From 68fa524b395dd2d5909b96beb9da1fb6e2dc02ea Mon Sep 17 00:00:00 2001
From: Kees Monshouwer
Date: Wed, 11 Jun 2014 23:01:17 +0200
Subject: [PATCH] put Lua axfrfilter before zone type determination
---
pdns/slavecommunicator.cc | 87 +++++++++++++++++++++------------------
1 file changed, 47 insertions(+), 40 deletions(-)
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index c0cbdb3d6..80b3ad358 100644
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -170,57 +170,64 @@ void CommunicatorClass::suck(const string &domain,const string &remote) continue; } - if (i->qtype.getCode() == QType::NSEC3PARAM) { - ns3pr = NSEC3PARAMRecordContent(i->content); - isDnssecZone = isNSEC3 = true; - isNarrow = false; - continue; - } else if (i->qtype.getCode() == QType::NSEC3) { - NSEC3RecordContent ns3rc(i->content); - if (firstNSEC3) { - isDnssecZone = isPresigned = true; - firstNSEC3 = false; - } else if (optOutFlag != (ns3rc.d_flags & 1)) - throw PDNSException("Zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs are not supported."); - optOutFlag = ns3rc.d_flags & 1; - if (ns3rc.d_set.count(QType::NS) && !pdns_iequals(i->qname, domain)) - secured.insert(toLower(makeRelative(i->qname, domain))); - continue; - } else if (i->qtype.getCode() == QType::NSEC) { - isDnssecZone = isPresigned = true; - continue; + vector out; + if(!pdl || !pdl->axfrfilter(raddr, domain, *i, out)) { + out.push_back(*i); } - if(i->qtype.getCode() == QType::SOA) { - if(soa_serial != 0) - continue; //skip the last SOA - SOAData sd; - fillSOAData(i->content,sd); - soa_serial = sd.serial; - } + BOOST_FOREACH(DNSResourceRecord& rr, out) { + switch(rr.qtype.getCode()) { + case QType::NSEC3PARAM: { + ns3pr = NSEC3PARAMRecordContent(rr.content); + isDnssecZone = isNSEC3 = true; + isNarrow = false; + continue; + } + case QType::NSEC3: { + NSEC3RecordContent ns3rc(rr.content); + if (firstNSEC3) { + isDnssecZone = isPresigned = true; + firstNSEC3 = false; + } else if (optOutFlag != (ns3rc.d_flags & 1)) + throw PDNSException("Zones with a mixture of Opt-Out NSEC3 RRs and non-Opt-Out NSEC3 RRs are not supported."); + optOutFlag = ns3rc.d_flags & 1; + if (ns3rc.d_set.count(QType::NS) && !pdns_iequals(rr.qname, domain)) + secured.insert(toLower(makeRelative(rr.qname, domain))); + continue; + } + case QType::NSEC: { + isDnssecZone = isPresigned = true; + continue; + } + case QType::SOA: { + if(soa_serial != 0) + continue; //skip the last SOA + SOAData 
sd; + fillSOAData(rr.content,sd); + soa_serial = sd.serial; + break; + } + case QType::NS: { + if(!pdns_iequals(rr.qname, domain)) + nsset.insert(rr.qname); + break; + } + default: + break; + } - i->domain_id=domain_id; + qnames.insert(rr.qname); - vector out; - if(pdl && pdl->axfrfilter(raddr, domain, *i, out)) { - BOOST_FOREACH(const DNSResourceRecord& rr, out) { - rrs.push_back(rr); - } - } else { - rrs.push_back(*i); + rr.domain_id=domain_id; + rrs.push_back(rr); } } } + if(isNSEC3) { ns3pr.d_flags = optOutFlag ? 1 : 0; } - BOOST_FOREACH(const DNSResourceRecord& rr, rrs) { - if(rr.qtype.getCode() == QType::NS && !pdns_iequals(rr.qname, domain)) - nsset.insert(rr.qname); - qnames.insert(rr.qname); - } - if(!isPresigned) { DNSSECKeeper::keyset_t keys = dk.getKeys(domain); -- 2.40.0
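Review bot: In the `case QType::SOA` branch, `if(soa_serial != 0) continue; //skip the last SOA` uses the serial value itself as the "first SOA already seen" marker, so a zone whose SOA serial is 0 (a valid value) never takes the skip and the closing SOA of the transfer is pushed into `rrs` a second time. Because the Lua `axfrfilter` now runs before this branch, the serial tested here is the one the filter returned rather than the one received from the master, so a filter that rewrites the SOA can produce the same duplicate. A dedicated flag would make the skip independent of the serial, e.g. `if(seenSOA) continue;` followed by `seenSOA = true;`, with `bool seenSOA = false;` declared next to `soa_serial`. The declaration of `soa_serial` and the rest of `CommunicatorClass::suck` lie outside the hunk, so its initial value of 0 is assumed here and should be confirmed.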