Better wrongly truncated check. And debug statements.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 29 Jun 2009 10:15:27 +0000 (10:15 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 29 Jun 2009 10:15:27 +0000 (10:15 +0000)
git-svn-id: file:///svn/unbound/trunk@1687 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
validator/validator.c

index c494eb9474ef1032580b2e108b7528fd85493bd8..6ce34536883537555dd4c6526fda80fba8ecb0a1 100644 (file)
@@ -1,6 +1,7 @@
 29 June 2009: Wouter
        - ldns trunk r2959 imported as tarball, because of solaris cc compile
          support for c99.
+       - better wrongly_truncated check.
 
 26 June 2009: Wouter
        - Fix EDNS fallback when EDNS works for short answers but long answers
index 141a98acac20ac6fe0b60f433dfca46b128ba56b..7adf0dd01e728576fa354b0c7450779aeeca6866 100644 (file)
@@ -482,7 +482,7 @@ validate_msg_signatures(struct module_env* env, struct val_env* ve,
  * Detect wrong truncated response (say from BIND 9.6.1 that is forwarding
  * and saw the NS record without signatures from a referral).
  * The positive response has a mangled authority section.
- * Remove that authority section.
+ * Remove that authority section and the additional section.
  * @param rep: reply
  * @return true if a wrongly truncated response.
  */
@@ -496,9 +496,8 @@ detect_wrongly_truncated(struct reply_info* rep)
                (int)rep->ns_numrrsets, (int)rep->ar_numrrsets,
                (int)rep->rrset_count);
 
-       /* no additional, only NS in authority, and it is bogus */
-       if(rep->ar_numrrsets != 0 || rep->ns_numrrsets != 1 ||
-               rep->an_numrrsets == 0)
+       /* only NS in authority, and it is bogus */
+       if(rep->ns_numrrsets != 1 || rep->an_numrrsets == 0)
                return 0;
        if(ntohs(rep->rrsets[ rep->an_numrrsets ]->rk.type) != LDNS_RR_TYPE_NS)
                return 0;
@@ -510,7 +509,7 @@ detect_wrongly_truncated(struct reply_info* rep)
                sec_status_to_string(((struct packed_rrset_data*)rep->rrsets[ 
                rep->an_numrrsets ] ->entry.data)->security));
        if(((struct packed_rrset_data*)rep->rrsets[ rep->an_numrrsets ]
-               ->entry.data)->security != sec_status_bogus)
+               ->entry.data)->security == sec_status_secure)
                return 0;
        /* answer section is present and secure */
        for(i=0; i<rep->an_numrrsets; i++) {
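Review bot: The status test now returns 0 only for `sec_status_secure`, so an authority NS rrset in any other state, not just bogus, makes the reply eligible for the workaround, while the comment a few lines up in this function still reads `/* only NS in authority, and it is bogus */`. That comment should follow the code, for example `/* only NS in authority, and it is not secure */`, and the function's header comment could say the same so the widened condition is visibly deliberate. The loop that starts on the last line of the hunk appears to require a secure answer section before the workaround applies, which is what would keep the relaxed test from passing unvalidated answer data; its body is outside the hunk, so that is worth confirming. The repeated cast of `rep->rrsets[rep->an_numrrsets]->entry.data` would also read better as one local `struct packed_rrset_data*`.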
@@ -1507,9 +1506,13 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
                        detect_wrongly_truncated(vq->orig_msg->rep)) {
                        /* truncate the message some more */
                        vq->orig_msg->rep->ns_numrrsets = 0;
-                       vq->orig_msg->rep->rrset_count--;
+                       vq->orig_msg->rep->ar_numrrsets = 0;
+                       vq->orig_msg->rep->rrset_count = 
+                               vq->orig_msg->rep->an_numrrsets;
                        vq->chase_reply->ns_numrrsets = 0;
-                       vq->chase_reply->rrset_count--;
+                       vq->chase_reply->ar_numrrsets = 0;
+                       vq->chase_reply->rrset_count = 
+                               vq->chase_reply->an_numrrsets;
                }
                else {
                        verbose(VERB_DETAIL, "Validate: message contains "
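Review bot: The same three assignments are now written out twice, once for `vq->orig_msg->rep` and once for `vq->chase_reply`, and a later change to one copy can easily miss the other; a small static helper taking a `struct reply_info*` would keep them in step. Resetting `rrset_count` to `an_numrrsets` holds for both replies whatever number of authority or additional rrsets each carries, which matters because only `orig_msg->rep` is inspected by `detect_wrongly_truncated` here and the shape of `chase_reply` is not checked in the visible lines. The enclosing `if` starts above the hunk and the `else` branch continues below it.

```c
/** drop authority and additional sections, keep only the answer rrsets */
static void
reply_keep_answer_only(struct reply_info* rep)
{
	rep->ns_numrrsets = 0;
	rep->ar_numrrsets = 0;
	rep->rrset_count = rep->an_numrrsets;
}

			/* truncate the message some more */
			reply_keep_answer_only(vq->orig_msg->rep);
			reply_keep_answer_only(vq->chase_reply);
			/* … unchanged: else branch logging the bogus message … */
```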