Ignore NSEC records without RRSIG and NSEC present
authorMark Andrews <marka@isc.org>
Fri, 5 Nov 2021 22:30:48 +0000 (09:30 +1100)
committerPetr Špaček <pspacek@isc.org>
Thu, 2 Dec 2021 13:18:42 +0000 (14:18 +0100)
dns_nsec_noexistnodata now checks that RRSIG and NSEC are
present in the type map.  Both types should be present in
a correctly constructed NSEC record.  This check is in
addition to similar checks in resolver.c and validator.c.

lib/dns/nsec.c
lib/ns/query.c

index 95af49c3a2d875b293b84a7003b8cdf2cae4ad82..d7aa394f9259dc35ff07bf4f0c4b4a5332b19ef6 100644 (file)
@@ -328,6 +328,16 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
        }
        dns_rdataset_current(nsecset, &rdata);
 
+#ifdef notyet
+       if (!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig) ||
+           !dns_nsec_typepresent(&rdata, dns_rdatatype_nsec))
+       {
+               (*logit)(arg, ISC_LOG_DEBUG(3),
+                        "NSEC missing RRSIG and/or NSEC from type map");
+               return (ISC_R_IGNORE);
+       }
+#endif
+
        (*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
        relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
 
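Review bot: The new type-map check in dns_nsec_noexistnodata is wrapped in `#ifdef notyet`, so it is compiled out and this function still accepts an NSEC whose type map lacks NSEC and/or RRSIG, which contradicts the commit description ("now checks that RRSIG and NSEC are present"). If the check is deliberately deferred, say why in the code, e.g. `/* notyet: reject NSEC records whose type map lacks NSEC/RRSIG (RFC 4035 requires both); enable once callers are confirmed to handle ISC_R_IGNORE here */`, and word the description accordingly; otherwise drop the `#ifdef`/`#endif` pair. The check itself looks right: a validly signed NSEC at a signed name must list both NSEC and RRSIG, so a record missing either cannot support a negative proof and should not be used. lib/ns/query.c calls a `dns_nsec_requiredtypespresent()` helper for the same purpose; if that helper can be applied to the rdata here, using it in both places would keep the two checks from drifting. The body of dns_nsec_noexistnodata starts and ends outside this hunk.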
index 71a65d489463649b71692d834fc622c2bdbc7875..ce88b2df51cbd986dae9f653f6c3f57528fc1111 100644 (file)
@@ -10069,6 +10069,14 @@ query_coveringnsec(query_ctx_t *qctx) {
                goto cleanup;
        }
 
+       /*
+        * If NSEC or RRSIG are missing from the type map
+        * reject the NSEC RRset.
+        */
+       if (!dns_nsec_requiredtypespresent(qctx->rdataset)) {
+               goto cleanup;
+       }
+
        /*
         * Check that we have the correct NOQNAME NSEC record.
         */
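Review bot: The added `dns_nsec_requiredtypespresent()` rejection in query_coveringnsec is silent, whereas the parallel check in lib/dns/nsec.c logs at ISC_LOG_DEBUG(3); a malformed or bogus NSEC pulled from the cache will be dropped here with no trace, which hampers diagnosing why a covering NSEC was not used. If a debug logging helper is available in this function, a line such as `/* log at debug level: "covering NSEC rejected: type map lacks NSEC/RRSIG" */` before the `goto cleanup` would help. It is also worth confirming that `qctx->rdataset` is guaranteed to be the NSEC rdataset at this point and that `cleanup` does not depend on a `result` value that this early exit leaves unset, since neither is visible in the hunk. The enclosing query_coveringnsec starts and ends outside this hunk.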