authorGravatar Miek Gieben <miek@miek.nl> 2016-11-06 08:32:07 +0000
committerGravatar GitHub <noreply@github.com> 2016-11-06 08:32:07 +0000
commit243797a3871a912f14c5d719157708e35179fc7f (patch)
tree70d66dfc891b6b25b6df1c6d6501779fc9e9afeb /middleware/file/lookup.go
parent8d3418c01535f63129da2fe1ffd5ff8e4ceceb2d (diff)
middleware/file: add nsec for wildcard expansion (#382)
An NSEC record is needed to deny any other name that might exist. Also don't blindly perform the interface conversion when getting glue for NS records, as they may now include RRSIGs - also add tests for that.
Diffstat (limited to 'middleware/file/lookup.go')
-rw-r--r--middleware/file/lookup.go23
1 files changed, 14 insertions, 9 deletions
diff --git a/middleware/file/lookup.go b/middleware/file/lookup.go
index 16325d3e9..95cd02e73 100644
--- a/middleware/file/lookup.go
+++ b/middleware/file/lookup.go
@@ -146,7 +146,9 @@ func (z *Zone) Lookup(qname string, qtype uint16, do bool) ([]dns.RR, []dns.RR,
// Haven't found the original name.
+ // Found wildcard.
if wildElem != nil {
+ auth := []dns.RR{}
if rrs := wildElem.Types(dns.TypeCNAME, qname); len(rrs) > 0 {
return z.searchCNAME(rrs, qtype, do)
@@ -154,26 +156,29 @@ func (z *Zone) Lookup(qname string, qtype uint16, do bool) ([]dns.RR, []dns.RR,
rrs := wildElem.Types(qtype, qname)
- // NODATA
+ // NODATA response.
if len(rrs) == 0 {
ret := z.soa(do)
if do {
- // Do we need to add closest encloser here as well.
- // closest encloser
- // ce, _ := z.ClosestEncloser(qname)
- // println("CLOSEST ENCLOSER", ce.Name()) // need to add this too.
nsec := z.typeFromElem(wildElem, dns.TypeNSEC, do)
ret = append(ret, nsec...)
}
return nil, ret, nil, Success
}
+
if do {
+ // An NSEC is needed to say no longer name exists under this wildcard.
+ if deny, found := z.Tree.Prev(qname); found {
+ nsec := z.typeFromElem(deny, dns.TypeNSEC, do)
+ auth = append(auth, nsec...)
+ }
+
sigs := wildElem.Types(dns.TypeRRSIG, qname)
sigs = signatureForSubType(sigs, qtype)
rrs = append(rrs, sigs...)
}
- return rrs, nil, nil, Success
+ return rrs, auth, nil, Success
}
rcode := NameError
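Review bot: The wildcard NODATA branch (`if len(rrs) == 0`) still returns only the wildcard's own NSEC when `do` is set, and this hunk deletes the comment that flagged the missing closest-encloser proof. RFC 4035 section 3.1.3.4 asks a wildcard no-data response to also carry an NSEC showing that no closer match for the query name exists, which is the record the positive path now fetches through `z.Tree.Prev(qname)`; without it a validating resolver may be unable to authenticate the denial. I would either do the same lookup there, `if deny, found := z.Tree.Prev(qname); found { ret = append(ret, z.typeFromElem(deny, dns.TypeNSEC, do)...) }` (skipped when `deny` is the wildcard element itself, so the NSEC is not added twice), or keep a `// TODO: add the NSEC covering qname` comment so the gap stays visible. Lookup begins and ends outside this hunk.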
@@ -289,9 +294,9 @@ func signatureForSubType(rrs []dns.RR, subtype uint16) []dns.RR {
// Glue returns any potential glue records for nsrrs.
func (z *Zone) Glue(nsrrs []dns.RR) []dns.RR {
glue := []dns.RR{}
- for _, ns := range nsrrs {
- if dns.IsSubDomain(ns.Header().Name, ns.(*dns.NS).Ns) {
- glue = append(glue, z.searchGlue(ns.(*dns.NS).Ns)...)
+ for _, rr := range nsrrs {
+ if ns, ok := rr.(*dns.NS); ok && dns.IsSubDomain(ns.Header().Name, ns.Ns) {
+ glue = append(glue, z.searchGlue(ns.Ns)...)
}
}
return glue
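Review bot: The doc comment on Glue does not say that entries of `nsrrs` which are not `*dns.NS` are now skipped without notice, which is what the comma-ok assertion `rr.(*dns.NS)` introduces. Since the commit message says the NS set may now carry RRSIGs, I would extend the comment to `// Glue returns any potential glue records for nsrrs. Records that are not NS records (for example RRSIGs) are ignored.` The end of Glue lies outside the hunk.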