From 389b7a054f87163ff604265093dfbd5443e2f737 Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Tue, 7 Mar 2017 13:48:44 +0100 Subject: [PATCH] ALIAS: disable expansion by default Closes #5119 --- docs/markdown/authoritative/howtos.md | 7 +++++-- docs/markdown/authoritative/settings.md | 13 +++++++++++++ pdns/common_startup.cc | 1 + pdns/packethandler.cc | 5 +++++ pdns/packethandler.hh | 1 + regression-tests/backends/gsql-common | 1 + 6 files changed, 26 insertions(+), 2 deletions(-) diff --git a/docs/markdown/authoritative/howtos.md b/docs/markdown/authoritative/howtos.md index 4c2bb973b..466ca7da7 100644 --- a/docs/markdown/authoritative/howtos.md +++ b/docs/markdown/authoritative/howtos.md @@ -178,11 +178,11 @@ If you have multiple IP addresses on the internet on one machine, UNIX often sen # Using ALIAS records The ALIAS record provides a way to have CNAME-like behaviour on the zone apex. -In order to correctly serve ALIAS records, set the [`resolver`](settings.md#resolver) -setting to an existing resolver: +In order to correctly serve ALIAS records, set the [`resolver`](settings.md#resolver) setting to an existing resolver and enable [`expand-alias`](settings.md#expand-alias): ``` resolver=[::1]:5300 +expand-alias=yes ``` and add the ALIAS record to your zone apex. e.g.: @@ -213,6 +213,9 @@ Set `outgoing-axfr-expand-alias` to 'yes' if your slaves don't understand ALIAS or should not look up the addresses themselves. Note that slaves will not automatically follow changes in those A/AAAA records unless you AXFR regularly. +**note:** The `expand-alias` setting does not exist in PowerDNS Authoritative Server 4.0.x. +Hence, ALIAS records are always expanded on a direct A or AAAA query. + ## ALIAS and DNSSEC Starting with the PowerDNS Authoritative Server 4.0.0, DNSSEC 'washing' of ALIAS records is supported on AXFR (**not** on live-signing). Set `outgoing-axfr-expand-alias` 
diff --git a/docs/markdown/authoritative/settings.md b/docs/markdown/authoritative/settings.md
index 732f733fd..cd5fd42f6 100644
--- a/docs/markdown/authoritative/settings.md
+++ b/docs/markdown/authoritative/settings.md
@@ -342,6 +342,19 @@ Enables EDNS subnet processing, for backends that support it.
 
 Entropy source file to use.
 
+## `expand-alias`
+* Boolean
+* Default: no
+* Since: 4.1.0
+
+If this is enabled, ALIAS records are expanded (synthesised to their A/AAAA).
+
+If this is disabled (the default), ALIAS records will not expanded and the server will will return NODATA for A/AAAA queries for such names.
+
+**note**: [`resolver`](#resolver) must also be set for ALIAS expansion to work!
+
+**note**: In PowerDNS Authoritative Server 4.0.x, this setting did not exist and ALIAS was always expanded.
+
 ## `forward-dnsupdate`
 * Boolean
 * Default: no
diff --git a/pdns/common_startup.cc b/pdns/common_startup.cc
index 8eaa5b92c..0add72451 100644
--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -191,6 +191,7 @@ void declareArguments()
   ::arg().set("include-dir","Include *.conf files from this directory");
   ::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="secpoll.powerdns.com.";
 
+  ::arg().setSwitch("expand-alias", "Expand ALIAS records")="no";
   ::arg().setSwitch("outgoing-axfr-expand-alias", "Expand ALIAS records during outgoing AXFR")="no";
   ::arg().setSwitch("8bit-dns", "Allow 8bit dns queries")="no";
   ::arg().setSwitch("axfr-lower-serial", "Also AXFR a zone from a master with a lower serial")="no";
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 05f206d4b..6ebb66c13 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
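Review bot: The help text of the new switch, `::arg().setSwitch("expand-alias", "Expand ALIAS records")="no";`, says nothing about its dependency on `resolver` or about what "expand" means at runtime, while the settings.md hunk in the same commit documents both; someone reading `--help` or the generated config only sees the short string. I would make it self-sufficient: `::arg().setSwitch("expand-alias", "Expand ALIAS records to A/AAAA at query time (requires 'resolver')")="no";`. Defaulting to "no" is the safer choice, because enabling it makes the authoritative server issue outbound lookups on behalf of any client that queries an ALIAS name — that rationale is only implied by the diff, so stating it in the settings documentation would help operators decide. declareArguments starts and ends outside this hunk.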
@@ -59,6 +59,7 @@ PacketHandler::PacketHandler():B(s_programname), d_dk(&B) { ++s_count; d_doDNAME=::arg().mustDo("dname-processing"); + d_doExpandALIAS = ::arg().mustDo("expand-alias"); d_logDNSDetails= ::arg().mustDo("log-dns-details"); d_doIPv6AdditionalProcessing = ::arg().mustDo("do-ipv6-additional-processing"); string fname= ::arg()["lua-prequery-script"]; @@ -1355,6 +1356,10 @@ DNSPacket *PacketHandler::doQuestion(DNSPacket *p) weRedirected=1; if(DP && rr.dr.d_type == QType::ALIAS && (p->qtype.getCode() == QType::A || p->qtype.getCode() == QType::AAAA || p->qtype.getCode() == QType::ANY)) { + if (!d_doExpandALIAS) { + L<(rr.dr)->d_content; } diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh index 6cf5b06f9..77a4c3788 100644 --- a/pdns/packethandler.hh +++ b/pdns/packethandler.hh @@ -108,6 +108,7 @@ private: bool d_logDNSDetails; bool d_doIPv6AdditionalProcessing; bool d_doDNAME; + bool d_doExpandALIAS; std::unique_ptr d_pdl; std::unique_ptr d_update_policy_lua; diff --git a/regression-tests/backends/gsql-common b/regression-tests/backends/gsql-common index e1a9259d5..5ccdc85e8 100644 --- a/regression-tests/backends/gsql-common +++ b/regression-tests/backends/gsql-common @@ -38,6 +38,7 @@ gsql_master() $RUNWRAPPER $PDNS --daemon=no --local-port=$port --config-dir=. \ --config-name=$backend --socket-dir=./ --no-shuffle \ --dnsupdate=yes --resolver=8.8.8.8 --outgoing-axfr-expand-alias=yes \ + --expand-alias=yes \ --cache-ttl=$cachettl --dname-processing \ --disable-axfr-rectify=yes $lua_prequery & -- 2.40.0
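Review bot: The new guard `if (!d_doExpandALIAS) {` in doQuestion appears to write a log line (`L<` is the logger idiom here) on every A, AAAA or ANY query that hits an ALIAS record while expansion is off; the rest of that block is not readable in this rendering (the text after `L<` was lost), so the log level and whether it skips the record with `continue` cannot be confirmed from the hunk. If the level is Warning or higher, any unauthenticated client can produce one log line per query toward an ALIAS name, which is a log-flooding vector; I would gate the message on `d_logDNSDetails` or keep it at Logger::Info/Debug, and state the intended outcome in a comment such as `// expand-alias is off: leave the ALIAS unexpanded so the query falls through to NODATA`. The constructor hunk reads the switch once via `::arg().mustDo("expand-alias")`, consistent with the neighbouring flags. doQuestion starts and ends outside this hunk.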
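Review bot: The new member `bool d_doExpandALIAS;` is undocumented like its neighbours, but as the flag that decides whether the server performs outbound resolution at query time it deserves a one-line comment: `bool d_doExpandALIAS; // expand-alias: synthesise A/AAAA for ALIAS at query time (default off)`. It is assigned in the PacketHandler constructor shown in the packethandler.cc hunk, so there is no uninitialised read as long as every constructor sets it; a default member initialiser, `bool d_doExpandALIAS{false};`, would make the safe value hold regardless of constructor path. The enclosing class starts and ends outside this hunk.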
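Review bot: Adding `--expand-alias=yes \` next to `--outgoing-axfr-expand-alias=yes` keeps the gsql regression suite on the expanded path only, so the behaviour this commit introduces by default — no expansion and NODATA for A/AAAA on an ALIAS name, per settings.md — is not exercised here unless another test covers it. One invocation without the flag, or a dedicated test that queries an ALIAS name against a server started with the default, would pin the new default so a later change that re-enables expansion is caught. gsql_master starts and ends outside this hunk.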