recursor: DNSSEC related query flag processing #3752

Merged
merged 5 commits into from Apr 29, 2016


3 participants

@pieterlexis
Member

Please merge after #3741.

This PR ensures that we only do validation when asked (by means of the AD bit in the query) or in full-blown validation mode. The recursor now only returns DNSSEC records (RRSIG, NSEC, NSEC3) when the DO bit is set in the query (and won't validate on +DO unless in validate mode).

Furthermore, it solves a bug where a +CD in a query to a recursor with dnssec=off would lead to a response with the DO bit set.

Closes #3682
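The flag handling described in this PR, as an added illustration that is not PowerDNS code: a small C++ parser pulls the AD and CD bits from the DNS header and the DO bit from the EDNS OPT record, and a policy function applies the rules stated above (validate only on AD or in validate mode, return DNSSEC records only on DO, never set DO when dnssec=off). The `DnssecMode` enum, the intermediate `Process` mode, the function names and the constructed sample query are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <vector>

// Assumed resolver modes. The PR names "dnssec=off" and "validate mode";
// Process (handle DNSSEC records, validate only when the client asks) is an
// assumed intermediate mode used here for illustration.
enum class DnssecMode { Off, Process, Validate };

struct QueryFlags {
    bool ad = false;      // header AD bit: client asks for validation
    bool cd = false;      // header CD bit: checking disabled
    bool hasEdns = false; // an OPT pseudo-RR was present
    bool doBit = false;   // DO bit (0x8000) in the OPT record's Z field
};

static uint16_t be16(const std::vector<uint8_t>& p, size_t off) {
    return static_cast<uint16_t>((p.at(off) << 8) | p.at(off + 1));
}

// Advance pos past a wire-format name (labels or a compression pointer).
static void skipName(const std::vector<uint8_t>& pkt, size_t& pos) {
    for (;;) {
        if (pos >= pkt.size()) throw std::runtime_error("truncated name");
        uint8_t len = pkt[pos];
        if (len == 0) { pos += 1; return; }
        if ((len & 0xC0) == 0xC0) { pos += 2; return; } // pointer ends the name
        pos += 1 + len;
    }
}

// Extract AD/CD from the header and the DO bit from the OPT record, if any.
QueryFlags parseQueryFlags(const std::vector<uint8_t>& pkt) {
    if (pkt.size() < 12) throw std::runtime_error("short DNS header");
    QueryFlags f;
    f.ad = (pkt[3] & 0x20) != 0;
    f.cd = (pkt[3] & 0x10) != 0;
    uint16_t qd = be16(pkt, 4);
    unsigned rrs = be16(pkt, 6) + be16(pkt, 8) + be16(pkt, 10); // AN + NS + AR
    size_t pos = 12;
    for (uint16_t i = 0; i < qd; ++i) { skipName(pkt, pos); pos += 4; } // QTYPE, QCLASS
    for (unsigned i = 0; i < rrs; ++i) {
        skipName(pkt, pos);
        if (pos + 10 > pkt.size()) throw std::runtime_error("truncated RR");
        uint16_t type = be16(pkt, pos);
        uint16_t zField = be16(pkt, pos + 6); // low 16 bits of the OPT "TTL"
        uint16_t rdlen = be16(pkt, pos + 8);
        if (type == 41) { f.hasEdns = true; f.doBit = (zField & 0x8000) != 0; }
        pos += 10 + rdlen;
    }
    return f;
}

struct ResponsePlan {
    bool validate = false;             // run DNSSEC validation
    bool includeDnssecRecords = false; // return RRSIG/NSEC/NSEC3
    bool setDo = false;                // set DO in the response's OPT record
};

// Policy as stated in the PR: validate only on AD or in validate mode, return
// DNSSEC records only on DO, and never set DO when DNSSEC is off.
ResponsePlan planResponse(DnssecMode mode, const QueryFlags& q) {
    ResponsePlan p;
    if (mode == DnssecMode::Off) return p; // +CD or +DO change nothing here
    p.includeDnssecRecords = q.doBit;
    p.setDo = q.doBit;
    p.validate = (mode == DnssecMode::Validate) || q.ad; // DO alone does not validate
    return p;
}

// Constructed sample query for "example." / A with an optional OPT record.
std::vector<uint8_t> buildQuery(bool ad, bool cd, bool withOpt, bool doBit) {
    std::vector<uint8_t> p = {0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0};
    if (ad) p[3] |= 0x20;
    if (cd) p[3] |= 0x10;
    const uint8_t qname[] = {7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0};
    p.insert(p.end(), qname, qname + sizeof(qname));
    p.insert(p.end(), {0, 1, 0, 1}); // QTYPE A, QCLASS IN
    if (withOpt) {
        p[11] = 1; // ARCOUNT
        uint8_t z = doBit ? 0x80 : 0x00;
        // root name, TYPE OPT (41), UDP size 4096, ext-rcode, version, Z, RDLEN 0
        p.insert(p.end(), {0, 0, 41, 0x10, 0x00, 0, 0, z, 0, 0, 0});
    }
    return p;
}

int main() {
    QueryFlags q = parseQueryFlags(buildQuery(true, false, true, true));
    ResponsePlan plan = planResponse(DnssecMode::Process, q);
    std::cout << "validate=" << plan.validate << " dnssec-rrs=" << plan.includeDnssecRecords
              << " do=" << plan.setDo << "\n";
    return 0;
}
```

The parser walks the question section and every RR only to find the OPT record, mirroring what `getEDNSZ()` does in the hunk below; the policy is kept as a pure function so each combination of mode and flags can be table-tested.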

@rgacogne rgacogne and 1 other commented on an outdated diff Apr 22, 2016
pdns/dnsrulactions.hh
@@ -126,7 +126,7 @@ public:
}
bool matches(const DNSQuestion* dq) const override
{
- return dq->dh->cd || (getEDNSZ((const char*)dq->dh, dq->len) & EDNS_HEADER_FLAG_DO); // turns out dig sets ad by default..
+ return dq->dh->ad || (getEDNSZ((const char*)dq->dh, dq->len) & EDNS_HEADER_FLAG_DO);
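Review bot: replacing `cd` with `ad` in `matches()` drops the CD case entirely, so a query carrying only CD (no AD, no DO) stops matching this rule, while the intent discussed below is that any of the three flags counts. The deleted trailing comment ("turns out dig sets ad by default..") was also the only record of why AD was avoided originally, so if AD is added that caveat deserves a new comment. Suggest keeping all three signals: `return dq->dh->cd || dq->dh->ad || (getEDNSZ((const char*)dq->dh, dq->len) & EDNS_HEADER_FLAG_DO);`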
@rgacogne
rgacogne Apr 22, 2016 Member

Hmm, this looks wrong, or at least would not be consistent with our documented behavior.

@pieterlexis
pieterlexis Apr 22, 2016 Member

Oh, this file is not part of the recursor. Based on the documentation, we should make this line

return dq->dh->cd || dq->dh->ad || (getEDNSZ((const char*)dq->dh, dq->len) & EDNS_HEADER_FLAG_DO);

As any of these flags could mean "do something with DNSSEC".

@ahupowerdns ahupowerdns merged commit 7d7444e into PowerDNS:master Apr 29, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@pieterlexis pieterlexis deleted the pieterlexis:issue-3682-DNSSEC-processing branch Apr 29, 2016