Auth: correct replies to NS and SOA in .arpa zones.

2025-12-19 10:18:25 +00:00 · 2015-04-16 15:05:30 +01:00
parent 38440b204d
commit 78c6184752
2 changed files with 38 additions and 21 deletions
--- a/8
+++ b/8
@@ -94,6 +94,14 @@ version 2.73
 	    in the auth-zone declaration. Thanks to Johnny S. Lee
 	    for the bugreport and initial patch.

+	    Fix authoritative DNS code to correctly reply to NS 
+	    and SOA queries for .arpa zones for which we are 
+	    declared authoritative by means of a subnet in auth-zone.
+	    Previously we provided correct answers to PTR queries
+	    in such zones (including NS and SOA) but not direct
+	    NS and SOA queries. Thanks to Johnny S. Lee for 
+	    pointing out the problem.
+
 	
 version 2.72
            Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
--- a/src/auth.c
+++ b/src/auth.c
@@ -131,24 +131,27 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	  continue;
 	}

-      if (qtype == T_PTR)
+      if ((qtype == T_PTR || qtype == T_SOA || qtype == T_NS) &&
+	  (flag = in_arpa_name_2_addr(name, &addr)) &&
+	  !local_query)
 	{
-	  if (!(flag = in_arpa_name_2_addr(name, &addr)))
-	    continue;
-
-	  if (!local_query)
+	  for (zone = daemon->auth_zones; zone; zone = zone->next)
+	    if ((subnet = find_subnet(zone, flag, &addr)))
+	      break;
+	  
+	  if (!zone)
 	    {
-	      for (zone = daemon->auth_zones; zone; zone = zone->next)
-		if ((subnet = find_subnet(zone, flag, &addr)))
-		  break;
-			
-	      if (!zone)
-		{
-		  auth = 0;
-		  continue;
-		}
+	      auth = 0;
+	      continue;
 	    }
+	  else if (qtype == T_SOA)
+	    soa = 1, found = 1;
+	  else if (qtype == T_NS)
+	    ns = 1, found = 1;
+	}

+      if (qtype == T_PTR && flag)
+	{
 	  intr = NULL;

 	  if (flag == F_IPV4)
@@ -243,14 +246,20 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
 	}
      
    cname_restart:
-      for (zone = daemon->auth_zones; zone; zone = zone->next)
-	if (in_zone(zone, name, &cut))
-	  break;
-      
-      if (!zone)
+      if (found)
+	/* NS and SOA .arpa requests have set found above. */
+	cut = NULL;
+      else
 	{
-	  auth = 0;
-	  continue;
+	  for (zone = daemon->auth_zones; zone; zone = zone->next)
+	    if (in_zone(zone, name, &cut))
+	      break;
+	  
+	  if (!zone)
+	    {
+	      auth = 0;
+	      continue;
+	    }
 	}

      for (rec = daemon->mxnames; rec; rec = rec->next)