
Make the negcache forwarded zones aware

Because of DNSSEC (without NTAs configured), we 'leak' the forwarded
name to the cache when looking for the DNSKEY. This resulted in NXDOMAIN
answers for actual NXDOMAINs, but carrying the root SOA record, leading to
inconsistent answers to the client.
1 parent 0dbcd62 commit d8cd67be324881403d99733d5efd3c83410a9fc8 @pieterlexis pieterlexis committed Aug 29, 2016
Showing with 7 additions and 2 deletions.
  1. +7 −2 pdns/syncres.cc
@@ -758,9 +758,13 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
pair<negcache_t::const_iterator, negcache_t::const_iterator> range;
QType qtnull(0);
+ DNSName authname(qname);
+ bool wasForwardedOrAuth = (getBestAuthZone(&authname) != t_sstorage->domainmap->end());
+
if(s_rootNXTrust &&
(range.first=t_sstorage->negcache.find(tie(getLastLabel(qname), qtnull))) != t_sstorage->negcache.end() &&
- range.first->d_qname.isRoot() && (uint32_t)d_now.tv_sec < range.first->d_ttd ) {
+ !(wasForwardedOrAuth && !authname.isRoot()) && // when forwarding, the root may only neg-cache if it was forwarded to.
+ range.first->d_qname.isRoot() && (uint32_t)d_now.tv_sec < range.first->d_ttd) {
sttl=range.first->d_ttd - d_now.tv_sec;
LOG(prefix<<qname<<": Entire name '"<<qname<<"', is negatively cached via '"<<range.first->d_name<<"' & '"<<range.first->d_qname<<"' for another "<<sttl<<" seconds"<<endl);
@@ -776,7 +780,8 @@ bool SyncRes::doCacheCheck(const DNSName &qname, const QType &qtype, vector<DNSR
negcache_t::iterator ni;
for(ni=range.first; ni != range.second; ni++) {
// we have something
- if(ni->d_qtype.getCode() == 0 || ni->d_qtype == qtype) {
+ if(!(wasForwardedOrAuth && ni->d_qname != authname) && // Only the authname nameserver can neg cache entries
+ (ni->d_qtype.getCode() == 0 || ni->d_qtype == qtype)) {
res=0;
if((uint32_t)d_now.tv_sec < ni->d_ttd) {
sttl=ni->d_ttd - d_now.tv_sec;
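Review bot: The negative-cache match in the second hunk, `!(wasForwardedOrAuth && ni->d_qname != authname)`, lets a forwarded or auth zone use a cached negative entry only when the SOA owner stored in `d_qname` is exactly the zone apex found by `getBestAuthZone`; if the forwarder hands back a negative answer whose SOA owner is a child of the forwarded name (plausible with a forward-recurse target serving `sub.example.com` under a zone forwarded at `example.com`), that entry would never match and every such query would go back to the forwarder, a cache bypass rather than the root-SOA leak this commit fixes. If DNSName exposes a containment test, `!(wasForwardedOrAuth && !ni->d_qname.isPartOf(authname))` would still reject the leaked root entry while keeping in-zone negative answers usable — confirm against how `d_qname` is populated when a forwarded answer is inserted into the negcache. The inline comment `// Only the authname nameserver can neg cache entries` is hard to parse; `// for forwarded/auth zones, only use a negative entry whose SOA owner is that zone` says what the test actually checks. The first hunk's `!authname.isRoot()` relies on `getBestAuthZone(&authname)` rewriting `authname` in place to the matching zone, which is not visible here and deserves a one-line comment at the declaration, e.g. `// authname is trimmed to the best matching forward/auth zone, or left as-is if none`. doCacheCheck starts before the first hunk and continues past the last line shown.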
