From 2a1e55f0f5abb6bf086e249c67de0588e59f6152 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= Date: Wed, 18 Dec 2024 12:21:24 +0100 Subject: [PATCH 1/3] pdnsutil add-record: Specify how to add a record to the apex Fix the respective calls in a test and the docs according to the now explicit recommendation. Using NAME=@ is the condition that is explicitly treated for that purpose in the code. Currently NAME='' and NAME=. have the same effect. --- docs/guides/basic-database.rst | 2 +- docs/manpages/pdnsutil.1.rst | 1 + regression-tests.auth-py/test_GSSTSIG.py | 6 +++--- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/guides/basic-database.rst b/docs/guides/basic-database.rst index 15afac0091a2..8afb554820b2 100644 --- a/docs/guides/basic-database.rst +++ b/docs/guides/basic-database.rst @@ -67,7 +67,7 @@ Now, let's add a zone and some records:: $ sudo -u pdns pdnsutil create-zone example.com ns1.example.com Creating empty zone 'example.com' Also adding one NS record - $ sudo -u pdns pdnsutil add-record example.com '' MX '25 mail.example.com' + $ sudo -u pdns pdnsutil add-record example.com @ MX '25 mail.example.com' New rrset: example.com. 3005 IN MX 25 mail.example.com $ sudo -u pdns pdnsutil add-record example.com. www A 192.0.2.1 diff --git a/docs/manpages/pdnsutil.1.rst b/docs/manpages/pdnsutil.1.rst index dfc8e01c6030..4a2f9183b0cd 100644 --- a/docs/manpages/pdnsutil.1.rst +++ b/docs/manpages/pdnsutil.1.rst @@ -172,6 +172,7 @@ ZONE MANIPULATION COMMANDS add-record *ZONE* *NAME* *TYPE* [*TTL*] *CONTENT* Add one or more records of *NAME* and *TYPE* to *ZONE* with *CONTENT* and optional *TTL*. If *TTL* is not set, default will be used. + Use @ as name to add a record to the apex. add-autoprimary *IP* *NAMESERVER* [*ACCOUNT*] Add a autoprimary entry into the backend. This enables receiving zone updates from other servers. remove-autoprimary *IP* *NAMESERVER* 
diff --git a/regression-tests.auth-py/test_GSSTSIG.py b/regression-tests.auth-py/test_GSSTSIG.py index 2297f46c2a98..5b388efa0488 100644 --- a/regression-tests.auth-py/test_GSSTSIG.py +++ b/regression-tests.auth-py/test_GSSTSIG.py @@ -43,9 +43,9 @@ def setUpClass(cls): os.system("$PDNSUTIL --config-dir=configs/auth create-zone noacceptor.net") os.system("$PDNSUTIL --config-dir=configs/auth create-zone wrongacceptor.net") - os.system("$PDNSUTIL --config-dir=configs/auth add-record example.net . SOA 3600 'ns1.example.net otto.example.net 2022010403 10800 3600 604800 3600'") - os.system("$PDNSUTIL --config-dir=configs/auth add-record noacceptor.net . SOA 3600 'ns1.noacceptor.net otto.example.net 2022010403 10800 3600 604800 3600'") - os.system("$PDNSUTIL --config-dir=configs/auth add-record wrongacceptor.net . SOA 3600 'ns1.wrongacceptor.net otto.example.net 2022010403 10800 3600 604800 3600'") + os.system("$PDNSUTIL --config-dir=configs/auth add-record example.net @ SOA 3600 'ns1.example.net otto.example.net 2022010403 10800 3600 604800 3600'") + os.system("$PDNSUTIL --config-dir=configs/auth add-record noacceptor.net @ SOA 3600 'ns1.noacceptor.net otto.example.net 2022010403 10800 3600 604800 3600'") + os.system("$PDNSUTIL --config-dir=configs/auth add-record wrongacceptor.net @ SOA 3600 'ns1.wrongacceptor.net otto.example.net 2022010403 10800 3600 604800 3600'") os.system("$PDNSUTIL --config-dir=configs/auth set-meta example.net GSS-ACCEPTOR-PRINCIPAL DNS/ns1.example.net@EXAMPLE.COM") os.system("$PDNSUTIL --config-dir=configs/auth set-meta wrongacceptor.net GSS-ACCEPTOR-PRINCIPAL DNS/ns1.example.net@EXAMPLE.COM") From 391ca6494fad04458de9ab9d60b3fc4f31737250 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= Date: Tue, 17 Dec 2024 23:15:56 +0100 Subject: [PATCH 2/3] pdnsutil {add-record,delete-rrset}: Don't append ZONE if NAME ends with . or ZONE If a NAME ends with a . it is to be understood as an absolute name and appending the zone is not intuitive then. Note this changes behaviour for calls like: pdnsutil --config-dir=configs/auth add-record example.net . NS 1.2.3.4 which added the NS record to the zone's apex before and is likely an error now. Also make both pdnsutil --config-dir=configs/auth add-record example.net www.example.net A 1.2.3.5 pdnsutil --config-dir=configs/auth add-record example.net www A 1.2.3.5 add www.example.net. to the example.net zone. Closes: https://github.com/PowerDNS/pdns/issues/8595 --- pdns/pdnsutil.cc | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc index ed19662297cd..92d010b0d786 100644 --- a/pdns/pdnsutil.cc +++ b/pdns/pdnsutil.cc @@ -1597,10 +1597,14 @@ static int addOrReplaceRecord(bool addOrReplace, const vector& cmds) { vector newrrs; DNSName zone(cmds.at(1)); DNSName name; - if (cmds.at(2) == "@") - name=zone; - else + if (cmds.at(2) == "@") { + name = zone; + } else if (isCanonical(cmds.at(2)) || boost::ends_with(cmds.at(2), cmds.at(1))) { + name = DNSName(cmds.at(2)); + } else { + cerr << "Name " << cmds.at(2) << "' does not fit into zone '" << zone << "'. Interpreting as relative name." << endl; name = DNSName(cmds.at(2)) + zone; + } rr.qtype = DNSRecordContent::TypeToNumber(cmds.at(3)); rr.ttl = ::arg().asNum("default-ttl"); 
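Review bot: The new `boost::ends_with(cmds.at(2), cmds.at(1))` test in addOrReplaceRecord compares raw strings, so it is not label-aligned, is case-sensitive and depends on a trailing dot in the ZONE argument: with zone `example.net`, `badexample.net` is taken as an absolute name although it lies outside the zone, and `WWW.EXAMPLE.NET` falls into the relative branch. The `isCanonical` branch also accepts any dot-terminated name with no in-zone check visible in this hunk, and the warning (which lacks its opening quote) is printed for every ordinary relative name such as `www`. Deciding on the parsed name with `DNSName::isPartOf(zone)` and rejecting absolute names outside the zone avoids all three, as sketched below; an empty NAME would need its own branch before that call, and whether to fail or only warn is the author's call. The deleteRRSet hunk has the same logic with `name_`/`zone_` and needs the same change; both function bodies continue outside their hunks.

```cpp
DNSName name;
if (cmds.at(2) == "@") {
  name = zone;
}
else {
  DNSName given(cmds.at(2));
  if (given.isPartOf(zone)) {
    // Comparison is done on parsed labels, not on the raw argument text.
    name = given;
  }
  else if (isCanonical(cmds.at(2))) {
    cerr << "Name '" << cmds.at(2) << "' is absolute but not part of zone '" << zone << "'" << endl;
    return EXIT_FAILURE;
  }
  else {
    name = given + zone;
  }
}
// … unchanged: rr.qtype / rr.ttl setup …
```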
@@ -1735,10 +1739,14 @@ static int deleteRRSet(const std::string& zone_, const std::string& name_, const } DNSName name; - if(name_=="@") - name=zone; - else - name=DNSName(name_)+zone; + if (name_ == "@") { + name = zone; + } else if (isCanonical(name_) || boost::ends_with(name_, zone_)) { + name = DNSName(name_); + } else { + cerr << "Name " << name_ << "' does not fit into zone '" << zone << "'. Interpreting as relative name." << endl; + name = DNSName(name_) + zone; + } QType qt(QType::chartocode(type_.c_str())); di.backend->startTransaction(zone, -1); From 5f8af391b1ba7a49c884a020b525fa5ef8ff6db5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= Date: Wed, 18 Dec 2024 10:04:02 +0100 Subject: [PATCH 3/3] misc: Use boost::ends_with() in isCanonical instead of open-coding boost:ends_with(qname, ".") behaves exactly as isCanonical(qname) should. So use the first to implement the latter. --- pdns/misc.hh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pdns/misc.hh b/pdns/misc.hh index 39fdb6c08680..2a7c0be2a2bf 100644 --- a/pdns/misc.hh +++ b/pdns/misc.hh @@ -469,9 +469,7 @@ pair splitField(const string& inp, char sepa); inline bool isCanonical(const string& qname) { - if(qname.empty()) - return false; - return qname[qname.size()-1]=='.'; + return boost::ends_with(qname, "."); } inline DNSName toCanonic(const DNSName& zone, const string& qname)
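Review bot: isCanonical() now depends on `boost::ends_with`, yet the hunk adds no include to misc.hh (the diffstat's single insertion is the call itself), so the header compiles only if `<boost/algorithm/string/predicate.hpp>` or an umbrella Boost string header is already included earlier in the file. That is worth confirming rather than relying on a transitive include. Since patch 2 now uses this helper to decide whether a user-supplied NAME is absolute, a one-line comment above it would also help: `// Textual check only: true iff qname ends in '.', also for an escaped "\."; false for an empty string.`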