From ebb4504339b45151ef7f81b42f1ad3d681e3c105 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Wed, 12 Sep 2018 16:12:46 +0200 Subject: [PATCH] rec: Refuse queries for rfc6895 section 3.1 meta types (cherry picked from commit ab1b5574d15a62e67a133828fc98502de830842c) (cherry picked from commit 6bf06d65b9c9b9c2c41351ca4b56d54e7619d925) --- pdns/syncres.cc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pdns/syncres.cc b/pdns/syncres.cc index 3c8bad405..f2813b4a8 100644 --- a/pdns/syncres.cc +++ b/pdns/syncres.cc @@ -117,6 +117,8 @@ SyncRes::SyncRes(const struct timeval& now) : d_authzonequeries(0), d_outquerie /** everything begins here - this is the entry point just after receiving a packet */ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qclass, vector&ret) { + /* rfc6895 section 3.1 + RRSIG and NSEC3 */ + static const std::set metaTypes = { QType::AXFR, QType::IXFR, QType::RRSIG, QType::NSEC3, QType::OPT, QType::TSIG, QType::TKEY, QType::MAILA, QType::MAILB }; vState state = Indeterminate; s_queries++; d_wasVariable=false; @@ -127,8 +129,9 @@ int SyncRes::beginResolve(const DNSName &qname, const QType &qtype, uint16_t qcl return 0; // so do check before updating counters (we do now) } - if( (qtype.getCode() == QType::AXFR) || (qtype.getCode() == QType::IXFR) || (qtype.getCode() == QType::RRSIG) || (qtype.getCode() == QType::NSEC3)) + if (metaTypes.count(qtype.getCode())) { return -1; + } if(qclass==QClass::ANY) qclass=QClass::IN; -- 2.40.0
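Review bot: The comment above `metaTypes` names the RFC section but gives no reason for refusing these types, and it does not say that ANY, which section 3.1 also lists as a QTYPE, is left out of the set (presumably on purpose, since a recursor is expected to answer ANY). I would extend it to something like `/* rfc6895 section 3.1 meta and Q types, plus RRSIG and NSEC3: none of these is record data a recursor can resolve, so refuse them; ANY is deliberately not listed */`. A reader auditing the list later can then tell an intentional omission from an oversight. beginResolve's body continues outside the hunk.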
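Review bot: The test `if (metaTypes.count(qtype.getCode()))` refuses only the codes listed by name, so an unassigned code in the 128-255 range, which RFC 6895 section 3.1 (as I read it) sets aside for Q and meta types, still goes on to resolution. If that is intended, a comment at the check would record it, e.g. `// only assigned meta types are refused; unassigned codes in 128-255 are still resolved`. If it is not, a range test that excepts ANY could replace the enumerated set. The `-1` result is handled by the caller, which is outside the hunk, so it is not visible here whether a refused query is logged or counted separately from other failures.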