
Merge branch 'trac2226'

Mukund Sivaraman il y a 11 ans
Parent
commit
68d24e65c9

+ 11 - 0
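--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -379,6 +379,17 @@ Query::process(datasrc::ClientList& client_list,
         response_->setRcode(Rcode::SERVFAIL());
         return;
     }
+
+    if (qtype == RRType::RRSIG()) {
+        // We will not serve RRSIGs directly. See #2226 and the
+        // following thread for discussion why:
+        // http://www.ietf.org/mail-archive/web/dnsext/current/msg07123.html
+        // RRSIGs go together with their covered RRset.
+        response_->setHeaderFlag(Message::HEADERFLAG_AA);
+        response_->setRcode(Rcode::REFUSED());
+        return;
+    }
+
     ZoneFinder& zfinder = *result.finder_;
 
     // We have authority for a zone that contain the query name (possibly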
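Review bot: The new RRSIG guard sets AA before REFUSED but does not say why it sits after the zone lookup rather than at the top of Query::process, and a later reader may hoist it and lose the authority check that makes AA correct. A one-line comment would pin the ordering, e.g. `// Placed after the zone lookup on purpose: AA is only correct once we know qname is in a zone we serve.` The ordering itself looks right, since a REFUSED reply with AA set is exactly what the new unit test and lettuce scenario in this commit expect. Query::process begins and continues outside the hunk, so whether qtype is the raw parameter or was normalised earlier cannot be seen here.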

+ 7 - 0
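--- a/src/bin/auth/tests/query_unittest.cc
+++ b/src/bin/auth/tests/query_unittest.cc
@@ -1215,6 +1215,13 @@ TEST_P(QueryTest, exactMatchMultipleQueries) {
                   www_a_txt, zone_ns_txt, ns_addrs_txt);
 }
 
+TEST_P(QueryTest, qtypeIsRRSIG) {
+    // Directly querying for RRSIGs should result in rcode=REFUSED.
+    EXPECT_NO_THROW(query.process(*list_, qname, RRType::RRSIG(), response));
+    responseCheck(response, Rcode::REFUSED(), AA_FLAG, 0, 0, 0,
+                  "", "", "");
+}
+
 TEST_P(QueryTest, exactMatchIgnoreSIG) {
     // Check that we do not include the RRSIG when not requested even when
     // we receive it from the data source.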
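Review bot: qtypeIsRRSIG only exercises the in-zone case: qname presumably belongs to a zone the fixture serves, so the test pins REFUSED plus AA but says nothing about an RRSIG query for a name outside every served zone, where the new guard in Query::process is reached only after the zone lookup. A companion test with an out-of-zone name would fix the intended ordering of the RRSIG check relative to that lookup; the fixture members used here (query, list_, qname, response) are defined outside the hunk, so I cannot tell which helper supplies such a name. The comment could also spell out what the three zero counts assert, e.g. `// Directly querying for RRSIGs should result in rcode=REFUSED and an otherwise empty response (no RRSIG in any section).`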

+ 22 - 0
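--- a/tests/lettuce/features/queries.feature
+++ b/tests/lettuce/features/queries.feature
@@ -331,6 +331,28 @@ Feature: Querying feature
           | qryreferral       |          1 |
           | rcode.noerror     |          1 |
 
+    Scenario: RRSIG query
+        # Directly querying for RRSIGs should result in rcode=REFUSED.
+        Given I have bind10 running with configuration nsec3/nsec3_auth.config
+        And wait for bind10 stderr message BIND10_STARTED_CC
+        And wait for bind10 stderr message CMDCTL_STARTED
+        And wait for bind10 stderr message AUTH_SERVER_STARTED
+
+        bind10 module Auth should be running
+        And bind10 module Resolver should not be running
+        And bind10 module Xfrout should not be running
+        And bind10 module Zonemgr should not be running
+        And bind10 module Xfrin should not be running
+        And bind10 module Stats should not be running
+        And bind10 module StatsHttpd should not be running
+
+        A dnssec query for example. type RRSIG should have rcode REFUSED
+        The last query response should have flags qr aa
+        The last query response should have edns_flags do
+        The last query response should have ancount 0
+        The last query response should have nscount 0
+        The last query response should have adcount 1
+
     Scenario: SSHFP query
         # We are testing one more RR type for a normal successful case
         Given I have bind10 running with configuration example.org.inmem.config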
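Review bot: The scenario asserts `adcount 1` on a REFUSED answer without saying where that one record comes from, which reads like a leaked RRSIG until one notices the query is sent as a dnssec query with the DO flag. A short note next to the count, e.g. `# adcount 1 is presumably the EDNS OPT RR echoed for the dnssec query, not zone data`, would save the next reader that detour. Whether the OPT record is really what is counted cannot be confirmed from the feature file alone, so the note is best phrased as an expectation to be checked against the query step's implementation.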