From 00be1ff60bb1426a9bfa76712dd91ad21d72b276 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Wed, 11 Oct 2017 12:20:42 +0200
Subject: [PATCH] rec: The NSEC next name should be different to prove an ENT

While it's not an issue in the current code because we checked earlier that the NSEC covered the name, it might prevent an issue if we reuse nsecProvesENT() later.
---
 pdns/recursordist/test-syncres_cc.cc | 4 ++++
 pdns/validate.cc | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/pdns/recursordist/test-syncres_cc.cc b/pdns/recursordist/test-syncres_cc.cc
index 3ce10cf893..3e90a06d6e 100644
--- a/pdns/recursordist/test-syncres_cc.cc
+++ b/pdns/recursordist/test-syncres_cc.cc
@@ -7248,6 +7248,10 @@ BOOST_AUTO_TEST_CASE(test_nsec_ent_denial) {
 it is an ENT */
 denialState = getDenial(denialMap, DNSName("c.powerdns.com."), QType::AAAA, true, true);
 BOOST_CHECK_EQUAL(denialState, NXQTYPE);
+
+ /* this NSEC is not valid to prove a NXQTYPE for QType::A at a.c.powerdns.com either */
+ denialState = getDenial(denialMap, DNSName("a.c.powerdns.com."), QType::A, true, true);
+ BOOST_CHECK_EQUAL(denialState, NODATA);
 }
 
 BOOST_AUTO_TEST_CASE(test_nsec3_ancestor_nxqtype_denial) {
diff --git a/pdns/validate.cc b/pdns/validate.cc
index 790031d87d..3df1c74128 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -48,7 +48,7 @@ static bool nsecProvesENT(const DNSName& name, const DNSName& begin, const DNSNa
 - begin < name
 - next is a child of name
 */
- return begin.canonCompare(name) && next.isPartOf(name);
+ return begin.canonCompare(name) && next != name && next.isPartOf(name);
 }
 
 static std::string getHashFromNSEC3(const DNSName& qname, const std::shared_ptr nsec3)
-- 
2.47.2
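Review bot: The new comment says this NSEC is `not valid to prove a NXQTYPE` for a.c.powerdns.com while the assertion expects NODATA, which reads as if a NODATA proof had been found; if NODATA here means that no usable denial was found at all (inferred from the contrast with the NXQTYPE check two lines up, not from a definition visible in this hunk), the comment should say so, e.g. `/* this NSEC does not prove a NXQTYPE for a.c.powerdns.com either, so getDenial() reports no usable denial (NODATA) */`. The assertion also appears to hold both before and after the validate.cc change, since the description says the earlier covering check already rejects this NSEC for that name, so it documents existing behaviour rather than guarding the new `next != name` condition; stating that in the comment would stop a later reader from taking it as coverage of nsecProvesENT(). test_nsec_ent_denial and the setup of denialMap begin before this hunk.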
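Review bot: The comment block just above the changed return still lists only `- begin < name` and `- next is a child of name` as the conditions, but the expression now also demands `next != name`, so the comment and the code state different contracts; change the second bullet to `- next is a strict subdomain of name (next != name)`. If `isPartOf()` also accepts an equal name (the added inequality suggests the author expects it to), the bullet should make clear that the inequality is what turns the check into a proper-descendant test. The opening of nsecProvesENT() and the start of its comment block lie outside this hunk.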