3945. [bug] Invalid wildcard expansions could be incorrectly
authorMark Andrews <marka@isc.org>
Fri, 5 Sep 2014 02:10:55 +0000 (12:10 +1000)
committerMark Andrews <marka@isc.org>
Fri, 5 Sep 2014 02:12:08 +0000 (12:12 +1000)
                        accepted by the validator. [RT #37093]

(cherry picked from commit 2fa1fc53324c0fca978c902e883c7cc011210536)

CHANGES
lib/dns/nsec.c
lib/dns/resolver.c
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index 214c4d9323c28d2e87c01cb66e39e32d6f148fb9..e3714b8ada15c897a04cb52eff87fed0347ee5af 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3945.  [bug]           Invalid wildcard expansions could be incorrectly
+                       accepted by the validator. [RT #37093]
+
 3942.  [bug]           Wildcard responses from a optout range should be
                        marked as insecure. [RT #37072]
 
index 5d1197d093b09b4584aff14b9b37794dcb85cc12..6183ef281c02ef938530d43166d3a3792ac27928 100644 (file)
@@ -436,7 +436,7 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, dns_name_t *name,
                                                  nlabels, &common);
                }
                result = dns_name_concatenate(dns_wildcardname, &common,
-                                              wild, NULL);
+                                             wild, NULL);
                if (result != ISC_R_SUCCESS) {
                        dns_rdata_freestruct(&nsec);
                        (*logit)(arg, ISC_LOG_DEBUG(3),
index ee9db11fb70ba5493f4cc9338eafb5b95ff8b8fb..0f4ef6f4ccd1f926ca4a9f8d01db7ac0c05e6c05 100644 (file)
@@ -4922,10 +4922,17 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                }
        }
 
-       if (valrdataset != NULL)
-               result = valcreate(fctx, addrinfo, name, fctx->type,
-                                  valrdataset, valsigrdataset, valoptions,
-                                  task);
+       if (valrdataset != NULL) {
+               dns_rdatatype_t vtype = fctx->type;
+               if (CHAINING(valrdataset)) {
+                       if (valrdataset->type == dns_rdatatype_cname)
+                               vtype = dns_rdatatype_cname;
+                       else
+                               vtype = dns_rdatatype_dname;
+               }
+               result = valcreate(fctx, addrinfo, name, vtype, valrdataset,
+                                  valsigrdataset, valoptions, task);
+       }
 
        if (result == ISC_R_SUCCESS && have_answer) {
                fctx->attributes |= FCTX_ATTR_HAVEANSWER;
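Review bot: The new `if (CHAINING(valrdataset))` block has no comment saying why a chaining rdataset is validated as its own type instead of fctx->type, so a reader has to reconstruct the reason from the commit title. Suggest adding above it: `/* A CNAME/DNAME that is part of a chain is validated as that type, not as the query type, so the validator applies the proof checks for the record actually being validated (see RT #37093). */` — the motivation is inferred from the commit message and should be confirmed against the validator side. The else branch also silently classifies every non-CNAME chaining rdataset as DNAME; if CNAME and DNAME are the only chaining types that is correct, but `vtype = valrdataset->type;` would express the intent without that assumption, or an INSIST on the type would make it explicit. cache_name begins and ends outside this hunk.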
index 5b74e6e55e745a6f1293e29aa841ed792043ccab..0b203d882923efbaa5be252c6464100be174c5ca 100644 (file)
@@ -918,12 +918,26 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
                                                devent->name;
                        }
                        if (!exists) {
+                               dns_name_t *closest;
+                               unsigned int clabels;
+
                                val->attributes |= VALATTR_FOUNDNOQNAME;
-                               val->attributes |= VALATTR_FOUNDCLOSEST;
+
+                               closest = dns_fixedname_name(&val->closest);
+                               clabels = dns_name_countlabels(closest);
+                               /*
+                                * If we are validating a wildcard response
+                                * clabels will not be zero.  We then need
+                                * to check if the generated wilcard from
+                                * dns_nsec_noexistnodata is consistent with
+                                * the wildcard used to generate the response.
+                                */
+                               if (clabels == 0 ||
+                                   dns_name_countlabels(wild) == clabels + 1)
+                                       val->attributes |= VALATTR_FOUNDCLOSEST;
                                /*
                                 * The NSEC noqname proof also contains
                                 * the closest encloser.
-
                                 */
                                if (NEEDNOQNAME(val))
                                        proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
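Review bot: The consistency check at `dns_name_countlabels(wild) == clabels + 1` compares only label counts, so a wildcard with the right number of labels but a different parent than val->closest would still set VALATTR_FOUNDCLOSEST; if val->closest holds the closest encloser name (it appears to from its use here, but it is populated outside this hunk), comparing wild's parent against closest by name would be stricter, and if the count comparison is deliberately sufficient the comment should say why. The new comment also misspells "wildcard" as "wilcard" on the `to check if the generated wilcard from` line. `wild` is declared and filled outside this hunk, and authvalidated continues on both sides of it.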
@@ -2803,7 +2817,8 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
        if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
                if (!FOUNDNOQNAME(val))
                        findnsec3proofs(val);
-               if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val)) {
+               if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
+                   !FOUNDOPTOUT(val)) {
                        validator_log(val, ISC_LOG_DEBUG(3),
                                      "marking as secure, noqname proof found");
                        marksecure(val->event);