From: Remi Gacogne Date: Tue, 26 Mar 2024 13:44:15 +0000 (+0100) Subject: rec: Correctly count NSEC3s considered when chasing the closest encloser X-Git-Tag: rec-5.1.0-alpha1~78^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F13984%2Fhead;p=thirdparty%2Fpdns.git rec: Correctly count NSEC3s considered when chasing the closest encloser We need to count the number of NSEC3s that are present in the response, not the number of times we have to consider possible NSEC3s when looking for the NSEC3 closest encloser, label by label. --- diff --git a/pdns/recursordist/test-syncres_cc8.cc b/pdns/recursordist/test-syncres_cc8.cc index 901c8b7784..464f33d672 100644 --- a/pdns/recursordist/test-syncres_cc8.cc +++ b/pdns/recursordist/test-syncres_cc8.cc @@ -887,6 +887,68 @@ BOOST_AUTO_TEST_CASE(test_nsec3_denial_too_many_iterations) BOOST_CHECK_EQUAL(denialState, dState::INSECURE); } +BOOST_AUTO_TEST_CASE(test_nsec3_many_labels_between_name_and_closest_encloser) +{ + initSR(); + + testkeysset_t keys; + generateKeyMaterial(DNSName("powerdns.com."), DNSSECKeeper::ECDSA256, DNSSECKeeper::DIGEST_SHA256, keys); + + vector records; + + sortedRecords_t recordContents; + vector> signatureContents; + + ContentSigPair pair; + cspmap_t denialMap; + + const DNSName requestedName("_ldap._tcp.a.b.c.d.powerdns.com."); + const DNSName zone("powerdns.com."); + /* Add NSEC3 for the closest encloser */ + recordContents.clear(); + signatureContents.clear(); + records.clear(); + addNSEC3UnhashedRecordToLW(DNSName("powerdns.com."), zone, "whatever", {QType::A, QType::TXT, QType::RRSIG, QType::NSEC}, 600, records); + recordContents.insert(records.at(0).getContent()); + addRRSIG(keys, records, zone, 300); + signatureContents.push_back(getRR(records.at(1))); + + pair.records = recordContents; + pair.signatures = signatureContents; + denialMap[std::pair(records.at(0).d_name, records.at(0).d_type)] = pair; + + /* Add NSEC3 for the next closer */ + recordContents.clear(); + signatureContents.clear(); + records.clear(); + addNSEC3NarrowRecordToLW(DNSName("d.powerdns.com."), zone, {QType::A, QType::TXT, QType::RRSIG, QType::NSEC3}, 600, records); + recordContents.insert(records.at(0).getContent()); + addRRSIG(keys, records, zone, 300); + signatureContents.push_back(getRR(records.at(1))); + + pair.records = recordContents; + pair.signatures = signatureContents; + denialMap[std::pair(records.at(0).d_name, records.at(0).d_type)] = pair; + + /* add wildcard denial */ + recordContents.clear(); + signatureContents.clear(); + records.clear(); + addNSEC3NarrowRecordToLW(DNSName("*.powerdns.com."), zone, {QType::A, QType::TXT, QType::RRSIG, QType::NSEC3}, 600, records); + recordContents.insert(records.at(0).getContent()); + addRRSIG(keys, records, zone, 300); + signatureContents.push_back(getRR(records.at(1))); + + pair.records = recordContents; + pair.signatures = signatureContents; + denialMap[std::pair(records.at(0).d_name, records.at(0).d_type)] = pair; + + g_maxNSEC3sPerRecordToConsider = 10; + auto denialState = getDenial(denialMap, requestedName, QType::A, false, true); + g_maxNSEC3sPerRecordToConsider = 0; + BOOST_CHECK_EQUAL(denialState, dState::NXDOMAIN); +} + BOOST_AUTO_TEST_CASE(test_nsec3_insecure_delegation_denial) { initSR(); diff --git a/pdns/validate.cc b/pdns/validate.cc index 33e6ecbd57..d8f60c1150 100644 --- a/pdns/validate.cc +++ b/pdns/validate.cc @@ -781,7 +781,6 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16 DNSName closestEncloser(qname); bool found = false; if (needWildcardProof) { - nsec3sConsidered = 0; /* We now need to look for a NSEC3 covering the closest (provable) encloser RFC 5155 section-7.2.1 RFC 7129 section-5.5 @@ -789,6 +788,7 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16 VLOG(log, qname << ": Now looking for the closest encloser for "<= numberOfLabelsOfParentZone) { + nsec3sConsidered = 0; for(const auto& validset : validrrsets) { if(validset.first.second==QType::NSEC3) {