if they arrive within 100msec of each other.
* Fix so that ldns-testns does not leak sockets if the read fails.
* SVCB and HTTPS draft rrtypes.
- Enable with --enable-rrtype-svcb-https
+ Enable with --enable-rrtype-svcb-https.
+ * bugfix #117: Assertion failure with DNSSEC validating of
+ non existence of RR types at the root. Thanks ZjYwMj
1.7.1 2019-07-26
* bugfix: Manage verification paths for OpenSSL >= 1.1.0
ldns_rr_list *rrsigs)
{
ldns_rdf *rr_name;
- ldns_rdf *wildcard_name;
+ ldns_rdf *wildcard_name = NULL;
ldns_rdf *chopped_dname;
ldns_rr *cur_nsec;
size_t i;
bool type_covered = false;
bool wildcard_covered = false;
bool wildcard_type_covered = false;
+ bool rr_name_is_root = false;
- wildcard_name = ldns_dname_new_frm_str("*");
rr_name = ldns_rr_owner(rr);
- chopped_dname = ldns_dname_left_chop(rr_name);
- result = ldns_dname_cat(wildcard_name, chopped_dname);
- ldns_rdf_deep_free(chopped_dname);
- if (result != LDNS_STATUS_OK) {
- return result;
+ rr_name_is_root = ldns_rdf_size(rr_name) == 1
+ && *ldns_rdf_data(rr_name) == 0;
+ if (!rr_name_is_root) {
+ wildcard_name = ldns_dname_new_frm_str("*");
+ chopped_dname = ldns_dname_left_chop(rr_name);
+ result = ldns_dname_cat(wildcard_name, chopped_dname);
+ ldns_rdf_deep_free(chopped_dname);
+ if (result != LDNS_STATUS_OK) {
+ return result;
+ }
}
for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
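Review bot: The error path `if (result != LDNS_STATUS_OK) { return result; }` inside the new `if (!rr_name_is_root)` block still returns without releasing `wildcard_name`, which `ldns_dname_new_frm_str("*")` allocated just above; the commit re-indents this path but keeps the leak. Adding `ldns_rdf_deep_free(wildcard_name);` before `return result;` would close it. The results of `ldns_dname_new_frm_str` and `ldns_dname_left_chop` are also handed to `ldns_dname_cat` unchecked; if either can return NULL on allocation failure (not visible here), a NULL check before the cat would be safer in a DNSSEC validation routine. The function body starts and continues outside this hunk.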
name_covered = true;
}
+ if (rr_name_is_root)
+ continue;
+
if (ldns_dname_compare(wildcard_name,
ldns_rr_owner(cur_nsec)) == 0) {
if (ldns_nsec_bitmap_covers_type(ldns_nsec_get_bitmap(cur_nsec),
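Review bot: The `if (rr_name_is_root) continue;` guard is the only thing keeping the NULL `wildcard_name` out of `ldns_dname_compare` on the next line, and nothing in the code says so. The same undocumented shortcut appears in the later hunk as `if (rr_name_is_root) return LDNS_STATUS_OK;`, which skips the wildcard proof entirely. I would add `/* wildcard_name is NULL for the root: skip the wildcard comparison */` here and `/* the root has no parent, so there is no wildcard name to disprove */` above the early return. Bracing both single-statement `if` bodies would also make it harder for a later edit to move the guard away from the code it protects. The loop body and the end of the function lie outside these hunks.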
return LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
}
+ if (rr_name_is_root)
+ return LDNS_STATUS_OK;
+
if (wildcard_type_covered || !wildcard_covered) {
return LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED;
}