35b40a84f2
The filtering of DNSSEC records in the cache plugin was not done correctly. Also the change to introduced this bug didn't take into account that the cache - by virtue of differentiating between DNSSEC and no-DNSSEC - relied on not copying the data from the cache. This change copies and then filters the data and factors the filtering into a function that is used in two places (albeit with on ugly boolean parameters to prevent copying things twice). Add tests, do_test.go is moved to test/cache_test.go because the OPT handing is done outside of the cache plugin. The core server re-attaches the correct OPT when replying, so that makes for a better e2e test. Added small unit test for filterRRslice and an explicit test that asks for DNSSEC first and then plain, and vice versa to test cache behavior. Fixes: #4146 Signed-off-by: Miek Gieben <miek@miek.nl>
43 lines
981 B
Go
43 lines
981 B
Go
package cache
|
|
|
|
import "github.com/miekg/dns"
|
|
|
|
// isDNSSEC returns true if r is a DNSSEC record. NSEC,NSEC3,DS and RRSIG/SIG
|
|
// are DNSSEC records. DNSKEYs is not in this list on the assumption that the
|
|
// client explictly asked for it.
|
|
func isDNSSEC(r dns.RR) bool {
|
|
switch r.Header().Rrtype {
|
|
case dns.TypeNSEC:
|
|
return true
|
|
case dns.TypeNSEC3:
|
|
return true
|
|
case dns.TypeDS:
|
|
return true
|
|
case dns.TypeRRSIG:
|
|
return true
|
|
case dns.TypeSIG:
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
// filterRRSlice filters rrs and removes DNSSEC RRs when do is false. In the returned slice
|
|
// the TTLs are set to ttl. If dup is true the RRs in rrs are _copied_ into the slice that is
|
|
// returned.
|
|
func filterRRSlice(rrs []dns.RR, ttl uint32, do, dup bool) []dns.RR {
|
|
j := 0
|
|
rs := make([]dns.RR, len(rrs), len(rrs))
|
|
for _, r := range rrs {
|
|
if !do && isDNSSEC(r) {
|
|
continue
|
|
}
|
|
r.Header().Ttl = ttl
|
|
if dup {
|
|
rs[j] = dns.Copy(r)
|
|
} else {
|
|
rs[j] = r
|
|
}
|
|
j++
|
|
}
|
|
return rs[:j]
|
|
}
|