return;
}
+#warning Ponder storing everything in raw form, without the zone instead. It still needs to be a DNSName for NSEC, though
next = DNSName(toBase32Hex(content->d_nexthash)) + zone;
entry->d_iterations = content->d_iterations;
entry->d_salt = content->d_salt;
denial = matchesNSEC(wc, type.getCode(), wcEntry.d_owner, nsecContent, wcEntry.d_signatures);
if (denial == dState::NODENIAL) {
/* too complicated for now */
+ /* we would need:
+ - to store wildcard entries in the non-expanded form in the record cache, in addition to their expanded form ;
+ - do a lookup to retrieve them ;
+ - expand them and the NSEC
+ */
return false;
}
else if (denial == dState::NXQTYPE) {
if (wcEntry.d_owner != wc) {
needWildcard = true;
}
-#if 0
- if (wcEntry.d_owner == wc) {
- if (!nsecContent) {
- return false;
- }
- if (nsecContent->isSet(type.getCode())) {
- /* too complicated for now */
- return false;
- }
- if (nsecContent->isSet(QType::CNAME)) {
- /* too complicated for now */
- return false;
- }
-
- covered = true;
- res = RCode::NoError;
- }
- else if (isCoveredByNSEC(wc, wcEntry.d_owner, wcEntry.d_next)) {
- cerr<<"next is "<<wcEntry.d_next<<endl;
- covered = true;
- res = RCode::NXDomain;
- needWildcard = true;
- }
-#endif
}
}
BOOST_CHECK_EQUAL(denialState, dState::NODENIAL);
}
+BOOST_AUTO_TEST_CASE(test_nsec_expanded_wildcard_proof)
+{
+ initSR();
+
+ testkeysset_t keys;
+ generateKeyMaterial(DNSName("example.org."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys);
+
+ vector<DNSRecord> records;
+
+ sortedRecords_t recordContents;
+ vector<shared_ptr<RRSIGRecordContent>> signatureContents;
+
+ /* proves that a.example.com does exist, and has been generated from a wildcard (see the RRSIG below) */
+ addNSECRecordToLW(DNSName("a.example.org."), DNSName("d.example.org"), {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, records);
+ recordContents.insert(records.at(0).d_content);
+ addRRSIG(keys, records, DNSName("example.org."), 300, false, boost::none, DNSName("example.org."));
+ signatureContents.push_back(getRR<RRSIGRecordContent>(records.at(1)));
+ records.clear();
+
+ ContentSigPair pair;
+ pair.records = recordContents;
+ pair.signatures = signatureContents;
+ cspmap_t denialMap;
+ denialMap[std::make_pair(DNSName("a.example.org."), QType::NSEC)] = pair;
+
+ /* This is an expanded wildcard proof, meaning that it does prove that the exact name
+ does not exist so the wildcard can apply */
+ dState denialState = getDenial(denialMap, DNSName("a.example.org."), QType(0).getCode(), false, false, false, /* normally retrieved from the RRSIG's d_labels */ 2);
+ BOOST_CHECK_EQUAL(denialState, dState::NXDOMAIN);
+}
+
BOOST_AUTO_TEST_CASE(test_nsec_wildcard_with_cname)
{
initSR();
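Review bot: The comment above the addNSECRecordToLW call names the wrong zone: it says `a.example.com` while every record in the test lives under `example.org.`; it should read `/* proves that a.example.org does exist, and has been generated from a wildcard (see the RRSIG below) */`. The test also only pins the positive path: since the last argument is documented as the label count normally taken from the RRSIG, a second call with the owner's own label count (3 for a.example.org.) asserting that the result is not NXDOMAIN would show that the wildcard inference really hinges on that parameter rather than on the NSEC alone — I am assuming getDenial's last parameter behaves as the inline comment says. Minor: `DNSName("d.example.org")` lacks the trailing dot every other name in the file carries; DNSName presumably canonicalizes, but keeping the spelling consistent avoids a reader wondering whether it matters.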
if (qname.isPartOf(wildcard)) {
LOG("\tWildcard matches");
- if (qtype == 0 || (!nsec->isSet(qtype) && !nsec->isSet(QType::CNAME))) {
+ if (qtype == 0 || (!nsec->isSet(qtype) && !nsec->isSet(QType::CNAME) && !nsec->isSet(QType::DNAME))) {
LOG(" and proves that the type did not exist"<<endl);
return true;
}
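Review bot: The new DNAME test on the changed line is never evaluated when qtype is 0, because `qtype == 0 ||` short-circuits the whole conjunction, so for the qtype-0 callers a wildcard NSEC that carries a DNAME bit still counts as a valid match. If that is intended (qtype 0 meaning "existence only, bitmap irrelevant") it deserves a comment such as `// qtype 0 only asks whether the wildcard matches; CNAME/DNAME bits are checked by the caller`; if not, the DNAME check should be hoisted out of the disjunction so it applies regardless of qtype. I cannot see the qtype-0 callers from here, so this is a point to confirm rather than a confirmed defect. The enclosing function starts and ends outside the hunk.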
if (wildcardExists) {
*wildcardExists = true;
}
- if (qtype == 0 || (!nsec3->isSet(qtype) && !nsec3->isSet(QType::CNAME))) {
+ if (qtype == 0 || (!nsec3->isSet(qtype) && !nsec3->isSet(QType::CNAME) && !nsec3->isSet(QType::DNAME))) {
LOG(" and proves that the type did not exist"<<endl);
return true;
}
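Review bot: This NSEC3 branch now repeats, token for token, the three-way bitmap condition of the NSEC wildcard path (`!isSet(qtype) && !isSet(CNAME) && !isSet(DNAME)`), and the two have to evolve together; a small helper taking the content and qtype, e.g. `static bool bitmapHasNoAnswerFor(const auto& content, uint16_t qtype)` (or a template, since nsec and nsec3 are distinct types), would keep the NSEC and NSEC3 checks from drifting apart the way the log messages further down already have. It also inherits the `qtype == 0 ||` short-circuit, so the DNAME bit is ignored for qtype 0 here as well; whether that is intended should be stated in a comment. The enclosing function starts and ends outside the hunk.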
return dState::NODENIAL;
}
+ if (nsec->isSet(QType::DNAME)) {
+ return dState::NODENIAL;
+ }
+
return dState::NXQTYPE;
}
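Review bot: The added DNAME early-return is silent, whereas the equivalent checks added elsewhere in this change emit a LOG line before returning NODENIAL, which makes this path the only one a trace cannot distinguish from the neighbouring NODENIAL returns; add `LOG("However a DNAME exists"<<endl);` before the return for consistency. The enclosing function starts and ends outside the hunk, so I cannot see which name this bitmap belongs to at this point.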
return dState::NODENIAL;
}
+ if (nsec->isSet(QType::DNAME)) {
+ LOG("However a CNAME exists"<<endl);
+ return dState::NODENIAL;
+ }
+
/*
* RFC 4035 Section 2.3:
* The bitmap for the NSEC RR at a delegation point requires special
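Review bot: The log message in the added block contradicts the condition: the test is `nsec->isSet(QType::DNAME)` but it reports `However a CNAME exists`, which will send anyone debugging a denial-of-existence failure after the wrong record type; change it to `LOG("However a DNAME exists"<<endl);`. A one-line why-comment on the check would also help, since the surrounding RFC 4035 comment covers delegations but nothing explains why a DNAME bit turns the proof into NODENIAL (presumably because the qname would then be synthesised via the DNAME rather than denied). The enclosing function starts and ends outside the hunk.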
return dState::NODENIAL;
}
+ if (nsec3->isSet(QType::DNAME)) {
+ LOG("However a CNAME exists"<<endl);
+ return dState::NODENIAL;
+ }
+
/*
* RFC 5155 section 8.9:
* If there is an NSEC3 RR present in the response that matches the
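Review bot: Same copy-paste slip as in the NSEC path: the condition checks `nsec3->isSet(QType::DNAME)` but logs `However a CNAME exists`; it should be `LOG("However a DNAME exists"<<endl);`. Consider a brief comment stating why a DNAME bit in the matching NSEC3 disqualifies the denial, as the adjacent RFC 5155 8.9 quotation does not mention DNAME. The enclosing function starts and ends outside the hunk.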