- Fix validation of . DS query.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 17 Aug 2011 14:28:32 +0000 (14:28 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Wed, 17 Aug 2011 14:28:32 +0000 (14:28 +0000)
git-svn-id: file:///svn/unbound/trunk@2474 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
validator/val_nsec.c
validator/val_nsec3.c

index 498910d2e00c0d6995f66d7017fb9949845a2e91..27d32d4f14791cce8217c796d23bfd1bbf0cc4d7 100644 (file)
@@ -1,3 +1,6 @@
+17 August 2011: Wouter
+       - Fix validation of . DS query.
+
 10 August 2011: Wouter
        - Fix python site-packages path to /usr/lib64.
        - updated patch from Tom.
index 75574ffb1ab44e402e3a49c37199c834ea39b726..8ebeaa6a7a1f437ac58071fd381a266ff52fd003 100644 (file)
@@ -368,7 +368,8 @@ int nsec_proves_nodata(struct ub_packed_rrset_key* nsec,
                !nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
                return 0;
        } else if(qinfo->qtype == LDNS_RR_TYPE_DS &&
-               nsec_has_type(nsec, LDNS_RR_TYPE_SOA)) {
+               nsec_has_type(nsec, LDNS_RR_TYPE_SOA &&
+               !dname_is_root(qinfo->qname))) {
                return 0;
        }
 
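Review bot: The closing parenthesis of the `nsec_has_type` call on the added lines is misplaced, so `LDNS_RR_TYPE_SOA && !dname_is_root(qinfo->qname)` is evaluated as the type argument instead of the root test being a separate condition of the `else if`. That expression is only ever 0 or 1, so the bitmap is no longer checked for SOA, and the rejection of an NSEC that carries SOA as a no-DS proof (presumably the child-side apex record) is effectively disabled for non-root names. The two lines should read `nsec_has_type(nsec, LDNS_RR_TYPE_SOA) &&` and `!dname_is_root(qinfo->qname)) {`. The same misplacement is in the `nsec3_do_prove_nodata` hunk of validator/val_nsec3.c (`nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA && ...`), where the existing `qinfo->qname_len != 1` test already appears to exclude the root. nsec_proves_nodata starts and ends outside this hunk, so the surrounding branches were not reviewed.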
index 8b799ee47c4712fe069acc0d9ef0e982595afc70..b3a16c325e98608229254772b5608f66ddd01f57 100644 (file)
@@ -435,7 +435,8 @@ filter_init(struct nsec3_filter* filter, struct ub_packed_rrset_key** list,
                        dname_subdomain_c(nm, filter->zone))) {
                        /* for a type DS do not accept a zone equal to qname*/
                        if(qinfo->qtype == LDNS_RR_TYPE_DS && 
-                               query_dname_compare(qinfo->qname, nm) == 0)
+                               query_dname_compare(qinfo->qname, nm) == 0 &&
+                               !dname_is_root(qinfo->qname))
                                continue;
                        filter->zone = nm;
                        filter->zone_len = nmlen;
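Review bot: The comment `/* for a type DS do not accept a zone equal to qname*/` above the changed condition no longer describes it, since the added `!dname_is_root(qinfo->qname)` now lets a zone equal to qname through when qname is the root. Suggest updating it to `/* for a type DS do not accept a zone equal to qname, unless qname is the root */` so the exception is visible to the next reader of this validator path. The enclosing loop in filter_init starts and ends outside the hunk.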
@@ -1127,7 +1128,8 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
                 * If not type DS: matching nsec3 must not be a delegation.
                 */
                if(qinfo->qtype == LDNS_RR_TYPE_DS && qinfo->qname_len != 1 
-                       && nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA)) {
+                       && nsec3_has_type(rrset, rr, LDNS_RR_TYPE_SOA &&
+                       !dname_is_root(qinfo->qname))) {
                        verbose(VERB_ALGO, "proveNodata: apex NSEC3 "
                                "abused for no DS proof, bogus");
                        return sec_status_bogus;