Handle DS queries to auth zones.

When dnsmasq is configured to act as an authoritative server and has
an authoritative zone configured, and recieves a query for
that zone _as_forwarder_ it answers the query directly rather
than forwarding it. This doesn't affect the answer, but it
saves dnsmasq forwarding the query to the recusor upstream,
whch then bounces it back to dnsmasq in auth mode. The
exception should be when the query is for the root of zone, for a DS
RR. The answer to that has to come from the parent, via the
recursor, and will typically be a proof-of-nonexistence since
dnsmasq doesn't support signed zones. This patch suppresses
local answers and forces forwarding to the upstream recursor
for such queries. It stops breakage when a DNSSEC validating
client makes queries to dnsmasq acting as forwarder for a zone
for which it is authoritative.

CHANGELOG

@@ -82,6 +82,21 @@ version 2.91
 	to queries which arrive a dnsmasq already carrying an EDNS client
 	subnet.
 
+	Handle DS queries to auth zones. When dnsmasq is configured to
+	act as an authoritative server and has an authoritative zone
+	configured, and recieves a query for that zone _as_forwarder_
+	it answers the query directly rather than forwarding it. This
+	doesn't affect the answer, but it saves dnsmasq forwarding the
+	query to the recusor upstream, whch then bounces it back to dnsmasq
+	in auth mode. The exception should be when the query is for the root
+	of zone, for a DS RR. The answer to that has to come from the parent,
+	via the recursor, and will typically be a proof-of-nonexistence
+	since dnsmasq doesn't support signed zones. This patch suppresses
+	local answers and forces forwarding to the upstream recursor for such
+	queries. It stops breakage when a DNSSEC validating client makes
+	queries to dnsmasq acting as forwarder for a zone for which it is
+	authoritative.
+
 	
 version 2.90
 	Fix reversion in --rev-server introduced in 2.88 which

src/forward.c

@@ -1691,15 +1691,27 @@ void receive_query(struct listener *listen, time_t now)
 			   &source_addr, auth_dns ? "auth" : "query", type);
       
 #ifdef HAVE_AUTH
-      /* find queries for zones we're authoritative for, and answer them directly */
+      /* Find queries for zones we're authoritative for, and answer them directly.
+	 The exception to this is DS queries for the zone route. They
+	 have to come from the parent zone. Since dnsmasq's auth server
+	 can't do DNSSEC, the zone will be unsigned, and anything using
+	 dnsmasq as a forwarder and doing validation will be expecting to
+	 see the proof of non-existence from the parent. */
       if (!auth_dns && !option_bool(OPT_LOCALISE))
 	for (zone = daemon->auth_zones; zone; zone = zone->next)
-	  if (in_zone(zone, daemon->namebuff, NULL))
+	  {
+	    char *cut;
+	    
+	    if (in_zone(zone, daemon->namebuff, &cut))
+	      {
+		if (type != T_DS || cut)
 		  {
 		    auth_dns = 1;
 		    local_auth = 1;
+		  }
 		break;
 	      }
+	  }
 #endif
       
 #ifdef HAVE_LOOP
@@ -2325,15 +2337,27 @@ unsigned char *tcp_request(int confd, time_t now,
 				   &peer_addr, auth_dns ? "auth" : "query", qtype);
 	      
 #ifdef HAVE_AUTH
-	      /* find queries for zones we're authoritative for, and answer them directly */
+	      /* Find queries for zones we're authoritative for, and answer them directly.
+		 The exception to this is DS queries for the zone route. They
+		 have to come from the parent zone. Since dnsmasq's auth server
+		 can't do DNSSEC, the zone will be unsigned, and anything using
+		 dnsmasq as a forwarder and doing validation will be expecting to
+		 see the proof of non-existence from the parent. */
 	      if (!auth_dns && !option_bool(OPT_LOCALISE))
 		for (zone = daemon->auth_zones; zone; zone = zone->next)
-		  if (in_zone(zone, daemon->namebuff, NULL))
+		  {
+		    char *cut;
+		    
+		    if (in_zone(zone, daemon->namebuff, &cut))
+		      {
+			if (qtype != T_DS || cut)
 			  {
 			    auth_dns = 1;
 			    local_auth = 1;
+			  }
 			break;
 		      }
+		  }
 #endif
 	      
 	      norebind = domain_no_rebind(daemon->namebuff);