From 9fc36e9058984600762fa4e708a0688587fa3aba Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Tue, 12 Jul 2016 13:42:55 +0200 Subject: [PATCH] Don't validate internal or out-of-band names Closes #4149 Closes #4156 Closes #4157 --- pdns/pdns_recursor.cc | 5 +++-- pdns/syncres.cc | 7 +++++-- pdns/syncres.hh | 6 ++++++ 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc index af9d057ba..f054a54d1 100644 --- a/pdns/pdns_recursor.cc +++ b/pdns/pdns_recursor.cc @@ -709,6 +709,7 @@ void startDoResolve(void *p) bool tracedQuery=false; // we could consider letting Lua know about this too bool variableAnswer = false; + bool shouldNotValidate = false; int res; DNSFilterEngine::Policy dfepol; @@ -787,10 +788,10 @@ void startDoResolve(void *p) break; } - if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, dc->d_local, dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_tcp, ret, dc->d_ednsOpts.empty() ? 0 : &dc->d_ednsOpts, dc->d_tag, &appliedPolicy, &dc->d_policyTags, res, &variableAnswer)) { try { res = sr.beginResolve(dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_mdp.d_qclass, ret); + shouldNotValidate = sr.wasOutOfBand(); } catch(ImmediateServFailException &e) { if(g_logCommonErrors) @@ -888,7 +889,7 @@ void startDoResolve(void *p) pw.getHeader()->rcode=res; // Does the validation mode or query demand validation? - if(g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog || ((dc->d_mdp.d_header.ad || DNSSECOK) && g_dnssecmode==DNSSECMode::Process)) { + if(!shouldNotValidate && (g_dnssecmode == DNSSECMode::ValidateAll || g_dnssecmode==DNSSECMode::ValidateForLog || ((dc->d_mdp.d_header.ad || DNSSECOK) && g_dnssecmode==DNSSECMode::Process))) { try { if(sr.doLog()) { L<d_mdp.d_qname<<" for "<d_remote.toStringWithPort()<(DNSRecordContent::mastermake(QType::A, 1, "127.0.0.1")); ret.push_back(dr); + d_wasOutOfBand=true; return 0; } 
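Review bot: In the `@@ -787,10 +788,10 @@` hunk of pdns/pdns_recursor.cc, `shouldNotValidate` is assigned only after `sr.beginResolve()` returns, which appears to be inside the branch taken when the Lua `preresolve` hook did not answer. Records that the hook places in `ret` would then still reach the validation block with the flag at `false`, although they are as locally generated as the out-of-band names this commit exempts. If that is deliberate, a comment such as `// answers produced by preresolve are still validated on purpose` would record it; if not, the flag needs to be set on that path too. The page's whitespace is collapsed, so the nesting is inferred, and the body of `startDoResolve` continues outside the hunk.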
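Review bot: The new guard in the `@@ -888,7 +889,7 @@` hunk of pdns/pdns_recursor.cc skips DNSSEC validation for the whole response without leaving any trace, even when `sr.doLog()` is enabled. This flag is now the one switch that lets an answer through unvalidated in `ValidateAll` mode, so I would log the skip, for example `if(shouldNotValidate && sr.doLog()) L<<Logger::Warning<<"Not validating out-of-band answer for "<<dc->d_mdp.d_qname<<endl;`. I would also add a comment stating the invariant that the flag may only be true when no record in `ret` came from the network. The double negative `!shouldNotValidate` is easy to misread; a positive name such as `wasOutOfBand` would mirror the accessor. The rest of the validation block lies outside the hunk.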
@@ -165,6 +167,7 @@ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qcl dr.d_content=shared_ptr(DNSRecordContent::mastermake(QType::TXT, 3, "\""+s_serverID+"\"")); ret.push_back(dr); + d_wasOutOfBand=true; return 0; } @@ -420,7 +423,7 @@ int SyncRes::doResolve(const DNSName &qname, const QType &qtype, vector& servers = iter->second.d_servers; if(servers.empty()) { ret.clear(); - doOOBResolve(qname, qtype, ret, depth, res); + d_wasOutOfBand = doOOBResolve(qname, qtype, ret, depth, res); return res; } else { @@ -982,7 +985,7 @@ int SyncRes::doResolveAt(NsSet &nameservers, DNSName auth, bool flawedNSSet, con LWResult lwr; if(tns->empty() && nameservers[*tns].first.empty() ) { LOG(prefix<& srcmask, LWResult* res); static void doEDNSDumpAndClose(int fd); @@ -340,6 +345,7 @@ public: bool d_doDNSSEC; bool d_wasVariable{false}; + bool d_wasOutOfBand{false}; typedef multi_index_container < NegCacheEntry, -- 2.40.0
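Review bot: In the `@@ -420,7 +423,7 @@` hunk of pdns/syncres.cc, `d_wasOutOfBand = doOOBResolve(qname, qtype, ret, depth, res);` overwrites a per-object flag from inside `doResolve`, which takes a `depth` argument and so presumably also runs for nested lookups such as CNAME targets or nameserver addresses. If so, the last nested call to reach this branch decides whether `startDoResolve` validates the client's answer: a nested lookup served from a local zone could switch validation off for a response whose other records came from the network, and a later nested call could reset the flag to `false`. Consider assigning the flag only for the top-level call, or tracking it per answer rather than per `SyncRes` object, and documenting on `d_wasOutOfBand` in syncres.hh that it describes the final answer only. The `beginResolve` branches that set it to `true` and return immediately are not affected. `doResolve` starts and ends outside the hunk.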