From: Remi Gacogne
Date: Wed, 11 Oct 2017 10:20:42 +0000 (+0200)
Subject: rec: The NSEC next name should be different to prove an ENT
X-Git-Tag: rec-4.1.0-rc2~40^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F5808%2Fhead;p=thirdparty%2Fpdns.git

rec: The NSEC next name should be different to prove an ENT

While it's not an issue in the current code because we checked earlier that the NSEC covered the name, it might prevent an issue if we reuse nsecProvesENT() later.
---
diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 3ce10cf893..3e90a06d6e 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -7248,6 +7248,10 @@ BOOST_AUTO_TEST_CASE(test_nsec_ent_denial) {
 it is an ENT */
 denialState = getDenial(denialMap, DNSName("c.powerdns.com."), QType::AAAA, true, true);
 BOOST_CHECK_EQUAL(denialState, NXQTYPE);
+
+ /* this NSEC is not valid to prove a NXQTYPE for QType::A at a.c.powerdns.com either */
+ denialState = getDenial(denialMap, DNSName("a.c.powerdns.com."), QType::A, true, true);
+ BOOST_CHECK_EQUAL(denialState, NODATA);
 }
 
 BOOST_AUTO_TEST_CASE(test_nsec3_ancestor_nxqtype_denial) {
diff --git a/pdns/validate.cc b/pdns/validate.cc
index 790031d87d..3df1c74128 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -48,7 +48,7 @@ static bool nsecProvesENT(const DNSName& name, const DNSName& begin, const DNSNa
 - begin < name
 - next is a child of name
 */
- return begin.canonCompare(name) && next.isPartOf(name);
+ return begin.canonCompare(name) && next != name && next.isPartOf(name);
 }
 
 static std::string getHashFromNSEC3(const DNSName& qname, const std::shared_ptr nsec3)
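Review bot: The new assertion on a.c.powerdns.com goes through getDenial(), which according to the commit description already rejected this name before the change because the NSEC was found earlier not to cover it, so the test passes with and without the new `next != name` term and would not catch the guard being dropped again; the NSEC fixture is set up above the hunk, so this is inferred from the description rather than from the setup. Since nsecProvesENT() is static in validate.cc and cannot be unit-tested directly, a fixture reached through the ENT branch whose NSEC next name is the queried name would be the way to pin the guard. The expected value `NODATA` presumably denotes "no denial could be proven" here rather than a proven NODATA answer, which reads oddly next to the comment; spelling that out as `/* this NSEC is not valid to prove a NXQTYPE for QType::A at a.c.powerdns.com either, so no denial is proven */` would make the expectation self-explanatory.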
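Review bot: The comment block directly above the changed return still describes the second condition as `- next is a child of name`, which no longer states the contract the code enforces now that the name equal to next is explicitly excluded; since DNSName::isPartOf() appears to treat a name as part of itself (the reason the new term is needed), change the comment to `- next is a proper child of name (next != name)`. The stricter check matters for the proof itself: the NSEC's next name is an existing owner name in the zone, so it cannot be an empty non-terminal, and accepting it would let one NSEC be used to deny records that do exist. nsecProvesENT()'s signature and the first lines of its comment are above the hunk.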