From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Tue, 16 Jun 2020 12:42:02 +0000 (+0200)
Subject: rec: Don't validate a NXD with a NSEC proving that the name is an ENT
X-Git-Tag: dnsdist-1.5.0-rc4~5^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F9237%2Fhead;p=thirdparty%2Fpdns.git

rec: Don't validate a NXD with a NSEC proving that the name is an ENT

A NSEC from a.powerdns.com. to a.b.powerdns.com. proves that
b.powerdns.com. exists and is an empty non terminal, so it cannot be
used to prove that b.powerdns.com. does not exist.
---

diff --git a/pdns/recursordist/test-syncres_cc8.cc b/pdns/recursordist/test-syncres_cc8.cc
index 056fb1ef88..95a9721635 100644
--- a/pdns/recursordist/test-syncres_cc8.cc
+++ b/pdns/recursordist/test-syncres_cc8.cc
@@ -477,6 +477,11 @@ BOOST_AUTO_TEST_CASE(test_nsec_ent_denial)
 
   denialState = getDenial(denialMap, DNSName("b.powerdns.com."), QType::A, true, false);
   BOOST_CHECK_EQUAL(denialState, NXDOMAIN);
+
+  /* this NSEC is NOT valid to prove a NXDOMAIN at c.powerdns.com because it proves that
+     it exists and is an ENT */
+  denialState = getDenial(denialMap, DNSName("c.powerdns.com."), QType::AAAA, true, false);
+  BOOST_CHECK_EQUAL(denialState, NODATA);
 }
 
 BOOST_AUTO_TEST_CASE(test_nsec3_ancestor_nxqtype_denial)
diff --git a/pdns/validate.cc b/pdns/validate.cc
index 58aa671327..c025647f23 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -419,13 +419,21 @@ dState getDenial(const cspmap_t &validrrsets, const DNSName& qname, const uint16
         }
 
         /* check if the whole NAME is denied existing */
-        if(isCoveredByNSEC(qname, owner, nsec->d_next)) {
+        if (isCoveredByNSEC(qname, owner, nsec->d_next)) {
           LOG(qname<<" is covered ");
-          /* if the name is an ENT and we received a NODATA answer,
-             we are fine with a NSEC proving that the name does not exist. */
-          if (wantsNoDataProof && nsecProvesENT(qname, owner, nsec->d_next)) {
-            LOG("Denies existence of type "<<qname<<"/"<<QType(qtype).getName()<<" by proving that "<<qname<<" is an ENT"<<endl);
-            return NXQTYPE;
+
+          if (nsecProvesENT(qname, owner, nsec->d_next)) {
+            if (wantsNoDataProof) {
+              /* if the name is an ENT and we received a NODATA answer,
+                 we are fine with a NSEC proving that the name does not exist. */
+              LOG("Denies existence of type "<<qname<<"/"<<QType(qtype).getName()<<" by proving that "<<qname<<" is an ENT"<<endl);
+              return NXQTYPE;
+            }
+            else {
+              /* but for a NXDOMAIN proof, this doesn't make sense! */
+              LOG("but it tries to deny the existence of "<<qname<<" by proving that "<<qname<<" is an ENT, this does not make sense!"<<endl);
+              return NODATA;
+            }
           }
 
           if (!needWildcardProof) {