only use the scope from the answer

PowerDNS · Jan 11, 2024 · b9b7d77 · b9b7d77
1 parent 93e5793
commit b9b7d77
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 12 deletions.
diff --git a/pdns/dnsproxy.cc b/pdns/dnsproxy.cc
@@ -270,12 +270,12 @@ void DNSProxy::mainloop()
         MOADNSParser mdp(false, p.getString());
         if (p.d_eso.scope.isValid()){
           // update the EDNS options with info from the resolver - issue #5469
-          i->second.complete->d_eso = p.d_eso;
+          i->second.complete->d_eso.scope = p.d_eso.scope;
           DLOG(g_log<<"from dnsproxy::mainLoop: updated EDNS options from resolver EDNS source: "<<i->second.complete->d_eso.source.toString()<<" EDNS scope: "<<i->second.complete->d_eso.scope.toString()<<endl);
         }
 
         if (mdp.d_header.rcode == RCode::NoError) {
-          for(const auto & answer : mdp.d_answers) {        
+          for (const auto & answer : mdp.d_answers) {        
             if(answer.first.d_place == DNSResourceRecord::ANSWER || (answer.first.d_place == DNSResourceRecord::AUTHORITY && answer.first.d_type == QType::SOA)) {
 
               if(answer.first.d_type == i->second.qtype || (i->second.qtype == QType::ANY && (answer.first.d_type == QType::A || answer.first.d_type == QType::AAAA))) {

diff --git a/pdns/stubresolver.cc b/pdns/stubresolver.cc
@@ -105,7 +105,7 @@ void stubParseResolveConf()
 }
 
 // s_resolversForStub contains the ComboAddresses that are used to resolve the
-int stubDoResolve(const DNSName& qname, uint16_t qtype, vector<DNSZoneRecord>& ret, EDNSSubnetOpts* d_eso)
+int stubDoResolve(const DNSName& qname, uint16_t qtype, vector<DNSZoneRecord>& ret, const EDNSSubnetOpts* d_eso)
 {
   // ensure resolver gets always configured
   if (!s_stubResolvConfigured) {
@@ -125,7 +125,7 @@ int stubDoResolve(const DNSName& qname, uint16_t qtype, vector<DNSZoneRecord>& r
   pw.getHeader()->id=dns_random_uint16();
   pw.getHeader()->rd=1;
 
-  if(d_eso != nullptr)
+  if (d_eso != nullptr)
   {
     // pass along EDNS subnet from client if given - issue #5469
     string origECSOptionStr = makeEDNSSubnetOptsString(*d_eso);
@@ -183,7 +183,7 @@ int stubDoResolve(const DNSName& qname, uint16_t qtype, vector<DNSZoneRecord>& r
   return RCode::ServFail;
 }
 
-int stubDoResolve(const DNSName& qname, uint16_t qtype, vector<DNSRecord>& ret, EDNSSubnetOpts* d_eso) {
+int stubDoResolve(const DNSName& qname, uint16_t qtype, vector<DNSRecord>& ret, const EDNSSubnetOpts* d_eso) {
   vector<DNSZoneRecord> ret2;
   int res = stubDoResolve(qname, qtype, ret2, d_eso);
   for (const auto &r : ret2) {

diff --git a/pdns/stubresolver.hh b/pdns/stubresolver.hh
@@ -26,5 +26,5 @@
 
 void stubParseResolveConf();
 bool resolversDefined();
-int stubDoResolve(const DNSName& qname, uint16_t qtype, vector<DNSZoneRecord>& ret, EDNSSubnetOpts* d_eso = nullptr);
-int stubDoResolve(const DNSName& qname, uint16_t qtype, vector<DNSRecord>& ret, EDNSSubnetOpts* d_eso = nullptr);
+int stubDoResolve(const DNSName& qname, uint16_t qtype, vector<DNSZoneRecord>& ret, const EDNSSubnetOpts* d_eso = nullptr);
+int stubDoResolve(const DNSName& qname, uint16_t qtype, vector<DNSRecord>& ret, const EDNSSubnetOpts* d_eso = nullptr);
diff --git a/regression-tests.auth-py/test_ALIAS.py b/regression-tests.auth-py/test_ALIAS.py
@@ -38,6 +38,7 @@ class TestALIAS(AuthTest):
 nxd.example.org.             3600 IN ALIAS nxd.example.com.
 servfail.example.org.        3600 IN ALIAS servfail.example.com.
 subnet.example.org.          3600 IN ALIAS subnet.example.com.
+subnetwrong.example.org.     3600 IN ALIAS subnetwrong.example.com.
         """,
     }
 
@@ -191,13 +192,36 @@ def testECS(self):
         self.assertEqual(res.options[0], ecso2)
 
         ecso = clientsubnetoption.ClientSubnetOption('2001:db8:db6:db5::', 64)
-        ecso2 = clientsubnetoption.ClientSubnetOption('2001:db8:db6::', 64, 48)
+        ecso2 = clientsubnetoption.ClientSubnetOption('2001:db8:db6:db5::', 64, 48)
         query = dns.message.make_query('subnet.example.org', 'A', use_edns=True, options=[ecso])
         res = self.sendUDPQuery(query)
         self.assertRcodeEqual(res, dns.rcode.NOERROR)
         self.assertAnyRRsetInAnswer(res, expected_a)
         self.assertEqual(res.options[0], ecso2)
 
+    def testECSWrong(self):
+        expected_a = [dns.rrset.from_text('subnetwrong.example.org.',
+                                          0, dns.rdataclass.IN, 'A',
+                                          '192.0.2.1')]
+        expected_aaaa = [dns.rrset.from_text('subnetwrong.example.org.',
+                                             0, dns.rdataclass.IN, 'AAAA',
+                                             '2001:DB8::1')]
+
+        ecso = clientsubnetoption.ClientSubnetOption('1.2.3.0', 24) # FIXME change all IPs to documentation space in this file
+        ecso2 = clientsubnetoption.ClientSubnetOption('1.2.3.0', 24, 22)
+        query = dns.message.make_query('subnetwrong.example.org', 'A', use_edns=True, options=[ecso])
+        res = self.sendUDPQuery(query)
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertAnyRRsetInAnswer(res, expected_a)
+        self.assertEqual(res.options[0], ecso2)
+
+        ecso = clientsubnetoption.ClientSubnetOption('2001:db8:db6:db5::', 64)
+        ecso2 = clientsubnetoption.ClientSubnetOption('2001:db8:db6:db5::', 64, 48)
+        query = dns.message.make_query('subnetwrong.example.org', 'A', use_edns=True, options=[ecso])
+        res = self.sendUDPQuery(query)
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertAnyRRsetInAnswer(res, expected_a)
+        self.assertEqual(res.options[0], ecso2)
 
 class AliasUDPResponder(DatagramProtocol):
     def datagramReceived(self, datagram, address):
@@ -210,11 +234,15 @@ def datagramReceived(self, datagram, address):
         name = question.name
         name_text = name.to_text()
 
-        if name_text in ('noerror.example.com.', 'subnet.example.com.'):
+        if name_text in ('noerror.example.com.', 'subnet.example.com.', 'subnetwrong.example.com.'):
 
             do_ecs = False
+            do_ecs_wrong = False
             if name_text == 'subnet.example.com.':
-                do_ecs=True
+                do_ecs = True
+            elif name_text == 'subnetwrong.example.com.':
+                do_ecs = True
+                do_ecs_wrong = True
 
             response.set_rcode(dns.rcode.NOERROR)
             if question.rdtype in [dns.rdatatype.A,
@@ -233,9 +261,9 @@ def datagramReceived(self, datagram, address):
 
             if do_ecs:
                 if request.options[0].family == clientsubnetoption.FAMILY_IPV4:
-                    ecso = clientsubnetoption.ClientSubnetOption('1.2.3.0', 24, 22)
+                    ecso = clientsubnetoption.ClientSubnetOption('5.6.7.0' if do_ecs_wrong else '1.2.3.0', 24, 22)
                 else:
-                    ecso = clientsubnetoption.ClientSubnetOption('2001:db8:db6::', 64, 48)
+                    ecso = clientsubnetoption.ClientSubnetOption('2600::' if do_ecs_wrong else '2001:db8:db6:db5::', 64, 48)
                 response.use_edns(edns=True, options=[ecso])
 
         if name_text == 'nxd.example.com.':