nsec: correct wildcard proof check with queried for literal wildcard
authorMarek Vavruša <mvavrusa@cloudflare.com>
Mon, 18 Jun 2018 23:56:53 +0000 (16:56 -0700)
committerVladimír Čunát <vladimir.cunat@nic.cz>
Thu, 21 Jun 2018 10:09:29 +0000 (12:09 +0200)
Validation fails in the current implementation when the query is made directly for the wildcard name. In that case the number of labels in common with the NSEC record's owner equals the owner's own label count, and is not shorter by 1 (as it is for a wildcard expansion).

NEWS
lib/dnssec/nsec.c

diff --git a/NEWS b/NEWS
index cdbc4ab53c9f3bdb00b41f3a22d8204e992181a1..2483384f1823eaa33699c68ba24ea4123314b6ea 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,7 @@ New features
 Bugfixes
 --------
 - avoid turning off qname minimization in some cases, e.g. co.uk. (#339)
+- fix validation of explicit wildcard queries (#274)
 
 
 Knot Resolver 2.3.0 (2018-04-23)
index ab22ffbe31b48b5a30e866c808dda3373a333551..5b961dc42d894fa0b218bb0aebe99242db6b4658 100644 (file)
@@ -380,13 +380,15 @@ static int wildcard_match_check(const knot_pkt_t *pkt, const knot_pktsection_t *
                if (!knot_dname_is_wildcard(rrset->owner)) {
                        continue;
                }
-               int wcard_labels = knot_dname_labels(rrset->owner, NULL);
-               int common_labels = knot_dname_matched_labels(rrset->owner, sname);
-               int rrsig_labels = coverign_rrsig_labels(rrset, sec);
-               if (wcard_labels < 1 ||
-                   common_labels != wcard_labels - 1 ||
-                   common_labels != rrsig_labels) {
-                       continue;
+               if (!knot_dname_is_equal(rrset->owner, sname)) {
+                       int wcard_labels = knot_dname_labels(rrset->owner, NULL);
+                       int common_labels = knot_dname_matched_labels(rrset->owner, sname);
+                       int rrsig_labels = coverign_rrsig_labels(rrset, sec);
+                       if (wcard_labels < 1 ||
+                           common_labels != wcard_labels - 1 ||
+                           common_labels != rrsig_labels) {
+                               continue;
+                       }
                }
                int ret = no_data_response_check_rrtype(&flags, rrset, stype);
                if (ret != 0) {
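Review bot: The new `knot_dname_is_equal` branch skips the covering-RRSIG Labels comparison entirely when the query is for the literal wildcard owner, so an NSEC whose RRSIG carries an unexpected Labels value is accepted here without the check the non-exact path still performs. Under RFC 4034 §3.1.3 the `*` label is not counted, so in the exact-match case the expected relation is `rrsig_labels == wcard_labels - 1` with `common_labels == wcard_labels`; keeping one combined check avoids two code paths with different strictness. If `coverign_rrsig_labels` returns something other than the RRSIG Labels field, or signature validation elsewhere already rejects a mismatch, this may be redundant, but that is not visible from the hunk. `wildcard_match_check` starts before this hunk (only its signature appears in the hunk header) and its body continues after it.
```c
                int wcard_labels = knot_dname_labels(rrset->owner, NULL);
                int common_labels = knot_dname_matched_labels(rrset->owner, sname);
                int rrsig_labels = coverign_rrsig_labels(rrset, sec);
                /* An explicit query for the wildcard owner matches all of its labels,
                 * but the covering RRSIG still must not count the '*' label (RFC 4034 §3.1.3). */
                int expected_common = knot_dname_is_equal(rrset->owner, sname)
                                      ? wcard_labels : wcard_labels - 1;
                if (wcard_labels < 1 ||
                    common_labels != expected_common ||
                    rrsig_labels != wcard_labels - 1) {
                        continue;
                }
                /* … unchanged: no_data_response_check_rrtype call … */
```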