authorGravatar Chris O'Haver <cohaver@infoblox.com> 2021-07-09 04:53:50 -0400
committerGravatar GitHub <noreply@github.com> 2021-07-09 10:53:50 +0200
commit002b748ccd6b7cc2e3a65f1bd71509f80b95d342 (patch)
treedbc9050c25f40f0e211904c3c1851b8ae680e688 /plugin
parentbfb6972d300fc7ff5db319aea228271896278cab (diff)
plugin/cache: Unset AD flag when DO is not set for cache miss (#4736)
* unset AD bit when client DO is 0 Signed-off-by: Chris O'Haver <cohaver@infoblox.com> * add flag check to existing tests Signed-off-by: Chris O'Haver <cohaver@infoblox.com>
Diffstat (limited to 'plugin')
-rw-r--r--plugin/cache/cache.go4
-rw-r--r--plugin/cache/dnssec_test.go7
-rw-r--r--plugin/test/helpers.go17
3 files changed, 19 insertions, 9 deletions
diff --git a/plugin/cache/cache.go b/plugin/cache/cache.go
index 5673cc948..54e5e4db3 100644
--- a/plugin/cache/cache.go
+++ b/plugin/cache/cache.go
@@ -181,6 +181,10 @@ func (w *ResponseWriter) WriteMsg(res *dns.Msg) error {
res.Ns = filterRRSlice(res.Ns, ttl, w.do, false)
res.Extra = filterRRSlice(res.Extra, ttl, w.do, false)
+ if !w.do {
+ res.AuthenticatedData = false // unset AD bit if client is not OK with DNSSEC
+ }
+
return w.ResponseWriter.WriteMsg(res)
}
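Review bot: The new `if !w.do` block clears AD for every query that lacks DO, which is stricter than RFC 6840 §5.8: a client may signal DNSSEC awareness by setting AD in the query without DO, and such clients now lose the AD signal on a cache miss, assuming `w.do` is populated only from the query's DO bit. If that is the intended trade-off it is worth recording on the line, e.g. `res.AuthenticatedData = false // unset AD bit if client is not OK with DNSSEC (only DO is honoured; a query-side AD bit alone does not keep it)`. The hunk shows only the miss path through this writer; whether the copy stored in the cache also carries AD=false for later DO-less hits, or the hit path strips it separately, is not visible here. WriteMsg's body begins outside the hunk.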
diff --git a/plugin/cache/dnssec_test.go b/plugin/cache/dnssec_test.go
index 446718c9f..a746387bf 100644
--- a/plugin/cache/dnssec_test.go
+++ b/plugin/cache/dnssec_test.go
@@ -23,7 +23,8 @@ func TestResponseWithDNSSEC(t *testing.T) {
},
{
Qname: "invent.example.org.", Qtype: dns.TypeA,
- Do: true,
+ Do: true,
+ AuthenticatedData: true,
Answer: []dns.RR{
test.CNAME("invent.example.org. 1781 IN CNAME leptone.example.org."),
test.RRSIG("invent.example.org. 1781 IN RRSIG CNAME 8 3 1800 20201012085750 20200912082613 57411 example.org. ijSv5FmsNjFviBcOFwQgqjt073lttxTTNqkno6oMa3DD3kC+"),
@@ -40,6 +41,9 @@ func TestResponseWithDNSSEC(t *testing.T) {
m := tc.Msg()
rec := dnstest.NewRecorder(&test.ResponseWriter{})
c.ServeDNS(context.TODO(), rec, m)
+ if tc.AuthenticatedData != rec.Msg.AuthenticatedData {
+ t.Errorf("Test %d, expected AuthenticatedData=%v", i, tc.AuthenticatedData)
+ }
if err := test.Section(tc, test.Answer, rec.Msg.Answer); err != nil {
t.Errorf("Test %d, expected no error, got %s", i, err)
}
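Review bot: The new assertion's failure message reports only the expected value, so a failing run does not show what the cache actually returned; `t.Errorf("Test %d, expected AuthenticatedData=%v, got %v", i, tc.AuthenticatedData, rec.Msg.AuthenticatedData)` keeps the same shape as the Section errors that follow it. The case that exercises the new clearing (DO unset, AD expected false) is presumably the table entry that begins before this file's first hunk, so it is not visible here. TestResponseWithDNSSEC's loop begins outside the hunk.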
@@ -64,6 +68,7 @@ func dnssecHandler() plugin.Handler {
m := new(dns.Msg)
m.SetQuestion("example.org.", dns.TypeA)
+ m.AuthenticatedData = true
m.Answer = make([]dns.RR, 4)
m.Answer[0] = test.CNAME("invent.example.org. 1781 IN CNAME leptone.example.org.")
m.Answer[1] = test.RRSIG("invent.example.org. 1781 IN RRSIG CNAME 8 3 1800 20201012085750 20200912082613 57411 example.org. ijSv5FmsNjFviBcOFwQgqjt073lttxTTNqkno6oMa3DD3kC+")
diff --git a/plugin/test/helpers.go b/plugin/test/helpers.go
index 0c7e85f2a..cb7b0994b 100644
--- a/plugin/test/helpers.go
+++ b/plugin/test/helpers.go
@@ -29,14 +29,15 @@ func (p RRSet) Less(i, j int) bool { return p[i].String() < p[j].String() }
// Case represents a test case that encapsulates various data from a query and response.
// Note that is the TTL of a record is 303 we don't compare it with the TTL.
type Case struct {
- Qname string
- Qtype uint16
- Rcode int
- Do bool
- Answer []dns.RR
- Ns []dns.RR
- Extra []dns.RR
- Error error
+ Qname string
+ Qtype uint16
+ Rcode int
+ Do bool
+ AuthenticatedData bool
+ Answer []dns.RR
+ Ns []dns.RR
+ Extra []dns.RR
+ Error error
}
// Msg returns a *dns.Msg embedded in c.
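Review bot: `AuthenticatedData` is added to Case without a comment, and the struct mixes fields that by name describe the query (`Qname`, `Qtype`, `Do`) with ones that describe the response (`Rcode`, `Answer`, `Ns`, `Extra`), so a reader cannot tell from the declaration which side the new bool belongs to; its only use in this commit (dnssec_test.go) compares it against the response. A trailing comment such as `AuthenticatedData bool // expected AD flag in the response` would settle that, and should be revisited if Msg (body outside the hunk) is ever extended to copy it onto the query. The struct's doc comment above also reads "Note that is the TTL" where "if the TTL" is presumably meant.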