Do not follow CNAME records for ANY or CNAME queries #15008
Conversation
Pull Request Test Coverage Report for Build 12887559896Details
💛 - Coveralls |
miodvallat
force-pushed
the
cname_withheld_to_protect_the_innocent
branch
2 times, most recently
from
e47038f to
6f7e056
Compare
reading back what I wrote there, it turns out I did not include enough information for anybody (including myself) to see what that was about. In any case the RRSIG behaviour I see today (without your PR) looks just fine. |
|
This patch looks right. I wonder if any the wildcard, LUA and DNAME paths contain a similar bug, though. But this is an improvement in any case. Can you add a test? |
I am struggling with getting the existing tests to pass at the moment - a couple of the existing tests need oracle changes, but then further steps in the CI fail because they reuse the same tests and apparently don't need any change... |
miodvallat
force-pushed
the
cname_withheld_to_protect_the_innocent
branch
from
6f7e056 to
32f3173
Compare
| @@ -1,5 +1,7 @@ | |||
| 0 nxd.example.com. 120 IN CNAME nxdomain.example.com. | |||
| 0 nxd.example.com. 120 IN RRSIG CNAME 13 3 120 [expiry] [inception] [keytag] example.com. ... | |||
| 0 nxd.example.com. 86400 IN NSEC outpost.example.com. CNAME RRSIG NSEC | |||
There was a problem hiding this comment.
this extra output is unexpected. If anything I would expect some responses to become smaller!
There was a problem hiding this comment.
i wonder if we should be setting weDone when we match-but-don't-follow a CNAME?
The existing logic was only preventing this for CNAME queries. Fixes PowerDNS#5769
miodvallat
force-pushed
the
cname_withheld_to_protect_the_innocent
branch
from
32f3173 to
46928eb
Compare
Short description
This is an attempt at fixing #5769 (not addressing the RRSIG concern at the moment, though).
Disclaimer: I have no idea what I am doing.
Checklist
I have: