SOA-EDIT isn't applied to serials in non-apex negative responses #7361

Closed
mnordhoff opened this issue Jan 10, 2019 · 1 comment · Fixed by #7363

Comments

mnordhoff (Contributor) commented:

  • Program: Authoritative
  • Issue type: Bug report

Short description

When using SOA-EDIT, the edited serial number is used for important things, like SOA queries and zone transfers.

However, the backend database's original serial number is used for the SOA record in NXDOMAIN responses, and for NODATA responses that are not for the zone apex.

Zone apex NODATA responses also use the edited serial number.

I'm using DNSSEC; both SOA records are apparently signed correctly.

The SOA serial number in a negative response doesn't matter for anything, but creative resolvers will cache it as the zone's real SOA record.

Environment

  • Operating system: Ubuntu 16.04
  • Software version: 0.0.15744+0.g7c94d361cd and 0.0.15793+0.g732fda289a
  • Software source: PowerDNS repository

Steps to reproduce

  1. dig +dnssec +norecurse dns-l.mn9.us @ns2.mattnordhoffdns.org
  2. dig +dnssec +norecurse dns-l.mn9.us soa @ns2.mattnordhoffdns.org
  3. dig +dnssec +norecurse foo.dns-l.mn9.us aaaa @ns2.mattnordhoffdns.org
  4. dig +dnssec +norecurse nxdomain.dns-l.mn9.us @ns2.mattnordhoffdns.org
  5. Configure the zone below.
  6. sudo pdnsutil set-meta dns-l.mn9.us SOA-EDIT INCEPTION-INCREMENT
  7. sudo pdnsutil set-nsec3 dns-l.mn9.us "1 0 0 -"
  8. sudo pdnsutil secure-zone dns-l.mn9.us

Expected behaviour

The edited serial number everywhere.

Actual behaviour

Both serial numbers.

Other information

Related code?

pdns/pdns/packethandler.cc

Lines 969 to 1007 in c6bdd14

void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const DNSName& target, const DNSName& wildcard, SOAData& sd)
{
  DNSZoneRecord rr;
  rr.dr.d_name=sd.qname;
  rr.dr.d_type=QType::SOA;
  rr.dr.d_content=makeSOAContent(sd);   // sd.serial as loaded from the backend; no calculateEditSOA() on this path
  rr.dr.d_ttl=min(sd.ttl, sd.default_ttl);
  rr.signttl=sd.ttl;
  rr.domain_id=sd.domain_id;
  rr.dr.d_place=DNSResourceRecord::AUTHORITY;
  rr.auth = 1;
  r->addRecord(rr);
  if(d_dk.isSecuredZone(sd.qname))
    addNSECX(p, r, target, wildcard, sd.qname, 4);
  r->setRcode(RCode::NXDomain);
}

void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const DNSName& target, const DNSName& wildcard, SOAData& sd, int mode)
{
  DNSZoneRecord rr;
  rr.dr.d_name=sd.qname;
  rr.dr.d_type=QType::SOA;
  rr.dr.d_content=makeSOAContent(sd);   // same here: the backend serial goes into the SOA unedited
  rr.dr.d_ttl=sd.ttl;                   // overwritten by the next line
  rr.dr.d_ttl=min(sd.ttl, sd.default_ttl);
  rr.signttl=sd.ttl;
  rr.domain_id=sd.domain_id;
  rr.dr.d_place=DNSResourceRecord::AUTHORITY;
  rr.auth = 1;
  r->addRecord(rr);
  if(d_dk.isSecuredZone(sd.qname))
    addNSECX(p, r, target, wildcard, sd.qname, mode);
  S.ringAccount("noerror-queries",p->qdomain.toLogString()+"/"+p->qtype.getName());
}

pdns/pdns/packethandler.cc

Lines 1425 to 1435 in c6bdd14

/* Add in SOA if required */
if(target==sd.qname) {                  // apex only: here the serial is edited before the SOA is built
  rr.dr.d_name = sd.qname;
  rr.dr.d_type = QType::SOA;
  sd.serial = calculateEditSOA(sd.serial, d_dk, sd.qname);
  rr.dr.d_content = makeSOAContent(sd);
  rr.dr.d_ttl = sd.ttl;
  rr.domain_id = sd.domain_id;
  rr.auth = true;
  rrset.push_back(rr);
}

Zone:

$ORIGIN dns-l.mn9.us.
$TTL 3600
@			SOA	pdns0.mattnordhoff.net. rname.mn0.us. (
						2019011002
						3600
						1800
						432000
						3600
					)
@			NS	ns1.linode.com.
@			NS	ns2.linode.com.
@			NS	ns3.linode.com.
@			NS	ns4.linode.com.
@			NS	ns5.linode.com.
@			NS	ns2.mattnordhoffdns.org.
@			NS	ns3.mattnordhoffdns.com.
foo			A	192.0.2.0
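A consistency check for the behaviour described above, added here as an example and not code from the issue or from PowerDNS: it parses the SOA serial out of every section of a DNS response and reports each distinct serial the server emitted, so a server that applies SOA-EDIT only at the apex shows up as two serials. The two responses are constructed inline (the edited serial 2019011005 is an assumed value; the backend serial is the zone's 2019011002); in practice you would feed it the raw responses captured from the dig steps above.

```python
import struct  # standard library only, so this runs offline on constructed messages

def encode_name(name):  # dotted name -> uncompressed wire format
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):
    """Decode the name at msg[off], following compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:               # pointer: the field ends after these 2 bytes
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode())
            off += 1 + msg[off]
    return ".".join(labels) + ".", (end or off + 1)

def soa_rr(owner, serial, ttl=3600):  # SOA RR with the issue's MNAME/RNAME/timers
    rdata = encode_name("pdns0.mattnordhoff.net.") + encode_name("rname.mn0.us.")
    rdata += struct.pack("!IIIII", serial, 3600, 1800, 432000, 3600)
    return encode_name(owner) + struct.pack("!HHIH", 6, 1, ttl, len(rdata)) + rdata

def build_response(qname, qtype, rcode, answer=b"", authority=b"", ancount=0, nscount=0):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, ancount, nscount, 0)  # QR|AA, 1 question
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1) + answer + authority

def soa_serials(msg):
    """SOA serials found in each section of a DNS response (assumes one question)."""
    an, ns, ar = struct.unpack("!HHH", msg[6:12])
    off = read_name(msg, 12)[1] + 4               # skip QNAME, QTYPE, QCLASS
    found = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            hdr_at = read_name(msg, off)[1]
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[hdr_at:hdr_at + 10])
            rdata = hdr_at + 10
            if rtype == 6:                        # SOA: serial follows MNAME and RNAME
                p = read_name(msg, read_name(msg, rdata)[1])[1]
                found[section].append(struct.unpack("!I", msg[p:p + 4])[0])
            off = rdata + rdlen
    return found

def distinct_serials(messages):
    """Every SOA serial the server emitted; more than one means SOA-EDIT was not applied uniformly."""
    return {s for m in messages for v in soa_serials(m).values() for s in v}

# Constructed captures: 2019011005 stands in for the edited serial, 2019011002 is the zone's backend serial.
APEX_SOA = build_response("dns-l.mn9.us.", 6, 0, answer=soa_rr("dns-l.mn9.us.", 2019011005), ancount=1)
NXDOMAIN = build_response("nxdomain.dns-l.mn9.us.", 1, 3, authority=soa_rr("dns-l.mn9.us.", 2019011002), nscount=1)
```

Once the fix is deployed, distinct_serials() over the apex SOA answer, the non-apex NODATA and the NXDOMAIN responses should return a single serial.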
Habbie (Member) commented Jan 10, 2019

Habbie added this to the auth-4.2.0 milestone Jan 10, 2019
mind04 added a commit to mind04/pdns that referenced this issue Jan 10, 2019
mind04 added a commit to mind04/pdns that referenced this issue Jan 10, 2019
mind04 mentioned this issue Jan 10, 2019
mind04 added a commit to mind04/pdns that referenced this issue Jan 10, 2019
rgacogne modified the milestones: auth-4.2.0, auth-4.1.x Jan 11, 2019
mind04 added a commit to mind04/pdns that referenced this issue May 15, 2019