set AA on CNAME into referral, fixes #589

Peter van Dijk · mind04 · commit 55b0653a56e1 · 2015-05-01T00:12:17.000+02:00
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
@@ -361,7 +361,7 @@ bool PacketHandler::getBestWildcard(DNSPacket *p, SOAData& sd, const string &tar
 }
 
 /** dangling is declared true if we were unable to resolve everything */
-int PacketHandler::doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, const SOAData& soadata)
+int PacketHandler::doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, const SOAData& soadata, bool retargeted)
 {
   DNSResourceRecord rr;
   SOAData sd;
@@ -381,7 +381,7 @@ int PacketHandler::doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, c
 
     // we now have a copy, push_back on packet might reallocate!
     for(vector<DNSResourceRecord>::const_iterator i=crrs.begin(); i!=crrs.end(); ++i) {
-      if(r->d.aa && !i->qname.empty() && i->qtype.getCode()==QType::NS && !B.getSOA(i->qname,sd,p)) { // drop AA in case of non-SOA-level NS answer, except for root referral
+      if(r->d.aa && !i->qname.empty() && i->qtype.getCode()==QType::NS && !B.getSOA(i->qname,sd,p) && !retargeted) { // drop AA in case of non-SOA-level NS answer, except for root referral
         r->setA(false);
         //	i->d_place=DNSResourceRecord::AUTHORITY; // XXX FIXME
       }
@@ -895,7 +895,7 @@ bool PacketHandler::addDSforNS(DNSPacket* p, DNSPacket* r, SOAData& sd, const st
   return gotOne;
 }
 
-bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const string &target)
+bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const string &target, bool retargeted)
 {
   vector<DNSResourceRecord> rrset = getBestReferralNS(p, sd, target);
   if(rrset.empty())
@@ -907,7 +907,8 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const st
     rr.d_place=DNSResourceRecord::AUTHORITY;
     r->addRecord(rr);
   }
-  r->setA(false);
+  if(!retargeted)
+    r->setA(false);
 
   if(d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->qname))
     addNSECX(p, r, rrset.begin()->qname, "", sd.qname, 1);
@@ -1144,7 +1145,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
     }
 
     DLOG(L<<"Checking for referrals first, unless this is a DS query"<<endl);
-    if(p->qtype.getCode() != QType::DS && tryReferral(p, r, sd, target))
+    if(p->qtype.getCode() != QType::DS && tryReferral(p, r, sd, target, retargetcount))
       goto sendit;
 
     DLOG(L<<"Got no referrals, trying ANY"<<endl);
@@ -1194,7 +1195,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
       if(p->qtype.getCode() == QType::DS)
       {
         DLOG(L<<"DS query found no direct result, trying referral now"<<endl);
-        if(tryReferral(p, r, sd, target))
+        if(tryReferral(p, r, sd, target, retargetcount))
         {
           DLOG(L<<"got referral for DS query"<<endl);
           goto sendit;
@@ -1253,7 +1254,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
     }
     else if(weHaveUnauth) {
       DLOG(L<<"Have unauth data, so need to hunt for best NS records"<<endl);
-      if(tryReferral(p, r, sd, target))
+      if(tryReferral(p, r, sd, target, retargetcount))
         goto sendit;
       // check whether this could be fixed easily
       if (*(rr.qname.rbegin()) == '.') {
@@ -1268,7 +1269,7 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
     }
     
   sendit:;
-    if(doAdditionalProcessingAndDropAA(p, r, sd)<0) {
+    if(doAdditionalProcessingAndDropAA(p, r, sd, retargetcount)<0) {
       delete r;
       return 0;
     }
diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh
@@ -96,7 +96,7 @@ private:
   bool addNSEC3PARAM(DNSPacket *p, DNSPacket *r, const SOAData& sd);
   bool getAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
   bool getTLDAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
-  int doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, const SOAData& sd);
+  int doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, const SOAData& sd, bool retargeted);
   bool doDNSSECProcessing(DNSPacket* p, DNSPacket *r);
   void addNSECX(DNSPacket *p, DNSPacket* r, const string &target, const string &wildcard, const std::string &auth, int mode);
   void addNSEC(DNSPacket *p, DNSPacket* r, const string &target, const string &wildcard, const std::string& auth, int mode);
@@ -109,7 +109,7 @@ private:
   void makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd);
   void makeNOError(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd, int mode);
   vector<DNSResourceRecord> getBestReferralNS(DNSPacket *p, SOAData& sd, const string &target);
-  bool tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const string &target);
+  bool tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const string &target, bool retargeted);
 
   bool getBestWildcard(DNSPacket *p, SOAData& sd, const string &target, string &wildcard, vector<DNSResourceRecord>* ret);
   bool tryWildcard(DNSPacket *p, DNSPacket*r, SOAData& sd, string &target, string &wildcard, bool& retargeted, bool& nodata);

Original file line number	Diff line number	Diff line change
`@@ -361,7 +361,7 @@ bool PacketHandler::getBestWildcard(DNSPacket *p, SOAData& sd, const string &tar`
`361`	`361`	`}`
`362`	`362`
`363`	`363`	`/** dangling is declared true if we were unable to resolve everything */`
`364`		`-int PacketHandler::doAdditionalProcessingAndDropAA(DNSPacket p, DNSPacket r, const SOAData& soadata)`
	`364`	`+int PacketHandler::doAdditionalProcessingAndDropAA(DNSPacket p, DNSPacket r, const SOAData& soadata, bool retargeted)`
`365`	`365`	`{`
`366`	`366`	`DNSResourceRecord rr;`
`367`	`367`	`SOAData sd;`
`@@ -381,7 +381,7 @@ int PacketHandler::doAdditionalProcessingAndDropAA(DNSPacket p, DNSPacket r, c`
`381`	`381`
`382`	`382`	`// we now have a copy, push_back on packet might reallocate!`
`383`	`383`	`for(vector<DNSResourceRecord>::const_iterator i=crrs.begin(); i!=crrs.end(); ++i) {`
`384`		`- if(r->d.aa && !i->qname.empty() && i->qtype.getCode()==QType::NS && !B.getSOA(i->qname,sd,p)) { // drop AA in case of non-SOA-level NS answer, except for root referral`
	`384`	`+ if(r->d.aa && !i->qname.empty() && i->qtype.getCode()==QType::NS && !B.getSOA(i->qname,sd,p) && !retargeted) { // drop AA in case of non-SOA-level NS answer, except for root referral`
`385`	`385`	`r->setA(false);`
`386`	`386`	`// i->d_place=DNSResourceRecord::AUTHORITY; // XXX FIXME`
`387`	`387`	`}`
`@@ -895,7 +895,7 @@ bool PacketHandler::addDSforNS(DNSPacket* p, DNSPacket* r, SOAData& sd, const st`
`895`	`895`	`return gotOne;`
`896`	`896`	`}`
`897`	`897`
`898`		`-bool PacketHandler::tryReferral(DNSPacket p, DNSPacketr, SOAData& sd, const string &target)`
	`898`	`+bool PacketHandler::tryReferral(DNSPacket p, DNSPacketr, SOAData& sd, const string &target, bool retargeted)`
`899`	`899`	`{`
`900`	`900`	`vector<DNSResourceRecord> rrset = getBestReferralNS(p, sd, target);`
`901`	`901`	`if(rrset.empty())`
`@@ -907,7 +907,8 @@ bool PacketHandler::tryReferral(DNSPacket p, DNSPacketr, SOAData& sd, const st`
`907`	`907`	`rr.d_place=DNSResourceRecord::AUTHORITY;`
`908`	`908`	`r->addRecord(rr);`
`909`	`909`	`}`
`910`		`- r->setA(false);`
	`910`	`+ if(!retargeted)`
	`911`	`+ r->setA(false);`
`911`	`912`
`912`	`913`	`if(d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->qname))`
`913`	`914`	`addNSECX(p, r, rrset.begin()->qname, "", sd.qname, 1);`
`@@ -1144,7 +1145,7 @@ DNSPacket PacketHandler::questionOrRecurse(DNSPacket p, bool *shouldRecurse)`
`1144`	`1145`	`}`
`1145`	`1146`
`1146`	`1147`	`DLOG(L<<"Checking for referrals first, unless this is a DS query"<<endl);`
`1147`		`- if(p->qtype.getCode() != QType::DS && tryReferral(p, r, sd, target))`
	`1148`	`+ if(p->qtype.getCode() != QType::DS && tryReferral(p, r, sd, target, retargetcount))`
`1148`	`1149`	`goto sendit;`
`1149`	`1150`
`1150`	`1151`	`DLOG(L<<"Got no referrals, trying ANY"<<endl);`
`@@ -1194,7 +1195,7 @@ DNSPacket PacketHandler::questionOrRecurse(DNSPacket p, bool *shouldRecurse)`
`1194`	`1195`	`if(p->qtype.getCode() == QType::DS)`
`1195`	`1196`	`{`
`1196`	`1197`	`DLOG(L<<"DS query found no direct result, trying referral now"<<endl);`
`1197`		`- if(tryReferral(p, r, sd, target))`
	`1198`	`+ if(tryReferral(p, r, sd, target, retargetcount))`
`1198`	`1199`	`{`
`1199`	`1200`	`DLOG(L<<"got referral for DS query"<<endl);`
`1200`	`1201`	`goto sendit;`
`@@ -1253,7 +1254,7 @@ DNSPacket PacketHandler::questionOrRecurse(DNSPacket p, bool *shouldRecurse)`
`1253`	`1254`	`}`
`1254`	`1255`	`else if(weHaveUnauth) {`
`1255`	`1256`	`DLOG(L<<"Have unauth data, so need to hunt for best NS records"<<endl);`
`1256`		`- if(tryReferral(p, r, sd, target))`
	`1257`	`+ if(tryReferral(p, r, sd, target, retargetcount))`
`1257`	`1258`	`goto sendit;`
`1258`	`1259`	`// check whether this could be fixed easily`
`1259`	`1260`	`if (*(rr.qname.rbegin()) == '.') {`
`@@ -1268,7 +1269,7 @@ DNSPacket PacketHandler::questionOrRecurse(DNSPacket p, bool *shouldRecurse)`
`1268`	`1269`	`}`
`1269`	`1270`
`1270`	`1271`	`sendit:;`
`1271`		`- if(doAdditionalProcessingAndDropAA(p, r, sd)<0) {`
	`1272`	`+ if(doAdditionalProcessingAndDropAA(p, r, sd, retargetcount)<0) {`
`1272`	`1273`	`delete r;`
`1273`	`1274`	`return 0;`
`1274`	`1275`	`}`