detect when closest-encloser name is too long
authorEvan Hunt <each@isc.org>
Thu, 9 Jan 2025 02:08:05 +0000 (18:08 -0800)
committerEvan Hunt <each@isc.org>
Fri, 10 Jan 2025 01:04:08 +0000 (17:04 -0800)
there was a database bug in which dns_db_find() could get a partial
match for the query name, but still set foundname to match the full
query name.  this triggered an assertion when query_addwildcardproof()
assumed that foundname would be shorter.

the database bug has been fixed, but in case it happens again, we
can just copy the name instead of splitting it. we will also log a
warning that the closest-encloser name was invalid.

lib/ns/query.c

index cc57bcf684a84dd8aca4e9b406e8c5cf94a80b48..8464e782d9f34b84527d5a37fe746b93c68bc1bb 100644 (file)
@@ -11167,7 +11167,15 @@ again:
                 * Add no qname proof.
                 */
                labels = dns_name_countlabels(cname) + 1;
-               if (dns_name_countlabels(name) == labels) {
+               if (labels > maxlabels) {
+                       char namebuf[DNS_NAME_FORMATSIZE];
+                       dns_name_format(cname, namebuf, sizeof(namebuf));
+                       ns_client_log(qctx->client, DNS_LOGCATEGORY_DNSSEC,
+                                     NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+                                     "closest-encloser name too long: %s",
+                                     namebuf);
+                       dns_name_copy(name, wname);
+               } else if (labels == maxlabels) {
                        dns_name_copy(name, wname);
                } else {
                        dns_name_split(name, labels, NULL, wname);
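Review bot: The `labels > maxlabels` and `labels == maxlabels` branches both end in the same `dns_name_copy(name, wname)`, so the fallback could be written once as `if (labels >= maxlabels) {` with the warning guarded by an inner `if (labels > maxlabels)`, keeping the "copy instead of split" recovery in one place. `maxlabels` is not defined within this hunk; presumably it is assigned from `dns_name_countlabels(name)` earlier in the function, and a comment above the check such as `/* foundname must be strictly shorter than name; more labels means the database returned an invalid closest encloser, so use the whole name instead of splitting */` would record why the defensive branch exists. If the underlying database bug ever recurs, the `ISC_LOG_WARNING` message is emitted once per affected query, which may be noisy; whether existing rate limiting covers it cannot be told from this hunk. The enclosing function starts before this hunk.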