Drop NSEC3 zone (#120)

Error out when parsing and transferring such a zone. If we would serve it we would give out the wrong answers, leading to (probably) validation failures... Fixes #114
2025-11-09 13:32:16 -05:00 · 2016-04-14 07:33:03 +01:00
parent ec343ce0ce
commit eb1f21bfff
3 changed files with 46 additions and 13 deletions
--- a/middleware/file/secondary.go
+++ b/middleware/file/secondary.go
@@ -1,6 +1,7 @@
 package file

 import (
+	"fmt"
 	"log"
 	"time"

@@ -28,27 +29,33 @@ Transfer:
 		t := new(dns.Transfer)
 		c, err := t.In(m, tr)
 		if err != nil {
-			log.Printf("[ERROR] Failed to setup transfer %s with %s: %v", z.name, tr, err)
+			log.Printf("[ERROR] Failed to setup transfer `%s' with `%s': %v", z.name, tr, err)
 			Err = err
 			continue Transfer
 		}
 		for env := range c {
 			if env.Error != nil {
-				log.Printf("[ERROR] Failed to parse transfer %s: %v", z.name, env.Error)
+				log.Printf("[ERROR] Failed to parse transfer `%s': %v", z.name, env.Error)
 				Err = env.Error
 				continue Transfer
 			}
 			for _, rr := range env.RR {
-				if rr.Header().Rrtype == dns.TypeSOA {
+				switch h := rr.Header().Rrtype; h {
+				case dns.TypeSOA:
 					z1.SOA = rr.(*dns.SOA)
-					continue
-				}
-				if rr.Header().Rrtype == dns.TypeRRSIG {
+				case dns.TypeNSEC3, dns.TypeNSEC3PARAM:
+					err := fmt.Errorf("NSEC3 zone is not supported, dropping")
+					log.Printf("[ERROR] Failed to parse transfer `%s': %v", z.name, err)
+					return err
+				case dns.TypeRRSIG:
 					if x, ok := rr.(*dns.RRSIG); ok && x.TypeCovered == dns.TypeSOA {
 						z1.SIG = append(z1.SIG, x)
+						continue
 					}
+					fallthrough
+				default:
+					z1.Insert(rr)
 				}
-				z1.Insert(rr)
 			}
 		}
 		Err = nil