From 1a02ab895b89aae6cc386dd7e30074b3742d9483 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Wed, 7 Oct 2009 12:56:57 +0000
Subject: [PATCH] Fix check for signatures.

git-svn-id: file:///svn/unbound/trunk@1864 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 validator/val_nsec3.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index ef50c5823..b8b4065f4 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@@ -1237,6 +1237,27 @@ nsec3_prove_wildcard(struct module_env* env, struct val_env* ve,
 return sec_status_secure;
 }
 
+/** test if list is all secure */
+static int
+list_is_secure(struct module_env* env, struct val_env* ve,
+ struct ub_packed_rrset_key** list, size_t num,
+ struct key_entry_key* kkey)
+{
+ size_t i;
+ enum sec_status sec;
+ char* reason = NULL;
+ for(i=0; irk.type != htons(LDNS_RR_TYPE_NSEC3))
+ continue;
+ sec = val_verify_rrset_entry(env, ve, list[i], kkey, &reason);
+ if(sec != sec_status_secure) {
+ verbose(VERB_ALGO, "NSEC3 did not verify");
+ return 0;
+ }
+ }
+ return 1;
+}
+
 enum sec_status
 nsec3_prove_nods(struct module_env* env, struct val_env* ve,
 struct ub_packed_rrset_key** list, size_t num,
@@ -1251,6 +1272,8 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve,
 if(!list || num == 0 || !kkey || !key_entry_isgood(kkey))
 return sec_status_bogus; /* no valid NSEC3s, bogus */
+ if(!list_is_secure(env, ve, list, num, kkey))
+ return sec_status_bogus; /* not all NSEC3 records secure */
 rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */
 filter_init(&flt, list, num, qinfo); /* init RR iterator */
 if(!flt.zone)
-- 
2.47.3
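Review bot: In list_is_secure the failure text that val_verify_rrset_entry hands back through `&reason` is never used; the verbose() call on the next line logs the fixed string "NSEC3 did not verify", so an operator debugging a bogus NODS proof cannot tell which signature or key check rejected the rrset. If reason is the textual explanation its type suggests, log it: `verbose(VERB_ALGO, "NSEC3 did not verify: %s", reason?reason:"");`. The for-loop line reads `for(i=0; irk.type != ...` in this rendering, which looks like the loop bound and the `if(list[i]->rk.type ...` test were lost in extraction, so the type filter and bound cannot be reviewed here. The doc comment should also state the contract the code implements — non-NSEC3 entries are skipped and a list with no NSEC3 rrsets passes vacuously — e.g. `/** test if every NSEC3 rrset in list verifies with kkey; non-NSEC3 entries are skipped, returns 0 on first failure */`, since nsec3_prove_nods relies on filter_init afterwards to reject an empty set.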