Recursor 4.0.0 DNSSEC fixes #4162

Merged
merged 7 commits into from Jul 15, 2016

@pieterlexis
Member

Needs scrutinizing

@pieterlexis pieterlexis added the rec label Jul 12, 2016
@Habbie Habbie commented on the diff Jul 13, 2016
pdns/pdns_recursor.cc
@@ -787,10 +788,10 @@ void startDoResolve(void *p)
break;
}
-
if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, dc->d_local, dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_tcp, ret, dc->d_ednsOpts.empty() ? 0 : &dc->d_ednsOpts, dc->d_tag, &appliedPolicy, &dc->d_policyTags, res, &variableAnswer)) {
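Review bot: The `preresolve(...)` condition on the last line of this hunk has no comment saying what happens to DNSSEC validation when the Lua hook returns true and the query never enters this branch. The only visible change here is dropping the blank line above the `if`, so a one-line comment above the condition stating that expectation would let a reader check it without tracing the rest of `startDoResolve`. Separately, `dc->d_ednsOpts.empty() ? 0 : &dc->d_ednsOpts` passes a literal `0` as a null pointer; `nullptr` would read more clearly if the code base allows C++11.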
@Habbie
Habbie Jul 13, 2016 Member

We most likely also shouldn't validate if preresolve indeed took the query.

@pieterlexis
pieterlexis Jul 13, 2016 Member

We discussed this today; the code already ensures no DNSSEC validation will take place if the query is handled by Lua.

@Habbie
Member
Habbie commented Jul 13, 2016 edited

LGTM. As said, we probably need to help Lua out a bit as well.

pieterlexis added some commits Jul 12, 2016
@pieterlexis pieterlexis Use g_dnssecmode global instead of the slower arg() e7b1888
@pieterlexis pieterlexis Fix filename to match test names adc1b25
@pieterlexis pieterlexis Don't validate internal or out-of-band names
Closes #4149
Closes #4156
Closes #4157
9fc36e9
@pieterlexis pieterlexis Skip a level when a CNAME is found for the name
If we encountered a CNAME when chasing for DS/DNSKEY, we followed it and
concluded that the domain was bogus. We now skip this level and try to
get a DS record for the next name.

I'm unsure this is the correct solution, but it fixes #4158
19d1e7b
@pieterlexis pieterlexis Add tests for out of band names 2276d8e
@pieterlexis pieterlexis Add test for #4158 694ef44
@pieterlexis pieterlexis Add changelog entries 6a55699
@pieterlexis pieterlexis merged commit ee85668 into PowerDNS:master Jul 15, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@pieterlexis pieterlexis deleted the pieterlexis:post-400-dnssec-fixes branch Jul 15, 2016