From 594b7f8b918c07cd57190d690a660b321cd0cedf Mon Sep 17 00:00:00 2001
From: Shreyas Zare
Date: Sun, 6 Mar 2022 16:06:26 +0530
Subject: [PATCH] PrimarySubDomainZone: Updated implementation to validate of the RRSet type is supported by DNSSEC.
---
 .../Dns/Zones/PrimarySubDomainZone.cs | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/DnsServerCore/Dns/Zones/PrimarySubDomainZone.cs b/DnsServerCore/Dns/Zones/PrimarySubDomainZone.cs
index c94fd6c3..2d919ea2 100644
--- a/DnsServerCore/Dns/Zones/PrimarySubDomainZone.cs
+++ b/DnsServerCore/Dns/Zones/PrimarySubDomainZone.cs
@@ -54,6 +54,16 @@ namespace DnsServerCore.Dns.Zones
 public override void SetRecords(DnsResourceRecordType type, IReadOnlyList records)
 {
+ if (_primaryZone.DnssecStatus != AuthZoneDnssecStatus.Unsigned)
+ {
+ switch (type)
+ {
+ case DnsResourceRecordType.ANAME:
+ case DnsResourceRecordType.APP:
+ throw new DnsServerException("The record type is not supported by DNSSEC signed primary zones.");
+ }
+ }
+
 switch (type)
 {
 case DnsResourceRecordType.SOA:
@@ -66,6 +76,9 @@ namespace DnsServerCore.Dns.Zones
 case DnsResourceRecordType.NSEC3:
 throw new InvalidOperationException("Cannot set DNSSEC records.");
+ case DnsResourceRecordType.FWD:
+ throw new DnsServerException("The record type is not supported by primary zones.");
+
 default:
 if (records[0].OriginalTtlValue > _primaryZone.GetZoneSoaExpire())
 throw new DnsServerException("Failed to set records: TTL cannot be greater than SOA EXPIRE.");
@@ -85,6 +98,16 @@ namespace DnsServerCore.Dns.Zones
 public override void AddRecord(DnsResourceRecord record)
 {
+ if (_primaryZone.DnssecStatus != AuthZoneDnssecStatus.Unsigned)
+ {
+ switch (record.Type)
+ {
+ case DnsResourceRecordType.ANAME:
+ case DnsResourceRecordType.APP:
+ throw new DnsServerException("The record type is not supported by DNSSEC signed primary zones.");
+ }
+ }
+
 switch (record.Type)
 {
 case DnsResourceRecordType.DNSKEY:
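Review bot: The signed-zone guard at the top of SetRecords is repeated verbatim at the top of AddRecord in the third hunk, so the list of types a signed zone cannot hold (ANAME, APP) now lives in two places and can drift. A record of either type that reaches a signed zone through a path lacking the guard would presumably be answered without valid signatures, so it is worth confirming that any other write path in this class, and the code that signs an already populated zone, apply the same rule; neither is visible in this patch. Moving the check into one private helper that both methods call first keeps the rule in a single place, as sketched below; the helper name is only a suggestion. Both method bodies continue outside their hunks.

```csharp
// Proposed helper: SetRecords(type, ...) and AddRecord(record) each call it as their first statement.
private void ThrowIfUnsupportedInSignedZone(DnsResourceRecordType type)
{
    if (_primaryZone.DnssecStatus == AuthZoneDnssecStatus.Unsigned)
        return;

    switch (type)
    {
        case DnsResourceRecordType.ANAME:
        case DnsResourceRecordType.APP:
            throw new DnsServerException("The record type is not supported by DNSSEC signed primary zones.");
    }
}
```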
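Review bot: The FWD rejection added in this switch, like the signed-zone guard at the top of SetRecords, is decided from the `type` argument alone, and nothing visible in the method checks that the elements of `records` actually carry that type. If a caller can pass a list whose records have a different `Type`, an ANAME, APP or FWD record could get past both guards; whether the base implementation or the callers rule that out cannot be seen from this hunk. A cheap consistency check before the switch would close the gap, for example `foreach (var record in records)` followed by `if (record.Type != type) throw new DnsServerException("Record type does not match the RRSet type.");`. The TTL test in the `default:` branch has the same shape, since it reads only `records[0]`.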
@@ -94,6 +117,9 @@ namespace DnsServerCore.Dns.Zones
 case DnsResourceRecordType.NSEC3:
 throw new InvalidOperationException("Cannot add DNSSEC record.");
+ case DnsResourceRecordType.FWD:
+ throw new DnsServerException("The record type is not supported by primary zones.");
+
 default:
 if (record.OriginalTtlValue > _primaryZone.GetZoneSoaExpire())
 throw new DnsServerException("Failed to add record: TTL cannot be greater than SOA EXPIRE.");
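Review bot: Rejections in this switch now use two exception types: the DNSSEC record types just above throw InvalidOperationException, while the new FWD case (here and in the second hunk, in SetRecords) throws DnsServerException. If the calling layer reports the two differently, a rejected FWD record and a rejected NSEC3 record will surface to the client in different ways although both are the same kind of input error; how callers handle them is not visible here. If the split is intentional, a one-line comment above the case would record the reason, e.g. `// FWD is rejected as a user-facing error, unlike the DNSSEC types above`. The switch continues outside the hunk.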