AXFR-in can handle secure and insecure NSEC3 optout delegations

PowerDNS · Jul 4, 2013 · d3e7b17 · d3e7b17
1 parent 5aa7003
commit d3e7b17
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
@@ -155,6 +155,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
     bool gotOptOutFlag = false;
     unsigned int soa_serial = 0;
     vector<DNSResourceRecord> rrs;
+    set<string> secured;
     while(retriever.getChunk(recs)) {
       if(first) {
         L<<Logger::Error<<"AXFR started for '"<<domain<<"'"<<endl;
@@ -177,7 +178,10 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
           continue;
         } else if (i->qtype.getCode() == QType::NSEC3) {
           dnssecZone = gotPresigned = true;
-          gotOptOutFlag = NSEC3RecordContent(i->content).d_flags & 1;
+          NSEC3RecordContent ns3rc(i->content);
+          gotOptOutFlag = ns3rc.d_flags & 1;
+          if (ns3rc.d_set.count(QType::NS) && !pdns_iequals(i->qname, domain))
+            secured.insert(toLower(makeRelative(i->qname, domain)));
           continue;
         } else if (i->qtype.getCode() == QType::NSEC) {
           dnssecZone = gotPresigned = true;
@@ -210,6 +214,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
       }
     }
 
+
     BOOST_FOREACH(const DNSResourceRecord& rr, rrs) {
       if(rr.qtype.getCode() == QType::NS && !pdns_iequals(rr.qname, domain))
         nsset.insert(rr.qname);
@@ -276,8 +281,8 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
       if (dnssecZone && rr.qtype.getCode() != QType::RRSIG) {
         if (haveNSEC3) {
           // NSEC3
-          if(!narrow && (rr.auth || (rr.qtype.getCode() == QType::NS && !gotOptOutFlag))) {
-            ordername=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
+          ordername=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname)));
+          if(!narrow && (rr.auth || (rr.qtype.getCode() == QType::NS && (!gotOptOutFlag || secured.count(ordername))))) {
             di.backend->feedRecord(rr, &ordername);
           } else
             di.backend->feedRecord(rr);