fix getAuth for DS queries at apex

Author: mind04

pdns/packethandler.cc

@@ -286,20 +286,23 @@ int PacketHandler::doVersionRequest(DNSPacket *p, DNSPacket *r, string &target)
 /** Determines if we are authoritative for a zone, and at what level */
 bool PacketHandler::getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId)
 {
+  bool found=false;
   string subdomain(target);
   do {
     if( B.getSOA( subdomain, *sd, p ) ) {
-      if(p->qtype.getCode() == QType::DS && pdns_iequals(subdomain, target)) 
-        continue; // A DS question is never answered from the apex, go one zone upwards 
-      
       sd->qname = subdomain;
       if(zoneId)
         *zoneId = sd->domain_id;
-      return true;
+
+      if(p->qtype.getCode() == QType::DS && pdns_iequals(subdomain, target)) {
+        // Found authoritative zone but look for parent zone with 'DS' record.
+        found=true;
+      } else
+        return true;
     }
   }
   while( chopOff( subdomain ) );   // 'www.powerdns.org' -> 'powerdns.org' -> 'org' -> ''
-  return false;
+  return found;
 }
 
 vector<DNSResourceRecord> PacketHandler::getBestReferralNS(DNSPacket *p, SOAData& sd, const string &target)

regression-tests/ds-at-apex-noerror/command

@@ -0,0 +1,3 @@
+#!/bin/sh
+cleandig example.com DS dnssec
+

regression-tests/ds-at-apex-noerror/description

@@ -0,0 +1 @@
+This test tries to resolve a non-existent DS at apex

regression-tests/ds-at-apex-noerror/expected_result

@@ -0,0 +1,4 @@
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=DS

regression-tests/ds-at-apex-noerror/expected_result.dnssec

@@ -0,0 +1,7 @@
+1	example.com.	IN	NSEC	86400	double.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1	example.com.	IN	RRSIG	86400	NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=DS

regression-tests/ds-at-apex-noerror/expected_result.narrow

@@ -0,0 +1,7 @@
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=DS

regression-tests/ds-at-apex-noerror/expected_result.nsec3

@@ -0,0 +1,7 @@
+1	example.com.	IN	RRSIG	86400	SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1	example.com.	IN	SOA	86400	ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	NSEC3	86400	1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1	vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.	IN	RRSIG	86400	NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2	.	IN	OPT	32768	
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='example.com.', qtype=DS