Rec 4.0.x: be more resilient with broken auths #5726

Merged
merged 2 commits into from Oct 16, 2017

pieterlexis commented Sep 25, 2017

Short description

This PR solves an issue where we would SERVFAIL while trying to validate zones for which the auths either do not understand EDNS0 or give NXDOMAIN/SERVFAIL answers for non-A/AAAA queries.

The first commit ensures we stop validating a name once we hit an Insecure zone cut, all the while cleaning up getZoneCuts (no more pointer magic).

The second commit makes EDNS0 not mandatory anymore for DNSSEC (to work around broken auths).

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled and tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
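
An added illustration of the first commit's idea (not code from this PR or from PowerDNS; every type and function name is hypothetical): a simplified walk over the zone cuts from the root to the queried name. Once a parent has proven that no DS exists for a delegation, the result is Insecure and the auths below that cut are never asked for DNSKEY, so a broken auth there can no longer turn the answer into Bogus, which a validating resolver returns as SERVFAIL.

```cpp
// Added example, not PowerDNS code; every name below is hypothetical.
#include <iostream>
#include <string>
#include <vector>

enum class VState { Secure, Insecure, Bogus };
enum class DSResult { Present, ProvenAbsent };

// One delegation point on the path from the root to the queried name.
struct ZoneCut {
  std::string zone;
  DSResult ds;        // parent's validated answer about DS for this zone
  bool dnskeyAnswer;  // false models a broken auth failing the DNSKEY query
};

struct Outcome {
  VState state;
  std::vector<std::string> dnskeyQueries;  // zones whose auths were asked for DNSKEY
};

Outcome validatePath(const std::vector<ZoneCut>& cuts, bool stopAtInsecureCut) {
  Outcome out{VState::Secure, {}};
  for (const auto& cut : cuts) {
    if (cut.ds == DSResult::ProvenAbsent) {
      out.state = VState::Insecure;
      if (stopAtInsecureCut) return out;  // nothing below can be validated
    }
    out.dnskeyQueries.push_back(cut.zone);
    if (!cut.dnskeyAnswer) { out.state = VState::Bogus; return out; }
  }
  return out;
}

// Constructed sample path: signed parents, unsigned delegation to a broken auth.
std::vector<ZoneCut> samplePath() {
  return {{".", DSResult::Present, true},
          {"example.", DSResult::Present, true},
          {"broken.example.", DSResult::ProvenAbsent, false}};
}

int main() {
  for (bool stop : {false, true}) {
    Outcome o = validatePath(samplePath(), stop);
    std::cout << "stopAtInsecureCut=" << stop << " state=" << static_cast<int>(o.state)
              << " dnskeyQueries=" << o.dnskeyQueries.size() << "\n";
  }
}
```

A zone that still has a DS at its parent keeps failing as Bogus when its auth does not answer, so stopping at the cut does not weaken validation of signed zones.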

@pieterlexis pieterlexis requested a review from rgacogne Sep 25, 2017

@rgacogne

Looks good, although I have the feeling that we should rename ednsMANDATORY in this PR to avoid mistakes later.

@pieterlexis pieterlexis merged commit ef366df into PowerDNS:rel/rec-4.0.x Oct 16, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@pieterlexis pieterlexis deleted the pieterlexis:auth-406-per-cut-validation branch Oct 16, 2017
