recursor: DNSSEC related query flag processing #3752

merged 5 commits, Apr 29, 2016



3 participants


Please merge after #3741.

This PR ensures that we only do validation when asked (by means of the AD bit in the query) or in full-blown validation mode. The recursor now only returns DNSSEC records (RRSIG, NSEC, NSEC3) when the DO bit is set in the query (and won't validate on +DO unless in validate mode).

Furthermore, it solves a bug where a +CD in a query to a recursor with dnssec=off would lead to a response with the DO bit set.

Closes #3682
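As an added illustration (not PowerDNS code), here is the query-flag handling the description lays out, with a small wire-format parser for the AD/CD header bits and the EDNS DO bit. The mode names `off`, `process` and `validate`, the function names and the packet contents are assumptions constructed for this example.

```python
import struct

EDNS_HEADER_FLAG_DO = 0x8000  # DO flag in the OPT RR's TTL field (RFC 6891)
AD_BIT, CD_BIT = 0x0020, 0x0010  # header flag bits (RFC 4035)

def build_query(name, ad=False, cd=False, do=None):
    """Constructed test query: one A/IN question, optional OPT RR (do=None: no EDNS)."""
    flags = 0x0100 | (AD_BIT if ad else 0) | (CD_BIT if cd else 0)  # RD plus requested bits
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0 if do is None else 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    opt = b""
    if do is not None:  # root name, TYPE=OPT(41), UDP size, TTL carries the DO bit, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_HEADER_FLAG_DO if do else 0, 0)
    return header + qname + struct.pack("!HH", 1, 1) + opt

def query_flags(packet):
    """Return (ad, cd, do) from a query with QDCOUNT=1 and at most one OPT RR."""
    _, flags, qdcount, _, _, arcount = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qdcount):  # skip each QNAME (no compression in a question) + QTYPE/QCLASS
        while packet[off]:
            off += packet[off] + 1
        off += 5
    do = False
    if arcount and packet[off] == 0 and struct.unpack("!H", packet[off + 1:off + 3])[0] == 41:
        ttl = struct.unpack("!I", packet[off + 5:off + 9])[0]
        do = bool(ttl & EDNS_HEADER_FLAG_DO)
    return bool(flags & AD_BIT), bool(flags & CD_BIT), do

def dnssec_decision(dnssec_mode, ad, cd, do):
    """Policy as the PR describes it; 'off'/'process'/'validate' are assumed mode names.
    CD handling beyond the dnssec=off case is not described in the PR, so cd is unused there."""
    if dnssec_mode == "off":
        # Bug fixed by the PR: +CD must not produce a DO-set response when DNSSEC is off.
        return {"validate": False, "dnssec_records": False, "response_do": False}
    return {
        "validate": dnssec_mode == "validate" or ad,  # +DO alone does not trigger validation
        "dnssec_records": do,                          # RRSIG/NSEC/NSEC3 only for +DO
        "response_do": do,
    }

def decide(dnssec_mode, packet):
    return dnssec_decision(dnssec_mode, *query_flags(packet))
```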

@rgacogne rgacogne and 1 other commented on an outdated diff Apr 22, 2016
@@ -126,7 +126,7 @@ public:
bool matches(const DNSQuestion* dq) const override
- return dq->dh->cd || (getEDNSZ((const char*)dq->dh, dq->len) & EDNS_HEADER_FLAG_DO); // turns out dig sets ad by default..
+ return dq->dh->ad || (getEDNSZ((const char*)dq->dh, dq->len) & EDNS_HEADER_FLAG_DO);
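Review bot: swapping `dq->dh->cd` for `dq->dh->ad` drops the CD case entirely, so a query carrying only CD no longer matches; the thread agrees the documented behaviour is that any of CD, AD or DO should count, i.e. `return dq->dh->cd || dq->dh->ad || (getEDNSZ((const char*)dq->dh, dq->len) & EDNS_HEADER_FLAG_DO);`. The deleted comment ("turns out dig sets ad by default") also becomes more relevant once AD is in the condition, since the rule will then fire for every default dig query, so keep that note. As pieterlexis points out, this file is not part of the recursor, so the change does not belong in this PR.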
rgacogne Apr 22, 2016 Member

Hmm, this looks wrong, or at least would not be consistent with our documented behavior.

pieterlexis Apr 22, 2016 Member

Oh, this file is not part of the recursor. Based on the documentation, we should make this line

return dq->dh->cd || dq->dh->ad || (getEDNSZ((const char*)dq->dh, dq->len) & EDNS_HEADER_FLAG_DO);

As any of these flags could mean "do something with DNSSEC"

@ahupowerdns ahupowerdns merged commit 7d7444e into PowerDNS:master Apr 29, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@pieterlexis pieterlexis deleted the pieterlexis:issue-3682-DNSSEC-processing branch Apr 29, 2016