From a4a7894f793d1394a0ace276a78f3aa70249b46a Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Fri, 13 Nov 2009 10:10:05 +0000
Subject: [PATCH] Fix validation failure cnamenodata proof failed for hud.gov.

git-svn-id: file:///svn/unbound/trunk@1902 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog | 3 +
 testdata/val_cnametooptout.rpl | 110 +++++++++++++++++++++++++++++++++
 validator/val_nsec3.c | 25 +++++---
 3 files changed, 128 insertions(+), 10 deletions(-)
 create mode 100644 testdata/val_cnametooptout.rpl

diff --git a/doc/Changelog b/doc/Changelog
index d5f009e6d..4e9b244c9 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+13 November 2009: Wouter
+ - Fixed validation failure for CNAME to optout NSEC3 nodata answer.
+
 12 November 2009: Wouter
 - iana portlist updated.
 - fix manpage errors reported by debian lintian.
diff --git a/testdata/val_cnametooptout.rpl b/testdata/val_cnametooptout.rpl
new file mode 100644
index 000000000..d4638d07f
--- /dev/null
+++ b/testdata/val_cnametooptout.rpl
@@ -0,0 +1,110 @@
+; config options
+server:
+ trust-anchor: "GOV. DS 26079 7 2 4ED5FFBC8A40262B56E1232135B929192804ACC006930D087AAB38A611C89041"
+ val-override-date: "20091113091234"
+
+forward-zone:
+ name: "."
+ forward-addr: 192.0.2.1
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with CNAME to optout NSEC3 span NODATA
+
+RANGE_BEGIN 0 100
+ ADDRESS 192.0.2.1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.hud.gov. IN AAAA
+SECTION ANSWER
+www.hud.gov. 86400 IN CNAME www.content.hud.gov.
+www.hud.gov. 86400 IN RRSIG CNAME 7 3 86400 20091204150200 20091104150200 64775 hud.gov. taZtumaTp8eSlcj0vEGnY0Up05RtlC2NhHrtHDUdq1TskAPQH8Eu9AoVe6gKrFEyCC1ixprOhT8Ni661d/ZykdzgceZ8KgFIlSQ84Whm59yB2gcbXLen9rApF0+NuyRgdAph6yjMYMtfoRQWAASG7SqS/v52dkHNf/a9PXaDvHBvjoiTK+dXPKFulkmEl0KyhXBdsikl6/Xd68FF41FdDNzWS8ZzYCdd4CWaXXkwTtPSFsKyXGZeXOTxqGQJnD+hNBkn2sAca1oLiAsfaiCHec66I+rHGXT+mPB7HXez32jbbeInkgB7M2TUoRXehifuloR8sur8Xck9FPRv24Si8A== ;{id = 64775}
+SECTION AUTHORITY
+content.hud.gov. 86400 IN NS drfswitch.hud.gov.
+content.hud.gov. 86400 IN NS lanswitch.hud.gov.
+3RUD2HK5O5KA0IC6BF22C1T4R1BJGJ3R.hud.gov. 86400 IN NSEC3 1 1 5 abcd 42bsks495i3mb2s3f6nhusc6rfm54g4g A NS SOA MX RRSIG DNSKEY NSEC3PARAM ; flags: optout
+3RUD2HK5O5KA0IC6BF22C1T4R1BJGJ3R.hud.gov. 86400 IN RRSIG NSEC3 7 3 86400 20091204150200 20091104150200 64775 hud.gov. APf75Nx4eY9eHov3T9hduDLuG4TJfVfEUEhSgm7HIZRvSPFgajHz2q+Wy6888G3C0T1Zft1qL2PdHMonK6H1OEE+NiOxroDsZaH+aWZjAsbIO86qQ2xcC+/Z9DsddQtONk0zAqpuYxHSn879rAk/BIKeDukNoBChHCSTy8olUFiYt7XEmjz5AOoc8R5VQhMQi/vmbmC0BoFOemDxxowG2MX27Hj2MbVBEJiT8xioFEk41jsdDI0WQtpnory2NT/UM4kWZdmDdxbpwu2F8oixe3oi4AOI9j3EukoOZT9f0Sx+tCg/I9zLNZJi+VuI5oUlpZkSH5EoUyRgK33eO+KJhQ== ;{id = 64775}
+GO8CPDSLPULIOURE31GBK5JJKA0BKIVN.hud.gov. 86400 IN NSEC3 1 1 5 abcd gvfjd9enpjtet8a14uhb8hlrfeon2b72 A RRSIG ; flags: optout
+GO8CPDSLPULIOURE31GBK5JJKA0BKIVN.hud.gov. 86400 IN RRSIG NSEC3 7 3 86400 20091204150200 20091104150200 64775 hud.gov. eQFg/RvJ640k+Fa5yIUZwkx8FvsYSivykYFjc6dOiGt7r3VprfxwGWeYpyjYr/+mzu0ugE5ePDjZWtr5naK3dvqmt7qKk4/nEvVDoUmrg7joIUmeTzami9RB9lzCq2O/ddempQ6jpwfjiIDuEKUxHMpBFpw8QQZnZSZHKKQCDB4pOj8U8J/wNJXCS+SP7plU1hEVroC+QXCOYS8NHY2wFyeuW7A+xvg9tyYp9PH6c5MoNMkRQt36Kdvfk1nk3osktwalJNLmMhDr/vtErFieGGD6E9Ud9Pg70bPF2G5nqwwLDRevy7hIFjaMDHfYrcWc4B5hrUSpGtLJkYog9vsd2w== ;{id = 64775}
+SECTION ADDITIONAL
+drfswitch.hud.gov. 86400 IN A 170.97.167.1
+lanswitch.hud.gov. 86400 IN A 170.97.67.78
+drfswitch.hud.gov. 86400 IN RRSIG A 7 3 86400 20091204150200 20091104150200 64775 hud.gov. ub6Anb7XgDMRsTYxqKDRUOYnntLetcJMXM9SVbG7Cb2n+ccp4OO38u6KnGO1i8U5rhTQ6WPlG6iKA+8U0mQuWp3fkzBaE+a5R3eEfzLlRE/MbjUqHjTb0MVYQnMWaA7YXmj/1BNFjBuAam+J3QnU4JR3RqN9WDmHXYx8IUEY9BYSWvTMhOnzebRu6z9MUBQWFfm69pFxf0Z1SkpInznU/mxGdGlslzxL8ScKAUMSBiQG1tyL90OEXW3Yp7kbOtpTxGrXucpMiMB9lXI/z9UiRJenZrJ7swyyyJ5Do0TjCiS3oS8RBhX8ou09sNftUmF9crKz/BdNq90wVYoHXYz9vg== ;{id = 64775}
+lanswitch.hud.gov. 86400 IN RRSIG A 7 3 86400 20091204150200 20091104150200 64775 hud.gov. QO+quzaZXrIBZy0JXhx85/8auhBj8dCqeidaUCs6rzCd/lgUDt7B/mH8IanU33o+PyKsBN+B5r9bavFFCNc4sPDUVwNcnZfKCyFQvvUnI3rztCJb/ESYnJ/xu/5g966cRLOajzAvvLAWZ6vT4p3b9+CpaONOJ19D08RpwsWnTkqiEP/UiXaWBpVwyt4JHN0oiNmMGshk5zjbHir1gUInd7QbJk3SpyiIgHT5Z4nhTUGkd1sIve++aIxjsQ8MVrE+INw4v56dJaoYD6bqQewmg2yAr9nYemYUHYi8+USy7/anEaUsOvk9zZfncevTfY/sOORFWoD15bHF2BWUo2YwaQ== ;{id = 64775}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.content.hud.gov. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+GOV. IN DNSKEY
+SECTION ANSWER
+GOV. 86400 IN DNSKEY 256 3 7 AwEAAaQ6vDoHd2QDRBLwB+n63RxnmJExvIcOz7uv9gM+l8QSMAJTTCDpqJ8R+8UfYs97cn6LM3cT3kcl9V0GnjljNzNMk39W11Ej7htNcbf4u1n5z2e4WsnpjQJJmKoWv2FORIfJmLKbxzGILSK13mrDUETj9onhdtOsjkhcK/7S+h1d ;{id = 51998 (zsk), size = 1024b}
+GOV. 86400 IN DNSKEY 257 3 7 AwEAAZ1OCt7zZxeaROvzXNCNlqQWIi++p5ABXSoxqJ65WQko6xrI9RImK7IBT5roFhXjBDGJ8ld9CYIEN94kK83K/QwUGCJ+v3vIQFi09IqsPeRdHTQyghWWbhzAZpnlZ16imXB4yFZjdbV2iM66KcgsESQMPEcIayDQJh6JEi1wmslrYvRRJ6YPOWrlLD0RmdtCaRuzlUE0RiWSem/i8vDFdmsSwChRMcORklKqjqt1+RBIiEFJGKIz7lGc9DXRwkBfb+halii+jrELiZAPzfO7rf08l3QlgHEuxclTTdEaxctPd2O2U/Hl9tRgkxRL/Zv1i0sEx2mOJGcUCeVm4Hf2aM8= ;{id = 26079 (ksk), size = 2048b}
+GOV. 86400 IN RRSIG DNSKEY 7 1 86400 20091117211705 20091112211705 26079 gov. OR2ltuGs0IxWqikvqWIoXLy7gPpWafolM+fyQ9uyuzPdxILo8QboVzfRr3Q8X/hOa6MRwR0KHGci2NH/29p9cekafdMbOer0kvh0hndnf+yGLuDcd9HLj5hpoZ5uecZ2r02OWtRHCKetAPF95SYrIQBzoqUNOswdDlSTW1R8v/BQ6UpztuUQcciZJxARbXlovzSkMbnoyjtehgKjXPP/Zy79vSwhjpTJ4XAsc2E3Tw1qAE7ZZUzYpN8uGmAQYVtZraQIjazE/A+xVo+XB0dZdhlM00xUs6GNuZytckUOqecBKZ2IKlxBe+kBEkj2nz1PBRAzmZUoS3ZZPkKaA6ygTA== ;{id = 26079}
+GOV. 86400 IN RRSIG DNSKEY 7 1 86400 20091117211705 20091112211705 51998 gov. VDizeuAywZB0tQm4kmbOSGhrK1eJYC9VSSND/wG7oTj/oWDAKMEke1XrQXGEoIFyBKZk5dHpUB6tmEA9RPLMwI51ue66pM9RRT1aNLba08r6TDzr6ZxKjtqBDj4Xy16h6PWZ2jC9JASGeNGINg6zCeVmU75yqXh6+X+KeypO64E= ;{id = 51998}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+hud.gov. IN DS
+SECTION ANSWER
+hud.gov. 86399 IN DS 52146 7 2 54af554fc3ffc532bb898b9ab39f1276fd17b59d3e44772c3142ea62680d71c7 ; xihap-zehog-zybyz-zecaf-dyvym-nydun-pusan-zagil-kezyc-lutyn-tazog-gyted-sosig-depyk-dypeb-tasas-lexix
+hud.gov. 86399 IN RRSIG DS 7 2 86400 20091117211705 20091112211705 51998 gov. FHDstL7xVBBedCaG83M884pnxCV8PY9GjUulwH7BSTVIaFBJe/kxlKGTsD0j5x4QfezjBWKenjpvw5SiMGeQOnIJeA/z6Ze9QBCGVrbx0ZgoKEoSRyfD0vIjvM7J4T2PLgslI8fsMpWFs4KzmujKJNRVq4aFzFk9k8bFCJnEPJk= ;{id = 51998}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+hud.gov. IN DNSKEY
+SECTION ANSWER
+hud.gov. 86400 IN DNSKEY 256 3 7 AwEAAcAOoW+zclZqs8kCGmm290DImA1DDfKqbifB1oGNjOcmz6xz6PigLa8ORaAG0zpabZwLMXyhMaKbseR+beGnOf2wh5N0oxN8grCNTJm+YAMeyvCn2dz3J8YEoclyST4bhU38MGFsEVVZukXsIniFfvnKfpVxArpO7ocbDXI+EN3RA8EHFTIHOCfEbCS7zyO0mtrdM88Y/tIX9fjsYUig6lfVUNISJUL4TyUMpmi8/hu2dLdTuXXIAEMx/vyQHVFq2ZZM0nnDJ9vJCZEgwFAjUE5/BjlrDgofonxdY8SLDbQvn11z/SPugKiA16bdO6i/ND4FjEhG2HUJHeeQCrZ61rE= ;{id = 64775 (zsk), size = 2048b}
+hud.gov. 86400 IN DNSKEY 256 3 7 AwEAAfFubFVJ6m7jO8HvInmFEXivfnqZZpS7SnsucTlfGg5yhIayzS3tC0UMAt1QU+pEIyVH+qa2fG2+/45gAp+iG3zwyepyZuup8eo/SlXefWXZ9CIjBNaaptd2sSDsuF8mPtdQmtm3AbPqGEe7p7edIHHJBxPy90AzJQeKppyRcRcrGO3QNC9Glso177NbHZVZuY46V63RdaY3Qf5t7/03xy/Z68KWFEJKUCBxkHjAVIH0KaT9M37dPzs9L7F/+NyOLfMUzk87ctv4ivW9dcJRf79aulzoIV4LlGu0ZsrvxRZ5t+ind+GDeTvaKseH0NWF5Am2dG/QrHtewQL9qGztjN8= ;{id = 41402 (zsk), size = 2048b}
+hud.gov. 86400 IN DNSKEY 257 3 7 AwEAAZ50d20TkOzWzJD+anUMSIMfGaI8m4If6DMax4NQnZ34yta6UOb907SRqBs2vJ+MpcJkyRuLx/Z9vGlfZQ7V9eBgI62EZwmfiitanwSFPZgCzM8nVswpDS+/CmaHhXUoLdgNgUYh4WSl/7fXroluC/18xyMl3ZGQRRjJftpQSMXubP/n9nCHZXE5YiDw1cRklqA4lLyNeXBgadWa8klekr89WNij454KApevbg0GSudEJw7IWzbOb09npvQ1hnLz8pmDsaahfIsGBvcHSUEJrjSkk3J1oHDj0B7Gxm+tZH4Er21RTucEWeroyIJSQmsYN+Cm0FyfgJ75bNEsRe5M4Vc= ;{id = 52146 (ksk), size = 2048b}
+hud.gov. 86400 IN RRSIG DNSKEY 7 2 86400 20091204150200 20091104150200 52146 hud.gov. KWIA6wH6BqwuF7d6dyTbfqbcLgbUG2ZKJA4vVfhWqOC76Xnt7gXPLeB2GQwwyhSR0s3IHIzAB0Uj+RAGGcz2NH5JanfxNC9rAvubYESXSlLr/FC33exLeOxGisJZzRnPpk5NynXwyT8TXul1ew48/Mpyi7j6+tlqakqHw2HlId7oblxO2cjN6JV0JLZ44l7tCw6ALYhamA48PQ1WeJbGcfH7buCEG7S1ceZSZlG6kml+u7pb65QL9AZjCnDIecXk7B3HMCdIT8zyrO8QK0GiLMMak9RogF/5gBiH/WDCq7146vcVneW/Hn/+hLnY104iOKuadJcbmStlMF5k0iBzng== ;{id = 52146}
+hud.gov. 86400 IN RRSIG DNSKEY 7 2 86400 20091204150200 20091104150200 64775 hud.gov. V0JSAtTmQn76T408nyntg1ydX5sVvq8RSCN/Bf+cqTPXMFlPpmOs4VQv791bY85n28qOehV7Ws2CrhfxbyFbyYRXPBtWkg6jH3JXicYPn7Abm7E5N2Y6Mkm1Z9xt/APCw+aSkt0swMJzYBO5P5aeDesIB+Pz5I+SLuOPin3GFjGYL+YB5j5rTY/Nqnp2eQytF0SoFdqCIPCP7l9ZtYdaxBDQNX3Hklm4dRYP5U9wL8sqaeUwgKjJTGcbXiXdPXF9+3AojshKMpk14lcplHcy+cQ4p5ehSngtDwdWtG8gcWKCg829I/1iOFcnPgJ1YK1DdPVEGTgUFgGGwTx+HYMsPA== ;{id = 64775}
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.hud.gov. IN AAAA
+ENTRY_END
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.hud.gov. IN AAAA
+SECTION ANSWER
+www.hud.gov. 86400 IN CNAME www.content.hud.gov.
+www.hud.gov. 86400 IN RRSIG CNAME 7 3 86400 20091204150200 20091104150200 64775 hud.gov. taZtumaTp8eSlcj0vEGnY0Up05RtlC2NhHrtHDUdq1TskAPQH8Eu9AoVe6gKrFEyCC1ixprOhT8Ni661d/ZykdzgceZ8KgFIlSQ84Whm59yB2gcbXLen9rApF0+NuyRgdAph6yjMYMtfoRQWAASG7SqS/v52dkHNf/a9PXaDvHBvjoiTK+dXPKFulkmEl0KyhXBdsikl6/Xd68FF41FdDNzWS8ZzYCdd4CWaXXkwTtPSFsKyXGZeXOTxqGQJnD+hNBkn2sAca1oLiAsfaiCHec66I+rHGXT+mPB7HXez32jbbeInkgB7M2TUoRXehifuloR8sur8Xck9FPRv24Si8A== ;{id = 64775}
+SECTION AUTHORITY
+3RUD2HK5O5KA0IC6BF22C1T4R1BJGJ3R.hud.gov. 86400 IN NSEC3 1 1 5 abcd 42bsks495i3mb2s3f6nhusc6rfm54g4g A NS SOA MX RRSIG DNSKEY NSEC3PARAM ; flags: optout
+3RUD2HK5O5KA0IC6BF22C1T4R1BJGJ3R.hud.gov. 86400 IN RRSIG NSEC3 7 3 86400 20091204150200 20091104150200 64775 hud.gov. APf75Nx4eY9eHov3T9hduDLuG4TJfVfEUEhSgm7HIZRvSPFgajHz2q+Wy6888G3C0T1Zft1qL2PdHMonK6H1OEE+NiOxroDsZaH+aWZjAsbIO86qQ2xcC+/Z9DsddQtONk0zAqpuYxHSn879rAk/BIKeDukNoBChHCSTy8olUFiYt7XEmjz5AOoc8R5VQhMQi/vmbmC0BoFOemDxxowG2MX27Hj2MbVBEJiT8xioFEk41jsdDI0WQtpnory2NT/UM4kWZdmDdxbpwu2F8oixe3oi4AOI9j3EukoOZT9f0Sx+tCg/I9zLNZJi+VuI5oUlpZkSH5EoUyRgK33eO+KJhQ== ;{id = 64775}
+GO8CPDSLPULIOURE31GBK5JJKA0BKIVN.hud.gov. 86400 IN NSEC3 1 1 5 abcd gvfjd9enpjtet8a14uhb8hlrfeon2b72 A RRSIG ; flags: optout
+GO8CPDSLPULIOURE31GBK5JJKA0BKIVN.hud.gov. 86400 IN RRSIG NSEC3 7 3 86400 20091204150200 20091104150200 64775 hud.gov. eQFg/RvJ640k+Fa5yIUZwkx8FvsYSivykYFjc6dOiGt7r3VprfxwGWeYpyjYr/+mzu0ugE5ePDjZWtr5naK3dvqmt7qKk4/nEvVDoUmrg7joIUmeTzami9RB9lzCq2O/ddempQ6jpwfjiIDuEKUxHMpBFpw8QQZnZSZHKKQCDB4pOj8U8J/wNJXCS+SP7plU1hEVroC+QXCOYS8NHY2wFyeuW7A+xvg9tyYp9PH6c5MoNMkRQt36Kdvfk1nk3osktwalJNLmMhDr/vtErFieGGD6E9Ud9Pg70bPF2G5nqwwLDRevy7hIFjaMDHfYrcWc4B5hrUSpGtLJkYog9vsd2w== ;{id = 64775}
+ENTRY_END
+
+SCENARIO_END
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index 35bc152fe..a99f19f0a 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
@@ -1159,20 +1159,24 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
 }
 /* Case 5: */
- if(qinfo->qtype != LDNS_RR_TYPE_DS) {
- verbose(VERB_ALGO, "proveNodata: could not find matching " "NSEC3, nor matching wildcard, and qtype is not DS " "-- no more options, bogus.");
- return sec_status_bogus;
- }
+ /* Due to forwarders, cnames, and other collating effects, we
+ * can see the ordinary unsigned data from a zone beneath an
+ * insecure delegation under an optout here */
 /* We need to make sure that the covering NSEC3 is opt-out. */
 log_assert(ce.nc_rrset);
 if(!nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
- verbose(VERB_ALGO, "proveNodata: covering NSEC3 was not "
+ if(qinfo->qtype == LDNS_RR_TYPE_DS)
+ verbose(VERB_ALGO, "proveNodata: covering NSEC3 was not " "opt-out in an opt-out DS NOERROR/NODATA case.");
+ else verbose(VERB_ALGO, "proveNodata: could not find matching " "NSEC3, nor matching wildcard, nor optout NSEC3 " "-- no more options, bogus.");
 return sec_status_bogus;
 }
+ /* the optout is a secure denial of DS records */
+ if(qinfo->qtype != LDNS_RR_TYPE_DS)
+ return sec_status_insecure;
 return sec_status_secure;
 }
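Review bot: The new `return sec_status_insecure;` for non-DS qtypes is the security-relevant line of this hunk, yet the only comment next to it (`/* the optout is a secure denial of DS records */`) explains the DS branch, so a reader auditing why a missing NSEC3 match no longer yields Bogus has to reconstruct the reasoning; add beside it `/* for any other qtype the opt-out span may hide an unsigned delegation of the next closer name, so absence of the type cannot be proven: Insecure, not Bogus */`. That downgrade is only sound because `ce.nc_rrset` (the covering NSEC3 located earlier in the function, outside the hunk) has just been checked with `nsec3_has_optout`, which the `log_assert` and the preceding `if` establish; saying so in the same comment keeps the two checks visibly coupled. On style, `else verbose(VERB_ALGO, ...)` puts the call on the `else` line and both branches are multi-line unbraced statements; brace both branches and start each `verbose()` call on its own line so the string continuations indent under their call. The enclosing function starts before the hunk.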
@@ -1339,6 +1343,7 @@ nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
 struct ub_packed_rrset_key** list, size_t num,
 struct query_info* qinfo, struct key_entry_key* kkey, int* nodata)
 {
+ enum sec_status sec;
 rbtree_t ct;
 struct nsec3_filter flt;
 *nodata = 0;
@@ -1357,9 +1362,9 @@ nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
 if(nsec3_do_prove_nameerror(env, &flt, &ct, qinfo)==sec_status_secure)
 return sec_status_secure;
- if(nsec3_do_prove_nodata(env, &flt, &ct, qinfo)==sec_status_secure) {
+ sec = nsec3_do_prove_nodata(env, &flt, &ct, qinfo);
+ if(sec==sec_status_secure) {
 *nodata = 1;
- return sec_status_secure;
 }
- return sec_status_bogus;
+ return sec;
 }
-- 
2.47.3
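Review bot: `return sec;` now propagates whatever nsec3_do_prove_nodata returns, which after this commit includes sec_status_insecure, but `*nodata = 1` is still set only under `if(sec==sec_status_secure)`, so a caller that receives Insecure cannot tell a nodata proof from a name-error outcome through the out-parameter. If that is intended, the function's header comment (outside the hunk; the function starts before the `@@ -1339` hunk) should state it, e.g. `@return sec_status_insecure when the nodata denial rests on an opt-out NSEC3 span; *nodata is only meaningful when sec_status_secure is returned`; otherwise also set `*nodata = 1` for the insecure result. The nameerror proof two lines above is still compared only against sec_status_secure, so any non-secure result from it is discarded in favour of the nodata attempt; that asymmetry predates the change but becomes more visible now that the nodata status is propagated, and a one-line comment on why the nameerror status is not propagated would help.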