NSEC3 check: RFC5155 para 8.2
authorSimon Kelley <simon@thekelleys.org.uk>
Sun, 20 Dec 2015 21:39:19 +0000 (21:39 +0000)
committerSimon Kelley <simon@thekelleys.org.uk>
Sun, 20 Dec 2015 21:39:19 +0000 (21:39 +0000)
src/dnssec.c

index 9fa64b6275931be08058eadaf5213608eb31e328..486e4221abe32ecb0a69306f574fccefb9b25b32 100644 (file)
@@ -1704,7 +1704,7 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
   for (i = 0; i < nsec_count; i++)
     {
       unsigned char *nsec3p = nsecs[i];
-      int this_iter;
+      int this_iter, flags;
 
       nsecs[i] = NULL; /* Speculative, will be restored if OK. */
       
@@ -1716,8 +1716,12 @@ static int prove_non_existence_nsec3(struct dns_header *header, size_t plen, uns
       if (*p++ != algo)
        continue;
  
-      p++; /* flags */
+      flags = *p++; /* flags */
       
+      /* 5155 8.2 */
+      if (flags != 0 && flags != 1)
+       continue;
+
       GETSHORT(this_iter, p);
       if (this_iter != iterations)
        continue;
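Review bot: The new test `if (flags != 0 && flags != 1)` validates the Flags byte but then discards it, because `flags` is declared inside the loop body and so the Opt-Out bit of an accepted record cannot reach the code that later decides the proof. Under RFC 5155, an Opt-Out NSEC3 that only covers a name does not prove the absence of an unsigned delegation there. If the rest of prove_non_existence_nsec3 (which starts and ends outside this hunk) never re-reads that byte, an opt-out span would presumably be accepted as a full denial, so this should be confirmed. The comment `/* 5155 8.2 */` would also be easier to audit written out, for example `/* RFC 5155 8.2: ignore NSEC3 RRs whose Flags field is not 0 or 1 (only Opt-Out is defined) */`.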