From: Remi Gacogne Date: Thu, 5 Oct 2017 14:48:27 +0000 (+0200) Subject: rec: Set TC=1 if we had to omit part of the AUTHORITY section X-Git-Tag: rec-4.1.0-rc1~9^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a0fdbef72c1e8a88a139a7efe3eceec47c11c970;p=pdns rec: Set TC=1 if we had to omit part of the AUTHORITY section The client might need them for validation purpose, for example, so it needs to know the answer has been truncated.
---
diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 1875668f0..01fc6e341 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1123,11 +1123,10 @@ static void startDoResolve(void *p)
 i->d_content->toPacket(pw);
 if(pw.size() > static_cast(maxanswersize)) {
 pw.rollback();
- if(i->d_place==DNSResourceRecord::ANSWER) // only truncate if we actually omitted parts of the answer
- {
- pw.getHeader()->tc=1;
- pw.truncate();
- }
+ if(i->d_place != DNSResourceRecord::ADDITIONAL) {
+ pw.getHeader()->tc=1;
+ pw.truncate();
+ }
 goto sendit; // need to jump over pw.commit
 }
 needCommit = true;
diff --git a/regression-tests.recursor-dnssec/basicDNSSEC.py b/regression-tests.recursor-dnssec/basicDNSSEC.py
index b8990ad85..a630fac17 100644
--- a/regression-tests.recursor-dnssec/basicDNSSEC.py
+++ b/regression-tests.recursor-dnssec/basicDNSSEC.py
@@ -12,11 +12,13 @@ class BasicDNSSEC(RecursorTest):
 cls.wipeRecursorCache(confdir)
 @classmethod
- def sendQuery(self, name, rdtype):
+ def sendQuery(self, name, rdtype, useTCP=False):
 """Helper function that creates the query"""
 msg = dns.message.make_query(name, rdtype, want_dnssec=True)
 msg.flags |= dns.flags.AD
+ if useTCP:
+ return self.sendTCPQuery(msg)
 return self.sendUDPQuery(msg)
 def testSecureAnswer(self):
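Review bot: The rewritten condition `if(i->d_place != DNSResourceRecord::ADDITIONAL) {` removes the old explanatory comment and puts nothing in its place, so the reason an omitted AUTHORITY record now sets TC is recorded only in the commit message. A comment on that line would keep the rationale with the code, for example `// set TC when an ANSWER or AUTHORITY record had to be dropped: the client may need it, e.g. for DNSSEC validation` and `// records dropped from ADDITIONAL are not reported as truncation`. It may also be worth confirming that the ADDITIONAL path, which still jumps to `sendit` with TC clear, cannot leave only part of an RRset in the response; the record ordering and commit points are not visible in this hunk. startDoResolve begins and ends outside the hunk.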
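Review bot: The docstring of `sendQuery` still reads only "Helper function that creates the query", although the helper now also selects the transport through the new `useTCP` parameter. I would extend it to something like `"""Build a DNSSEC query with AD set and send it over UDP, or over TCP when useTCP is True"""`. As a style point, the method is a `@classmethod` whose first parameter is named `self`; `cls` would match the `cls.wipeRecursorCache(confdir)` call in the context line above.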
@@ -101,7 +103,8 @@ class BasicDNSSEC(RecursorTest):
 self.assertMessageIsAuthenticated(res)
 def testSecureCNAMEWildCardNXDOMAIN(self):
- res = self.sendQuery('something.cnamewildcardnxdomain.secure.example.', 'A')
+ # the answer to this query reaches the UDP truncation threshold, so let's use TCP
+ res = self.sendQuery('something.cnamewildcardnxdomain.secure.example.', 'A', useTCP=True)
 expectedCNAME = dns.rrset.from_text('something.cnamewildcardnxdomain.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'doesntexist.secure.example.')
 self.assertRcodeEqual(res, dns.rcode.NXDOMAIN)
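Review bot: Moving `testSecureCNAMEWildCardNXDOMAIN` to TCP keeps it passing, but nothing in the visible test changes asserts the behaviour the commit introduces, namely that the same query over UDP now comes back with TC set. A short UDP check beside the TCP one would pin it, for example `udpRes = self.sendQuery('something.cnamewildcardnxdomain.secure.example.', 'A')` followed by `self.assertTrue(udpRes.flags & dns.flags.TC)`. Whether the UDP answer is always truncated depends on the recursor's configured answer size, which is not visible here, so that size may need to be fixed in the test configuration. The test method appears to continue past the end of the hunk.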