From: Remi Gacogne
Date: Wed, 16 Jan 2019 09:46:49 +0000 (+0100)
Subject: Merge pull request #7178 from rgacogne/rec-skip-cname-ns-zone
X-Git-Tag: rec-4.2.0-alpha1~29
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=fb670df42ca0a09ba683917c43c27b2d2d18423e;p=pdns
Merge pull request #7178 from rgacogne/rec-skip-cname-ns-zone
rec: Skip NS for the exact zone in CNAME answers
---
fb670df42ca0a09ba683917c43c27b2d2d18423e
diff --cc pdns/syncres.cc
index 6d224cea0,75d495aa1..c463a5320
--- a/pdns/syncres.cc
+++ b/pdns/syncres.cc
@@@ -2138,9 -2135,20 +2138,21 @@@ RCode::rcodes_ SyncRes::updateCacheFrom associated with the alias. */ isAA = false; + expectSignature = false; } + if (isCNAMEAnswer && i->first.place == DNSResourceRecord::AUTHORITY && i->first.type == QType::NS && auth == i->first.name) { + /* These NS can't be authoritative since we have a CNAME answer for which (see above) only the + record describing that alias is necessarily authoritative. + But if we allow the current auth, which might be serving the child zone, to raise the TTL + of non-authoritative NS in the cache, they might be able to keep a "ghost" zone alive forever, + even after the delegation is gone from the parent. + So let's just do nothing with them, we can fetch them directly if we need them. + */ + LOG(d_prefix<<": skipping authority NS from '"<first.name<<"|"<first.type)<first.name, false); LOG(d_prefix<<": got initial zone status "<first.name<<"|"<first.type)<