plugin/dnssec: fix blacklies for NXDOMAIN (#1399)

* plugin/dnssec: filter bitmap also for NXDOMAIN responses

We change NXDOMAIN to NODATA, so at the point where we receive the
reply it can be either NXDOMAIN or NODATA. In both cases we should
filter the NSEC bitmap.

Change the code and add explicit tests for this.

* More tests
Miek Gieben
2018-01-18 13:07:23 +00:00
committed by GitHub
parent c39e5cd014
commit cb3190bab1
3 changed files with 102 additions and 4 deletions


@@ -38,10 +38,9 @@ var (
apexBitmap = [...]uint16{dns.TypeA, dns.TypeNS, dns.TypeSOA, dns.TypeHINFO, dns.TypeMX, dns.TypeTXT, dns.TypeAAAA, dns.TypeLOC, dns.TypeSRV, dns.TypeCERT, dns.TypeSSHFP, dns.TypeRRSIG, dns.TypeNSEC, dns.TypeDNSKEY, dns.TypeTLSA, dns.TypeHIP, dns.TypeOPENPGPKEY, dns.TypeSPF}
)
// filter14 filters out t from bitmap (if it exists). If mt is not an NODATA response, just
// return the entire bitmap.
// filter14 filters out t from bitmap (if it exists). If mt is not an NODATA response, just return the entire bitmap.
func filter14(t uint16, bitmap [14]uint16, mt response.Type) []uint16 {
if mt != response.NoData {
if mt != response.NoData && mt != response.NameError {
return zoneBitmap[:]
}
for i := range bitmap {
@@ -53,7 +52,7 @@ func filter14(t uint16, bitmap [14]uint16, mt response.Type) []uint16 {
}
func filter18(t uint16, bitmap [18]uint16, mt response.Type) []uint16 {
if mt != response.NoData {
if mt != response.NoData && mt != response.NameError {
return apexBitmap[:]
}
for i := range bitmap {