Hello community,
here is the log from the commit of package pdns-recursor for openSUSE:Factory checked in at 2019-05-22 11:17:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pdns-recursor (Old)
and /work/SRC/openSUSE:Factory/.pdns-recursor.new.5148 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pdns-recursor"
Wed May 22 11:17:08 2019 rev:28 rq:704461 version:4.1.13
Changes:
--------
--- /work/SRC/openSUSE:Factory/pdns-recursor/pdns-recursor.changes 2019-04-26 22:55:51.449260722 +0200
+++ /work/SRC/openSUSE:Factory/.pdns-recursor.new.5148/pdns-recursor.changes 2019-05-22 11:17:09.654483544 +0200
@@ -1,0 +2,8 @@
+Tue May 21 12:17:26 UTC 2019 - Adam Majer
+
+- update to 4.1.13:
+ * Add the disable-real-memory-usage setting to skip expensive
+ collection of detailed memory usage info
+ * Fix DNSSEC validation of wildcards expanded onto themselves.
+
+-------------------------------------------------------------------
Old:
----
pdns-recursor-4.1.12.tar.bz2
pdns-recursor-4.1.12.tar.bz2.sig
New:
----
pdns-recursor-4.1.13.tar.bz2
pdns-recursor-4.1.13.tar.bz2.sig
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ pdns-recursor.spec ++++++
--- /var/tmp/diff_new_pack.qxZkbG/_old 2019-05-22 11:17:10.166483185 +0200
+++ /var/tmp/diff_new_pack.qxZkbG/_new 2019-05-22 11:17:10.170483183 +0200
@@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@@ -35,7 +35,7 @@
%endif
Name: pdns-recursor
-Version: 4.1.12
+Version: 4.1.13
Release: 0
BuildRequires: autoconf
BuildRequires: automake
++++++ pdns-recursor-4.1.12.tar.bz2 -> pdns-recursor-4.1.13.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/.version new/pdns-recursor-4.1.13/.version
--- old/pdns-recursor-4.1.12/.version 2019-04-02 12:31:34.000000000 +0200
+++ new/pdns-recursor-4.1.13/.version 2019-05-21 07:47:40.000000000 +0200
@@ -1 +1 @@
-4.1.12
+4.1.13
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/configure new/pdns-recursor-4.1.13/configure
--- old/pdns-recursor-4.1.12/configure 2019-04-02 12:31:33.000000000 +0200
+++ new/pdns-recursor-4.1.13/configure 2019-05-21 07:47:39.000000000 +0200
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for pdns-recursor 4.1.12.
+# Generated by GNU Autoconf 2.69 for pdns-recursor 4.1.13.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
# Identity of this package.
PACKAGE_NAME='pdns-recursor'
PACKAGE_TARNAME='pdns-recursor'
-PACKAGE_VERSION='4.1.12'
-PACKAGE_STRING='pdns-recursor 4.1.12'
+PACKAGE_VERSION='4.1.13'
+PACKAGE_STRING='pdns-recursor 4.1.13'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -1445,7 +1445,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures pdns-recursor 4.1.12 to adapt to many kinds of systems.
+\`configure' configures pdns-recursor 4.1.13 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1515,7 +1515,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of pdns-recursor 4.1.12:";;
+ short | recursive ) echo "Configuration of pdns-recursor 4.1.13:";;
esac
cat <<\_ACEOF
@@ -1677,7 +1677,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-pdns-recursor configure 4.1.12
+pdns-recursor configure 4.1.13
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2270,7 +2270,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by pdns-recursor $as_me 4.1.12, which was
+It was created by pdns-recursor $as_me 4.1.13, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3133,7 +3133,7 @@
# Define the identity of the package.
PACKAGE='pdns-recursor'
- VERSION='4.1.12'
+ VERSION='4.1.13'
cat >>confdefs.h <<_ACEOF
@@ -21846,7 +21846,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by pdns-recursor $as_me 4.1.12, which was
+This file was extended by pdns-recursor $as_me 4.1.13, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -21912,7 +21912,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-pdns-recursor config.status 4.1.12
+pdns-recursor config.status 4.1.13
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/effective_tld_names.dat new/pdns-recursor-4.1.13/effective_tld_names.dat
--- old/pdns-recursor-4.1.12/effective_tld_names.dat 2019-04-02 12:32:28.000000000 +0200
+++ new/pdns-recursor-4.1.13/effective_tld_names.dat 2019-05-21 07:48:32.000000000 +0200
@@ -6191,34 +6191,33 @@
edu.to
mil.to
-// subTLDs: https://www.nic.tr/forms/eng/policies.pdf
-// and: https://www.nic.tr/forms/politikalar.pdf
-// Submitted by
+// tr : https://nic.tr/
+// https://nic.tr/forms/eng/policies.pdf
+// https://nic.tr/index.php?USRACTN=PRICELST
tr
-com.tr
-info.tr
-biz.tr
-net.tr
-org.tr
-web.tr
-gen.tr
-tv.tr
av.tr
-dr.tr
bbs.tr
-name.tr
-tel.tr
-gov.tr
bel.tr
-pol.tr
+biz.tr
+com.tr
+dr.tr
+edu.tr
+gen.tr
+gov.tr
+info.tr
mil.tr
k12.tr
-edu.tr
kep.tr
-
+name.tr
+net.tr
+org.tr
+pol.tr
+tel.tr
+tsk.tr
+tv.tr
+web.tr
// Used by Northern Cyprus
nc.tr
-
// Used by government agencies of Northern Cyprus
gov.nc.tr
@@ -7941,9 +7940,6 @@
// dog : 2014-12-04 Binky Moon, LLC
dog
-// doha : 2014-09-18 Communications Regulatory Authority (CRA)
-doha
-
// domains : 2013-10-17 Binky Moon, LLC
domains
@@ -10844,6 +10840,10 @@
// Submitted by Anthony Voutas
backplaneapp.io
+// Banzai Cloud
+// Submitted by Gabor Kozma
+app.banzaicloud.io
+
// BetaInABox
// Submitted by Adrian
betainabox.com
@@ -10879,6 +10879,7 @@
// Bytemark Hosting : https://www.bytemark.co.uk
// Submitted by Paul Cammish
+uk0.bigv.io
dh.bytemark.co.uk
vm.bytemark.co.uk
@@ -10947,6 +10948,10 @@
// Submitted by Alex Stoddard
xenapponazure.com
+// Civilized Discourse Construction Kit, Inc. : https://www.discourse.org/
+// Submitted by Rishabh Nambiar
+discourse.group
+
// ClearVox : http://www.clearvox.nl/
// Submitted by Leon Rowland
virtueeldomein.nl
@@ -11717,6 +11722,11 @@
// Submitted by Alex Hanselka
gitlab.io
+// GOV.UK Platform as a Service : https://www.cloud.service.gov.uk/
+// Submitted by Tom Whitwell
+cloudapps.digital
+london.cloudapps.digital
+
// UKHomeOffice : https://www.gov.uk/government/organisations/home-office
// Submitted by Jon Shanks
homeoffice.gov.uk
@@ -12084,6 +12094,10 @@
org.ru
pp.ru
+// Nabu Casa : https://www.nabucasa.com
+// Submitted by Paulus Schoutsen
+ui.nabu.casa
+
// Netlify : https://www.netlify.com
// Submitted by Jessica Parsons
bitballoon.com
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/pdns_recursor.1 new/pdns-recursor-4.1.13/pdns_recursor.1
--- old/pdns-recursor-4.1.12/pdns_recursor.1 2019-04-02 12:32:28.000000000 +0200
+++ new/pdns-recursor-4.1.13/pdns_recursor.1 2019-05-21 07:48:32.000000000 +0200
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "PDNS_RECURSOR" "1" "Apr 02, 2019" "4.1" "PowerDNS Recursor"
+.TH "PDNS_RECURSOR" "1" "May 21, 2019" "4.1" "PowerDNS Recursor"
.SH NAME
pdns_recursor \- The PowerDNS Recursor binary
.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/pdns_recursor.cc new/pdns-recursor-4.1.13/pdns_recursor.cc
--- old/pdns-recursor-4.1.12/pdns_recursor.cc 2019-04-02 12:31:21.000000000 +0200
+++ new/pdns-recursor-4.1.13/pdns_recursor.cc 2019-05-21 07:47:27.000000000 +0200
@@ -3652,6 +3652,7 @@
::arg().setSwitch("log-rpz-changes", "Log additions and removals to RPZ zones at Info level")="no";
::arg().set("distribution-load-factor", "The load factor used when PowerDNS is distributing queries to worker threads")="0.0";
+ ::arg().setSwitch("disable-real-memory-usage", "Disable expensive real-memory-usage metric")= "no";
::arg().setCmd("help","Provide a helpful message");
::arg().setCmd("version","Print version string");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/pubsuffix.cc new/pdns-recursor-4.1.13/pubsuffix.cc
--- old/pdns-recursor-4.1.12/pubsuffix.cc 2019-04-02 12:32:28.000000000 +0200
+++ new/pdns-recursor-4.1.13/pubsuffix.cc 2019-05-21 07:48:32.000000000 +0200
@@ -5015,26 +5015,27 @@
"org.to",
"edu.to",
"mil.to",
-"com.tr",
-"info.tr",
-"biz.tr",
-"net.tr",
-"org.tr",
-"web.tr",
-"gen.tr",
-"tv.tr",
"av.tr",
-"dr.tr",
"bbs.tr",
-"name.tr",
-"tel.tr",
-"gov.tr",
"bel.tr",
-"pol.tr",
+"biz.tr",
+"com.tr",
+"dr.tr",
+"edu.tr",
+"gen.tr",
+"gov.tr",
+"info.tr",
"mil.tr",
"k12.tr",
-"edu.tr",
"kep.tr",
+"name.tr",
+"net.tr",
+"org.tr",
+"pol.tr",
+"tel.tr",
+"tsk.tr",
+"tv.tr",
+"web.tr",
"nc.tr",
"gov.nc.tr",
"co.tt",
@@ -5588,6 +5589,7 @@
"wpcomstaging.com",
"myfritz.net",
"backplaneapp.io",
+"app.banzaicloud.io",
"betainabox.com",
"bnr.la",
"blackbaudcdn.net",
@@ -5600,6 +5602,7 @@
"bplaced.net",
"square7.net",
"browsersafetymark.io",
+"uk0.bigv.io",
"dh.bytemark.co.uk",
"vm.bytemark.co.uk",
"mycd.eu",
@@ -5638,6 +5641,7 @@
"c.la",
"certmgr.org",
"xenapponazure.com",
+"discourse.group",
"virtueeldomein.nl",
"cleverapps.io",
"c66.me",
@@ -6211,6 +6215,8 @@
"github.io",
"githubusercontent.com",
"gitlab.io",
+"cloudapps.digital",
+"london.cloudapps.digital",
"homeoffice.gov.uk",
"ro.im",
"shop.ro",
@@ -6436,6 +6442,7 @@
"net.ru",
"org.ru",
"pp.ru",
+"ui.nabu.casa",
"bitballoon.com",
"netlify.com",
"4u.com",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/rec_channel_rec.cc new/pdns-recursor-4.1.13/rec_channel_rec.cc
--- old/pdns-recursor-4.1.12/rec_channel_rec.cc 2019-04-02 12:31:21.000000000 +0200
+++ new/pdns-recursor-4.1.13/rec_channel_rec.cc 2019-05-21 07:47:27.000000000 +0200
@@ -884,6 +884,10 @@
return 0;
}
+uint64_t getFakeMemoryUsage(const std::string&) {
+ return 0;
+}
+
extern ResponseStats g_rs;
void registerAllStats()
@@ -1005,7 +1009,11 @@
addGetStat("noedns-outqueries", &g_stats.noEdnsOutQueries);
addGetStat("uptime", calculateUptime);
- addGetStat("real-memory-usage", boost::bind(getRealMemoryUsage, string()));
+ if (::arg().mustDo("disable-real-memory-usage"))
+ addGetStat("real-memory-usage", boost::bind(getFakeMemoryUsage, string()));
+ else
+ addGetStat("real-memory-usage", boost::bind(getRealMemoryUsage, string()));
+
addGetStat("fd-usage", boost::bind(getOpenFileDescriptors, string()));
// addGetStat("query-rate", getQueryRate);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/rec_control.1 new/pdns-recursor-4.1.13/rec_control.1
--- old/pdns-recursor-4.1.12/rec_control.1 2019-04-02 12:32:28.000000000 +0200
+++ new/pdns-recursor-4.1.13/rec_control.1 2019-05-21 07:48:32.000000000 +0200
@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
-.TH "REC_CONTROL" "1" "Apr 02, 2019" "4.1" "PowerDNS Recursor"
+.TH "REC_CONTROL" "1" "May 21, 2019" "4.1" "PowerDNS Recursor"
.SH NAME
rec_control \- Command line tool to control a running Recursor
.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/syncres.cc new/pdns-recursor-4.1.13/syncres.cc
--- old/pdns-recursor-4.1.12/syncres.cc 2019-04-02 12:31:21.000000000 +0200
+++ new/pdns-recursor-4.1.13/syncres.cc 2019-05-21 07:47:27.000000000 +0200
@@ -1920,7 +1920,7 @@
return Bogus;
}
-RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery)
+RCode::rcodes_ SyncRes::updateCacheFromRecords(unsigned int depth, LWResult& lwr, const DNSName& qname, const QType& qtype, const DNSName& auth, bool wasForwarded, const boost::optional<Netmask> ednsmask, vState& state, bool& needWildcardProof, bool& gatherWildcardProof, unsigned int& wildcardLabelsCount, bool rdQuery)
{
bool wasForwardRecurse = wasForwarded && rdQuery;
tcache_t tcache;
@@ -1946,7 +1946,7 @@
/* if we have a positive answer synthetized from a wildcard,
we need to store the corresponding NSEC/NSEC3 records proving
that the exact name did not exist in the negative cache */
- if(needWildcardProof) {
+ if(gatherWildcardProof) {
if (nsecTypes.count(rec.d_type)) {
authorityRecs.push_back(std::make_shared<DNSRecord>(rec));
}
@@ -1964,9 +1964,20 @@
count can be lower than the name's label count if it was
synthetized from the wildcard. Note that the difference might
be > 1. */
- if (rec.d_name == qname && rrsig->d_labels < labelCount) {
- LOG(prefix<d_labels;
}
@@ -2204,7 +2215,7 @@
return getDenial(csp, ne.d_name, ne.d_qtype.getCode(), referralToUnsigned, expectedState == NXQTYPE);
}
-bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const unsigned int wildcardLabelsCount)
+bool SyncRes::processRecords(const std::string& prefix, const DNSName& qname, const QType& qtype, const DNSName& auth, LWResult& lwr, const bool sendRDQuery, vector<DNSRecord>& ret, set<DNSName>& nsset, DNSName& newtarget, DNSName& newauth, bool& realreferral, bool& negindic, vState& state, const bool needWildcardProof, const bool gatherWildcardProof, const unsigned int wildcardLabelsCount)
{
bool done = false;
@@ -2263,7 +2274,7 @@
/* if we have a positive answer synthetized from a wildcard, we need to
return the corresponding NSEC/NSEC3 records from the AUTHORITY section
proving that the exact name did not exist */
- else if(needWildcardProof && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::AUTHORITY) {
+ else if(gatherWildcardProof && (rec.d_type==QType::RRSIG || rec.d_type==QType::NSEC || rec.d_type==QType::NSEC3) && rec.d_place==DNSResourceRecord::AUTHORITY) {
ret.push_back(rec); // enjoy your DNSSEC
}
// for ANY answers we *must* have an authoritative answer, unless we are forwarding recursively
@@ -2538,8 +2549,9 @@
}
bool needWildcardProof = false;
+ bool gatherWildcardProof = false;
unsigned int wildcardLabelsCount;
- *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, wildcardLabelsCount, sendRDQuery);
+ *rcode = updateCacheFromRecords(depth, lwr, qname, qtype, auth, wasForwarded, ednsmask, state, needWildcardProof, gatherWildcardProof, wildcardLabelsCount, sendRDQuery);
if (*rcode != RCode::NoError) {
return true;
}
@@ -2551,7 +2563,7 @@
DNSName newauth;
DNSName newtarget;
- bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, wildcardLabelsCount);
+ bool done = processRecords(prefix, qname, qtype, auth, lwr, sendRDQuery, ret, nsset, newtarget, newauth, realreferral, negindic, state, needWildcardProof, gatherWildcardProof, wildcardLabelsCount);
if(done){
LOG(prefix<setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional context, std::shared_ptr<RemoteLogger> outgoingLogger, LWResult* res, bool* chained) {
+
+ if (type == QType::DS || type == QType::DNSKEY) {
+ if (domain == target) {
+ const auto auth = DNSName("powerdns.com.");
+ /* we don't want a cut there */
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+ addRRSIG(keys, res->d_records, auth, 300);
+ /* add a NSEC denying the DS */
+ std::set types = { QType::NSEC };
+ addNSECRecordToLW(domain, DNSName("z") + domain, types, 600, res->d_records);
+ addRRSIG(keys, res->d_records, auth, 300);
+ return 1;
+ }
+ return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+ }
+ else {
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, domain, QType::A, "192.0.2.42");
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com"));
+ /* we don't _really_ need to add the proof that the exact name does not exist because it does,
+ it's the wildcard itself, but let's do it so other validators don't choke on it */
+ addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+ return 1;
+ }
+ });
+
+ vector<DNSRecord> ret;
+ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+ /* A + RRSIG, NSEC + RRSIG */
+ BOOST_REQUIRE_EQUAL(ret.size(), 4);
+}
+
+BOOST_AUTO_TEST_CASE(test_dnssec_validation_wildcard_like_expanded_from_wildcard) {
+ std::unique_ptr<SyncRes> sr;
+ initSR(sr, true);
+
+ setDNSSECValidation(sr, DNSSECMode::ValidateAll);
+
+ primeHints();
+ const DNSName target("*.sub.powerdns.com.");
+ testkeysset_t keys;
+
+ auto luaconfsCopy = g_luaconfs.getCopy();
+ luaconfsCopy.dsAnchors.clear();
+ generateKeyMaterial(g_rootdnsname, DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+ generateKeyMaterial(DNSName("com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+ generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::SHA256, keys, luaconfsCopy.dsAnchors);
+
+ g_luaconfs.setState(luaconfsCopy);
+
+ sr->setAsyncCallback([target,keys](const ComboAddress& ip, const DNSName& domain, int type, bool doTCP, bool sendRDQuery, int EDNS0Level, struct timeval* now, boost::optional<Netmask>& srcmask, boost::optional context, std::shared_ptr<RemoteLogger> outgoingLogger, LWResult* res, bool* chained) {
+
+ if (type == QType::DS || type == QType::DNSKEY) {
+ if (domain == target) {
+ const auto auth = DNSName("powerdns.com.");
+ /* we don't want a cut there */
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+ addRRSIG(keys, res->d_records, auth, 300);
+ addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+ return 1;
+ }
+ else if (domain == DNSName("sub.powerdns.com.")) {
+ const auto auth = DNSName("powerdns.com.");
+ /* we don't want a cut there */
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, auth, QType::SOA, "foo. bar. 2017032800 1800 900 604800 86400", DNSResourceRecord::AUTHORITY, 86400);
+ addRRSIG(keys, res->d_records, auth, 300);
+ /* add a NSEC denying the DS */
+ addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+ return 1;
+ }
+ return genericDSAndDNSKEYHandler(res, domain, domain, type, keys);
+ }
+ else {
+ setLWResult(res, 0, true, false, true);
+ addRecordToLW(res, domain, QType::A, "192.0.2.42");
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com."), 300, false, boost::none, DNSName("*.powerdns.com"));
+ addNSECRecordToLW(DNSName("*.powerdns.com."), DNSName("wwz.powerdns.com."), { QType::A, QType::NSEC, QType::RRSIG }, 600, res->d_records);
+ addRRSIG(keys, res->d_records, DNSName("powerdns.com"), 300, false, boost::none, DNSName("*.powerdns.com"));
+ return 1;
+ }
+ });
+
+ vector<DNSRecord> ret;
+ int res = sr->beginResolve(target, QType(QType::A), QClass::IN, ret);
+ BOOST_CHECK_EQUAL(res, RCode::NoError);
+ BOOST_CHECK_EQUAL(sr->getValidationState(), Secure);
+ /* A + RRSIG, NSEC + RRSIG */
+ BOOST_REQUIRE_EQUAL(ret.size(), 4);
+}
+
BOOST_AUTO_TEST_CASE(test_dnssec_no_ds_on_referral_secure) {
std::unique_ptr<SyncRes> sr;
initSR(sr, true);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/pdns-recursor-4.1.12/validate.cc new/pdns-recursor-4.1.13/validate.cc
--- old/pdns-recursor-4.1.12/validate.cc 2019-04-02 12:31:21.000000000 +0200
+++ new/pdns-recursor-4.1.13/validate.cc 2019-05-21 07:47:27.000000000 +0200
@@ -116,6 +116,15 @@
Labels field of the covering RRSIG RR, then the RRset and its
covering RRSIG RR were created as a result of wildcard expansion."
*/
+bool isWildcardExpanded(unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign)
+{
+ if (sign && sign->d_labels < labelCount) {
+ return true;
+ }
+
+ return false;
+}
+
static bool isWildcardExpanded(const DNSName& owner, const std::vector& signatures)
{
if (signatures.empty()) {
@@ -124,13 +133,29 @@
const auto& sign = signatures.at(0);
unsigned int labelsCount = owner.countLabels();
- if (sign && sign->d_labels < labelsCount) {
+ return isWildcardExpanded(labelsCount, sign);
+}
+
+bool isWildcardExpandedOntoItself(const DNSName& owner, unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign)
+{
+ if (owner.isWildcard() && (labelCount - 1) == sign->d_labels) {
+ /* this is a wildcard alright, but it has not been expanded */
return true;
}
-
return false;
}
+static bool isWildcardExpandedOntoItself(const DNSName& owner, const std::vector& signatures)
+{
+ if (signatures.empty()) {
+ return false;
+ }
+
+ const auto& sign = signatures.at(0);
+ unsigned int labelsCount = owner.countLabels();
+ return isWildcardExpandedOntoItself(owner, labelsCount, sign);
+}
+
/* if this is a wildcard NSEC, the owner name has been modified
to match the name. Make sure we use the original '*' form. */
static DNSName getNSECOwnerName(const DNSName& initialOwner, const std::vector& signatures)
@@ -385,7 +410,7 @@
/* we know that the name exists (but this qtype doesn't) so except
if the answer was generated by a wildcard expansion, no wildcard
could have matched (rfc4035 section 5.4 bullet 1) */
- if (!isWildcardExpanded(owner, v.second.signatures)) {
+ if (!isWildcardExpanded(owner, v.second.signatures) || isWildcardExpandedOntoItself(owner, v.second.signatures)) {
needWildcardProof = false;
}
@@ -399,6 +424,7 @@
/* check if the whole NAME is denied existing */
if(isCoveredByNSEC(qname, owner, nsec->d_next)) {
+ LOG(qname<<" is covered ");
/* if the name is an ENT and we received a NODATA answer,
we are fine with a NSEC proving that the name does not exist. */
if (wantsNoDataProof && nsecProvesENT(qname, owner, nsec->d_next)) {
@@ -407,15 +433,19 @@
}
if (!needWildcardProof) {
+ LOG("and we did not need a wildcard proof"<& signatures);
bool denialProvesNoDelegation(const DNSName& zone, const std::vector<DNSRecord>& dsrecords);
bool isRRSIGNotExpired(const time_t now, const shared_ptr<RRSIGRecordContent> sig);
+bool isWildcardExpanded(unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign);
+bool isWildcardExpandedOntoItself(const DNSName& owner, unsigned int labelCount, const std::shared_ptr<RRSIGRecordContent>& sign);