From 68f09ddaeb3ef2bde81c41daa46e4b80b494349b Mon Sep 17 00:00:00 2001
From: Miod Vallat
Date: Fri, 3 Jan 2025 09:12:58 +0100
Subject: [PATCH 1/2] Do not follow CNAME records for ANY or CNAME queries.
The existing logic was only preventing this for CNAME queries. Fixes #5769
---
 pdns/packethandler.cc | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 8483814d1954..4bb5bf7c6a18 100644
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -1630,10 +1630,12 @@ std::unique_ptr PacketHandler::doQuestion(DNSPacket& p)
 rr.scopeMask = p.getRealRemote().getBits(); // this makes sure answer is a specific as your question
 rrset.push_back(rr);
 }
- if(rec->d_type == QType::CNAME && p.qtype.getCode() != QType::CNAME)
+ if(rec->d_type == QType::CNAME && (p.qtype.getCode() != QType::ANY && p.qtype.getCode() != QType::CNAME)) {
 weRedirected = true;
- else
+ }
+ else {
 weDone = true;
+ }
 }
 }
 catch(std::exception &e) {
@@ -1660,8 +1662,9 @@ std::unique_ptr PacketHandler::doQuestion(DNSPacket& p)
 if((rr.dr.d_type == p.qtype.getCode() && !rr.auth) || (rr.dr.d_type == QType::NS && (!rr.auth || !(d_sd.qname==rr.dr.d_name))))
 weHaveUnauth=true;
- if(rr.dr.d_type == QType::CNAME && p.qtype.getCode() != QType::CNAME)
- weRedirected=true;
+ if (rr.dr.d_type == QType::CNAME && (p.qtype.getCode() != QType::ANY && p.qtype.getCode() != QType::CNAME)) {
+ weRedirected = true;
+ }
 if (DP && rr.dr.d_type == QType::ALIAS && (p.qtype.getCode() == QType::A || p.qtype.getCode() == QType::AAAA || p.qtype.getCode() == QType::ANY) && !d_dk.isPresigned(d_sd.qname)) {
 if (!d_doExpandALIAS) {
From 46928eb93af79bc9ae22ff09c8ccce1bd7f033d9 Mon Sep 17 00:00:00 2001
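Review bot: The new guard `p.qtype.getCode() != QType::ANY && p.qtype.getCode() != QType::CNAME` now appears verbatim on the changed `if(rec->d_type == QType::CNAME ...` line here and again in the second hunk at line 1662, so the two sites stay in sync only by hand, which is exactly the kind of divergence this fix is repairing. I would factor it into one named predicate, e.g. `static bool cnameIsFollowedFor(const QType& qtype) { return qtype.getCode() != QType::ANY && qtype.getCode() != QType::CNAME; }`, and call it from both places with `p.qtype`. The new line in this hunk also keeps the no-space `if(` form while the new line in the other hunk uses `if (`; picking one would keep the diff consistent with itself. doQuestion starts and ends outside this hunk.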
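Review bot: The reason an ANY query no longer chases the CNAME is not recorded anywhere in the code, and the ALIAS condition directly below the new block still lists `QType::ANY` explicitly, so a reader sees ANY expand ALIAS but not CNAME with no hint that the asymmetry is deliberate. I would put a comment on the new `if (rr.dr.d_type == QType::CNAME && ...` line such as `// An ANY or CNAME query is satisfied by the CNAME RR itself; only other qtypes restart at the target (RFC 1034 §3.6.2).` As I read it, ALIAS is server-side expansion the client never sees, so keeping ANY in that second condition looks correct, but a one-line comment there saying so would stop the next reader from "fixing" it to match. doQuestion continues outside this hunk.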
From: Miod Vallat
Date: Mon, 20 Jan 2025 08:04:43 +0100
Subject: [PATCH 2/2] Update test oracles due to behaviour change.
---
 .../tests/cname-to-nxdomain-any/expected_result.dnssec | 2 ++
 .../tests/cname-to-unauth-any/expected_result.dnssec | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/regression-tests/tests/cname-to-nxdomain-any/expected_result.dnssec b/regression-tests/tests/cname-to-nxdomain-any/expected_result.dnssec
index c28605d52d50..8b25e9d402b4 100644
--- a/regression-tests/tests/cname-to-nxdomain-any/expected_result.dnssec
+++ b/regression-tests/tests/cname-to-nxdomain-any/expected_result.dnssec
@@ -1,5 +1,7 @@
 0 nxd.example.com. 120 IN CNAME nxdomain.example.com.
 0 nxd.example.com. 120 IN RRSIG CNAME 13 3 120 [expiry] [inception] [keytag] example.com. ...
+0 nxd.example.com. 86400 IN NSEC outpost.example.com. CNAME RRSIG NSEC
+0 nxd.example.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] example.com. ...
 2 . 32768 IN OPT
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='nxd.example.com.', qtype=ANY
diff --git a/regression-tests/tests/cname-to-unauth-any/expected_result.dnssec b/regression-tests/tests/cname-to-unauth-any/expected_result.dnssec
index b56f89893485..9728ab906535 100644
--- a/regression-tests/tests/cname-to-unauth-any/expected_result.dnssec
+++ b/regression-tests/tests/cname-to-unauth-any/expected_result.dnssec
@@ -1,5 +1,7 @@
 0 unauth.example.com. 120 IN CNAME no-idea.example.org.
 0 unauth.example.com. 120 IN RRSIG CNAME 13 3 120 [expiry] [inception] [keytag] example.com. ...
+0 unauth.example.com. 86400 IN NSEC usa.example.com. CNAME RRSIG NSEC
+0 unauth.example.com. 86400 IN RRSIG NSEC 13 3 86400 [expiry] [inception] [keytag] example.com. ...
 2 . 32768 IN OPT
 Rcode: 0 (No Error), RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
 Reply to question for qname='unauth.example.com.', qtype=ANY