
Don't add dnssec info, to any query results, for non validating resol…

…vers.
1 parent 95cea9b commit df554502f32671bb64bec267de48ec84da319dc6 @mind04 mind04 committed with mind04 Nov 19, 2012
@@ -1035,8 +1035,7 @@ bool PacketHandler::tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const st
void PacketHandler::completeANYRecords(DNSPacket *p, DNSPacket*r, SOAData& sd, const string &target)
{
if(!p->d_dnssecOk)
- ; // cerr<<"Need to add all the RRSIGs too for '"<<target<<"', should do this manually since DNSSEC was not requested"<<endl;
- // cerr<<"Need to add all the NSEC too.."<<endl; /// XXX FIXME THE ABOVE IF IS WEIRD
+ return; // Don't send dnssec info to non validating resolvers.
if(!d_dk.isSecuredZone(sd.qname))
return;
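Review bot: The comment on the new early return says "non validating resolvers", but the condition is `!p->d_dnssecOk`, which by its name records whether the query asked for DNSSEC records (presumably the EDNS DO bit), not whether the client validates. A resolver can set that flag without validating, so the comment should describe the flag, for example `return; // DNSSEC not requested in the query (d_dnssecOk unset): add no RRSIG/NSEC records to the ANY answer`. The two consecutive guards could also be merged into `if(!p->d_dnssecOk || !d_dk.isSecuredZone(sd.qname)) return;` so the exit conditions read as one rule. The body of completeANYRecords continues outside the hunk.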
@@ -1262,8 +1261,12 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
weDone = weRedirected = weHaveUnauth = 0;
while(B.get(rr)) {
- if (p->qtype.getCode() == QType::ANY && rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way.
- continue; //TODO: this actually means addRRSig should check if the RRSig is already there.
+ if (p->qtype.getCode() == QType::ANY) {
+ if (rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way.
+ continue; // TODO: this actually means addRRSig should check if the RRSig is already there.
+ if (!p->d_dnssecOk && (rr.qtype.getCode() == QType:: DNSKEY || rr.qtype.getCode() == QType::NSEC3PARAM))
+ continue; // Don't send dnssec info to non validating resolvers.
+ }
if(rr.qtype.getCode() == QType::DS)
rr.auth = 1;
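Review bot: The new `!p->d_dnssecOk` test inside the `QType::ANY` branch names only `DNSKEY` and `NSEC3PARAM`, so any other DNSSEC-only type that `B.get(rr)` can return would still be sent to a client that did not ask for DNSSEC data. If a backend can hold such records directly (for example NSEC or NSEC3 in a pre-signed zone, which this hunk does not show), consider extending the condition with `|| rr.qtype.getCode() == QType::NSEC || rr.qtype.getCode() == QType::NSEC3`, or documenting next to the check why those types cannot appear here. Dropping key records from these answers also keeps ANY responses smaller, which matters for an authoritative server that answers UDP queries from unauthenticated sources, so a regression test for the ANY-without-DNSSEC case is worth keeping alongside this change. The stray space in `QType:: DNSKEY` compiles but should read `QType::DNSKEY`; the loop body continues outside the hunk.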
@@ -1,16 +0,0 @@
-0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 257 3 8 ...
-0 example.com. IN MX 120 10 smtp-servers.example.com.
-0 example.com. IN MX 120 15 smtp-servers.test.com.
-0 example.com. IN NS 120 ns1.example.com.
-0 example.com. IN NS 120 ns2.example.com.
-0 example.com. IN SOA 100000 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-2 . IN OPT 0
-2 ns1.example.com. IN A 120 192.168.1.1
-2 ns2.example.com. IN A 120 192.168.1.2
-2 smtp-servers.example.com. IN A 120 192.168.0.2
-2 smtp-servers.example.com. IN A 120 192.168.0.3
-2 smtp-servers.example.com. IN A 120 192.168.0.4
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
-Reply to question for qname='example.com.', qtype=ANY
@@ -1,17 +0,0 @@
-0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 257 3 8 ...
-0 example.com. IN MX 120 10 smtp-servers.example.com.
-0 example.com. IN MX 120 15 smtp-servers.test.com.
-0 example.com. IN NS 120 ns1.example.com.
-0 example.com. IN NS 120 ns2.example.com.
-0 example.com. IN NSEC3PARAM 86400 1 0 1 abcd
-0 example.com. IN SOA 100000 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-2 . IN OPT 0
-2 ns1.example.com. IN A 120 192.168.1.1
-2 ns2.example.com. IN A 120 192.168.1.2
-2 smtp-servers.example.com. IN A 120 192.168.0.2
-2 smtp-servers.example.com. IN A 120 192.168.0.3
-2 smtp-servers.example.com. IN A 120 192.168.0.4
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
-Reply to question for qname='example.com.', qtype=ANY
@@ -1,17 +0,0 @@
-0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 256 3 8 ...
-0 example.com. IN DNSKEY 86400 257 3 8 ...
-0 example.com. IN MX 120 10 smtp-servers.example.com.
-0 example.com. IN MX 120 15 smtp-servers.test.com.
-0 example.com. IN NS 120 ns1.example.com.
-0 example.com. IN NS 120 ns2.example.com.
-0 example.com. IN NSEC3PARAM 86400 1 0 1 abcd
-0 example.com. IN SOA 100000 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-2 . IN OPT 0
-2 ns1.example.com. IN A 120 192.168.1.1
-2 ns2.example.com. IN A 120 192.168.1.2
-2 smtp-servers.example.com. IN A 120 192.168.0.2
-2 smtp-servers.example.com. IN A 120 192.168.0.3
-2 smtp-servers.example.com. IN A 120 192.168.0.4
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
-Reply to question for qname='example.com.', qtype=ANY
