3945. [bug] Invalid wildcard expansions could be incorrectly
authorMark Andrews <marka@isc.org>
Fri, 5 Sep 2014 02:10:55 +0000 (12:10 +1000)
committerMark Andrews <marka@isc.org>
Fri, 5 Sep 2014 02:12:14 +0000 (12:12 +1000)
                        accepted by the validator. [RT #37093]

(cherry picked from commit 2fa1fc53324c0fca978c902e883c7cc011210536)

CHANGES
lib/dns/nsec.c
lib/dns/resolver.c
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index aa8754ea82e1f2daea53b811a7c00819238a0ae4..a8aa630b020ddf7e9065b85581780d5b4e1d3e55 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3945.  [bug]           Invalid wildcard expansions could be incorrectly
+                       accepted by the validator. [RT #37093]
+
 3942.  [bug]           Wildcard responses from a optout range should be
                        marked as insecure. [RT #37072]
 
index 8da1ac84b35b3ac70ed4c46ab684d7f243daf3f3..45228075594efdfa66c4738f260b0722ba0b7c23 100644 (file)
@@ -421,7 +421,7 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, dns_name_t *name,
                                                  nlabels, &common);
                }
                result = dns_name_concatenate(dns_wildcardname, &common,
-                                              wild, NULL);
+                                             wild, NULL);
                if (result != ISC_R_SUCCESS) {
                        dns_rdata_freestruct(&nsec);
                        (*logit)(arg, ISC_LOG_DEBUG(3),
index 67194b6bd3a6d38539eaf908cc47a78f45ec6b49..1291cbf40de3e6a5983006c6d2836bcaf1aff59d 100644 (file)
@@ -4916,10 +4916,17 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                }
        }
 
-       if (valrdataset != NULL)
-               result = valcreate(fctx, addrinfo, name, fctx->type,
-                                  valrdataset, valsigrdataset, valoptions,
-                                  task);
+       if (valrdataset != NULL) {
+               dns_rdatatype_t vtype = fctx->type;
+               if (CHAINING(valrdataset)) {
+                       if (valrdataset->type == dns_rdatatype_cname)
+                               vtype = dns_rdatatype_cname;
+                       else
+                               vtype = dns_rdatatype_dname;
+               }
+               result = valcreate(fctx, addrinfo, name, vtype, valrdataset,
+                                  valsigrdataset, valoptions, task);
+       }
 
        if (result == ISC_R_SUCCESS && have_answer) {
                fctx->attributes |= FCTX_ATTR_HAVEANSWER;
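Review bot: The new `vtype` selection inside `if (CHAINING(valrdataset))` carries no comment saying why a chaining rdataset is handed to valcreate() under its own CNAME/DNAME type instead of fctx->type, and the `else` branch silently assumes any non-CNAME chaining rdataset is a DNAME, an invariant of CHAINING() that is not visible in this hunk. Presumably the intent is that the validator then checks the owner name and wildcard proof of the record that was actually signed rather than the original query type; I would state that above the branch: `/* A chained CNAME/DNAME is validated as its own type, not the query type, so the validator checks the owner/wildcard of the record that was actually signed. */`. If CHAINING() can ever be set on some other type, the `else` should become an explicit `else if (valrdataset->type == dns_rdatatype_dname)` with the remaining case rejected. cache_name() continues outside the hunk, so I cannot see where `result` is initialised for the `valrdataset == NULL` path that reaches the `result == ISC_R_SUCCESS` test below.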
index dd1804945b2dda01becdf9f02b7b0254da90ac71..dc35e926ae96c8ab105cd73082c06d2135a38687 100644 (file)
@@ -918,12 +918,26 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
                                                devent->name;
                        }
                        if (!exists) {
+                               dns_name_t *closest;
+                               unsigned int clabels;
+
                                val->attributes |= VALATTR_FOUNDNOQNAME;
-                               val->attributes |= VALATTR_FOUNDCLOSEST;
+
+                               closest = dns_fixedname_name(&val->closest);
+                               clabels = dns_name_countlabels(closest);
+                               /*
+                                * If we are validating a wildcard response
+                                * clabels will not be zero.  We then need
+                                * to check if the generated wilcard from
+                                * dns_nsec_noexistnodata is consistent with
+                                * the wildcard used to generate the response.
+                                */
+                               if (clabels == 0 ||
+                                   dns_name_countlabels(wild) == clabels + 1)
+                                       val->attributes |= VALATTR_FOUNDCLOSEST;
                                /*
                                 * The NSEC noqname proof also contains
                                 * the closest encloser.
-
                                 */
                                if (NEEDNOQNAME(val))
                                        proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
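Review bot: When `clabels != 0` and `dns_name_countlabels(wild)` is not `clabels + 1`, the new branch just leaves VALATTR_FOUNDCLOSEST unset with no log line, so a response rejected by this new wildcard-consistency check is indistinguishable in debug output from one that never produced a closest-encloser proof; I would add `else validator_log(val, ISC_LOG_DEBUG(3), "wildcard name inconsistent with closest encloser");` after the `if`. The check also compares label counts only, which is sufficient only if `wild` is guaranteed to be derived from the same closest encloser stored in `val->closest`; if that is how dns_nsec_noexistnodata() builds it (its nsec.c hunk above only touches indentation), the comment should say so explicitly, and while editing that comment fix the "wilcard" typo. `wild` is declared earlier in authvalidated(), outside this hunk, so I could not confirm its origin here.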
@@ -2800,7 +2814,8 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
        if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
                if (!FOUNDNOQNAME(val))
                        findnsec3proofs(val);
-               if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val)) {
+               if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
+                   !FOUNDOPTOUT(val)) {
                        validator_log(val, ISC_LOG_DEBUG(3),
                                      "marking as secure, noqname proof found");
                        marksecure(val->event);