From: bert hubert <bert.hubert@netherlabs.nl>
Date: Wed, 27 Apr 2016 13:10:49 +0000 (+0200)
Subject: process NSEC3 insecure delegation, closes #3675
X-Git-Tag: rec-4.0.0-alpha3~43^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F3785%2Fhead;p=thirdparty%2Fpdns.git

process NSEC3 insecure delegation, closes #3675
---

diff --git a/pdns/validate.cc b/pdns/validate.cc
index fda7ec32e6..1d6de7d033 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -347,6 +347,22 @@ vState getKeysFor(DNSRecordOracle& dro, const DNSName& zone, keyset_t &keyset)
             }
 
           }
+          else if(v.first.second==QType::NSEC3) {
+            for(const auto& r : v.second.records) {
+              LOG("\t"<<r->getZoneRepresentation()<<endl);
+
+              auto nsec3 = std::dynamic_pointer_cast<NSEC3RecordContent>(r);
+              string h = hashQNameWithSalt(nsec3->d_salt, nsec3->d_iterations, qname);
+              LOG("\tquery hash: "<<toBase32Hex(h)<<endl);
+              if(fromBase32Hex(v.first.first.getRawLabels()[0]) < h && h < nsec3->d_nexthash) {
+                LOG("Denies existence of DS!"<<endl);
+                return Insecure;
+              }
+              else {
+                LOG("Did not cover us, start="<<v.first.first<<", us="<<toBase32Hex(h)<<", end="<<toBase32Hex(nsec3->d_nexthash)<<endl);
+              }
+            }
+          }
         }
         return Bogus;
       }