git.ipfire.org Git - thirdparty/pdns.git/commit
rec: Ancestor NSEC3s can only deny the existence of a DS
author    Remi Gacogne <remi.gacogne@powerdns.com>
          Tue, 13 Jul 2021 09:56:00 +0000 (11:56 +0200)
committer Remi Gacogne <remi.gacogne@powerdns.com>
          Tue, 13 Jul 2021 16:36:36 +0000 (18:36 +0200)
commit    d270600bf4d310dcdc3d422ecc9be6d8210e7849
tree      73fd9f09815673a56de883a1454776efc860ca0f
parent    ef3715af2d8ccd8203f5f740c864917e18d0b055
rec: Ancestor NSEC3s can only deny the existence of a DS

Before that commit, the aggressive NSEC(3) cache could have
mistakenly used NSEC3s from the parent zone to prove that a given
name in the child zone did not exist, which is incorrect.
It happened because we did not properly detect that the NSEC3 for
the closest encloser was an ancestor NSEC3 indicating a delegation,
and then, in the unlikely but possible case that we found an NSEC3
from the parent zone whose hashes covered the next closer, we wrongly
concluded that the name did not exist, returning an NXDomain with an
invalid proof of denial.
pdns/recursordist/aggressive_nsec.cc
pdns/recursordist/test-aggressive_nsec_cc.cc
pdns/recursordist/test-syncres_cc8.cc
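The check the commit message describes, as an added example that is not PowerDNS code: before an aggressive NSEC3 cache may synthesise NXDOMAIN it needs a matching NSEC3 for the closest encloser and a covering NSEC3 for the next closer, and the closest-encloser record must not be an ancestor delegation (NS bit set, SOA bit clear), because such a record was generated by the parent and cannot say anything about names inside the child zone; the only type it can deny at its own owner name is DS. Hashed owner names are modelled here as already-hashed placeholder labels (constructed strings, no real NSEC3 hashing), the type bitmap as a set of RR type numbers, and the function and constant names are hypothetical.

```cpp
// Added example, not PowerDNS code: the closest-encloser / next-closer check an
// aggressive NSEC3 cache must apply before synthesising NXDOMAIN, including the
// ancestor-delegation test the commit adds. Hashed owner names are modelled as
// already-hashed labels (constructed strings, no SHA-1/base32 here) and the
// type bitmap as a set of RR type numbers.
#include <cstdint>
#include <set>
#include <string>

// RR type numbers from the IANA DNS parameters registry
constexpr uint16_t QTYPE_A = 1;
constexpr uint16_t QTYPE_NS = 2;
constexpr uint16_t QTYPE_SOA = 6;
constexpr uint16_t QTYPE_DNAME = 39;
constexpr uint16_t QTYPE_DS = 43;
constexpr uint16_t QTYPE_RRSIG = 46;
constexpr uint16_t QTYPE_DNSKEY = 48;

struct NSEC3Record {
    std::string ownerHash;     // hashed owner label (pre-hashed placeholder)
    std::string nextHash;      // "next hashed owner name" field of the RDATA
    std::set<uint16_t> types;  // type bitmap
};

// RFC 6840 section 4.4: NS set and SOA clear means this NSEC3 was generated by
// the parent at a zone cut. It says nothing about names inside the child zone,
// and the only type it can deny at its own name is DS.
bool isAncestorDelegation(const NSEC3Record& r) {
    return r.types.count(QTYPE_NS) != 0 && r.types.count(QTYPE_SOA) == 0;
}

// Does this NSEC3 cover the hash, i.e. is the hash strictly between owner and
// next? The last record of the chain wraps around to the first one
// (RFC 5155 section 8.2), so the comparison has two cases.
bool covers(const NSEC3Record& r, const std::string& hash) {
    if (r.ownerHash < r.nextHash) {
        return r.ownerHash < hash && hash < r.nextHash;
    }
    return hash > r.ownerHash || hash < r.nextHash;
}

// NXDOMAIN synthesis needs a matching NSEC3 for the closest encloser and a
// covering NSEC3 for the next closer (RFC 5155 section 8.4). The bug described
// in the commit message is the missing isAncestorDelegation() test: without it
// a parent-zone NSEC3 at the delegation is accepted as the closest encloser and
// the recursor "proves" the absence of a name that lives in the child zone.
bool canSynthesiseNxDomain(const NSEC3Record& closestEncloser,
                           const std::string& closestEncloserHash,
                           const NSEC3Record& nextCloser,
                           const std::string& nextCloserHash) {
    if (closestEncloser.ownerHash != closestEncloserHash) {
        return false;  // not a matching NSEC3 at all
    }
    // RFC 5155 section 8.3: a closest encloser must not carry a DNAME and must
    // not be an ancestor delegation.
    if (closestEncloser.types.count(QTYPE_DNAME) != 0 ||
        isAncestorDelegation(closestEncloser)) {
        return false;
    }
    return covers(nextCloser, nextCloserHash);
}

// Can a matching NSEC3 deny a given type at its owner name? For an ancestor
// NSEC3 the answer is yes only for DS, the one parent-side type at a zone cut.
bool canDenyType(const NSEC3Record& matching, const std::string& nameHash,
                 uint16_t qtype) {
    if (matching.ownerHash != nameHash) {
        return false;
    }
    if (matching.types.count(qtype) != 0) {
        return false;  // the bitmap says the type exists
    }
    if (isAncestorDelegation(matching)) {
        return qtype == QTYPE_DS;
    }
    return true;
}

// Constructed sample records (placeholder hashes, not a full chain or a real
// zone). The apex and delegation records share an owner hash because they
// describe the same name: one from the child zone (has SOA), the others from
// the parent zone (no SOA).
const NSEC3Record kChildApexNsec3{"a1b2", "c000", {QTYPE_NS, QTYPE_SOA, QTYPE_DNSKEY, QTYPE_RRSIG}};
const NSEC3Record kSecureDelegationNsec3{"a1b2", "c000", {QTYPE_NS, QTYPE_DS, QTYPE_RRSIG}};
const NSEC3Record kInsecureDelegationNsec3{"a1b2", "c000", {QTYPE_NS, QTYPE_RRSIG}};
const NSEC3Record kCoveringNsec3{"c000", "d000", {QTYPE_A, QTYPE_RRSIG}};
const NSEC3Record kLastNsec3{"f0f0", "0123", {QTYPE_A, QTYPE_RRSIG}};  // wraps around
```

With the child-zone apex record as closest encloser and the covering record for a next closer hashing to "c5c5", `canSynthesiseNxDomain` returns true; swap in either parent-side delegation record for the same owner hash and it returns false, which is the case the commit fixes. `canDenyType` lets the insecure delegation record deny a DS at its own name but nothing else.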