By checking state.Do() we are checking if the request had DO, but we are _always_ adding Do now - so we need to save the DO from the ORIGINAL request, which must be done in the ResponseWriter. Also skip OPT records in filterDNSSEC as we can't set the TTL on those records, this prevents writing a number to OPT's MBZ. Note none of the tests have changed and still PASS. This is due to the fact that CoreDNSServerAndPorts isn't a full server as we start in main, it lacks the scrubwriter for instance. This is not bad per se, but should be documented in the test code. Signed-off-by: Miek Gieben <miek@miek.nl>
package cache
import "github.com/miekg/dns"
// isDNSSEC reports whether r is a DNSSEC record, i.e. whether its type is one
// of NSEC, NSEC3, DS, RRSIG or SIG. DNSKEY is deliberately not in this list,
// on the assumption that the client explicitly asked for it.
func isDNSSEC(r dns.RR) bool {
	switch r.Header().Rrtype {
	case dns.TypeNSEC, dns.TypeNSEC3, dns.TypeDS, dns.TypeRRSIG, dns.TypeSIG:
		return true
	default:
		return false
	}
}
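// filterRRSlice filters rrs and returns the remaining RRs with their TTLs set
// to ttl. DNSSEC RRs (see isDNSSEC) are removed when do is false; OPT RRs are
// always removed. If dup is true the RRs are _copied_ into the returned slice
// and the RRs in rrs are left unmodified. If dup is false the returned slice
// shares its RRs with rrs, so their TTLs are rewritten in place.
func filterRRSlice(rrs []dns.RR, ttl uint32, do, dup bool) []dns.RR {
	rs := make([]dns.RR, 0, len(rrs))
	for _, r := range rrs {
		if !do && isDNSSEC(r) {
			continue
		}
		// OPT is a pseudo-RR: its TTL field carries the EDNS0 extended RCODE,
		// version and flags (including must-be-zero bits), so a cache TTL must
		// never be written into it. Drop it instead.
		if r.Header().Rrtype == dns.TypeOPT {
			continue
		}
		if dup {
			r = dns.Copy(r)
		}
		// Set the TTL after the optional copy. Writing it before copying would
		// also overwrite the TTL of the caller's RR, defeating dup.
		// NOTE(review): callers are not visible here; presumably dup is used when
		// rrs is shared with other readers (e.g. a cached item), where that write
		// would be an unsynchronized mutation - confirm.
		r.Header().Ttl = ttl
		rs = append(rs, r)
	}
	return rs
}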