resolved: do not use NSEC RRs from the wrong zone for proofs
authorLennart Poettering <lennart@poettering.net>
Thu, 14 Jan 2016 16:28:58 +0000 (17:28 +0100)
committerLennart Poettering <lennart@poettering.net>
Sun, 17 Jan 2016 19:44:25 +0000 (20:44 +0100)
When proving NODATA DS lookups we need to insist on looking at the parent zone's NSEC RR, not the child zone's.

When proving any other NODATA lookups we need to insist on looking at the child zone's NSEC RR, not the parent's.

src/resolve/resolved-dns-dnssec.c

index f39454b9f94c99c07d76942a6be8c7412bd76837..b6fb362daa0c35b74405c7529118d46df2a53bc6 100644 (file)
@@ -1583,6 +1583,19 @@ int dnssec_nsec_test(DnsAnswer *answer, DnsResourceKey *key, DnssecNsecResult *r
                         if (r < 0)
                                 return r;
                         if (r > 0) {
+                                if (key->type == DNS_TYPE_DS) {
+                                        /* If we look for a DS RR and the server sent us the NSEC RR of the child zone
+                                         * we have a problem. For DS RRs we want the NSEC RR from the parent */
+                                        if (bitmap_isset(rr->nsec.types, DNS_TYPE_SOA))
+                                                continue;
+                                } else {
+                                        /* For all RR types, ensure that if NS is set SOA is set too, so that we know
+                                         * we got the child's NSEC. */
+                                        if (bitmap_isset(rr->nsec.types, DNS_TYPE_NS) &&
+                                            !bitmap_isset(rr->nsec.types, DNS_TYPE_SOA))
+                                                continue;
+                                }
+
                                 if (bitmap_isset(rr->nsec.types, key->type))
                                         *result = DNSSEC_NSEC_FOUND;
                                 else if (bitmap_isset(rr->nsec.types, DNS_TYPE_CNAME))
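Review bot: The comment opening the `else` branch says "For all RR types" although that branch only runs for non-DS lookups, and it does not say why an NSEC with NS set but SOA clear is the wrong one to consult; I would replace the two comment lines with `/* For all other RR types, an NSEC with NS set but SOA clear is the parent-side delegation NSEC: it is authoritative only for DS at this name and cannot prove NODATA for anything else (ancestor-delegation rule, RFC 6840). */`. Both new checks sit in the exact-owner-name arm (`r > 0`), so when every NSEC in the answer is skipped via `continue` the outcome depends on what follows the loop; whether the covering/wildcard NSEC handling later in this function needs the same parent/child distinction cannot be judged from this hunk. dnssec_nsec_test's loop and body begin before and continue after the hunk.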