
AXFR-in can handle secure and insecure NSEC3 optout delegations

1 parent 5aa7003 commit d3e7b177b95e613fef1fe2a31584c1e914991b26 @mind04 mind04 committed with Habbie Jul 3, 2013
Showing with 8 additions and 3 deletions.
  1. +8 −3 pdns/slavecommunicator.cc
@@ -155,6 +155,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
bool gotOptOutFlag = false;
unsigned int soa_serial = 0;
vector<DNSResourceRecord> rrs;
+ set<string> secured;
while(retriever.getChunk(recs)) {
if(first) {
L<<Logger::Error<<"AXFR started for '"<<domain<<"'"<<endl;
@@ -177,7 +178,10 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
continue;
} else if (i->qtype.getCode() == QType::NSEC3) {
dnssecZone = gotPresigned = true;
- gotOptOutFlag = NSEC3RecordContent(i->content).d_flags & 1;
+ NSEC3RecordContent ns3rc(i->content);
+ gotOptOutFlag = ns3rc.d_flags & 1;
+ if (ns3rc.d_set.count(QType::NS) && !pdns_iequals(i->qname, domain))
+ secured.insert(toLower(makeRelative(i->qname, domain)));
continue;
} else if (i->qtype.getCode() == QType::NSEC) {
dnssecZone = gotPresigned = true;
@@ -210,6 +214,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
}
}
+
BOOST_FOREACH(const DNSResourceRecord& rr, rrs) {
if(rr.qtype.getCode() == QType::NS && !pdns_iequals(rr.qname, domain))
nsset.insert(rr.qname);
@@ -276,8 +281,8 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
if (dnssecZone && rr.qtype.getCode() != QType::RRSIG) {
if (haveNSEC3) {
// NSEC3
- if(!narrow && (rr.auth || (rr.qtype.getCode() == QType::NS && !gotOptOutFlag))) {
- ordername=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
+ ordername=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
+ if(!narrow && (rr.auth || (rr.qtype.getCode() == QType::NS && (!gotOptOutFlag || secured.count(ordername))))) {
di.backend->feedRecord(rr, &ordername);
} else
di.backend->feedRecord(rr);
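Review bot: The `!pdns_iequals(i->qname, domain)` guard on the new NSEC3 branch (second hunk) never excludes anything, because an NSEC3 record's owner is always `<hash>.<domain>`, so the apex NSEC3 — whose type map carries NS — lands in `secured` as well; that looks harmless only because the apex NS RRset is presumably already fed via `rr.auth` on the other side, so either drop the guard or, if excluding the apex matters, compare against the hash of `domain` at lookup time where `ns3pr` is known. The hoisted `ordername=` line in the last hunk now runs the salted, iterated NSEC3 hash for every non-RRSIG record even when `narrow` is set, a case the old code skipped entirely; prefixing it with `if(!narrow)` keeps the previous cost profile without changing the result. The set lookup also silently assumes `ns3pr` carries the same salt and iteration count as the transferred chain; during a salt rollover the computed label will not match and the delegation NS is fed without an ordername, which deserves a comment such as `// secured holds the hash labels of NSEC3 records that list NS; under opt-out a miss means an opted-out (insecure) delegation`. The enclosing suck() body starts and ends outside these hunks.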
