plugin/file: Fix in wrong answers returned when wildcard and concrete records exist (#4599)

* plugin/file: Fix in wrong answers returned when wildcard and concrete records exist Signed-off-by: Jason Du <xdu@infoblox.com> * Remove superfluous change Signed-off-by: Jason Du <xdu@infoblox.com> * Re-implementation and new test case If the domain's terminal is neither the matching wildcard, nor a domian directly under the wildcard, return NXDOMAIN Signed-off-by: Jason Du <xdu@infoblox.com> * Fix empty non-terminal & add test case Signed-off-by: Jason Du <xdu@infoblox.com> * Cleanup Signed-off-by: Jason Du <xdu@infoblox.com> * Fix case on domain name with character before * and add more test cases Signed-off-by: Jason Du <xdu@infoblox.com> * Use different IPs for records in cornerCasesWildcard zone file Signed-off-by: Jason Du <xdu@infoblox.com>
2025-10-27 08:14:18 -04:00 · 2021-05-17 13:21:08 -07:00
parent 5f41d8eb1f
commit fbf3f07f46
3 changed files with 110 additions and 6 deletions
--- a/plugin/file/lookup.go
+++ b/plugin/file/lookup.go
@@ -56,10 +56,10 @@ func (z *Zone) Lookup(ctx context.Context, state request.Request, qname string)
 	}

 	var (
-		found, shot    bool
-		parts          string
-		i              int
-		elem, wildElem *tree.Elem
+		found, shot              bool
+		parts                    string
+		i, maxLabelNum           int
+		elem, wildElem, nextElem *tree.Elem
 	)

 	loop, _ := ctx.Value(dnsserver.LoopKey{}).(int)
@@ -92,6 +92,12 @@ func (z *Zone) Lookup(ctx context.Context, state request.Request, qname string)
 			break
 		}

+		if nextElem, found = tr.Next(parts); found {
+			if dns.IsSubDomain(parts, nextElem.Name()) {
+				maxLabelNum = z.origLen + i
+			}
+		}
+
 		elem, found = tr.Search(parts)
 		if !found {
 			// Apex will always be found, when we are here we can search for a wildcard
@@ -201,8 +207,18 @@ func (z *Zone) Lookup(ctx context.Context, state request.Request, qname string)

 	// Found wildcard.
 	if wildElem != nil {
-		auth := ap.ns(do)
+		// if the domain's longest matching parent domain is subdomain of the wildcard,
+		// in other words, the domain‘s max number of labels matched is >= number of labels of the wildcard
+		if maxLabelNum >= dns.CountLabel(wildElem.Name()) {
+			ret := ap.soa(do)
+			if do {
+				nsec := typeFromElem(wildElem, dns.TypeNSEC, do)
+				ret = append(ret, nsec...)
+			}
+			return nil, ret, nil, NameError
+		}

+		auth := ap.ns(do)
 		if rrs := wildElem.TypeForWildcard(dns.TypeCNAME, qname); len(rrs) > 0 {
 			ctx = context.WithValue(ctx, dnsserver.LoopKey{}, loop+1)
 			return z.externalLookup(ctx, state, wildElem, rrs)