::keyset_t keys = dk.getKeys(target); BOOST_FOREACH(const DNSSECKeeper::keyset_t::value_type& value, keys) { rr.qname = target; @@ -510,6 +520,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out } } + for(nsecrepo_t::const_iterator iter = nsecrepo.begin(); iter != nsecrepo.end(); ++iter) { cerr<<"Adding for '"<first<<"'\n"; NSECRecordContent nrc; @@ -532,6 +543,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr q, int out count++; } + if(count) { sendPacket(outpacket, outsock); }
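Review bot: In the first hunk (`@@ -380,7 +380,14 @@`), `dk.getNSEC3PARAM(target)` is added ahead of the point where the removed `if(!canDoAXFR(q)) {` used to be the first check in doAXFR, so any TCP client, authorized or not, can trigger a DNSSEC metadata lookup for a name it supplies, and apparently a log entry as well (the `L<<` line is garbled on this page, so that part is inferred). Checking the ACL first keeps that work and the log noise behind authorization, for example `if(!canDoAXFR(q) || dk.getNSEC3PARAM(target)) {`, with the NSEC3-specific log message written inside the refusal branch. A comment at the check would also help the next maintainer see that the refusal is temporary, such as `// NSEC3 zone: AXFR would emit NSEC records, refuse until non-narrow mode is handled`. The remaining added lines and the refusal response are not legible here, and doAXFR's body continues past this hunk.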