Recursor 4.0.0 DNSSEC fixes #4162

merged 7 commits into PowerDNS:master from pieterlexis:post-400-dnssec-fixes on Jul 15, 2016



@pieterlexis pieterlexis added the rec label Jul 12, 2016
@Habbie Habbie commented on the diff Jul 13, 2016
@@ -787,10 +788,10 @@ void startDoResolve(void *p)
if(!t_pdl->get() || !(*t_pdl)->preresolve(dc->d_remote, dc->d_local, dc->d_mdp.d_qname, QType(dc->d_mdp.d_qtype), dc->d_tcp, ret, dc->d_ednsOpts.empty() ? 0 : &dc->d_ednsOpts, dc->d_tag, &appliedPolicy, &dc->d_policyTags, res, &variableAnswer)) {
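Review bot: the `if(!t_pdl->get() || !(*t_pdl)->preresolve(...))` condition gives no hint of how DNSSEC validation is treated when preresolve returns true and the body is skipped; a short comment at this branch saying where validation is suppressed for Lua-handled queries would document that next to the decision. The call also passes twelve positional arguments with an inline `dc->d_ednsOpts.empty() ? 0 : &dc->d_ednsOpts`; hoisting that ternary into a named local would make the line easier to review.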
Habbie Jul 13, 2016 Member

we most likely also shouldn't validate if preresolve indeed took the query

pieterlexis Jul 13, 2016 Member

we discussed this today, the code already ensures no DNSSEC validation will take place if the query is handled by Lua

Habbie commented Jul 13, 2016 edited

LGTM. As said, we probably need to help Lua out a bit as well.

pieterlexis added some commits Jul 12, 2016
@pieterlexis pieterlexis Use g_dnssecmode global instead of the slower arg() e7b1888
@pieterlexis pieterlexis Fix filename to match test names adc1b25
@pieterlexis pieterlexis Don't validate internal or out-of-band names
Closes #4149
Closes #4156
Closes #4157
@pieterlexis pieterlexis Skip a level when a CNAME is found for the name
If we'd encounter a CNAME when chasing for DS/DNSKEY, we followed it and
concluded that the domain was bogus. We now skip this level and try to
get a DS record for the next name.

I'm unsure this is the correct solution, but it fixes #4158
@pieterlexis pieterlexis Add tests for out of band names 2276d8e
@pieterlexis pieterlexis Add test for #4158 694ef44
@pieterlexis pieterlexis Add changelog entries 6a55699
@pieterlexis pieterlexis merged commit ee85668 into PowerDNS:master Jul 15, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
@pieterlexis pieterlexis deleted the pieterlexis:post-400-dnssec-fixes branch Jul 15, 2016