
make superfluous 'bind' NSEC3 record optional

1 parent aa0976b commit 16cf9135f3e3fd4af95f0945bd95a4dbf57e9bf6 @mind04 mind04 committed with mind04 May 28, 2013
Showing with 11 additions and 2 deletions.
  1. +3 −0 pdns/common_startup.cc
  2. +1 −0 pdns/common_startup.hh
  3. +2 −2 pdns/packethandler.cc
  4. +5 −0 pdns/pdns.conf-dist
@@ -17,6 +17,7 @@
*/
#include "common_startup.hh"
bool g_anyToTcp;
+bool g_addSuperfluousNSEC3;
typedef Distributor<DNSPacket,DNSPacket,PacketHandler> DNSDistributor;
@@ -141,6 +142,7 @@ void declareArguments()
::arg().setSwitch("traceback-handler","Enable the traceback handler (Linux only)")="yes";
::arg().setSwitch("experimental-direct-dnskey","EXPERIMENTAL: fetch DNSKEY RRs from backend during DNSKEY synthesis")="no";
+ ::arg().setSwitch("add-superfluous-nsec3-for-old-bind","Add superfluous NSEC3 record to positive wildcard response")="yes";
::arg().set("default-ksk-algorithms","Default KSK algorithms")="rsasha256";
::arg().set("default-ksk-size","Default KSK size (0 means default)")="0";
::arg().set("default-zsk-algorithms","Default ZSK algorithms")="rsasha256";
@@ -334,6 +336,7 @@ void mainthread()
newuid=Utility::makeUidNumeric(::arg()["setuid"]);
g_anyToTcp = ::arg().mustDo("any-to-tcp");
+ g_addSuperfluousNSEC3 = ::arg().mustDo("add-superfluous-nsec3-for-old-bind");
DNSPacket::s_doEDNSSubnetProcessing = ::arg().mustDo("edns-subnet-processing");
#ifndef WIN32
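Review bot: `bool g_addSuperfluousNSEC3;` at file scope is zero-initialised to false, while the switch it mirrors is declared with a default of "yes", so the flag holds the opposite of the documented default until mainthread() assigns it. Any code that reaches the NSEC3 path without that assignment having run (a tool or test harness linking the packet handler, if one exists) would silently omit the matching NSEC3 from wildcard answers. Initialising it to match, `bool g_addSuperfluousNSEC3 = true;`, keeps the two defaults consistent. declareArguments() and mainthread() both continue outside the hunks shown.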
@@ -50,5 +50,6 @@ extern void mainthread();
extern int isGuarded( char ** );
extern bool g_anyToTcp;
+extern bool g_addSuperfluousNSEC3;
#endif // COMMON_STARTUP_HH
@@ -603,7 +603,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
// add matching NSEC3 RR
// we used to skip this one for mode 3, but old BIND needs it
// see https://github.com/PowerDNS/pdns/issues/814
- // if (mode != 3) {
+ if (mode != 3 || g_addSuperfluousNSEC3) {
unhashed=(mode == 0 || mode == 5) ? target : closest;
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
@@ -612,7 +612,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
getNSEC3Hashes(narrow, sd.db, sd.domain_id, hashed, false, unhashed, before, after);
DLOG(L<<"Done calling for matching, hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
emitNSEC3(ns3rc, sd, unhashed, before, after, target, r, mode);
- // }
+ }
// add covering NSEC3 RR
if (mode != 0 && mode != 5) {
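Review bot: The comment above `if (mode != 3 || g_addSuperfluousNSEC3) {` still reads as if the matching NSEC3 is always emitted, but after this change it is skipped for mode 3 whenever add-superfluous-nsec3-for-old-bind is off. I would reword it along the lines of `// matching NSEC3 is superfluous for mode 3; emitted there only when add-superfluous-nsec3-for-old-bind is set, because old BIND validators need it (issue 814)`. The option's help text could also say that switching it off may make such validators reject signed wildcard answers; that consequence is inferred from the existing comment, not shown in this diff. addNSEC3 starts before the first hunk and continues past the second.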
@@ -1,5 +1,10 @@
# Autogenerated configuration file template
#################################
+# add-superfluous-nsec3-for-old-bind Add superfluous NSEC3 record to positive wildcard response
+#
+# add-superfluous-nsec3-for-old-bind=yes
+
+#################################
# allow-axfr-ips Allow zonetransfers only to these subnets
#
# allow-axfr-ips=0.0.0.0/0,::/0
