fix nsec3 wrapping issue for insecure delegations
authorbert hubert <bert.hubert@netherlabs.nl>
Fri, 1 Jul 2016 09:02:26 +0000 (11:02 +0200)
committerbert hubert <bert.hubert@netherlabs.nl>
Fri, 1 Jul 2016 09:02:26 +0000 (11:02 +0200)
pdns/validate.cc

index 25b6e9b4d6d82b4d7a24af35c9343e0a16b48094..6918f5f06a3b2cc5ae38450aa867821f11c06b5f 100644 (file)
@@ -403,7 +403,8 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
               string h = hashQNameWithSalt(nsec3->d_salt, nsec3->d_iterations, qname);
               LOG("\tquery hash: "<<toBase32Hex(h)<<endl);
               string beginHash=fromBase32Hex(v.first.first.getRawLabels()[0]);
-              if(beginHash < h && h < nsec3->d_nexthash) {
+              if( (beginHash < h && h < nsec3->d_nexthash) ||
+                  (nsec3->d_nexthash > h  && beginHash > nsec3->d_nexthash)) { //wrap
                 LOG("Denies existence of DS!"<<endl);
                 return Insecure;
               }
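Review bot: The wrap branch added to the `if` handles only one side of the wrapped interval. When `beginHash > nsec3->d_nexthash` (the last NSEC3 in the chain), a query hash `h` that sorts after `beginHash` is also covered, yet neither disjunct matches it, so the DS denial is not recognised and this path does not return `Insecure`. Consider adding `|| (beginHash > nsec3->d_nexthash && h > beginHash)`, and for a chain holding a single NSEC3 record `|| (beginHash == nsec3->d_nexthash && h != beginHash)`. What the validator does after falling through is outside the hunk, but a missed denial for an unsigned delegation presumably ends in a validation failure, so a test with a hash on each side of the wrap point would be worth having. `getKeysFor` starts and ends outside this hunk.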